forked from luck/tmp_suning_uos_patched
05725b40b9
commit 2d9463083ce92636a1bdd3e30d1236e3e95d859e upstream. syzbot discovered a bug in which an OOB access was being made because an unsuitable key_idx value was wrongly considered to be acceptable while deleting a key in nl80211_del_key(). Since we don't know the cipher at the time of deletion, if cfg80211_validate_key_settings() were to be called directly in nl80211_del_key(), even valid keys would be wrongly determined invalid, and deletion wouldn't occur correctly. For this reason, a new function - cfg80211_valid_key_idx(), has been created, to determine if the key_idx value provided is valid or not. cfg80211_valid_key_idx() is directly called in 2 places - nl80211_del_key(), and cfg80211_validate_key_settings(). Reported-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com Tested-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com Suggested-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com> Link: https://lore.kernel.org/r/20201204215825.129879-1-anant.thazhemadam@gmail.com Cc: stable@vger.kernel.org [also disallow IGTK key IDs if no IGTK cipher is supported] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| certs | ||
| .gitignore | ||
| ap.c | ||
| chan.c | ||
| core.c | ||
| core.h | ||
| debugfs.c | ||
| debugfs.h | ||
| ethtool.c | ||
| ibss.c | ||
| Kconfig | ||
| lib80211_crypt_ccmp.c | ||
| lib80211_crypt_tkip.c | ||
| lib80211_crypt_wep.c | ||
| lib80211.c | ||
| Makefile | ||
| mesh.c | ||
| mlme.c | ||
| nl80211.c | ||
| nl80211.h | ||
| ocb.c | ||
| of.c | ||
| pmsr.c | ||
| radiotap.c | ||
| rdev-ops.h | ||
| reg.c | ||
| reg.h | ||
| scan.c | ||
| sme.c | ||
| sysfs.c | ||
| sysfs.h | ||
| trace.c | ||
| trace.h | ||
| util.c | ||
| wext-compat.c | ||
| wext-compat.h | ||
| wext-core.c | ||
| wext-priv.c | ||
| wext-proc.c | ||
| wext-sme.c | ||
| wext-spy.c | ||