5.4-stable patches

added patches:
	wifi-mac80211-fix-potential-key-use-after-free.patch

diff --git a/queue-5.4/series b/queue-5.4/series
index 456c37abf9330356bd743cb07562c8c8cf3606aa..644558096ef7e373773b6004efcfbf615a5d43c4 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -357,3 +357,4 @@ tracing-kprobes-fix-symbol-counting-logic-by-looking-at-modules-as-well.patch
 pci-add-function-0-dma-alias-quirk-for-glenfly-arise-chip.patch
 fat-fix-uninitialized-variable.patch
 mm-swapfile-skip-hugetlb-pages-for-unuse_vma.patch
+wifi-mac80211-fix-potential-key-use-after-free.patch

diff --git a/queue-5.4/wifi-mac80211-fix-potential-key-use-after-free.patch b/queue-5.4/wifi-mac80211-fix-potential-key-use-after-free.patch
new file mode 100644 (file)
index 0000000..9bf01b1
--- /dev/null
+++ b/queue-5.4/wifi-mac80211-fix-potential-key-use-after-free.patch
@@ -0,0 +1,58 @@
+From 31db78a4923ef5e2008f2eed321811ca79e7f71b Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 19 Sep 2023 08:34:15 +0200
+Subject: wifi: mac80211: fix potential key use-after-free
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 31db78a4923ef5e2008f2eed321811ca79e7f71b upstream.
+
+When ieee80211_key_link() is called by ieee80211_gtk_rekey_add()
+but returns 0 due to KRACK protection (identical key reinstall),
+ieee80211_gtk_rekey_add() will still return a pointer into the
+key, in a potential use-after-free. This normally doesn't happen
+since it's only called by iwlwifi in case of WoWLAN rekey offload
+which has its own KRACK protection, but still better to fix, do
+that by returning an error code and converting that to success on
+the cfg80211 boundary only, leaving the error for bad callers of
+ieee80211_gtk_rekey_add().
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[ Sherry: bp to fix CVE-2023-52530, resolved minor conflicts in
+  net/mac80211/cfg.c because of context change due to missing commit
+  23a5f0af6ff4 ("wifi: mac80211: remove cipher scheme support")
+  ccdde7c74ffd ("wifi: mac80211: properly implement MLO key handling")]
+Signed-off-by: Sherry Yang <sherry.yang@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c |    3 +++
+ net/mac80211/key.c |    2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -491,6 +491,9 @@ static int ieee80211_add_key(struct wiph
+               sta->cipher_scheme = cs;
+ 
+       err = ieee80211_key_link(key, sdata, sta);
++      /* KRACK protection, shouldn't happen but just silently accept key */
++      if (err == -EALREADY)
++              err = 0;
+ 
+  out_unlock:
+       mutex_unlock(&local->sta_mtx);
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -808,7 +808,7 @@ int ieee80211_key_link(struct ieee80211_
+        */
+       if (ieee80211_key_identical(sdata, old_key, key)) {
+               ieee80211_key_free_unused(key);
+-              ret = 0;
++              ret = -EALREADY;
+               goto out;
+       }
+