Message ID | 20241015222030.1105765-1-sherry.yang@oracle.com (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Netdev Maintainers |
Series | [5.15.y,5.10.y,5.4.y] wifi: mac80211: fix potential key use-after-free |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Guessing tree name failed - patch did not apply |
On Tue, Oct 15, 2024 at 03:20:30PM -0700, Sherry Yang wrote:
> From: Johannes Berg <johannes.berg@intel.com>
>
> [ Upstream commit 31db78a4923ef5e2008f2eed321811ca79e7f71b ]
>
> When ieee80211_key_link() is called by ieee80211_gtk_rekey_add()
> but returns 0 due to KRACK protection (identical key reinstall),
> ieee80211_gtk_rekey_add() will still return a pointer into the
> key, in a potential use-after-free. This normally doesn't happen
> since it's only called by iwlwifi in case of WoWLAN rekey offload
> which has its own KRACK protection, but still better to fix, do
> that by returning an error code and converting that to success on
> the cfg80211 boundary only, leaving the error for bad callers of
> ieee80211_gtk_rekey_add().
>
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything")
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> [Sherry: bp to fix CVE-2023-52530, resolved minor conflicts in
> net/mac80211/cfg.c because of context change due to missing commit
> 23a5f0af6ff4 ("wifi: mac80211: remove cipher scheme support")
> ccdde7c74ffd ("wifi: mac80211: properly implement MLO key handling")]
> Signed-off-by: Sherry Yang <sherry.yang@oracle.com>

Now queued up, thanks.

greg k-h
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index f652982a106b..c54b3be62c0a 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -511,6 +511,9 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev, sta->cipher_scheme = cs; err = ieee80211_key_link(key, sdata, sta); + /* KRACK protection, shouldn't happen but just silently accept key */ + if (err == -EALREADY) + err = 0; out_unlock: mutex_unlock(&local->sta_mtx); diff --git a/net/mac80211/key.c b/net/mac80211/key.c index f695fc80088b..7b427e39831b 100644 --- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -843,7 +843,7 @@ int ieee80211_key_link(struct ieee80211_key *key, */ if (ieee80211_key_identical(sdata, old_key, key)) { ieee80211_key_free_unused(key); - ret = 0; + ret = -EALREADY; goto out; }
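Review bot: In the net/mac80211/cfg.c hunk, the `-EALREADY` to `0` mapping is placed immediately after the `ieee80211_key_link(key, sdata, sta)` call, before the `out_unlock:` label, so only this one call site is masked and any other error value still propagates; that matches the commit message's intent of converting the error to success at the cfg80211 boundary only. Since the backport had to resolve context conflicts here (the `sta->cipher_scheme = cs;` line still precedes the call on these branches), it is worth confirming in the stable trees that no other path in `ieee80211_add_key()` reaches `out_unlock` with `err` already set to `-EALREADY` from a different source, and that the only remaining caller left to see `-EALREADY` is the rekey path the description names.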
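Review bot: In the net/mac80211/key.c hunk, `ieee80211_key_free_unused(key)` runs before `ret = -EALREADY; goto out;`, so by the time the caller receives the non-zero return its `key` pointer is already freed; the fix works only if every caller of `ieee80211_key_link()` treats any non-zero return as "do not touch `key`", which is exactly the pointer-return bug in `ieee80211_gtk_rekey_add()` the description calls out. Suggest verifying that the 5.15.y/5.10.y/5.4.y versions of `ieee80211_gtk_rekey_add()` check this return and propagate an error (e.g. via `ERR_PTR()`) rather than returning `&key->conf` after a non-zero `ret`, since that caller is the one that previously saw `0` here and is not touched by this patch.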