In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: don't use rate mask for offchannel TX either
As in commit ab9177d83c04 ("wifi: mac80211: don't use rate mask for scanning"), ignore incorrect settings to avoid the "no supported rate" warning reported by syzbot.
syzbot bisected the warning and identified commit 9df66d5b9f45 ("cfg80211: fix default HE tx bitrate mask in 2G band") as the cause. That commit, however, corrects the HE MCS bitmask and correctly recognizes a setting of empty legacy rates plus HE MCS rates instead of returning -EINVAL.
As suggested in [1], follow the change made for scan TX and handle this case for offchannel TX as well.
[1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024
{ "vanir_signatures": [ { "digest": { "length": 671.0, "function_hash": "71806819843978298024613418417892653407" }, "target": { "function": "ieee80211_get_tx_rates", "file": "net/mac80211/rate.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7a7ef9a0742dbd0818d5b15fba2c5313ace765b", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-0f825e69" }, { "digest": { "line_hashes": [ "123035020667352387069746054490007823959", "2030591917770939297513646348350374962", "248515520455334026826017166184429555021", "6076710052380250227737731930553799496", "125999747287372561873632845791408815553", "44788758953955620335169608255675316177", "200082999076609744330637806538513658734" ], "threshold": 0.9 }, "target": { "file": "include/net/mac80211.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aafca50e71dc8f3192a5bfb325135a7908f3ef9e", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-12ed7897" }, { "digest": { "line_hashes": [ "331899321808006596053233169771982345762", "235815958340768062928624858285288598955", "171204915086759967853919895282567758060", "289599281949089187867675630281303608644" ], "threshold": 0.9 }, "target": { "file": "net/mac80211/rate.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7a7ef9a0742dbd0818d5b15fba2c5313ace765b", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-1935dd71" }, { "digest": { "length": 4668.0, "function_hash": "318486505180880058712527545896193338782" }, "target": { "function": "ieee80211_mgmt_tx", "file": "net/mac80211/offchannel.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7a7ef9a0742dbd0818d5b15fba2c5313ace765b", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-252b30d6" }, { "digest": { "length": 751.0, 
"function_hash": "54101456494356935015614335051155273866" }, "target": { "function": "ieee80211_send_scan_probe_req", "file": "net/mac80211/scan.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7a7ef9a0742dbd0818d5b15fba2c5313ace765b", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-39f6c971" }, { "digest": { "line_hashes": [ "241024092190566317102761129865869392515", "30518723519799307503379301006920113579", "132245669029845469883365014284605579835", "123752968437127377121414771032870662890" ], "threshold": 0.9 }, "target": { "file": "net/mac80211/tx.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aafca50e71dc8f3192a5bfb325135a7908f3ef9e", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-415d2058" }, { "digest": { "line_hashes": [ "160580590111192395659198079120391968891", "313446943898493482625275721616510083778", "19160180045603136129913366058309935577", "36162308152531470429871130947157920387" ], "threshold": 0.9 }, "target": { "file": "net/mac80211/scan.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aafca50e71dc8f3192a5bfb325135a7908f3ef9e", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-477bb59e" }, { "digest": { "line_hashes": [ "160580590111192395659198079120391968891", "313446943898493482625275721616510083778", "19160180045603136129913366058309935577", "36162308152531470429871130947157920387" ], "threshold": 0.9 }, "target": { "file": "net/mac80211/scan.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7a7ef9a0742dbd0818d5b15fba2c5313ace765b", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-5694635f" }, { "digest": { "line_hashes": [ "331899321808006596053233169771982345762", "235815958340768062928624858285288598955", 
"171204915086759967853919895282567758060", "289599281949089187867675630281303608644" ], "threshold": 0.9 }, "target": { "file": "net/mac80211/rate.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aafca50e71dc8f3192a5bfb325135a7908f3ef9e", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-963df126" }, { "digest": { "length": 3328.0, "function_hash": "19678733201788916585012215043831163323" }, "target": { "function": "ieee80211_tx_h_rate_ctrl", "file": "net/mac80211/tx.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7a7ef9a0742dbd0818d5b15fba2c5313ace765b", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-a09e09bb" }, { "digest": { "length": 751.0, "function_hash": "54101456494356935015614335051155273866" }, "target": { "function": "ieee80211_send_scan_probe_req", "file": "net/mac80211/scan.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aafca50e71dc8f3192a5bfb325135a7908f3ef9e", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-aa00a574" }, { "digest": { "line_hashes": [ "102986810846790561773567650021844740916", "205580349902176211687481600950883038598", "21061597437101898087486211303448452718", "50673748695753676825425162548435427382" ], "threshold": 0.9 }, "target": { "file": "net/mac80211/offchannel.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7a7ef9a0742dbd0818d5b15fba2c5313ace765b", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-ccebf7ea" }, { "digest": { "line_hashes": [ "241024092190566317102761129865869392515", "30518723519799307503379301006920113579", "132245669029845469883365014284605579835", "123752968437127377121414771032870662890" ], "threshold": 0.9 }, "target": { "file": "net/mac80211/tx.c" }, "signature_type": "Line", 
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7a7ef9a0742dbd0818d5b15fba2c5313ace765b", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-d1ea0705" }, { "digest": { "length": 3328.0, "function_hash": "19678733201788916585012215043831163323" }, "target": { "function": "ieee80211_tx_h_rate_ctrl", "file": "net/mac80211/tx.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aafca50e71dc8f3192a5bfb325135a7908f3ef9e", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-da10114d" }, { "digest": { "length": 4427.0, "function_hash": "328002763749827757067495882265874426457" }, "target": { "function": "ieee80211_mgmt_tx", "file": "net/mac80211/offchannel.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aafca50e71dc8f3192a5bfb325135a7908f3ef9e", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-efdd0236" }, { "digest": { "length": 671.0, "function_hash": "71806819843978298024613418417892653407" }, "target": { "function": "ieee80211_get_tx_rates", "file": "net/mac80211/rate.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aafca50e71dc8f3192a5bfb325135a7908f3ef9e", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-f4d5cb85" }, { "digest": { "line_hashes": [ "102986810846790561773567650021844740916", "205580349902176211687481600950883038598", "21061597437101898087486211303448452718", "50673748695753676825425162548435427382" ], "threshold": 0.9 }, "target": { "file": "net/mac80211/offchannel.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aafca50e71dc8f3192a5bfb325135a7908f3ef9e", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-f64c6059" }, { "digest": { "line_hashes": [ 
"123035020667352387069746054490007823959", "2030591917770939297513646348350374962", "248515520455334026826017166184429555021", "6076710052380250227737731930553799496", "125999747287372561873632845791408815553", "44788758953955620335169608255675316177", "200082999076609744330637806538513658734" ], "threshold": 0.9 }, "target": { "file": "include/net/mac80211.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7a7ef9a0742dbd0818d5b15fba2c5313ace765b", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-47738-fe7ac6cd" } ] }