From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sönke Huster, Johannes Berg
Subject: [PATCH 5.19 27/33] wifi: mac80211: fix crash in beacon protection for P2P-device
Date: Thu, 13 Oct 2022 19:52:59 +0200

From: Johannes Berg

commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.

If beacon protection is active but the beacon cannot be decrypted or is otherwise malformed, we call the cfg80211 API to report this to userspace, but that uses a netdev pointer, which isn't present for P2P-Device. Fix this to call it only conditionally to ensure cfg80211 won't crash in the case of P2P-Device.

This fixes CVE-2022-42722.

Reported-by: Sönke Huster
Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/rx.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c
@@ -1988,10 +1988,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_ if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS || mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS + - NUM_DEFAULT_BEACON_KEYS) { - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, - skb->data, - skb->len); + NUM_DEFAULT_BEACON_KEYS) { + if (rx->sdata->dev) + cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, + skb->data, + skb->len); return RX_DROP_MONITOR; /* unexpected BIP keyidx */ } @@ -2139,7 +2140,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_ /* either the frame has been decrypted or will be dropped */ status->flag |= RX_FLAG_DECRYPTED; - if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE)) + if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE && + rx->sdata->dev)) cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, skb->data, skb->len);
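
Review bot: The new `if (rx->sdata->dev)` check in the first hunk (the unexpected BIP keyidx branch) carries no comment saying when `dev` can be NULL. The commit message names the P2P-Device case, and a one-line comment to that effect above the check would keep a later cleanup from dropping it as redundant. It is also worth noting there that only the cfg80211_rx_unprot_mlme_mgmt() report is skipped; the frame is still dropped with RX_DROP_MONITOR whether or not a netdev exists.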
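
Review bot: In the second hunk (@@ -2139) the `rx->sdata->dev` test is folded into the `unlikely(...)` condition, while the first hunk uses a separate nested `if`, so the same guard is now open-coded twice in ieee80211_rx_h_decrypt() in two different shapes. Consider one small local helper that performs the NULL check and then calls cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, skb->data, skb->len), and use it at both sites, so a third call added to this function later cannot miss the check.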