From: Deepanshu Kartikey
To: johannes@sipsolutions.net
Cc: gregory.greenman@intel.com, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+8e0622f6d9446420271f@syzkaller.appspotmail.com
Subject: [PATCH] wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap
Date: Sun, 31 May 2026 06:47:21 +0530
Message-ID: <20260531011721.102941-1-kartikey406@gmail.com>
X-Mailer: git-send-email 2.43.0

When parsing the radiotap header of an injected frame,
ieee80211_parse_tx_radiotap() uses the IEEE80211_RADIOTAP_ANTENNA value
directly as a shift count:

    info->control.antennas |= BIT(*iterator.this_arg);

*iterator.this_arg is an 8-bit value taken straight from the frame
supplied by userspace, so BIT() can be asked to shift by up to 255.
That is undefined behaviour on the unsigned long and is reported by
UBSAN:

    UBSAN: shift-out-of-bounds in net/mac80211/tx.c:2174:30
    shift exponent 235 is too large for 64-bit type 'unsigned long'
    Call Trace:
     ieee80211_parse_tx_radiotap+0xadb/0x1950 net/mac80211/tx.c:2174
     ieee80211_monitor_start_xmit+0xb1f/0x1250 net/mac80211/tx.c:2451
     ...
     packet_sendmsg+0x3eb6/0x50f0 net/packet/af_packet.c:3109

info->control.antennas is a 2-bit bitmap (u8 antennas:2), so only
antenna indices 0 and 1 can ever be represented. Ignore any larger
value instead of shifting out of bounds.

Reported-by: syzbot+8e0622f6d9446420271f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8e0622f6d9446420271f
Fixes: ef246a1480cc ("wifi: mac80211: support antenna control in injection")
Signed-off-by: Deepanshu Kartikey
---
 net/mac80211/tx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index b487d2330f25..ea7f63e1fc17 100644
--- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -2181,7 +2181,9 @@ bool ieee80211_parse_tx_radiotap(struct sk_buff *skb, =20 case IEEE80211_RADIOTAP_ANTENNA: /* this can appear multiple times, keep a bitmap */ - info->control.antennas |=3D BIT(*iterator.this_arg); + /* control.antennas is only a 2-bit bitmap */ + if (*iterator.this_arg < 2) + info->control.antennas |=3D BIT(*iterator.this_arg); break; =20 case IEEE80211_RADIOTAP_DATA_RETRIES: --=20 2.43.0
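Review bot: the bound in "if (*iterator.this_arg < 2)" repeats the width of the antennas:2 bitfield as a bare literal, so widening the field later would silently leave this check stale; derive the bound from the field width (a named constant shared with the struct definition, or at least a comment at the field pointing at this check) so the two cannot drift apart. Also, the hunk header shows the function returns bool, so the commit message should say why an antenna index the bitmap cannot hold is dropped silently rather than treated as a parse failure: the value comes from userspace, and a rejected injection is easier to diagnose than a frame quietly sent with fewer antennas than requested.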
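Added example, not code from the patch or from mac80211: a userspace model of the 2-bit antennas bitfield and the kernel's BIT() macro, showing that the patch's bound is the width of the field and that indices 2 to 63 were already dropped on store before the fix, while only shifts of 64 and above were undefined. The names tx_control_model, antenna_add_unpatched, parse_antennas_patched and the sample values are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace model of what the patch touches (constructed for illustration,
 * not the mac80211 code): the kernel's BIT() macro and the 2-bit
 * control.antennas field (u8 antennas:2) of struct ieee80211_tx_info. */
#define BIT(n) (1UL << (n))
#define ANTENNAS_BITS 2
#define ULONG_BITS (8 * sizeof(unsigned long))

struct tx_control_model {
	uint8_t antennas : ANTENNAS_BITS;
};

/* Unpatched behaviour, limited to shift counts that are defined on an
 * unsigned long so this model has no UB itself. Returns the new bitmap,
 * or -1 where the real code would shift out of bounds (the UBSAN case). */
static int antenna_add_unpatched(uint8_t bitmap, uint8_t idx)
{
	struct tx_control_model c = { .antennas = bitmap };
	if (idx >= ULONG_BITS)
		return -1;
	c.antennas |= BIT(idx);	/* bits >= 2 are silently dropped on store */
	return c.antennas;
}

/* Patched behaviour over a run of IEEE80211_RADIOTAP_ANTENNA arguments: the
 * bound is the bitmap width, so only indices 0 and 1 are kept. Returns the
 * bitmap; *ignored (may be NULL) receives the number of dropped entries. */
static uint8_t parse_antennas_patched(const uint8_t *args, size_t n,
				      unsigned *ignored)
{
	struct tx_control_model c = { 0 };
	unsigned dropped = 0;
	for (size_t i = 0; i < n; i++) {
		if (args[i] < ANTENNAS_BITS)
			c.antennas |= BIT(args[i]);
		else
			dropped++;
	}
	if (ignored)
		*ignored = dropped;
	return c.antennas;
}

/* Constructed sample: two valid indices, one index the 2-bit field cannot
 * hold, and the shift exponent 235 from the UBSAN report above. */
static const uint8_t sample_args[] = { 0, 1, 5, 235 };
static const size_t sample_len = sizeof(sample_args) / sizeof(sample_args[0]);
```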