[people/pmueller/ipfire-2.x.git] / src / patches / linux / linux-5.15-wifi-security-patches-2.patch

From 0a861bd25dad508e492c48169509d8c6b9246895 Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@intel.com>
Date: Wed, 28 Sep 2022 22:01:37 +0200
Subject: [PATCH] wifi: cfg80211/mac80211: reject bad MBSSID elements

commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.

Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
and the minimum is 1 since a multiple BSSID set with just one BSSID
doesn't make sense (the # of BSSIDs is limited by 2^n).

Limit this in the parsing in both cfg80211 and mac80211, rejecting
any elements with an invalid value.

This fixes potentially bad shifts in the processing of these inside
the cfg80211_gen_new_bssid() function later.

I found this during the investigation of CVE-2022-41674 fixed by the
previous patch.

Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/util.c | 2 ++
 net/wireless/scan.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index be1911d8089f..00543ea9c6b5 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1414,6 +1414,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
 	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
 		if (elem->datalen < 2)
 			continue;
+		if (elem->data[0] < 1 || elem->data[0] > 8)
+			continue;
 
 		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 			u8 new_bssid[ETH_ALEN];
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index d9ab37a798f4..84c642eae4d8 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2103,6 +2103,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
 	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
 		if (elem->datalen < 4)
 			continue;
+		if (elem->data[0] < 1 || (int)elem->data[0] > 8)
+			continue;
 		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 			u8 profile_len;
 
-- 
2.30.2
Commit	Line	Data
ee2e7db9 PM	1	From 0a861bd25dad508e492c48169509d8c6b9246895 Mon Sep 17 00:00:00 2001
	2	From: Johannes Berg <johannes.berg@intel.com>
	3	Date: Wed, 28 Sep 2022 22:01:37 +0200
	4	Subject: [PATCH] wifi: cfg80211/mac80211: reject bad MBSSID elements
	5
	6	commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.
	7
	8	Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
	9	and the minimum is 1 since a multiple BSSID set with just one BSSID
	10	doesn't make sense (the # of BSSIDs is limited by 2^n).
	11
	12	Limit this in the parsing in both cfg80211 and mac80211, rejecting
	13	any elements with an invalid value.
	14
	15	This fixes potentially bad shifts in the processing of these inside
	16	the cfg80211_gen_new_bssid() function later.
	17
	18	I found this during the investigation of CVE-2022-41674 fixed by the
	19	previous patch.
	20
	21	Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
	22	Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
	23	Reviewed-by: Kees Cook <keescook@chromium.org>
	24	Signed-off-by: Johannes Berg <johannes.berg@intel.com>
	25	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	26	---
	27	net/mac80211/util.c \| 2 ++
	28	net/wireless/scan.c \| 2 ++
	29	2 files changed, 4 insertions(+)
	30
	31	diff --git a/net/mac80211/util.c b/net/mac80211/util.c
	32	index be1911d8089f..00543ea9c6b5 100644
	33	--- a/net/mac80211/util.c
	34	+++ b/net/mac80211/util.c
	35	@@ -1414,6 +1414,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
	36	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
	37	if (elem->datalen < 2)
	38	continue;
	39	+ if (elem->data[0] < 1 \|\| elem->data[0] > 8)
	40	+ continue;
	41
	42	for_each_element(sub, elem->data + 1, elem->datalen - 1) {
	43	u8 new_bssid[ETH_ALEN];
	44	diff --git a/net/wireless/scan.c b/net/wireless/scan.c
	45	index d9ab37a798f4..84c642eae4d8 100644
	46	--- a/net/wireless/scan.c
	47	+++ b/net/wireless/scan.c
	48	@@ -2103,6 +2103,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
	49	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
	50	if (elem->datalen < 4)
	51	continue;
	52	+ if (elem->data[0] < 1 \|\| (int)elem->data[0] > 8)
	53	+ continue;
	54	for_each_element(sub, elem->data + 1, elem->datalen - 1) {
	55	u8 profile_len;
	56
	57	--
	58	2.30.2
	59