wifi: cfg80211: fix BSS refcounting bugs

stable inclusion from stable-v5.10.148 commit 6b944845031356f3e0c0f6695f9252a8ddc8b02f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5VM7D?from=project-issue CVE: CVE-2022-42720 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6b944845031356f3e0c0f6695f9252a8ddc8b02f -------------------------------- commit 0b780881 upstream. There are multiple refcounting bugs related to multi-BSSID: - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro. - In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data. - In cfg80211_inform_single_bss_data(), if adding to the non- transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there. This fixes CVE-2022-42720. Reported-by: N Sönke Huster <shuster@seemoo.tu-darmstadt.de> Tested-by: N Sönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: a3584f56 ("cfg80211: Properly track transmitting and non-transmitting BSS") Signed-off-by: N Johannes Berg <johannes.berg@intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Ziyang Xuan <william.xuanziyang@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

wifi: cfg80211: fix BSS refcounting bugs
stable inclusion from stable-v5.10.148 commit 6b944845031356f3e0c0f6695f9252a8ddc8b02f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5VM7D?from=project-issue CVE: CVE-2022-42720 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6b944845031356f3e0c0f6695f9252a8ddc8b02f -------------------------------- commit 0b780881 upstream. There are multiple refcounting bugs related to multi-BSSID: - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro. - In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data. - In cfg80211_inform_single_bss_data(), if adding to the non- transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there. This fixes CVE-2022-42720. Reported-by: N Sönke Huster <shuster@seemoo.tu-darmstadt.de> Tested-by: N Sönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: a3584f56 ("cfg80211: Properly track transmitting and non-transmitting BSS") Signed-off-by: N Johannes Berg <johannes.berg@intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Ziyang Xuan <william.xuanziyang@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
7e196351 · Johannes Berg · Zheng Zengkai · 186f2898 · 7e196351
隐藏空白更改
内联并排

Showing with 14 addition and 13 deletion

net/wireless/scan.c net/wireless/scan.c +14 -13

未找到文件。
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cfg80211_registered_device *rdev,
 	lockdep_assert_held(&rdev->bss_lock);

 	bss->refcount++;
-	if (bss->pub.hidden_beacon_bss) {
-		bss = container_of(bss->pub.hidden_beacon_bss,
-				   struct cfg80211_internal_bss,
-				   pub);
-		bss->refcount++;
-	}
-	if (bss->pub.transmitted_bss) {
-		bss = container_of(bss->pub.transmitted_bss,
-				   struct cfg80211_internal_bss,
-				   pub);
-		bss->refcount++;
-	}
+
+	if (bss->pub.hidden_beacon_bss)
+		bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++;
+
+	if (bss->pub.transmitted_bss)
+		bss_from_pub(bss->pub.transmitted_bss)->refcount++;
 }

 static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
@@ -1734,6 +1728,8 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
 		new->refcount = 1;
 		INIT_LIST_HEAD(&new->hidden_list);
 		INIT_LIST_HEAD(&new->pub.nontrans_list);
+		/* we'll set this later if it was non-NULL */
+		new->pub.transmitted_bss = NULL;

 		if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
 			hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
@@ -1971,10 +1967,15 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
 		spin_lock_bh(&rdev->bss_lock);
 		if (cfg80211_add_nontrans_list(non_tx_data->tx_bss,
 					       &res->pub)) {
-			if (__cfg80211_unlink_bss(rdev, res))
+			if (__cfg80211_unlink_bss(rdev, res)) {
 				rdev->bss_generation++;
+				res = NULL;
+			}
 		}
 		spin_unlock_bh(&rdev->bss_lock);
+
+		if (!res)
+			return NULL;
 	}

 	trace_cfg80211_return_bss(&res->pub);