Home Explore Help
Register Sign In
OpenWrt
/
openwrt
mirror of https://github.com/openwrt/openwrt.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: 9f6cbc78cd
Branches Tags
openwrt
/
package
/
kernel
/
mac80211
/
patches
/
subsys
/
362-wifi-mac80211-Fix-UAF-in-ieee80211_scan_rx.patch

362-wifi-mac80211-Fix-UAF-in-ieee80211_scan_rx.patch 2.0 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455 
  1. From 5d20c6f932f2758078d0454729129c894fe353e7 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Siddh Raman Pant <[email protected]>
    3. 

  3. Date: Sat, 20 Aug 2022 01:33:40 +0530
    4. 

  4. Subject: [PATCH] wifi: mac80211: Fix UAF in ieee80211_scan_rx()
    5. 

  5. 

  6. commit 60deb9f10eec5c6a20252ed36238b55d8b614a2c upstream.
    7. 

  7. 

  8. ieee80211_scan_rx() tries to access scan_req->flags after a
    9. 

  9. null check, but a UAF is observed when the scan is completed
    10. 

  10. and __ieee80211_scan_completed() executes, which then calls
    11. 

  11. cfg80211_scan_done() leading to the freeing of scan_req.
    12. 

  12. 

  13. Since scan_req is rcu_dereference()'d, prevent the racing in
    14. 

  14. __ieee80211_scan_completed() by ensuring that from mac80211's
    15. 

  15. POV it is no longer accessed from an RCU read critical section
    16. 

  16. before we call cfg80211_scan_done().
    17. 

  17. 

  18. Cc: [email protected]
    19. 

  19. Link: https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d
    20. 

  20. Reported-by: [email protected]
    21. 

  21. Suggested-by: Johannes Berg <[email protected]>
    22. 

  22. Signed-off-by: Siddh Raman Pant <[email protected]>
    23. 

  23. Link: https://lore.kernel.org/r/[email protected]
    24. 

  24. Signed-off-by: Johannes Berg <[email protected]>
    25. 

  25. Signed-off-by: Greg Kroah-Hartman <[email protected]>
    26. 

  26. ---
    27. 

  27.  net/mac80211/scan.c | 11 +++++++----
    28. 

  28.  1 file changed, 7 insertions(+), 4 deletions(-)
    29. 

  29. 

  30. --- a/net/mac80211/scan.c
    31. 

  31. +++ b/net/mac80211/scan.c
    32. 

  32. @@ -465,16 +465,19 @@ static void __ieee80211_scan_completed(s
    33. 

  33.  	scan_req = rcu_dereference_protected(local->scan_req,
    34. 

  34.  					     lockdep_is_held(&local->mtx));
    35. 

  35.  
    36. 

  36. -	if (scan_req != local->int_scan_req) {
    37. 

  37. -		local->scan_info.aborted = aborted;
    38. 

  38. -		cfg80211_scan_done(scan_req, &local->scan_info);
    39. 

  39. -	}
    40. 

  40.  	RCU_INIT_POINTER(local->scan_req, NULL);
    41. 

  41.  	RCU_INIT_POINTER(local->scan_sdata, NULL);
    42. 

  42.  
    43. 

  43.  	local->scanning = 0;
    44. 

  44.  	local->scan_chandef.chan = NULL;
    45. 

  45.  
    46. 

  46. +	synchronize_rcu();
    47. 

  47. +
    48. 

  48. +	if (scan_req != local->int_scan_req) {
    49. 

  49. +		local->scan_info.aborted = aborted;
    50. 

  50. +		cfg80211_scan_done(scan_req, &local->scan_info);
    51. 

  51. +	}
    52. 

  52. +
    53. 

  53.  	/* Set power back to normal operating levels. */
    54. 

  54.  	ieee80211_hw_config(local, 0);
    55. 

  55.  
    56.