linux/net/mac80211
Lorenzo Bianconi 59b54f0563 wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration
[ Upstream commit 3e8f7abcc3 ]

Fix possible out-of-bound access in ieee80211_get_rate_duration routine
as reported by the following UBSAN report:

UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47
index 15 is out of range for type 'u16 [12]'
CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic
Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017
Workqueue: mt76 mt76u_tx_status_data [mt76_usb]
Call Trace:
 <TASK>
 show_stack+0x4e/0x61
 dump_stack_lvl+0x4a/0x6f
 dump_stack+0x10/0x18
 ubsan_epilogue+0x9/0x43
 __ubsan_handle_out_of_bounds.cold+0x42/0x47
 ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]
 ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]
 ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]
 ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]
 mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]
 mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]
 mt76u_tx_status_data+0x67/0xd0 [mt76_usb]
 process_one_work+0x225/0x400
 worker_thread+0x50/0x3e0
 ? process_one_work+0x400/0x400
 kthread+0xe9/0x110
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30

Fixes: db3e1c40cf ("mac80211: Import airtime calculation code from mt76")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-08 11:28:40 +01:00
aead_api.c mac80211: Check crypto_aead_encrypt for errors 2021-03-16 21:20:41 +01:00
aead_api.h
aes_ccm.h
aes_cmac.c mac80211: aes_cmac: check crypto_shash_setkey() return value 2021-04-19 12:01:40 +02:00
aes_cmac.h
aes_gcm.h
aes_gmac.c mac80211: Check crypto_aead_encrypt for errors 2021-03-16 21:20:41 +01:00
aes_gmac.h
agg-rx.c mac80211: fix memory leaks with element parsing 2022-10-15 07:59:05 +02:00
agg-tx.c mac80211: refuse aggregations sessions before authorized 2022-03-19 13:47:48 +01:00
airtime.c wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration 2022-12-08 11:28:40 +01:00
cfg.c wifi: mac80211: allow bw change during channel switch in mesh 2022-10-26 12:34:39 +02:00
chan.c wifi: mac80211: fix use-after-free in chanctx code 2022-06-09 10:23:18 +02:00
debug.h
debugfs_key.c mac80211: remove trailing semicolon in macro definitions 2020-12-11 12:51:55 +01:00
debugfs_key.h
debugfs_netdev.c mac80211: Switch to a virtual time-based airtime scheduler 2021-06-23 18:12:00 +02:00
debugfs_netdev.h
debugfs_sta.c mac80211: Switch to a virtual time-based airtime scheduler 2021-06-23 18:12:00 +02:00
debugfs_sta.h
debugfs.c mac80211: Switch to a virtual time-based airtime scheduler 2021-06-23 18:12:00 +02:00
debugfs.h
driver-ops.c mac80211: fix station rate table updates on assoc 2021-02-01 15:07:09 +01:00
driver-ops.h mac80211: mark TX-during-stop for TX in in_reconfig 2021-12-22 09:32:34 +01:00
ethtool.c
fils_aead.c
fils_aead.h
he.c mac80211: fix NULL ptr dereference during mesh peer connection for non HE devices 2021-06-23 18:06:44 +02:00
ht.c mac80211: allow SMPS requests only in client mode 2021-06-23 11:29:13 +02:00
ibss.c mac80211: fix memory leaks with element parsing 2022-10-15 07:59:05 +02:00
ieee80211_i.h wifi: mac80211: fix MBSSID parsing use-after-free 2022-10-15 07:59:05 +02:00
iface.c mac80211: fix monitor_sdata RCU/locking assertions 2021-11-25 09:48:34 +01:00
Kconfig ath9k: fix build error with LEDS_CLASS=m 2021-01-28 09:29:34 +02:00
key.c mac80211: prevent mixed key and fragment cache attacks 2021-05-11 20:12:51 +02:00
key.h mac80211: prevent mixed key and fragment cache attacks 2021-05-11 20:12:51 +02:00
led.c mac80211: don't open-code LED manipulations 2021-06-23 11:29:12 +02:00
led.h mac80211: fix throughput LED trigger 2021-12-08 09:04:38 +01:00
main.c wifi: mac80211: fix memory free error when registering wiphy fail 2022-12-02 17:41:01 +01:00
Makefile mac80211: remove legacy minstrel rate control 2021-01-22 09:11:37 +01:00
mesh_hwmp.c mac80211: always allocate struct ieee802_11_elems 2022-10-15 07:59:05 +02:00
mesh_pathtbl.c wifi: mac80211: Fix ack frame idr leak when mesh has no route 2022-12-02 17:41:01 +01:00
mesh_plink.c mac80211: always allocate struct ieee802_11_elems 2022-10-15 07:59:05 +02:00
mesh_ps.c mac80211: mesh: fix potentially unaligned access 2021-09-23 13:25:09 +02:00
mesh_sync.c mac80211: mesh: clean up rx_bcn_presp API 2022-10-15 07:59:04 +02:00
mesh.c mac80211: always allocate struct ieee802_11_elems 2022-10-15 07:59:05 +02:00
mesh.h mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh 2022-01-11 15:35:13 +01:00
michael.c
michael.h
mlme.c mac80211: fix memory leaks with element parsing 2022-10-15 07:59:05 +02:00
ocb.c
offchannel.c mac80211: Inform AP when returning operating channel 2020-09-28 13:18:53 +02:00
pm.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
rate.c Revert "mac80211: do not use low data rates for data frames with no ack flag" 2021-09-23 12:59:29 +02:00
rate.h mac80211: populate debugfs only after cfg80211 init 2020-04-24 11:30:13 +02:00
rc80211_minstrel_ht_debugfs.c mac80211: minstrel_ht: show sampling rates in debugfs 2021-02-12 08:58:11 +01:00
rc80211_minstrel_ht.c mac80211: minstrel_ht: fix where rate stats are stored (fixes debugfs output) 2022-06-09 10:22:31 +02:00
rc80211_minstrel_ht.h mac80211: minstrel_ht: remove sample rate switching code for constrained devices 2021-02-12 08:58:22 +01:00
rx.c wifi: mac80211: fix crash in beacon protection for P2P-device 2022-10-15 07:59:03 +02:00
s1g.c wifi: mac80211: Set TWT Information Frame Disabled bit as 1 2022-11-16 09:58:14 +01:00
scan.c mac80211: always allocate struct ieee802_11_elems 2022-10-15 07:59:05 +02:00
spectmgmt.c mac80211: 160MHz with extended NSS BW in CSA 2021-01-21 13:39:11 +01:00
sta_info.c net: Use u64_stats_fetch_begin_irq() for stats fetch. 2022-09-08 12:28:07 +02:00
sta_info.h mac80211: fix regression in SSN handling of addba tx 2021-12-22 09:32:34 +01:00
status.c mac80211: introduce individual TWT support in AP mode 2021-08-24 10:30:43 +02:00
tdls.c mac80211: always allocate struct ieee802_11_elems 2022-10-15 07:59:05 +02:00
tkip.c
tkip.h
trace_msg.h
trace.c
trace.h mac80211: introduce individual TWT support in AP mode 2021-08-24 10:30:43 +02:00
tx.c wifi: mac80211: fix regression with non-QoS drivers 2022-10-05 10:39:43 +02:00
util.c wifi: mac80211: fix MBSSID parsing use-after-free 2022-10-15 07:59:05 +02:00
vht.c mac80211: remove NSS number of 160MHz if not support 160MHz for HE 2021-01-21 13:45:13 +01:00
wep.c
wep.h
wme.c wifi: mac80211: fix queue selection for mesh/OCB interfaces 2022-07-21 21:24:13 +02:00
wme.h
wpa.c mac80211: fix use-after-free in CCMP/GCMP RX 2021-09-27 11:59:49 +02:00
wpa.h