From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DF824C4332F for ; Thu, 13 Oct 2022 18:02:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230435AbiJMSCT (ORCPT ); Thu, 13 Oct 2022 14:02:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59366 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230387AbiJMSBt (ORCPT ); Thu, 13 Oct 2022 14:01:49 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A894B160EC4; Thu, 13 Oct 2022 11:01:36 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id DD12061910; Thu, 13 Oct 2022 17:58:13 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F191DC433D6; Thu, 13 Oct 2022 17:58:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665683893; bh=GA/zqaLurWyQIiyR2z2ZlBS2lsSicER8WDIT2Epwul8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Of1Xo8nD/8wzWLzJe6CM7sCJ7q81OoepH71qHILM7UYexwIk7wMg9lo4DoHCKHF1l AHSZypu8EBZUxMlLPfuGhWgHRZO7YmYw6LIu/ZmBUIQwAWtczQs+KsEWEE/g4pdQb8 cBAPSOMtECIFVe/KEdHOSAvnrbvP5HKJ+3twfRTM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?S=C3=B6nke=20Huster?= , Johannes Berg Subject: [PATCH 5.15 22/27] wifi: mac80211: fix crash in beacon protection for P2P-device Date: Thu, 13 Oct 2022 19:52:51 +0200 Message-Id: <20221013175144.356052246@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221013175143.518476113@linuxfoundation.org> References: <20221013175143.518476113@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream. If beacon protection is active but the beacon cannot be decrypted or is otherwise malformed, we call the cfg80211 API to report this to userspace, but that uses a netdev pointer, which isn't present for P2P-Device. Fix this to call it only conditionally to ensure cfg80211 won't crash in the case of P2P-Device. This fixes CVE-2022-42722. Reported-by: Sönke Huster Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space") Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/mac80211/rx.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -1982,10 +1982,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_ if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS || mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS + - NUM_DEFAULT_BEACON_KEYS) { - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, - skb->data, - skb->len); + NUM_DEFAULT_BEACON_KEYS) { + if (rx->sdata->dev) + cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, + skb->data, + skb->len); return RX_DROP_MONITOR; /* unexpected BIP keyidx */ } @@ -2133,7 +2134,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_ /* either the frame has been decrypted or will be dropped */ status->flag |= RX_FLAG_DECRYPTED; - if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE)) + if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE && + rx->sdata->dev)) cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, skb->data, skb->len);