[syzbot] [wireless?] KASAN: slab-out-of-bounds Read in ieee80211_ie_split_ric (3)

2 views
Skip to first unread message

syzbot

unread,
Jul 9, 2026, 12:33:31 PM (yesterday) Jul 9
to joha...@sipsolutions.net, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a52d6c7160f7 selftests/arm64: fix spelling errors in comme..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=17ddd739580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ecdef466b08b9772
dashboard link: https://syzkaller.appspot.com/bug?extid=cc867e537e4bd36f69bb
compiler: Debian clang version 22.1.8 (++20260613092233+e80beda6e255-1~exp1~20260613092250.77), Debian LLD 22.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13940432580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=156e7d89580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/af2ea186884f/disk-a52d6c71.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cef93b18732f/vmlinux-a52d6c71.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b9f9b8922f14/Image-a52d6c71.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cc867e...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in skip_ie net/wireless/util.c:2068 [inline]
BUG: KASAN: slab-out-of-bounds in ieee80211_ie_split_ric+0x4a8/0x508 net/wireless/util.c:-1
Read of size 1 at addr ffff0000c2aac9c1 by task syz.0.18/4930

CPU: 0 UID: 0 PID: 4930 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xb0/0x238 mm/kasan/report.c:378
print_report+0x68/0x84 mm/kasan/report.c:482
kasan_report+0x8c/0xc4 mm/kasan/report.c:595
__asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
skip_ie net/wireless/util.c:2068 [inline]
ieee80211_ie_split_ric+0x4a8/0x508 net/wireless/util.c:-1
ieee80211_ie_split include/net/cfg80211.h:10226 [inline]
cfg80211_sme_get_conn_ies net/wireless/sme.c:529 [inline]
cfg80211_sme_connect net/wireless/sme.c:586 [inline]
cfg80211_connect+0xca8/0x1be4 net/wireless/sme.c:1528
cfg80211_mgd_wext_connect+0x3ac/0x508 net/wireless/wext-sme.c:57
cfg80211_mgd_wext_siwessid+0x2c4/0x40c net/wireless/wext-sme.c:184
cfg80211_wext_siwessid+0xc4/0x13c net/wireless/wext-compat.c:1415
ioctl_standard_iw_point+0x678/0xb04 net/wireless/wext-core.c:864
ioctl_standard_call+0xb4/0x178 net/wireless/wext-core.c:1049
wireless_process_ioctl net/wireless/wext-core.c:-1 [inline]
wext_ioctl_dispatch+0x104/0x36c net/wireless/wext-core.c:1013
wext_handle_ioctl+0x154/0x288 net/wireless/wext-core.c:1074
sock_ioctl+0x154/0x7ec net/socket.c:1353
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594

Allocated by task 4930:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:78
kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5362 [inline]
__kmalloc_node_track_caller_noprof+0x434/0x6d4 mm/slub.c:5497
kmemdup_noprof+0x44/0x8c mm/util.c:138
kmemdup_noprof include/linux/fortify-string.h:715 [inline]
cfg80211_wext_siwgenie+0x170/0x28c net/wireless/wext-sme.c:322
ioctl_standard_iw_point+0x678/0xb04 net/wireless/wext-core.c:864
ioctl_standard_call+0xb4/0x178 net/wireless/wext-core.c:1049
wireless_process_ioctl net/wireless/wext-core.c:-1 [inline]
wext_ioctl_dispatch+0x104/0x36c net/wireless/wext-core.c:1013
wext_handle_ioctl+0x154/0x288 net/wireless/wext-core.c:1074
sock_ioctl+0x154/0x7ec net/socket.c:1353
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594

The buggy address belongs to the object at ffff0000c2aac9c0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of
allocated 1-byte region [ffff0000c2aac9c0, ffff0000c2aac9c1)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000c2aaca20 pfn:0x102aac
flags: 0x5ffc00000000200(workingset|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000200 ffff0000c0001500 ffff0000c0000348 fffffdffc30937d0
raw: ffff0000c2aaca20 0000000800800064 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000c2aac880: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
ffff0000c2aac900: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
>ffff0000c2aac980: fa fc fc fc fa fc fc fc 01 fc fc fc fa fc fc fc
^
ffff0000c2aaca00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
ffff0000c2aaca80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
==================================================================
------------[ cut here ]------------
memcpy: detected buffer overflow: 18446744073709551615 byte write of buffer size 0
WARNING: lib/string_helpers.c:1037 at __fortify_report+0xa0/0xb8 lib/string_helpers.c:1036, CPU#0: syz.0.18/4930
Modules linked in:
CPU: 0 UID: 0 PID: 4930 Comm: syz.0.18 Tainted: G B syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __fortify_report+0xa0/0xb8 lib/string_helpers.c:1036
lr : __fortify_report+0xa0/0xb8 lib/string_helpers.c:1036
sp : ffff8000986876a0
x29: ffff8000986876a0 x28: 1fffe000199c09e6 x27: 1fffe000199c09da
x26: ffff0000c2aac9c0 x25: 0000000000000001 x24: ffff0000d02ad200
x23: ffff0000cce04ed0 x22: ffff800086cbcad8 x21: 0000000000000001
x20: ffffffffffffffff x19: 0000000000000000 x18: 0000000000000000
x17: 3d3d3d3d3d3d3d3d x16: 3d3d3d3d3d3d3d3d x15: 3d3d3d3d3d3d3d3d
x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000002 x9 : e75ac9114b2ee700
x8 : e75ac9114b2ee700 x7 : 0000000000000000 x6 : ffff80008048ce60
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000802f7010
x2 : 0000000100000000 x1 : ffff0000d1543a80 x0 : 0000000000000000
Call trace:
__fortify_report+0xa0/0xb8 lib/string_helpers.c:1036 (P)
__fortify_panic+0x10/0x14 lib/string_helpers.c:1043
fortify_memcpy_chk include/linux/fortify-string.h:547 [inline]
cfg80211_sme_get_conn_ies net/wireless/sme.c:533 [inline]
cfg80211_sme_connect net/wireless/sme.c:586 [inline]
cfg80211_connect+0x1918/0x1be4 net/wireless/sme.c:1528
cfg80211_mgd_wext_connect+0x3ac/0x508 net/wireless/wext-sme.c:57
cfg80211_mgd_wext_siwessid+0x2c4/0x40c net/wireless/wext-sme.c:184
cfg80211_wext_siwessid+0xc4/0x13c net/wireless/wext-compat.c:1415
ioctl_standard_iw_point+0x678/0xb04 net/wireless/wext-core.c:864
ioctl_standard_call+0xb4/0x178 net/wireless/wext-core.c:1049
wireless_process_ioctl net/wireless/wext-core.c:-1 [inline]
wext_ioctl_dispatch+0x104/0x36c net/wireless/wext-core.c:1013
wext_handle_ioctl+0x154/0x288 net/wireless/wext-core.c:1074
sock_ioctl+0x154/0x7ec net/socket.c:1353
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
irq event stamp: 1077
hardirqs last enabled at (1077): [<ffff8000868c3474>] irqentry_exit_to_kernel_mode_after_preempt include/linux/irq-entry-common.h:507 [inline]
hardirqs last enabled at (1077): [<ffff8000868c3474>] arm64_exit_to_kernel_mode+0x80/0x94 arch/arm64/kernel/entry-common.c:62
hardirqs last disabled at (1076): [<ffff8000868bf484>] __el1_irq arch/arm64/kernel/entry-common.c:506 [inline]
hardirqs last disabled at (1076): [<ffff8000868bf484>] el1_interrupt+0x28/0x60 arch/arm64/kernel/entry-common.c:522
softirqs last enabled at (978): [<ffff800084c68eac>] local_bh_enable include/linux/bottom_half.h:33 [inline]
softirqs last enabled at (978): [<ffff800084c68eac>] rcu_read_unlock_bh include/linux/rcupdate.h:914 [inline]
softirqs last enabled at (978): [<ffff800084c68eac>] __dev_queue_xmit+0x14d0/0x2ba4 net/core/dev.c:4907
softirqs last disabled at (972): [<ffff800084c67bd8>] local_bh_disable include/linux/bottom_half.h:20 [inline]
softirqs last disabled at (972): [<ffff800084c67bd8>] rcu_read_lock_bh include/linux/rcupdate.h:893 [inline]
softirqs last disabled at (972): [<ffff800084c67bd8>] __dev_queue_xmit+0x1fc/0x2ba4 net/core/dev.c:4793
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kernel BUG at lib/string_helpers.c:1044!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 4930 Comm: syz.0.18 Tainted: G B W syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE, [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __fortify_panic+0x10/0x14 lib/string_helpers.c:1043
lr : __fortify_panic+0x10/0x14 lib/string_helpers.c:1043
sp : ffff8000986876d0
x29: ffff8000986876d0 x28: 1fffe000199c09e6 x27: 1fffe000199c09da
x26: ffff0000c2aac9c0 x25: 0000000000000001 x24: ffff0000d02ad200
x23: ffff0000cce04ed0 x22: 0000000000000002 x21: 0000000000000000
x20: ffff0000e2cc0740 x19: ffffffffffffffff x18: 0000000000000000
x17: 3d3d3d3d3d3d3d3d x16: 3d3d3d3d3d3d3d3d x15: 3d3d3d3d3d3d3d3d
x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000002 x9 : e75ac9114b2ee700
x8 : e75ac9114b2ee700 x7 : 0000000000000000 x6 : ffff80008048ce60
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000802f7010
x2 : 0000000100000000 x1 : ffff0000d1543a80 x0 : 0000000000000000
Call trace:
__fortify_panic+0x10/0x14 lib/string_helpers.c:1043 (P)
fortify_memcpy_chk include/linux/fortify-string.h:547 [inline]
cfg80211_sme_get_conn_ies net/wireless/sme.c:533 [inline]
cfg80211_sme_connect net/wireless/sme.c:586 [inline]
cfg80211_connect+0x1918/0x1be4 net/wireless/sme.c:1528
cfg80211_mgd_wext_connect+0x3ac/0x508 net/wireless/wext-sme.c:57
cfg80211_mgd_wext_siwessid+0x2c4/0x40c net/wireless/wext-sme.c:184
cfg80211_wext_siwessid+0xc4/0x13c net/wireless/wext-compat.c:1415
ioctl_standard_iw_point+0x678/0xb04 net/wireless/wext-core.c:864
ioctl_standard_call+0xb4/0x178 net/wireless/wext-core.c:1049
wireless_process_ioctl net/wireless/wext-core.c:-1 [inline]
wext_ioctl_dispatch+0x104/0x36c net/wireless/wext-core.c:1013
wext_handle_ioctl+0x154/0x288 net/wireless/wext-core.c:1074
sock_ioctl+0x154/0x7ec net/socket.c:1353
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
Code: d503233f a9bf7bfd 910003fd 94618cfa (d4210000)
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

unread,
Jul 9, 2026, 9:37:25 PM (17 hours ago) Jul 9
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] wifi: cfg80211: validate IEs in cfg80211_wext_siwgenie()
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

Syzkaller reported a KASAN slab-out-of-bounds read in skip_ie()
and a fortify memcpy panic in cfg80211_sme_get_conn_ies().

The KASAN allocation trace shows that a malformed IE buffer is
stored via SIOCSIWGENIE (cfg80211_wext_siwgenie()) without any
validation. The crash trace shows that a subsequent SIOCSIWESSID
triggers a connection attempt which calls cfg80211_sme_get_conn_ies()
to process the stored IE buffer, causing:

- An out-of-bounds read in skip_ie() which reads ies[pos+1]
(the length byte) past the end of the 1-byte buffer.

- An integer underflow in the memcpy size argument when offs
returned by ieee80211_ie_split() exceeds ies_len, causing
unsigned subtraction to wrap to SIZE_MAX and triggering a
fortify panic.

Fix this by validating the IE buffer in cfg80211_wext_siwgenie()
before storing it. Add cfg80211_validate_ies() which walks the
buffer and verifies every element has at least 2 bytes (type +
length) and sufficient data bytes as indicated by its length
field. Return -EINVAL if validation fails.

Reported-by: syzbot+cc867e...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cc867e537e4bd36f69bb
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
include/net/cfg80211.h | 1 +
net/wireless/util.c | 16 ++++++++++++++++
net/wireless/wext-sme.c | 2 ++
3 files changed, 19 insertions(+)

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 8188ad200de5..32cef926f8a4 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -10992,4 +10992,5 @@ void cfg80211_incumbent_signal_notify(struct wiphy *wiphy,
u32 signal_interference_bitmap,
gfp_t gfp);

+bool cfg80211_validate_ies(const u8 *ies, size_t ies_len);
#endif /* __NET_CFG80211_H */
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 24527bf321b2..a685020c8efc 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -3083,3 +3083,19 @@ bool cfg80211_wdev_channel_allowed(struct wireless_dev *wdev,
return false;
}
EXPORT_SYMBOL(cfg80211_wdev_channel_allowed);
+
+bool cfg80211_validate_ies(const u8 *ies, size_t ies_len)
+{
+ size_t pos = 0;
+
+ while (pos < ies_len) {
+ if (pos + 2 > ies_len)
+ return false;
+ if (pos + 2 + ies[pos + 1] > ies_len)
+ return false;
+ pos += 2 + ies[pos + 1];
+ }
+
+ return true;
+}
+EXPORT_SYMBOL(cfg80211_validate_ies);
diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index 573b6b15a446..3e9b071f6d66 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -319,6 +319,8 @@ int cfg80211_wext_siwgenie(struct net_device *dev,
return 0;

if (ie_len) {
+ if (!cfg80211_validate_ies(extra, ie_len))
+ return -EINVAL;
ie = kmemdup(extra, ie_len, GFP_KERNEL);
if (!ie)
return -ENOMEM;
--
2.43.0

syzbot

unread,
Jul 9, 2026, 10:33:04 PM (16 hours ago) Jul 9
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+cc867e...@syzkaller.appspotmail.com
Tested-by: syzbot+cc867e...@syzkaller.appspotmail.com

Tested on:

commit: a52d6c71 selftests/arm64: fix spelling errors in comme..
console output: https://syzkaller.appspot.com/x/log.txt?x=11a0af39580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ecdef466b08b9772
dashboard link: https://syzkaller.appspot.com/bug?extid=cc867e537e4bd36f69bb
compiler: Debian clang version 22.1.8 (++20260613092233+e80beda6e255-1~exp1~20260613092250.77), Debian LLD 22.1.8
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=148fc346580000

Note: testing is done by a robot and is best-effort only.
Reply all
Reply to author
Forward
0 new messages