This is a note to let you know that I've just added the patch titled
wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()
to the 6.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
wifi-nl80211-fix-integer-overflow-in-nl80211_parse_mbssid_elems.patch
and it can be found in the queue-6.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 6311071a056272e1e761de8d0305e87cc566f734 Mon Sep 17 00:00:00 2001
From: Keith Yeo <keithyjy@xxxxxxxxx>
Date: Mon, 31 Jul 2023 11:47:20 +0800
Subject: wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()
From: Keith Yeo <keithyjy@xxxxxxxxx>
commit 6311071a056272e1e761de8d0305e87cc566f734 upstream.
nl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the
number of MBSSID elements in the nested netlink attribute attrs, which can
lead to an integer overflow if a user of the nl80211 interface specifies
256 or more elements in the corresponding attribute in userspace. The
integer overflow can lead to a heap buffer overflow as num_elems determines
the size of the trailing array in elems, and this array is thereafter
written to for each element in attrs.
Note that this vulnerability only affects devices with the
wiphy->mbssid_max_interfaces member set for the wireless physical device
struct in the device driver, and can only be triggered by a process with
CAP_NET_ADMIN capabilities.
Fix this by checking for a maximum of 255 elements in attrs.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: dc1e3cb8da8b ("nl80211: MBSSID and EMA support in AP mode")
Signed-off-by: Keith Yeo <keithyjy@xxxxxxxxx>
Link: https://lore.kernel.org/r/20230731034719.77206-1-keithyjy@xxxxxxxxx
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/wireless/nl80211.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5378,8 +5378,11 @@ nl80211_parse_mbssid_elems(struct wiphy
if (!wiphy->mbssid_max_interfaces)
return ERR_PTR(-EINVAL);
- nla_for_each_nested(nl_elems, attrs, rem_elems)
+ nla_for_each_nested(nl_elems, attrs, rem_elems) {
+ if (num_elems >= 255)
+ return ERR_PTR(-EINVAL);
num_elems++;
+ }
elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
if (!elems)
Patches currently in stable-queue which might be from keithyjy@xxxxxxxxx are
queue-6.1/wifi-nl80211-fix-integer-overflow-in-nl80211_parse_mbssid_elems.patch
