wifi: cfg80211: avoid nontransmitted BSS list corruption

stable inclusion from stable-v5.10.148 commit b0e5c5deb7880be5b8a459d584e13e1f9879d307 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5VM77 CVE: CVE-2022-42721 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b0e5c5deb7880be5b8a459d584e13e1f9879d307 -------------------------------- commit bcca8520 upstream. If a non-transmitted BSS shares enough information (both SSID and BSSID!) with another non-transmitted BSS of a different AP, then we can find and update it, and then try to add it to the non-transmitted BSS list. We do a search for it on the transmitted BSS, but if it's not there (but belongs to another transmitted BSS), the list gets corrupted. Since this is an erroneous situation, simply fail the list insertion in this case and free the non-transmitted BSS. This fixes CVE-2022-42721. Reported-by: N Sönke Huster <shuster@seemoo.tu-darmstadt.de> Tested-by: N Sönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: N Johannes Berg <johannes.berg@intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Baisong Zhong <zhongbaisong@huawei.com> Reviewed-by: N Liu Jian <liujian56@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

wifi: cfg80211: avoid nontransmitted BSS list corruption
stable inclusion from stable-v5.10.148 commit b0e5c5deb7880be5b8a459d584e13e1f9879d307 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5VM77 CVE: CVE-2022-42721 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b0e5c5deb7880be5b8a459d584e13e1f9879d307 -------------------------------- commit bcca8520 upstream. If a non-transmitted BSS shares enough information (both SSID and BSSID!) with another non-transmitted BSS of a different AP, then we can find and update it, and then try to add it to the non-transmitted BSS list. We do a search for it on the transmitted BSS, but if it's not there (but belongs to another transmitted BSS), the list gets corrupted. Since this is an erroneous situation, simply fail the list insertion in this case and free the non-transmitted BSS. This fixes CVE-2022-42721. Reported-by: N Sönke Huster <shuster@seemoo.tu-darmstadt.de> Tested-by: N Sönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: N Johannes Berg <johannes.berg@intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Baisong Zhong <zhongbaisong@huawei.com> Reviewed-by: N Liu Jian <liujian56@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
3330164c · Johannes Berg · Zheng Zengkai · 014ed988 · 3330164c
显示空白变更内容
内联并排

Showing with 9 addition and 0 deletion

net/wireless/scan.c net/wireless/scan.c +9 -0

未找到文件。
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -423,6 +423,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
 	rcu_read_unlock();
+	/*
+	 * This is a bit weird - it's not on the list, but already on another
+	 * one! The only way that could happen is if there's some BSSID/SSID
+	 * shared by multiple APs in their multi-BSSID profiles, potentially
+	 * with hidden SSID mixed in ... ignore it.
+	 */
+	if (!list_empty(&nontrans_bss->nontrans_list))
+		return -EINVAL;
 	/* add to the list */
 	list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
 	return 0;