mirror of
https://github.com/coolsnowwolf/lede.git
synced 2025-04-16 04:13:31 +00:00
d05fbef769
* mac80211: backport security fixes
This mainly affects scanning and beacon parsing, especially with MBSSID enabled
Fixes: CVE-2022-41674
Fixes: CVE-2022-42719
Fixes: CVE-2022-42720
Fixes: CVE-2022-42721
Fixes: CVE-2022-42722
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 26f400210d6b3780fcc0deb89b9741837df9c8b8)
* mac80211: refresh patches
355-wifi-cfg80211-fix-BSS-refcounting-bugs.patch - 5a52384a51
Co-authored-by: Felix Fietkau <nbd@nbd.name>
Co-authored-by: 1054009064 <1054009064@users.noreply.github.com>
91 lines
3.0 KiB
Diff
91 lines
3.0 KiB
Diff
From: Johannes Berg <johannes.berg@intel.com>
|
|
Date: Fri, 30 Sep 2022 23:44:23 +0200
|
|
Subject: [PATCH] wifi: cfg80211: fix BSS refcounting bugs
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream.
|
|
|
|
There are multiple refcounting bugs related to multi-BSSID:
|
|
- In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
|
|
the bss pointer is overwritten before checking for the
|
|
transmitted BSS, which is clearly wrong. Fix this by using
|
|
the bss_from_pub() macro.
|
|
|
|
- In cfg80211_bss_update() we copy the transmitted_bss pointer
|
|
from tmp into new, but then if we release new, we'll unref
|
|
it erroneously. We already set the pointer and ref it, but
|
|
need to NULL it since it was copied from the tmp data.
|
|
|
|
- In cfg80211_inform_single_bss_data(), if adding to the non-
|
|
transmitted list fails, we unlink the BSS and yet still we
|
|
return it, but this results in returning an entry without
|
|
a reference. We shouldn't return it anyway if it was broken
|
|
enough to not get added there.
|
|
|
|
This fixes CVE-2022-42720.
|
|
|
|
Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
|
|
Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
|
|
Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS")
|
|
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
---
|
|
|
|
--- a/net/wireless/scan.c
|
|
+++ b/net/wireless/scan.c
|
|
@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cf
|
|
lockdep_assert_held(&rdev->bss_lock);
|
|
|
|
bss->refcount++;
|
|
- if (bss->pub.hidden_beacon_bss) {
|
|
- bss = container_of(bss->pub.hidden_beacon_bss,
|
|
- struct cfg80211_internal_bss,
|
|
- pub);
|
|
- bss->refcount++;
|
|
- }
|
|
- if (bss->pub.transmitted_bss) {
|
|
- bss = container_of(bss->pub.transmitted_bss,
|
|
- struct cfg80211_internal_bss,
|
|
- pub);
|
|
- bss->refcount++;
|
|
- }
|
|
+
|
|
+ if (bss->pub.hidden_beacon_bss)
|
|
+ bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++;
|
|
+
|
|
+ if (bss->pub.transmitted_bss)
|
|
+ bss_from_pub(bss->pub.transmitted_bss)->refcount++;
|
|
}
|
|
|
|
static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
|
|
@@ -1736,6 +1730,8 @@ cfg80211_bss_update(struct cfg80211_regi
|
|
new->refcount = 1;
|
|
INIT_LIST_HEAD(&new->hidden_list);
|
|
INIT_LIST_HEAD(&new->pub.nontrans_list);
|
|
+ /* we'll set this later if it was non-NULL */
|
|
+ new->pub.transmitted_bss = NULL;
|
|
|
|
if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
|
|
hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
|
|
@@ -1973,11 +1969,18 @@ cfg80211_inform_single_bss_data(struct w
|
|
/* this is a nontransmitting bss, we need to add it to
|
|
* transmitting bss' list if it is not there
|
|
*/
|
|
+ spin_lock_bh(&rdev->bss_lock);
|
|
if (cfg80211_add_nontrans_list(non_tx_data->tx_bss,
|
|
&res->pub)) {
|
|
- if (__cfg80211_unlink_bss(rdev, res))
|
|
+ if (__cfg80211_unlink_bss(rdev, res)) {
|
|
rdev->bss_generation++;
|
|
+ res = NULL;
|
|
+ }
|
|
}
|
|
+ spin_unlock_bh(&rdev->bss_lock);
|
|
+
|
|
+ if (!res)
|
|
+ return NULL;
|
|
}
|
|
|
|
trace_cfg80211_return_bss(&res->pub);
|