From 3e24af975546552b17c8856ccfd6b5542d1f6e8d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 18 Oct 2024 11:00:06 +0200 Subject: [PATCH] 5.10-stable patches added patches: wifi-mac80211-fix-potential-key-use-after-free.patch --- queue-5.10/series | 1 + ...211-fix-potential-key-use-after-free.patch | 58 +++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 queue-5.10/wifi-mac80211-fix-potential-key-use-after-free.patch diff --git a/queue-5.10/series b/queue-5.10/series index 8910beed593..93204367556 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -7,3 +7,4 @@ net-macb-avoid-20s-boot-delay-by-skipping-mdio-bus-registration-for-fixed-link-p irqchip-gic-v3-its-fix-vsync-referencing-an-unmapped-vpe-on-gic-v4.1.patch fat-fix-uninitialized-variable.patch mm-swapfile-skip-hugetlb-pages-for-unuse_vma.patch +wifi-mac80211-fix-potential-key-use-after-free.patch diff --git a/queue-5.10/wifi-mac80211-fix-potential-key-use-after-free.patch b/queue-5.10/wifi-mac80211-fix-potential-key-use-after-free.patch new file mode 100644 index 00000000000..bedfa4b20db --- /dev/null +++ b/queue-5.10/wifi-mac80211-fix-potential-key-use-after-free.patch @@ -0,0 +1,58 @@ +From 31db78a4923ef5e2008f2eed321811ca79e7f71b Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 19 Sep 2023 08:34:15 +0200 +Subject: wifi: mac80211: fix potential key use-after-free + +From: Johannes Berg + +commit 31db78a4923ef5e2008f2eed321811ca79e7f71b upstream. + +When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() +but returns 0 due to KRACK protection (identical key reinstall), +ieee80211_gtk_rekey_add() will still return a pointer into the +key, in a potential use-after-free. This normally doesn't happen +since it's only called by iwlwifi in case of WoWLAN rekey offload +which has its own KRACK protection, but still better to fix, do +that by returning an error code and converting that to success on +the cfg80211 boundary only, leaving the error for bad callers of +ieee80211_gtk_rekey_add(). + +Reported-by: Dan Carpenter +Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +[ Sherry: bp to fix CVE-2023-52530, resolved minor conflicts in + net/mac80211/cfg.c because of context change due to missing commit + 23a5f0af6ff4 ("wifi: mac80211: remove cipher scheme support") + ccdde7c74ffd ("wifi: mac80211: properly implement MLO key handling")] +Signed-off-by: Sherry Yang +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 3 +++ + net/mac80211/key.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -509,6 +509,9 @@ static int ieee80211_add_key(struct wiph + sta->cipher_scheme = cs; + + err = ieee80211_key_link(key, sdata, sta); ++ /* KRACK protection, shouldn't happen but just silently accept key */ ++ if (err == -EALREADY) ++ err = 0; + + out_unlock: + mutex_unlock(&local->sta_mtx); +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -843,7 +843,7 @@ int ieee80211_key_link(struct ieee80211_ + */ + if (ieee80211_key_identical(sdata, old_key, key)) { + ieee80211_key_free_unused(key); +- ret = 0; ++ ret = -EALREADY; + goto out; + } + -- 2.47.3