On Thu, Oct 13, 2022 at 07:52:15PM +0200, Johannes Berg wrote:
From: Johannes Berg johannes.berg@intel.com
Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream.
When we parse a multi-BSSID element, we might point some element pointers into the allocated nontransmitted_profile. However, we free this before returning, causing UAF when the relevant pointers in the parsed elements are accessed.
Fix this by not allocating the scratch buffer separately but as part of the returned structure instead, that way, there are no lifetime issues with it.
The scratch buffer introduction as part of the returned data here is taken from MLO feature work done by Ilan.
This fixes CVE-2022-42719.
Fixes: 5023b14cf4df ("mac80211: support profile split between elements") Co-developed-by: Ilan Peer ilan.peer@intel.com Signed-off-by: Ilan Peer ilan.peer@intel.com Reviewed-by: Kees Cook keescook@chromium.org Signed-off-by: Johannes Berg johannes.berg@intel.com
net/mac80211/ieee80211_i.h | 8 ++++++++ net/mac80211/util.c | 30 +++++++++++++++--------------- 2 files changed, 23 insertions(+), 15 deletions(-)
Thanks, my attempt was almost the same as yours, except for one whitespace difference. I've taken yours as a replacement now.
greg k-h