Date: Thursday, October 13, 2022 @ 20:22:55
  Author: heftig
Revision: 458137

5.15.73-2

Added:
  
linux-lts/trunk/0007-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch
  linux-lts/trunk/0008-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch
  
linux-lts/trunk/0009-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch
  linux-lts/trunk/0010-wifi-cfg80211-fix-BSS-refcounting-bugs.patch
  
linux-lts/trunk/0011-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
  
linux-lts/trunk/0012-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch
  
linux-lts/trunk/0013-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch
  linux-lts/trunk/0014-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch
Modified:
  
linux-lts/trunk/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
  
linux-lts/trunk/0002-PCI-Add-more-NVIDIA-controllers-to-the-MSI-masking-q.patch
  
linux-lts/trunk/0003-iommu-intel-do-deep-dma-unmapping-to-avoid-kernel-fl.patch
  linux-lts/trunk/0006-Fix-NFSv4-mount-regression.patch
  linux-lts/trunk/PKGBUILD

-----------------------------------------------------------------+
 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch |    6 
 0002-PCI-Add-more-NVIDIA-controllers-to-the-MSI-masking-q.patch |    4 
 0003-iommu-intel-do-deep-dma-unmapping-to-avoid-kernel-fl.patch |    4 
 0006-Fix-NFSv4-mount-regression.patch                           |   12 -
 0007-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch |   47 ++++
 0008-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch    |   56 +++++
 0009-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch |   46 ++++
 0010-wifi-cfg80211-fix-BSS-refcounting-bugs.patch               |   93 ++++++++
 0011-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch |   53 ++++
 0012-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch |   36 +++
 0013-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch |   57 +++++
 0014-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch   |  107 
++++++++++
 PKGBUILD                                                        |   26 +-
 13 files changed, 529 insertions(+), 18 deletions(-)

Modified: 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
===================================================================
--- 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch     
2022-10-13 20:22:47 UTC (rev 458136)
+++ 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch     
2022-10-13 20:22:55 UTC (rev 458137)
@@ -63,7 +63,7 @@
        bool "PID Namespaces"
        default y
 diff --git a/kernel/fork.c b/kernel/fork.c
-index 89475c994ca9..a00b3f26f241 100644
+index 908ba3c93893..b4982474fb93 100644
 --- a/kernel/fork.c
 +++ b/kernel/fork.c
 @@ -98,6 +98,10 @@
@@ -77,7 +77,7 @@
  #include <asm/pgalloc.h>
  #include <linux/uaccess.h>
  #include <asm/mmu_context.h>
-@@ -1950,6 +1954,10 @@ static __latent_entropy struct task_struct 
*copy_process(
+@@ -1951,6 +1955,10 @@ static __latent_entropy struct task_struct 
*copy_process(
        if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == 
(CLONE_NEWUSER|CLONE_FS))
                return ERR_PTR(-EINVAL);
  
@@ -88,7 +88,7 @@
        /*
         * Thread groups must share signals as well, and detached threads
         * can only be started up within the thread group.
-@@ -3066,6 +3074,12 @@ int ksys_unshare(unsigned long unshare_flags)
+@@ -3067,6 +3075,12 @@ int ksys_unshare(unsigned long unshare_flags)
        if (unshare_flags & CLONE_NEWNS)
                unshare_flags |= CLONE_FS;
  

Modified: 0002-PCI-Add-more-NVIDIA-controllers-to-the-MSI-masking-q.patch
===================================================================
--- 0002-PCI-Add-more-NVIDIA-controllers-to-the-MSI-masking-q.patch     
2022-10-13 20:22:47 UTC (rev 458136)
+++ 0002-PCI-Add-more-NVIDIA-controllers-to-the-MSI-masking-q.patch     
2022-10-13 20:22:55 UTC (rev 458137)
@@ -10,10 +10,10 @@
  1 file changed, 2 insertions(+)
 
 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 4893b1e82403..6ac303124b69 100644
+index a531064233f9..e1893dde40f6 100644
 --- a/drivers/pci/quirks.c
 +++ b/drivers/pci/quirks.c
-@@ -5821,3 +5821,5 @@ static void nvidia_ion_ahci_fixup(struct pci_dev *pdev)
+@@ -5824,3 +5824,5 @@ static void nvidia_ion_ahci_fixup(struct pci_dev *pdev)
        pdev->dev_flags |= PCI_DEV_FLAGS_HAS_MSI_MASKING;
  }
  DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NVIDIA, 0x0ab8, nvidia_ion_ahci_fixup);

Modified: 0003-iommu-intel-do-deep-dma-unmapping-to-avoid-kernel-fl.patch
===================================================================
--- 0003-iommu-intel-do-deep-dma-unmapping-to-avoid-kernel-fl.patch     
2022-10-13 20:22:47 UTC (rev 458136)
+++ 0003-iommu-intel-do-deep-dma-unmapping-to-avoid-kernel-fl.patch     
2022-10-13 20:22:55 UTC (rev 458137)
@@ -71,10 +71,10 @@
  1 file changed, 2 insertions(+)
 
 diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
-index a1ffb3d6d901..c41788ea1a03 100644
+index 71a932017772..d8f9bec2c1f7 100644
 --- a/drivers/iommu/intel/iommu.c
 +++ b/drivers/iommu/intel/iommu.c
-@@ -5113,6 +5113,8 @@ static size_t intel_iommu_unmap(struct iommu_domain 
*domain,
+@@ -5123,6 +5123,8 @@ static size_t intel_iommu_unmap(struct iommu_domain 
*domain,
        gather->freelist = domain_unmap(dmar_domain, start_pfn,
                                        last_pfn, gather->freelist);
  

Modified: 0006-Fix-NFSv4-mount-regression.patch
===================================================================
--- 0006-Fix-NFSv4-mount-regression.patch       2022-10-13 20:22:47 UTC (rev 
458136)
+++ 0006-Fix-NFSv4-mount-regression.patch       2022-10-13 20:22:55 UTC (rev 
458137)
@@ -62,10 +62,10 @@
  extern struct rpc_clnt *nfs4_proc_lookup_mountpoint(struct inode *,
                                                    struct dentry *,
 diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index cbb39aff8182..3d4dee10cb11 100644
+index a808763c52c1..7c05dbe595ac 100644
 --- a/fs/nfs/nfs4proc.c
 +++ b/fs/nfs/nfs4proc.c
-@@ -3963,60 +3963,6 @@ int nfs4_server_capabilities(struct nfs_server *server, 
struct nfs_fh *fhandle)
+@@ -3962,60 +3962,6 @@ int nfs4_server_capabilities(struct nfs_server *server, 
struct nfs_fh *fhandle)
        return err;
  }
  
@@ -126,7 +126,7 @@
  static int _nfs4_lookup_root(struct nfs_server *server, struct nfs_fh 
*fhandle,
                struct nfs_fsinfo *info)
  {
-@@ -7952,18 +7898,18 @@ int nfs4_proc_fs_locations(struct rpc_clnt *client, 
struct inode *dir,
+@@ -7951,18 +7897,18 @@ int nfs4_proc_fs_locations(struct rpc_clnt *client, 
struct inode *dir,
   * appended to this compound to identify the client ID which is
   * performing recovery.
   */
@@ -148,7 +148,7 @@
                .page           = page,
                .bitmask        = bitmask,
                .migration      = 1,            /* skip LOOKUP */
-@@ -8009,17 +7955,17 @@ static int _nfs40_proc_get_locations(struct nfs_server 
*server,
+@@ -8008,17 +7954,17 @@ static int _nfs40_proc_get_locations(struct nfs_server 
*server,
   * When the client supports GETATTR(fs_locations_info), it can
   * be plumbed in here.
   */
@@ -169,7 +169,7 @@
                .page           = page,
                .bitmask        = bitmask,
                .migration      = 1,            /* skip LOOKUP */
-@@ -8068,28 +8014,27 @@ static int _nfs41_proc_get_locations(struct nfs_server 
*server,
+@@ -8067,28 +8013,27 @@ static int _nfs41_proc_get_locations(struct nfs_server 
*server,
   * -NFS4ERR_LEASE_MOVED is returned if the server still has leases
   * from this client that require migration recovery.
   */
@@ -202,7 +202,7 @@
                if (status != -NFS4ERR_DELAY)
                        break;
                nfs4_handle_exception(server, status, &exception);
-@@ -10586,7 +10531,6 @@ const struct nfs_rpc_ops nfs_v4_clientops = {
+@@ -10588,7 +10533,6 @@ const struct nfs_rpc_ops nfs_v4_clientops = {
        .free_client    = nfs4_free_client,
        .create_server  = nfs4_create_server,
        .clone_server   = nfs_clone_server,

Added: 0007-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch
===================================================================
--- 0007-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch             
                (rev 0)
+++ 0007-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch     
2022-10-13 20:22:55 UTC (rev 458137)
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <[email protected]>
+Date: Wed, 28 Sep 2022 21:56:15 +0200
+Subject: [PATCH] wifi: cfg80211: fix u8 overflow in
+ cfg80211_update_notlisted_nontrans()
+
+commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
+
+In the copy code of the elements, we do the following calculation
+to reach the end of the MBSSID element:
+
+       /* copy the IEs after MBSSID */
+       cpy_len = mbssid[1] + 2;
+
+This looks fine, however, cpy_len is a u8, the same as mbssid[1],
+so the addition of two can overflow. In this case the subsequent
+memcpy() will overflow the allocated buffer, since it copies 256
+bytes too much due to the way the allocation and memcpy() sizes
+are calculated.
+
+Fix this by using size_t for the cpy_len variable.
+
+This fixes CVE-2022-41674.
+
+Reported-by: Soenke Huster <[email protected]>
+Tested-by: Soenke Huster <[email protected]>
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in 
scanning")
+Reviewed-by: Kees Cook <[email protected]>
+Signed-off-by: Johannes Berg <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+---
+ net/wireless/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 1a8b76c9dd56..d9ab37a798f4 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
+       size_t new_ie_len;
+       struct cfg80211_bss_ies *new_ies;
+       const struct cfg80211_bss_ies *old;
+-      u8 cpy_len;
++      size_t cpy_len;
+ 
+       lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
+ 
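Review bot: The widened declaration `+      size_t cpy_len;` carries no hint of why a u8 was wrong, and the assignment it protects (`cpy_len = mbssid[1] + 2`, quoted only in the commit message) lies outside this hunk, so a later cleanup could narrow it again without noticing. A short comment on the declaration would pin the intent: `size_t cpy_len; /* mbssid[1] + 2 overflows a u8 for element lengths >= 254 */`. The enclosing cfg80211_update_notlisted_nontrans() begins before and ends after the hunk.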

Added: 0008-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch
===================================================================
--- 0008-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch                
                (rev 0)
+++ 0008-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch        
2022-10-13 20:22:55 UTC (rev 458137)
@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <[email protected]>
+Date: Wed, 28 Sep 2022 22:01:37 +0200
+Subject: [PATCH] wifi: cfg80211/mac80211: reject bad MBSSID elements
+
+commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.
+
+Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
+and the minimum is 1 since a multiple BSSID set with just one BSSID
+doesn't make sense (the # of BSSIDs is limited by 2^n).
+
+Limit this in the parsing in both cfg80211 and mac80211, rejecting
+any elements with an invalid value.
+
+This fixes potentially bad shifts in the processing of these inside
+the cfg80211_gen_new_bssid() function later.
+
+I found this during the investigation of CVE-2022-41674 fixed by the
+previous patch.
+
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in 
scanning")
+Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
+Reviewed-by: Kees Cook <[email protected]>
+Signed-off-by: Johannes Berg <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+---
+ net/mac80211/util.c | 2 ++
+ net/wireless/scan.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index be1911d8089f..00543ea9c6b5 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1414,6 +1414,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 
*start, size_t len,
+       for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
+               if (elem->datalen < 2)
+                       continue;
++              if (elem->data[0] < 1 || elem->data[0] > 8)
++                      continue;
+ 
+               for_each_element(sub, elem->data + 1, elem->datalen - 1) {
+                       u8 new_bssid[ETH_ALEN];
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index d9ab37a798f4..84c642eae4d8 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2103,6 +2103,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy 
*wiphy,
+       for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
+               if (elem->datalen < 4)
+                       continue;
++              if (elem->data[0] < 1 || (int)elem->data[0] > 8)
++                      continue;
+               for_each_element(sub, elem->data + 1, elem->datalen - 1) {
+                       u8 profile_len;
+ 
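Review bot: The two new range checks are written differently: the mac80211 site compares `elem->data[0] > 8` while the cfg80211 site writes `(int)elem->data[0] > 8`; the cast changes nothing for a u8 operand, which is promoted to int anyway, so the cfg80211 line could read `if (elem->data[0] < 1 || elem->data[0] > 8)` to match. The bound 8 is also a bare magic number at both sites; a comment such as `/* MaxBSSID indicator must be 1..8 */` (or a named constant) would record where it comes from. Both checks sit inside loops whose enclosing functions start outside the hunk.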

Added: 0009-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch
===================================================================
--- 0009-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch             
                (rev 0)
+++ 0009-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch     
2022-10-13 20:22:55 UTC (rev 458137)
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <[email protected]>
+Date: Thu, 29 Sep 2022 21:50:44 +0200
+Subject: [PATCH] wifi: cfg80211: ensure length byte is present before access
+
+commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
+
+When iterating the elements here, ensure the length byte is
+present before checking it to see if the entire element will
+fit into the buffer.
+
+Longer term, we should rewrite this code using the type-safe
+element iteration macros that check all of this.
+
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in 
scanning")
+Reported-by: Soenke Huster <[email protected]>
+Signed-off-by: Johannes Berg <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+---
+ net/wireless/scan.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 84c642eae4d8..04c9b78b3fec 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t 
ielen,
+       tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
+       tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
+ 
+-      while (tmp_old + tmp_old[1] + 2 - ie <= ielen) {
++      while (tmp_old + 2 - ie <= ielen &&
++             tmp_old + tmp_old[1] + 2 - ie <= ielen) {
+               if (tmp_old[0] == 0) {
+                       tmp_old++;
+                       continue;
+@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t 
ielen,
+        * copied to new ie, skip ssid, capability, bssid-index ie
+        */
+       tmp_new = sub_copy;
+-      while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
++      while (tmp_new + 2 - sub_copy <= subie_len &&
++             tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
+               if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
+                     tmp_new[0] == WLAN_EID_SSID)) {
+                       memcpy(pos, tmp_new, tmp_new[1] + 2);
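Review bot: The added first clause `tmp_old + 2 - ie <= ielen` is what makes the second clause's read of `tmp_old[1]` safe, so the order of the `&&` operands is load-bearing and nothing in the code says so; the same holds for the `tmp_new` loop further down. A one-line comment above each loop, e.g. `/* the length byte must be in bounds before it is read; short-circuit order matters */`, would keep a future reordering from reintroducing the out-of-bounds read. Both loops are inside cfg80211_gen_new_ie(), which starts before and ends after the hunk.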

Added: 0010-wifi-cfg80211-fix-BSS-refcounting-bugs.patch
===================================================================
--- 0010-wifi-cfg80211-fix-BSS-refcounting-bugs.patch                           
(rev 0)
+++ 0010-wifi-cfg80211-fix-BSS-refcounting-bugs.patch   2022-10-13 20:22:55 UTC 
(rev 458137)
@@ -0,0 +1,93 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <[email protected]>
+Date: Fri, 30 Sep 2022 23:44:23 +0200
+Subject: [PATCH] wifi: cfg80211: fix BSS refcounting bugs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream.
+
+There are multiple refcounting bugs related to multi-BSSID:
+ - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
+   the bss pointer is overwritten before checking for the
+   transmitted BSS, which is clearly wrong. Fix this by using
+   the bss_from_pub() macro.
+
+ - In cfg80211_bss_update() we copy the transmitted_bss pointer
+   from tmp into new, but then if we release new, we'll unref
+   it erroneously. We already set the pointer and ref it, but
+   need to NULL it since it was copied from the tmp data.
+
+ - In cfg80211_inform_single_bss_data(), if adding to the non-
+   transmitted list fails, we unlink the BSS and yet still we
+   return it, but this results in returning an entry without
+   a reference. We shouldn't return it anyway if it was broken
+   enough to not get added there.
+
+This fixes CVE-2022-42720.
+
+Reported-by: Sönke Huster <[email protected]>
+Tested-by: Sönke Huster <[email protected]>
+Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and 
non-transmitting BSS")
+Signed-off-by: Johannes Berg <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+---
+ net/wireless/scan.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 04c9b78b3fec..2e576714e989 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct 
cfg80211_registered_device *rdev,
+       lockdep_assert_held(&rdev->bss_lock);
+ 
+       bss->refcount++;
+-      if (bss->pub.hidden_beacon_bss) {
+-              bss = container_of(bss->pub.hidden_beacon_bss,
+-                                 struct cfg80211_internal_bss,
+-                                 pub);
+-              bss->refcount++;
+-      }
+-      if (bss->pub.transmitted_bss) {
+-              bss = container_of(bss->pub.transmitted_bss,
+-                                 struct cfg80211_internal_bss,
+-                                 pub);
+-              bss->refcount++;
+-      }
++
++      if (bss->pub.hidden_beacon_bss)
++              bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++;
++
++      if (bss->pub.transmitted_bss)
++              bss_from_pub(bss->pub.transmitted_bss)->refcount++;
+ }
+ 
+ static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
+@@ -1743,6 +1737,8 @@ cfg80211_bss_update(struct cfg80211_registered_device 
*rdev,
+               new->refcount = 1;
+               INIT_LIST_HEAD(&new->hidden_list);
+               INIT_LIST_HEAD(&new->pub.nontrans_list);
++              /* we'll set this later if it was non-NULL */
++              new->pub.transmitted_bss = NULL;
+ 
+               if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
+                       hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
+@@ -1983,10 +1979,15 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
+               spin_lock_bh(&rdev->bss_lock);
+               if (cfg80211_add_nontrans_list(non_tx_data->tx_bss,
+                                              &res->pub)) {
+-                      if (__cfg80211_unlink_bss(rdev, res))
++                      if (__cfg80211_unlink_bss(rdev, res)) {
+                               rdev->bss_generation++;
++                              res = NULL;
++                      }
+               }
+               spin_unlock_bh(&rdev->bss_lock);
++
++              if (!res)
++                      return NULL;
+       }
+ 
+       trace_cfg80211_return_bss(&res->pub);
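Review bot: The reworked bss_ref_get() now takes both secondary references relative to the original `bss`, but bss_ref_put(), whose signature is the last context line of the first hunk and whose body is outside it, has to mirror exactly this pairing or the counts drift; worth confirming it uses `bss_from_pub()` the same way rather than the old chained container_of form. A comment on the two new increments would make the invariant explicit: `/* both refs are relative to bss itself, never to each other */`. In the third hunk, `res` is cleared only when `__cfg80211_unlink_bss()` succeeds; if unlinking fails, the BSS that failed list insertion is still returned, which is presumably intentional because its reference is still held, but a comment saying so would help the next reader.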

Added: 0011-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
===================================================================
--- 0011-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch             
                (rev 0)
+++ 0011-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch     
2022-10-13 20:22:55 UTC (rev 458137)
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <[email protected]>
+Date: Sat, 1 Oct 2022 00:01:44 +0200
+Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list corruption
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
+
+If a non-transmitted BSS shares enough information (both
+SSID and BSSID!) with another non-transmitted BSS of a
+different AP, then we can find and update it, and then
+try to add it to the non-transmitted BSS list. We do a
+search for it on the transmitted BSS, but if it's not
+there (but belongs to another transmitted BSS), the list
+gets corrupted.
+
+Since this is an erroneous situation, simply fail the
+list insertion in this case and free the non-transmitted
+BSS.
+
+This fixes CVE-2022-42721.
+
+Reported-by: Sönke Huster <[email protected]>
+Tested-by: Sönke Huster <[email protected]>
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in 
scanning")
+Signed-off-by: Johannes Berg <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+---
+ net/wireless/scan.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 2e576714e989..a21baf7b3612 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
+ 
+       rcu_read_unlock();
+ 
++      /*
++       * This is a bit weird - it's not on the list, but already on another
++       * one! The only way that could happen is if there's some BSSID/SSID
++       * shared by multiple APs in their multi-BSSID profiles, potentially
++       * with hidden SSID mixed in ... ignore it.
++       */
++      if (!list_empty(&nontrans_bss->nontrans_list))
++              return -EINVAL;
++
+       /* add to the list */
+       list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
+       return 0;
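Review bot: The new `list_empty(&nontrans_bss->nontrans_list)` guard is only meaningful if every cfg80211_internal_bss has nontrans_list initialized before it can reach cfg80211_add_nontrans_list(); the `INIT_LIST_HEAD(&new->pub.nontrans_list)` in the refcounting patch covers the cfg80211_bss_update() path, but any other allocation path is outside what this hunk shows. A comment at the check naming that precondition, e.g. `/* relies on nontrans_list being INIT_LIST_HEAD'd at allocation */`, would make it auditable. The test also runs after the rcu-protected search that precedes it; if the search result is not needed for this decision, checking before the search would save the work on the error path. cfg80211_add_nontrans_list() starts outside the hunk.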

Added: 0012-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch
===================================================================
--- 0012-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch             
                (rev 0)
+++ 0012-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch     
2022-10-13 20:22:55 UTC (rev 458137)
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <[email protected]>
+Date: Wed, 5 Oct 2022 15:10:09 +0200
+Subject: [PATCH] wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 1833b6f46d7e2830251a063935ab464256defe22 upstream.
+
+If the tool on the other side (e.g. wmediumd) gets confused
+about the rate, we hit a warning in mac80211. Silence that
+by effectively duplicating the check here and dropping the
+frame silently (in mac80211 it's dropped with the warning).
+
+Reported-by: Sönke Huster <[email protected]>
+Tested-by: Sönke Huster <[email protected]>
+Signed-off-by: Johannes Berg <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c 
b/drivers/net/wireless/mac80211_hwsim.c
+index 52a2574b7d13..b228567b2a73 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3749,6 +3749,8 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff 
*skb_2,
+ 
+       rx_status.band = channel->band;
+       rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);
++      if (rx_status.rate_idx >= 
data2->hw->wiphy->bands[rx_status.band]->n_bitrates)
++              goto out;
+       rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
+ 
+       hdr = (void *)skb->data;
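Review bot: The bound check runs after `nla_get_u32()` has already been stored into `rx_status.rate_idx`; if that field is narrower than 32 bits (it is a u8 in struct ieee80211_rx_status as far as I recall), the value is truncated before the compare, so a malformed rate of, say, 256 is silently accepted as index 0 rather than dropped. Validating the untruncated attribute first is more robust: `u32 rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);` / `if (rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates) goto out;` / `rx_status.rate_idx = rate_idx;`. The check also assumes `bands[rx_status.band]` is non-NULL, which holds if `channel` came from this hw's own band table but is not visible here. hwsim_cloned_frame_received_nl() starts before and ends after the hunk.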

Added: 0013-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch
===================================================================
--- 0013-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch             
                (rev 0)
+++ 0013-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch     
2022-10-13 20:22:55 UTC (rev 458137)
@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <[email protected]>
+Date: Wed, 5 Oct 2022 21:24:10 +0200
+Subject: [PATCH] wifi: mac80211: fix crash in beacon protection for P2P-device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
+
+If beacon protection is active but the beacon cannot be
+decrypted or is otherwise malformed, we call the cfg80211
+API to report this to userspace, but that uses a netdev
+pointer, which isn't present for P2P-Device. Fix this to
+call it only conditionally to ensure cfg80211 won't crash
+in the case of P2P-Device.
+
+This fixes CVE-2022-42722.
+
+Reported-by: Sönke Huster <[email protected]>
+Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user 
space")
+Signed-off-by: Johannes Berg <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+---
+ net/mac80211/rx.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 743e97ba352c..175ead6b19cb 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1982,10 +1982,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
+ 
+               if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
+                   mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
+-                  NUM_DEFAULT_BEACON_KEYS) {
+-                      cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
+-                                                   skb->data,
+-                                                   skb->len);
++                                 NUM_DEFAULT_BEACON_KEYS) {
++                      if (rx->sdata->dev)
++                              cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
++                                                           skb->data,
++                                                           skb->len);
+                       return RX_DROP_MONITOR; /* unexpected BIP keyidx */
+               }
+ 
+@@ -2133,7 +2134,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
+       /* either the frame has been decrypted or will be dropped */
+       status->flag |= RX_FLAG_DECRYPTED;
+ 
+-      if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
++      if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
++                   rx->sdata->dev))
+               cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
+                                            skb->data, skb->len);
+ 
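Review bot: The two new `rx->sdata->dev` tests carry no explanation of when the pointer can be NULL, which the commit message gives as the P2P-Device case; without it a reader may take the check for a generic sanity test and remove it. A comment at the first site such as `/* P2P-Device has no netdev, so nothing to report to userspace */` (repeated at the second) would fix that. With the same condition now duplicated in two places, a small static helper wrapping the dev check and the cfg80211_rx_unprot_mlme_mgmt() call would keep the two sites from diverging. ieee80211_rx_h_decrypt() begins before the first hunk and ends after the second.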

Added: 0014-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch
===================================================================
--- 0014-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch               
                (rev 0)
+++ 0014-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch       
2022-10-13 20:22:55 UTC (rev 458137)
@@ -0,0 +1,107 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <[email protected]>
+Date: Wed, 5 Oct 2022 23:11:43 +0200
+Subject: [PATCH] wifi: cfg80211: update hidden BSSes to avoid WARN_ON
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream.
+
+When updating beacon elements in a non-transmitted BSS,
+also update the hidden sub-entries to the same beacon
+elements, so that a future update through other paths
+won't trigger a WARN_ON().
+
+The warning is triggered because the beacon elements in
+the hidden BSSes that are children of the BSS should
+always be the same as in the parent.
+
+Reported-by: Sönke Huster <[email protected]>
+Tested-by: Sönke Huster <[email protected]>
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in 
scanning")
+Signed-off-by: Johannes Berg <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+---
+ net/wireless/scan.c | 31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index a21baf7b3612..f0de22a6caf7 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1609,30 +1609,46 @@ struct cfg80211_non_tx_bss {
+       u8 bssid_index;
+ };
+ 
++static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known,
++                                       const struct cfg80211_bss_ies *new_ies,
++                                       const struct cfg80211_bss_ies *old_ies)
++{
++      struct cfg80211_internal_bss *bss;
++
++      /* Assign beacon IEs to all sub entries */
++      list_for_each_entry(bss, &known->hidden_list, hidden_list) {
++              const struct cfg80211_bss_ies *ies;
++
++              ies = rcu_access_pointer(bss->pub.beacon_ies);
++              WARN_ON(ies != old_ies);
++
++              rcu_assign_pointer(bss->pub.beacon_ies, new_ies);
++      }
++}
++
+ static bool
+ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
+                         struct cfg80211_internal_bss *known,
+                         struct cfg80211_internal_bss *new,
+                         bool signal_valid)
+ {
+       lockdep_assert_held(&rdev->bss_lock);
+ 
+       /* Update IEs */
+       if (rcu_access_pointer(new->pub.proberesp_ies)) {
+               const struct cfg80211_bss_ies *old;
+ 
+               old = rcu_access_pointer(known->pub.proberesp_ies);
+ 
+               rcu_assign_pointer(known->pub.proberesp_ies,
+                                  new->pub.proberesp_ies);
+               /* Override possible earlier Beacon frame IEs */
+               rcu_assign_pointer(known->pub.ies,
+                                  new->pub.proberesp_ies);
+               if (old)
+                       kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
+       } else if (rcu_access_pointer(new->pub.beacon_ies)) {
+               const struct cfg80211_bss_ies *old;
+-              struct cfg80211_internal_bss *bss;
+ 
+               if (known->pub.hidden_beacon_bss &&
+                   !list_empty(&known->hidden_list)) {
+@@ -1660,16 +1676,7 @@ cfg80211_update_known_bss(struct 
cfg80211_registered_device *rdev,
+               if (old == rcu_access_pointer(known->pub.ies))
+                       rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);
+ 
+-              /* Assign beacon IEs to all sub entries */
+-              list_for_each_entry(bss, &known->hidden_list, hidden_list) {
+-                      const struct cfg80211_bss_ies *ies;
+-
+-                      ies = rcu_access_pointer(bss->pub.beacon_ies);
+-                      WARN_ON(ies != old);
+-
+-                      rcu_assign_pointer(bss->pub.beacon_ies,
+-                                         new->pub.beacon_ies);
+-              }
++              cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old);
+ 
+               if (old)
+                       kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
+@@ -2319,6 +2326,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
+       } else {
+               old = rcu_access_pointer(nontrans_bss->beacon_ies);
+               rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies);
++              cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss),
++                                           new_ies, old);
+               rcu_assign_pointer(nontrans_bss->ies, new_ies);
+               if (old)
+                       kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
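Review bot: The new cfg80211_update_hidden_bsses() is called from two places that each hold rdev->bss_lock (cfg80211_update_known_bss() asserts it in this hunk; cfg80211_update_notlisted_nontrans() asserts it in patch 0007), but the helper itself neither asserts nor documents that requirement and has no header comment. A contract comment above it would do: `/* Point every hidden sub-entry of @known at @new_ies. Caller holds rdev->bss_lock; @old_ies is the value each sub-entry is expected to hold. */`. The `WARN_ON(ies != old_ies)` still performs the assignment after warning, which is the pre-existing behaviour moved into the helper; a one-line comment saying the overwrite on mismatch is deliberate would save the next reader from wondering. The last hunk's caller, cfg80211_update_notlisted_nontrans(), starts outside the hunk.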

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2022-10-13 20:22:47 UTC (rev 458136)
+++ PKGBUILD    2022-10-13 20:22:55 UTC (rev 458137)
@@ -2,7 +2,7 @@
 
 pkgbase=linux-lts
 pkgver=5.15.73
-pkgrel=1
+pkgrel=2
 pkgdesc='LTS Linux'
 url="https://www.kernel.org/";
 arch=(x86_64)
@@ -22,6 +22,14 @@
   0004-Bluetooth-btintel-Fix-bdaddress-comparison-with-garb.patch
   0005-lg-laptop-Recognize-more-models.patch
   0006-Fix-NFSv4-mount-regression.patch
+  0007-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch
+  0008-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch
+  0009-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch
+  0010-wifi-cfg80211-fix-BSS-refcounting-bugs.patch
+  0011-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
+  0012-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch
+  0013-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch
+  0014-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch
 )
 validpgpkeys=(
   'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
@@ -31,12 +39,20 @@
 sha256sums=('a822f09525ae8803453939a91e73f18097a3ba2aec73be4fe9ab314a0131715d'
             'SKIP'
             'f5d9ce7b3f7b9c7003a5af69baf4d84268068eb89ba3bc6ac4f471fb5c251c11'
-            '7bd64ff894475b3415d792ba8466ba7e8f872af56dbf1aeed0d261fe4008b8b5'
-            '39649dc1dfcb06b411ad124e123769e955a78961b4ea17538c0919a930925549'
-            '56c12551e859cc67520909e64feecbf1b190cee8addef150c5b9d1bb1d40981e'
+            '3b5cfc9ca9cf778ea2c4b619b933cda26519969df2d764b5a687f63cf59974cd'
+            'c175fbb141c3cec013c799f694d88310375ac5456042f6a4a1adc7667836d786'
+            '8357f000b2b622e73dcfd41c2bad42b5e99fffe8f7ee64f774aa771f86cef43c'
             '5c1ee81fdd5818442af6081de987f9c1a9ce3c8d183566b3dfc19a8433aa3dde'
             '067e8995fcd6f6ed25e0253e9374c0e179a000c154da3e59ce62634945ac5be9'
-            '95dad02b01937681af0a207e22a6bf64c33e067bf7a14cb98262dd8f69194eb8')
+            '10801c245064777873b580bea1fc17a4288ec519e0ce9500aa1b7c6e19fe777b'
+            '2bff15b0a83730d3126f327f3a6c99e499ea7656714a25428dc7cd0f9f523133'
+            'e6d94a6c0976ee41c69b3d38bf1865b0a41936ef286acc93eb7fea18fab00461'
+            '8f8f19527ee033b1a5262e737c309ae015731f4d519829354bbb8f192cca85bf'
+            '9cd69a9a20772a104cd9a3f0d5501d380a8bc8e5aed612172f1bb2888a7c2e7d'
+            '8986c7cf22dfbe18722f0ac22a706b84757a3d44e0cf4ba5e63f7507556302e9'
+            'af69b08e37bf6a7ba9a35e25e96a46a47d1a614c2b100e4ba5cf5fa346179f1f'
+            'f65517c4daf7c6cfb07b1843e28df2bc6c8ac04fab41683b2a5c9f399d36434f'
+            '1475d5f0b9823f9f26cc3a684644e8a2fb935fe9885384a07e07b390ea41a6cf')
 
 export KBUILD_BUILD_HOST=archlinux
 export KBUILD_BUILD_USER=$pkgbase
