From: Greg Kroah-Hartman Date: Fri, 25 Mar 2022 14:03:18 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.309~24 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4658abc59f4faae4a24a061b51fb400e92c2dead;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: mac80211-fix-potential-double-free-on-mesh-join.patch --- diff --git a/queue-4.9/mac80211-fix-potential-double-free-on-mesh-join.patch b/queue-4.9/mac80211-fix-potential-double-free-on-mesh-join.patch new file mode 100644 index 00000000000..84cdc80c3de --- /dev/null +++ b/queue-4.9/mac80211-fix-potential-double-free-on-mesh-join.patch 
@@ -0,0 +1,83 @@ +From 4a2d4496e15ea5bb5c8e83b94ca8ca7fb045e7d3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Thu, 10 Mar 2022 19:35:13 +0100 +Subject: mac80211: fix potential double free on mesh join +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +commit 4a2d4496e15ea5bb5c8e83b94ca8ca7fb045e7d3 upstream. + +While commit 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving +mesh") fixed a memory leak on mesh leave / teardown it introduced a +potential memory corruption caused by a double free when rejoining the +mesh: + + ieee80211_leave_mesh() + -> kfree(sdata->u.mesh.ie); + ... + ieee80211_join_mesh() + -> copy_mesh_setup() + -> old_ie = ifmsh->ie; + -> kfree(old_ie); + +This double free / kernel panics can be reproduced by using wpa_supplicant +with an encrypted mesh (if set up without encryption via "iw" then +ifmsh->ie is always NULL, which avoids this issue). And then calling: + + $ iw dev mesh0 mesh leave + $ iw dev mesh0 mesh join my-mesh + +Note that typically these commands are not used / working when using +wpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going +through a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join +where the NETDEV_UP resets the mesh.ie to NULL via a memcpy of +default_mesh_setup in cfg80211_netdev_notifier_call, which then avoids +the memory corruption, too. + +The issue was first observed in an application which was not using +wpa_supplicant but "Senf" instead, which implements its own calls to +nl80211. + +Fixing the issue by removing the kfree()'ing of the mesh IE in the mesh +join function and leaving it solely up to the mesh leave to free the +mesh IE. 
+ +Cc: stable@vger.kernel.org +Fixes: 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving mesh") +Reported-by: Matthias Kretschmer +Signed-off-by: Linus Lüssing +Tested-by: Mathias Kretschmer +Link: https://lore.kernel.org/r/20220310183513.28589-1-linus.luessing@c0d3.blue +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1776,13 +1776,11 @@ static int copy_mesh_setup(struct ieee80 + const struct mesh_setup *setup) + { + u8 *new_ie; +- const u8 *old_ie; + struct ieee80211_sub_if_data *sdata = container_of(ifmsh, + struct ieee80211_sub_if_data, u.mesh); + + /* allocate information elements */ + new_ie = NULL; +- old_ie = ifmsh->ie; + + if (setup->ie_len) { + new_ie = kmemdup(setup->ie, setup->ie_len, +@@ -1792,7 +1790,6 @@ static int copy_mesh_setup(struct ieee80 + } + ifmsh->ie_len = setup->ie_len; + ifmsh->ie = new_ie; +- kfree(old_ie); + + /* now copy the rest of the setup parameters */ + ifmsh->mesh_id_len = setup->mesh_id_len; diff --git a/queue-4.9/series b/queue-4.9/series index 2309d428987..ebc21431d5c 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -11,3 +11,4 @@ acpi-x86-work-around-broken-xsdt-on-advantech-dac-bj01-board.patch acpi-battery-add-device-hid-and-quirk-for-microsoft-surface-go-3.patch acpi-video-force-backlight-native-for-clevo-nl5xru-and-nl5xnu.patch crypto-qat-disable-registration-of-algorithms.patch +mac80211-fix-potential-double-free-on-mesh-join.patch
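Review bot: dropping `kfree(old_ie)` from copy_mesh_setup() means the second hunk's `ifmsh->ie = new_ie;` now overwrites the previous pointer unconditionally, so this backport is only leak-free if the 4.9 tree already carries the backport of 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving mesh") named in the Fixes: tag; please confirm that commit is present in queue-4.9 before queuing, otherwise the mesh-leave leak that commit closed comes back. It would also help to state in the commit message that a stale IE on a join without an intervening leave is now deliberately left to ieee80211_leave_mesh(), since the whole fix is the removal of that kfree().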