Message ID | 20221013175146.112157722@linuxfoundation.org |
---|---|
State | New |
Headers | From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>; To: linux-kernel@vger.kernel.org; Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Sönke Huster <shuster@seemoo.tu-darmstadt.de>, Johannes Berg <johannes.berg@intel.com>; Subject: [PATCH 5.19 25/33] wifi: cfg80211: avoid nontransmitted BSS list corruption; Date: Thu, 13 Oct 2022 19:52:57 +0200; Message-Id: <20221013175146.112157722@linuxfoundation.org>; In-Reply-To: <20221013175145.236739253@linuxfoundation.org>; References: <20221013175145.236739253@linuxfoundation.org> |
Series | None |
Commit Message
Greg KH
Oct. 13, 2022, 5:52 p.m. UTC
From: Johannes Berg <johannes.berg@intel.com>

commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.

If a non-transmitted BSS shares enough information (both SSID and BSSID!) with another non-transmitted BSS of a different AP, then we can find and update it, and then try to add it to the non-transmitted BSS list. We do a search for it on the transmitted BSS, but if it's not there (but belongs to another transmitted BSS), the list gets corrupted.

Since this is an erroneous situation, simply fail the list insertion in this case and free the non-transmitted BSS.

This fixes CVE-2022-42721.

Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/wireless/scan.c | 9 +++++++++
 1 file changed, 9 insertions(+)
--- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -423,6 +423,15 @@ cfg80211_add_nontrans_list(struct cfg802 rcu_read_unlock(); + /* + * This is a bit weird - it's not on the list, but already on another + * one! The only way that could happen is if there's some BSSID/SSID + * shared by multiple APs in their multi-BSSID profiles, potentially + * with hidden SSID mixed in ... ignore it. + */ + if (!list_empty(&nontrans_bss->nontrans_list)) + return -EINVAL; + /* add to the list */ list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); return 0;
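Review bot: The new `return -EINVAL` after the `list_empty(&nontrans_bss->nontrans_list)` check leaves the promised cleanup to code this hunk does not touch. The commit message says the non-transmitted BSS is freed, but the nine added lines only reject the insertion, so the fix is complete only if the caller of cfg80211_add_nontrans_list() already releases `nontrans_bss` on a non-zero return. It would help to say so in the comment, for example "caller must drop the BSS on error", so a later refactor of the caller does not turn this into a leak or a dangling entry. The comment could also state the invariant the check depends on, namely that `nontrans_list` is an initialised, empty list head whenever the BSS is not linked under any transmitted BSS, instead of "a bit weird"; without that guarantee `list_empty()` is not a reliable membership test. Returning silently, with no WARN, looks right here, since the comment itself attributes the condition to what APs advertise in their multi-BSSID profiles.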