1 | From 0a8ee682e4f992eccce226b012bba600bb2251e2 Mon Sep 17 00:00:00 2001 |
2 | From: Johannes Berg <johannes.berg@intel.com> | |
3 | Date: Sat, 1 Oct 2022 00:01:44 +0200 | |
4 | Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list corruption | |
5 | MIME-Version: 1.0 | |
6 | Content-Type: text/plain; charset=utf8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | commit bcca852027e5878aec911a347407ecc88d6fff7f upstream. | |
10 | ||
11 | If a non-transmitted BSS shares enough information (both | |
12 | SSID and BSSID!) with another non-transmitted BSS of a | |
13 | different AP, then we can find and update it, and then | |
14 | try to add it to the non-transmitted BSS list. We do a | |
15 | search for it on the transmitted BSS, but if it's not | |
16 | there (but belongs to another transmitted BSS), the list | |
17 | gets corrupted. | |
18 | ||
19 | Since this is an erroneous situation, simply fail the | |
20 | list insertion in this case and free the non-transmitted | |
21 | BSS. | |
22 | ||
23 | This fixes CVE-2022-42721. | |
24 | ||
25 | Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> | |
26 | Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> | |
27 | Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") | |
28 | Signed-off-by: Johannes Berg <johannes.berg@intel.com> | |
29 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
30 | --- | |
31 | net/wireless/scan.c | 9 +++++++++ | |
32 | 1 file changed, 9 insertions(+) | |
33 | ||
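diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 2e576714e989..a21baf7b3612 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
 
 	rcu_read_unlock();
 
+	/*
+	 * This is a bit weird - it's not on the list, but already on another
+	 * one! The only way that could happen is if there's some BSSID/SSID
+	 * shared by multiple APs in their multi-BSSID profiles, potentially
+	 * with hidden SSID mixed in ... ignore it.
+	 */
+	if (!list_empty(&nontrans_bss->nontrans_list))
+		return -EINVAL;
+
 	/* add to the list */
 	list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
 	return 0;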
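Review bot: The new guard `if (!list_empty(&nontrans_bss->nontrans_list))` is only correct if `nontrans_bss->nontrans_list` has been run through INIT_LIST_HEAD() on every allocation path before this function is reached; a zero-filled but uninitialized list_head makes list_empty() report "not empty" and every insertion would be rejected with -EINVAL, which the hunk cannot show either way since the body of cfg80211_add_nontrans_list starts outside it. The comment's "ignore it" also understates what happens: the function fails with -EINVAL and, per the commit message, the caller is expected to free the non-transmitted BSS, so I would end the comment with `* Reject it; the caller drops the nontrans BSS instead of linking it twice.` to make the ownership outcome explicit at the site of the check. The early return sits after rcu_read_unlock(), so no read-side critical section is leaked here, but the prior rcu_read_lock() is outside the hunk and should be confirmed to be the only lock held at this point.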
54 | -- | |
55 | 2.30.2 | |
56 |