author | Felix Fietkau <nbd@nbd.name> | 2022-10-13 14:29:53 +0200 |
---|---|---|
committer | Felix Fietkau <nbd@nbd.name> | 2022-10-13 15:10:56 +0200 |
commit | f1de43d0a045a154c74281bc60bf1c44c990071b (patch) | |
tree | 12445d4bcd3a18a65346e5c24cb6eea22927b348 /package/kernel/mac80211/patches/subsys/350-mac80211-fix-memory-leaks-with-element-parsing.patch | |
parent | a077c6da98c80d66c40a0760bdeef376c82bc656 (diff) | |
mac80211: backport security fixes
These fixes mainly affect scanning and beacon parsing, especially with MBSSID enabled.
Fixes: CVE-2022-41674
Fixes: CVE-2022-42719
Fixes: CVE-2022-42720
Fixes: CVE-2022-42721
Fixes: CVE-2022-42722
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 26f400210d6b3780fcc0deb89b9741837df9c8b8)
Diffstat (limited to 'package/kernel/mac80211/patches/subsys/350-mac80211-fix-memory-leaks-with-element-parsing.patch')
-rw-r--r-- | package/kernel/mac80211/patches/subsys/350-mac80211-fix-memory-leaks-with-element-parsing.patch | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/subsys/350-mac80211-fix-memory-leaks-with-element-parsing.patch b/package/kernel/mac80211/patches/subsys/350-mac80211-fix-memory-leaks-with-element-parsing.patch
new file mode 100644
index 0000000000..f4906e8c03
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/350-mac80211-fix-memory-leaks-with-element-parsing.patch
@@ -0,0 +1,115 @@
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 1 Oct 2021 21:11:08 +0200
+Subject: [PATCH] mac80211: fix memory leaks with element parsing
+
+commit 8223ac199a3849257e86ec27865dc63f034b1cf1 upstream.
+
+My previous commit 5d24828d05f3 ("mac80211: always allocate
+struct ieee802_11_elems") had a few bugs and leaked the new
+allocated struct in a few error cases, fix that.
+
+Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20211001211108.9839928e42e0.Ib81ca187d3d3af7ed1bfeac2e00d08a4637c8025@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -499,13 +499,14 @@ void ieee80211_process_addba_request(str
+ elems = ieee802_11_parse_elems(mgmt->u.action.u.addba_req.variable,
+ ies_len, true, mgmt->bssid, NULL);
+ if (!elems || elems->parse_error)
+- return;
++ goto free;
+ }
+
+ __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
+ start_seq_num, ba_policy, tid,
+ buf_size, true, false,
+ elems ? elems->addba_ext_ie : NULL);
++free:
+ kfree(elems);
+ }
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -1659,11 +1659,11 @@ void ieee80211_ibss_rx_queued_mgmt(struc
+ mgmt->u.action.u.chan_switch.variable,
+ ies_len, true, mgmt->bssid, NULL);
+
+- if (!elems || elems->parse_error)
+- break;
+-
+- ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt, skb->len,
+- rx_status, elems);
++ if (elems && !elems->parse_error)
++ ieee80211_rx_mgmt_spectrum_mgmt(sdata, mgmt,
++ skb->len,
++ rx_status,
++ elems);
+ kfree(elems);
+ break;
+ }
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -3374,8 +3374,10 @@ static bool ieee80211_assoc_success(stru
+ bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
+ GFP_ATOMIC);
+ rcu_read_unlock();
+- if (!bss_ies)
+- return false;
++ if (!bss_ies) {
++ ret = false;
++ goto out;
++ }
+
+ bss_elems = ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
+ false, mgmt->bssid,
+@@ -4358,13 +4360,11 @@ void ieee80211_sta_rx_queued_mgmt(struct
+ mgmt->u.action.u.chan_switch.variable,
+ ies_len, true, mgmt->bssid, NULL);
+
+- if (!elems || elems->parse_error)
+- break;
+-
+- ieee80211_sta_process_chanswitch(sdata,
+- rx_status->mactime,
+- rx_status->device_timestamp,
+- elems, false);
++ if (elems && !elems->parse_error)
++ ieee80211_sta_process_chanswitch(sdata,
++ rx_status->mactime,
++ rx_status->device_timestamp,
++ elems, false);
+ kfree(elems);
+ } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
+ struct ieee802_11_elems *elems;
+@@ -4384,17 +4384,17 @@ void ieee80211_sta_rx_queued_mgmt(struct
+ mgmt->u.action.u.ext_chan_switch.variable,
+ ies_len, true, mgmt->bssid, NULL);
+
+- if (!elems || elems->parse_error)
+- break;
++ if (elems && !elems->parse_error) {
++ /* for the handling code pretend it was an IE */
++ elems->ext_chansw_ie =
++ &mgmt->u.action.u.ext_chan_switch.data;
++
++ ieee80211_sta_process_chanswitch(sdata,
++ rx_status->mactime,
++ rx_status->device_timestamp,
++ elems, false);
++ }
+
+- /* for the handling code pretend this was also an IE */
+- elems->ext_chansw_ie =
+- &mgmt->u.action.u.ext_chan_switch.data;
+-
+- ieee80211_sta_process_chanswitch(sdata,
+- rx_status->mactime,
+- rx_status->device_timestamp,
+- elems, false);
+ kfree(elems);
+ }
+ break; |
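Review bot: In the `ieee80211_assoc_success` hunk of the inner mlme.c patch, the new error path `ret = false; goto out;` references a `ret` variable and an `out:` label that appear nowhere in the hunk — `ieee80211_assoc_success` starts and ends outside it — so this patch presumably compiles only when the series already carries the backport of 5d24828d05f3 ("always allocate struct ieee802_11_elems") that introduced that cleanup path, yet the header names that commit only as the Fixes: target. The OpenWrt patch header should state the ordering dependency explicitly, e.g. `Depends on the preceding "always allocate struct ieee802_11_elems" backport for the out: label in ieee80211_assoc_success.` The other hunks are self-contained: `kfree(elems)` now runs on every path and `kfree(NULL)` is a no-op, so the inverted guards `if (elems && !elems->parse_error)` in ibss.c and the two chanswitch paths are correct, though they differ in shape from the `goto free` used in agg-rx.c for the same purpose. As far as its header shows, this file is a leak fix that the later CVE patches build on rather than one of the CVE fixes listed in the commit message, which is worth noting when auditing which patch in the series closes which CVE.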