[people/pmueller/ipfire-2.x.git] / src / patches / linux / linux-5.15-wifi-security-patches-1.patch

From 9a8ef2030510a9d6ce86fd535b8d10720230811f Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@intel.com>
Date: Wed, 28 Sep 2022 21:56:15 +0200
Subject: [PATCH] wifi: cfg80211: fix u8 overflow in
 cfg80211_update_notlisted_nontrans()

commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.

In the copy code of the elements, we do the following calculation
to reach the end of the MBSSID element:

	/* copy the IEs after MBSSID */
	cpy_len = mbssid[1] + 2;

This looks fine, however, cpy_len is a u8, the same as mbssid[1],
so the addition of two can overflow. In this case the subsequent
memcpy() will overflow the allocated buffer, since it copies 256
bytes too much due to the way the allocation and memcpy() sizes
are calculated.

Fix this by using size_t for the cpy_len variable.

This fixes CVE-2022-41674.

Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/wireless/scan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 1a8b76c9dd56..d9ab37a798f4 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
 	size_t new_ie_len;
 	struct cfg80211_bss_ies *new_ies;
 	const struct cfg80211_bss_ies *old;
-	u8 cpy_len;
+	size_t cpy_len;
 
 	lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
 
-- 
2.30.2
Commit	Line	Data
ee2e7db9 PM	1	From 9a8ef2030510a9d6ce86fd535b8d10720230811f Mon Sep 17 00:00:00 2001
	2	From: Johannes Berg <johannes.berg@intel.com>
	3	Date: Wed, 28 Sep 2022 21:56:15 +0200
	4	Subject: [PATCH] wifi: cfg80211: fix u8 overflow in
	5	cfg80211_update_notlisted_nontrans()
	6
	7	commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
	8
	9	In the copy code of the elements, we do the following calculation
	10	to reach the end of the MBSSID element:
	11
	12	/* copy the IEs after MBSSID */
	13	cpy_len = mbssid[1] + 2;
	14
	15	This looks fine, however, cpy_len is a u8, the same as mbssid[1],
	16	so the addition of two can overflow. In this case the subsequent
	17	memcpy() will overflow the allocated buffer, since it copies 256
	18	bytes too much due to the way the allocation and memcpy() sizes
	19	are calculated.
	20
	21	Fix this by using size_t for the cpy_len variable.
	22
	23	This fixes CVE-2022-41674.
	24
	25	Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
	26	Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
	27	Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
	28	Reviewed-by: Kees Cook <keescook@chromium.org>
	29	Signed-off-by: Johannes Berg <johannes.berg@intel.com>
	30	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	31	---
	32	net/wireless/scan.c \| 2 +-
	33	1 file changed, 1 insertion(+), 1 deletion(-)
	34
	35	diff --git a/net/wireless/scan.c b/net/wireless/scan.c
	36	index 1a8b76c9dd56..d9ab37a798f4 100644
	37	--- a/net/wireless/scan.c
	38	+++ b/net/wireless/scan.c
	39	@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
	40	size_t new_ie_len;
	41	struct cfg80211_bss_ies *new_ies;
	42	const struct cfg80211_bss_ies *old;
	43	- u8 cpy_len;
	44	+ size_t cpy_len;
	45
	46	lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
	47
	48	--
	49	2.30.2
	50