From: Michael Bommarito
To: linux-wireless@vger.kernel.org
Cc: Johannes Berg, Avraham Stern, Arend van Spriel, linux-kernel@vger.kernel.org, Michael Bommarito
Subject: [PATCH] wifi: nl80211: require admin perm on SET_PMK / DEL_PMK
Date: Tue, 21 Apr 2026 18:45:52 -0400
Message-ID: <20260421224552.4044147-1-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

NL80211_CMD_SET_PMK and NL80211_CMD_DEL_PMK manage the offloaded
4-way-handshake PMK state used by drivers advertising
NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X. The only in-tree driver that
wires up both ->set_pmk / ->del_pmk and advertises the feature today is
brcmfmac, so the practical reach of this patch is narrow.

Both ops were introduced without a .flags gate, so the generic netlink
layer dispatches them to an unprivileged caller instead of rejecting
with -EPERM at the permission check. Every other connection-state op in
the adjacent block (CONNECT, ASSOCIATE, AUTHENTICATE, SET_KEY, ...)
carries GENL_UNS_ADMIN_PERM; SET_PMK / DEL_PMK were introduced without
the flag in 2017 and left unchanged by later refactors. Johannes checked
the original Intel submission history and confirmed there is no admin
check in any prior revision either, so this seems likely to be a simple
oversight rather than an intentional carve-out.

Require GENL_UNS_ADMIN_PERM so the genl layer performs the same
capable(CAP_NET_ADMIN) check as its siblings. wpa_supplicant already
needs CAP_NET_ADMIN for every other nl80211 op it issues, so supplicant
operation is unaffected.

The worst case the missing gate enables today is an unprivileged local
process on a multi-user system invalidating the offloaded PMK state of
another user's 4-way-handshake session, forcing a full EAP re-auth on
the next reconnect.
Verified in UML: an unprivileged probe (uid=1000) sees
SET_MULTICAST_TO_UNICAST (sibling op with GENL_UNS_ADMIN_PERM) return
-EPERM on both pre- and post-fix kernels, while SET_PMK / DEL_PMK return
-ENODEV from nl80211_pre_doit()'s wdev lookup pre-fix (proving dispatch
crossed the genl permission check) and -EPERM post-fix (rejected at the
genl layer as intended).

Suggested-by: Johannes Berg
Fixes: 3a00df5707b6 ("cfg80211: support 4-way handshake offloading for 802.1X")
Signed-off-by: Michael Bommarito
Assisted-by: Claude:claude-opus-4-7
---
 net/wireless/nl80211.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index b94231c8441c..1f5124cb284d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -19016,6 +19016,7 @@ static const struct genl_small_ops nl80211_small_ops[] = {
 		.cmd = NL80211_CMD_SET_PMK,
 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
 		.doit = nl80211_set_pmk,
+		.flags = GENL_UNS_ADMIN_PERM,
 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
 					 NL80211_FLAG_CLEAR_SKB),
 	},
@@ -19023,6 +19024,7 @@ static const struct genl_small_ops nl80211_small_ops[] = {
 		.cmd = NL80211_CMD_DEL_PMK,
 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
 		.doit = nl80211_del_pmk,
+		.flags = GENL_UNS_ADMIN_PERM,
 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
 	},
 	{
-- 
2.53.0
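Review bot: the added `.flags = GENL_UNS_ADMIN_PERM,` line in the SET_PMK hunk is the right gate, but the commit message describes it as a capable(CAP_NET_ADMIN) check, which is not what this flag enables: GENL_UNS_ADMIN_PERM makes genetlink check netlink_ns_capable() for CAP_NET_ADMIN in the user namespace owning the net namespace, while plain GENL_ADMIN_PERM is the init-namespace-only variant, so the message should say that to stop a later reader from "correcting" UNS to the stricter flag. The rest of the entry stays sound: the permission check now runs before nl80211_pre_doit(), so the change from -ENODEV to -EPERM the message reports is the expected symptom, and NL80211_FLAG_CLEAR_SKB remains necessary because the request carries the PMK itself.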
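Review bot: the DEL_PMK hunk is the same one-line gate and needs no code change; the point to raise is process: the Fixes: tag names a 2017 commit, so every maintained stable branch carries the unflagged entry, and a `Cc: stable@vger.kernel.org` trailer beside Fixes: would get both hunks backported deterministically rather than relying on autoselection. Leaving this entry without NL80211_FLAG_CLEAR_SKB remains correct, since a delete request carries no key material.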
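An added userspace check, not part of this patch or of the kernel tree: it asks the generic-netlink controller (nlctrl) to describe a family, whose reply lists every registered op with its GENL_* flags, and reports the ops that have a .doit yet carry neither GENL_ADMIN_PERM nor GENL_UNS_ADMIN_PERM, which is exactly the gap SET_PMK and DEL_PMK had. Constants are the linux/netlink.h and linux/genetlink.h values; audit_family() assumes a Linux host with nl80211 registered, and the op ids it returns are NL80211_CMD_* enum values to be mapped against linux/nl80211.h.

```python
import socket
import struct

# Constants from linux/netlink.h and linux/genetlink.h.
GENL_ID_CTRL, CTRL_CMD_GETFAMILY, NLMSG_ERROR, NLM_F_REQUEST = 16, 3, 2, 1
CTRL_ATTR_FAMILY_NAME, CTRL_ATTR_OPS, CTRL_ATTR_OP_ID, CTRL_ATTR_OP_FLAGS = 2, 6, 1, 2
GENL_ADMIN_PERM, GENL_CMD_CAP_DO, GENL_UNS_ADMIN_PERM = 0x01, 0x02, 0x10

def u32(n):
    return struct.pack("=I", n)  # netlink uses host byte order

def nla(attr_type, payload):
    """Encode one netlink attribute; nla_len excludes the 4-byte padding."""
    body = struct.pack("=HH", 4 + len(payload), attr_type) + payload
    return body + b"\0" * (-len(body) % 4)

def parse_nla(buf):
    """Yield (type, payload) per attribute, masking NLA_F_NESTED/NET_BYTEORDER."""
    off = 0
    while off + 4 <= len(buf):
        length, attr_type = struct.unpack_from("=HH", buf, off)
        if length < 4:
            break  # malformed attribute: stop rather than loop forever
        yield attr_type & 0x3FFF, buf[off + 4:off + length]
        off += (length + 3) & ~3

def genlmsg(nl_type, cmd, attrs):
    """nlmsghdr + genlmsghdr (version 1) + attributes."""
    body = struct.pack("=BBH", cmd, 1, 0) + attrs
    return struct.pack("=IHHII", 16 + len(body), nl_type, NLM_F_REQUEST, 1, 0) + body

def unguarded_doit_ops(reply):
    """Op ids from a CTRL_CMD_GETFAMILY reply with a .doit (GENL_CMD_CAP_DO) but no
    GENL_ADMIN_PERM / GENL_UNS_ADMIN_PERM: genetlink dispatches those to any caller."""
    if struct.unpack_from("=IHH", reply)[1] == NLMSG_ERROR:
        raise OSError(-struct.unpack_from("=i", reply, 16)[0])
    attrs = dict(parse_nla(reply[20:]))  # skip nlmsghdr (16) + genlmsghdr (4)
    found = []
    for _, op in parse_nla(attrs.get(CTRL_ATTR_OPS, b"")):
        fields = dict(parse_nla(op))
        op_id = struct.unpack("=I", fields[CTRL_ATTR_OP_ID])[0]
        flags = struct.unpack("=I", fields[CTRL_ATTR_OP_FLAGS])[0]
        if flags & GENL_CMD_CAP_DO and not flags & (GENL_ADMIN_PERM | GENL_UNS_ADMIN_PERM):
            found.append(op_id)
    return found

def audit_family(name="nl80211"):
    """Ask the running kernel (Linux only; the nlctrl query needs no privilege)."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_GENERIC)
    s.send(genlmsg(GENL_ID_CTRL, CTRL_CMD_GETFAMILY, nla(CTRL_ATTR_FAMILY_NAME, name.encode() + b"\0")))
    return unguarded_doit_ops(s.recv(65536))
```

Running audit_family() on a pre-fix and a post-fix kernel should show the NL80211_CMD_SET_PMK and NL80211_CMD_DEL_PMK ids dropping out of the list; read-only GET_* ops legitimately stay in it, so what matters is any state-changing op that remains.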