WSL2-Linux-Kernel/net
Johannes Berg de124365a7 wifi: mac80211: fix MBSSID parsing use-after-free
commit ff05d4b45d

When we parse a multi-BSSID element, we might point some
element pointers into the allocated nontransmitted_profile.
However, we free this before returning, causing UAF when the
relevant pointers in the parsed elements are accessed.

Fix this by not allocating the scratch buffer separately but
as part of the returned structure instead, that way, there
are no lifetime issues with it.

The scratch buffer introduction as part of the returned data
here is taken from MLO feature work done by Ilan.

This fixes CVE-2022-42719.

Fixes: 5023b14cf4 ("mac80211: support profile split between elements")
Co-developed-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-10-15 07:59:05 +02:00
..
6lowpan 6lowpan: iphc: Fix an off-by-one check of array index 2021-07-22 16:19:03 +02:00
9p net/9p: Initialize the iounit field during fid creation 2022-08-17 14:24:23 +02:00
802 net: 802: remove dead leftover after ipx driver removal 2021-08-13 16:30:35 -07:00
8021q net: use eth_hw_addr_set() instead of ether_addr_copy() 2022-08-31 17:16:37 +02:00
appletalk net: socket: rework compat_ifreq_ioctl() 2021-07-23 14:20:25 +01:00
atm atm: Use list_for_each_entry() to simplify code in resources.c 2021-06-10 14:08:09 -07:00
ax25 net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg 2022-06-22 14:22:01 +02:00
batman-adv batman-adv: Use netif_rx_any_context() any. 2022-07-29 17:25:07 +02:00
bluetooth Bluetooth: L2CAP: Fix build errors in some archs 2022-09-05 10:30:06 +02:00
bpf bpf: Don't redirect packets with invalid pkt_len 2022-09-05 10:30:07 +02:00
bpfilter bpfilter: Specify the log level for the kmsg message 2021-06-25 13:13:50 +02:00
bridge netfilter: ebtables: fix memory leak when blob is malformed 2022-09-28 11:11:52 +02:00
caif net-caif: avoid user-triggerable WARN_ON(1) 2021-09-14 12:51:15 +01:00
can can: j1939: j1939_sk_queue_activate_next_locked(): replace WARN_ON_ONCE with netdev_warn_once() 2022-08-25 11:40:46 +02:00
ceph libceph: fix potential use-after-free on linger ping and resends 2022-05-25 09:57:28 +02:00
core net: core: fix flow symmetric hash 2022-09-28 11:11:47 +02:00
dcb net: dcb: disable softirqs in dcbnl_flush_dev() 2022-03-08 19:12:52 +01:00
dccp dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock 2022-08-17 14:23:37 +02:00
decnet net: Fix data-races around sysctl_[rw]mem(_offset)?. 2022-08-03 12:03:51 +02:00
dns_resolver
dsa net: dsa: hellcreek: Print warning only once 2022-09-20 12:39:45 +02:00
ethernet move netdev_boot_setup into Space.c 2021-08-03 13:05:26 +01:00
ethtool ethtool: Fix get module eeprom fallback 2022-06-29 09:03:23 +02:00
hsr net: use eth_hw_addr_set() instead of ether_addr_copy() 2022-08-31 17:16:37 +02:00
ieee802154 net/ieee802154: fix uninit value bug in dgram_sendmsg 2022-10-12 09:53:27 +02:00
ife
ipv4 net: Find dst with sk's xfrm policy not ctl_sk 2022-09-23 14:15:51 +02:00
ipv6 net: Find dst with sk's xfrm policy not ctl_sk 2022-09-23 14:15:51 +02:00
iucv net/iucv: Replace deprecated CPU-hotplug functions. 2021-08-09 10:13:32 +01:00
kcm kcm: fix strp_init() order and cleanup 2022-09-08 12:28:03 +02:00
key af_key: Do not call xfrm_probe_algs in parallel 2022-08-31 17:16:36 +02:00
l2tp ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg 2022-06-22 14:21:58 +02:00
l3mdev l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu 2022-04-27 14:38:53 +02:00
lapb net: lapb: Use list_for_each_entry() to simplify code in lapb_iface.c 2021-06-08 16:31:25 -07:00
llc llc: only change llc->dev when bind() succeeds 2022-03-28 09:58:46 +02:00
mac80211 wifi: mac80211: fix MBSSID parsing use-after-free 2022-10-15 07:59:05 +02:00
mac802154 net: mac802154: Fix a condition in the receive path 2022-09-08 12:28:07 +02:00
mctp mctp: Fix check for dev_hard_header() result 2022-04-13 20:59:16 +02:00
mpls net: Use u64_stats_fetch_begin_irq() for stats fetch. 2022-09-08 12:28:07 +02:00
mptcp mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb 2022-08-31 17:16:50 +02:00
ncsi net/ncsi: check for error return from call to nla_put_u32 2022-01-05 12:42:37 +01:00
netfilter netfilter: nf_tables: fix percpu memory leak at nf_tables_addchain() 2022-09-28 11:11:51 +02:00
netlabel netlabel: fix out-of-bounds memory accesses 2022-04-13 20:59:10 +02:00
netlink net: genl: fix error path memory leak in policy dumping 2022-08-25 11:40:25 +02:00
netrom netrom: fix api breakage in nr_setsockopt() 2022-01-27 11:04:00 +01:00
nfc NFC: NULL out the dev->rfkill to prevent UAF 2022-06-09 10:22:46 +02:00
nsh
openvswitch openvswitch: fix memory leak at failed datapath creation 2022-09-08 12:28:02 +02:00
packet net/af_packet: check len when min_header_len equals to 0 2022-09-05 10:30:12 +02:00
phonet phonet: refcount leak in pep_sock_accep 2022-01-11 15:35:16 +01:00
psample
qrtr net: qrtr: start MHI channel after endpoit creation 2022-08-25 11:40:29 +02:00
rds rds: add missing barrier to release_refill 2022-08-25 11:39:54 +02:00
rfkill rfkill: make new event layout opt-in 2022-04-08 14:23:00 +02:00
rose rose: check NULL rose_loopback_neigh->loopback 2022-08-31 17:16:38 +02:00
rxrpc rxrpc: Fix calc of resend age 2022-09-23 14:15:50 +02:00
sched net: sched: act_ct: fix possible refcount leak in tcf_ct_init() 2022-10-05 10:39:42 +02:00
sctp sctp: leave the err path free in sctp_stream_init to sctp_stream_free 2022-08-03 12:03:54 +02:00
smc net/smc: Stop the CLC flow if no link to map buffers on 2022-09-28 11:11:53 +02:00
strparser bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding 2021-11-18 19:17:11 +01:00
sunrpc SUNRPC: RPC level errors should set task->tk_rpc_status 2022-08-31 17:16:37 +02:00
switchdev net: make switchdev_bridge_port_{,unoffload} loosely coupled with the bridge 2021-08-04 12:35:07 +01:00
tipc tipc: fix shift wrapping bug in map_get() 2022-09-15 11:30:05 +02:00
tls net/tls: Remove the context from the list in tls_device_down 2022-08-03 12:03:47 +02:00
unix af_unix: Fix a data-race in unix_dgram_peer_wake_me(). 2022-06-14 18:36:17 +02:00
vmw_vsock vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout() 2022-08-25 11:40:11 +02:00
wireless wifi: cfg80211: update hidden BSSes to avoid WARN_ON 2022-10-15 07:59:03 +02:00
x25 net/x25: Fix null-ptr-deref caused by x25_disconnect 2022-04-08 14:23:53 +02:00
xdp xsk: Inherit need_wakeup flag for shared sockets 2022-10-12 09:53:26 +02:00
xfrm net: Fix data-races around netdev_max_backlog. 2022-08-31 17:16:42 +02:00
Kconfig mctp: Add MCTP base 2021-07-29 15:06:49 +01:00
Makefile mctp: Add MCTP base 2021-07-29 15:06:49 +01:00
compat.c net: Return the correct errno code 2021-06-03 15:13:56 -07:00
devres.c net: devres: Correct a grammatical error 2021-06-11 12:55:28 -07:00
socket.c net: Fix a data-race around sysctl_somaxconn. 2022-08-31 17:16:45 +02:00
sysctl_net.c