From patchwork Thu Oct 13 17:52:48 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 2262
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sönke Huster, Johannes Berg
Subject: [PATCH 5.15 19/27] wifi: cfg80211: fix BSS refcounting bugs
Date: Thu, 13 Oct 2022 19:52:48 +0200
Message-Id: <20221013175144.261946484@linuxfoundation.org>
In-Reply-To: <20221013175143.518476113@linuxfoundation.org>
References: <20221013175143.518476113@linuxfoundation.org>
X-Mailer: git-send-email 2.38.0
User-Agent: quilt/0.67
X-Mailing-List: linux-kernel@vger.kernel.org
From: Johannes Berg commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream. There are multiple refcounting bugs related to multi-BSSID: - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro. - In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data. - In cfg80211_inform_single_bss_data(), if adding to the non- transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there. This fixes CVE-2022-42720. Reported-by: Sönke Huster Tested-by: Sönke Huster Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/scan.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cf lockdep_assert_held(&rdev->bss_lock); bss->refcount++; - if (bss->pub.hidden_beacon_bss) { - bss = container_of(bss->pub.hidden_beacon_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } - if (bss->pub.transmitted_bss) { - bss = container_of(bss->pub.transmitted_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } + + if (bss->pub.hidden_beacon_bss) + bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; + + if (bss->pub.transmitted_bss) + bss_from_pub(bss->pub.transmitted_bss)->refcount++; } static inline void bss_ref_put(struct cfg80211_registered_device *rdev, 
@@ -1743,6 +1737,8 @@ cfg80211_bss_update(struct cfg80211_regi new->refcount = 1; INIT_LIST_HEAD(&new->hidden_list); INIT_LIST_HEAD(&new->pub.nontrans_list); + /* we'll set this later if it was non-NULL */ + new->pub.transmitted_bss = NULL; if (rcu_access_pointer(tmp->pub.proberesp_ies)) { hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); @@ -1983,10 +1979,15 @@ cfg80211_inform_single_bss_data(struct w spin_lock_bh(&rdev->bss_lock); if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, &res->pub)) { - if (__cfg80211_unlink_bss(rdev, res)) + if (__cfg80211_unlink_bss(rdev, res)) { rdev->bss_generation++; + res = NULL; + } } spin_unlock_bh(&rdev->bss_lock); + + if (!res) + return NULL; } trace_cfg80211_return_bss(&res->pub);
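Review bot: in the bss_ref_get() hunk the matching release side is not in the diff; the context line right after the hunk is the opening of bss_ref_put(), so please confirm it drops the hidden_beacon_bss and transmitted_bss references with the same independent lookup (both taken from the original bss->pub, never from a bss already redirected to the hidden beacon entry), otherwise get and put stay asymmetric and the refcount skew only moves. Since the old code took the transmitted_bss reference on the wrong entry precisely because bss was overwritten in between, a one-line comment above the two bss_from_pub() lines saying that both lookups must start from the original bss would keep a later refactor from reintroducing the chain.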
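Review bot: the `new->pub.transmitted_bss = NULL;` line in cfg80211_bss_update() is the right fix for the pointer copied from tmp without a reference, but the comment "we'll set this later if it was non-NULL" points at code outside the hunk; name the place that assigns and references transmitted_bss so a reader can see that every error exit between this line and that assignment now releases new without dropping a reference it never took. Stating in the comment that the copy came from tmp and carried no reference, which is exactly why it must not survive into bss_ref_put(), would make the intent self-contained.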
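Review bot: in the cfg80211_inform_single_bss_data() hunk, `res = NULL;` is only set when __cfg80211_unlink_bss() returns true, so if cfg80211_add_nontrans_list() fails but the unlink returns false the entry stays linked and is still returned, while the commit message says a BSS that could not be added to the non-transmitted list should not be returned at all. Either confirm the false path is unreachable for an entry that was just updated, or move `res = NULL;` out of the inner if (keeping `rdev->bss_generation++` conditional on the unlink) so the failure is reported uniformly. The placement of `if (!res) return NULL;` after spin_unlock_bh() and before the block's closing brace is correct, since trace_cfg80211_return_bss(&res->pub) below would otherwise dereference NULL.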