From nobody Tue Apr 7 11:14:50 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90A52C4332F for ; Sun, 16 Oct 2022 06:46:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229831AbiJPGqF (ORCPT ); Sun, 16 Oct 2022 02:46:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39250 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229833AbiJPGpz (ORCPT ); Sun, 16 Oct 2022 02:45:55 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8FCD239BBF; Sat, 15 Oct 2022 23:45:51 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B7CF5B80B65; Sun, 16 Oct 2022 06:45:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 31EBBC433D6; Sun, 16 Oct 2022 06:45:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665902748; bh=sa1BrCIQpAgAdJX5QPqJfEmmnRdLvrQoemUIm8UpK2g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kD0R8KiFrc08z00Kho736VfYlk9XRw1jxr3gfCtwFLOnZOISa/NaFZryJ9/oGwJm/ BU0Rj/uiR6uOJaUAnfEs5lzlkl3WBluW3p4+0eB4q2iZR3uzF6KacnPXWgsOmWxiYT +beI+CXCabJ/uDBV87O5S+ORKPMTW5Mt9rxZ2LGk= 
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Saeed Mirzamohammadi , Sasha Levin Subject: [PATCH 5.4 1/4] Revert "fs: check FMODE_LSEEK to control internal pipe splicing" Date: Sun, 16 Oct 2022 08:46:23 +0200 Message-Id: <20221016064454.369430347@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221016064454.327821011@linuxfoundation.org> References: <20221016064454.327821011@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" This reverts commit fd0a6e99b61e6c08fa5cf585d54fd956f70c73a6. Which was upstream commit 97ef77c52b789ec1411d360ed99dca1efe4b2c81. The commit is missing dependencies and breaks NFS tests, remove it for now. Reported-by: Saeed Mirzamohammadi Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- fs/splice.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/fs/splice.c b/fs/splice.c index ae5623244d5e..e509239d7e06 100644 --- a/fs/splice.c +++ b/fs/splice.c 
@@ -895,15 +895,17 @@ ssize_t splice_direct_to_actor(struct file *in, struc= t splice_desc *sd, { struct pipe_inode_info *pipe; long ret, bytes; + umode_t i_mode; size_t len; int i, flags, more; =20 /* - * We require the input to be seekable, as we don't want to randomly - * drop data for eg socket -> socket splicing. Use the piped splicing - * for that! + * We require the input being a regular file, as we don't want to + * randomly drop data for eg socket -> socket splicing. Use the + * piped splicing for that! */ - if (unlikely(!(in->f_mode & FMODE_LSEEK))) + i_mode =3D file_inode(in)->i_mode; + if (unlikely(!S_ISREG(i_mode) && !S_ISBLK(i_mode))) return -EINVAL; =20 /* --=20 2.35.1 From nobody Tue Apr 7 11:14:50 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5C0F6C4332F for ; Sun, 16 Oct 2022 06:46:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229884AbiJPGqJ (ORCPT ); Sun, 16 Oct 2022 02:46:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39260 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229862AbiJPGqB (ORCPT ); Sun, 16 Oct 2022 02:46:01 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C173399FF; Sat, 15 Oct 2022 23:45:54 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 6FB9AB80B72; Sun, 16 Oct 2022 06:45:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C0AC6C433C1; Sun, 16 Oct 2022 06:45:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; 
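Review bot: the justification "missing dependencies" in the revert message names none of them; listing the prerequisite upstream commits would let the FMODE_LSEEK change be re-applied to 5.4 once they are backported, and would tell readers which NFS tests regressed. The hunk itself restores the previous check cleanly: testing S_ISREG/S_ISBLK on file_inode(in)->i_mode is at least as restrictive as the FMODE_LSEEK test for the socket-to-socket case the comment calls out, so the revert narrows the set of accepted inputs rather than reintroducing the data-loss case the upstream change was guarding against.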
s=korg; t=1665902751; bh=NrfyXHsZpZD8Ef+zqhd1NxJ+M4kfoBiBROPTAgZ+V6I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Sj8nArqID4GJ6uyizgKeKLWXp3ZFt33ezPu9PfZBajRG1sQFAgNbDs1vzD9NGJU5J NNS62U7ix+H+jUnCGJejdirugmNa8r9ULNlAoz8R5vonh8odOU5X2vVuuRWJ231TkJ X2wk8ZQAaPBzAjYwCOxqXd6EJuvr6Sj4P5YQELhw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johannes Berg Subject: [PATCH 5.4 2/4] mac80211: mlme: find auth challenge directly Date: Sun, 16 Oct 2022 08:46:24 +0200 Message-Id: <20221016064454.404903798@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221016064454.327821011@linuxfoundation.org> References: <20221016064454.327821011@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Johannes Berg There's no need to parse all elements etc. just to find the authentication challenge - use cfg80211_find_elem() instead. This also allows us to remove WLAN_EID_CHALLENGE handling from the element parsing entirely. Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a0= 07d6154cbf1fb3a8c48489e86f@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/mac80211/ieee80211_i.h | 2 -- net/mac80211/mlme.c | 11 ++++++----- net/mac80211/util.c | 4 ---- 3 files changed, 6 insertions(+), 11 deletions(-) --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1460,7 +1460,6 @@ struct ieee802_11_elems { const u8 *supp_rates; const u8 *ds_params; const struct ieee80211_tim_ie *tim; - const u8 *challenge; const u8 *rsn; const u8 *erp_info; const u8 *ext_supp_rates; 
@@ -1507,7 +1506,6 @@ struct ieee802_11_elems { u8 ssid_len; u8 supp_rates_len; u8 tim_len; - u8 challenge_len; u8 rsn_len; u8 ext_supp_rates_len; u8 wmm_info_len; --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -2829,14 +2829,14 @@ static void ieee80211_auth_challenge(str { struct ieee80211_local *local =3D sdata->local; struct ieee80211_mgd_auth_data *auth_data =3D sdata->u.mgd.auth_data; + const struct element *challenge; u8 *pos; - struct ieee802_11_elems elems; u32 tx_flags =3D 0; =20 pos =3D mgmt->u.auth.variable; - ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, auth_data->bss->bssid); - if (!elems.challenge) + challenge =3D cfg80211_find_elem(WLAN_EID_CHALLENGE, pos, + len - (pos - (u8 *)mgmt)); + if (!challenge) return; auth_data->expected_transaction =3D 4; drv_mgd_prepare_tx(sdata->local, sdata, 0); @@ -2844,7 +2844,8 @@ static void ieee80211_auth_challenge(str tx_flags =3D IEEE80211_TX_CTL_REQ_TX_STATUS | IEEE80211_TX_INTFL_MLME_CONN_TX; ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0, - elems.challenge - 2, elems.challenge_len + 2, + (void *)challenge, + challenge->datalen + sizeof(*challenge), auth_data->bss->bssid, auth_data->bss->bssid, auth_data->key, auth_data->key_len, auth_data->key_idx, tx_flags); --- a/net/mac80211/util.c +++ b/net/mac80211/util.c 
@@ -1006,10 +1006,6 @@ _ieee802_11_parse_elems_crc(const u8 *st } else elem_parse_failed =3D true; break; - case WLAN_EID_CHALLENGE: - elems->challenge =3D pos; - elems->challenge_len =3D elen; - break; case WLAN_EID_VENDOR_SPECIFIC: if (elen >=3D 4 && pos[0] =3D=3D 0x00 && pos[1] =3D=3D 0x50 && pos[2] =3D=3D 0xf2) { From nobody Tue Apr 7 11:14:50 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 21FE6C4332F for ; Sun, 16 Oct 2022 06:46:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229904AbiJPGqO (ORCPT ); Sun, 16 Oct 2022 02:46:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39240 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229882AbiJPGqD (ORCPT ); Sun, 16 Oct 2022 02:46:03 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 396CC3AE5B; Sat, 15 Oct 2022 23:45:56 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 25C52B80B77; Sun, 16 Oct 2022 06:45:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 85BE2C433D7; Sun, 16 Oct 2022 06:45:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665902753; bh=OPUq4AaBA6cqzgAQsUxgbbuBNbAZzLY8pUyPprPooYQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TrBWzdiiQogsYpzs5qRmXDMkEkcP0kEivjac3mPKa0gWoqch8OHf+wEk1wTgYWU3H 8LzYPICFHnfKcNBF1hoYB/p4XD5EO0eBwedAuZESJ4XnujQbLx5l4y69opLVi63VDA ocCHf6Eb+taj7IAgSbmGzYoNwRHQTNjdXIwk+4yQ= 
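Review bot: in the second mlme.c hunk the `(void *)challenge` cast discards the const qualifier of the pointer cfg80211_find_elem() returns; if ieee80211_send_auth()'s extra-data parameter is `const u8 *`, cast to that type and keep the qualifier. The new length, `challenge->datalen + sizeof(*challenge)`, is equivalent to the old `elems.challenge_len + 2` because struct element's header is two bytes, and spelling it with sizeof() rather than a literal 2 is the better form.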
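Review bot: removing the WLAN_EID_CHALLENGE case from _ieee802_11_parse_elems_crc() means a challenge element in any frame now takes whatever the switch's default path does; the commit message should state that ieee80211_auth_challenge() was the only reader of elems->challenge and that the field removal in the ieee80211_i.h hunk is what enforces this at compile time, so anyone backporting further knows that no other consumer needs the direct cfg80211_find_elem() lookup.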
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johannes Berg Subject: [PATCH 5.4 3/4] wifi: mac80211: dont parse mbssid in assoc response Date: Sun, 16 Oct 2022 08:46:25 +0200 Message-Id: <20221016064454.438611868@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221016064454.327821011@linuxfoundation.org> References: <20221016064454.327821011@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Johannes Berg This is simply not valid and simplifies the next commit. I'll make a separate patch for this in the current main tree as well. Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/mac80211/mlme.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -3224,7 +3224,7 @@ static bool ieee80211_assoc_success(stru =20 pos =3D mgmt->u.assoc_resp.variable; ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, assoc_data->bss->bssid); + mgmt->bssid, NULL); =20 if (!elems.supp_rates) { sdata_info(sdata, "no SuppRates element in AssocResp\n"); 
@@ -3576,7 +3576,7 @@ static void ieee80211_rx_mgmt_assoc_resp =20 pos =3D mgmt->u.assoc_resp.variable; ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, assoc_data->bss->bssid); + mgmt->bssid, NULL); =20 if (status_code =3D=3D WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY && elems.timeout_int && From nobody Tue Apr 7 11:14:50 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B5549C4332F for ; Sun, 16 Oct 2022 06:46:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229957AbiJPGqc (ORCPT ); Sun, 16 Oct 2022 02:46:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39528 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229849AbiJPGqU (ORCPT ); Sun, 16 Oct 2022 02:46:20 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 47CAF3B71B; Sat, 15 Oct 2022 23:46:00 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 0E43AB80B65; Sun, 16 Oct 2022 06:45:58 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6585CC4314A; Sun, 16 Oct 2022 06:45:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665902756; bh=M6vEigbkIMDybP7BCXxNZ0YbyifLUWjivpBzJbcRlhQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=V1H07BliPDOux2/fxBQr+qy/cmkDBuFdRNE3UnJpCZbgnTIueY0b67vrKw3lLUo8f u10oQk92fvdlJlcTLvpIfqgAWyU78cHkiGBntopDPfEBjEIwec8qbz4BbkizefNEGh 1aNpLfcVVlxmIdlyub4t0LrZBG6fzU6IUKBIih1E= 
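Review bot: "This is simply not valid" gives no reason; the commit message should say why an association response carries no multiple-BSSID profile to merge, and spell out the behavioural consequence of passing NULL as the last argument in both hunks: ieee802_11_parse_elems() no longer builds a non-transmitted profile for these frames, so no profile elements are merged into elems. That is also what makes the next patch work, since its kfree(elems.nontx_profile) calls are needed only where that last argument is non-NULL, and neither of these two call sites gets one.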
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ilan Peer , Kees Cook , Johannes Berg Subject: [PATCH 5.4 4/4] wifi: mac80211: fix MBSSID parsing use-after-free Date: Sun, 16 Oct 2022 08:46:26 +0200 Message-Id: <20221016064454.478100196@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221016064454.327821011@linuxfoundation.org> References: <20221016064454.327821011@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Johannes Berg Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream. This is a different version of the commit, changed to store the non-transmitted profile in the elems, and freeing it in the few places where it's relevant, since that is only the case when the last argument for parsing (the non-tx BSSID) is non-NULL. When we parse a multi-BSSID element, we might point some element pointers into the allocated nontransmitted_profile. However, we free this before returning, causing UAF when the relevant pointers in the parsed elements are accessed. Fix this by not allocating the scratch buffer separately but as part of the returned structure instead, that way, there are no lifetime issues with it. The scratch buffer introduction as part of the returned data here is taken from MLO feature work done by Ilan. This fixes CVE-2022-42719. Fixes: 5023b14cf4df ("mac80211: support profile split between elements") Co-developed-by: Ilan Peer Signed-off-by: Ilan Peer Reviewed-by: Kees Cook Signed-off-by: Johannes Berg 
Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/mac80211/ieee80211_i.h | 2 ++ net/mac80211/mlme.c | 6 +++++- net/mac80211/scan.c | 2 ++ net/mac80211/util.c | 7 ++++++- 4 files changed, 15 insertions(+), 2 deletions(-) --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1519,6 +1519,8 @@ struct ieee802_11_elems { u8 country_elem_len; u8 bssid_index_len; =20 + void *nontx_profile; + /* whether a parse error occurred while retrieving these elements */ bool parse_error; }; --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -3299,6 +3299,7 @@ static bool ieee80211_assoc_success(stru sdata_info(sdata, "AP bug: VHT operation missing from AssocResp\n"); } + kfree(bss_elems.nontx_profile); } =20 /* @@ -3883,6 +3884,7 @@ static void ieee80211_rx_mgmt_beacon(str ifmgd->assoc_data->timeout =3D jiffies; ifmgd->assoc_data->timeout_started =3D true; run_again(sdata, ifmgd->assoc_data->timeout); + kfree(elems.nontx_profile); return; } =20 @@ -4050,7 +4052,7 @@ static void ieee80211_rx_mgmt_beacon(str ieee80211_report_disconnect(sdata, deauth_buf, sizeof(deauth_buf), true, WLAN_REASON_DEAUTH_LEAVING); - return; + goto free; } =20 if (sta && elems.opmode_notif) @@ -4065,6 +4067,8 @@ static void ieee80211_rx_mgmt_beacon(str elems.cisco_dtpc_elem); =20 ieee80211_bss_info_change_notify(sdata, changed); +free: + kfree(elems.nontx_profile); } =20 void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata, --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -216,6 +216,8 @@ ieee80211_bss_info_update(struct ieee802 rx_status, beacon); } =20 + kfree(elems.nontx_profile); + return bss; } =20 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c 
@@ -1363,6 +1363,11 @@ u32 ieee802_11_parse_elems_crc(const u8 cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, nontransmitted_profile, nontransmitted_profile_len); + if (!nontransmitted_profile_len) { + nontransmitted_profile_len =3D 0; + kfree(nontransmitted_profile); + nontransmitted_profile =3D NULL; + } } =20 crc =3D _ieee802_11_parse_elems_crc(start, len, action, elems, filter, @@ -1392,7 +1397,7 @@ u32 ieee802_11_parse_elems_crc(const u8 offsetofend(struct ieee80211_bssid_index, dtim_count)) elems->dtim_count =3D elems->bssid_index->dtim_count; =20 - kfree(nontransmitted_profile); + elems->nontx_profile =3D nontransmitted_profile; =20 return crc; }
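Review bot: the new `void *nontx_profile;` member in the ieee80211_i.h hunk has no comment, while the neighbouring parse_error member does; since the field hands heap ownership to whoever called ieee802_11_parse_elems(), a one-line comment saying it must be kfree()d by the caller and is only non-NULL when a transmitter BSSID was passed would prevent the leak or double free a future caller is otherwise invited to make. A typed pointer would document the contents better than `void *`.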
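Review bot: in the ieee80211_assoc_success() hunk, kfree(bss_elems.nontx_profile) sits at one exit of the block that parses into bss_elems; any return between that parse and this point would leak the buffer, so confirm there is none, or free immediately after the last use of bss_elems instead.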
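Review bot: the first ieee80211_rx_mgmt_beacon() hunk frees elems.nontx_profile with an explicit kfree() before the early return, while the following hunks convert a later `return;` into `goto free;` with the label at the end of the function; using the goto for both exits would keep a single release point and make a missed return harder to introduce when the function is next edited.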
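Review bot: with `free:` placed at the end of ieee80211_rx_mgmt_beacon(), every return after the parse must become `goto free;` for the fix to be leak-free; the hunks show only one `return` converted, so the review should walk the remaining returns in the function, which are outside the visible context lines.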
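Review bot: in the scan.c hunk, kfree(elems.nontx_profile) before `return bss;` covers the normal path of ieee80211_bss_info_update(); if the function returns early between the parse and this point (the hunk shows only the tail), those paths leak. It also relies on the update above having copied anything it keeps from elems by value, since pointers into the profile, the very ones that dangled before this patch, become invalid on the next line.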
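Review bot: in the first util.c hunk, the assignment `nontransmitted_profile_len = 0` inside `if (!nontransmitted_profile_len)` is a no-op, since the condition already established it is zero; dropping it leaves the intent, free the buffer and NULL the pointer so the caller receives nothing to own, clearer.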
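Review bot: replacing `kfree(nontransmitted_profile)` with `elems->nontx_profile = nontransmitted_profile` in the second util.c hunk is the actual use-after-free fix, since the buffer now outlives the call; every return from ieee802_11_parse_elems_crc() after the allocation must reach this line or the buffer leaks. Because upstream ff05d4b45dd89b922578dac497dcabf57cf771c6 embeds the scratch space in the returned structure instead, the lifetime contract this backport chooses (caller must kfree) should be stated next to the function definition so a later backport does not reintroduce the free.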
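The lifetime bug patch 4/4 describes, and the ownership model it adopts, as an added example that is not part of the patch series or of mac80211's own code: a minimal id/len/data element parser whose "profile" element is copied to a scratch buffer and parsed on top of the outer list, so that parsed fields end up pointing into that buffer. Element ids, struct and function names (EID_PROFILE, struct elems, parse_elems, elems_free) are constructed for the demo and are not 802.11 or kernel identifiers.

```c
/* Added example, not code from the patch series: a minimal id/len/data element
 * parser mirroring the ownership model patch 4/4 adopts for the non-transmitted
 * BSSID profile. Element ids are constructed for the demo, not 802.11 values. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EID_SSID    0x00	/* constructed: a name element */
#define EID_PROFILE 0x71	/* constructed: container holding a nested element list */

struct elems {
	const uint8_t *ssid;
	size_t ssid_len;
	const uint8_t *profile;	/* raw nested list, points into the input frame */
	size_t profile_len;
	/* Scratch copy of the profile that ssid may point into. Owned by the
	 * caller of parse_elems() and released via elems_free(): the role of
	 * the nontx_profile field the patch adds. */
	uint8_t *nontx_profile;
};

/* Walk one id/len/data list; later elements overwrite earlier ones. */
static void parse_list(const uint8_t *buf, size_t len, struct elems *e)
{
	size_t pos = 0;

	while (pos + 2 <= len) {
		uint8_t id = buf[pos], elen = buf[pos + 1];

		if (pos + 2 + elen > len)	/* truncated element: stop, never overread */
			break;
		if (id == EID_SSID) {
			e->ssid = buf + pos + 2;
			e->ssid_len = elen;
		} else if (id == EID_PROFILE) {
			e->profile = buf + pos + 2;
			e->profile_len = elen;
		}
		pos += 2 + elen;
	}
}

/* Parse the outer list, then copy the profile body to a heap buffer and parse it
 * on top so its elements win. The buffer is deliberately NOT freed here, since
 * fields of *e may point into it (freeing it was the use-after-free the patch
 * fixes); ownership passes to the caller through e->nontx_profile.
 * Returns 0 on success, -1 on allocation failure. */
int parse_elems(const uint8_t *buf, size_t len, struct elems *e)
{
	memset(e, 0, sizeof(*e));
	parse_list(buf, len, e);
	/* No profile, or an empty one: nothing to own (the patch's
	 * !nontransmitted_profile_len branch). */
	if (!e->profile || !e->profile_len)
		return 0;
	e->nontx_profile = malloc(e->profile_len);
	if (!e->nontx_profile)
		return -1;
	memcpy(e->nontx_profile, e->profile, e->profile_len);
	parse_list(e->nontx_profile, e->profile_len, e);
	return 0;
}

/* Every caller of parse_elems() calls this once it is done with *e. */
void elems_free(struct elems *e)
{
	free(e->nontx_profile);
	e->nontx_profile = NULL;
	e->ssid = NULL;		/* may have pointed into the freed buffer */
}

/* Parses a constructed frame and returns 1 if the profile's SSID overrode the
 * outer one while the scratch buffer stayed alive for the caller, else 0. */
int demo_profile_override(void)
{
	/* Outer SSID "ap", then a profile whose nested list carries SSID "vap". */
	static const uint8_t frame[] = { EID_SSID, 2, 'a', 'p',
					 EID_PROFILE, 5, EID_SSID, 3, 'v', 'a', 'p' };
	struct elems e;
	int ok;

	if (parse_elems(frame, sizeof(frame), &e) != 0)
		return 0;
	ok = e.nontx_profile && e.ssid_len == 3 && !memcmp(e.ssid, "vap", 3) &&
	     e.ssid >= e.nontx_profile && e.ssid < e.nontx_profile + e.profile_len;
	elems_free(&e);
	return ok;
}

/* Same for a frame whose profile element is empty: no buffer is allocated and
 * the outer SSID stands. Returns 1 on the expected outcome, else 0. */
int demo_empty_profile(void)
{
	static const uint8_t frame[] = { EID_SSID, 2, 'a', 'p', EID_PROFILE, 0 };
	struct elems e;
	int ok;

	if (parse_elems(frame, sizeof(frame), &e) != 0)
		return 0;
	ok = !e.nontx_profile && e.ssid_len == 2 && !memcmp(e.ssid, "ap", 2);
	elems_free(&e);
	return ok;
}
```

The design point is the one the patch makes: a parser that returns pointers into memory it allocated must either keep that memory alive until the caller is done (here by handing it over in the result, to be released by a single elems_free()) or copy the referenced bytes out; freeing the scratch buffer inside the parser leaves every such pointer dangling, which is the CVE-2022-42719 shape.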