Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2021 / CVE-2021-47395.mbox
blob: 8e5d4c9344b07129de39cd2b9229dcaa1e41a81a [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2021-47395: mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
Limit max values for vht mcs and nss in ieee80211_parse_tx_radiotap
routine in order to fix the following warning reported by syzbot:
WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]
WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244
Modules linked in:
CPU: 0 PID: 10717 Comm: syz-executor.5 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]
RIP: 0010:ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244
RSP: 0018:ffffc9000186f3e8 EFLAGS: 00010216
RAX: 0000000000000618 RBX: ffff88804ef76500 RCX: ffffc900143a5000
RDX: 0000000000040000 RSI: ffffffff888f478e RDI: 0000000000000003
RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000100
R10: ffffffff888f46f9 R11: 0000000000000000 R12: 00000000fffffff8
R13: ffff88804ef7653c R14: 0000000000000001 R15: 0000000000000004
FS: 00007fbf5718f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2de23000 CR3: 000000006a671000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
ieee80211_monitor_select_queue+0xa6/0x250 net/mac80211/iface.c:740
netdev_core_pick_tx+0x169/0x2e0 net/core/dev.c:4089
__dev_queue_xmit+0x6f9/0x3710 net/core/dev.c:4165
__bpf_tx_skb net/core/filter.c:2114 [inline]
__bpf_redirect_no_mac net/core/filter.c:2139 [inline]
__bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162
____bpf_clone_redirect net/core/filter.c:2429 [inline]
bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401
bpf_prog_eeb6f53a69e5c6a2+0x59/0x234
bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline]
__bpf_prog_run include/linux/filter.h:624 [inline]
bpf_prog_run include/linux/filter.h:631 [inline]
bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119
bpf_prog_test_run_skb+0xb84/0x1ee0 net/bpf/test_run.c:663
bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline]
__sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605
__do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
__x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665f9
The Linux kernel CVE team has assigned CVE-2021-47395 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.7 with commit 646e76bb5daf4ca38438c69ffb72cccb605f3466 and fixed in 4.9.285 with commit e5bb852aa2ad963074f0ad73030dbc20a30853e3
Issue introduced in 4.7 with commit 646e76bb5daf4ca38438c69ffb72cccb605f3466 and fixed in 4.14.249 with commit ce5f372f5f084ff51c285fc27b232f15a3d00f0b
Issue introduced in 4.7 with commit 646e76bb5daf4ca38438c69ffb72cccb605f3466 and fixed in 4.19.209 with commit 76538c7b4df314bb937e44c5cb1782f37d47443c
Issue introduced in 4.7 with commit 646e76bb5daf4ca38438c69ffb72cccb605f3466 and fixed in 5.4.151 with commit ab85997465b972d39d9747fc16311fa5773374b2
Issue introduced in 4.7 with commit 646e76bb5daf4ca38438c69ffb72cccb605f3466 and fixed in 5.10.71 with commit 1282bb00835ff79d2d9c023055d514df5b4de260
Issue introduced in 4.7 with commit 646e76bb5daf4ca38438c69ffb72cccb605f3466 and fixed in 5.14.10 with commit 997ee230e4f5285cd98445c102d9033c7ec4814b
Issue introduced in 4.7 with commit 646e76bb5daf4ca38438c69ffb72cccb605f3466 and fixed in 5.15 with commit 13cb6d826e0ac0d144b0d48191ff1a111d32f0c6
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2021-47395
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/mac80211/tx.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/e5bb852aa2ad963074f0ad73030dbc20a30853e3
https://git.kernel.org/stable/c/ce5f372f5f084ff51c285fc27b232f15a3d00f0b
https://git.kernel.org/stable/c/76538c7b4df314bb937e44c5cb1782f37d47443c
https://git.kernel.org/stable/c/ab85997465b972d39d9747fc16311fa5773374b2
https://git.kernel.org/stable/c/1282bb00835ff79d2d9c023055d514df5b4de260
https://git.kernel.org/stable/c/997ee230e4f5285cd98445c102d9033c7ec4814b
https://git.kernel.org/stable/c/13cb6d826e0ac0d144b0d48191ff1a111d32f0c6