From nobody Fri Dec 19 20:32:32 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A8C7C4332F for ; Thu, 13 Oct 2022 18:05:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229954AbiJMSFy (ORCPT ); Thu, 13 Oct 2022 14:05:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33112 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231191AbiJMSDk (ORCPT ); Thu, 13 Oct 2022 14:03:40 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 21298157F67; Thu, 13 Oct 2022 11:03:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id A8C256192C; Thu, 13 Oct 2022 18:00:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BA7EFC433D6; Thu, 13 Oct 2022 18:00:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684029; bh=yO7jB7qJ3SzvXbCw+6Kqc+Vb9MrWMZHZx+fu+glnvtQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=L9sSsanom39si1D52rxNAjy+/eOpMiSssQb1LvxTpnHby3Qai1tMaCGA5iRQDvVbp ItI/CyySBMlmQweTK7XPqnp6oIIT3+KLK60U8261/V78bvjr4Ix8lMuSLkwer3uI+G ldgi4CQKL8KPNiCcZ3+xlGVDviM+Ffu+ub1Xb5UQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Soenke Huster , Kees Cook , Johannes Berg Subject: [PATCH 5.19 20/33] wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans() Date: Thu, 13 Oct 2022 19:52:52 +0200 Message-Id: <20221013175145.955718271@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Johannes Berg commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream. In the copy code of the elements, we do the following calculation to reach the end of the MBSSID element: /* copy the IEs after MBSSID */ cpy_len =3D mbssid[1] + 2; This looks fine, however, cpy_len is a u8, the same as mbssid[1], so the addition of two can overflow. In this case the subsequent memcpy() will overflow the allocated buffer, since it copies 256 bytes too much due to the way the allocation and memcpy() sizes are calculated. Fix this by using size_t for the cpy_len variable. This fixes CVE-2022-41674. Reported-by: Soenke Huster Tested-by: Soenke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in sc= anning") Reviewed-by: Kees Cook Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/scan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2279,7 +2279,7 @@ cfg80211_update_notlisted_nontrans(struc size_t new_ie_len; struct cfg80211_bss_ies *new_ies; const struct cfg80211_bss_ies *old; - u8 cpy_len; + size_t cpy_len; =20 lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);