| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: regulatory: improve invalid hints checking\n\nSyzbot keeps reporting an issue [1] that occurs when erroneous symbols\nsent from userspace get through into user_alpha2[] via\nregulatory_hint_user() call. Such invalid regulatory hints should be\nrejected.\n\nWhile a sanity check from commit 47caf685a685 (\"cfg80211: regulatory:\nreject invalid hints\") looks to be enough to deter these very cases,\nthere is a way to get around it due to 2 reasons.\n\n1) The way isalpha() works, symbols other than latin lower and\nupper letters may be used to determine a country/domain.\nFor instance, greek letters will also be considered upper/lower\nletters and for such characters isalpha() will return true as well.\nHowever, ISO-3166-1 alpha2 codes should only hold latin\ncharacters.\n\n2) While processing a user regulatory request, between\nreg_process_hint_user() and regulatory_hint_user() there happens to\nbe a call to queue_regulatory_request() which modifies letters in\nrequest->alpha2[] with toupper(). This works fine for latin symbols,\nless so for weird letter characters from the second part of _ctype[].\n\nSyzbot triggers a warning in is_user_regdom_saved() by first sending\nover an unexpected non-latin letter that gets malformed by toupper()\ninto a character that ends up failing isalpha() check.\n\nPrevent this by enhancing is_an_alpha2() to ensure that incoming\nsymbols are latin letters and nothing else.\n\n[1] Syzbot report:\n------------[ cut here ]------------\nUnexpected user alpha2: A�\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\nModules linked in:\nCPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: events_power_efficient crda_timeout_work\nRIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]\nRIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]\nRIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\n...\nCall Trace:\n <TASK>\n crda_timeout_work+0x27/0x50 net/wireless/reg.c:542\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "net/wireless/reg.c" |
| ], |
| "versions": [ |
| { |
| "version": "09d989d179d0c679043556dda77c51b41a2dae7e", |
| "lessThan": "62b1a9bbfebba4b4c2bb6c1ede9ef7ecee7a9ff6", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "09d989d179d0c679043556dda77c51b41a2dae7e", |
| "lessThan": "da3f599517ef2ea851208df3229d07728d238dc5", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "09d989d179d0c679043556dda77c51b41a2dae7e", |
| "lessThan": "6a5e3b23054cee3b92683d1467e3fa83921f5622", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "09d989d179d0c679043556dda77c51b41a2dae7e", |
| "lessThan": "f4112cb477c727a65787a4065a75ca593bb5b2f4", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "09d989d179d0c679043556dda77c51b41a2dae7e", |
| "lessThan": "35ef07112b61b06eb30683a6563c9f6378c02476", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "09d989d179d0c679043556dda77c51b41a2dae7e", |
| "lessThan": "be7c5f00aa7f1344293e4d48d0e12be83a2f223d", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "09d989d179d0c679043556dda77c51b41a2dae7e", |
| "lessThan": "17aa34c84867f6cd181a5743e1c647e7766962a6", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "09d989d179d0c679043556dda77c51b41a2dae7e", |
| "lessThan": "59b348be7597c4a9903cb003c69e37df20c04a30", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "net/wireless/reg.c" |
| ], |
| "versions": [ |
| { |
| "version": "2.6.34", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "2.6.34", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.4.291", |
| "lessThanOrEqual": "5.4.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.235", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.179", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.1.131", |
| "lessThanOrEqual": "6.1.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.83", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12.19", |
| "lessThanOrEqual": "6.12.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.13.7", |
| "lessThanOrEqual": "6.13.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.14", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "5.4.291" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "5.10.235" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "5.15.179" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "6.1.131" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "6.6.83" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "6.12.19" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "6.13.7" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "6.14" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/62b1a9bbfebba4b4c2bb6c1ede9ef7ecee7a9ff6" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/da3f599517ef2ea851208df3229d07728d238dc5" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/6a5e3b23054cee3b92683d1467e3fa83921f5622" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/f4112cb477c727a65787a4065a75ca593bb5b2f4" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/35ef07112b61b06eb30683a6563c9f6378c02476" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/be7c5f00aa7f1344293e4d48d0e12be83a2f223d" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/17aa34c84867f6cd181a5743e1c647e7766962a6" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/59b348be7597c4a9903cb003c69e37df20c04a30" |
| } |
| ], |
| "title": "wifi: cfg80211: regulatory: improve invalid hints checking", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2025-21910", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
