From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 5.10 15/93] mac80211: fix use-after-free in CCMP/GCMP RX
Date: Mon,  4 Oct 2021 14:52:13 +0200
Message-ID: <20211004125035.079381229@linuxfoundation.org>
In-Reply-To: <20211004125034.579439135@linuxfoundation.org>

From: Johannes Berg <johannes.berg@intel.com>

commit 94513069eb549737bcfc3d988d6ed4da948a2de8 upstream.

When PN checking is done in mac80211, for fragmentation we need
to copy the PN to the RX struct so we can later use it to do a
comparison, since commit bf30ca922a0c ("mac80211: check defrag
PN against current frame").

Unfortunately, in that commit I used the 'hdr' variable without
it being necessarily valid, so use-after-free could occur if it
was necessary to reallocate (parts of) the frame.

Fix this by reloading the variable after the code that results
in the reallocations, if any.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.

Cc: stable@vger.kernel.org
Fixes: bf30ca922a0c ("mac80211: check defrag PN against current frame")
Link: https://lore.kernel.org/r/20210927115838.12b9ac6bb233.I1d066acd5408a662c3b6e828122cd314fcb28cdb@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/wpa.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -520,6 +520,9 @@ ieee80211_crypto_ccmp_decrypt(struct iee
 			return RX_DROP_UNUSABLE;
 	}
 
+	/* reload hdr - skb might have been reallocated */
+	hdr = (void *)rx->skb->data;
+
 	data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
 	if (!rx->sta || data_len < 0)
 		return RX_DROP_UNUSABLE;
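Review bot: the reload takes the header from rx->skb->data while the next line computes data_len from the local skb (skb->len); if those are always the same sk_buff, reloading via skb->data would make that obvious, and if they can differ, the local skb is as stale as hdr was and needs the same treatment. The comment "skb might have been reallocated" would also be clearer if it said what actually moves: per the commit message it is (parts of) the frame data that get reallocated, which is why a pointer taken earlier such as hdr goes stale while the sk_buff itself and lengths like hdrlen remain usable.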
@@ -749,6 +752,9 @@ ieee80211_crypto_gcmp_decrypt(struct iee
 			return RX_DROP_UNUSABLE;
 	}
 
+	/* reload hdr - skb might have been reallocated */
+	hdr = (void *)rx->skb->data;
+
 	data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len;
 	if (!rx->sta || data_len < 0)
 		return RX_DROP_UNUSABLE;
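Review bot: this is the identical reload-after-reallocation sequence from ieee80211_crypto_ccmp_decrypt, at the same spot between the drop check and the data_len computation; since both decrypt paths now carry the same three lines, a shared helper or a single comment cross-referencing the CCMP path would lower the risk that a future change to the reallocation step is applied to one path and missed in the other, which is exactly how the original stale-hdr bug reached both functions.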


