diff mbox series

[SRU,OEM-6.0,6/9] wifi: cfg80211: avoid nontransmitted BSS list corruption

Message ID 20221018174312.3383944-7-cascardo@canonical.com
State New
Headers show
Series wlan CVE fixes | expand

Commit Message

Thadeu Lima de Souza Cascardo Oct. 18, 2022, 5:43 p.m. UTC 
From: Johannes Berg <johannes.berg@intel.com>

If a non-transmitted BSS shares enough information (both
SSID and BSSID!) with another non-transmitted BSS of a
different AP, then we can find and update it, and then
try to add it to the non-transmitted BSS list. We do a
search for it on the transmitted BSS, but if it's not
there (but belongs to another transmitted BSS), the list
gets corrupted.

Since this is an erroneous situation, simply fail the
list insertion in this case and free the non-transmitted
BSS.

This fixes CVE-2022-42721.

Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry picked from commit bcca852027e5878aec911a347407ecc88d6fff7f)
CVE-2022-42721
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 net/wireless/scan.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff mbox series

Patch

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 56a876b15598..a12c30ad9e5a 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -423,6 +423,15 @@  cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
 
 	rcu_read_unlock();
 
+	/*
+	 * This is a bit weird - it's not on the list, but already on another
+	 * one! The only way that could happen is if there's some BSSID/SSID
+	 * shared by multiple APs in their multi-BSSID profiles, potentially
+	 * with hidden SSID mixed in ... ignore it.
+	 */
+	if (!list_empty(&nontrans_bss->nontrans_list))
+		return -EINVAL;
+
 	/* add to the list */
 	list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
 	return 0;