Date: Sat, 04 Feb 2023 14:08:36 +0000
From: bugzilla-noreply@freebsd.org
To: wireless@FreeBSD.org
Subject: [Bug 269321] kernel page fault in ieee80211_scan_copy_ssid() if sr_nssid = -1
Message-ID: <bug-269321-21060@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269321

Bug ID: 269321
Summary: kernel page fault in ieee80211_scan_copy_ssid() if sr_nssid = -1
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Attachment #239900 text/plain mime type:

Created attachment 239900
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239900&action=edit
crash by passing sr_nssid=-1 to ioctl SIOCS80211 IEEE80211_IOC_SCAN_REQ

If an SIOCS80211 / IEEE80211_IOC_SCAN_REQ ioctl sets sr_nssid to -1,
eventually ieee80211_scan_copy_ssid() runs

    memcpy(ss->ss_ssid, ssids, nssid * sizeof(ssids[0]));

which crashes. The code has sanity-checks like

    if (nssid > IEEE80211_SCAN_MAX_SSID) { // error

but nssid is often declared to be int, and there's no check for < 0.

I've attached a demo, which yields:

# cc wlanctl2a.c
# ./a.out
panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffc073570000
panic() at panic+0x2a
vm_fault_lookup() at vm_fault_lookup+0x1bc
vm_fault() at vm_fault+0x9c
vm_fault_trap() at vm_fault_trap+0x66
page_fault_handler() at page_fault_handler+0x17a
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 15, tval = 0xffffffc073570000
memcpy() at memcpy+0xf8
ieee80211_scan_copy_ssid() at ieee80211_scan_copy_ssid+0x4e
ieee80211_swscan_check_scan() at ieee80211_swscan_check_scan+0x6e
ieee80211_check_scan() at ieee80211_check_scan+0x168
ieee80211_scanreq() at ieee80211_scanreq+0x2b8
ieee80211_ioctl_scanreq() at ieee80211_ioctl_scanreq+0x6e
ieee80211_ioctl_set80211() at ieee80211_ioctl_set80211+0x9b8
ieee80211_ioctl() at ieee80211_ioctl+0x30e
ifioctl() at ifioctl+0x318
soo_ioctl() at soo_ioctl+0x2d8
fo_ioctl() at fo_ioctl+0xa
kern_ioctl() at kern_ioctl+0x242
sys_ioctl() at sys_ioctl+0x120
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72

-- 
You are receiving this mail because:
You are the assignee for the bug.
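The defect the report describes is a signed count passed through a one-sided bounds check. Below is an added, stand-alone C model of the check as it should look; it is not code from the report or from FreeBSD's net80211 tree. The struct names, the helper name scan_copy_ssid_checked, and the values of SCAN_MAX_SSID and NWID_LEN are assumptions chosen to mirror the shapes in the report, and the inputs are constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the net80211 limits (assumed values). */
#define SCAN_MAX_SSID 3
#define NWID_LEN      32

/* Assumed layout of one requested SSID and of the scan state. */
struct ssid_entry {
	int     len;
	uint8_t ssid[NWID_LEN];
};

struct scan_state {
	int               ss_nssid;
	struct ssid_entry ss_ssid[SCAN_MAX_SSID];
};

/*
 * Hardened copy. The pattern in the report checks only nssid > MAX with
 * nssid an int, so -1 passes. In
 *     memcpy(dst, src, nssid * sizeof(src[0]))
 * the int is converted to size_t for the multiplication, the size becomes
 * close to SIZE_MAX, and memcpy reads far past the source buffer. Checking
 * the lower bound (or carrying the count as an unsigned type from the ioctl
 * boundary onward) closes that hole; per-entry lengths are bounded as well.
 */
static int
scan_copy_ssid_checked(struct scan_state *ss, const struct ssid_entry *ssids,
    int nssid)
{
	int i;

	if (nssid < 0 || nssid > SCAN_MAX_SSID)
		return (EINVAL);
	for (i = 0; i < nssid; i++) {
		if (ssids[i].len < 0 || ssids[i].len > NWID_LEN)
			return (EINVAL);
	}
	ss->ss_nssid = nssid;
	/* The cast is now safe: nssid is known to be in [0, SCAN_MAX_SSID]. */
	memcpy(ss->ss_ssid, ssids, (size_t)nssid * sizeof(ssids[0]));
	return (0);
}

int
main(void)
{
	struct scan_state st;
	/* Constructed request: two SSIDs, as an ioctl caller might supply. */
	struct ssid_entry req[2] = { { 4, "home" }, { 5, "guest" } };
	int rc;

	memset(&st, 0, sizeof(st));
	rc = scan_copy_ssid_checked(&st, req, -1);
	printf("nssid=-1 -> %d (EINVAL=%d)\n", rc, EINVAL);
	rc = scan_copy_ssid_checked(&st, req, 2);
	printf("nssid=2  -> %d, copied %d entries\n", rc, st.ss_nssid);
	return (0);
}
```

The same check belongs at the ioctl boundary where sr_nssid is first read, so that no later consumer has to reason about the sign of a count that already passed one filter.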