cve/published/2022/CVE-2022-48875.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48875: wifi: mac80211: sdata can be NULL during AMPDU start

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: mac80211: sdata can be NULL during AMPDU start

 ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a
 deauthentication is ongoing.

 Here a trace triggering the race with the hostapd test
 multi_ap_fronthaul_on_ap:

 (gdb) list *drv_ampdu_action+0x46
 0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).
 391             int ret = -EOPNOTSUPP;
 392
 393             might_sleep();
 394
 395             sdata = get_bss_sdata(sdata);
 396             if (!check_sdata_in_driver(sdata))
 397                     return -EIO;
 398
 399             trace_drv_ampdu_action(local, sdata, params);
 400

 wlan0: moving STA 02:00:00:00:03:00 to state 3
 wlan0: associated
 wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)
 wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0
 wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)
 wlan0: moving STA 02:00:00:00:03:00 to state 2
 wlan0: moving STA 02:00:00:00:03:00 to state 1
 wlan0: Removed STA 02:00:00:00:03:00
 wlan0: Destroyed STA 02:00:00:00:03:00
 BUG: unable to handle page fault for address: fffffffffffffb48
 PGD 11814067 P4D 11814067 PUD 11816067 PMD 0
 Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G        W          6.1.0-rc8-wt+ #59
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
 Workqueue: phy3 ieee80211_ba_session_work [mac80211]
 RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]
 Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85
 RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287
 RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240
 RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40
 RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001
 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0
 R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8
 FS:  0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0
 Call Trace:
  <TASK>
  ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]
  ieee80211_ba_session_work+0xff/0x2e0 [mac80211]
  process_one_work+0x29f/0x620
  worker_thread+0x4d/0x3d0
  ? process_one_work+0x620/0x620
  kthread+0xfb/0x120
  ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork+0x22/0x30
  </TASK>

 The Linux kernel CVE team has assigned CVE-2022-48875 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.165 with commit 187523fa7c2d4c780f775cb869216865c4a909ef
 	Fixed in 5.15.90 with commit a12fd43bd175fa52c82f9740179d38c34ca1b62e
 	Fixed in 6.1.8 with commit c838df8461a601b20dc1b9fb1834d2aad8e2f949
 	Fixed in 6.2 with commit 69403bad97aa0162e3d7911b27e25abe774093df

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48875
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mac80211/agg-tx.c
 	net/mac80211/driver-ops.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef
 	https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e
 	https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949
 	https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48875: wifi: mac80211: sdata can be NULL during AMPDU start

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: mac80211: sdata can be NULL during AMPDU start

	ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a
	deauthentication is ongoing.

	Here a trace triggering the race with the hostapd test
	multi_ap_fronthaul_on_ap:

	(gdb) list *drv_ampdu_action+0x46
	0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).
	391 int ret = -EOPNOTSUPP;
	392
	393 might_sleep();
	394
	395 sdata = get_bss_sdata(sdata);
	396 if (!check_sdata_in_driver(sdata))
	397 return -EIO;
	398
	399 trace_drv_ampdu_action(local, sdata, params);
	400

	wlan0: moving STA 02:00:00:00:03:00 to state 3
	wlan0: associated
	wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)
	wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0
	wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)
	wlan0: moving STA 02:00:00:00:03:00 to state 2
	wlan0: moving STA 02:00:00:00:03:00 to state 1
	wlan0: Removed STA 02:00:00:00:03:00
	wlan0: Destroyed STA 02:00:00:00:03:00
	BUG: unable to handle page fault for address: fffffffffffffb48
	PGD 11814067 P4D 11814067 PUD 11816067 PMD 0
	Oops: 0000 [#1] PREEMPT SMP PTI
	CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
	Workqueue: phy3 ieee80211_ba_session_work [mac80211]
	RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]
	Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85
	RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287
	RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240
	RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40
	RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001
	R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0
	R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8
	FS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0
	Call Trace:
	<TASK>
	ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]
	ieee80211_ba_session_work+0xff/0x2e0 [mac80211]
	process_one_work+0x29f/0x620
	worker_thread+0x4d/0x3d0
	? process_one_work+0x620/0x620
	kthread+0xfb/0x120
	? kthread_complete_and_exit+0x20/0x20
	ret_from_fork+0x22/0x30
	</TASK>

	The Linux kernel CVE team has assigned CVE-2022-48875 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.165 with commit 187523fa7c2d4c780f775cb869216865c4a909ef
	Fixed in 5.15.90 with commit a12fd43bd175fa52c82f9740179d38c34ca1b62e
	Fixed in 6.1.8 with commit c838df8461a601b20dc1b9fb1834d2aad8e2f949
	Fixed in 6.2 with commit 69403bad97aa0162e3d7911b27e25abe774093df

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48875
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mac80211/agg-tx.c
	net/mac80211/driver-ops.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/187523fa7c2d4c780f775cb869216865c4a909ef
	https://git.kernel.org/stable/c/a12fd43bd175fa52c82f9740179d38c34ca1b62e
	https://git.kernel.org/stable/c/c838df8461a601b20dc1b9fb1834d2aad8e2f949
	https://git.kernel.org/stable/c/69403bad97aa0162e3d7911b27e25abe774093df