linux.git - Linux kernel mainline tree

diff options

author	Anant Thazhemadam <anant.thazhemadam@gmail.com>	2020-12-05 03:28:25 +0530
committer	Johannes Berg <johannes.berg@intel.com>	2020-12-11 13:20:04 +0100
commit	2d9463083ce92636a1bdd3e30d1236e3e95d859e (patch)
tree	71b70c29817336309d1dacd916265201ba5acf92 /include/net
parent	669b84134a2be14d333d4f82b65943d467404f87 (diff)
download	linux-2d9463083ce92636a1bdd3e30d1236e3e95d859e.tar.gz linux-2d9463083ce92636a1bdd3e30d1236e3e95d859e.tar.bz2 linux-2d9463083ce92636a1bdd3e30d1236e3e95d859e.zip

nl80211: validate key indexes for cfg80211_registered_device

syzbot discovered a bug in which an OOB access was being made because an unsuitable key_idx value was wrongly considered to be acceptable while deleting a key in nl80211_del_key(). Since we don't know the cipher at the time of deletion, if cfg80211_validate_key_settings() were to be called directly in nl80211_del_key(), even valid keys would be wrongly determined invalid, and deletion wouldn't occur correctly. For this reason, a new function - cfg80211_valid_key_idx(), has been created, to determine if the key_idx value provided is valid or not. cfg80211_valid_key_idx() is directly called in 2 places - nl80211_del_key(), and cfg80211_validate_key_settings(). Reported-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com Tested-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com Suggested-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com> Link: https://lore.kernel.org/r/20201204215825.129879-1-anant.thazhemadam@gmail.com Cc: stable@vger.kernel.org [also disallow IGTK key IDs if no IGTK cipher is supported] Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Diffstat (limited to 'include/net')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: