Thread (4 messages) 4 messages, 3 authors, 2025-07-18

Re: [syzbot] [wireless] BUG: unable to handle kernel paging request in ieee80211_wep_encrypt

From: Johannes Berg <johannes@sipsolutions.net>
Date: 2025-07-18 15:57:36
Also in: linux-crypto, linux-wireless, lkml

On Fri, 2025-07-18 at 07:50 -0700, Eric Biggers wrote:
quoted
BUG: unable to handle page fault for address: ffff8880bfffd000
[...]
quoted
Call Trace:
 <TASK>
 crc32_le_arch+0x56/0xa0 arch/x86/lib/crc32.c:21
 crc32_le include/linux/crc32.h:18 [inline]
 ieee80211_wep_encrypt_data net/mac80211/wep.c:114 [inline]
 ieee80211_wep_encrypt+0x228/0x410 net/mac80211/wep.c:158
[...]
quoted
 nl80211_tx_mgmt+0x9fd/0xd50 net/wireless/nl80211.c:12921
syzbot assigned this to the "crypto" subsystem.  However, the crash
happened in crc32_le() which is not part of the crypto subsystem.  Also,
crc32_le() is well-tested (e.g. by crc_kunit), and the bug is unlikely
to be there.  Rather, the calling code in ieee80211_wep_encrypt_data()
is passing an invalid data buffer to crc32_le().  So let's do:
Agree, that makes sense, looks like we never check the frame length
correctly. Since there's no reproducer (yet) I guess we won't be testing
against it with syzbot though :)

johannes
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help