[Bug 269321] kernel page fault in ieee80211_scan_copy_ssid() if sr_nssid = -1

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 04 Feb 2023 14:08:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269321

            Bug ID: 269321
           Summary: kernel page fault in ieee80211_scan_copy_ssid() if
                    sr_nssid = -1
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #239900 mime type: text/plain

Created attachment 239900
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239900&action=edit
crash by passing sr_nssid=-1 to ioctl SIOCS80211 IEEE80211_IOC_SCAN_REQ

If an SIOCS80211 / IEEE80211_IOC_SCAN_REQ ioctl sets sr_nssid to -1,
eventually ieee80211_scan_copy_ssid() runs

        memcpy(ss->ss_ssid, ssids, nssid * sizeof(ssids[0]));

which crashes.

The code has sanity-checks like

        if (nssid > IEEE80211_SCAN_MAX_SSID) {
           // error
        }

but nssid is often declared to be int, and there's no check for < 0. A negative count passes the upper-bound check, and once it is converted to size_t in the multiplication it becomes a huge length for memcpy().
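The check pattern described above beside a hardened version, as an added illustration that is not part of the bug report or of the FreeBSD source. IEEE80211_SCAN_MAX_SSID and the SSID struct are stand-ins defined locally so the example runs on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Limit as used in FreeBSD's net80211 (assumed value, defined here so the
 * example is self-contained). */
#define IEEE80211_SCAN_MAX_SSID 4

/* Stand-in for the kernel's per-SSID entry: a length plus a 32-byte SSID. */
struct ssid_entry {
    int len;
    uint8_t ssid[32];
};

/* The check pattern the report describes: nssid is a signed int and only the
 * upper bound is tested, so a negative count is accepted. Returns 1 if the
 * request would pass validation. */
int accept_nssid_upper_bound_only(int nssid)
{
    if (nssid > IEEE80211_SCAN_MAX_SSID)
        return 0;
    return 1;
}

/* Hardened check: reject negative counts as well as oversized ones. */
int accept_nssid_hardened(int nssid)
{
    if (nssid < 0 || nssid > IEEE80211_SCAN_MAX_SSID)
        return 0;
    return 1;
}

/* Byte count the memcpy would be handed. The int is converted to size_t for
 * the multiplication, so -1 becomes SIZE_MAX and the product wraps to an
 * enormous value rather than a negative one. */
size_t copy_length(int nssid)
{
    return (size_t)nssid * sizeof(struct ssid_entry);
}

/* Copy that validates before touching memory. Returns the number of bytes
 * copied, or 0 when the count is rejected (no memcpy is performed then). */
size_t copy_ssids(struct ssid_entry *dst, const struct ssid_entry *src, int nssid)
{
    if (!accept_nssid_hardened(nssid))
        return 0;
    memcpy(dst, src, copy_length(nssid));
    return copy_length(nssid);
}
```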

I've attached a demo, which yields:

# cc wlanctl2a.c
# ./a.out
panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffc073570000
panic() at panic+0x2a
vm_fault_lookup() at vm_fault_lookup+0x1bc
vm_fault() at vm_fault+0x9c
vm_fault_trap() at vm_fault_trap+0x66
page_fault_handler() at page_fault_handler+0x17a
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 15, tval = 0xffffffc073570000
memcpy() at memcpy+0xf8
ieee80211_scan_copy_ssid() at ieee80211_scan_copy_ssid+0x4e
ieee80211_swscan_check_scan() at ieee80211_swscan_check_scan+0x6e
ieee80211_check_scan() at ieee80211_check_scan+0x168
ieee80211_scanreq() at ieee80211_scanreq+0x2b8
ieee80211_ioctl_scanreq() at ieee80211_ioctl_scanreq+0x6e
ieee80211_ioctl_set80211() at ieee80211_ioctl_set80211+0x9b8
ieee80211_ioctl() at ieee80211_ioctl+0x30e
ifioctl() at ifioctl+0x318
soo_ioctl() at soo_ioctl+0x2d8
fo_ioctl() at fo_ioctl+0xa
kern_ioctl() at kern_ioctl+0x242
sys_ioctl() at sys_ioctl+0x120
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
