CVE-2025-21910
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/04/2025
Last modified:
01/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
wifi: cfg80211: regulatory: improve invalid hints checking<br />
<br />
Syzbot keeps reporting an issue [1] that occurs when erroneous symbols<br />
sent from userspace get through into user_alpha2[] via<br />
regulatory_hint_user() call. Such invalid regulatory hints should be<br />
rejected.<br />
<br />
While a sanity check from commit 47caf685a685 ("cfg80211: regulatory:<br />
reject invalid hints") looks to be enough to deter these very cases,<br />
there is a way to get around it due to 2 reasons.<br />
<br />
1) The way isalpha() works, symbols other than latin lower and<br />
upper letters may be used to determine a country/domain.<br />
For instance, greek letters will also be considered upper/lower<br />
letters and for such characters isalpha() will return true as well.<br />
However, ISO-3166-1 alpha2 codes should only hold latin<br />
characters.<br />
<br />
2) While processing a user regulatory request, between<br />
reg_process_hint_user() and regulatory_hint_user() there happens to<br />
be a call to queue_regulatory_request() which modifies letters in<br />
request->alpha2[] with toupper(). This works fine for latin symbols,<br />
less so for weird letter characters from the second part of _ctype[].<br />
<br />
Syzbot triggers a warning in is_user_regdom_saved() by first sending<br />
over an unexpected non-latin letter that gets malformed by toupper()<br />
into a character that ends up failing isalpha() check.<br />
<br />
Prevent this by enhancing is_an_alpha2() to ensure that incoming<br />
symbols are latin letters and nothing else.<br />
<br />
[1] Syzbot report:<br />
------------[ cut here ]------------<br />
Unexpected user alpha2: A�<br />
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]<br />
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]<br />
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516<br />
Modules linked in:<br />
CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br />
Workqueue: events_power_efficient crda_timeout_work<br />
RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]<br />
RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]<br />
RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516<br />
...<br />
Call Trace:<br />
<br />
crda_timeout_work+0x27/0x50 net/wireless/reg.c:542<br />
process_one_work kernel/workqueue.c:3229 [inline]<br />
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310<br />
worker_thread+0x870/0xd30 kernel/workqueue.c:3391<br />
kthread+0x2f2/0x390 kernel/kthread.c:389<br />
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147<br />
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br />
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/17aa34c84867f6cd181a5743e1c647e7766962a6
- https://git.kernel.org/stable/c/35ef07112b61b06eb30683a6563c9f6378c02476
- https://git.kernel.org/stable/c/59b348be7597c4a9903cb003c69e37df20c04a30
- https://git.kernel.org/stable/c/62b1a9bbfebba4b4c2bb6c1ede9ef7ecee7a9ff6
- https://git.kernel.org/stable/c/6a5e3b23054cee3b92683d1467e3fa83921f5622
- https://git.kernel.org/stable/c/be7c5f00aa7f1344293e4d48d0e12be83a2f223d
- https://git.kernel.org/stable/c/da3f599517ef2ea851208df3229d07728d238dc5
- https://git.kernel.org/stable/c/f4112cb477c727a65787a4065a75ca593bb5b2f4