This is a note to let you know that I've just added the patch titled
wifi: mac80211: fix crash in beacon protection for P2P-device
to the 6.0-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
wifi-mac80211-fix-crash-in-beacon-protection-for-p2p-device.patch
and it can be found in the queue-6.0 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From b2d03cabe2b2e150ff5a381731ea0355459be09f Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@xxxxxxxxx>
Date: Wed, 5 Oct 2022 21:24:10 +0200
Subject: wifi: mac80211: fix crash in beacon protection for P2P-device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Johannes Berg <johannes.berg@xxxxxxxxx>
commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
If beacon protection is active but the beacon cannot be
decrypted or is otherwise malformed, we call the cfg80211
API to report this to userspace, but that uses a netdev
pointer, which isn't present for P2P-Device. Fix this to
call it only conditionally to ensure cfg80211 won't crash
in the case of P2P-Device.
This fixes CVE-2022-42722.
Reported-by: Sönke Huster <shuster@xxxxxxxxxxxxxxxxxxxxxx>
Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/mac80211/rx.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1967,10 +1967,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_
if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
- NUM_DEFAULT_BEACON_KEYS) {
- cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
- skb->data,
- skb->len);
+ NUM_DEFAULT_BEACON_KEYS) {
+ if (rx->sdata->dev)
+ cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
+ skb->data,
+ skb->len);
return RX_DROP_MONITOR; /* unexpected BIP keyidx */
}
@@ -2121,7 +2122,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_
/* either the frame has been decrypted or will be dropped */
status->flag |= RX_FLAG_DECRYPTED;
- if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
+ if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
+ rx->sdata->dev))
cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
skb->data, skb->len);
Patches currently in stable-queue which might be from johannes.berg@xxxxxxxxx are
queue-6.0/wifi-mac80211-fix-crash-in-beacon-protection-for-p2p-device.patch
queue-6.0/wifi-cfg80211-avoid-nontransmitted-bss-list-corruption.patch
queue-6.0/wifi-cfg80211-mac80211-reject-bad-mbssid-elements.patch
queue-6.0/wifi-mac80211-fix-mbssid-parsing-use-after-free.patch
queue-6.0/wifi-cfg80211-ensure-length-byte-is-present-before-access.patch
queue-6.0/wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-rate.patch
queue-6.0/wifi-cfg80211-update-hidden-bsses-to-avoid-warn_on.patch
queue-6.0/wifi-cfg80211-fix-bss-refcounting-bugs.patch
queue-6.0/wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_notlisted_nontrans.patch
