From: Johannes Berg <johannes.berg@intel.com>

mainline inclusion
from mainline-v6.9-rc1
commit 9ad7974856926129f190ffbe3beea78460b3b7cc
category: bugfix
bugzilla: 190054, https://gitee.com/src-openeuler/kernel/issues/I9QGJD
CVE: CVE-2024-35937
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
If it looks like there's another subframe in the A-MSDU but the header isn't fully there, we can end up reading data out of bounds, only to discard later. Make this a bit more careful and check if the subframe header can even be present.
Reported-by: syzbot+d050d437fe47d479d210@syzkaller.appspotmail.com
Link: https://msgid.link/20240226203405.a731e2c95e38.I82ce7d8c0cc8970ce29d0a39fdc0...
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Conflicts:
	net/wireless/util.c
[ieee80211_is_valid_amsdu() isn't implemented in the current version for commit 6e4c0d0460bd not merged. Commits 9f718554e7ea and 986e43b19ae9 weren't merged, which led to context conflicts]
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
---
 net/wireless/util.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/wireless/util.c b/net/wireless/util.c index 4b32e85c2d9a..5177fd63b1b8 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -751,24 +751,27 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, struct sk_buff *frame = NULL; u16 ethertype; u8 *payload; - int offset = 0, remaining; + int offset = 0; struct ethhdr eth; bool reuse_frag = skb->head_frag && !skb_has_frag_list(skb); bool reuse_skb = false; bool last = false;
while (!last) { + int remaining = skb->len - offset; unsigned int subframe_len; int len; u8 padding;
+ if (sizeof(eth) > remaining) + goto purge; + skb_copy_bits(skb, offset, ð, sizeof(eth)); len = ntohs(eth.h_proto); subframe_len = sizeof(struct ethhdr) + len; padding = (4 - subframe_len) & 0x3;
/* the last MSDU has no padding */ - remaining = skb->len - offset; if (subframe_len > remaining) goto purge; /* mitigate A-MSDU aggregation injection attacks */
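Review bot: The new check `sizeof(eth) > remaining` at the top of the loop compares a size_t against the signed `int remaining`, so `remaining` is converted to unsigned and a negative value would be treated as a very large one and pass. The existing `subframe_len > remaining` has the same property because `subframe_len` is `unsigned int`. The hunk does not show how `offset` advances, so it is not visible here whether `offset` can exceed `skb->len`; if it can, neither check reaches `purge`. Consider making the comparison signed, for example `if (remaining < (int)sizeof(eth))`, and adding a one-line comment above it stating that it guards the `skb_copy_bits()` read of the subframe header, in the same style as the comments on the checks below it.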
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/8700
Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Y...