On Thu, Oct 13, 2022 at 07:52:15PM +0200, Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@xxxxxxxxx>
>
> Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream.
>
> When we parse a multi-BSSID element, we might point some
> element pointers into the allocated nontransmitted_profile.
> However, we free this before returning, causing UAF when the
> relevant pointers in the parsed elements are accessed.
>
> Fix this by not allocating the scratch buffer separately but
> as part of the returned structure instead, that way, there
> are no lifetime issues with it.
>
> The scratch buffer introduction as part of the returned data
> here is taken from MLO feature work done by Ilan.
>
> This fixes CVE-2022-42719.
>
> Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
> Co-developed-by: Ilan Peer <ilan.peer@xxxxxxxxx>
> Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx>
> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
> ---
>  net/mac80211/ieee80211_i.h |  8 ++++++++
>  net/mac80211/util.c        | 30 +++++++++++++++--------------
>  2 files changed, 23 insertions(+), 15 deletions(-)

Thanks, my attempt was almost the same as yours, except for one whitespace
difference. I've taken yours as a replacement now.

greg k-h
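The lifetime bug the commit message describes, and the shape of the fix, as an added illustration in plain C. This is not mac80211's code and none of the names below (ID_PROFILE, join_profile, elems_buggy, elems_fixed, sample_ies) exist in the kernel; the element format is a made-up TLV layout chosen only to reproduce the pattern: a profile split across several elements is joined into a scratch buffer, the parsed result holds pointers into that scratch, and in the "before" variant the scratch is freed before the result is returned. The "after" variant places the scratch at the end of the returned allocation, so the pointers and the bytes they reference share one lifetime.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical, simplified model of the bug pattern (not mac80211's code or
 * structures). Elements are TLVs: [id][len][payload...]. ID_PROFILE carries a
 * piece of a "nontransmitted profile" that may be split across several
 * elements; the pieces are joined in a scratch buffer and parsed as a nested
 * TLV list. ID_SSID lives in that nested list, so the SSID pointer ends up
 * pointing into the scratch buffer, whatever its lifetime is.
 */
enum { ID_SSID = 0, ID_PROFILE = 1 };

/* Find the payload of the first element with the given id, or NULL. */
static const uint8_t *find_elem(const uint8_t *buf, size_t len, uint8_t id,
                                size_t *out_len)
{
    size_t pos = 0;
    while (pos + 2 <= len) {
        uint8_t eid = buf[pos], elen = buf[pos + 1];
        if (pos + 2 + elen > len)
            return NULL;            /* truncated element: stop parsing */
        if (eid == id) {
            *out_len = elen;
            return buf + pos + 2;
        }
        pos += 2 + elen;
    }
    return NULL;
}

/* Concatenate the payloads of all ID_PROFILE elements into dst (size >= len). */
static size_t join_profile(const uint8_t *buf, size_t len, uint8_t *dst)
{
    size_t pos = 0, out = 0;
    while (pos + 2 <= len) {
        uint8_t eid = buf[pos], elen = buf[pos + 1];
        if (pos + 2 + elen > len)
            break;
        if (eid == ID_PROFILE) {
            memcpy(dst + out, buf + pos + 2, elen);
            out += elen;
        }
        pos += 2 + elen;
    }
    return out;
}

/* --- Before: scratch allocated separately and freed before return --- */
struct elems_buggy {
    const uint8_t *ssid;    /* ends up pointing into freed memory */
    size_t ssid_len;
};

struct elems_buggy *parse_buggy(const uint8_t *ies, size_t len)
{
    struct elems_buggy *e = calloc(1, sizeof(*e));
    uint8_t *scratch = malloc(len ? len : 1);
    if (!e || !scratch) { free(e); free(scratch); return NULL; }
    size_t n = join_profile(ies, len, scratch);
    e->ssid = find_elem(scratch, n, ID_SSID, &e->ssid_len);
    free(scratch);          /* BUG: e->ssid now dangles; any use is a UAF */
    return e;
}

/* --- After: scratch is part of the returned allocation --- */
struct elems_fixed {
    const uint8_t *ssid;
    size_t ssid_len;
    size_t scratch_len;
    uint8_t scratch[];      /* same lifetime as the pointers into it */
};

struct elems_fixed *parse_fixed(const uint8_t *ies, size_t len)
{
    struct elems_fixed *e = calloc(1, sizeof(*e) + len);
    if (!e)
        return NULL;
    e->scratch_len = join_profile(ies, len, e->scratch);
    e->ssid = find_elem(e->scratch, e->scratch_len, ID_SSID, &e->ssid_len);
    return e;               /* one free() by the caller releases everything */
}

/* 1 if p points inside e's own scratch area, 0 otherwise. */
int ptr_in_scratch(const struct elems_fixed *e, const uint8_t *p)
{
    return p >= e->scratch && p < e->scratch + e->scratch_len;
}

/* Constructed input: the nested SSID element "abcd" split across two fragments. */
static const uint8_t sample_ies[] = {
    ID_PROFILE, 4, ID_SSID, 4, 'a', 'b',   /* nested element header + first half */
    ID_PROFILE, 2, 'c', 'd',               /* second half */
};

/* Parse the sample with the fixed variant; 1 if the SSID equals `expected`
 * and its pointer lies inside the result's own scratch, else 0. */
int sample_ssid_is(const char *expected)
{
    struct elems_fixed *e = parse_fixed(sample_ies, sizeof(sample_ies));
    int ok = e && e->ssid && ptr_in_scratch(e, e->ssid) &&
             e->ssid_len == strlen(expected) &&
             memcmp(e->ssid, expected, e->ssid_len) == 0;
    free(e);
    return ok;
}
```

The "before" variant is kept only to show the shape of the bug; calling it and then reading `e->ssid` is undefined behaviour, which is exactly why the example does not exercise it. Under KASAN the read in the kernel's real parse path would be reported as a use-after-free at the moment the dangling element pointer is dereferenced; in the fixed layout the same pointer is valid until the caller frees the parsed result.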