diff options
Diffstat (limited to '0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch')
-rw-r--r-- | 0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch | 57 |
1 files changed, 0 insertions, 57 deletions
diff --git a/0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch b/0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch deleted file mode 100644 index f776ae1f3bde..000000000000 --- a/0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch +++ /dev/null @@ -1,57 +0,0 @@ -From d6eee5062ee22666776128a759f4ae1c7fda975e Mon Sep 17 00:00:00 2001 -From: Johannes Berg <johannes.berg@intel.com> -Date: Sat, 1 Oct 2022 00:01:44 +0200 -Subject: [PATCH 09/13] wifi: cfg80211: avoid nontransmitted BSS list - corruption -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit bcca852027e5878aec911a347407ecc88d6fff7f upstream. - -If a non-transmitted BSS shares enough information (both -SSID and BSSID!) with another non-transmitted BSS of a -different AP, then we can find and update it, and then -try to add it to the non-transmitted BSS list. We do a -search for it on the transmitted BSS, but if it's not -there (but belongs to another transmitted BSS), the list -gets corrupted. - -Since this is an erroneous situation, simply fail the -list insertion in this case and free the non-transmitted -BSS. - -This fixes CVE-2022-42721. - -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") -Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/wireless/scan.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/net/wireless/scan.c b/net/wireless/scan.c -index 56a876b15598..a12c30ad9e5a 100644 ---- a/net/wireless/scan.c -+++ b/net/wireless/scan.c -@@ -423,6 +423,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss, - - rcu_read_unlock(); - -+ /* -+ * This is a bit weird - it's not on the list, but already on another -+ * one! The only way that could happen is if there's some BSSID/SSID -+ * shared by multiple APs in their multi-BSSID profiles, potentially -+ * with hidden SSID mixed in ... ignore it. -+ */ -+ if (!list_empty(&nontrans_bss->nontrans_list)) -+ return -EINVAL; -+ - /* add to the list */ - list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); - return 0; --- -2.38.0 - |