Commit ff05d4b4 authored Sep 28, 2022 by Johannes Berg

wifi: mac80211: fix MBSSID parsing use-after-free



When we parse a multi-BSSID element, we might point some
element pointers into the allocated nontransmitted_profile.
However, we free this before returning, causing UAF when the
relevant pointers in the parsed elements are accessed.

Fix this by not allocating the scratch buffer separately but
as part of the returned structure instead, that way, there
are no lifetime issues with it.

The scratch buffer introduction as part of the returned data
here is taken from MLO feature work done by Ilan.

This fixes CVE-2022-42719.

Fixes: 5023b14c ("mac80211: support profile split between elements")
Co-developed-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent 8f033d2b

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit 7eb63dc3
· Nov 05, 2025

mentioned in commit 7eb63dc3

mentioned in commit 7eb63dc30503b5e6efc773ea7ff33f6a635933e5

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 6c543641
· Nov 05, 2025

mentioned in commit 6c543641

mentioned in commit 6c543641c68ccf3904a08d915f98c1ed633de08e

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 35838118
· Nov 05, 2025

mentioned in commit 35838118

mentioned in commit 35838118bb96646e8d9854a1677b2386037965a4

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 27112b02
· Nov 05, 2025

mentioned in commit 27112b02

mentioned in commit 27112b02f9b4591862b22820ca2581f38b428b2f

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 5fa492b7
· Nov 05, 2025

mentioned in commit 5fa492b7

mentioned in commit 5fa492b79e28c04c87b57f1ccaf4b6134ccf7d8b

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 2adb4cff
· Nov 05, 2025

mentioned in commit 2adb4cff

mentioned in commit 2adb4cff7cf983f92a57f7cb63fbac3458dd0751

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 23e35915
· Nov 05, 2025

mentioned in commit 23e35915

mentioned in commit 23e35915cd097eb4ee9e0e70e5f375dd10f9c655

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 09be19c1
· Nov 05, 2025

mentioned in commit 09be19c1

mentioned in commit 09be19c1c1aaad9df737224a4157ffb3e223e69f

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 55f581c2
· Nov 05, 2025

mentioned in commit 55f581c2

mentioned in commit 55f581c26b9e10d26dac8594a0a372bf6ec0720f

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit c97077f5
· Nov 05, 2025

mentioned in commit c97077f5

mentioned in commit c97077f5b5d8b55e3effaf228c89436d48a15a98

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 8f827a97
· Nov 05, 2025

mentioned in commit 8f827a97

mentioned in commit 8f827a971d32572e86f2f0b5fa08165cd98659ca

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit ae1cbaa6
· Nov 05, 2025

mentioned in commit ae1cbaa6

mentioned in commit ae1cbaa6ec11efd6a330fa97513034a2d010ce91

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 60573ea4
· Nov 05, 2025

mentioned in commit 60573ea4

mentioned in commit 60573ea48f077eaea0009c4756b9a8ef8e74c3e6

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit b4d56d27
· Nov 05, 2025

mentioned in commit b4d56d27

mentioned in commit b4d56d274f07d3f52ad8b349f1a4e4502df61f2f

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 6d045947
· Nov 05, 2025

mentioned in commit 6d045947

mentioned in commit 6d0459473693fd07a476e456d12f049e34e6e8d3

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 37c9f035
· Nov 05, 2025

mentioned in commit 37c9f035

mentioned in commit 37c9f03552c841bc4e1d1e41064ea1f3a82c86f2

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 96a7f6fe
· Nov 05, 2025

mentioned in commit 96a7f6fe

mentioned in commit 96a7f6fe5aea9480256c981d60f813a2a40df179

Toggle commit list

Please to comment