[people/mfischer/ipfire-2.x.git] / src / patches / linux / linux-5.15-wifi-security-patches-5.patch

From 0a8ee682e4f992eccce226b012bba600bb2251e2 Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@intel.com>
Date: Sat, 1 Oct 2022 00:01:44 +0200
Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list corruption
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.

If a non-transmitted BSS shares enough information (both
SSID and BSSID!) with another non-transmitted BSS of a
different AP, then we can find and update it, and then
try to add it to the non-transmitted BSS list. We do a
search for it on the transmitted BSS, but if it's not
there (but belongs to another transmitted BSS), the list
gets corrupted.

Since this is an erroneous situation, simply fail the
list insertion in this case and free the non-transmitted
BSS.

This fixes CVE-2022-42721.

Reported-by: SÃ¶nke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: SÃ¶nke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/wireless/scan.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 2e576714e989..a21baf7b3612 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
 
 	rcu_read_unlock();
 
+	/*
+	 * This is a bit weird - it's not on the list, but already on another
+	 * one! The only way that could happen is if there's some BSSID/SSID
+	 * shared by multiple APs in their multi-BSSID profiles, potentially
+	 * with hidden SSID mixed in ... ignore it.
+	 */
+	if (!list_empty(&nontrans_bss->nontrans_list))
+		return -EINVAL;
+
 	/* add to the list */
 	list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
 	return 0;
-- 
2.30.2
Commit	Line	Data
ee2e7db9 PM	1	From 0a8ee682e4f992eccce226b012bba600bb2251e2 Mon Sep 17 00:00:00 2001
	2	From: Johannes Berg <johannes.berg@intel.com>
	3	Date: Sat, 1 Oct 2022 00:01:44 +0200
	4	Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list corruption
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=utf8
	7	Content-Transfer-Encoding: 8bit
	8
	9	commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
	10
	11	If a non-transmitted BSS shares enough information (both
	12	SSID and BSSID!) with another non-transmitted BSS of a
	13	different AP, then we can find and update it, and then
	14	try to add it to the non-transmitted BSS list. We do a
	15	search for it on the transmitted BSS, but if it's not
	16	there (but belongs to another transmitted BSS), the list
	17	gets corrupted.
	18
	19	Since this is an erroneous situation, simply fail the
	20	list insertion in this case and free the non-transmitted
	21	BSS.
	22
	23	This fixes CVE-2022-42721.
	24
	25	Reported-by: SÃ¶nke Huster <shuster@seemoo.tu-darmstadt.de>
	26	Tested-by: SÃ¶nke Huster <shuster@seemoo.tu-darmstadt.de>
	27	Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
	28	Signed-off-by: Johannes Berg <johannes.berg@intel.com>
	29	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	30	---
	31	net/wireless/scan.c \| 9 +++++++++
	32	1 file changed, 9 insertions(+)
	33
	34	diff --git a/net/wireless/scan.c b/net/wireless/scan.c
	35	index 2e576714e989..a21baf7b3612 100644
	36	--- a/net/wireless/scan.c
	37	+++ b/net/wireless/scan.c
	38	@@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
	39
	40	rcu_read_unlock();
	41
	42	+ /*
	43	+ * This is a bit weird - it's not on the list, but already on another
	44	+ * one! The only way that could happen is if there's some BSSID/SSID
	45	+ * shared by multiple APs in their multi-BSSID profiles, potentially
	46	+ * with hidden SSID mixed in ... ignore it.
	47	+ */
	48	+ if (!list_empty(&nontrans_bss->nontrans_list))
	49	+ return -EINVAL;
	50	+
	51	/* add to the list */
	52	list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
	53	return 0;
	54	--
	55	2.30.2
	56