diff -Nru backport-iwlwifi-dkms-9858/debian/changelog backport-iwlwifi-dkms-9858/debian/changelog --- backport-iwlwifi-dkms-9858/debian/changelog 2022-04-19 06:20:09.000000000 -0300 +++ backport-iwlwifi-dkms-9858/debian/changelog 2022-10-24 15:25:35.000000000 -0300 @@ -1,3 +1,10 @@ +backport-iwlwifi-dkms (9858-0ubuntu4) jammy; urgency=medium + + * Apply fixes for CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, + CVE-2022-42721 and CVE-2022-42722. (LP: #1994525) + + -- Thadeu Lima de Souza Cascardo Mon, 24 Oct 2022 15:25:35 -0300 + backport-iwlwifi-dkms (9858-0ubuntu3) jammy; urgency=medium * Fix FTBFS dkms module during kernel builds with a non-default diff -Nru backport-iwlwifi-dkms-9858/debian/patches/0001-cfg80211-hold-bss_lock-while-updating-nontrans_list.patch backport-iwlwifi-dkms-9858/debian/patches/0001-cfg80211-hold-bss_lock-while-updating-nontrans_list.patch --- backport-iwlwifi-dkms-9858/debian/patches/0001-cfg80211-hold-bss_lock-while-updating-nontrans_list.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-9858/debian/patches/0001-cfg80211-hold-bss_lock-while-updating-nontrans_list.patch 2022-10-24 15:24:56.000000000 -0300 
@@ -0,0 +1,37 @@ +From a5199b5626cd6913cf8776a835bc63d40e0686ad Mon Sep 17 00:00:00 2001 +From: Rameshkumar Sundaram +Date: Mon, 11 Apr 2022 14:37:51 +0530 +Subject: [PATCH] cfg80211: hold bss_lock while updating nontrans_list + +Synchronize additions to nontrans_list of transmitting BSS with +bss_lock to avoid races. Also when cfg80211_add_nontrans_list() fails +__cfg80211_unlink_bss() needs bss_lock to be held (has lockdep assert +on bss_lock). So protect the whole block with bss_lock to avoid +races and warnings. Found during code review. + +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Rameshkumar Sundaram +Link: https://lore.kernel.org/r/1649668071-9370-1-git-send-email-quic_ramess@quicinc.com +Signed-off-by: Johannes Berg +--- + net/wireless/scan.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: backport-iwlwifi-dkms-9858/net/wireless/scan.c +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/net/wireless/scan.c ++++ backport-iwlwifi-dkms-9858/net/wireless/scan.c +@@ -2020,11 +2020,13 @@ cfg80211_inform_single_bss_data(struct w + /* this is a nontransmitting bss, we need to add it to + * transmitting bss' list if it is not there + */ ++ spin_lock_bh(&rdev->bss_lock); + if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, + &res->pub)) { + if (__cfg80211_unlink_bss(rdev, res)) + rdev->bss_generation++; + } ++ spin_unlock_bh(&rdev->bss_lock); + } + + trace_cfg80211_return_bss(&res->pub); diff -Nru backport-iwlwifi-dkms-9858/debian/patches/0001-UBUNTU-SAUCE-wifi-cfg80211-fix-u8-overflow-in-cfg802.patch backport-iwlwifi-dkms-9858/debian/patches/0001-UBUNTU-SAUCE-wifi-cfg80211-fix-u8-overflow-in-cfg802.patch --- backport-iwlwifi-dkms-9858/debian/patches/0001-UBUNTU-SAUCE-wifi-cfg80211-fix-u8-overflow-in-cfg802.patch 1969-12-31 21:00:00.000000000 -0300 +++ 
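Review bot: This patch carries no backporter `Signed-off-by:` and no `CVE-` trailer, unlike the nine SAUCE patches in the same upload, even though it is a prerequisite for 0005 (the `spin_lock_bh(&rdev->bss_lock);` it adds appears as context in 0005's hunk of cfg80211_inform_single_bss_data). Adding `CVE-2022-42720` and the backporter's `Signed-off-by:` trailer, as the other patches do, would record why this upstream commit is part of a security upload and in which position of `debian/patches/series` it must sit. cfg80211_inform_single_bss_data starts and ends outside the hunk.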
backport-iwlwifi-dkms-9858/debian/patches/0001-UBUNTU-SAUCE-wifi-cfg80211-fix-u8-overflow-in-cfg802.patch 2022-10-24 15:24:44.000000000 -0300 
@@ -0,0 +1,48 @@ +From 56bb60990443e74bc4ef92d09f910f38cfc6bb54 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 28 Sep 2022 21:56:15 +0200 +Subject: [PATCH 01/13] UBUNTU: SAUCE: wifi: cfg80211: fix u8 overflow in + cfg80211_update_notlisted_nontrans() + +In the copy code of the elements, we do the following calculation +to reach the end of the MBSSID element: + + /* copy the IEs after MBSSID */ + cpy_len = mbssid[1] + 2; + +This looks fine, however, cpy_len is a u8, the same as mbssid[1], +so the addition of two can overflow. In this case the subsequent +memcpy() will overflow the allocated buffer, since it copies 256 +bytes too much due to the way the allocation and memcpy() sizes +are calculated. + +Fix this by using size_t for the cpy_len variable. + +This fixes CVE-2022-41674. + +Reported-by: Soenke Huster +Tested-by: Soenke Huster +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Reviewed-by: Kees Cook +Signed-off-by: Johannes Berg +CVE-2022-41674 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Kamal Mostafa +Acked-by: Andrea Righi +--- + net/wireless/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: backport-iwlwifi-dkms-9858/net/wireless/scan.c +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/net/wireless/scan.c ++++ backport-iwlwifi-dkms-9858/net/wireless/scan.c +@@ -2277,7 +2277,7 @@ cfg80211_update_notlisted_nontrans(struc + size_t new_ie_len; + struct cfg80211_bss_ies *new_ies; + const struct cfg80211_bss_ies *old; +- u8 cpy_len; ++ size_t cpy_len; + + lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock); + diff -Nru backport-iwlwifi-dkms-9858/debian/patches/0002-UBUNTU-SAUCE-wifi-cfg80211-mac80211-reject-bad-MBSSI.patch backport-iwlwifi-dkms-9858/debian/patches/0002-UBUNTU-SAUCE-wifi-cfg80211-mac80211-reject-bad-MBSSI.patch --- 
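Review bot: The declaration change is the whole fix, but nothing at the declaration records why `u8` was wrong, and the computation `cpy_len = mbssid[1] + 2` it protects is outside the hunk. I would annotate the new line, e.g. `size_t cpy_len; /* not u8: mbssid[1] + 2 can reach 257 and must not wrap */`, so a later cleanup does not narrow the type again. cfg80211_update_notlisted_nontrans starts and ends outside the hunk.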
backport-iwlwifi-dkms-9858/debian/patches/0002-UBUNTU-SAUCE-wifi-cfg80211-mac80211-reject-bad-MBSSI.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-9858/debian/patches/0002-UBUNTU-SAUCE-wifi-cfg80211-mac80211-reject-bad-MBSSI.patch 2022-10-24 15:24:48.000000000 -0300 
@@ -0,0 +1,58 @@ +From 751dac7a0026f162f337a54ebf758af12646b02b Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 28 Sep 2022 22:01:37 +0200 +Subject: [PATCH 02/13] UBUNTU: SAUCE: wifi: cfg80211/mac80211: reject bad + MBSSID elements + +Per spec, the maximum value for the MaxBSSID ('n') indicator is 8, +and the minimum is 1 since a multiple BSSID set with just one BSSID +doesn't make sense (the # of BSSIDs is limited by 2^n). + +Limit this in the parsing in both cfg80211 and mac80211, rejecting +any elements with an invalid value. + +This fixes potentially bad shifts in the processing of these inside +the cfg80211_gen_new_bssid() function later. + +I found this during the investigation of CVE-2022-41674 fixed by the +previous patch. + +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Fixes: 78ac51f81532 ("mac80211: support multi-bssid") +Reviewed-by: Kees Cook +Signed-off-by: Johannes Berg +CVE-2022-41674 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Kamal Mostafa +Acked-by: Andrea Righi +--- + net/mac80211/util.c | 2 ++ + net/wireless/scan.c | 2 ++ + 2 files changed, 4 insertions(+) + +Index: backport-iwlwifi-dkms-9858/net/mac80211/util.c +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/net/mac80211/util.c ++++ backport-iwlwifi-dkms-9858/net/mac80211/util.c +@@ -1436,6 +1436,8 @@ static size_t ieee802_11_find_bssid_prof + for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { + if (elem->datalen < 2) + continue; ++ if (elem->data[0] < 1 || elem->data[0] > 8) ++ continue; + + for_each_element(sub, elem->data + 1, elem->datalen - 1) { + u8 new_bssid[ETH_ALEN]; +Index: backport-iwlwifi-dkms-9858/net/wireless/scan.c +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/net/wireless/scan.c ++++ backport-iwlwifi-dkms-9858/net/wireless/scan.c +@@ -2141,6 +2141,8 @@ static void 
cfg80211_parse_mbssid_data(s + for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) { + if (elem->datalen < 4) + continue; ++ if (elem->data[0] < 1 || (int)elem->data[0] > 8) ++ continue; + for_each_element(sub, elem->data + 1, elem->datalen - 1) { + u8 profile_len; + diff -Nru backport-iwlwifi-dkms-9858/debian/patches/0003-UBUNTU-SAUCE-wifi-mac80211-fix-MBSSID-parsing-use-af.patch backport-iwlwifi-dkms-9858/debian/patches/0003-UBUNTU-SAUCE-wifi-mac80211-fix-MBSSID-parsing-use-af.patch --- backport-iwlwifi-dkms-9858/debian/patches/0003-UBUNTU-SAUCE-wifi-mac80211-fix-MBSSID-parsing-use-af.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-9858/debian/patches/0003-UBUNTU-SAUCE-wifi-mac80211-fix-MBSSID-parsing-use-af.patch 2022-10-24 15:24:51.000000000 -0300 
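Review bot: The two new range checks are written differently: net/mac80211/util.c compares `elem->data[0] > 8` while net/wireless/scan.c writes `(int)elem->data[0] > 8`; the cast is redundant because a `u8` is promoted to `int` before the comparison, and the two sites should use the same expression. The limits 1 and 8 are also bare literals in both files; a comment above each check, e.g. `/* MaxBSSID indicator must be 1..8 per the spec; cfg80211_gen_new_bssid() shifts by it */`, would tie them to the bad-shift the description mentions. Both loops (in ieee802_11_find_bssid_profile and cfg80211_parse_mbssid_data) start and end outside the hunk.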
@@ -0,0 +1,110 @@ +From f8e11323f36ff13a37d58b6071a2f2d8e5762bba Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 28 Sep 2022 22:07:15 +0200 +Subject: [PATCH 03/13] UBUNTU: SAUCE: wifi: mac80211: fix MBSSID parsing + use-after-free + +When we parse a multi-BSSID element, we might point some +element pointers into the allocated nontransmitted_profile. +However, we free this before returning, causing UAF when the +relevant pointers in the parsed elements are accessed. + +Fix this by not allocating the scratch buffer separately but +as part of the returned structure instead, that way, there +are no lifetime issues with it. + +The scratch buffer introduction as part of the returned data +here is taken from MLO feature work done by Ilan. + +This fixes CVE-2022-42719. + +Fixes: 5023b14cf4df ("mac80211: support profile split between elements") +Co-developed-by: Ilan Peer +Signed-off-by: Ilan Peer +Reviewed-by: Kees Cook +Signed-off-by: Johannes Berg +[cascardo: missing commit fd17bf041b40e3dac705c4313854becbe07b7557 + "wifi: mac80211: refactor elements parsing with parameter struct"] +CVE-2022-42719 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Kamal Mostafa +Acked-by: Andrea Righi +--- + net/mac80211/ieee80211_i.h | 8 ++++++++ + net/mac80211/util.c | 33 +++++++++++++++++---------------- + 2 files changed, 25 insertions(+), 16 deletions(-) + +Index: backport-iwlwifi-dkms-9858/net/mac80211/ieee80211_i.h +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/net/mac80211/ieee80211_i.h ++++ backport-iwlwifi-dkms-9858/net/mac80211/ieee80211_i.h +@@ -1619,6 +1619,14 @@ struct ieee802_11_elems { + + /* whether a parse error occurred while retrieving these elements */ + bool parse_error; ++ ++ /* ++ * scratch buffer that can be used for various element parsing related ++ * tasks, e.g., element de-fragmentation etc. 
++ */ ++ size_t scratch_len; ++ u8 *scratch_pos; ++ u8 scratch[]; + }; + + static inline struct ieee80211_local *hw_to_local( +Index: backport-iwlwifi-dkms-9858/net/mac80211/util.c +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/net/mac80211/util.c ++++ backport-iwlwifi-dkms-9858/net/mac80211/util.c +@@ -1500,25 +1500,28 @@ struct ieee802_11_elems *ieee802_11_pars + const struct element *non_inherit = NULL; + u8 *nontransmitted_profile; + int nontransmitted_profile_len = 0; ++ size_t scratch_len = len; + +- elems = kzalloc(sizeof(*elems), GFP_ATOMIC); ++ elems = kzalloc(sizeof(*elems) + scratch_len, GFP_ATOMIC); + if (!elems) + return NULL; + elems->ie_start = start; + elems->total_len = len; ++ elems->scratch_len = scratch_len; ++ elems->scratch_pos = elems->scratch; + +- nontransmitted_profile = kmalloc(len, GFP_ATOMIC); +- if (nontransmitted_profile) { +- nontransmitted_profile_len = +- ieee802_11_find_bssid_profile(start, len, elems, +- transmitter_bssid, +- bss_bssid, +- nontransmitted_profile); +- non_inherit = +- cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, +- nontransmitted_profile, +- nontransmitted_profile_len); +- } ++ nontransmitted_profile = elems->scratch_pos; ++ nontransmitted_profile_len = ++ ieee802_11_find_bssid_profile(start, len, elems, ++ transmitter_bssid, ++ bss_bssid, ++ nontransmitted_profile); ++ elems->scratch_pos += nontransmitted_profile_len; ++ elems->scratch_len -= nontransmitted_profile_len; ++ non_inherit = ++ cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, ++ nontransmitted_profile, ++ nontransmitted_profile_len); + + crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter, + crc, non_inherit); +@@ -1547,8 +1550,6 @@ struct ieee802_11_elems *ieee802_11_pars + offsetofend(struct ieee80211_bssid_index, dtim_count)) + elems->dtim_count = elems->bssid_index->dtim_count; + +- kfree(nontransmitted_profile); +- + elems->crc = crc; + + return elems; diff 
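Review bot: `kzalloc(sizeof(*elems) + scratch_len, GFP_ATOMIC)` sizes the trailing flexible array by hand; `len` is presumably bounded by the frame length so overflow is unlikely, but `struct_size(elems, scratch, scratch_len)` expresses the same thing with overflow checking and documents that `scratch` is the trailing array, if this backport tree provides it. `elems->scratch_len -= nontransmitted_profile_len;` also mixes the `int` profile length with a `size_t`; the removed `kmalloc(len, GFP_ATOMIC)` buffer implies ieee802_11_find_bssid_profile() writes at most `len` bytes, and a one-line comment saying so at the subtraction would make clear it cannot underflow. ieee802_11_parse_elems_crc starts and ends outside the hunk.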
-Nru backport-iwlwifi-dkms-9858/debian/patches/0004-UBUNTU-SAUCE-wifi-cfg80211-ensure-length-byte-is-pre.patch backport-iwlwifi-dkms-9858/debian/patches/0004-UBUNTU-SAUCE-wifi-cfg80211-ensure-length-byte-is-pre.patch --- backport-iwlwifi-dkms-9858/debian/patches/0004-UBUNTU-SAUCE-wifi-cfg80211-ensure-length-byte-is-pre.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-9858/debian/patches/0004-UBUNTU-SAUCE-wifi-cfg80211-ensure-length-byte-is-pre.patch 2022-10-24 15:24:54.000000000 -0300 
@@ -0,0 +1,48 @@ +From 8009632aba31723212236e92133302c0f16ebcbe Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Thu, 29 Sep 2022 21:50:44 +0200 +Subject: [PATCH 04/13] UBUNTU: SAUCE: wifi: cfg80211: ensure length byte is + present before access + +When iterating the elements here, ensure the length byte is +present before checking it to see if the entire element will +fit into the buffer. + +Longer term, we should rewrite this code using the type-safe +element iteration macros that check all of this. + +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Reported-by: Soenke Huster +Signed-off-by: Johannes Berg +CVE-2022-41674 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Kamal Mostafa +Acked-by: Andrea Righi +--- + net/wireless/scan.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +Index: backport-iwlwifi-dkms-9858/net/wireless/scan.c +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/net/wireless/scan.c ++++ backport-iwlwifi-dkms-9858/net/wireless/scan.c +@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const + tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); + tmp_old = (tmp_old) ? 
tmp_old + tmp_old[1] + 2 : ie; + +- while (tmp_old + tmp_old[1] + 2 - ie <= ielen) { ++ while (tmp_old + 2 - ie <= ielen && ++ tmp_old + tmp_old[1] + 2 - ie <= ielen) { + if (tmp_old[0] == 0) { + tmp_old++; + continue; +@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const + * copied to new ie, skip ssid, capability, bssid-index ie + */ + tmp_new = sub_copy; +- while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { ++ while (tmp_new + 2 - sub_copy <= subie_len && ++ tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { + if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || + tmp_new[0] == WLAN_EID_SSID)) { + memcpy(pos, tmp_new, tmp_new[1] + 2); diff -Nru backport-iwlwifi-dkms-9858/debian/patches/0005-UBUNTU-SAUCE-wifi-cfg80211-fix-BSS-refcounting-bugs.patch backport-iwlwifi-dkms-9858/debian/patches/0005-UBUNTU-SAUCE-wifi-cfg80211-fix-BSS-refcounting-bugs.patch --- backport-iwlwifi-dkms-9858/debian/patches/0005-UBUNTU-SAUCE-wifi-cfg80211-fix-BSS-refcounting-bugs.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-9858/debian/patches/0005-UBUNTU-SAUCE-wifi-cfg80211-fix-BSS-refcounting-bugs.patch 2022-10-24 15:24:58.000000000 -0300 
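Review bot: The new two-part loop condition is correct only because the first term is evaluated first, yet nothing says so; a comment above both `while` lines, e.g. `/* the length byte must be in-bounds before it is read */`, would keep the order from being "simplified" later (the second loop over `tmp_new` has the same shape). The patch description itself says the long-term fix is the `for_each_element()` iteration macros that perform these checks; a TODO at the loops pointing to that would help whoever next touches cfg80211_gen_new_ie. The function starts and ends outside the hunk.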
@@ -0,0 +1,94 @@ +From 2dfbee70bd9f4378b811fa92e519e1e03a3e8354 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 30 Sep 2022 23:44:23 +0200 +Subject: [PATCH 05/13] UBUNTU: SAUCE: wifi: cfg80211: fix BSS refcounting bugs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There are multiple refcounting bugs related to multi-BSSID: + - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then + the bss pointer is overwritten before checking for the + transmitted BSS, which is clearly wrong. Fix this by using + the bss_from_pub() macro. + + - In cfg80211_bss_update() we copy the transmitted_bss pointer + from tmp into new, but then if we release new, we'll unref + it erroneously. We already set the pointer and ref it, but + need to NULL it since it was copied from the tmp data. + + - In cfg80211_inform_single_bss_data(), if adding to the non- + transmitted list fails, we unlink the BSS and yet still we + return it, but this results in returning an entry without + a reference. We shouldn't return it anyway if it was broken + enough to not get added there. + +This fixes CVE-2022-42720. 
+ +Reported-by: Sönke Huster +Tested-by: Sönke Huster +Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS") +Signed-off-by: Johannes Berg +CVE-2022-42720 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Kamal Mostafa +Acked-by: Andrea Righi +--- + net/wireless/scan.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +Index: backport-iwlwifi-dkms-9858/net/wireless/scan.c +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/net/wireless/scan.c ++++ backport-iwlwifi-dkms-9858/net/wireless/scan.c +@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cf + lockdep_assert_held(&rdev->bss_lock); + + bss->refcount++; +- if (bss->pub.hidden_beacon_bss) { +- bss = container_of(bss->pub.hidden_beacon_bss, +- struct cfg80211_internal_bss, +- pub); +- bss->refcount++; +- } +- if (bss->pub.transmitted_bss) { +- bss = container_of(bss->pub.transmitted_bss, +- struct cfg80211_internal_bss, +- pub); +- bss->refcount++; +- } ++ ++ if (bss->pub.hidden_beacon_bss) ++ bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; ++ ++ if (bss->pub.transmitted_bss) ++ bss_from_pub(bss->pub.transmitted_bss)->refcount++; + } + + static inline void bss_ref_put(struct cfg80211_registered_device *rdev, +@@ -1741,6 +1735,8 @@ cfg80211_bss_update(struct cfg80211_regi + new->refcount = 1; + INIT_LIST_HEAD(&new->hidden_list); + INIT_LIST_HEAD(&new->pub.nontrans_list); ++ /* we'll set this later if it was non-NULL */ ++ new->pub.transmitted_bss = NULL; + + if (rcu_access_pointer(tmp->pub.proberesp_ies)) { + hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); +@@ -2023,10 +2019,15 @@ cfg80211_inform_single_bss_data(struct w + spin_lock_bh(&rdev->bss_lock); + if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, + &res->pub)) { +- if (__cfg80211_unlink_bss(rdev, res)) ++ if (__cfg80211_unlink_bss(rdev, res)) { + rdev->bss_generation++; ++ res = NULL; ++ } + } + 
spin_unlock_bh(&rdev->bss_lock); ++ ++ if (!res) ++ return NULL; + } + + trace_cfg80211_return_bss(&res->pub); diff -Nru backport-iwlwifi-dkms-9858/debian/patches/0006-UBUNTU-SAUCE-wifi-cfg80211-avoid-nontransmitted-BSS-.patch backport-iwlwifi-dkms-9858/debian/patches/0006-UBUNTU-SAUCE-wifi-cfg80211-avoid-nontransmitted-BSS-.patch --- backport-iwlwifi-dkms-9858/debian/patches/0006-UBUNTU-SAUCE-wifi-cfg80211-avoid-nontransmitted-BSS-.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-9858/debian/patches/0006-UBUNTU-SAUCE-wifi-cfg80211-avoid-nontransmitted-BSS-.patch 2022-10-24 15:25:00.000000000 -0300 
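Review bot: In bss_ref_get() the rewrite is correct, but only the commit message explains why the old form was wrong; the function deserves a comment that `bss` must not be reassigned because hidden_beacon_bss and transmitted_bss are both properties of the original entry, e.g. `/* both parents hang off the original bss; do not walk via the hidden parent */`. In cfg80211_inform_single_bss_data the new `res = NULL` / `return NULL` path covers a successful unlink, but when __cfg80211_unlink_bss() returns false the entry is still returned although cfg80211_add_nontrans_list() failed; if that is intended (the entry stays in the tree with its reference) a comment at that branch should say so. Both functions start and end outside the hunk.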
@@ -0,0 +1,55 @@ +From 02c503419f6e53002ffe50220077fc0b1cc1b042 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Sat, 1 Oct 2022 00:01:44 +0200 +Subject: [PATCH 06/13] UBUNTU: SAUCE: wifi: cfg80211: avoid nontransmitted BSS + list corruption +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a non-transmitted BSS shares enough information (both +SSID and BSSID!) with another non-transmitted BSS of a +different AP, then we can find and update it, and then +try to add it to the non-transmitted BSS list. We do a +search for it on the transmitted BSS, but if it's not +there (but belongs to another transmitted BSS), the list +gets corrupted. + +Since this is an erroneous situation, simply fail the +list insertion in this case and free the non-transmitted +BSS. + +This fixes CVE-2022-42721. + +Reported-by: Sönke Huster +Tested-by: Sönke Huster +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Johannes Berg +CVE-2022-42721 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Kamal Mostafa +Acked-by: Andrea Righi +--- + net/wireless/scan.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +Index: backport-iwlwifi-dkms-9858/net/wireless/scan.c +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/net/wireless/scan.c ++++ backport-iwlwifi-dkms-9858/net/wireless/scan.c +@@ -423,6 +423,15 @@ cfg80211_add_nontrans_list(struct cfg802 + + rcu_read_unlock(); + ++ /* ++ * This is a bit weird - it's not on the list, but already on another ++ * one! The only way that could happen is if there's some BSSID/SSID ++ * shared by multiple APs in their multi-BSSID profiles, potentially ++ * with hidden SSID mixed in ... ignore it. 
++ */ ++ if (!list_empty(&nontrans_bss->nontrans_list)) ++ return -EINVAL; ++ + /* add to the list */ + list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); + return 0; diff -Nru backport-iwlwifi-dkms-9858/debian/patches/0007-UBUNTU-SAUCE-wifi-mac80211_hwsim-avoid-mac80211-warn.patch backport-iwlwifi-dkms-9858/debian/patches/0007-UBUNTU-SAUCE-wifi-mac80211_hwsim-avoid-mac80211-warn.patch --- backport-iwlwifi-dkms-9858/debian/patches/0007-UBUNTU-SAUCE-wifi-mac80211_hwsim-avoid-mac80211-warn.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-9858/debian/patches/0007-UBUNTU-SAUCE-wifi-mac80211_hwsim-avoid-mac80211-warn.patch 2022-10-24 15:25:02.000000000 -0300 
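Review bot: The new check only returns -EINVAL; the unlink and free that the description promises happen in the caller, so every caller of cfg80211_add_nontrans_list() must treat a non-zero return as "do not keep this entry". The one caller visible in this upload (cfg80211_inform_single_bss_data, patch 0005) does; any other caller in scan.c, outside this hunk, should be checked. A comment on the check stating the locking assumption would also help, e.g. `/* caller holds rdev->bss_lock, so the list_empty() test is stable */`, since the rcu_read_unlock() just above could suggest RCU alone protects the list. cfg80211_add_nontrans_list starts outside the hunk.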
@@ -0,0 +1,38 @@ +From 080d4c4914355ae854b3e5d8eea0194937fbae12 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 5 Oct 2022 15:10:09 +0200 +Subject: [PATCH 07/13] UBUNTU: SAUCE: wifi: mac80211_hwsim: avoid mac80211 + warning on bad rate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the tool on the other side (e.g. wmediumd) gets confused +about the rate, we hit a warning in mac80211. Silence that +by effectively duplicating the check here and dropping the +frame silently (in mac80211 it's dropped with the warning). + +Reported-by: Sönke Huster +Tested-by: Sönke Huster +Signed-off-by: Johannes Berg +CVE-2022-41674 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Kamal Mostafa +Acked-by: Andrea Righi +--- + drivers/net/wireless/mac80211_hwsim.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: backport-iwlwifi-dkms-9858/drivers/net/wireless/mac80211_hwsim.c +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/drivers/net/wireless/mac80211_hwsim.c ++++ backport-iwlwifi-dkms-9858/drivers/net/wireless/mac80211_hwsim.c +@@ -4247,6 +4247,8 @@ static int hwsim_cloned_frame_received_n + + rx_status.band = channel->band; + rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]); ++ if (rx_status.rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates) ++ goto out; + rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]); + + hdr = (void *)skb->data; diff -Nru backport-iwlwifi-dkms-9858/debian/patches/0008-UBUNTU-SAUCE-wifi-mac80211-fix-crash-in-beacon-prote.patch backport-iwlwifi-dkms-9858/debian/patches/0008-UBUNTU-SAUCE-wifi-mac80211-fix-crash-in-beacon-prote.patch --- backport-iwlwifi-dkms-9858/debian/patches/0008-UBUNTU-SAUCE-wifi-mac80211-fix-crash-in-beacon-prote.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-9858/debian/patches/0008-UBUNTU-SAUCE-wifi-mac80211-fix-crash-in-beacon-prote.patch 
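Review bot: The new bounds check compares `rx_status.rate_idx` after the `nla_get_u32()` value has already been stored into it; if `rate_idx` is a narrower field in this tree the comparison sees the truncated value, which matches what mac80211 checks later but deserves a comment so nobody "fixes" it by comparing the raw attribute, e.g. `/* mirror mac80211's check on the stored index; drop silently instead of warning */`. The `out` label is outside the hunk; it must release whatever the function's other `goto out` exits release (at least the `skb`), otherwise this early exit leaks. The added line also exceeds the usual 80-column width and would normally be split.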
2022-10-24 15:25:04.000000000 -0300 
@@ -0,0 +1,59 @@ +From 412a357b58bcca09095ffe94a34f64f10709dde5 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 5 Oct 2022 21:24:10 +0200 +Subject: [PATCH 08/13] UBUNTU: SAUCE: wifi: mac80211: fix crash in beacon + protection for P2P-device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If beacon protection is active but the beacon cannot be +decrypted or is otherwise malformed, we call the cfg80211 +API to report this to userspace, but that uses a netdev +pointer, which isn't present for P2P-Device. Fix this to +call it only conditionally to ensure cfg80211 won't crash +in the case of P2P-Device. + +This fixes CVE-2022-42722. + +Reported-by: Sönke Huster +Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space") +Signed-off-by: Johannes Berg +CVE-2022-42722 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Kamal Mostafa +Acked-by: Andrea Righi +--- + net/mac80211/rx.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +Index: backport-iwlwifi-dkms-9858/net/mac80211/rx.c +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/net/mac80211/rx.c ++++ backport-iwlwifi-dkms-9858/net/mac80211/rx.c +@@ -1963,10 +1963,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_ + + if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS || + mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS + +- NUM_DEFAULT_BEACON_KEYS) { +- cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, +- skb->data, +- skb->len); ++ NUM_DEFAULT_BEACON_KEYS) { ++ if (rx->sdata->dev) ++ cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, ++ skb->data, ++ skb->len); + return RX_DROP_MONITOR; /* unexpected BIP keyidx */ + } + +@@ -2114,7 +2115,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_ + /* either the frame has been decrypted or will be dropped */ + status->flag |= RX_FLAG_DECRYPTED; + +- if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE)) ++ if 
(unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE && ++ rx->sdata->dev)) + cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, + skb->data, skb->len); + diff -Nru backport-iwlwifi-dkms-9858/debian/patches/0009-UBUNTU-SAUCE-wifi-cfg80211-update-hidden-BSSes-to-av.patch backport-iwlwifi-dkms-9858/debian/patches/0009-UBUNTU-SAUCE-wifi-cfg80211-update-hidden-BSSes-to-av.patch --- backport-iwlwifi-dkms-9858/debian/patches/0009-UBUNTU-SAUCE-wifi-cfg80211-update-hidden-BSSes-to-av.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-9858/debian/patches/0009-UBUNTU-SAUCE-wifi-cfg80211-update-hidden-BSSes-to-av.patch 2022-10-24 15:25:07.000000000 -0300 
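Review bot: The guard `rx->sdata->dev` is added at two sites with no explanation of when `dev` can be NULL; a comment at each, e.g. `/* P2P-Device interfaces have no netdev, and cfg80211_rx_unprot_mlme_mgmt() needs one */`, would tie the code to the CVE description. The frame is still dropped on that path (RX_DROP_MONITOR / RX_DROP_UNUSABLE), so the only loss for P2P-Device is the userspace report, which is acceptable but worth stating next to the check. ieee80211_rx_h_decrypt starts and ends outside the hunk.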
@@ -0,0 +1,93 @@ +From 91a6dd40c6ea0905c8c571e377b1cbfb2189a646 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 5 Oct 2022 23:11:43 +0200 +Subject: [PATCH 09/13] UBUNTU: SAUCE: wifi: cfg80211: update hidden BSSes to + avoid WARN_ON +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When updating beacon elements in a non-transmitted BSS, +also update the hidden sub-entries to the same beacon +elements, so that a future update through other paths +won't trigger a WARN_ON(). + +The warning is triggered because the beacon elements in +the hidden BSSes that are children of the BSS should +always be the same as in the parent. + +Reported-by: Sönke Huster +Tested-by: Sönke Huster +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Johannes Berg +CVE-2022-41674 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Kamal Mostafa +Acked-by: Andrea Righi +--- + net/wireless/scan.c | 31 ++++++++++++++++++++----------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +Index: backport-iwlwifi-dkms-9858/net/wireless/scan.c +=================================================================== +--- backport-iwlwifi-dkms-9858.orig/net/wireless/scan.c ++++ backport-iwlwifi-dkms-9858/net/wireless/scan.c +@@ -1607,6 +1607,23 @@ struct cfg80211_non_tx_bss { + u8 bssid_index; + }; + ++static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known, ++ const struct cfg80211_bss_ies *new_ies, ++ const struct cfg80211_bss_ies *old_ies) ++{ ++ struct cfg80211_internal_bss *bss; ++ ++ /* Assign beacon IEs to all sub entries */ ++ list_for_each_entry(bss, &known->hidden_list, hidden_list) { ++ const struct cfg80211_bss_ies *ies; ++ ++ ies = rcu_access_pointer(bss->pub.beacon_ies); ++ WARN_ON(ies != old_ies); ++ ++ rcu_assign_pointer(bss->pub.beacon_ies, new_ies); ++ } ++} ++ + static bool + cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, + struct 
cfg80211_internal_bss *known, +@@ -1630,7 +1647,6 @@ cfg80211_update_known_bss(struct cfg8021 + kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); + } else if (rcu_access_pointer(new->pub.beacon_ies)) { + const struct cfg80211_bss_ies *old; +- struct cfg80211_internal_bss *bss; + + if (known->pub.hidden_beacon_bss && + !list_empty(&known->hidden_list)) { +@@ -1658,16 +1674,7 @@ cfg80211_update_known_bss(struct cfg8021 + if (old == rcu_access_pointer(known->pub.ies)) + rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies); + +- /* Assign beacon IEs to all sub entries */ +- list_for_each_entry(bss, &known->hidden_list, hidden_list) { +- const struct cfg80211_bss_ies *ies; +- +- ies = rcu_access_pointer(bss->pub.beacon_ies); +- WARN_ON(ies != old); +- +- rcu_assign_pointer(bss->pub.beacon_ies, +- new->pub.beacon_ies); +- } ++ cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old); + + if (old) + kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); +@@ -2360,6 +2367,8 @@ cfg80211_update_notlisted_nontrans(struc + } else { + old = rcu_access_pointer(nontrans_bss->beacon_ies); + rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies); ++ cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss), ++ new_ies, old); + rcu_assign_pointer(nontrans_bss->ies, new_ies); + if (old) + kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); diff -Nru backport-iwlwifi-dkms-9858/debian/patches/series backport-iwlwifi-dkms-9858/debian/patches/series --- backport-iwlwifi-dkms-9858/debian/patches/series 2022-03-25 08:27:00.000000000 -0300 +++ backport-iwlwifi-dkms-9858/debian/patches/series 2022-10-24 15:24:37.000000000 -0300 
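Review bot: cfg80211_update_hidden_bsses() walks `known->hidden_list` and reassigns RCU pointers but has no lockdep assertion and no comment about locking; the helper cannot assert without an rdev argument, and its new caller cfg80211_update_notlisted_nontrans asserts rdev->bss_lock (per patch 0001-UBUNTU-SAUCE), so a header comment `/* caller must hold rdev->bss_lock; points every hidden child's beacon_ies at new_ies */` is warranted. The `WARN_ON(ies != old_ies)` is carried over from the original loop; a word on why it holds (children always share the parent's beacon IEs, as the description says) would help the next reader. Both callers start and end outside the hunk.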
@@ -1,3 +1,13 @@
 0001-keep-zconf-in-make-clean.patch
 0002-fix-format-overflow-compile-error-in-kconf-confdata..patch
 0005-Makefile.kernel-pass-fno-stack-clash-protection-and-.patch
+0001-UBUNTU-SAUCE-wifi-cfg80211-fix-u8-overflow-in-cfg802.patch
+0002-UBUNTU-SAUCE-wifi-cfg80211-mac80211-reject-bad-MBSSI.patch
+0003-UBUNTU-SAUCE-wifi-mac80211-fix-MBSSID-parsing-use-af.patch
+0004-UBUNTU-SAUCE-wifi-cfg80211-ensure-length-byte-is-pre.patch
+0001-cfg80211-hold-bss_lock-while-updating-nontrans_list.patch
+0005-UBUNTU-SAUCE-wifi-cfg80211-fix-BSS-refcounting-bugs.patch
+0006-UBUNTU-SAUCE-wifi-cfg80211-avoid-nontransmitted-BSS-.patch
+0007-UBUNTU-SAUCE-wifi-mac80211_hwsim-avoid-mac80211-warn.patch
+0008-UBUNTU-SAUCE-wifi-mac80211-fix-crash-in-beacon-prote.patch
+0009-UBUNTU-SAUCE-wifi-cfg80211-update-hidden-BSSes-to-av.patch