From nobody Tue Dec 16 12:35:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6FD7BC433FE for ; Thu, 13 Oct 2022 17:55:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230079AbiJMRzW (ORCPT ); Thu, 13 Oct 2022 13:55:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54148 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229927AbiJMRy1 (ORCPT ); Thu, 13 Oct 2022 13:54:27 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4606715201B; Thu, 13 Oct 2022 10:53:52 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B97C9B82026; Thu, 13 Oct 2022 17:53:51 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0F790C433D6; Thu, 13 Oct 2022 17:53:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683630; bh=+hWHjzuNL4/uWC9zqXql+Q2XpFqifgfw5cukpFp5D5I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dL2+05V5FlEPwL1rk5AmL8rtqNvPxMZ/P+XwlknWhJ/Ui9QclB6OIU8FSg9RobnIl gTpxGdAolIbXR5r5/Bdj0ewZtBw7bXmiuydIRj5atBfNGSgZhbQG7yhQD7SdA9TMxN Z8nU3FYCsBEfuMdzLPErZ3Mmrag09LaxEbMvf9kE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?S=C3=B6nke=20Huster?= , Johannes Berg Subject: [PATCH 5.4 34/38] wifi: cfg80211: avoid nontransmitted BSS list corruption Date: Thu, 13 Oct 2022 19:52:35 +0200 Message-Id: <20221013175145.382242160@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175144.245431424@linuxfoundation.org> References: <20221013175144.245431424@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg commit bcca852027e5878aec911a347407ecc88d6fff7f upstream. If a non-transmitted BSS shares enough information (both SSID and BSSID!) with another non-transmitted BSS of a different AP, then we can find and update it, and then try to add it to the non-transmitted BSS list. We do a search for it on the transmitted BSS, but if it's not there (but belongs to another transmitted BSS), the list gets corrupted. Since this is an erroneous situation, simply fail the list insertion in this case and free the non-transmitted BSS. This fixes CVE-2022-42721. Reported-by: S=C3=B6nke Huster Tested-by: S=C3=B6nke Huster Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in sc= anning") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/scan.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -386,6 +386,15 @@ cfg80211_add_nontrans_list(struct cfg802 =20 rcu_read_unlock(); =20 + /* + * This is a bit weird - it's not on the list, but already on another + * one! The only way that could happen is if there's some BSSID/SSID + * shared by multiple APs in their multi-BSSID profiles, potentially + * with hidden SSID mixed in ... ignore it. + */ + if (!list_empty(&nontrans_bss->nontrans_list)) + return -EINVAL; + /* add to the list */ list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); return 0;