linux: Add upstream patches for CVE-2022-4{1674,2719-2722}
1 From 0a861bd25dad508e492c48169509d8c6b9246895 Mon Sep 17 00:00:00 2001
2 From: Johannes Berg <johannes.berg@intel.com>
3 Date: Wed, 28 Sep 2022 22:01:37 +0200
4 Subject: [PATCH] wifi: cfg80211/mac80211: reject bad MBSSID elements
5
6 commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.
7
8 Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
9 and the minimum is 1 since a multiple BSSID set with just one BSSID
10 doesn't make sense (the # of BSSIDs is limited by 2^n).
11
12 Limit this in the parsing in both cfg80211 and mac80211, rejecting
13 any elements with an invalid value.
14
15 This fixes potentially bad shifts in the processing of these inside
16 the cfg80211_gen_new_bssid() function later.
17
18 I found this during the investigation of CVE-2022-41674 fixed by the
19 previous patch.
20
21 Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
22 Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
23 Reviewed-by: Kees Cook <keescook@chromium.org>
24 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
25 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
26 ---
27 net/mac80211/util.c | 2 ++
28 net/wireless/scan.c | 2 ++
29 2 files changed, 4 insertions(+)
30
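--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1414,6 +1414,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
 if (elem->datalen < 2)
 continue;
+ if (elem->data[0] < 1 || elem->data[0] > 8)
+ continue;
 
 for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 u8 new_bssid[ETH_ALEN];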
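Review bot: The bounds 1 and 8 in the added `elem->data[0]` check are bare literals with no comment, here and in the matching check added to net/wireless/scan.c, so a reader of the parser cannot tell what they protect against. The commit message identifies data[0] as the MaxBSSID indicator 'n' and says out-of-range values lead to bad shifts later in cfg80211_gen_new_bssid(). A one-line comment above the check would carry that into the code, for example `/* MaxBSSID indicator n must be 1..8 per spec; other values cause bad shifts in cfg80211_gen_new_bssid() */`. The enclosing function starts and ends outside the hunk, so how data[0] is consumed further down is not visible here.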
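--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2103,6 +2103,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
 if (elem->datalen < 4)
 continue;
+ if (elem->data[0] < 1 || (int)elem->data[0] > 8)
+ continue;
 for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 u8 profile_len;
 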
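Review bot: The `(int)` cast in `(int)elem->data[0] > 8` is absent from the otherwise identical check added to net/mac80211/util.c, and it looks redundant. If `data` is a u8 array (struct element is declared outside the hunk), the operand is promoted to int for the comparison anyway. Writing both sites the same way, `if (elem->data[0] < 1 || elem->data[0] > 8)`, makes it easier to audit that the two parsers enforce the same limit on untrusted frame contents. cfg80211_parse_mbssid_data continues outside the hunk.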
57 --
58 2.30.2
59