From patchwork Tue Oct 18 17:43:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1691650 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=WTjweWtl; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4MsLpR6Gy4z23jx for ; Wed, 19 Oct 2022 04:44:31 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1okqdc-0003vb-Hd; Tue, 18 Oct 2022 17:44:24 +0000 Received: from smtp-relay-canonical-1.internal ([10.131.114.174] helo=smtp-relay-canonical-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1okqdY-0003mM-2F for kernel-team@lists.ubuntu.com; Tue, 18 Oct 2022 17:44:20 +0000 Received: from localhost.localdomain (1.general.cascardo.us.vpn [10.172.70.58]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-1.canonical.com (Postfix) with ESMTPSA id B517C3FE11 for ; Tue, 18 Oct 2022 17:44:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1666115058; bh=H+RHStW67bDAzpoyxiU+LOR9g81GYfm8BwZM9v6O7/g=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Type; b=WTjweWtlxfgVoA9U68RGR5GgvHJFfaDTM5dDCeoth9zufjP1ISUh6w/TZc5qar8rl 2yLyhpi2y2nwvfJRGZCaGCh6RpUWRGQ29e4mZpNFP4+FyjWsmOilUG5Ff5o35r3wPW bzDo+cYZBAn/V4ScY/SYtAW2SNUxpfJSeCfHxtv0lVWgbPVeMd7kGMbRpmXofBMqUk 7AdS7nQfxEmCJ7LlFY03XyAEKF7qELYl5yAxRnyj6vBoYT5arBS10ZIVHtS1xf6sgQ OnptypeRhe01DBFrv2ZIhfRnUz8yBgjwpEFDAGSkduL8FaIl0kdS26AvyQg5Ic1PbW ZuFAYslKN1Mrg== From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [SRU OEM-6.0 6/9] wifi: cfg80211: avoid nontransmitted BSS list corruption Date: Tue, 18 Oct 2022 14:43:09 -0300 Message-Id: <20221018174312.3383944-7-cascardo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221018174312.3383944-1-cascardo@canonical.com> References: <20221018174312.3383944-1-cascardo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Johannes Berg If a non-transmitted BSS shares enough information (both SSID and BSSID!) with another non-transmitted BSS of a different AP, then we can find and update it, and then try to add it to the non-transmitted BSS list. We do a search for it on the transmitted BSS, but if it's not there (but belongs to another transmitted BSS), the list gets corrupted. Since this is an erroneous situation, simply fail the list insertion in this case and free the non-transmitted BSS. This fixes CVE-2022-42721. Reported-by: Sönke Huster Tested-by: Sönke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg (cherry picked from commit bcca852027e5878aec911a347407ecc88d6fff7f) CVE-2022-42721 Signed-off-by: Thadeu Lima de Souza Cascardo --- net/wireless/scan.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 56a876b15598..a12c30ad9e5a 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -423,6 +423,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss, rcu_read_unlock(); + /* + * This is a bit weird - it's not on the list, but already on another + * one! The only way that could happen is if there's some BSSID/SSID + * shared by multiple APs in their multi-BSSID profiles, potentially + * with hidden SSID mixed in ... ignore it. + */ + if (!list_empty(&nontrans_bss->nontrans_list)) + return -EINVAL; + /* add to the list */ list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); return 0;