Diffstat (limited to '0006-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch')
-rw-r--r-- | 0006-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch | 107 |
1 files changed, 0 insertions, 107 deletions
diff --git a/0006-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch b/0006-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch
deleted file mode 100644
index 298ab5a7ef95..000000000000
--- a/0006-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 384bd01f765209d69225481340a19707553ccf45 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 28 Sep 2022 22:07:15 +0200
-Subject: [PATCH 06/13] wifi: mac80211: fix MBSSID parsing use-after-free
-
-commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream.
-
-When we parse a multi-BSSID element, we might point some
-element pointers into the allocated nontransmitted_profile.
-However, we free this before returning, causing UAF when the
-relevant pointers in the parsed elements are accessed.
-
-Fix this by not allocating the scratch buffer separately but
-as part of the returned structure instead, that way, there
-are no lifetime issues with it.
-
-The scratch buffer introduction as part of the returned data
-here is taken from MLO feature work done by Ilan.
-
-This fixes CVE-2022-42719.
-
-Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
-Co-developed-by: Ilan Peer <ilan.peer@intel.com>
-Signed-off-by: Ilan Peer <ilan.peer@intel.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/ieee80211_i.h | 8 ++++++++
- net/mac80211/util.c | 30 +++++++++++++++---------------
- 2 files changed, 23 insertions(+), 15 deletions(-)
-
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index e192e1ec0261..9583643b7033 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -1704,6 +1704,14 @@ struct ieee802_11_elems {
-
- /* whether a parse error occurred while retrieving these elements */
- bool parse_error;
-+
-+ /*
-+ * scratch buffer that can be used for various element parsing related
-+ * tasks, e.g., element de-fragmentation etc.
-+ */
-+ size_t scratch_len;
-+ u8 *scratch_pos;
-+ u8 scratch[];
- };
-
- static inline struct ieee80211_local *hw_to_local(
-diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index 3d097386b2b9..4fc3d545e666 100644
---- a/net/mac80211/util.c
-+++ b/net/mac80211/util.c
-@@ -1503,24 +1503,26 @@ ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
- const struct element *non_inherit = NULL;
- u8 *nontransmitted_profile;
- int nontransmitted_profile_len = 0;
-+ size_t scratch_len = params->len;
-
-- elems = kzalloc(sizeof(*elems), GFP_ATOMIC);
-+ elems = kzalloc(sizeof(*elems) + scratch_len, GFP_ATOMIC);
- if (!elems)
- return NULL;
- elems->ie_start = params->start;
- elems->total_len = params->len;
--
-- nontransmitted_profile = kmalloc(params->len, GFP_ATOMIC);
-- if (nontransmitted_profile) {
-- nontransmitted_profile_len =
-- ieee802_11_find_bssid_profile(params->start, params->len,
-- elems, params->bss,
-- nontransmitted_profile);
-- non_inherit =
-- cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
-- nontransmitted_profile,
-- nontransmitted_profile_len);
-- }
-+ elems->scratch_len = scratch_len;
-+ elems->scratch_pos = elems->scratch;
-+
-+ nontransmitted_profile = elems->scratch_pos;
-+ nontransmitted_profile_len =
-+ ieee802_11_find_bssid_profile(params->start, params->len,
-+ elems, params->bss,
-+ nontransmitted_profile);
-+ elems->scratch_pos += nontransmitted_profile_len;
-+ elems->scratch_len -= nontransmitted_profile_len;
-+ non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
-+ nontransmitted_profile,
-+ nontransmitted_profile_len);
-
- elems->crc = _ieee802_11_parse_elems_full(params, elems, non_inherit);
-
-@@ -1554,8 +1556,6 @@ ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
- offsetofend(struct ieee80211_bssid_index, dtim_count))
- elems->dtim_count = elems->bssid_index->dtim_count;
-
-- kfree(nontransmitted_profile);
--
- return elems;
- }
-
----
-2.38.0
- |