--- /dev/null
+From foo@baz Sat Oct 15 05:26:34 PM CEST 2022
+From: Johannes Berg <johannes@sipsolutions.net>
+Date: Fri, 14 Oct 2022 18:41:48 +0200
+Subject: mac80211: mlme: find auth challenge directly
+To: linux-wireless@vger.kernel.org, stable@vger.kernel.org
+Cc: Felix Fietkau <nbd@nbd.name>, Thadeu Lima de Souza Cascardo <cascardo@canonical.com>, Marcus Meissner <meissner@suse.de>, Jiri Kosina <jkosina@suse.de>, Johannes Berg <johannes.berg@intel.com>
+Message-ID: <20221014164150.24310-2-johannes@sipsolutions.net>
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+There's no need to parse all elements etc. just to find the
+authentication challenge - use cfg80211_find_elem() instead.
+This also allows us to remove WLAN_EID_CHALLENGE handling
+from the element parsing entirely.
+
+Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ieee80211_i.h | 2 --
+ net/mac80211/mlme.c | 11 ++++++-----
+ net/mac80211/util.c | 4 ----
+ 3 files changed, 6 insertions(+), 11 deletions(-)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1485,7 +1485,6 @@ struct ieee802_11_elems {
+ const u8 *supp_rates;
+ const u8 *ds_params;
+ const struct ieee80211_tim_ie *tim;
+- const u8 *challenge;
+ const u8 *rsn;
+ const u8 *rsnx;
+ const u8 *erp_info;
+@@ -1538,7 +1537,6 @@ struct ieee802_11_elems {
+ u8 ssid_len;
+ u8 supp_rates_len;
+ u8 tim_len;
+- u8 challenge_len;
+ u8 rsn_len;
+ u8 rsnx_len;
+ u8 ext_supp_rates_len;
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2899,14 +2899,14 @@ static void ieee80211_auth_challenge(str
+ {
+ struct ieee80211_local *local = sdata->local;
+ struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
++ const struct element *challenge;
+ u8 *pos;
+- struct ieee802_11_elems elems;
+ u32 tx_flags = 0;
+
+ pos = mgmt->u.auth.variable;
+- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
+- mgmt->bssid, auth_data->bss->bssid);
+- if (!elems.challenge)
++ challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos,
++ len - (pos - (u8 *)mgmt));
++ if (!challenge)
+ return;
+ auth_data->expected_transaction = 4;
+ drv_mgd_prepare_tx(sdata->local, sdata, 0);
+@@ -2914,7 +2914,8 @@ static void ieee80211_auth_challenge(str
+ tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
+ IEEE80211_TX_INTFL_MLME_CONN_TX;
+ ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
+- elems.challenge - 2, elems.challenge_len + 2,
++ (void *)challenge,
++ challenge->datalen + sizeof(*challenge),
+ auth_data->bss->bssid, auth_data->bss->bssid,
+ auth_data->key, auth_data->key_len,
+ auth_data->key_idx, tx_flags);
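Review bot: The `(void *)` cast on the new extra-data argument discards the const qualifier of `challenge`, which the first hunk declares as `const struct element *`; since the removed argument `elems.challenge - 2` was a `const u8 *`, ieee80211_send_auth evidently accepts const data and `(const u8 *)challenge` would keep const-correctness without a void cast. The new length `challenge->datalen + sizeof(*challenge)` matches the removed `elems.challenge_len + 2` only because `struct element` has just the id and datalen bytes ahead of its data; a short comment such as `/* id + datalen + challenge text */` would make that equivalence visible to the next reader. The cfg80211_find_elem() call in the first hunk is bounded by the same `len - (pos - (u8 *)mgmt)` the parser used, so the element is within the frame. ieee80211_auth_challenge's signature and the rest of its body lie outside these hunks.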
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1124,10 +1124,6 @@ _ieee802_11_parse_elems_crc(const u8 *st
+ } else
+ elem_parse_failed = true;
+ break;
+- case WLAN_EID_CHALLENGE:
+- elems->challenge = pos;
+- elems->challenge_len = elen;
+- break;
+ case WLAN_EID_VENDOR_SPECIFIC:
+ if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
+ pos[2] == 0xf2) {
revert-fs-check-fmode_lseek-to-control-internal-pipe.patch
+mac80211-mlme-find-auth-challenge-directly.patch
+wifi-mac80211-don-t-parse-mbssid-in-assoc-response.patch
+wifi-mac80211-fix-mbssid-parsing-use-after-free.patch
--- /dev/null
+From foo@baz Sat Oct 15 05:26:34 PM CEST 2022
+From: Johannes Berg <johannes@sipsolutions.net>
+Date: Fri, 14 Oct 2022 18:41:49 +0200
+Subject: wifi: mac80211: don't parse mbssid in assoc response
+To: linux-wireless@vger.kernel.org, stable@vger.kernel.org
+Cc: Felix Fietkau <nbd@nbd.name>, Thadeu Lima de Souza Cascardo <cascardo@canonical.com>, Marcus Meissner <meissner@suse.de>, Jiri Kosina <jkosina@suse.de>, Johannes Berg <johannes.berg@intel.com>
+Message-ID: <20221014184133.c1c3a823db3d.I6c0186979a2872e7f7da75f9f8f93b07046afcf2@changeid>
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+This is simply not valid and simplifies the next commit.
+I'll make a separate patch for this in the current main
+tree as well.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -3300,7 +3300,7 @@ static bool ieee80211_assoc_success(stru
+ }
+ capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
+ ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems,
+- mgmt->bssid, assoc_data->bss->bssid);
++ mgmt->bssid, NULL);
+
+ if (elems->aid_resp)
+ aid = le16_to_cpu(elems->aid_resp->aid);
+@@ -3708,7 +3708,7 @@ static void ieee80211_rx_mgmt_assoc_resp
+ return;
+
+ ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
+- mgmt->bssid, assoc_data->bss->bssid);
++ mgmt->bssid, NULL);
+
+ if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
+ elems.timeout_int &&
--- /dev/null
+From foo@baz Sat Oct 15 05:26:34 PM CEST 2022
+From: Johannes Berg <johannes@sipsolutions.net>
+Date: Fri, 14 Oct 2022 18:41:50 +0200
+Subject: wifi: mac80211: fix MBSSID parsing use-after-free
+To: linux-wireless@vger.kernel.org, stable@vger.kernel.org
+Cc: Felix Fietkau <nbd@nbd.name>, Thadeu Lima de Souza Cascardo <cascardo@canonical.com>, Marcus Meissner <meissner@suse.de>, Jiri Kosina <jkosina@suse.de>, Johannes Berg <johannes.berg@intel.com>, Ilan Peer <ilan.peer@intel.com>, Kees Cook <keescook@chromium.org>
+Message-ID: <20221014184133.bbea30b40ae3.I4691a91b83e1325524f786a638e853ccb49c2443@changeid>
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream.
+This is a different version of the commit, changed to store
+the non-transmitted profile in the elems, and freeing it in
+the few places where it's relevant, since that is only the
+case when the last argument for parsing (the non-tx BSSID)
+is non-NULL.
+
+When we parse a multi-BSSID element, we might point some
+element pointers into the allocated nontransmitted_profile.
+However, we free this before returning, causing UAF when the
+relevant pointers in the parsed elements are accessed.
+
+Fix this by not allocating the scratch buffer separately but
+as part of the returned structure instead, that way, there
+are no lifetime issues with it.
+
+The scratch buffer introduction as part of the returned data
+here is taken from MLO feature work done by Ilan.
+
+This fixes CVE-2022-42719.
+
+Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
+Co-developed-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ieee80211_i.h | 2 ++
+ net/mac80211/mlme.c | 6 +++++-
+ net/mac80211/scan.c | 2 ++
+ net/mac80211/util.c | 7 ++++++-
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1551,6 +1551,8 @@ struct ieee802_11_elems {
+ u8 country_elem_len;
+ u8 bssid_index_len;
+
++ void *nontx_profile;
++
+ /* whether a parse error occurred while retrieving these elements */
+ bool parse_error;
+ };
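Review bot: The new `nontx_profile` field introduces an ownership rule that nothing in the struct states: the parser allocates it, other element pointers in this struct may resolve into it, and the caller must kfree() it once it has finished with the elems. I would document that at the field, `/* scratch buffer holding the non-transmitted BSSID profile; other element pointers in this struct may point into it, so the parser's caller must kfree() it only once it is done with the elems */`. Declaring it `u8 *` rather than `void *` would also say that it is a byte buffer, though that is a matter of taste.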
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -3394,6 +3394,7 @@ static bool ieee80211_assoc_success(stru
+ sdata_info(sdata,
+ "AP bug: VHT operation missing from AssocResp\n");
+ }
++ kfree(bss_elems.nontx_profile);
+ }
+
+ /*
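Review bot: The `kfree(bss_elems.nontx_profile)` added at the end of this block may free memory that `elems` still references. The preceding "AP bug: ... missing from AssocResp" branches look like they copy element pointers from `bss_elems` into `elems` (the body of ieee80211_assoc_success is outside the hunk, so this is inferred), and when the BSS being joined is a non-transmitted one those pointers can resolve into the profile buffer rather than into the duplicated BSS elements; if `elems` is consumed after this point, the same class of use-after-free this patch fixes would survive here. Either defer this kfree to the function's exit, after the last use of `elems`, or confirm that every copied pointer is dereferenced only inside this block.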
+@@ -4045,6 +4046,7 @@ static void ieee80211_rx_mgmt_beacon(str
+ ifmgd->assoc_data->timeout = jiffies;
+ ifmgd->assoc_data->timeout_started = true;
+ run_again(sdata, ifmgd->assoc_data->timeout);
++ kfree(elems.nontx_profile);
+ return;
+ }
+
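Review bot: This hunk frees the profile buffer on one early `return` of ieee80211_rx_mgmt_beacon, and the hunks at `@@ -4222` and `@@ -4237` route a later exit through a new `free:` label; any other `return` between the parse call and that label that lies outside these hunks would still leak `elems.nontx_profile`. Most of the function body is not visible here, so every exit after the parse should be audited, and routing all of them through the single `free:` path would be simpler than duplicating the kfree at each return.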
+@@ -4222,7 +4224,7 @@ static void ieee80211_rx_mgmt_beacon(str
+ ieee80211_report_disconnect(sdata, deauth_buf,
+ sizeof(deauth_buf), true,
+ WLAN_REASON_DEAUTH_LEAVING);
+- return;
++ goto free;
+ }
+
+ if (sta && elems.opmode_notif)
+@@ -4237,6 +4239,8 @@ static void ieee80211_rx_mgmt_beacon(str
+ elems.cisco_dtpc_elem);
+
+ ieee80211_bss_info_change_notify(sdata, changed);
++free:
++ kfree(elems.nontx_profile);
+ }
+
+ void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -227,6 +227,8 @@ ieee80211_bss_info_update(struct ieee802
+ rx_status, beacon);
+ }
+
++ kfree(elems.nontx_profile);
++
+ return bss;
+ }
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1483,6 +1483,11 @@ u32 ieee802_11_parse_elems_crc(const u8
+ cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
+ nontransmitted_profile,
+ nontransmitted_profile_len);
++ if (!nontransmitted_profile_len) {
++ nontransmitted_profile_len = 0;
++ kfree(nontransmitted_profile);
++ nontransmitted_profile = NULL;
++ }
+ }
+
+ crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter,
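Review bot: The assignment `nontransmitted_profile_len = 0;` inside the new `if (!nontransmitted_profile_len)` block is dead, since the condition already guarantees the variable is zero; dropping it leaves `kfree(nontransmitted_profile); nontransmitted_profile = NULL;`, which states exactly what the block does. The enclosing ieee802_11_parse_elems_crc body continues outside this hunk.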
+@@ -1512,7 +1517,7 @@ u32 ieee802_11_parse_elems_crc(const u8
+ offsetofend(struct ieee80211_bssid_index, dtim_count))
+ elems->dtim_count = elems->bssid_index->dtim_count;
+
+- kfree(nontransmitted_profile);
++ elems->nontx_profile = nontransmitted_profile;
+
+ return crc;
+ }
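Review bot: The final `elems->nontx_profile = nontransmitted_profile;` hands ownership of the scratch buffer to the caller, but nothing at the function documents it; the comment on ieee802_11_parse_elems_crc should state that when the non-tx BSSID argument is non-NULL the caller must kfree(elems->nontx_profile) after its last use of the elems, and that element pointers may point into that buffer. Because the hand-over happens only at the very end, any return path between the buffer's allocation and this line that is outside the hunk would leak it; the function starts outside the hunk, so this cannot be verified from the hunk alone.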