Patch "wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 3 Dec 2022 04:31:21 -0500

This is a note to let you know that I've just added the patch titled

    wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 5e97690e4f4fe3122e7b2acf58e260164a471ec4
Author: Lorenzo Bianconi <lorenzo@xxxxxxxxxx>
Date:   Tue Nov 8 16:19:26 2022 +0100

    wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration
    
    [ Upstream commit 3e8f7abcc3473bc9603323803aeaed4ffcc3a2ab ]
    
    Fix possible out-of-bound access in ieee80211_get_rate_duration routine
    as reported by the following UBSAN report:
    
    UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47
    index 15 is out of range for type 'u16 [12]'
    CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic
    Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017
    Workqueue: mt76 mt76u_tx_status_data [mt76_usb]
    Call Trace:
     <TASK>
     show_stack+0x4e/0x61
     dump_stack_lvl+0x4a/0x6f
     dump_stack+0x10/0x18
     ubsan_epilogue+0x9/0x43
     __ubsan_handle_out_of_bounds.cold+0x42/0x47
    ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]
     ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]
     ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]
     ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]
     mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]
     mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]
     mt76u_tx_status_data+0x67/0xd0 [mt76_usb]
     process_one_work+0x225/0x400
     worker_thread+0x50/0x3e0
     ? process_one_work+0x400/0x400
     kthread+0xe9/0x110
     ? kthread_complete_and_exit+0x20/0x20
     ret_from_fork+0x22/0x30
    
    Fixes: db3e1c40cf2f ("mac80211: Import airtime calculation code from mt76")
    Signed-off-by: Lorenzo Bianconi <lorenzo@xxxxxxxxxx>
    Acked-by: Toke Høiland-Jørgensen <toke@xxxxxxx>
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/mac80211/airtime.c b/net/mac80211/airtime.c
index 26d2f8ba7029..758ef63669e7 100644
--- a/net/mac80211/airtime.c
+++ b/net/mac80211/airtime.c
@@ -457,6 +457,9 @@ static u32 ieee80211_get_rate_duration(struct ieee80211_hw *hw,
 			 (status->encoding == RX_ENC_HE && streams > 8)))
 		return 0;
 
+	if (idx >= MCS_GROUP_RATES)
+		return 0;
+
 	duration = airtime_mcs_groups[group].duration[idx];
 	duration <<= airtime_mcs_groups[group].shift;
 	*overhead = 36 + (streams << 2);






