mac80211: backport security fix and disable MBSSID support
Fixes: CVE-2022-41674 Fixes: CVE-2022-42719 Fixes: CVE-2022-42720 Fixes: CVE-2022-42721 Fixes: CVE-2022-42722 Signed-off-by: Felix Fietkau <[email protected]>
Showing
2 changed files
with
96 additions
and
0 deletions.
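--- a/...el/mac80211/patches/subsys/396-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch
+++ b/...el/mac80211/patches/subsys/396-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch
@@ -0,0 +1,52 @@
+From: Johannes Berg <[email protected]>
+Date: Wed, 5 Oct 2022 21:24:10 +0200
+Subject: [PATCH] wifi: mac80211: fix crash in beacon protection for
+P2P-device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
+
+If beacon protection is active but the beacon cannot be
+decrypted or is otherwise malformed, we call the cfg80211
+API to report this to userspace, but that uses a netdev
+pointer, which isn't present for P2P-Device. Fix this to
+call it only conditionally to ensure cfg80211 won't crash
+in the case of P2P-Device.
+
+This fixes CVE-2022-42722.
+
+Reported-by: Sönke Huster <[email protected]>
+Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
+Signed-off-by: Johannes Berg <[email protected]>
+---
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1972,10 +1972,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_
+
+if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
+mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
+- NUM_DEFAULT_BEACON_KEYS) {
+- cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
+- skb->data,
+- skb->len);
++ NUM_DEFAULT_BEACON_KEYS) {
++ if (rx->sdata->dev)
++ cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
++ skb->data,
++ skb->len);
+return RX_DROP_MONITOR; /* unexpected BIP keyidx */
+}
+
+@@ -2123,7 +2124,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_
+/* either the frame has been decrypted or will be dropped */
+status->flag |= RX_FLAG_DECRYPTED;
+
+- if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
++ if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
++ rx->sdata->dev))
+cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
+skb->data, skb->len);
+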
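Review bot: Neither of the two new `rx->sdata->dev` guards in `ieee80211_rx_h_decrypt` carries a comment saying why the pointer can be NULL, so a later cleanup could mistake them for redundant checks and remove them. A one-line comment above the first guard, e.g. `/* P2P-Device has no netdev; skip the cfg80211 report instead of passing NULL */`, would record the reason given in the patch description. With the guards in place, a beacon-protection failure on such an interface is dropped without any report to userspace, which is worth stating in the same comment for anyone who relies on that event for monitoring. Because the patch is a verbatim backport of the upstream commit, the comment is better proposed upstream than carried as a local delta; the function body extends beyond both hunks.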
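--- a/package/kernel/mac80211/patches/subsys/397-disable-mbssid.patch
+++ b/package/kernel/mac80211/patches/subsys/397-disable-mbssid.patch
@@ -0,0 +1,44 @@
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1406,6 +1406,7 @@ static size_t ieee802_11_find_bssid_prof
+if (!bss_bssid || !transmitter_bssid)
+return profile_len;
+
++ return 0;
+for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
+if (elem->datalen < 2)
+continue;
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1982,6 +1982,7 @@ static const struct element
+const struct element *next_mbssid;
+const struct element *next_sub;
+
++ return NULL;
+next_mbssid = cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID,
+mbssid_end,
+ielen - (mbssid_end - ie));
+@@ -2063,6 +2064,7 @@ static void cfg80211_parse_mbssid_data(s
+u16 capability;
+struct cfg80211_bss *bss;
+
++ return;
+if (!non_tx_data)
+return;
+if (!cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen))
+@@ -2221,6 +2223,7 @@ cfg80211_update_notlisted_nontrans(struc
+const struct cfg80211_bss_ies *old;
+u8 cpy_len;
+
++ return;
+lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
+
+ie = mgmt->u.probe_resp.variable;
+@@ -2436,6 +2439,7 @@ cfg80211_inform_bss_frame_data(struct wi
+
+res = cfg80211_inform_single_bss_frame_data(wiphy, data, mgmt,
+len, gfp);
++ return res;
+if (!res || !wiphy->support_mbssid ||
+!cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen))
+return res;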
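Review bot: 397-disable-mbssid.patch has no header at all (no From/Subject, no description, no Signed-off-by), so nothing in the tree records why MBSSID handling is short-circuited or when the patch can be dropped. A description along the lines of `Disable MBSSID parsing in mac80211/cfg80211 as a stop-gap for the MBSSID-related CVEs named in the commit message; drop once the upstream fixes are backported` should be added, and each inserted early return should carry a one-line comment such as `/* MBSSID parsing disabled, see patch description */`. In `cfg80211_update_notlisted_nontrans` the new `return;` sits above `lockdep_assert_held(...)`, so the locking assertion no longer runs; placing the return after it would keep that check. The code after each return stays in place as dead code, and `wiphy->support_mbssid` is not touched in these hunks, so drivers may presumably still advertise MBSSID support while non-transmitted BSSes silently stop appearing in scan results. All five function bodies extend outside the hunks shown.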