From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 18 Oct 2024 08:59:48 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v5.10.228~62
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5367e631a63c7296fab6436b5b7c67d301ac2e7b;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	wifi-mac80211-fix-potential-key-use-after-free.patch
---

diff --git a/queue-5.4/series b/queue-5.4/series
index 456c37abf93..644558096ef 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -357,3 +357,4 @@ tracing-kprobes-fix-symbol-counting-logic-by-looking-at-modules-as-well.patch
 pci-add-function-0-dma-alias-quirk-for-glenfly-arise-chip.patch
 fat-fix-uninitialized-variable.patch
 mm-swapfile-skip-hugetlb-pages-for-unuse_vma.patch
+wifi-mac80211-fix-potential-key-use-after-free.patch
diff --git a/queue-5.4/wifi-mac80211-fix-potential-key-use-after-free.patch b/queue-5.4/wifi-mac80211-fix-potential-key-use-after-free.patch
new file mode 100644
index 00000000000..9bf01b1e49a
--- /dev/null
+++ b/queue-5.4/wifi-mac80211-fix-potential-key-use-after-free.patch
@@ -0,0 +1,58 @@
+From 31db78a4923ef5e2008f2eed321811ca79e7f71b Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 19 Sep 2023 08:34:15 +0200
+Subject: wifi: mac80211: fix potential key use-after-free
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 31db78a4923ef5e2008f2eed321811ca79e7f71b upstream.
+
+When ieee80211_key_link() is called by ieee80211_gtk_rekey_add()
+but returns 0 due to KRACK protection (identical key reinstall),
+ieee80211_gtk_rekey_add() will still return a pointer into the
+key, in a potential use-after-free. This normally doesn't happen
+since it's only called by iwlwifi in case of WoWLAN rekey offload
+which has its own KRACK protection, but still better to fix, do
+that by returning an error code and converting that to success on
+the cfg80211 boundary only, leaving the error for bad callers of
+ieee80211_gtk_rekey_add().
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[ Sherry: bp to fix CVE-2023-52530, resolved minor conflicts in
+  net/mac80211/cfg.c because of context change due to missing commit
+  23a5f0af6ff4 ("wifi: mac80211: remove cipher scheme support")
+  ccdde7c74ffd ("wifi: mac80211: properly implement MLO key handling")]
+Signed-off-by: Sherry Yang <sherry.yang@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c |    3 +++
+ net/mac80211/key.c |    2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -491,6 +491,9 @@ static int ieee80211_add_key(struct wiph
+ 		sta->cipher_scheme = cs;
+ 
+ 	err = ieee80211_key_link(key, sdata, sta);
++	/* KRACK protection, shouldn't happen but just silently accept key */
++	if (err == -EALREADY)
++		err = 0;
+ 
+  out_unlock:
+ 	mutex_unlock(&local->sta_mtx);
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -808,7 +808,7 @@ int ieee80211_key_link(struct ieee80211_
+ 	 */
+ 	if (ieee80211_key_identical(sdata, old_key, key)) {
+ 		ieee80211_key_free_unused(key);
+-		ret = 0;
++		ret = -EALREADY;
+ 		goto out;
+ 	}
+