From: Greg Kroah-Hartman Date: Sat, 15 Oct 2022 15:27:35 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.219~195 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e0d0afc46cd7662d73b70a19089156fea2ebd512;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: mac80211-mlme-find-auth-challenge-directly.patch wifi-mac80211-don-t-parse-mbssid-in-assoc-response.patch wifi-mac80211-fix-mbssid-parsing-use-after-free.patch
---
diff --git a/queue-5.10/mac80211-mlme-find-auth-challenge-directly.patch b/queue-5.10/mac80211-mlme-find-auth-challenge-directly.patch
new file mode 100644
index 00000000000..226547dea6c
--- /dev/null
+++ b/queue-5.10/mac80211-mlme-find-auth-challenge-directly.patch
@@ -0,0 +1,86 @@
+From foo@baz Sat Oct 15 05:26:34 PM CEST 2022
+From: Johannes Berg
+Date: Fri, 14 Oct 2022 18:41:48 +0200
+Subject: mac80211: mlme: find auth challenge directly
+To: linux-wireless@vger.kernel.org, stable@vger.kernel.org
+Cc: Felix Fietkau , Thadeu Lima de Souza Cascardo , Marcus Meissner , Jiri Kosina , Johannes Berg
+Message-ID: <20221014164150.24310-2-johannes@sipsolutions.net>
+
+From: Johannes Berg
+
+There's no need to parse all elements etc. just to find the
+authentication challenge - use cfg80211_find_elem() instead.
+This also allows us to remove WLAN_EID_CHALLENGE handling
+from the element parsing entirely.
+
+Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/ieee80211_i.h | 2 --
+ net/mac80211/mlme.c | 11 ++++++-----
+ net/mac80211/util.c | 4 ----
+ 3 files changed, 6 insertions(+), 11 deletions(-)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1485,7 +1485,6 @@ struct ieee802_11_elems {
+ const u8 *supp_rates;
+ const u8 *ds_params;
+ const struct ieee80211_tim_ie *tim;
+- const u8 *challenge;
+ const u8 *rsn;
+ const u8 *rsnx;
+ const u8 *erp_info;
+@@ -1538,7 +1537,6 @@ struct ieee802_11_elems {
+ u8 ssid_len;
+ u8 supp_rates_len;
+ u8 tim_len;
+- u8 challenge_len;
+ u8 rsn_len;
+ u8 rsnx_len;
+ u8 ext_supp_rates_len;
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2899,14 +2899,14 @@ static void ieee80211_auth_challenge(str
+ {
+ struct ieee80211_local *local = sdata->local;
+ struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
++ const struct element *challenge;
+ u8 *pos;
+- struct ieee802_11_elems elems;
+ u32 tx_flags = 0;
+
+ pos = mgmt->u.auth.variable;
+- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
+- mgmt->bssid, auth_data->bss->bssid);
+- if (!elems.challenge)
++ challenge = 
cfg80211_find_elem(WLAN_EID_CHALLENGE, pos,
++ len - (pos - (u8 *)mgmt));
++ if (!challenge)
+ return;
+ auth_data->expected_transaction = 4;
+ drv_mgd_prepare_tx(sdata->local, sdata, 0);
+@@ -2914,7 +2914,8 @@ static void ieee80211_auth_challenge(str
+ tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
+ IEEE80211_TX_INTFL_MLME_CONN_TX;
+ ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
+- elems.challenge - 2, elems.challenge_len + 2,
++ (void *)challenge,
++ challenge->datalen + sizeof(*challenge),
+ auth_data->bss->bssid, auth_data->bss->bssid,
+ auth_data->key, auth_data->key_len,
+ auth_data->key_idx, tx_flags);
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1124,10 +1124,6 @@ _ieee802_11_parse_elems_crc(const u8 *st
+ } else
+ elem_parse_failed = true;
+ break;
+- case WLAN_EID_CHALLENGE:
+- elems->challenge = pos;
+- elems->challenge_len = elen;
+- break;
+ case WLAN_EID_VENDOR_SPECIFIC:
+ if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
+ pos[2] == 0xf2) {
diff --git a/queue-5.10/series b/queue-5.10/series
index 6338472dbbf..87c2e912b65 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -1 +1,4 @@
 revert-fs-check-fmode_lseek-to-control-internal-pipe.patch
+mac80211-mlme-find-auth-challenge-directly.patch
+wifi-mac80211-don-t-parse-mbssid-in-assoc-response.patch
+wifi-mac80211-fix-mbssid-parsing-use-after-free.patch
diff --git a/queue-5.10/wifi-mac80211-don-t-parse-mbssid-in-assoc-response.patch b/queue-5.10/wifi-mac80211-don-t-parse-mbssid-in-assoc-response.patch
new file mode 100644
index 00000000000..3ad001b2326
--- /dev/null
+++ b/queue-5.10/wifi-mac80211-don-t-parse-mbssid-in-assoc-response.patch
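Review bot: The `(void *)challenge` cast in the new ieee80211_send_auth() call discards the const qualifier on the pointer cfg80211_find_elem() returns, whereas the replaced `elems.challenge - 2` argument was a const byte pointer; `(const u8 *)challenge` expresses the same thing without casting away const. The new length `challenge->datalen + sizeof(*challenge)` is safe only as long as cfg80211_find_elem() returns just elements that fit inside the `len - (pos - (u8 *)mgmt)` it is given, which I take to be the helper's contract but cannot see here; the caller is presumably also the place that rejects frames shorter than the fixed auth header, since that subtraction would otherwise wrap. ieee80211_auth_challenge() begins and ends outside this hunk.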
@@ -0,0 +1,40 @@
+From foo@baz Sat Oct 15 05:26:34 PM CEST 2022
+From: Johannes Berg
+Date: Fri, 14 Oct 2022 18:41:49 +0200
+Subject: wifi: mac80211: don't parse mbssid in assoc response
+To: linux-wireless@vger.kernel.org, stable@vger.kernel.org
+Cc: Felix Fietkau , Thadeu Lima de Souza Cascardo , Marcus Meissner , Jiri Kosina , Johannes Berg
+Message-ID: <20221014184133.c1c3a823db3d.I6c0186979a2872e7f7da75f9f8f93b07046afcf2@changeid>
+
+From: Johannes Berg
+
+This is simply not valid and simplifies the next commit.
+I'll make a separate patch for this in the current main
+tree as well.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/mlme.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -3300,7 +3300,7 @@ static bool ieee80211_assoc_success(stru
+ }
+ capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
+ ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems,
+- mgmt->bssid, assoc_data->bss->bssid);
++ mgmt->bssid, NULL);
+
+ if (elems->aid_resp)
+ aid = le16_to_cpu(elems->aid_resp->aid);
+@@ -3708,7 +3708,7 @@ static void ieee80211_rx_mgmt_assoc_resp
+ return;
+
+ ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
+- mgmt->bssid, assoc_data->bss->bssid);
++ mgmt->bssid, NULL);
+
+ if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
+ elems.timeout_int &&
diff --git a/queue-5.10/wifi-mac80211-fix-mbssid-parsing-use-after-free.patch b/queue-5.10/wifi-mac80211-fix-mbssid-parsing-use-after-free.patch
new file mode 100644
index 00000000000..049951cd94e
--- /dev/null
+++ b/queue-5.10/wifi-mac80211-fix-mbssid-parsing-use-after-free.patch
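Review bot: The two new `mgmt->bssid, NULL` arguments carry no explanation at the call sites, and a reader who sees the beacon paths pass `assoc_data->bss->bssid` in the same position will be tempted to "fix" these back. Put the reason in the code, e.g. `/* no non-tx BSSID: a Multiple BSSID element is not valid in a (Re)Association Response */` above each ieee802_11_parse_elems() call. According to the description of the accompanying use-after-free fix, a NULL last argument is also what keeps the parser from allocating a non-transmitted profile that these functions would then have to free on their early returns, so the comment should mention that invariant as well. Both ieee80211_assoc_success() and ieee80211_rx_mgmt_assoc_resp() begin and end outside this hunk.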
@@ -0,0 +1,125 @@
+From foo@baz Sat Oct 15 05:26:34 PM CEST 2022
+From: Johannes Berg
+Date: Fri, 14 Oct 2022 18:41:50 +0200
+Subject: wifi: mac80211: fix MBSSID parsing use-after-free
+To: linux-wireless@vger.kernel.org, stable@vger.kernel.org
+Cc: Felix Fietkau , Thadeu Lima de Souza Cascardo , Marcus Meissner , Jiri Kosina , Johannes Berg , Ilan Peer , Kees Cook
+Message-ID: <20221014184133.bbea30b40ae3.I4691a91b83e1325524f786a638e853ccb49c2443@changeid>
+
+From: Johannes Berg
+
+Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream.
+This is a different version of the commit, changed to store
+the non-transmitted profile in the elems, and freeing it in
+the few places where it's relevant, since that is only the
+case when the last argument for parsing (the non-tx BSSID)
+is non-NULL.
+
+When we parse a multi-BSSID element, we might point some
+element pointers into the allocated nontransmitted_profile.
+However, we free this before returning, causing UAF when the
+relevant pointers in the parsed elements are accessed.
+
+Fix this by not allocating the scratch buffer separately but
+as part of the returned structure instead, that way, there
+are no lifetime issues with it.
+
+The scratch buffer introduction as part of the returned data
+here is taken from MLO feature work done by Ilan.
+
+This fixes CVE-2022-42719. 
+
+Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
+Co-developed-by: Ilan Peer
+Signed-off-by: Ilan Peer
+Reviewed-by: Kees Cook
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/ieee80211_i.h | 2 ++
+ net/mac80211/mlme.c | 6 +++++-
+ net/mac80211/scan.c | 2 ++
+ net/mac80211/util.c | 7 ++++++-
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1551,6 +1551,8 @@ struct ieee802_11_elems {
+ u8 country_elem_len;
+ u8 bssid_index_len;
+
++ void *nontx_profile;
++
+ /* whether a parse error occurred while retrieving these elements */
+ bool parse_error;
+ };
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -3394,6 +3394,7 @@ static bool ieee80211_assoc_success(stru
+ sdata_info(sdata,
+ "AP bug: VHT operation missing from AssocResp\n");
+ }
++ kfree(bss_elems.nontx_profile);
+ }
+
+ /*
+@@ -4045,6 +4046,7 @@ static void ieee80211_rx_mgmt_beacon(str
+ ifmgd->assoc_data->timeout = jiffies;
+ ifmgd->assoc_data->timeout_started = true;
+ run_again(sdata, ifmgd->assoc_data->timeout);
++ kfree(elems.nontx_profile);
+ return;
+ }
+
+@@ -4222,7 +4224,7 @@ static void ieee80211_rx_mgmt_beacon(str
+ ieee80211_report_disconnect(sdata, deauth_buf,
+ sizeof(deauth_buf), true,
+ WLAN_REASON_DEAUTH_LEAVING);
+- return;
++ goto free;
+ }
+
+ if (sta && elems.opmode_notif)
+@@ -4237,6 +4239,8 @@ static void ieee80211_rx_mgmt_beacon(str
+ elems.cisco_dtpc_elem);
+
+ ieee80211_bss_info_change_notify(sdata, changed);
++free:
++ kfree(elems.nontx_profile);
+ }
+
+ void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -227,6 +227,8 @@ ieee80211_bss_info_update(struct ieee802
+ rx_status, beacon);
+ }
+
++ kfree(elems.nontx_profile);
++
+ return bss;
+ }
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1483,6 +1483,11 @@ u32 ieee802_11_parse_elems_crc(const u8
+ 
cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
+ nontransmitted_profile,
+ nontransmitted_profile_len);
++ if (!nontransmitted_profile_len) {
++ nontransmitted_profile_len = 0;
++ kfree(nontransmitted_profile);
++ nontransmitted_profile = NULL;
++ }
+ }
+
+ crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter,
+@@ -1512,7 +1517,7 @@ u32 ieee802_11_parse_elems_crc(const u8
+ offsetofend(struct ieee80211_bssid_index, dtim_count))
+ elems->dtim_count = elems->bssid_index->dtim_count;
+
+- kfree(nontransmitted_profile);
++ elems->nontx_profile = nontransmitted_profile;
+
+ return crc;
+ }
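Review bot: In the ieee80211_assoc_success() hunk, `kfree(bss_elems.nontx_profile)` sits directly after the "AP bug: ... missing from AssocResp" fallbacks, which by the visible message and the function's purpose appear to copy element pointers out of `bss_elems` into `elems`; if ieee802_11_find_bssid_profile() can ever extract a profile from the stored beacon IEs of the BSS being joined (not visible here), those copied pointers now reference the buffer just freed while `elems` is still used for the rest of the function, so the backport would keep a use-after-free on exactly the MBSSID path it is meant to close. Make the lifetime unconditional instead of relying on that invariant: declare `void *bss_nontx_profile = NULL;` at function scope, replace this kfree with `bss_nontx_profile = bss_elems.nontx_profile;`, and `kfree(bss_nontx_profile);` on every return after this block. The new `void *nontx_profile;` field carries no ownership note; add `/* set when the non-tx BSSID argument was non-NULL; caller must kfree() it once done with the element pointers */` so callers such as the beacon handler, whose early returns between its second parse and the `free:` label are not visible in this hunk, are reminded that every exit must free it. The `nontransmitted_profile_len = 0;` inside `if (!nontransmitted_profile_len)` in util.c is a no-op and can be dropped. All four touched functions begin and end outside this hunk.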