
[LTS 9.2] wifi: mac80211: Avoid address calculations via out of bounds array in… #103


Closed
wants to merge 1 commit into from

Conversation

pvts-mat
Contributor

@pvts-mat pvts-mat commented Feb 4, 2025

CVE-2024-41071
VULN-6991

Problem

A bug was submitted at https://bugzilla.kernel.org/show_bug.cgi?id=218810 about array-index-out-of-bounds errors in the mac80211 module when the kernel was compiled with UBSAN (Undefined Behavior Sanitizer) enabled.

I am seeing multiple array-index-out-of-bounds related to `ieee80211_channel[]` iteration.

This is with a Mediatek MT7921 chipset.
I have only tested with kernel 6.8.9, but I don't see any channel index related fixes in master.

This was discovered as part of Gentoo Hardened enabling CONFIG_UBSAN_ARRAY_BOUNDS

[  106.194465] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.8.9/work/linux-6.8/net/wireless/nl80211.c:9203:29
[  106.195063] index 42 is out of range for type 'struct ieee80211_channel *[]'
[  106.195599] CPU: 11 PID: 4166 Comm: wpa_supplicant Not tainted 6.8.9-gentoo-dist-hardened #1
[  106.196038] Hardware name: ASUS System Product Name/TUF GAMING B650M-PLUS WIFI, BIOS 2214 01/02/2024
[  106.196485] Call Trace:
[  106.196913]  <TASK>
[  106.197439]  dump_stack_lvl+0x71/0x90
[  106.197899]  __ubsan_handle_out_of_bounds+0xed/0x160
[  106.198420]  nl80211_exit+0x7c3f/0x21f70 [cfg80211]

Solution

The bug was fixed upstream with commit 2663d0462eb32ae7c9b035300ab6b1523886c718; see https://lore.kernel.org/linux-cve-announce/2024072909-CVE-2024-41071-4eb6@gregkh/T/#u

Fixed in 6.10 with commit 2663d0462eb3

No additional commits that weren't derivative of this one were identified to be related to this issue.

Analysis

The problem doesn't seem to be a vulnerability really, and the solution is less about fixing erroneous code and more about satisfying the UBSAN runtime checker, which apparently needs the index < data_size invariant satisfied at all times instead of only at the end of data construction. This looks like overzealousness on UBSAN's part, which should be checking index < allocated_size, and that is satisfied all right (see the cfg80211_scan_request definition and the local->hw_scan_req allocation with its req->n_channels * sizeof(req->channels[0]) part, sized to fit all the elements inserted inside the later-called ieee80211_prep_hw_scan(…) at lines 371 and 387, at indexes upper-bounded in both cases by req->n_channels, the same req->n_channels used to allocate local->hw_scan_req->req.channels). The 7.8 CVSS score doesn't seem to be justified.
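An added user-space model (not code from this PR or from the kernel) of the ordering the upstream commit changes: the kernel declares the scan request's flexible array as channels[] __counted_by(n_channels), so the sanitizer treats an access as in bounds only while the index is below n_channels at that moment, not below the number of slots kzalloc'ed, which is why the count has to be written before the fill loop rather than after it. struct scan_request, prep_hw_scan() and the channel pool are stand-ins for cfg80211_scan_request, ieee80211_prep_hw_scan() and real channel data; both candidate invariants are checked by hand so the function can report each tally.

```c
#include <stdio.h>
#include <stdlib.h>

/* Spelling of the kernel's __counted_by() annotation. Opt-in (build with
 * -DDEMO_REAL_COUNTED_BY) so the model runs identically on any compiler;
 * recent clang/gcc honour the attribute and, with -fsanitize=bounds, trap
 * exactly where UBSAN did in the report above. */
#if defined(DEMO_REAL_COUNTED_BY) && defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(m) __attribute__((counted_by(m)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(m)
#endif

struct channel { int center_freq; };   /* stand-in for struct ieee80211_channel */

/* Stand-in for struct cfg80211_scan_request: a count plus a flexible array. */
struct scan_request {
	unsigned int n_channels;
	struct channel *channels[] COUNTED_BY(n_channels);
};

struct bounds_report {
	int vs_allocated;   /* accesses with i >= allocated slots: a real overflow */
	int vs_counted;     /* accesses with i >= n_channels at that moment: what UBSAN flags */
};

/* Models ieee80211_prep_hw_scan() copying n_chans channels into a request
 * allocated for exactly n_chans entries, writing the count either before the
 * loop (the fixed ordering) or after it (the original ordering). */
struct bounds_report prep_hw_scan(unsigned int n_chans, int count_before_loop)
{
	struct bounds_report rep = { 0, 0 };
	struct channel pool[8];                 /* constructed stand-in channel data */
	unsigned int i;

	if (n_chans > 8)
		n_chans = 8;
	for (i = 0; i < n_chans; i++)
		pool[i].center_freq = 2412 + 5 * (int)i;

	/* Mirrors kzalloc(sizeof(*req) + n_channels * sizeof(req->channels[0])):
	 * every slot exists in memory, but n_channels starts out as zero. */
	struct scan_request *req =
		calloc(1, sizeof(*req) + n_chans * sizeof(req->channels[0]));
	if (!req) {
		rep.vs_allocated = rep.vs_counted = -1;
		return rep;
	}
	unsigned int allocated = n_chans;

	if (count_before_loop)
		req->n_channels = n_chans;      /* the upstream fix: count first */

	for (i = 0; i < n_chans; i++) {
		if (i >= allocated)             /* never true: allocation is sized by n_chans */
			rep.vs_allocated++;
		if (i >= req->n_channels)       /* true for every i in the original ordering */
			rep.vs_counted++;
		req->channels[i] = &pool[i];
	}

	if (!count_before_loop)
		req->n_channels = n_chans;      /* the original ordering: count last */

	free(req);
	return rep;
}

int main(void)
{
	struct bounds_report before = prep_hw_scan(3, 0);
	struct bounds_report after = prep_hw_scan(3, 1);

	printf("count after loop:  %d vs allocation, %d vs n_channels\n",
	       before.vs_allocated, before.vs_counted);
	printf("count before loop: %d vs allocation, %d vs n_channels\n",
	       after.vs_allocated, after.vs_counted);
	return 0;
}
```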

kABI check: passed

python3 /mnt/code/kernel-dist-git/SOURCES/check-kabi \
        -k /mnt/code/kernel-dist-git/SOURCES/Module.kabi_$(uname -m) \
        -s /mnt/build_files/kernel-src-tree-ciqlts9_2-CVE-2024-41071.bkp/Module.symvers

kernel-dist-git state:

On branch el-9.2
Your branch is up to date with 'origin/el-9.2'.

Boot test: passed

boot-test.log

Kselftests: passed relative

Methodology

A mix of kernel-selftests-internal and source-compiled (f08be21dd6d4b10d0da6f60abbf8c20337f8b836) tests was used:

  • kernel-selftests-internal: bpf tests, except:
    • bpf:test_kmod.sh: takes a very long time to finish and always fails anyway,
    • bpf:test_progs: unstable, can crash the machine,
    • bpf:test_progs-no_alu32: unstable, can crash the machine.
  • source-compiled: all the rest.

Machine preparation:

modprobe mac80211

Coverage (including tests skipped during execution)

bpf, breakpoints, capabilities, cgroup, clone3, core, cpu-hotplug, cpufreq, drivers/dma-buf, drivers/net/bonding, drivers/net/team, efivarfs, filesystems, filesystems/binderfs, filesystems/epoll, firmware, fpu, ftrace, futex, gpio, intel_pstate, ipc, ir, kcmp, landlock, lib, livepatch, membarrier, memfd, memory-hotplug, mincore, mount, mqueue, nci, net, net/forwarding, net/mptcp, netfilter, nsfs, openat2, pid_namespace, pidfd, pstore, ptrace, rlimits, rseq, rtc, seccomp, sgx, sigaltstack, size, splice, static_keys, sync, syscall_user_dispatch, sysctl, tc-testing, tdx, timens, timers, tmpfs, tpm2, user, vDSO, vm, x86, zram

Reference ciqlts9_2 (f08be21dd6d4b10d0da6f60abbf8c20337f8b836)

kselftest–mixed–ciqlts9_2–run1.log
kselftest–mixed–ciqlts9_2–run2.log
kselftest–mixed–ciqlts9_2–run3.log
kselftest–mixed–ciqlts9_2–run4.log
kselftest–mixed–ciqlts9_2–run5.log

Patch (c8c91992be998a22058aef656a0e785be34f332c)

kselftest–mixed–ciqlts9_2-CVE-2024-41071–run1.log
kselftest–mixed–ciqlts9_2-CVE-2024-41071–run2.log

Comparison

Column    File
--------  ----------------------------------------------------
Status0   kselftest--mixed--ciqlts9_2--run1.log
Status1   kselftest--mixed--ciqlts9_2--run2.log
Status2   kselftest--mixed--ciqlts9_2--run3.log
Status3   kselftest--mixed--ciqlts9_2--run4.log
Status4   kselftest--mixed--ciqlts9_2--run5.log
Status5   kselftest--mixed--ciqlts9_2-CVE-2024-41071--run1.log
Status6   kselftest--mixed--ciqlts9_2-CVE-2024-41071--run2.log

TestCase                                               Status0  Status1  Status2  Status3  Status4  Status5  Status6  Summary
bpf:get_cgroup_id_user                                 pass     pass     pass     pass     pass     pass     pass     same
bpf:test_bpftool.sh                                    pass     pass     pass     pass     pass     pass     pass     same
bpf:test_bpftool_build.sh                              pass     pass     pass     pass     pass     pass     pass     same
bpf:test_bpftool_metadata.sh                           pass     pass     pass     pass     pass     pass     pass     same
bpf:test_cgroup_storage                                pass     pass     pass     pass     pass     pass     pass     same
bpf:test_dev_cgroup                                    pass     pass     pass     pass     pass     pass     pass     same
bpf:test_doc_build.sh                                  pass     pass     pass     pass     pass     pass     pass     same
bpf:test_flow_dissector.sh                             pass     pass     pass     pass     pass     pass     pass     same
bpf:test_lirc_mode2.sh                                 pass     pass     pass     pass     pass     pass     pass     same
bpf:test_lpm_map                                       pass     pass     pass     pass     pass     pass     pass     same
bpf:test_lru_map                                       pass     pass     pass     pass     pass     pass     pass     same
bpf:test_lwt_ip_encap.sh                               pass     pass     pass     pass     pass     pass     pass     same
bpf:test_lwt_seg6local.sh                              pass     pass     pass     pass     pass     pass     pass     same
bpf:test_maps                                          pass     pass     pass     pass     pass     pass     pass     same
bpf:test_offload.py                                    pass     pass     pass     pass     pass     pass     pass     same
bpf:test_skb_cgroup_id.sh                              pass     pass     pass     pass     pass     pass     pass     same
bpf:test_sock                                          pass     pass     pass     pass     pass     pass     pass     same
bpf:test_sock_addr.sh                                  pass     pass     pass     pass     pass     pass     pass     same
bpf:test_sockmap                                       pass     pass     pass     pass     pass     pass     pass     same
bpf:test_sysctl                                        pass     pass     pass     pass     pass     pass     pass     same
bpf:test_tag                                           pass     pass     pass     pass     pass     pass     pass     same
bpf:test_tc_edt.sh                                     pass     pass     pass     pass     pass     pass     pass     same
bpf:test_tc_tunnel.sh                                  pass     pass     pass     pass     pass     pass     pass     same
bpf:test_tcp_check_syncookie.sh                        pass     pass     pass     pass     pass     pass     pass     same
bpf:test_tcpnotify_user                                pass     pass     pass     pass     pass     pass     pass     same
bpf:test_tunnel.sh                                     pass     pass     pass     pass     pass     pass     pass     same
bpf:test_verifier                                      pass     pass     pass     pass     pass     pass     pass     same
bpf:test_verifier_log                                  pass     pass     pass     pass     pass     pass     pass     same
bpf:test_xdp_meta.sh                                   pass     pass     pass     pass     pass     pass     pass     same
bpf:test_xdp_redirect.sh                               pass     pass     pass     pass     pass     pass     pass     same
bpf:test_xdp_redirect_multi.sh                         pass     pass     pass     pass     pass     pass     pass     same
bpf:test_xdp_veth.sh                                   pass     pass     pass     pass     pass     pass     pass     same
bpf:test_xdp_vlan_mode_generic.sh                      pass     pass     pass     pass     pass     pass     pass     same
bpf:test_xdp_vlan_mode_native.sh                       pass     pass     pass     pass     pass     pass     pass     same
bpf:test_xdping.sh                                     pass     pass     pass     pass     pass     pass     pass     same
bpf:test_xsk.sh                                        pass     pass     pass     pass     pass     pass     pass     same
bpf:urandom_read                                       pass     pass     pass     pass     pass     pass     pass     same
breakpoints:step_after_suspend_test                    fail     fail     fail     fail     fail     fail     fail     same
capabilities:test_execve                               pass     pass     pass     pass     pass     pass     pass     same
cgroup:test_core                                       pass     pass     pass     pass     pass     pass     pass     same
cgroup:test_cpuset_prs.sh                              pass     pass     pass     pass     pass     pass     pass     same
cgroup:test_freezer                                    pass     pass     pass     pass     pass     pass     pass     same
cgroup:test_kill                                       pass     pass     pass     pass     pass     pass     pass     same
cgroup:test_kmem                                       pass     pass     pass     pass     pass     pass     pass     same
cgroup:test_memcontrol                                 fail     fail     fail     fail     fail     fail     fail     same
cgroup:test_stress.sh                                  fail     fail     fail     fail     fail     fail     fail     same
clone3:clone3                                          pass     pass     pass     pass     pass     pass     pass     same
clone3:clone3_cap_checkpoint_restore                   pass     pass     pass     pass     pass     pass     pass     same
clone3:clone3_clear_sighand                            pass     pass     pass     pass     pass     pass     pass     same
clone3:clone3_set_tid                                  pass     pass     pass     pass     pass     pass     pass     same
core:close_range_test                                  pass     pass     pass     pass     pass     pass     pass     same
cpu-hotplug:cpu-on-off-test.sh                         pass     pass     pass     pass     pass     pass     pass     same
cpufreq:main.sh                                        fail     fail     fail     fail     fail     fail     fail     same
drivers/dma-buf:udmabuf                                pass     pass     pass     pass     pass     pass     pass     same
drivers/net/bonding:bond-arp-interval-causes-panic.sh  pass     pass     pass     pass     pass     pass     pass     same
drivers/net/bonding:bond-break-lacpdu-tx.sh            pass     pass     pass     pass     pass     pass     pass     same
drivers/net/bonding:bond-lladdr-target.sh              pass     pass     pass     pass     pass     pass     pass     same
drivers/net/bonding:dev_addr_lists.sh                  skip     skip     skip     skip     skip     skip     skip     same
drivers/net/bonding:mode-1-recovery-updelay.sh         pass     pass     pass     pass     pass     pass     pass     same
drivers/net/bonding:mode-2-recovery-updelay.sh         pass     pass     pass     pass     pass     pass     pass     same
drivers/net/team:dev_addr_lists.sh                     skip     skip     skip     skip     skip     skip     skip     same
efivarfs:efivarfs.sh                                   skip     skip     skip     skip     skip     skip     skip     same
filesystems/binderfs:binderfs_test                     fail     fail     fail     fail     fail     fail     fail     same
filesystems/epoll:epoll_wakeup_test                    pass     pass     pass     pass     pass     pass     pass     same
filesystems:devpts_pts                                 skip     skip     skip     skip     skip     skip     skip     same
firmware:fw_run_tests.sh                               skip     skip     skip     skip     skip     skip     skip     same
fpu:run_test_fpu.sh                                    skip     skip     skip     skip     skip     skip     skip     same
fpu:test_fpu                                           pass     pass     pass     pass     pass     pass     pass     same
ftrace:ftracetest                                      fail     fail     fail     fail     fail     fail     fail     same
futex:run.sh                                           fail     fail     fail     fail     fail     fail     fail     same
gpio:gpio-mockup.sh                                    fail     fail     fail     fail     fail     fail     fail     same
intel_pstate:run.sh                                    pass     pass     pass     pass     pass     pass     pass     same
ipc:msgque                                             pass     pass     pass     pass     pass     pass     pass     same
ir:ir_loopback.sh                                      skip     skip     skip     skip     skip     skip     skip     same
kcmp:kcmp_test                                         pass     pass     pass     pass     pass     pass     pass     same
landlock:base_test                                     fail     fail     fail     fail     fail     fail     fail     same
landlock:fs_test                                       fail     fail     fail     fail     fail     fail     fail     same
landlock:ptrace_test                                   fail     fail     fail     fail     fail     fail     fail     same
lib:bitmap.sh                                          skip     skip     skip     skip     skip     skip     skip     same
lib:prime_numbers.sh                                   skip     skip     skip     skip     skip     skip     skip     same
lib:printf.sh                                          skip     skip     skip     skip     skip     skip     skip     same
lib:scanf.sh                                           skip     skip     skip     skip     skip     skip     skip     same
lib:strscpy.sh                                         skip     skip     skip     skip     skip     skip     skip     same
livepatch:test-callbacks.sh                            pass     pass     pass     pass     pass     pass     pass     same
livepatch:test-ftrace.sh                               pass     pass     pass     pass     pass     pass     pass     same
livepatch:test-livepatch.sh                            pass     pass     pass     pass     pass     pass     pass     same
livepatch:test-shadow-vars.sh                          pass     pass     pass     pass     pass     pass     pass     same
livepatch:test-state.sh                                pass     pass     pass     pass     pass     pass     pass     same
membarrier:membarrier_test_multi_thread                pass     pass     pass     pass     pass     pass     pass     same
membarrier:membarrier_test_single_thread               pass     pass     pass     pass     pass     pass     pass     same
memfd:memfd_test                                       pass     pass     pass     pass     pass     pass     pass     same
memfd:run_fuse_test.sh                                 fail     fail     fail     fail     fail     fail     fail     same
memfd:run_hugetlbfs_test.sh                            pass     pass     pass     pass     pass     pass     pass     same
memory-hotplug:mem-on-off-test.sh                      pass     pass     pass     pass     pass     pass     pass     same
mincore:mincore_selftest                               fail     fail     fail     fail     fail     fail     fail     same
mount:run_nosymfollow.sh                               fail     fail     fail     fail     fail     fail     fail     same
mount:run_unprivileged_remount.sh                      fail     fail     fail     fail     fail     fail     fail     same
mqueue:mq_open_tests                                   pass     pass     pass     pass     pass     pass     pass     same
mqueue:mq_perf_tests                                   fail     fail     pass     fail     fail     pass     pass     diff
nci:nci_dev                                            fail     fail     fail     fail     fail     fail     fail     same
net/forwarding:bridge_igmp.sh                          skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:bridge_locked_port.sh                   skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:bridge_mld.sh                           skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:bridge_port_isolation.sh                skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:bridge_sticky_fdb.sh                    skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:bridge_vlan_aware.sh                    skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:bridge_vlan_mcast.sh                    skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:bridge_vlan_unaware.sh                  skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:custom_multipath_hash.sh                skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:dual_vxlan_bridge.sh                    skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ethtool.sh                              skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ethtool_extended_state.sh               skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:gre_custom_multipath_hash.sh            skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:gre_inner_v4_multipath.sh               skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:gre_inner_v6_multipath.sh               skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:gre_multipath.sh                        skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:gre_multipath_nh.sh                     skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:gre_multipath_nh_res.sh                 skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:hw_stats_l3.sh                          skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:hw_stats_l3_gre.sh                      skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ip6_forward_instats_vrf.sh              skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ip6gre_custom_multipath_hash.sh         skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ip6gre_flat.sh                          skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ip6gre_flat_key.sh                      skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ip6gre_flat_keys.sh                     skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ip6gre_hier.sh                          skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ip6gre_hier_key.sh                      skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ip6gre_hier_keys.sh                     skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ip6gre_inner_v4_multipath.sh            skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ip6gre_inner_v6_multipath.sh            skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ipip_flat_gre.sh                        skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ipip_flat_gre_key.sh                    skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ipip_flat_gre_keys.sh                   skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ipip_hier_gre.sh                        skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ipip_hier_gre_key.sh                    skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:ipip_hier_gre_keys.sh                   skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:loopback.sh                             skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre.sh                           skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_bound.sh                     skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_bridge_1d.sh                 skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_bridge_1d_vlan.sh            skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_bridge_1q.sh                 skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_bridge_1q_lag.sh             skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_changes.sh                   skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_flower.sh                    skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_lag_lacp.sh                  skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_neigh.sh                     skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_nh.sh                        skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_vlan.sh                      skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_gre_vlan_bridge_1q.sh            skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:mirror_vlan.sh                          skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:pedit_dsfield.sh                        skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:pedit_ip.sh                             skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:pedit_l4port.sh                         skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:q_in_vni.sh                             skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:q_in_vni_ipv6.sh                        skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:router.sh                               skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:router_bridge.sh                        skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:router_bridge_vlan.sh                   skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:router_broadcast.sh                     skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:router_mpath_nh.sh                      skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:router_mpath_nh_res.sh                  skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:router_multicast.sh                     skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:router_multipath.sh                     skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:router_nh.sh                            skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:router_vid_1.sh                         skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:sch_ets.sh                              skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:sch_red.sh                              skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:sch_tbf_ets.sh                          skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:sch_tbf_prio.sh                         skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:sch_tbf_root.sh                         skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:skbedit_priority.sh                     skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:tc_actions.sh                           skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:tc_chains.sh                            skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:tc_flower.sh                            skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:tc_flower_router.sh                     skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:tc_mpls_l2vpn.sh                        skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:tc_police.sh                            skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:tc_shblocks.sh                          skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:tc_vlan_modify.sh                       skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_asymmetric.sh                     skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_asymmetric_ipv6.sh                skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_bridge_1d.sh                      skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_bridge_1d_ipv6.sh                 skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_bridge_1d_port_8472.sh            skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_bridge_1d_port_8472_ipv6.sh       skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_bridge_1q.sh                      skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_bridge_1q_ipv6.sh                 skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_bridge_1q_port_8472.sh            skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_bridge_1q_port_8472_ipv6.sh       skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_symmetric.sh                      skip     skip     skip     skip     skip     skip     skip     same
net/forwarding:vxlan_symmetric_ipv6.sh                 skip     skip     skip     skip     skip     skip     skip     same
net/mptcp:diag.sh                                      fail     fail     fail     fail     fail     fail     fail     same
net/mptcp:mptcp_connect.sh                             fail     fail     fail     fail     fail     fail     fail     same
net/mptcp:mptcp_join.sh                                fail     fail     fail     fail     fail     fail     fail     same
net/mptcp:mptcp_sockopt.sh                             fail     fail     fail     fail     fail     fail     fail     same
net/mptcp:pm_netlink.sh                                fail     fail     fail     fail     fail     fail     fail     same
net/mptcp:simult_flows.sh                              fail     fail     fail     fail     fail     fail     fail     same
net/mptcp:userspace_pm.sh                              fail     fail     fail     fail     fail     fail     fail     same
net:altnames.sh                                        skip     skip     skip     skip     skip     skip     skip     same
net:bareudp.sh                                         pass     pass     pass     pass     pass     pass     pass     same
net:cmsg_so_mark.sh                                    fail     fail     fail     fail     fail     fail     fail     same
net:devlink_port_split.py                              skip     skip     skip     skip     skip     skip     skip     same
net:drop_monitor_tests.sh                              skip     skip     skip     skip     skip     skip     skip     same
net:fcnal-test.sh                                      skip     skip     skip     skip     skip     skip     skip     same
net:fib-onlink-tests.sh                                pass     pass     pass     pass     pass     pass     pass     same
net:fib_nexthop_multiprefix.sh                         pass     pass     pass     pass     pass     pass     pass     same
net:fib_nexthops.sh                                    fail     fail     fail     fail     fail     fail     fail     same
net:fib_rule_tests.sh                                  pass     pass     pass     pass     pass     pass     pass     same
net:fib_tests.sh                                       fail     fail     fail     fail     fail     fail     fail     same
net:fin_ack_lat.sh                                     fail     fail     fail     fail     fail     fail     fail     same
net:gre_gso.sh                                         skip     skip     skip     skip     skip     skip     skip     same
net:gro.sh                                             fail     fail     fail     fail     fail     fail     fail     same
net:icmp.sh                                            fail     fail     fail     fail     fail     fail     fail     same
net:icmp_redirect.sh                                   pass     pass     pass     pass     pass     pass     pass     same
net:ip6_gre_headroom.sh                                pass     pass     pass     pass     pass     pass     pass     same
net:ip_defrag.sh                                       fail     fail     fail     fail     fail     fail     fail     same
net:ipv6_flowlabel.sh                                  fail     fail     fail     fail     fail     fail     fail     same
net:l2tp.sh                                            pass     pass     pass     pass     pass     pass     pass     same
net:msg_zerocopy.sh                                    fail     fail     fail     fail     fail     fail     fail     same
net:netdevice.sh                                       pass     pass     pass     pass     pass     pass     pass     same
net:pmtu.sh                                            pass     pass     pass     pass     pass     pass     pass     same
net:psock_snd.sh                                       fail     fail     fail     fail     fail     fail     fail     same
net:reuseaddr_conflict                                 pass     pass     pass     pass     pass     pass     pass     same
net:reuseaddr_ports_exhausted.sh                       fail     fail     fail     fail     fail     fail     fail     same
net:reuseport_addr_any.sh                              fail     fail     fail     fail     fail     fail     fail     same
net:reuseport_bpf                                      pass     pass     pass     pass     pass     pass     pass     same
net:reuseport_bpf_cpu                                  pass     pass     pass     pass     pass     pass     pass     same
net:reuseport_bpf_numa                                 pass     pass     pass     pass     pass     pass     pass     same
net:reuseport_dualstack                                pass     pass     pass     pass     pass     pass     pass     same
net:route_localnet.sh                                  pass     pass     pass     pass     pass     pass     pass     same
net:rps_default_mask.sh                                fail     fail     fail     fail     fail     fail     fail     same
net:rtnetlink.sh                                       skip     skip     skip     skip     skip     skip     skip     same
net:run_afpackettests                                  fail     fail     fail     fail     fail     fail     fail     same
net:run_netsocktests                                   fail     fail     fail     fail     fail     fail     fail     same
net:rxtimestamp.sh                                     fail     fail     fail     fail     fail     fail     fail     same
net:so_txtime.sh                                       fail     fail     fail     fail     fail     fail     fail     same
net:stress_reuseport_listen.sh                         fail     fail     fail     fail     fail     fail     fail     same
net:tcp_fastopen_backup_key.sh                         fail     fail     fail     fail     fail     fail     fail     same
net:test_blackhole_dev.sh                              fail     fail     fail     fail     fail     fail     fail     same
net:test_bpf.sh                                        pass     pass     pass     pass     pass     pass     pass     same
net:test_vxlan_fdb_changelink.sh                       pass     pass     pass     pass     pass     pass     pass     same
net:test_vxlan_under_vrf.sh                            pass     pass     pass     pass     pass     pass     pass     same
net:tls                                                pass     pass     pass     pass     pass     pass     pass     same
net:traceroute.sh                                      pass     pass     pass     pass     pass     pass     pass     same
net:txtimestamp.sh                                     fail     fail     fail     fail     fail     fail     fail     same
net:udpgro.sh                                          fail     fail     fail     fail     fail     fail     fail     same
net:udpgro_bench.sh                                    fail     fail     fail     fail     fail     fail     fail     same
net:udpgro_fwd.sh                                      fail     fail     fail     fail     fail     fail     fail     same
net:udpgso.sh                                          fail     fail     fail     fail     fail     fail     fail     same
net:udpgso_bench.sh                                    fail     fail     fail     fail     fail     fail     fail     same
net:unicast_extensions.sh                              skip     skip     skip     skip     skip     skip     skip     same
net:veth.sh                                            fail     fail     fail     fail     fail     fail     fail     same
net:vrf-xfrm-tests.sh                                  pass     pass     pass     pass     pass     pass     pass     same
net:vrf_route_leaking.sh                               fail     fail     fail     fail     fail     fail     fail     same
net:vrf_strict_mode_test.sh                            pass     pass     pass     pass     pass     pass     pass     same
net:xfrm_policy.sh                                     pass     pass     pass     pass     pass     pass     pass     same
netfilter:bridge_brouter.sh                            skip     skip     skip     skip     skip     skip     skip     same
netfilter:conntrack_icmp_related.sh                    pass     pass     pass     pass     pass     pass     pass     same
netfilter:conntrack_tcp_unreplied.sh                   fail     fail     fail     fail     fail     fail     fail     same
netfilter:conntrack_vrf.sh                             fail     fail     fail     fail     fail     fail     fail     same
netfilter:ipip-conntrack-mtu.sh                        skip     skip     skip     skip     skip     skip     skip     same
netfilter:ipvs.sh                                      skip     skip     skip     skip     skip     skip     skip     same
netfilter:nf_nat_edemux.sh                             skip     skip     skip     skip     skip     skip     skip     same
netfilter:nft_concat_range.sh                          fail     fail     fail     fail     fail     fail     fail     same
netfilter:nft_conntrack_helper.sh                      skip     skip     skip     skip     skip     skip     skip     same
netfilter:nft_fib.sh                                   pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_flowtable.sh                             fail     fail     fail     fail     fail     fail     fail     same
netfilter:nft_meta.sh                                  pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_nat.sh                                   fail     fail     fail     fail     fail     fail     fail     same
netfilter:nft_queue.sh                                 fail     fail     fail     fail     fail     fail     fail     same
netfilter:nft_trans_stress.sh                          pass     pass     pass     pass     pass     pass     pass     same
netfilter:rpath.sh                                     pass     pass     pass     pass     pass     pass     pass     same
nsfs:owner                                             pass     pass     pass     pass     pass     pass     pass     same
nsfs:pidns                                             pass     pass     pass     pass     pass     pass     pass     same
openat2:openat2_test                                   fail     fail     fail     fail     fail     fail     fail     same
openat2:rename_attack_test                             pass     pass     pass     pass     pass     pass     pass     same
openat2:resolve_test                                   fail     fail     fail     fail     fail     fail     fail     same
pid_namespace:regression_enomem                        pass     pass     pass     pass     pass     pass     pass     same
pidfd:pidfd_fdinfo_test                                pass     pass     pass     pass     pass     pass     pass     same
pidfd:pidfd_getfd_test                                 pass     pass     pass     pass     pass     pass     pass     same
pidfd:pidfd_open_test                                  pass     pass     pass     pass     pass     pass     pass     same
pidfd:pidfd_poll_test                                  pass     pass     pass     pass     pass     pass     pass     same
pidfd:pidfd_setns_test                                 pass     pass     pass     pass     pass     pass     pass     same
pidfd:pidfd_test                                       pass     pass     pass     pass     pass     pass     pass     same
pidfd:pidfd_wait                                       pass     pass     pass     pass     pass     pass     pass     same
pstore:pstore_post_reboot_tests                        skip     skip     skip     skip     skip     skip     skip     same
pstore:pstore_tests                                    fail     fail     fail     fail     fail     fail     fail     same
ptrace:get_syscall_info                                pass     pass     pass     pass     pass     pass     pass     same
ptrace:peeksiginfo                                     pass     pass     pass     pass     pass     pass     pass     same
ptrace:vmaccess                                        fail     fail     fail     fail     fail     fail     fail     same
rlimits:rlimits-per-userns                             pass     pass     pass     pass     pass     pass     pass     same
rseq:basic_percpu_ops_test                             pass     pass     pass     pass     pass     pass     pass     same
rseq:basic_test                                        pass     pass     pass     pass     pass     pass     pass     same
rseq:param_test                                        pass     pass     pass     pass     pass     pass     pass     same
rseq:param_test_benchmark                              pass     pass     pass     pass     pass     pass     pass     same
rseq:param_test_compare_twice                          pass     pass     pass     pass     pass     pass     pass     same
rseq:run_param_test.sh                                 fail     fail     fail     fail     fail     fail     fail     same
rtc:rtctest                                            fail     fail     pass     pass     pass     fail     fail     diff
seccomp:seccomp_benchmark                              pass     pass     pass     pass     pass     pass     pass     same
seccomp:seccomp_bpf                                    pass     pass     pass     pass     pass     pass     pass     same
sgx:test_sgx                                           fail     fail     fail     fail     fail     fail     fail     same
sigaltstack:sas                                        pass     pass     pass     pass     pass     pass     pass     same
size:get_size                                          pass     pass     pass     pass     pass     pass     pass     same
splice:default_file_splice_read.sh                     pass     pass     pass     pass     pass     pass     pass     same
splice:short_splice_read.sh                            fail     fail     fail     fail     fail     fail     fail     same
static_keys:test_static_keys.sh                        skip     skip     skip     skip     skip     skip     skip     same
sync:sync_test                                         skip     skip     skip     skip     skip     skip     skip     same
syscall_user_dispatch:sud_benchmark                    pass     pass     pass     pass     pass     pass     pass     same
syscall_user_dispatch:sud_test                         pass     pass     pass     pass     pass     pass     pass     same
sysctl:sysctl.sh                                       skip     skip     skip     skip     skip     skip     skip     same
tc-testing:tdc.sh                                      fail     fail     fail     fail     fail     fail     fail     same
tdx:tdx_guest_test                                     fail     fail     fail     fail     fail     fail     fail     same
timens:clock_nanosleep                                 pass     pass     pass     pass     pass     pass     pass     same
timens:exec                                            pass     pass     pass     pass     pass     pass     pass     same
timens:futex                                           pass     pass     pass     pass     pass     pass     pass     same
timens:procfs                                          pass     pass     pass     pass     pass     pass     pass     same
timens:timens                                          pass     pass     pass     pass     pass     pass     pass     same
timens:timer                                           pass     pass     pass     pass     pass     pass     pass     same
timens:timerfd                                         pass     pass     pass     pass     pass     pass     pass     same
timens:vfork_exec                                      pass     pass     pass     pass     pass     pass     pass     same
timers:inconsistency-check                             pass     pass     pass     pass     pass     pass     pass     same
timers:mqueue-lat                                      pass     pass     pass     pass     pass     pass     pass     same
timers:nanosleep                                       pass     pass     pass     pass     pass     pass     pass     same
timers:nsleep-lat                                      pass     pass     pass     pass     pass     pass     pass     same
timers:posix_timers                                    pass     pass     pass     pass     pass     pass     pass     same
timers:raw_skew                                        pass     pass     pass     pass     pass     pass     pass     same
timers:rtcpie                                          pass     pass     pass     pass     pass     pass     pass     same
timers:set-timer-lat                                   pass     pass     pass     pass     pass     pass     pass     same
timers:threadtest                                      pass     pass     pass     pass     pass     pass     pass     same
tmpfs:bug-link-o-tmpfile                               pass     pass     pass     pass     pass     pass     pass     same
tpm2:test_smoke.sh                                     skip     skip     skip     skip     skip     skip     skip     same
tpm2:test_space.sh                                     skip     skip     skip     skip     skip     skip     skip     same
user:test_user_copy.sh                                 skip     skip     skip     skip     skip     skip     skip     same
vDSO:vdso_standalone_test_x86                          pass     pass     pass     pass     pass     pass     pass     same
vDSO:vdso_test_abi                                     pass     pass     pass     pass     pass     pass     pass     same
vDSO:vdso_test_clock_getres                            pass     pass     pass     pass     pass     pass     pass     same
vDSO:vdso_test_correctness                             pass     pass     pass     pass     pass     pass     pass     same
vDSO:vdso_test_getcpu                                  pass     pass     pass     pass     pass     pass     pass     same
vDSO:vdso_test_gettimeofday                            pass     pass     pass     pass     pass     pass     pass     same
vm:run_vmtests.sh                                      fail     fail     fail     fail     fail     fail     fail     same
x86:amx_64                                             fail     fail     fail     fail     fail     fail     fail     same
x86:check_initial_reg_state_64                         pass     pass     pass     pass     pass     pass     pass     same
x86:corrupt_xstate_header_64                           pass     pass     pass     pass     pass     pass     pass     same
x86:fsgsbase_64                                        pass     pass     pass     pass     pass     pass     pass     same
x86:fsgsbase_restore_64                                pass     pass     pass     pass     pass     pass     pass     same
x86:ioperm_64                                          pass     pass     pass     pass     pass     pass     pass     same
x86:iopl_64                                            pass     pass     pass     pass     pass     pass     pass     same
x86:mov_ss_trap_64                                     pass     pass     pass     pass     pass     pass     pass     same
x86:sigaltstack_64                                     pass     pass     pass     pass     pass     pass     pass     same
x86:sigreturn_64                                       pass     pass     pass     pass     pass     pass     pass     same
x86:single_step_syscall_64                             pass     pass     pass     pass     pass     pass     pass     same
x86:syscall_arg_fault_64                               pass     pass     pass     pass     pass     pass     pass     same
x86:syscall_nt_64                                      pass     pass     pass     pass     pass     pass     pass     same
x86:syscall_numbering_64                               pass     pass     pass     pass     pass     pass     pass     same
x86:sysret_rip_64                                      pass     pass     pass     pass     pass     pass     pass     same
x86:sysret_ss_attrs_64                                 pass     pass     pass     pass     pass     pass     pass     same
x86:test_mremap_vdso_64                                pass     pass     pass     pass     pass     pass     pass     same
x86:test_vsyscall_64                                   pass     pass     pass     pass     pass     pass     pass     same
zram:zram.sh                                           pass     pass     pass     pass     pass     pass     pass     same

The only differences are for mqueue:mq_perf_tests and rtc:rtctest, which pass and fail within the reference kernel check as well. Added to the list of unreliable tests at https://docs.google.com/spreadsheets/d/1tUwJ2rV57cYZXh7momPtraSjZcHDjMYHLeHA3DYWrUU/edit?pli=1&gid=0#gid=0&range=J:J.

Specific tests: inconclusive

An attempt was made to replicate the errors mentioned in https://bugzilla.kernel.org/show_bug.cgi?id=218810. The reference kernel ciqlts9_2 was compiled with the CONFIG_UBSAN=y option set and a naive iw call was used in the hope of triggering the ieee80211_scan_work(…) function, but the replication failed because the VM had no wireless devices installed; the test confirmed only that the mac80211 module was loaded.

$ iw dev
[   19.428690] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   19.430357] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   19.431678] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   19.433096] cfg80211: failed to load regulatory.db

No further attempts were made to replicate this issue.

…dexing

jira VULN-6991
cve CVE-2024-41071
commit-author Kenton Groombridge <concord@gentoo.org>
commit 2663d04

req->n_channels must be set before req->channels[] can be used.

This patch fixes one of the issues encountered in [1].

[   83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4
[   83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'
[...]
[   83.964264] Call Trace:
[   83.964267]  <TASK>
[   83.964269]  dump_stack_lvl+0x3f/0xc0
[   83.964274]  __ubsan_handle_out_of_bounds+0xec/0x110
[   83.964278]  ieee80211_prep_hw_scan+0x2db/0x4b0
[   83.964281]  __ieee80211_start_scan+0x601/0x990
[   83.964291]  nl80211_trigger_scan+0x874/0x980
[   83.964295]  genl_family_rcv_msg_doit+0xe8/0x160
[   83.964298]  genl_rcv_msg+0x240/0x270
[...]

[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810

Co-authored-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Link: https://msgid.link/20240605152218.236061-1-concord@gentoo.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry picked from commit 2663d04)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
@gvrose8192 gvrose8192 self-requested a review February 4, 2025 16:59

@gvrose8192 gvrose8192 left a comment

No diff from upstream, the code does not appear to have any side effects outside the local function - LGTM. Thanks!

@PlaidCat PlaidCat left a comment

:shipit:

This code looks good and things are in place, I really appreciate your testing when it comes to the individual test results.

WRT the Analysis and the Important 7.8 rating, I've reached out to one of our key security engineers who might be able to help shed some light. My guess is that even though there are not a lot of remote aspects, the Impact ratings are all really high.

It could also be that for the specific code base we're working on it's not quite as high and the max value is Important - 7.8.
Does that make sense?

@bmastbergen bmastbergen left a comment

🥌

solardiz commented Feb 4, 2025

Thank you @pvts-mat for your analysis.

My current understanding is that there were two related commits, the CVE captures only one of them, and it shouldn't have been a CVE.

https://bugzilla.kernel.org/show_bug.cgi?id=218810 lists 3 distinct UBSAN crashes referencing 2 source files. It also links to a commit fixing 1 of the files (net/wireless/nl80211.c):

https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git/commit/?id=838c7b8f1f278404d9d684c34a8cb26dc41aaaa1

Then the CVE assignment message references stable tree commits for the other 1 file (net/mac80211/scan.c):

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2663d0462eb32ae7c9b035300ab6b1523886c718

Now, why would UBSAN be triggered here? There's this commit:

torvalds/linux@e3eac9f

-       struct ieee80211_channel *channels[];
+       struct ieee80211_channel *channels[] __counted_by(n_channels);
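
Review bot: with this annotation every `channels[i]` access is checked at runtime against the value `n_channels` holds at that moment, not against the size of the allocation, so the attribute is only safe if each site assigns `n_channels` before it populates `channels[]`; the "index 0 is out of range" report in the commit message is exactly a site that filled the array first. Since `channels[]` is followed in the same allocation by the IE bytes, which the count cannot describe, pointers into that trailing region should be derived from the allocation base rather than by indexing `channels[]` at or beyond `n_channels`.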

Both fix commits for the UBSAN detection issues also mention "Before request->channels[] can be used, request->n_channels must be set." and "req->n_channels must be set before req->channels[] can be used." At first this sounded like nonsense to me, but seeing the above commit it all makes sense. The code got this annotation, but didn't keep the n_channels field in sync with actual usage, thereby triggering UBSAN.

Another issue is that the flexible array is used as two concatenated arrays - it's also followed by ies. The second array elements are of a different type, so we can't just add the two sizes (measured in elements) together. And so the annotation only covers the first array's size, and the code now tries to avoid exposing its "out of bounds" accesses to the second array in net/wireless/nl80211.c (and in fact, I think here it hides accesses to the first array from UBSAN as well).

cc: @kees @0xC0ncord in case you guys have any comments as you were involved in making these fixes. Thanks!

The problem doesn't seem to be a vulnerability really, and the solution is less about the fix of erroneous code and more about satisfying the UBSAN runtime checker, which apparently needs to have the index < data_size invariant satisfied at all times instead of only at the end of data construction.

It would actually be a reasonable requirement of UBSAN to require that pointers stay within their target objects at all times (or point just past the end of the object, which is a special case allowed by the C standards), because the compiler is free to make this assumption when optimizing. So it would be reasonable for it to insist on that invariant being satisfied at all times (although only for operations giving pointers, not indices) rather than only at the end.

However, this would only make a difference if the code added something and then subtracted something else from a pointer (or did the equivalent via array indexing and taking address). This doesn't appear to have been the case here. There are only (implied) additions and multiplications.
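
The interaction described in the comment above (a flexible array annotated `__counted_by(n_channels)` whose count is assigned only after the array has been filled, plus the IE bytes that follow `channels[]` in the same allocation) can be modelled in userspace. The following is an added example, not kernel code and not part of this PR; the struct, field and function names are assumptions standing in for cfg80211_scan_request and the two allocation sites the fixes touch:

```c
/* Added example, not kernel code: a userspace model of the
 * cfg80211_scan_request layout discussed in the thread (a flexible array
 * channels[] annotated __counted_by(n_channels), followed in the same
 * allocation by the IE bytes). Struct, field and function names are
 * assumptions chosen for the demo, not the real kernel definitions.
 *
 * To see the sanitizer behaviour from the bug report, build with a
 * compiler that implements the attribute and enable the bounds sanitizer:
 *   clang -fsanitize=bounds -O1 counted_by_demo.c && ./a.out
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(m) __attribute__((counted_by(m)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(m) /* attribute unsupported: plain flexible array */
#endif

struct channel { int center_freq; };   /* stand-in for struct ieee80211_channel */

struct scan_request {
    size_t ie_len;
    uint8_t *ie;                       /* IE bytes live after channels[] in the same block */
    unsigned int n_channels;
    struct channel *channels[] COUNTED_BY(n_channels);
};

/* One allocation: header + n pointers + ie_len bytes. The ie pointer is
 * computed from the allocation base, not by indexing channels[], so no
 * counted_by-checked access happens while n_channels is still 0. */
static struct scan_request *scan_request_alloc(unsigned int n, size_t ie_len)
{
    size_t chan_bytes = (size_t)n * sizeof(struct channel *);
    size_t base = offsetof(struct scan_request, channels);
    struct scan_request *req = calloc(1, base + chan_bytes + ie_len);

    if (!req)
        return NULL;
    req->ie = (uint8_t *)req + base + chan_bytes;
    req->ie_len = ie_len;
    return req;
}

/* Pre-fix ordering: populate channels[] and only then record the count.
 * With counted_by honoured, every store is checked against the current
 * n_channels (still 0), so the bounds sanitizer reports
 * "index 0 is out of range for type 'struct channel *[]'" on the first
 * iteration. Without the sanitizer it leaves exactly the same memory
 * contents as fill_count_first(): the fix changes no runtime behaviour. */
static unsigned int fill_count_last(struct scan_request *req,
                                    struct channel *const *src, unsigned int n)
{
    for (unsigned int i = 0; i < n; i++)
        req->channels[i] = src[i];     /* checked against n_channels == 0 */
    req->n_channels = n;
    return req->n_channels;
}

/* Post-fix ordering: n_channels is set before channels[] is touched. */
static unsigned int fill_count_first(struct scan_request *req,
                                     struct channel *const *src, unsigned int n)
{
    req->n_channels = n;               /* must precede any channels[] use */
    for (unsigned int i = 0; i < n; i++)
        req->channels[i] = src[i];
    return req->n_channels;
}

/* Check the "two concatenated arrays" layout: the IE region must start
 * exactly one element past the counted array, and copying IEs must not
 * disturb the channel pointers. Returns 1 when consistent, 0 otherwise. */
static int scan_request_consistent(const struct scan_request *req,
                                   struct channel *const *src, unsigned int n,
                                   const uint8_t *ies, size_t ie_len)
{
    if (req->n_channels != n || req->ie_len != ie_len)
        return 0;
    if (req->ie != (const uint8_t *)(req->channels + req->n_channels))
        return 0;
    for (unsigned int i = 0; i < n; i++)
        if (req->channels[i] != src[i])
            return 0;
    return memcmp(req->ie, ies, ie_len) == 0;
}

/* Runs both orderings on constructed input; returns 1 if they leave
 * identical, consistent requests behind. */
static int demo_orderings(void)
{
    static struct channel ch[3] = { { 2412 }, { 2437 }, { 2462 } };  /* constructed sample */
    struct channel *src[3] = { &ch[0], &ch[1], &ch[2] };
    static const uint8_t ies[] = { 0x00, 0x04, 't', 'e', 's', 't' }; /* constructed SSID IE */
    struct scan_request *a = scan_request_alloc(3, sizeof ies);
    struct scan_request *b = scan_request_alloc(3, sizeof ies);
    int ok = 0;

    if (!a || !b)
        goto out;
    fill_count_last(a, src, 3);
    fill_count_first(b, src, 3);
    memcpy(a->ie, ies, sizeof ies);
    memcpy(b->ie, ies, sizeof ies);
    ok = scan_request_consistent(a, src, 3, ies, sizeof ies) &&
         scan_request_consistent(b, src, 3, ies, sizeof ies) &&
         memcmp(a->channels, b->channels, 3 * sizeof(struct channel *)) == 0;
out:
    free(a);
    free(b);
    return ok;
}

int main(void)
{
    int ok = demo_orderings();

    printf("both orderings consistent: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Built without the sanitizer, demo_orderings() returns 1 for both orderings, which illustrates the point made later in the thread that the fix alters no runtime behaviour; built with -fsanitize=bounds on a compiler that honours counted_by, fill_count_last() is reported on its first store while fill_count_first() stays silent. Where the attribute is absent, whether because the compiler lacks it or because the struct in the tree under test was never annotated, the two orderings cannot be told apart at runtime.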

solardiz commented Feb 4, 2025

My current understanding is that there were two related commits, the CVE captures only one of them, and it shouldn't have been a CVE.

I also looked at nearby CVE assignment messages to see if the other commit possibly got its own CVE - but it seems not.
https://lists.openwall.net/linux-cve-announce/2024/07/29/

pvts-mat commented Feb 4, 2025

Now, why would UBSAN be triggered here? There's this commit:

torvalds/linux@e3eac9f

-       struct ieee80211_channel *channels[];
+       struct ieee80211_channel *channels[] __counted_by(n_channels);

Both fix commits for the UBSAN detection issues also mention "Before request->channels[] can be used, request->n_channels must be set." and "req->n_channels must be set before req->channels[] can be used." At first this sounded like nonsense to me, but seeing the above commit it all makes sense. The code got this annotation, but didn't keep the n_channels field in sync with actual usage, thereby triggering UBSAN.

Yes! I was missing that part as well. It's obviously not a part of the C language definition or something that a variable named "n_‹array›" dictates the size of "‹array›", so I looked for annotations as well, didn't find them, assumed that UBSAN uses some other methods I'm not aware of and dropped the issue, as investigating how UBSAN works was not part of the task at hand. The doubts raised about the 7.8 rating were in part motivated by wanting to solve this mystery in a discussion. Thanks!

solardiz commented Feb 4, 2025

see cfg80211_scan_request definition

Note that we do not even have the array size annotation in there, and indeed the commit you reference is a recent one in our LTS 9.2 https://github.com/ctrliq/kernel-src-tree/commits/ciqlts9_2/ - so there's nothing to fix for this product.

@PlaidCat PlaidCat self-requested a review February 5, 2025 14:52
@PlaidCat PlaidCat left a comment

Blocking accidental merges while we wait for comment.

The way we are approaching the ordering of CVEs may not line up with our upstream fork's order of commits, so they may have brought something back for another CVE that then makes this valid after that change, so I don't necessarily want to cancel this at the moment.

0xC0ncord commented Feb 5, 2025

@solardiz Your analysis of the patch is way better than anything I could have written.

This is the first time I've heard of CVE-2024-41071, which should never have been filed for this. The patch doesn't fix any security issue or even alter runtime behavior in any way. It just, as you wrote, satisfies UBSAN by making sure to update n_channels before data is written to the flexible array.

EDIT: It looks like the CVE was withdrawn a few moments ago.

PlaidCat commented Feb 5, 2025

@solardiz Your analysis of the patch is way better than anything I could have written.

This is the first time I've heard of CVE-2024-41071, which should never have been filed for this. The patch doesn't fix any security issue or even alter runtime behavior in any way. It just, as you wrote, satisfies UBSAN by making sure to update n_channels before data is written to the flexible array.

EDIT: It looks like the CVE was withdrawn a few moments ago.

@0xC0ncord I appreciate you jumping in and reviewing @solardiz 's statements after @pvts-mat looked deeper into this CVE during their analysis and work.
Thank You

I'm going to close this commit and mark all our internal VULNs as such.

@PlaidCat PlaidCat closed this Feb 5, 2025
6 participants