Centos-kernel-stream-9/net/wireless
Patrick Talbert a0327d1bfc Merge: CVE-2024-56663: wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6270

JIRA: https://issues.redhat.com/browse/RHEL-75898
CVE: CVE-2024-56663

```
wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

Since the netlink attribute range validation provides inclusive
checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be
IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one.

One crash stack for demonstration:
==================================================================
BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939
Read of size 6 at addr 001102080000000c by task fuzzer.386/9508

CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106
 print_report+0xe0/0x750 mm/kasan/report.c:398
 kasan_report+0x139/0x170 mm/kasan/report.c:495
 kasan_check_range+0x287/0x290 mm/kasan/generic.c:189
 memcpy+0x25/0x60 mm/kasan/shadow.c:65
 ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939
 rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline]
 nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453
 genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756
 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
 genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850
 netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
 netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352
 netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874
 sock_sendmsg_nosec net/socket.c:716 [inline]
 __sock_sendmsg net/socket.c:728 [inline]
 ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499
 ___sys_sendmsg+0x21c/0x290 net/socket.c:2553
 __sys_sendmsg net/socket.c:2582 [inline]
 __do_sys_sendmsg net/socket.c:2591 [inline]
 __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Update the policy to ensure correct validation.

Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Suggested-by: Cengiz Can <cengiz.can@canonical.com>
Link: https://patch.msgid.link/20241130170526.96698-1-linma@zju.edu.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry picked from commit 2e3dbf938656986cce73ac4083500d0bcfbffe24)
```

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
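
The defect described in the commit message above, modelled in user space as an added example (this is not kernel code and not part of the merge request): a netlink range policy is inclusive on both ends, so an upper bound equal to the length of the array it guards admits exactly one index past the end. The value 15 for IEEE80211_MLD_MAX_NUM_LINKS, the struct layout and the function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model of the kernel constant: IEEE80211_MLD_MAX_NUM_LINKS is 15,
 * and per-link state is stored in an array of that size, so the only valid
 * indices are 0..14. */
#define MLD_MAX_NUM_LINKS 15

struct link_state {
    uint8_t addr[6];
    bool active;
};

struct wdev_model {
    struct link_state links[MLD_MAX_NUM_LINKS];
};

/* Model of an inclusive netlink range policy: v passes iff min <= v <= max.
 * This mirrors the semantics the commit message points out. */
struct range_policy {
    unsigned min;
    unsigned max;
};

static bool validate_range(const struct range_policy *p, unsigned v)
{
    return v >= p->min && v <= p->max;
}

/* The policy as it stood before the fix (upper bound equals the array length)
 * and the corrected policy (upper bound equals array length minus one). */
static const struct range_policy policy_before = { 0, MLD_MAX_NUM_LINKS };
static const struct range_policy policy_after  = { 0, MLD_MAX_NUM_LINKS - 1 };

/* True when link_id passes the policy yet would still index past links[],
 * i.e. the policy is the only bounds check and it lets the access through. */
static bool policy_admits_oob(const struct range_policy *p, unsigned link_id)
{
    return validate_range(p, link_id) && link_id >= MLD_MAX_NUM_LINKS;
}

/* Sweep the whole u8 attribute range and count the ids a policy admits
 * that are out of bounds for links[]. */
static unsigned count_oob_ids(const struct range_policy *p)
{
    unsigned n = 0;
    for (unsigned id = 0; id <= UINT8_MAX; id++)
        if (policy_admits_oob(p, id))
            n++;
    return n;
}

int main(void)
{
    printf("out-of-bounds ids admitted before fix: %u\n",
           count_oob_ids(&policy_before));
    printf("out-of-bounds ids admitted after fix:  %u\n",
           count_oob_ids(&policy_after));
    return 0;
}
```

The sweep makes the off-by-one concrete: with the old upper bound, id 15 is accepted by the policy and would index one element past `links[]`, which is the kind of stray read KASAN reported in the trace; with `MLD_MAX_NUM_LINKS - 1` no admitted id is out of range. The same inclusive-bounds check applies to any policy that guards an array index.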

---

<small>Created 2025-01-27 08:34 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=backporter%20webhook%20issue)</small>

Approved-by: José Ignacio Tornos Martínez <jtornosm@redhat.com>
Approved-by: Kamal Heib <kheib@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: Patrick Talbert <ptalbert@redhat.com>
2025-02-10 03:47:14 -05:00
| Name | Last commit | Date |
|------|-------------|------|
| certs | | |
| tests | wifi: cfg80211: tests: Fix potential NULL dereference in test_cfg80211_parse_colocated_ap() | 2025-01-15 17:26:24 +01:00 |
| .gitignore | | |
| Kconfig | | |
| Makefile | | |
| ap.c | | |
| chan.c | wifi: cfg80211: reject non-conformant 6 GHz center frequencies | 2024-10-29 08:18:01 +01:00 |
| core.c | wifi: cfg80211: check radio iface combination for multi radio per wiphy | 2025-01-15 17:26:22 +01:00 |
| core.h | wifi: cfg80211: skip indicating signal for per-STA profile BSSs | 2024-11-22 10:58:10 +01:00 |
| debugfs.c | wifi: cfg80211: add locked debugfs wrappers | 2024-10-29 08:16:30 +01:00 |
| debugfs.h | | |
| ethtool.c | | |
| ibss.c | wifi: cfg80211: move DFS related members to links[] in wireless_dev | 2024-11-22 10:58:11 +01:00 |
| lib80211.c | wifi: lib80211: Constify struct lib80211_crypto_ops | 2024-11-22 10:57:58 +01:00 |
| lib80211_crypt_ccmp.c | wifi: lib80211: Constify struct lib80211_crypto_ops | 2024-11-22 10:57:58 +01:00 |
| lib80211_crypt_tkip.c | wifi: lib80211: Constify struct lib80211_crypto_ops | 2024-11-22 10:57:58 +01:00 |
| lib80211_crypt_wep.c | wifi: lib80211: Constify struct lib80211_crypto_ops | 2024-11-22 10:57:58 +01:00 |
| mesh.c | wifi: cfg80211: move DFS related members to links[] in wireless_dev | 2024-11-22 10:58:11 +01:00 |
| mlme.c | wifi: cfg80211: Remove the Medium Synchronization Delay validity check | 2025-01-15 17:26:23 +01:00 |
| nl80211.c | Merge: CVE-2024-56663: wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one | 2025-02-10 03:47:14 -05:00 |
| nl80211.h | wifi: nl80211: clean up coalescing rule handling | 2024-10-29 08:17:55 +01:00 |
| ocb.c | | |
| of.c | | |
| pmsr.c | wifi: nl80211: remove the FTMs per burst limit for NDP ranging | 2024-10-29 08:18:01 +01:00 |
| radiotap.c | | |
| rdev-ops.h | wifi: cfg80211: handle DFS per link | 2024-11-22 10:58:11 +01:00 |
| reg.c | wifi: cfg80211: handle DFS per link | 2024-11-22 10:58:11 +01:00 |
| reg.h | wifi: cfg80211: add return docs for regulatory functions | 2024-10-29 08:17:00 +01:00 |
| scan.c | wifi: cfg80211: Do not create BSS entries for unsupported channels | 2024-11-22 10:58:17 +01:00 |
| sme.c | wifi: cfg80211: sme: init n_channels before channels[] access | 2025-01-15 17:26:24 +01:00 |
| sysfs.c | wifi: cfg80211: fully move wiphy work to unbound workqueue | 2024-10-29 08:17:24 +01:00 |
| sysfs.h | | |
| trace.c | | |
| trace.h | wifi: cfg80211: handle DFS per link | 2024-11-22 10:58:11 +01:00 |
| util.c | wifi: cfg80211: clear link ID from bitmap during link delete after clean up | 2025-01-15 17:26:26 +01:00 |
| wext-compat.c | | |
| wext-compat.h | | |
| wext-core.c | wifi: cfg80211: add a flag to disable wireless extensions | 2024-06-17 09:20:01 +02:00 |
| wext-priv.c | | |
| wext-proc.c | | |
| wext-sme.c | | |
| wext-spy.c | | |