Bug 269321 - kernel page fault in ieee80211_scan_copy_ssid() if sr_nssid = -1
Summary: kernel page fault in ieee80211_scan_copy_ssid() if sr_nssid = -1
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: wireless
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-wireless (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-04 14:08 UTC by Robert Morris
Modified: 2023-08-03 04:17 UTC (History)
CC: 3 users

See Also:


Attachments
crash by passing sr_nssid=-1 to ioctl SIOCS80211 IEEE80211_IOC_SCAN_REQ (1.43 KB, text/plain)
2023-02-04 14:08 UTC, Robert Morris

Description Robert Morris 2023-02-04 14:08:36 UTC
Created attachment 239900
crash by passing sr_nssid=-1 to ioctl SIOCS80211 IEEE80211_IOC_SCAN_REQ

If an SIOCS80211 / IEEE80211_IOC_SCAN_REQ ioctl sets sr_nssid to -1,
eventually ieee80211_scan_copy_ssid() runs

        memcpy(ss->ss_ssid, ssids, nssid * sizeof(ssids[0]));

which crashes.

The code has sanity-checks like

        if (nssid > IEEE80211_SCAN_MAX_SSID) {
           // error

but nssid is often declared to be int, and there's no check for < 0.

I've attached a demo, which yields:

# cc wlanctl2a.c
# ./a.out
panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffc073570000
panic() at panic+0x2a
vm_fault_lookup() at vm_fault_lookup+0x1bc
vm_fault() at vm_fault+0x9c
vm_fault_trap() at vm_fault_trap+0x66
page_fault_handler() at page_fault_handler+0x17a
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 15, tval = 0xffffffc073570000
memcpy() at memcpy+0xf8
ieee80211_scan_copy_ssid() at ieee80211_scan_copy_ssid+0x4e
ieee80211_swscan_check_scan() at ieee80211_swscan_check_scan+0x6e
ieee80211_check_scan() at ieee80211_check_scan+0x168
ieee80211_scanreq() at ieee80211_scanreq+0x2b8
ieee80211_ioctl_scanreq() at ieee80211_ioctl_scanreq+0x6e
ieee80211_ioctl_set80211() at ieee80211_ioctl_set80211+0x9b8
ieee80211_ioctl() at ieee80211_ioctl+0x30e
ifioctl() at ifioctl+0x318
soo_ioctl() at soo_ioctl+0x2d8
fo_ioctl() at fo_ioctl+0xa
kern_ioctl() at kern_ioctl+0x242
sys_ioctl() at sys_ioctl+0x120
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
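The root cause described in the report is a range check that only looks at the upper bound of a signed count, so a negative value slips through and is converted to a huge size_t at the memcpy. The following is an added, user-space illustration written for this page; it is not the net80211 code and not the reporter's demo. IEEE80211_SCAN_MAX_SSID, the struct layout and the function names here are simplified stand-ins chosen for the example (the kernel's values and types may differ); only the field names and the shape of the check come from the report. It contrasts the upper-bound-only check with one that also rejects negative counts, and shows the length memcpy would be handed for nssid = -1.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Stand-in constants for this example; the real net80211 definitions
 * live in ieee80211_scan.h / ieee80211.h and may differ (assumption). */
#define IEEE80211_SCAN_MAX_SSID 3
#define IEEE80211_NWID_LEN      32

/* Simplified stand-in for the per-SSID entry copied by the scan code. */
struct ssid_entry {
    int     len;
    uint8_t ssid[IEEE80211_NWID_LEN];
};

/* The check as the report describes it: an upper bound only, on a signed
 * int. A negative nssid passes this check. */
static int check_nssid_upper_only(int nssid)
{
    if (nssid > IEEE80211_SCAN_MAX_SSID)
        return -1;          /* reject: too many SSIDs */
    return 0;               /* accept: -1 gets through here */
}

/* Hardened check: reject negative counts as well as oversized ones. */
static int check_nssid_range(int nssid)
{
    if (nssid < 0 || nssid > IEEE80211_SCAN_MAX_SSID)
        return -1;
    return 0;
}

/* The byte count memcpy would be asked for. nssid is converted to size_t
 * for the multiplication, so -1 becomes SIZE_MAX and the product wraps to
 * a value just under 2^64 rather than a small negative number. */
static size_t copy_length(int nssid)
{
    return (size_t)nssid * sizeof(struct ssid_entry);
}

/* Copy that refuses out-of-range counts before touching memory.
 * Returns the number of entries copied, or -1 on a rejected count. */
static int copy_ssids(struct ssid_entry *dst, const struct ssid_entry *src,
                      int nssid)
{
    if (check_nssid_range(nssid) != 0)
        return -1;
    memcpy(dst, src, (size_t)nssid * sizeof(src[0]));
    return nssid;
}

/* Exercise the guarded copy with a constructed request: two valid entries,
 * then a request with nssid = -1. Returns 1 if both behave as intended. */
static int demo_guarded_copy(void)
{
    struct ssid_entry src[IEEE80211_SCAN_MAX_SSID];
    struct ssid_entry dst[IEEE80211_SCAN_MAX_SSID];
    memset(src, 0, sizeof(src));
    memset(dst, 0, sizeof(dst));
    src[0].len = 4; memcpy(src[0].ssid, "demo", 4);   /* constructed data */
    src[1].len = 3; memcpy(src[1].ssid, "lab", 3);

    if (copy_ssids(dst, src, 2) != 2 || dst[1].len != 3)
        return 0;
    if (copy_ssids(dst, src, -1) != -1)      /* must be refused, not copied */
        return 0;
    return 1;
}

int main(void)
{
    printf("upper-bound-only check accepts -1: %s\n",
           check_nssid_upper_only(-1) == 0 ? "yes" : "no");
    printf("range check accepts -1:            %s\n",
           check_nssid_range(-1) == 0 ? "yes" : "no");
    printf("memcpy length for nssid=-1:        %zu bytes\n", copy_length(-1));
    printf("guarded copy behaves correctly:    %s\n",
           demo_guarded_copy() ? "yes" : "no");
    return 0;
}
```

The same pattern applies wherever a count arrives from user space as a signed int and is later multiplied by an element size: either validate both ends of the range, or read the count into an unsigned type before comparing it against the maximum, so that a negative value is caught by the upper-bound check.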
Comment 1 Adrian Chadd freebsd_committer freebsd_triage 2023-08-03 04:17:12 UTC
oops! should be easy to fix though?