44b8729977f0bdb58aac9e8fc7991a2214f16f28
[openwrt/staging/hauke.git] /
1 From: Johannes Berg <johannes.berg@intel.com>
2 Date: Wed, 5 Oct 2022 21:24:10 +0200
3 Subject: [PATCH] wifi: mac80211: fix crash in beacon protection for
4 P2P-device
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
10
11 If beacon protection is active but the beacon cannot be
12 decrypted or is otherwise malformed, we call the cfg80211
13 API to report this to userspace, but that uses a netdev
14 pointer, which isn't present for P2P-Device. Fix this to
15 call it only conditionally to ensure cfg80211 won't crash
16 in the case of P2P-Device.
17
18 This fixes CVE-2022-42722.
19
20 Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
21 Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
22 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
23 ---
24
25 --- a/net/mac80211/rx.c
26 +++ b/net/mac80211/rx.c
27 @@ -1986,10 +1986,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_
28
29 if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
30 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
31 - NUM_DEFAULT_BEACON_KEYS) {
32 - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
33 - skb->data,
34 - skb->len);
35 + NUM_DEFAULT_BEACON_KEYS) {
36 + if (rx->sdata->dev)
37 + cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
38 + skb->data,
39 + skb->len);
40 return RX_DROP_MONITOR; /* unexpected BIP keyidx */
41 }
42
43 @@ -2137,7 +2138,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_
44 /* either the frame has been decrypted or will be dropped */
45 status->flag |= RX_FLAG_DECRYPTED;
46
47 - if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
48 + if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
49 + rx->sdata->dev))
50 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
51 skb->data, skb->len);
52