cve/published/2022/CVE-2022-48876.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48876: wifi: mac80211: fix initialization of rx->link and rx->link_sta

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: mac80211: fix initialization of rx->link and rx->link_sta

 There are some codepaths that do not initialize rx->link_sta properly. This
 causes a crash in places which assume that rx->link_sta is valid if rx->sta
 is valid.
 One known instance is triggered by __ieee80211_rx_h_amsdu being called from
 fast-rx. It results in a crash like this one:

  BUG: kernel NULL pointer dereference, address: 00000000000000a8
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page PGD 0 P4D 0
  Oops: 0002 [#1] PREEMPT SMP PTI
  CPU: 1 PID: 506 Comm: mt76-usb-rx phy Tainted: G            E      6.1.0-debian64x+1.7 #3
  Hardware name: ZOTAC ZBOX-ID92/ZBOX-IQ01/ZBOX-ID92/ZBOX-IQ01, BIOS B220P007 05/21/2014
  RIP: 0010:ieee80211_deliver_skb+0x62/0x1f0 [mac80211]
  Code: 00 48 89 04 24 e8 9e a7 c3 df 89 c0 48 03 1c c5 a0 ea 39 a1 4c 01 6b 08 48 ff 03 48
        83 7d 28 00 74 11 48 8b 45 30 48 63 55 44 <48> 83 84 d0 a8 00 00 00 01 41 8b 86 c0
        11 00 00 8d 50 fd 83 fa 01
  RSP: 0018:ffff999040803b10 EFLAGS: 00010286
  RAX: 0000000000000000 RBX: ffffb9903f496480 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
  RBP: ffff999040803ce0 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d21828ac900
  R13: 000000000000004a R14: ffff8d2198ed89c0 R15: ffff8d2198ed8000
  FS:  0000000000000000(0000) GS:ffff8d24afe80000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000000000a8 CR3: 0000000429810002 CR4: 00000000001706e0
  Call Trace:
   <TASK>
   __ieee80211_rx_h_amsdu+0x1b5/0x240 [mac80211]
   ? ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
   ? __local_bh_enable_ip+0x3b/0xa0
   ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
   ? prepare_transfer+0x109/0x1a0 [xhci_hcd]
   ieee80211_rx_list+0xa80/0xda0 [mac80211]
   mt76_rx_complete+0x207/0x2e0 [mt76]
   mt76_rx_poll_complete+0x357/0x5a0 [mt76]
   mt76u_rx_worker+0x4f5/0x600 [mt76_usb]
   ? mt76_get_min_avg_rssi+0x140/0x140 [mt76]
   __mt76_worker_fn+0x50/0x80 [mt76]
   kthread+0xed/0x120
   ? kthread_complete_and_exit+0x20/0x20
   ret_from_fork+0x22/0x30

 Since the initialization of rx->link and rx->link_sta is rather convoluted
 and duplicated in many places, clean it up by using a helper function to
 set it.

 [remove unnecessary rx->sta->sta.mlo check]

 The Linux kernel CVE team has assigned CVE-2022-48876 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1 with commit ccdde7c74ffd7e8bdd3cf685bbfa41231c8e3131 and fixed in 6.1.8 with commit a57c981d9f24d2bd89eaa76dc477e8ca252e22e8
 	Issue introduced in 6.1 with commit ccdde7c74ffd7e8bdd3cf685bbfa41231c8e3131 and fixed in 6.2 with commit e66b7920aa5ac5b1a1997a454004ba9246a3c005

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48876
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mac80211/rx.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a57c981d9f24d2bd89eaa76dc477e8ca252e22e8
 	https://git.kernel.org/stable/c/e66b7920aa5ac5b1a1997a454004ba9246a3c005
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48876: wifi: mac80211: fix initialization of rx->link and rx->link_sta

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: mac80211: fix initialization of rx->link and rx->link_sta

	There are some codepaths that do not initialize rx->link_sta properly. This
	causes a crash in places which assume that rx->link_sta is valid if rx->sta
	is valid.
	One known instance is triggered by __ieee80211_rx_h_amsdu being called from
	fast-rx. It results in a crash like this one:

	BUG: kernel NULL pointer dereference, address: 00000000000000a8
	#PF: supervisor write access in kernel mode
	#PF: error_code(0x0002) - not-present page PGD 0 P4D 0
	Oops: 0002 [#1] PREEMPT SMP PTI
	CPU: 1 PID: 506 Comm: mt76-usb-rx phy Tainted: G E 6.1.0-debian64x+1.7 #3
	Hardware name: ZOTAC ZBOX-ID92/ZBOX-IQ01/ZBOX-ID92/ZBOX-IQ01, BIOS B220P007 05/21/2014
	RIP: 0010:ieee80211_deliver_skb+0x62/0x1f0 [mac80211]
	Code: 00 48 89 04 24 e8 9e a7 c3 df 89 c0 48 03 1c c5 a0 ea 39 a1 4c 01 6b 08 48 ff 03 48
	83 7d 28 00 74 11 48 8b 45 30 48 63 55 44 <48> 83 84 d0 a8 00 00 00 01 41 8b 86 c0
	11 00 00 8d 50 fd 83 fa 01
	RSP: 0018:ffff999040803b10 EFLAGS: 00010286
	RAX: 0000000000000000 RBX: ffffb9903f496480 RCX: 0000000000000000
	RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
	RBP: ffff999040803ce0 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d21828ac900
	R13: 000000000000004a R14: ffff8d2198ed89c0 R15: ffff8d2198ed8000
	FS: 0000000000000000(0000) GS:ffff8d24afe80000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00000000000000a8 CR3: 0000000429810002 CR4: 00000000001706e0
	Call Trace:
	<TASK>
	__ieee80211_rx_h_amsdu+0x1b5/0x240 [mac80211]
	? ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
	? __local_bh_enable_ip+0x3b/0xa0
	ieee80211_prepare_and_rx_handle+0xcdd/0x1320 [mac80211]
	? prepare_transfer+0x109/0x1a0 [xhci_hcd]
	ieee80211_rx_list+0xa80/0xda0 [mac80211]
	mt76_rx_complete+0x207/0x2e0 [mt76]
	mt76_rx_poll_complete+0x357/0x5a0 [mt76]
	mt76u_rx_worker+0x4f5/0x600 [mt76_usb]
	? mt76_get_min_avg_rssi+0x140/0x140 [mt76]
	__mt76_worker_fn+0x50/0x80 [mt76]
	kthread+0xed/0x120
	? kthread_complete_and_exit+0x20/0x20
	ret_from_fork+0x22/0x30

	Since the initialization of rx->link and rx->link_sta is rather convoluted
	and duplicated in many places, clean it up by using a helper function to
	set it.

	[remove unnecessary rx->sta->sta.mlo check]

	The Linux kernel CVE team has assigned CVE-2022-48876 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1 with commit ccdde7c74ffd7e8bdd3cf685bbfa41231c8e3131 and fixed in 6.1.8 with commit a57c981d9f24d2bd89eaa76dc477e8ca252e22e8
	Issue introduced in 6.1 with commit ccdde7c74ffd7e8bdd3cf685bbfa41231c8e3131 and fixed in 6.2 with commit e66b7920aa5ac5b1a1997a454004ba9246a3c005

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48876
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mac80211/rx.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a57c981d9f24d2bd89eaa76dc477e8ca252e22e8
	https://git.kernel.org/stable/c/e66b7920aa5ac5b1a1997a454004ba9246a3c005