linux: Add upstream patches for CVE-2022-4{1674,2719-2722}

[people/pmueller/ipfire-2.x.git] / src / patches / linux / linux-5.15-wifi-security-patches-5.patch

diff --git a/src/patches/linux/linux-5.15-wifi-security-patches-5.patch b/src/patches/linux/linux-5.15-wifi-security-patches-5.patch
new file mode 100644 (file)
index 0000000..c0c4dad
--- /dev/null
+++ b/src/patches/linux/linux-5.15-wifi-security-patches-5.patch
@@ -0,0 +1,56 @@
+From 0a8ee682e4f992eccce226b012bba600bb2251e2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Sat, 1 Oct 2022 00:01:44 +0200
+Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list corruption
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
+
+If a non-transmitted BSS shares enough information (both
+SSID and BSSID!) with another non-transmitted BSS of a
+different AP, then we can find and update it, and then
+try to add it to the non-transmitted BSS list. We do a
+search for it on the transmitted BSS, but if it's not
+there (but belongs to another transmitted BSS), the list
+gets corrupted.
+
+Since this is an erroneous situation, simply fail the
+list insertion in this case and free the non-transmitted
+BSS.
+
+This fixes CVE-2022-42721.
+
+Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
+Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/scan.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 2e576714e989..a21baf7b3612 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
+ 
+       rcu_read_unlock();
+ 
++      /*
++       * This is a bit weird - it's not on the list, but already on another
++       * one! The only way that could happen is if there's some BSSID/SSID
++       * shared by multiple APs in their multi-BSSID profiles, potentially
++       * with hidden SSID mixed in ... ignore it.
++       */
++      if (!list_empty(&nontrans_bss->nontrans_list))
++              return -EINVAL;
++
+       /* add to the list */
+       list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
+       return 0;
+-- 
+2.30.2
+