CVE-2025-21910

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: regulatory: improve invalid hints checking

Syzbot keeps reporting an issue [1] that occurs when erroneous symbols sent from userspace get through into useralpha2[] via regulatoryhint_user() call. Such invalid regulatory hints should be rejected.

While a sanity check from commit 47caf685a685 ("cfg80211: regulatory: reject invalid hints") looks to be enough to deter these very cases, there is a way to get around it due to 2 reasons.

1) The way isalpha() works, symbols other than latin lower and upper letters may be used to determine a country/domain. For instance, greek letters will also be considered upper/lower letters and for such characters isalpha() will return true as well. However, ISO-3166-1 alpha2 codes should only hold latin characters.

2) While processing a user regulatory request, between regprocesshintuser() and regulatoryhintuser() there happens to be a call to queueregulatory_request() which modifies letters in request->alpha2[] with toupper(). This works fine for latin symbols, less so for weird letter characters from the second part of _ctype[].

Syzbot triggers a warning in isuserregdom_saved() by first sending over an unexpected non-latin letter that gets malformed by toupper() into a character that ends up failing isalpha() check.

Prevent this by enhancing isanalpha2() to ensure that incoming symbols are latin letters and nothing else.

[1] Syzbot report: ------------[ cut here ]------------ Unexpected user alpha2: A� WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 isuserregdomsaved net/wireless/reg.c:440 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restorealpha2 net/wireless/reg.c:3424 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restoreregulatorysettings+0x3c0/0x1e50 net/wireless/reg.c:3516 Modules linked in: CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: eventspowerefficient crdatimeoutwork RIP: 0010:isuserregdomsaved net/wireless/reg.c:440 [inline] RIP: 0010:restorealpha2 net/wireless/reg.c:3424 [inline] RIP: 0010:restoreregulatorysettings+0x3c0/0x1e50 net/wireless/reg.c:3516 ... Call Trace: <TASK> crdatimeoutwork+0x27/0x50 net/wireless/reg.c:542 processonework kernel/workqueue.c:3229 [inline] processscheduledworks+0xa65/0x1850 kernel/workqueue.c:3310 workerthread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 retfromfork+0x4d/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>