This is a note to let you know that I've just added the patch titled
wifi: mac80211: Fix UAF in ieee80211_scan_rx()
to the 5.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
wifi-mac80211-fix-uaf-in-ieee80211_scan_rx.patch
and it can be found in the queue-5.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 53151d8d30a93d142a784d488c6e95bcb7df6aa3
Author: Siddh Raman Pant <code@xxxxxxxx>
Date: Sat Aug 20 01:33:40 2022 +0530
wifi: mac80211: Fix UAF in ieee80211_scan_rx()
[ Upstream commit 60deb9f10eec5c6a20252ed36238b55d8b614a2c ]
ieee80211_scan_rx() tries to access scan_req->flags after a
null check, but a UAF is observed when the scan is completed
and __ieee80211_scan_completed() executes, which then calls
cfg80211_scan_done() leading to the freeing of scan_req.
Since scan_req is rcu_dereference()'d, prevent the racing in
__ieee80211_scan_completed() by ensuring that from mac80211's
POV it is no longer accessed from an RCU read critical section
before we call cfg80211_scan_done().
Cc: stable@xxxxxxxxxxxxxxx
Link: https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d
Reported-by: syzbot+f9acff9bf08a845f225d@xxxxxxxxxxxxxxxxxxxxxxxxx
Suggested-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
Signed-off-by: Siddh Raman Pant <code@xxxxxxxx>
Link: https://lore.kernel.org/r/20220819200340.34826-1-code@xxxxxxxx
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index 344b2c22e75b..c353162e81ae 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -431,10 +431,6 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted)
scan_req = rcu_dereference_protected(local->scan_req,
lockdep_is_held(&local->mtx));
- if (scan_req != local->int_scan_req) {
- local->scan_info.aborted = aborted;
- cfg80211_scan_done(scan_req, &local->scan_info);
- }
RCU_INIT_POINTER(local->scan_req, NULL);
scan_sdata = rcu_dereference_protected(local->scan_sdata,
@@ -444,6 +440,13 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted)
local->scanning = 0;
local->scan_chandef.chan = NULL;
+ synchronize_rcu();
+
+ if (scan_req != local->int_scan_req) {
+ local->scan_info.aborted = aborted;
+ cfg80211_scan_done(scan_req, &local->scan_info);
+ }
+
/* Set power back to normal operating levels. */
ieee80211_hw_config(local, 0);
