From patchwork Thu May 20 09:20:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 445703 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8FC1CC433B4 for ; Thu, 20 May 2021 10:00:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7249961404 for ; Thu, 20 May 2021 10:00:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235032AbhETKBu (ORCPT ); Thu, 20 May 2021 06:01:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:59060 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235291AbhETJ7s (ORCPT ); Thu, 20 May 2021 05:59:48 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 278766162D; Thu, 20 May 2021 09:38:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621503526; bh=8CW865KVytU24fiLS2p4+yfG6Txeuofcb6aQV21QHlU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vWk34sMl0R9BjAU85Fd+gxmID8DiHHa2LaS1okr92UNjLRp6XVGo0aojux9U4yYcY 35cL/BZYvxNdu6cQ6Yay3ppF2Db2s4c2yC5z6eUM0ivKhNHCCJRcVdBysjAs54wzAi LWYnwgzY3YH7AGLXWMnjG25JlrUwmanshmdS2vHA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johannes Berg , Sasha Levin Subject: [PATCH 4.19 262/425] mac80211: bail out if cipher schemes are invalid Date: Thu, 20 May 2021 11:20:31 +0200 Message-Id: <20210520092140.061530159@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092131.308959589@linuxfoundation.org> References: <20210520092131.308959589@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Johannes Berg [ Upstream commit db878e27a98106a70315d264cc92230d84009e72 ] If any of the cipher schemes specified by the driver are invalid, bail out and fail the registration rather than just warning. Otherwise, we might later crash when we try to use the invalid cipher scheme, e.g. if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd have an out-of-bounds access in RX validation. Fixes: 2475b1cc0d52 ("mac80211: add generic cipher scheme support") Link: https://lore.kernel.org/r/20210408143149.38a3a13a1b19.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin --- net/mac80211/main.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/mac80211/main.c b/net/mac80211/main.c index f44d00f35fe7..e8c4e9c0c5a0 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -1080,8 +1080,11 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) if (local->hw.wiphy->max_scan_ie_len) local->hw.wiphy->max_scan_ie_len -= local->scan_ies_len; - WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, - local->hw.n_cipher_schemes)); + if (WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes, + local->hw.n_cipher_schemes))) { + result = -EINVAL; + goto fail_workqueue; + } result = ieee80211_init_cipher_suites(local); if (result < 0)