Bug 2300448 (CVE-2024-41071)

Summary: CVE-2024-41071 kernel: wifi: mac80211: Avoid address calculations via out of bounds array indexing
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: dfreiber, drow, gsierohu, jburrell, kgrant, vkumar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 6.9.11, kernel 6.10
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds buffer overflow has been found in the Linux kernel’s mac80211 subsystem when scanning for SSIDs. Address calculation using out-of-bounds array indexing could result in an attacker crafting an exploit, resulting in the complete compromise of a system.
Bug Depends On: 2301635    

Description OSIDB Bzimport 2024-07-29 15:45:15 UTC
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Avoid address calculations via out of bounds array indexing

req->n_channels must be set before req->channels[] can be used.

This patch fixes one of the issues encountered in [1].

[   83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4
[   83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'
[...]
[   83.964264] Call Trace:
[   83.964267]  <TASK>
[   83.964269]  dump_stack_lvl+0x3f/0xc0
[   83.964274]  __ubsan_handle_out_of_bounds+0xec/0x110
[   83.964278]  ieee80211_prep_hw_scan+0x2db/0x4b0
[   83.964281]  __ieee80211_start_scan+0x601/0x990
[   83.964291]  nl80211_trigger_scan+0x874/0x980
[   83.964295]  genl_family_rcv_msg_doit+0xe8/0x160
[   83.964298]  genl_rcv_msg+0x240/0x270
[...]

[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810
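
The ordering problem named in the description, modelled in user space as an added example (not the kernel's code and not the upstream patch). The struct layout, the zeroed allocation and the helpers `chan_store`, `req_alloc` and `copy_channels` are assumptions made for illustration; only the names `n_channels` and `channels[]` come from the report.

```c
#include <stdlib.h>

/* Constructed model of a scan request: channels[] is only valid for
 * indices below n_channels. Field names follow the report; the types
 * and helpers are assumptions made for this example. */
struct scan_req {
    unsigned int n_channels;
    int *channels[];            /* bounded by n_channels */
};

static unsigned int oob_hits;   /* rejected accesses, one per would-be report */

/* Checked store: models a sanitizer bounds check derived from the count. */
static void chan_store(struct scan_req *r, unsigned int i, int *c)
{
    if (i >= r->n_channels) { oob_hits++; return; }
    r->channels[i] = c;
}

/* Allocate zeroed (assumed), so n_channels starts at 0. */
static struct scan_req *req_alloc(unsigned int max)
{
    return calloc(1, sizeof(struct scan_req) + max * sizeof(int *));
}

/* Fill channels[] (count set first or last) and return rejected stores. */
static unsigned int copy_channels(int **src, unsigned int n, int count_first)
{
    struct scan_req *r = req_alloc(n);
    if (!r) return ~0u;         /* error marker: allocation failed */
    oob_hits = 0;
    if (count_first) r->n_channels = n;
    for (unsigned int i = 0; i < n; i++)
        chan_store(r, i, src[i]);
    r->n_channels = n;
    free(r);
    return oob_hits;
}

/* Ordering from the report: index channels[] while n_channels is still 0. */
unsigned int copy_count_last(int **src, unsigned int n)  { return copy_channels(src, n, 0); }
/* Corrected ordering: set n_channels, then index channels[]. */
unsigned int copy_count_first(int **src, unsigned int n) { return copy_channels(src, n, 1); }
```

With the count set last, every store is checked against a bound of 0, which matches the "index 0 is out of range" line in the trace above.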

Comment 1 Mauro Matteo Cascella 2024-07-30 13:35:18 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024072909-CVE-2024-41071-4eb6@gregkh/T

Comment 2 Mauro Matteo Cascella 2024-07-30 13:35:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2301635]

Comment 21 errata-xmlrpc 2024-09-24 00:24:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:6990 https://access.redhat.com/errata/RHSA-2024:6990

Comment 22 errata-xmlrpc 2024-09-24 00:34:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:6992 https://access.redhat.com/errata/RHSA-2024:6992

Comment 23 errata-xmlrpc 2024-09-24 00:35:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2024:6995 https://access.redhat.com/errata/RHSA-2024:6995

Comment 24 errata-xmlrpc 2024-09-24 00:39:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7001 https://access.redhat.com/errata/RHSA-2024:7001

Comment 25 errata-xmlrpc 2024-09-24 00:47:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:7003 https://access.redhat.com/errata/RHSA-2024:7003

Comment 26 errata-xmlrpc 2024-09-24 00:47:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7005 https://access.redhat.com/errata/RHSA-2024:7005

Comment 27 errata-xmlrpc 2024-09-24 00:47:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:6991 https://access.redhat.com/errata/RHSA-2024:6991

Comment 28 errata-xmlrpc 2024-09-24 01:05:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:7002 https://access.redhat.com/errata/RHSA-2024:7002

Comment 29 errata-xmlrpc 2024-09-24 01:06:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2024:6999 https://access.redhat.com/errata/RHSA-2024:6999

Comment 30 errata-xmlrpc 2024-09-24 01:15:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6993 https://access.redhat.com/errata/RHSA-2024:6993

Comment 31 errata-xmlrpc 2024-09-24 01:19:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:6998 https://access.redhat.com/errata/RHSA-2024:6998

Comment 32 errata-xmlrpc 2024-09-24 01:20:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2024:6994 https://access.redhat.com/errata/RHSA-2024:6994

Comment 33 errata-xmlrpc 2024-09-24 01:35:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7004 https://access.redhat.com/errata/RHSA-2024:7004

Comment 34 errata-xmlrpc 2024-09-24 02:35:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7000 https://access.redhat.com/errata/RHSA-2024:7000

Comment 35 errata-xmlrpc 2024-09-24 02:49:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6997 https://access.redhat.com/errata/RHSA-2024:6997

Comment 36 errata-xmlrpc 2024-09-26 14:04:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support  - EXTENSION

Via RHSA-2024:7227 https://access.redhat.com/errata/RHSA-2024:7227

Comment 37 errata-xmlrpc 2024-10-01 00:30:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:7428 https://access.redhat.com/errata/RHSA-2024:7428

Comment 38 errata-xmlrpc 2024-10-01 00:32:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:7427 https://access.redhat.com/errata/RHSA-2024:7427

Comment 39 errata-xmlrpc 2024-10-01 00:37:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:7430 https://access.redhat.com/errata/RHSA-2024:7430

Comment 40 errata-xmlrpc 2024-10-01 00:39:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Via RHSA-2024:7433 https://access.redhat.com/errata/RHSA-2024:7433

Comment 41 errata-xmlrpc 2024-10-01 00:44:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7429 https://access.redhat.com/errata/RHSA-2024:7429

Comment 42 errata-xmlrpc 2024-10-01 02:27:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:7432 https://access.redhat.com/errata/RHSA-2024:7432

Comment 43 errata-xmlrpc 2024-10-01 02:27:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7431 https://access.redhat.com/errata/RHSA-2024:7431