[Bug 269322] ieee80211_scanreq() should validate ssid len passed to ioctl()

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 04 Feb 2023 18:14:44 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269322

            Bug ID: 269322
           Summary: ieee80211_scanreq() should validate ssid len passed to
                    ioctl()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #239906 mime type: text/plain

Created attachment 239906
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239906&action=edit
crash the 80211 scan code with a negative ssid len

ieee80211_scanreq() says:

        for (i = 0; i < sr->sr_nssid; i++)
                if (sr->sr_ssid[i].len > IEEE80211_NWID_LEN)
                        return EINVAL;

len is an int, so this code will accept a negative len passed to ioctl
SIOCS80211 / IEEE80211_IOC_SCAN_REQ. Later on, ieee80211_add_ssid()
passes len to memcpy(), which causes a crash if it's negative.

I've attached a demo:

# cc wlanctl2b.c
# ./a.out
panic: Fatal page fault at 0xffffffc00065ff3a: 0xffffffc11352d006
cpuid = 0
time = 1675517224
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x170
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0xffffffc11352d006
memcpy() at memcpy+0x8e
ieee80211_add_ssid() at ieee80211_add_ssid+0x28
ieee80211_probereq_ie() at ieee80211_probereq_ie+0xac
ieee80211_send_probereq() at ieee80211_send_probereq+0x126
ieee80211_swscan_probe_curchan() at ieee80211_swscan_probe_curchan+0x58
ieee80211_probe_curchan() at ieee80211_probe_curchan+0x30
scan_curchan() at scan_curchan+0x70
scan_curchan_task() at scan_curchan_task+0x292
scan_start() at scan_start+0x18a
taskqueue_run_locked() at taskqueue_run_locked+0x96
taskqueue_thread_loop() at taskqueue_thread_loop+0x62
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa
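The report's point is that a signed `len` only checked against an upper bound lets a negative value reach `memcpy()`, where it becomes a huge `size_t`. The following is an added example, not code from the report or from the FreeBSD tree: it models the scan-request structures with constructed stand-ins (the real ones live in the net80211 headers and have more fields; `EXAMPLE_SCAN_MAX_SSID` is a placeholder cap, not the kernel's constant), puts the check as quoted beside a variant that also rejects negative lengths, and includes a `build_ssid_ie()` helper modelled on what `ieee80211_add_ssid()` does with `len`, refusing to copy when the length is out of range.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the net80211 structures the report refers to.
 * Only the fields this example needs are modelled, and the cap on sr_nssid
 * is a placeholder value, not the kernel's own constant. */
#define IEEE80211_NWID_LEN 32       /* maximum SSID length, as on the page */
#define EXAMPLE_SCAN_MAX_SSID 3     /* placeholder cap for the constructed struct */

struct ssid_entry {
    int len;                        /* signed: a negative value is representable */
    unsigned char ssid[IEEE80211_NWID_LEN];
};

struct scan_req {
    int sr_nssid;
    struct ssid_entry sr_ssid[EXAMPLE_SCAN_MAX_SSID];
};

/* The check as quoted from ieee80211_scanreq(): upper bound only.
 * A negative len is never > IEEE80211_NWID_LEN, so it is accepted. */
static int validate_ssids_as_reported(const struct scan_req *sr)
{
    for (int i = 0; i < sr->sr_nssid; i++)
        if (sr->sr_ssid[i].len > IEEE80211_NWID_LEN)
            return EINVAL;
    return 0;
}

/* Hardened variant: bound the entry count and reject negative lengths. */
static int validate_ssids_hardened(const struct scan_req *sr)
{
    if (sr->sr_nssid < 0 || sr->sr_nssid > EXAMPLE_SCAN_MAX_SSID)
        return EINVAL;
    for (int i = 0; i < sr->sr_nssid; i++) {
        int len = sr->sr_ssid[i].len;
        if (len < 0 || len > IEEE80211_NWID_LEN)
            return EINVAL;
    }
    return 0;
}

/* Build an SSID information element (element ID 0, length byte, SSID bytes)
 * into out, modelled on the copy ieee80211_add_ssid() performs with len.
 * The copy is refused unless len is in range, so even a caller that skipped
 * validation cannot hand memcpy() a negative int that converts to a huge
 * size_t. Returns the number of bytes written, or 0 when rejected. */
static size_t build_ssid_ie(unsigned char *out, size_t outlen,
                            const struct ssid_entry *e)
{
    if (e->len < 0 || e->len > IEEE80211_NWID_LEN)
        return 0;
    if (outlen < 2 + (size_t)e->len)
        return 0;
    out[0] = 0;                     /* element ID: SSID */
    out[1] = (unsigned char)e->len;
    memcpy(out + 2, e->ssid, (size_t)e->len);
    return 2 + (size_t)e->len;
}

/* Helpers that build a one-SSID request with the given len and run each
 * check, so both validators can be compared on identical input. */
static struct scan_req one_ssid_request(int len)
{
    struct scan_req sr;
    memset(&sr, 0, sizeof sr);
    sr.sr_nssid = 1;
    sr.sr_ssid[0].len = len;
    memcpy(sr.sr_ssid[0].ssid, "lab", 3);   /* constructed sample SSID bytes */
    return sr;
}

static int reported_check_result(int len)
{
    struct scan_req sr = one_ssid_request(len);
    return validate_ssids_as_reported(&sr);
}

static int hardened_check_result(int len)
{
    struct scan_req sr = one_ssid_request(len);
    return validate_ssids_hardened(&sr);
}

static size_t ie_bytes_for_len(int len)
{
    struct scan_req sr = one_ssid_request(len);
    unsigned char ie[2 + IEEE80211_NWID_LEN];
    return build_ssid_ie(ie, sizeof ie, &sr.sr_ssid[0]);
}

int main(void)
{
    int lens[] = { 3, IEEE80211_NWID_LEN, IEEE80211_NWID_LEN + 1, -1 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%3d reported=%s hardened=%s ie_bytes=%zu\n", lens[i],
               reported_check_result(lens[i]) == 0 ? "accept" : "EINVAL",
               hardened_check_result(lens[i]) == 0 ? "accept" : "EINVAL",
               ie_bytes_for_len(lens[i]));
    return 0;
}
```

Running it shows the divergence the report describes: for `len = -1` the quoted check returns 0 (accepted) while the hardened check returns `EINVAL`, and for in-range values both agree. Checking both ends of the range at the ioctl boundary is the fix; the guard inside `build_ssid_ie()` is defence in depth for the point where the signed length is converted to `size_t`.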
