This is a note to let you know that I've just added the patch titled
wifi: cfg80211: avoid nontransmitted BSS list corruption
to the 5.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
wifi-cfg80211-avoid-nontransmitted-bss-list-corruption.patch
and it can be found in the queue-5.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From bcca852027e5878aec911a347407ecc88d6fff7f Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@xxxxxxxxx>
Date: Sat, 1 Oct 2022 00:01:44 +0200
Subject: wifi: cfg80211: avoid nontransmitted BSS list corruption
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Johannes Berg <johannes.berg@xxxxxxxxx>
commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
If a non-transmitted BSS shares enough information (both
SSID and BSSID!) with another non-transmitted BSS of a
different AP, then we can find and update it, and then
try to add it to the non-transmitted BSS list. We do a
search for it on the transmitted BSS, but if it's not
there (but belongs to another transmitted BSS), the list
gets corrupted.
Since this is an erroneous situation, simply fail the
list insertion in this case and free the non-transmitted
BSS.
This fixes CVE-2022-42721.
Reported-by: Sönke Huster <shuster@xxxxxxxxxxxxxxxxxxxxxx>
Tested-by: Sönke Huster <shuster@xxxxxxxxxxxxxxxxxxxxxx>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/wireless/scan.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -386,6 +386,15 @@ cfg80211_add_nontrans_list(struct cfg802
rcu_read_unlock();
+ /*
+ * This is a bit weird - it's not on the list, but already on another
+ * one! The only way that could happen is if there's some BSSID/SSID
+ * shared by multiple APs in their multi-BSSID profiles, potentially
+ * with hidden SSID mixed in ... ignore it.
+ */
+ if (!list_empty(&nontrans_bss->nontrans_list))
+ return -EINVAL;
+
/* add to the list */
list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
return 0;
Patches currently in stable-queue which might be from johannes.berg@xxxxxxxxx are
queue-5.4/wifi-cfg80211-avoid-nontransmitted-bss-list-corruption.patch
queue-5.4/wifi-cfg80211-mac80211-reject-bad-mbssid-elements.patch
queue-5.4/wifi-cfg80211-ensure-length-byte-is-present-before-access.patch
queue-5.4/wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-rate.patch
queue-5.4/wifi-cfg80211-update-hidden-bsses-to-avoid-warn_on.patch
queue-5.4/wifi-cfg80211-fix-bss-refcounting-bugs.patch
queue-5.4/wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_notlisted_nontrans.patch
