From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sönke Huster, Johannes Berg
Subject: [PATCH 5.15 22/27] wifi: mac80211: fix crash in beacon protection for P2P-device
Date: Thu, 13 Oct 2022 19:52:51 +0200
Message-Id: <20221013175144.356052246@linuxfoundation.org>
In-Reply-To: <20221013175143.518476113@linuxfoundation.org>

From: Johannes Berg

commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.

If beacon protection is active but the beacon cannot be
decrypted or is otherwise malformed, we call the cfg80211
API to report this to userspace, but that uses a netdev
pointer, which isn't present for P2P-Device. Fix this to
call it only conditionally to ensure cfg80211 won't crash
in the case of P2P-Device.

This fixes CVE-2022-42722.

Reported-by: Sönke Huster
Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/rx.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1982,10 +1982,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_ if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS || mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS + - NUM_DEFAULT_BEACON_KEYS) { - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, - skb->data, - skb->len); + NUM_DEFAULT_BEACON_KEYS) { + if (rx->sdata->dev) + cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, + skb->data, + skb->len); return RX_DROP_MONITOR; /* unexpected BIP keyidx */ } @@ -2133,7 +2134,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_ /* either the frame has been decrypted or will be dropped */ status->flag |= RX_FLAG_DECRYPTED; - if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE)) + if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE && + rx->sdata->dev)) cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, skb->data, skb->len);
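
Review bot: In the first hunk (@@ -1982), the new "if (rx->sdata->dev)" guard in the unexpected-BIP-keyidx branch carries no comment saying why dev can be NULL at this point. The reason (a P2P-Device interface has no netdev) is only in the commit message, so a one-line comment above the check would keep a later cleanup from removing it as redundant. The same hunk also touches the "NUM_DEFAULT_BEACON_KEYS) {" line with what appears to be a whitespace-only change; it is harmless, but it is worth confirming it matches the upstream commit so the stable backport stays a clean cherry-pick.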
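
Review bot: In the second hunk (@@ -2133), the "rx->sdata->dev" test is folded into the unlikely() condition, while the first hunk uses a separate nested if for the same check, so the same NULL guard is now open-coded twice in ieee80211_rx_h_decrypt in two different shapes. Consider a small local helper that wraps cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, skb->data, skb->len) behind the dev check and calling it from both sites, so a future caller on a netdev-less interface does not reintroduce the crash. With the guard in place, beacon protection failures on P2P-Device are dropped without any report to userspace; if that is intended, a short comment saying so would help.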