Anant Thazhemadam e9a47662ff net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key()
commit 3dc289f8f139997f4e9d3cfccf8738f20d23e47b upstream.

In nl80211_parse_key(), key.idx is first initialized as -1.
If this value of key.idx remains unmodified and gets returned, and
nl80211_key_allowed() also returns 0, then rdev_del_key() gets called
with key.idx = -1.
This causes an out-of-bounds array access.

Handle this issue by checking if the value of key.idx after
nl80211_parse_key() is called and return -EINVAL if key.idx < 0.

Change-Id: Ie00275076bb4ee6a31d0e59b4b0e477ae732327d
Cc: stable@vger.kernel.org
Reported-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
Tested-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
Link: https://lore.kernel.org/r/20201007035401.9522-1-anant.thazhemadam@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
3 years ago
..
9p 9p: forgetting to cancel request on interrupted zero-copy RPC 9 years ago
802 net/802/mrp: fix lockdep splat 11 years ago
8021q 8021q: fix a potential memory leak 10 years ago
appletalk net: add build-time checks for msg->msg_name size 5 years ago
atm arch: Mass conversion of smp_mb__*() 10 years ago
ax25 net: add build-time checks for msg->msg_name size 5 years ago
batman-adv batman-adv: Fix broadcast/ogm queue limit on a removed interface 8 years ago
bluetooth Bluetooth: Don't advertise high speed support without SSP 3 years ago
bridge net: bridge: multicast: use rcu to access port list from br_multicast_start_querier 5 years ago
caif net/unix: sk_socket can disappear when state is unlocked 9 years ago
can net: add build-time checks for msg->msg_name size 5 years ago
ceph libceph: introduce ceph_crypt() for in-place en/decryption 7 years ago
core net: sockev: avoid races between sockev and socket_close 4 years ago
dcb net: Use netlink_ns_capable to verify the permisions of netlink messages 10 years ago
dccp net/dccp: fix use after free in tw_timer_handler() 5 years ago
decnet net: add build-time checks for msg->msg_name size 5 years ago
dns_resolver dns_resolver: Do not accept domain names longer than 255 chars 5 years ago
dsa dsa: fix freeing of sparse port allocation 11 years ago
ethernet net: add ETH_P_802_3_MIN 11 years ago
ieee802154 net: add build-time checks for msg->msg_name size 5 years ago
ipc_router net: ipc_router: Do not allow change of default security rule 4 years ago
ipv4 igmp: fix memory leak in igmpv3_del_delrec() 4 years ago
ipv6 igmp, mld: Fix memory leak in igmpv3/mld_del_delrec() 4 years ago
ipx net: add build-time checks for msg->msg_name size 5 years ago
irda net: add build-time checks for msg->msg_name size 5 years ago
iucv Merge upstream tag 'v3.10.49' into msm-3.10 10 years ago
key af_key: fix leaks in key_pol_get_resp and dump_sp. 4 years ago
l2tp net: add build-time checks for msg->msg_name size 5 years ago
lapb net/lapb: remove depends on CONFIG_EXPERIMENTAL 11 years ago
llc net: add build-time checks for msg->msg_name size 5 years ago
mac80211 mac80211: use constant time comparison with keys 5 years ago
mac802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 11 years ago
netfilter ANDROID: fix a bug in quota2 4 years ago
netlabel netlabel: check for IPV4MASK in addrinfo_get 5 years ago
netlink net: add build-time checks for msg->msg_name size 5 years ago
netrom net: add build-time checks for msg->msg_name size 5 years ago
nfc net: add build-time checks for msg->msg_name size 5 years ago
openvswitch openvswitch: fix panic with multiple vlan headers 10 years ago
packet net/packet: fix overflow in tpacket_rcv 4 years ago
phonet net: add build-time checks for msg->msg_name size 5 years ago
rds net: add build-time checks for msg->msg_name size 5 years ago
rfkill net: rfkill: move poll work to power efficient workqueue 5 years ago
rmnet_data net: rmnet_data: Change the log level for unknown IOCTL's 5 years ago
rose net: add build-time checks for msg->msg_name size 5 years ago
rxrpc net: add build-time checks for msg->msg_name size 5 years ago
sched net: Prevent invalid access to skb->prev in __qdisc_drop_all 5 years ago
sctp sctp: fix a type cast warnings that causes a_rwnd gets the wrong value 5 years ago
sunrpc kernel: make groups_sort calling a responsibility group_info allocators 5 years ago
tipc net: add build-time checks for msg->msg_name size 5 years ago
unix net: add build-time checks for msg->msg_name size 5 years ago
vmw_vsock net: add build-time checks for msg->msg_name size 5 years ago
wimax net: cleanup unsigned to unsigned int 12 years ago
wireless net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() 3 years ago
x25 net: add build-time checks for msg->msg_name size 5 years ago
xfrm xfrm: validate template mode 5 years ago
Kconfig kernel: remove CONFIG_USE_GENERIC_SMP_HELPERS cleanly 10 years ago
Makefile msm: ipc: Support multi-platform 10 years ago
activity_stats.c net: activity_stats: Stop using obsolete create_proc_read_entry api 11 years ago
compat.c net: support compat 64-bit time in {s,g}etsockopt 5 years ago
nonet.c llseek: automatically add .llseek fop 14 years ago
socket.c kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user() 5 years ago
sysctl_net.c net: Update the sysctl permissions handler to test effective uid/gid 11 years ago