5.10-stable patches

added patches:
	wifi-mac80211-fix-potential-key-use-after-free.patch

diff --git a/queue-5.10/series b/queue-5.10/series
index 8910beed593f3cae21e58633ed7c4a4d48742b28..9320436755652e2ddfb826c38f8f97487599aaf6 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -7,3 +7,4 @@ net-macb-avoid-20s-boot-delay-by-skipping-mdio-bus-registration-for-fixed-link-p
 irqchip-gic-v3-its-fix-vsync-referencing-an-unmapped-vpe-on-gic-v4.1.patch
 fat-fix-uninitialized-variable.patch
 mm-swapfile-skip-hugetlb-pages-for-unuse_vma.patch
+wifi-mac80211-fix-potential-key-use-after-free.patch

diff --git a/queue-5.10/wifi-mac80211-fix-potential-key-use-after-free.patch b/queue-5.10/wifi-mac80211-fix-potential-key-use-after-free.patch
new file mode 100644 (file)
index 0000000..bedfa4b
--- /dev/null
+++ b/queue-5.10/wifi-mac80211-fix-potential-key-use-after-free.patch
@@ -0,0 +1,58 @@
+From 31db78a4923ef5e2008f2eed321811ca79e7f71b Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 19 Sep 2023 08:34:15 +0200
+Subject: wifi: mac80211: fix potential key use-after-free
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 31db78a4923ef5e2008f2eed321811ca79e7f71b upstream.
+
+When ieee80211_key_link() is called by ieee80211_gtk_rekey_add()
+but returns 0 due to KRACK protection (identical key reinstall),
+ieee80211_gtk_rekey_add() will still return a pointer into the
+key, in a potential use-after-free. This normally doesn't happen
+since it's only called by iwlwifi in case of WoWLAN rekey offload
+which has its own KRACK protection, but still better to fix, do
+that by returning an error code and converting that to success on
+the cfg80211 boundary only, leaving the error for bad callers of
+ieee80211_gtk_rekey_add().
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[ Sherry: bp to fix CVE-2023-52530, resolved minor conflicts in
+  net/mac80211/cfg.c because of context change due to missing commit
+  23a5f0af6ff4 ("wifi: mac80211: remove cipher scheme support")
+  ccdde7c74ffd ("wifi: mac80211: properly implement MLO key handling")]
+Signed-off-by: Sherry Yang <sherry.yang@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c |    3 +++
+ net/mac80211/key.c |    2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -509,6 +509,9 @@ static int ieee80211_add_key(struct wiph
+               sta->cipher_scheme = cs;
+ 
+       err = ieee80211_key_link(key, sdata, sta);
++      /* KRACK protection, shouldn't happen but just silently accept key */
++      if (err == -EALREADY)
++              err = 0;
+ 
+  out_unlock:
+       mutex_unlock(&local->sta_mtx);
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -843,7 +843,7 @@ int ieee80211_key_link(struct ieee80211_
+        */
+       if (ieee80211_key_identical(sdata, old_key, key)) {
+               ieee80211_key_free_unused(key);
+-              ret = 0;
++              ret = -EALREADY;
+               goto out;
+       }
+