iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Anant Thazhemadam 55422f175e net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() 
commit 3dc289f8f139997f4e9d3cfccf8738f20d23e47b upstream.

In nl80211_parse_key(), key.idx is first initialized as -1.
If this value of key.idx remains unmodified and gets returned, and
nl80211_key_allowed() also returns 0, then rdev_del_key() gets called
with key.idx = -1.
This causes an out-of-bounds array access.

Handle this issue by checking if the value of key.idx after
nl80211_parse_key() is called and return -EINVAL if key.idx < 0.

Cc: stable@vger.kernel.org
Reported-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
Tested-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
Link: https://lore.kernel.org/r/20201007035401.9522-1-anant.thazhemadam@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-10-14 09:48:14 +02:00
..
6lowpan
6lowpan: Off by one handling ->nexthdr
2020-01-29 10:24:22 +01:00
9p
net/9p: validate fds in p9_fd_open
2020-08-21 11:01:54 +02:00
802
8021q
vlan: fix memory leak in vlan_dev_set_egress_priority
2020-01-12 11:24:27 +01:00
appletalk
appletalk: Set error code if register_snap_client failed
2019-12-21 10:41:45 +01:00
atm
atm: fix a memory leak of vcc->user_back
2020-10-01 20:40:12 +02:00
ax25
AX.25: Prevent integer overflows in connect and sendmsg
2020-07-31 16:44:06 +02:00
batman-adv
batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh
2020-10-01 20:40:18 +02:00
bluetooth
Bluetooth: Handle Inquiry Cancel error after Inquiry Complete
2020-10-01 20:40:13 +02:00
bridge
netfilter: nft_reject_bridge: enable reject with bridge vlan
2020-06-03 08:16:45 +02:00
caif
caif: reduce stack size with KASAN
2019-05-08 07:19:07 +02:00
can
can: purge socket error queue on sock destruct
2019-07-10 09:55:33 +02:00
ceph
libceph: ignore pool overlay and cache logic on redirects
2020-06-03 08:16:41 +02:00
core
neigh_stat_seq_next() should increase position index
2020-10-01 20:40:04 +02:00
dcb
net: dcb: For wild-card lookups, use priority -1, not 0
2018-09-19 22:47:15 +02:00
dccp
net: ipv6: add net argument to ip6_dst_lookup_flow
2020-05-20 08:15:30 +02:00
decnet
decnet: fix DN_IFREQ_SIZE
2019-12-05 15:35:12 +01:00
dns_resolver
KEYS: DNS: fix parsing multiple options
2018-07-22 14:27:39 +02:00
dsa
net: dsa: tag_brcm: Fix skb->fwd_offload_mark location
2020-04-13 10:32:53 +02:00
ethernet
net: add annotations on hh->hh_len lockless accesses
2020-01-12 11:24:19 +01:00
hsr
net/hsr: Check skb_put_padto() return value
2020-10-01 20:40:01 +02:00
ieee802154
nl802154: add missing attribute validation for dev_type
2020-03-20 09:07:39 +01:00
ipv4
rt_cpu_seq_next should increase position index
2020-10-01 20:40:04 +02:00
ipv6
gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY
2020-09-03 11:21:15 +02:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 15:44:41 +02:00
irda
irda: Only insert new objects into the global database via setsockopt
2018-09-15 09:43:01 +02:00
iucv
net/af_iucv: always register net_device notifier
2020-01-29 10:24:26 +01:00
kcm
kcm: switch order of device registration to fix a crash
2019-04-17 08:36:44 +02:00
key
af_key: pfkey_dump needs parameter validation
2020-10-01 20:39:59 +02:00
l2tp
l2tp: remove skb_dst_set() from l2tp_xmit_skb()
2020-07-22 09:10:47 +02:00
l3mdev
net: ipv6: Remove l3mdev_get_saddr6
2016-09-10 23:12:53 -07:00
lapb
lapb: fixed leak of control-blocks.
2019-06-22 08:17:22 +02:00
llc
llc: make sure applications use ARPHRD_ETHER
2020-07-22 09:10:47 +02:00
mac80211
mac80211: do not allow bigger VHT MPDUs than the hardware supports
2020-10-14 09:48:12 +02:00
mac802154
mac802154: tx: fix use-after-free
2020-10-01 20:40:18 +02:00
mpls
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
2020-05-20 08:15:30 +02:00
ncsi
net/ncsi: Improve HNCDSC AEN handler
2016-10-20 11:23:08 -04:00
netfilter
netfilter: ctnetlink: add a range check for l3/l4 protonum
2020-10-14 09:48:14 +02:00
netlabel
netlabel: fix problems with mapping removal
2020-09-12 11:47:39 +02:00
netlink
genetlink: remove genl_bind
2020-07-22 09:10:48 +02:00
netrom
net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node
2020-05-02 17:23:08 +02:00
nfc
net/nfc/rawsock.c: add CAP_NET_RAW check.
2020-08-21 11:02:04 +02:00
openvswitch
openvswitch: support asymmetric conntrack
2019-12-21 10:42:23 +01:00
packet
net/packet: fix overflow in tpacket_rcv
2020-10-14 09:48:13 +02:00
phonet
phonet: fix building with clang
2019-03-23 13:19:44 +01:00
qrtr
net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
2020-06-03 08:16:29 +02:00
rds
rds: Prevent kernel-infoleak in rds_notify_queue_get()
2020-08-21 11:01:49 +02:00
rfkill
rfkill: Fix incorrect check to avoid NULL pointer dereference
2020-01-12 11:24:23 +01:00
rose
net: rose: fix a possible stack overflow
2019-04-03 06:24:14 +02:00
rxrpc
rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
2020-07-31 16:44:06 +02:00
sched
net: sched: export __netdev_watchdog_up()
2020-06-30 15:38:37 -04:00
sctp
sctp: not disable bh in the whole sctp_get_port_local()
2020-09-12 11:47:40 +02:00
strparser
strparser: Fix incorrect strp->need_bytes value.
2018-04-29 11:32:02 +02:00
sunrpc
svcrdma: Fix leak of transport addresses
2020-10-01 20:40:11 +02:00
switchdev
switchdev: Execute bridge ndos only for bridge ports
2016-10-19 10:58:04 -04:00
tipc
tipc: use skb_unshare() instead in tipc_buf_append()
2020-10-01 20:40:00 +02:00
unix
skbuff: fix a data race in skb_queue_len()
2020-10-01 20:40:06 +02:00
vmw_vsock
vsock/virtio: stop workers during the .remove()
2020-10-14 09:48:11 +02:00
wimax
wireless
net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key()
2020-10-14 09:48:14 +02:00
x25
net/x25: Fix null-ptr-deref in x25_disconnect
2020-08-21 11:01:50 +02:00
xfrm
xfrm: fix a NULL-ptr deref in xfrm_local_error
2020-06-03 08:16:44 +02:00
compat.c
net/compat: Add missing sock updates for SCM_RIGHTS
2020-08-21 11:02:08 +02:00
Kconfig
Makefile
socket.c
net: Set fput_needed iff FDPUT_FPUT is set
2020-08-21 11:02:04 +02:00
sysctl_net.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2016-10-06 09:52:23 -07:00