From: Johannes Berg johannes.berg@intel.com
stable inclusion from stable-v5.10.148 commit a6408e0b694c1bdd8ae7dd0464a86b98518145ec category: bugfix bugzilla: 187813, https://gitee.com/src-openeuler/kernel/issues/I5VM7L CVE: CVE-2022-41674
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
In the copy code of the elements, we do the following calculation to reach the end of the MBSSID element:
/* copy the IEs after MBSSID */ cpy_len = mbssid[1] + 2;
This looks fine, however, cpy_len is a u8, the same as mbssid[1], so the addition of two can overflow. In this case the subsequent memcpy() will overflow the allocated buffer, since it copies 256 bytes too much due to the way the allocation and memcpy() sizes are calculated.
Fix this by using size_t for the cpy_len variable.
This fixes CVE-2022-41674.
Reported-by: Soenke Huster shuster@seemoo.tu-darmstadt.de Tested-by: Soenke Huster shuster@seemoo.tu-darmstadt.de Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Reviewed-by: Kees Cook keescook@chromium.org Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Dong Chenchen dongchenchen2@huawei.com Reviewed-by: Liu Jian liujian56@huawei.com Reviewed-by: Yue Haibing yuehaibing@huawei.com Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- net/wireless/scan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index fe65ad969e80..1c883c2856f5 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, size_t new_ie_len; struct cfg80211_bss_ies *new_ies; const struct cfg80211_bss_ies *old; - u8 cpy_len; + size_t cpy_len;
lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);