diff options
Diffstat (limited to '0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch')
| -rw-r--r-- | 0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch b/0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch new file mode 100644 index 000000000000..f776ae1f3bde --- /dev/null +++ b/0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch @@ -0,0 +1,57 @@ +From d6eee5062ee22666776128a759f4ae1c7fda975e Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Sat, 1 Oct 2022 00:01:44 +0200 +Subject: [PATCH 09/13] wifi: cfg80211: avoid nontransmitted BSS list + corruption +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit bcca852027e5878aec911a347407ecc88d6fff7f upstream. + +If a non-transmitted BSS shares enough information (both +SSID and BSSID!) with another non-transmitted BSS of a +different AP, then we can find and update it, and then +try to add it to the non-transmitted BSS list. We do a +search for it on the transmitted BSS, but if it's not +there (but belongs to another transmitted BSS), the list +gets corrupted. + +Since this is an erroneous situation, simply fail the +list insertion in this case and free the non-transmitted +BSS. + +This fixes CVE-2022-42721. + +Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> +Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/wireless/scan.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 56a876b15598..a12c30ad9e5a 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -423,6 +423,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss, + + rcu_read_unlock(); + ++ /* ++ * This is a bit weird - it's not on the list, but already on another ++ * one! The only way that could happen is if there's some BSSID/SSID ++ * shared by multiple APs in their multi-BSSID profiles, potentially ++ * with hidden SSID mixed in ... ignore it. ++ */ ++ if (!list_empty(&nontrans_bss->nontrans_list)) ++ return -EINVAL; ++ + /* add to the list */ + list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); + return 0; +-- +2.38.0 + |