cve/published/2024/CVE-2024-27410.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-27410: wifi: nl80211: reject iftype change with mesh ID change

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: nl80211: reject iftype change with mesh ID change

 It's currently possible to change the mesh ID when the
 interface isn't yet in mesh mode, at the same time as
 changing it into mesh mode. This leads to an overwrite
 of data in the wdev->u union for the interface type it
 currently has, causing cfg80211_change_iface() to do
 wrong things when switching.

 We could probably allow setting an interface to mesh
 while setting the mesh ID at the same time by doing a
 different order of operations here, but realistically
 there's no userspace that's going to do this, so just
 disallow changes in iftype when setting mesh ID.

 The Linux kernel CVE team has assigned CVE-2024-27410 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 4.19.309 with commit d38d31bbbb9dc0d4d71a45431eafba03d0bc150d
 	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 5.4.271 with commit 0cfbb26ee5e7b3d6483a73883f9f6157bca22ec9
 	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 5.10.212 with commit 99eb2159680af8786104dac80528acd5acd45980
 	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 5.15.151 with commit 063715c33b4c37587aeca2c83cf08ead0c542995
 	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 6.1.81 with commit 930e826962d9f01dcd2220176134427358d112f2
 	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 6.6.21 with commit 177d574be4b58f832354ab1ef5a297aa0c9aa2df
 	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 6.7.9 with commit a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838
 	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 6.8 with commit f78c1375339a291cba492a70eaf12ec501d28a8e
 	Issue introduced in 5.19.2 with commit 7a53ad13c09150076b7ddde96c2dfc5622c90b45

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-27410
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/wireless/nl80211.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d38d31bbbb9dc0d4d71a45431eafba03d0bc150d
 	https://git.kernel.org/stable/c/0cfbb26ee5e7b3d6483a73883f9f6157bca22ec9
 	https://git.kernel.org/stable/c/99eb2159680af8786104dac80528acd5acd45980
 	https://git.kernel.org/stable/c/063715c33b4c37587aeca2c83cf08ead0c542995
 	https://git.kernel.org/stable/c/930e826962d9f01dcd2220176134427358d112f2
 	https://git.kernel.org/stable/c/177d574be4b58f832354ab1ef5a297aa0c9aa2df
 	https://git.kernel.org/stable/c/a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838
 	https://git.kernel.org/stable/c/f78c1375339a291cba492a70eaf12ec501d28a8e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-27410: wifi: nl80211: reject iftype change with mesh ID change

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: nl80211: reject iftype change with mesh ID change

	It's currently possible to change the mesh ID when the
	interface isn't yet in mesh mode, at the same time as
	changing it into mesh mode. This leads to an overwrite
	of data in the wdev->u union for the interface type it
	currently has, causing cfg80211_change_iface() to do
	wrong things when switching.

	We could probably allow setting an interface to mesh
	while setting the mesh ID at the same time by doing a
	different order of operations here, but realistically
	there's no userspace that's going to do this, so just
	disallow changes in iftype when setting mesh ID.

	The Linux kernel CVE team has assigned CVE-2024-27410 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 4.19.309 with commit d38d31bbbb9dc0d4d71a45431eafba03d0bc150d
	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 5.4.271 with commit 0cfbb26ee5e7b3d6483a73883f9f6157bca22ec9
	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 5.10.212 with commit 99eb2159680af8786104dac80528acd5acd45980
	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 5.15.151 with commit 063715c33b4c37587aeca2c83cf08ead0c542995
	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 6.1.81 with commit 930e826962d9f01dcd2220176134427358d112f2
	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 6.6.21 with commit 177d574be4b58f832354ab1ef5a297aa0c9aa2df
	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 6.7.9 with commit a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838
	Issue introduced in 6.0 with commit 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 and fixed in 6.8 with commit f78c1375339a291cba492a70eaf12ec501d28a8e
	Issue introduced in 5.19.2 with commit 7a53ad13c09150076b7ddde96c2dfc5622c90b45

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-27410
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/wireless/nl80211.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d38d31bbbb9dc0d4d71a45431eafba03d0bc150d
	https://git.kernel.org/stable/c/0cfbb26ee5e7b3d6483a73883f9f6157bca22ec9
	https://git.kernel.org/stable/c/99eb2159680af8786104dac80528acd5acd45980
	https://git.kernel.org/stable/c/063715c33b4c37587aeca2c83cf08ead0c542995
	https://git.kernel.org/stable/c/930e826962d9f01dcd2220176134427358d112f2
	https://git.kernel.org/stable/c/177d574be4b58f832354ab1ef5a297aa0c9aa2df
	https://git.kernel.org/stable/c/a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838
	https://git.kernel.org/stable/c/f78c1375339a291cba492a70eaf12ec501d28a8e