From patchwork Thu Oct 13 17:52:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 2286 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:4ac7:0:0:0:0:0 with SMTP id y7csp425540wrs; Thu, 13 Oct 2022 11:44:24 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5hZCJys6WvdjoKh1m/sE7VYuEJAHmAJQgCcXprP9+1MwJrJ5wig03SybvWchakDLen+Pic X-Received: by 2002:a17:902:ef89:b0:17f:8097:83bb with SMTP id iz9-20020a170902ef8900b0017f809783bbmr1041196plb.20.1665686664424; Thu, 13 Oct 2022 11:44:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1665686664; cv=none; d=google.com; s=arc-20160816; b=lpQo0gmLIrXJjkof78OFCt+LDSr+ktub3vWiGk5i9UazI1jN0xke2Xn9znMMnCt5gX E+r3BtEVor9szyvlji6j4Et0pUpVCVeDOL1q2V0zvoN4NVf4UReUHmngKakpKdFQ/Ks+ 7QMTUnwxWIzeAU1twL7xc6HU9DAPQA75LD8gQPEs5F7t/ILc82PQcTX/QAJr1VrvKNv9 nzMad317tdQOY1ENFihK8uVDTQNkhBDYvv++tCoQ5b1gbfF/Mt9Kd9nug9sgTiKjxvOR 8Zd/c4Ef9Ticle+nTMxKYe/rzRDIMEnXUZoj5exnHR2dlYEsc4OUeXdVUDpXwoP+gwlm P6+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=6qtI4ewGAghKNg6M5lurU+D80RYsSRe1CLfXYibzRkM=; b=jvQnRnBQyydQTSULwdyb8rhGgc2X9La92sx3byGaBOTJUfJLxTQpfWKED8/3VzXvzO OrKcLYotCEWRRKdUsgQa0N5epQ0k3j86pkNzqTE3x5ODuHyIjts3B6Y5DF+Ob6vgyf6G sGPB/MmtwqcXFG8yKjzokJf+fKsFT9XBO8N6LUH9R3+nHkHMHfp9ys3avd+ZaRv5uaQU NFAv76uhh7pc27PyXG34bAAKG7ro21/wJ5CS1XG1CPnfLCnQrQe7383w/9Gl2Wl7f9su yL1Ne7m7LEifcl4oSslckz7Ak3Rif2Lb39QR+yQziKJBY7WDP0YXU2fBggovVsJCEt7M nBxA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=w4MxXcHO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z20-20020aa78894000000b0053e7495a394si172440pfe.141.2022.10.13.11.44.10; Thu, 13 Oct 2022 11:44:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=w4MxXcHO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231866AbiJMS1c (ORCPT + 99 others); Thu, 13 Oct 2022 14:27:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36586 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229646AbiJMS1H (ORCPT ); Thu, 13 Oct 2022 14:27:07 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4995F18811C; Thu, 13 Oct 2022 11:22:51 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 0C5ECB8206D; Thu, 13 Oct 2022 18:00:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5DA34C433C1; Thu, 13 Oct 2022 18:00:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665684040; bh=GLtAHWxXyJx3NijczFxtqRQxyiQ/itl74fwTwCHfKGk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=w4MxXcHO5wllpIw8nOarbLHH+1koEZ/Cfyxm8eZo4/lUC/Fg/FfFTAs1iSscVe9ZV NX0dDdvPrD9IXcC4LsKlQpY7kikJ8B+5Bv3cKdHylMC/wojE024ydo5WS12jTUEEIh DAlxj61pK+d9jh/DwftsT5UYMrZnkVCUX7uGlJf8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?utf-8?q?S=C3=B6nke_Huster?= , Johannes Berg Subject: [PATCH 5.19 24/33] wifi: cfg80211: fix BSS refcounting bugs Date: Thu, 13 Oct 2022 19:52:56 +0200 Message-Id: <20221013175146.079038869@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175145.236739253@linuxfoundation.org> References: <20221013175145.236739253@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1746599060115426672?= X-GMAIL-MSGID: =?utf-8?q?1746599060115426672?= From: Johannes Berg commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream. There are multiple refcounting bugs related to multi-BSSID: - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro. - In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data. - In cfg80211_inform_single_bss_data(), if adding to the non- transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there. This fixes CVE-2022-42720. Reported-by: Sönke Huster Tested-by: Sönke Huster Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/scan.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cf lockdep_assert_held(&rdev->bss_lock); bss->refcount++; - if (bss->pub.hidden_beacon_bss) { - bss = container_of(bss->pub.hidden_beacon_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } - if (bss->pub.transmitted_bss) { - bss = container_of(bss->pub.transmitted_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } + + if (bss->pub.hidden_beacon_bss) + bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; + + if (bss->pub.transmitted_bss) + bss_from_pub(bss->pub.transmitted_bss)->refcount++; } static inline void bss_ref_put(struct cfg80211_registered_device *rdev, @@ -1741,6 +1735,8 @@ cfg80211_bss_update(struct cfg80211_regi new->refcount = 1; INIT_LIST_HEAD(&new->hidden_list); INIT_LIST_HEAD(&new->pub.nontrans_list); + /* we'll set this later if it was non-NULL */ + new->pub.transmitted_bss = NULL; if (rcu_access_pointer(tmp->pub.proberesp_ies)) { hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); @@ -2023,10 +2019,15 @@ cfg80211_inform_single_bss_data(struct w spin_lock_bh(&rdev->bss_lock); if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, &res->pub)) { - if (__cfg80211_unlink_bss(rdev, res)) + if (__cfg80211_unlink_bss(rdev, res)) { rdev->bss_generation++; + res = NULL; + } } spin_unlock_bh(&rdev->bss_lock); + + if (!res) + return NULL; } trace_cfg80211_return_bss(&res->pub);