On Thu, Jun 03, 2021 at 09:28:52AM -0700, Zubin Mithra wrote:
From: Anant Thazhemadam anant.thazhemadam@gmail.com
commit 2d9463083ce92636a1bdd3e30d1236e3e95d859e upstream
syzbot discovered a bug in which an OOB access was being made because an unsuitable key_idx value was wrongly considered to be acceptable while deleting a key in nl80211_del_key().
Since we don't know the cipher at the time of deletion, if cfg80211_validate_key_settings() were to be called directly in nl80211_del_key(), even valid keys would be wrongly determined invalid, and deletion wouldn't occur correctly. For this reason, a new function - cfg80211_valid_key_idx(), has been created, to determine if the key_idx value provided is valid or not. cfg80211_valid_key_idx() is directly called in 2 places - nl80211_del_key(), and cfg80211_validate_key_settings().
Reported-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com Tested-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com Suggested-by: Johannes Berg johannes@sipsolutions.net Signed-off-by: Anant Thazhemadam anant.thazhemadam@gmail.com Link: https://lore.kernel.org/r/20201204215825.129879-1-anant.thazhemadam@gmail.co... Cc: stable@vger.kernel.org [also disallow IGTK key IDs if no IGTK cipher is supported] Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Zubin Mithra zsm@chromium.org
Queued up, thanks!