linux/net/wireless
Luciano Coelho f89f46cf3a nl80211: check matches array length before accessing it
If the userspace passes a malformed sched scan request (or a net
detect wowlan configuration) by adding a NL80211_ATTR_SCHED_SCAN_MATCH
attribute without any nested matchsets, a NULL pointer dereference
will occur.  Fix this by checking that we do have matchsets in our
array before trying to access it.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
IP: [<ffffffffa002fd69>] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
PGD 865c067 PUD 865b067 PMD 0
Oops: 0002 [#1] SMP
Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) [last unloaded: compat]
CPU: 2 PID: 2442 Comm: iw Tainted: G           O   3.17.2 #31
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff880013800790 ti: ffff880008d80000 task.ti: ffff880008d80000
RIP: 0010:[<ffffffffa002fd69>]  [<ffffffffa002fd69>] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
RSP: 0018:ffff880008d838d0  EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000143c RSI: 0000000000000000 RDI: ffff880008ee8dd0
RBP: ffff880008d83948 R08: 0000000000000002 R09: 0000000000000019
R10: ffff88001d1b3c40 R11: 0000000000000002 R12: ffff880019e85e00
R13: 00000000fffffed4 R14: ffff880009757800 R15: 0000000000001388
FS:  00007fa3b6d13700(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000024 CR3: 0000000008670000 CR4: 00000000000006e0
Stack:
 ffff880009757800 ffff880000000001 0000000000000000 ffff880008ee84e0
 0000000000000000 ffff880009757800 00000000fffffed4 ffff880008d83948
 ffffffff814689c9 ffff880009757800 ffff880008ee8000 0000000000000000
Call Trace:
 [<ffffffff814689c9>] ? nla_parse+0xb9/0x120
 [<ffffffffa00306de>] nl80211_set_wowlan+0x75e/0x960 [cfg80211]
 [<ffffffff810bf3d5>] ? mark_held_locks+0x75/0xa0
 [<ffffffff8161a77b>] genl_family_rcv_msg+0x18b/0x360
 [<ffffffff810bf66d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffff8161a9d4>] genl_rcv_msg+0x84/0xc0
 [<ffffffff8161a950>] ? genl_family_rcv_msg+0x360/0x360
 [<ffffffff81618e79>] netlink_rcv_skb+0xa9/0xd0
 [<ffffffff81619458>] genl_rcv+0x28/0x40
 [<ffffffff816184a5>] netlink_unicast+0x105/0x180
 [<ffffffff8161886f>] netlink_sendmsg+0x34f/0x7a0
 [<ffffffff8105a097>] ? kvm_clock_read+0x27/0x40
 [<ffffffff815c644d>] sock_sendmsg+0x8d/0xc0
 [<ffffffff811a75c9>] ? might_fault+0xb9/0xc0
 [<ffffffff811a756e>] ? might_fault+0x5e/0xc0
 [<ffffffff815d5d26>] ? verify_iovec+0x56/0xe0
 [<ffffffff815c73e0>] ___sys_sendmsg+0x3d0/0x3e0
 [<ffffffff810a7be8>] ? sched_clock_cpu+0x98/0xd0
 [<ffffffff810611b4>] ? __do_page_fault+0x254/0x580
 [<ffffffff810bb39f>] ? up_read+0x1f/0x40
 [<ffffffff810611b4>] ? __do_page_fault+0x254/0x580
 [<ffffffff812146ed>] ? __fget_light+0x13d/0x160
 [<ffffffff815c7b02>] __sys_sendmsg+0x42/0x80
 [<ffffffff815c7b52>] SyS_sendmsg+0x12/0x20
 [<ffffffff81751f69>] system_call_fastpath+0x16/0x1b

Fixes: ea73cbce4e ("nl80211: fix scheduled scan RSSI matchset attribute confusion")
Cc: stable@vger.kernel.org [3.15+]
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2014-12-12 12:33:25 +01:00
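The pattern the commit message describes (an array whose length is derived from the number of nested matchsets, left NULL when that count is zero, and a post-loop write to element 0 that only tested a loop counter) is easy to reproduce outside the kernel. The following is an added, constructed C model of that part of nl80211_parse_sched_scan, not cfg80211's own code: the struct names, the attribute representation and the RSSI_THOLD_OFF sentinel are assumptions chosen for the example. The fault address in the oops above (CR2 0x24) is what a store through a NULL array base to a field at a small offset looks like; the model keeps the length check the fix adds so the malformed input is accepted with an empty array instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of nl80211 matchset parsing; names, layout and the
 * RSSI_THOLD_OFF value are assumptions, not the kernel's definitions. */
#define MAX_SSID_LEN   32
#define RSSI_THOLD_OFF INT32_MIN        /* sentinel: no threshold given */

struct matchset_attr {                  /* one nested matchset from userspace */
	bool has_ssid, has_rssi;
	uint8_t ssid[MAX_SSID_LEN];
	size_t ssid_len;
	int32_t rssi;
};

struct sched_scan_attrs {               /* the request attributes that matter here */
	bool has_match_attr;            /* NL80211_ATTR_SCHED_SCAN_MATCH present? */
	const struct matchset_attr *sets;   /* nested matchsets, possibly none */
	size_t n_sets;
};

struct match_set { uint8_t ssid[MAX_SSID_LEN]; uint8_t ssid_len; int32_t rssi_thold; };

struct sched_scan_request {
	int n_match_sets;
	struct match_set *match_sets;   /* trails the struct; NULL when n_match_sets == 0 */
};

/* Pass 1: how many slots to allocate; SSID-less matchsets only set a default RSSI. */
static int count_match_sets(const struct sched_scan_attrs *a, int32_t *def_rssi)
{
	int n = 0;
	*def_rssi = RSSI_THOLD_OFF;
	for (size_t k = 0; a->has_match_attr && k < a->n_sets; k++) {
		if (a->sets[k].has_ssid)
			n++;
		else if (a->sets[k].has_rssi)
			*def_rssi = a->sets[k].rssi;
	}
	if (n == 0 && *def_rssi != RSSI_THOLD_OFF)
		n = 1;                  /* the RSSI-only matchset stands alone */
	return n;
}

/* Pass 2: allocate once and fill. Returns NULL for invalid input (-EINVAL). */
struct sched_scan_request *parse_sched_scan(const struct sched_scan_attrs *a)
{
	int32_t def_rssi;
	int n = count_match_sets(a, &def_rssi), i = 0;
	struct sched_scan_request *req = calloc(1, sizeof(*req) + (size_t)n * sizeof(struct match_set));

	if (!req)
		return NULL;
	req->n_match_sets = n;
	if (n)
		req->match_sets = (struct match_set *)(req + 1);

	for (size_t k = 0; a->has_match_attr && k < a->n_sets; k++) {
		const struct matchset_attr *s = &a->sets[k];
		if (!s->has_ssid)
			continue;
		if (s->ssid_len > MAX_SSID_LEN) {
			free(req);
			return NULL;
		}
		memcpy(req->match_sets[i].ssid, s->ssid, s->ssid_len);
		req->match_sets[i].ssid_len = (uint8_t)s->ssid_len;
		req->match_sets[i].rssi_thold = s->has_rssi ? s->rssi : def_rssi;
		i++;
	}

	/* No SSID matchset was filled, so the RSSI-only one takes slot 0.  Testing
	 * only "i == 0" is the bug: attribute present, no nested matchsets, n == 0,
	 * match_sets == NULL, and this store faults near address 0.  Check the length. */
	if (a->has_match_attr && i == 0 && req->n_match_sets)
		req->match_sets[0].rssi_thold = def_rssi;
	return req;
}

/* Scenario 1: the malformed request from the commit message. Returns 0 when it
 * is accepted with an empty, NULL match-set array instead of faulting. */
int demo_empty_match_attr(void)
{
	struct sched_scan_attrs a = { .has_match_attr = true, .sets = NULL, .n_sets = 0 };
	struct sched_scan_request *r = parse_sched_scan(&a);
	int ok = (r && r->n_match_sets == 0 && r->match_sets == NULL) ? 0 : -1;
	free(r);
	return ok;
}

/* Scenario 2: an RSSI-only matchset next to an SSID matchset; the SSID set
 * inherits the default threshold. Returns that threshold (constructed input). */
int32_t demo_ssid_inherits_rssi(void)
{
	struct matchset_attr s[2] = {
		{ .has_rssi = true, .rssi = -60 },
		{ .has_ssid = true, .ssid = "corp-wifi", .ssid_len = 9 },
	};
	struct sched_scan_attrs a = { .has_match_attr = true, .sets = s, .n_sets = 2 };
	struct sched_scan_request *r = parse_sched_scan(&a);
	int32_t t = (r && r->n_match_sets == 1) ? r->match_sets[0].rssi_thold : 0;
	free(r);
	return t;
}
```

Removing `&& req->n_match_sets` from the final condition and running demo_empty_match_attr() under a debugger or a sanitizer reproduces the write through a NULL base that the oops records; the two-pass count-then-fill shape is also why the guard has to be on the array length rather than on the loop counter alone, since `i` stays 0 both when there are no matchsets at all and when the only one is the RSSI default.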
.gitignore
ap.c cfg80211: export interface stopping function 2014-05-06 15:16:34 +02:00
chan.c cfg80211: Fix 160 MHz channels with 80+80 and 160 MHz drivers 2014-12-12 12:18:47 +01:00
core.c cfg80211: leave invalid channels on regdomain change 2014-11-28 14:33:41 +01:00
core.h cfg80211: add wowlan net-detect support 2014-11-19 18:45:45 +01:00
db.txt
debugfs.c mac80211: fix some snprintf misuses 2013-10-01 12:16:51 +02:00
debugfs.h
ethtool.c cfg80211: make ethtool the driver's responsibility 2014-06-23 11:05:33 +02:00
genregdb.awk wireless: fixup genregdb.awk for remove of antenna gain from wireless-regd 2014-07-21 12:24:20 +02:00
ibss.c cfg80211: clear connect keys when freeing them 2014-09-11 12:07:18 +02:00
Kconfig cfg80211: make WEXT compatibility unselectable 2014-11-28 12:21:34 +01:00
lib80211.c lib80211: remove unused print_ssid() 2014-10-14 02:18:27 +02:00
lib80211_crypt_ccmp.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
lib80211_crypt_tkip.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
lib80211_crypt_wep.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
Makefile cfg80211: 802.11p OCB mode handling 2014-11-04 13:18:17 +01:00
mesh.c cfg80211: export interface stopping function 2014-05-06 15:16:34 +02:00
mlme.c cfg80211/mac80211: add wmm info to assoc event 2014-09-11 12:24:39 +02:00
nl80211.c nl80211: check matches array length before accessing it 2014-12-12 12:33:25 +01:00
nl80211.h cfg80211/mac80211: add wmm info to assoc event 2014-09-11 12:24:39 +02:00
ocb.c cfg80211: 802.11p OCB mode handling 2014-11-04 13:18:17 +01:00
radiotap.c radiotap: fix bitmap-end-finding buffer overrun 2013-12-16 12:06:43 +01:00
rdev-ops.h cfg80211: introduce TDLS channel switch commands 2014-11-19 18:45:12 +01:00
reg.c cfg80211: avoid mem leak on driver hint set 2014-12-12 12:25:33 +01:00
reg.h cfg80211: Enable GO operation on indoor channels 2014-04-09 10:55:37 +02:00
regdb.h
scan.c cfg80211: add Intel Mobile Communications copyright 2014-09-05 13:52:06 +02:00
sme.c cfg80211: set the rates mask in connection probes over specified freq 2014-10-10 17:11:13 +02:00
sysfs.c net: wireless: convert class code to use dev_groups 2013-07-25 16:34:40 -07:00
sysfs.h net: misc: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
trace.c cfg80211: add tracing to rdev-ops 2012-10-18 10:53:37 +02:00
trace.h cfg80211: introduce TDLS channel switch commands 2014-11-19 18:45:12 +01:00
util.c cfg80211: 802.11p OCB mode handling 2014-11-04 13:18:17 +01:00
wext-compat.c cfg80211: clear wext keys when freeing and removing them 2014-09-11 12:07:28 +02:00
wext-compat.h cfg80211: remove unused wiphy argument from cfg80211_wext_freq() 2014-04-10 10:06:19 +02:00
wext-core.c wext: include wireless event id when it has a size problem 2012-09-05 16:12:44 +02:00
wext-priv.c
wext-proc.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
wext-sme.c cfg80211: clear connect keys when freeing them 2014-09-11 12:07:18 +02:00
wext-spy.c