[PATCH wifi] wifi: mac80211: fix NULL dereference of eht_oper in ieee80211_start_ap()

Weiming Shi posted 1 patch 1 week, 1 day ago
net/mac80211/cfg.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
From: Weiming Yang <weiming3@asu.edu>

ieee80211_start_ap() enters the EHT block when params->eht_cap is set,
but its last statement unconditionally dereferences params->eht_oper.
The two pointers are parsed from separate beacon-tail elements in
nl80211_calculate_ap_params(), and an EHT Operation element is not
required to be present when an EHT Capability element is. A beacon tail
carrying an HE Capability and HE Operation element (so he_support is
set) plus an EHT Capability element, but no EHT Operation element, thus
dereferences a NULL params->eht_oper:

 KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
 RIP: 0010:ieee80211_start_ap (net/mac80211/cfg.c:1599)
 Call Trace:
  nl80211_start_ap (net/wireless/nl80211.c:7177)
  genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
  genl_rcv_msg (net/netlink/genetlink.c:1209)
  netlink_rcv_skb (net/netlink/af_netlink.c:2550)
  genl_rcv (net/netlink/genetlink.c:1218)
  netlink_unicast (net/netlink/af_netlink.c:1344)
  netlink_sendmsg (net/netlink/af_netlink.c:1894)
  __sys_sendto (net/socket.c:2265)

NL80211_CMD_START_AP uses GENL_UNS_ADMIN_PERM, so this is reachable by
an unprivileged user in a user namespace.

Guard the dereference on params->eht_oper, as the HE block above already
does for params->he_oper.

Fixes: 22c64f37e1d4 ("wifi: mac80211: Update MCS15 support in link_conf")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
---
 net/mac80211/cfg.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 7b77d57c9f96f..5e8d4ccaa6be4 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1595,9 +1595,10 @@ static int ieee80211_start_ap(struct wiphy *wiphy, struct net_device *dev,
 				(IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_80MHZ |
 				 IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_160MHZ |
 				 IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_320MHZ);
-		link_conf->eht_disable_mcs15 =
-			u8_get_bits(params->eht_oper->params,
-				    IEEE80211_EHT_OPER_MCS15_DISABLE);
+		if (params->eht_oper)
+			link_conf->eht_disable_mcs15 =
+				u8_get_bits(params->eht_oper->params,
+					    IEEE80211_EHT_OPER_MCS15_DISABLE);
 	} else {
 		link_conf->eht_su_beamformer = false;
 		link_conf->eht_su_beamformee = false;
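Review bot: the new `if (params->eht_oper)` guard leaves `link_conf->eht_disable_mcs15` untouched when the EHT Operation element is absent, so a value set by an earlier start_ap on the same link_conf survives into the new configuration, whereas the `else` branch below explicitly resets `eht_su_beamformer` and `eht_su_beamformee` to false. Consider adding an `else` that assigns `link_conf->eht_disable_mcs15 = false;` (and checking whether the `else` branch for the non-EHT case should clear it too) so the field is always derived from the current parameters.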
-- 
2.43.0