db0e51edc26772643035f6a2ea74ae567a3690b4
[openwrt/openwrt.git] /
1 From: Johannes Berg <johannes.berg@intel.com>
2 Date: Sat, 1 Oct 2022 00:01:44 +0200
3 Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list
4 corruption
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
10
11 If a non-transmitted BSS shares enough information (both
12 SSID and BSSID!) with another non-transmitted BSS of a
13 different AP, then we can find and update it, and then
14 try to add it to the non-transmitted BSS list. We do a
15 search for it on the transmitted BSS, but if it's not
16 there (but belongs to another transmitted BSS), the list
17 gets corrupted.
18
19 Since this is an erroneous situation, simply fail the
20 list insertion in this case and free the non-transmitted
21 BSS.
22
23 This fixes CVE-2022-42721.
24
25 Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
26 Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
27 Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
28 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
29 ---
30
31 --- a/net/wireless/scan.c
32 +++ b/net/wireless/scan.c
33 @@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg802
34
35 rcu_read_unlock();
36
37 + /*
38 + * This is a bit weird - it's not on the list, but already on another
39 + * one! The only way that could happen is if there's some BSSID/SSID
40 + * shared by multiple APs in their multi-BSSID profiles, potentially
41 + * with hidden SSID mixed in ... ignore it.
42 + */
43 + if (!list_empty(&nontrans_bss->nontrans_list))
44 + return -EINVAL;
45 +
46 /* add to the list */
47 list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
48 return 0;