From: Johannes Berg johannes.berg@intel.com
mainline inclusion from mainline-v6.9-rc1 commit 9ad7974856926129f190ffbe3beea78460b3b7cc category: bugfix bugzilla: 190054, https://gitee.com/src-openeuler/kernel/issues/I9QGJD CVE: CVE-2024-35937
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
If it looks like there's another subframe in the A-MSDU but the header isn't fully there, we can end up reading data out of bounds, only to discard later. Make this a bit more careful and check if the subframe header can even be present.
Reported-by: syzbot+d050d437fe47d479d210@syzkaller.appspotmail.com Link: https://msgid.link/20240226203405.a731e2c95e38.I82ce7d8c0cc8970ce29d0a39fdc0... Signed-off-by: Johannes Berg johannes.berg@intel.com Conflicts: net/wireless/util.c [ieee80211_is_valid_amsdu() isnt implemented in the current version for commit 6e4c0d0460bd not merged. commit 9f718554e7ea and 986e43b19ae9 wasnt merged, which lead to context conflicts] Signed-off-by: Dong Chenchen dongchenchen2@huawei.com --- net/wireless/util.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/wireless/util.c b/net/wireless/util.c index 5fd7dc3ec5b0..b39ee17dbead 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -632,24 +632,27 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, struct sk_buff *frame = NULL; u16 ethertype; u8 *payload; - int offset = 0, remaining; + int offset = 0; struct ethhdr eth; bool reuse_frag = skb->head_frag && !skb_has_frag_list(skb); bool reuse_skb = false; bool last = false;
while (!last) { + int remaining = skb->len - offset; unsigned int subframe_len; int len; u8 padding;
+ if (sizeof(eth) > remaining) + goto purge; + skb_copy_bits(skb, offset, ð, sizeof(eth)); len = ntohs(eth.h_proto); subframe_len = sizeof(struct ethhdr) + len; padding = (4 - subframe_len) & 0x3;
/* the last MSDU has no padding */ - remaining = skb->len - offset; if (subframe_len > remaining) goto purge; /* mitigate A-MSDU aggregation injection attacks */
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/8699 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/O...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/8699 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/O...