Re: [v5.4.y,v4.19.y] nl80211: validate key indexes for cfg80211_registered_device

On Thu, Jun 03, 2021 at 09:28:52AM -0700, Zubin Mithra wrote:
From: Anant Thazhemadam <anant.thazhemadam@xxxxxxxxx>

commit 2d9463083ce92636a1bdd3e30d1236e3e95d859e upstream

syzbot discovered a bug in which an OOB access was being made because
an unsuitable key_idx value was wrongly considered to be acceptable
while deleting a key in nl80211_del_key().

Since we don't know the cipher at the time of deletion, if
cfg80211_validate_key_settings() were to be called directly in
nl80211_del_key(), even valid keys would be wrongly determined invalid,
and deletion wouldn't occur correctly.
For this reason, a new function - cfg80211_valid_key_idx(), has been
created, to determine if the key_idx value provided is valid or not.
cfg80211_valid_key_idx() is directly called in 2 places -
nl80211_del_key(), and cfg80211_validate_key_settings().

Reported-by: syzbot+49d4cab497c2142ee170@xxxxxxxxxxxxxxxxxxxxxxxxx
Tested-by: syzbot+49d4cab497c2142ee170@xxxxxxxxxxxxxxxxxxxxxxxxx
Suggested-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@xxxxxxxxx>
Link: https://lore.kernel.org/r/20201204215825.129879-1-anant.thazhemadam@xxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx
[also disallow IGTK key IDs if no IGTK cipher is supported]
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Zubin Mithra <zsm@xxxxxxxxxxxx>

Queued up, thanks!

--
Thanks,
Sasha
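
The check the quoted commit message describes, as a simplified user-space model: an added example, not code from the patch or the kernel tree. The `model_*` names, the six-slot key table and the index limits are assumptions made for the illustration.

```c
#include <stdbool.h>

#define MODEL_KEY_SLOTS 6        /* assumed: 0..3 data keys, 4..5 IGTK */
#define MODEL_MAX_PAIRWISE_IDX 3 /* assumed pairwise limit */
enum model_cipher { MODEL_CIPHER_UNKNOWN, MODEL_CIPHER_DATA, MODEL_CIPHER_IGTK };
struct model_dev {
    bool igtk_supported;            /* device offers an IGTK cipher */
    bool present[MODEL_KEY_SLOTS];  /* installed keys, indexed by key_idx */
};

/* Constructed sample devices (hypothetical). */
struct model_dev dev_plain = { false, { true, true, true, false, false, false } };
struct model_dev dev_igtk  = { true,  { true, false, false, false, true, false } };

/* Cipher-independent range check, usable when the cipher is not known. */
bool model_valid_key_idx(const struct model_dev *dev, int key_idx, bool pairwise)
{
    int max_idx = MODEL_MAX_PAIRWISE_IDX;
    if (!pairwise && dev->igtk_supported)
        max_idx = MODEL_KEY_SLOTS - 1;  /* IGTK ids only with IGTK support */
    return key_idx >= 0 && key_idx <= max_idx;
}

/* Add-time validation: shared index check first, then cipher-specific rules. */
bool model_validate_key_settings(const struct model_dev *dev, enum model_cipher cipher,
                                 int key_idx, bool pairwise)
{
    if (!model_valid_key_idx(dev, key_idx, pairwise))
        return false;
    switch (cipher) {
    case MODEL_CIPHER_DATA: return key_idx <= 3;
    case MODEL_CIPHER_IGTK: return key_idx >= 4;
    default:                return false; /* no cipher: even a valid key fails */
    }
}

/* Delete path: no cipher is available, so only the index check applies. */
int model_del_key(struct model_dev *dev, int key_idx, bool pairwise)
{
    if (!model_valid_key_idx(dev, key_idx, pairwise))
        return -1;                  /* rejected before present[] is indexed */
    dev->present[key_idx] = false;
    return 0;
}

int main(void)
{
    return model_del_key(&dev_plain, 7, false) == -1 ? 0 : 1;
}
```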


