cve/published/2022/CVE-2022-49416.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49416: wifi: mac80211: fix use-after-free in chanctx code

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 wifi: mac80211: fix use-after-free in chanctx code

 In ieee80211_vif_use_reserved_context(), when we have an
 old context and the new context's replace_state is set to
 IEEE80211_CHANCTX_REPLACE_NONE, we free the old context
 in ieee80211_vif_use_reserved_reassign(). Therefore, we
 cannot check the old_ctx anymore, so we should set it to
 NULL after this point.

 However, since the new_ctx replace state is clearly not
 IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do
 anything else in this function and can just return to
 avoid accessing the freed old_ctx.

 The Linux kernel CVE team has assigned CVE-2022-49416 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 4.9.318 with commit 88cc8f963febe192d6ded9df7217f92f380b449a
 	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 4.14.283 with commit 4ba81e794f0fad6234f644c2da1ae14d5b95e1c4
 	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 4.19.247 with commit 9f1e5cc85ad77e52f54049a94db0407445ae2a34
 	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.4.198 with commit 265bec4779a38b65e86a25120370f200822dfa76
 	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.10.121 with commit 6118bbdf69f4718b02d26bbcf2e497eb66004331
 	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.15.46 with commit b79110f2bf6022e60e590d2e094728a8eec3e79e
 	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.17.14 with commit 82c8e7bbdd06c7ed58e22450cc5b37f33a25bb2c
 	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.18.3 with commit 4f05a9e15edcdf5b97e0d86ab6ecd5f187289f6c
 	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.19 with commit 2965c4cdf7ad9ce0796fac5e57debb9519ea721e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49416
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mac80211/chan.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/88cc8f963febe192d6ded9df7217f92f380b449a
 	https://git.kernel.org/stable/c/4ba81e794f0fad6234f644c2da1ae14d5b95e1c4
 	https://git.kernel.org/stable/c/9f1e5cc85ad77e52f54049a94db0407445ae2a34
 	https://git.kernel.org/stable/c/265bec4779a38b65e86a25120370f200822dfa76
 	https://git.kernel.org/stable/c/6118bbdf69f4718b02d26bbcf2e497eb66004331
 	https://git.kernel.org/stable/c/b79110f2bf6022e60e590d2e094728a8eec3e79e
 	https://git.kernel.org/stable/c/82c8e7bbdd06c7ed58e22450cc5b37f33a25bb2c
 	https://git.kernel.org/stable/c/4f05a9e15edcdf5b97e0d86ab6ecd5f187289f6c
 	https://git.kernel.org/stable/c/2965c4cdf7ad9ce0796fac5e57debb9519ea721e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49416: wifi: mac80211: fix use-after-free in chanctx code

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	wifi: mac80211: fix use-after-free in chanctx code

	In ieee80211_vif_use_reserved_context(), when we have an
	old context and the new context's replace_state is set to
	IEEE80211_CHANCTX_REPLACE_NONE, we free the old context
	in ieee80211_vif_use_reserved_reassign(). Therefore, we
	cannot check the old_ctx anymore, so we should set it to
	NULL after this point.

	However, since the new_ctx replace state is clearly not
	IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do
	anything else in this function and can just return to
	avoid accessing the freed old_ctx.

	The Linux kernel CVE team has assigned CVE-2022-49416 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 4.9.318 with commit 88cc8f963febe192d6ded9df7217f92f380b449a
	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 4.14.283 with commit 4ba81e794f0fad6234f644c2da1ae14d5b95e1c4
	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 4.19.247 with commit 9f1e5cc85ad77e52f54049a94db0407445ae2a34
	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.4.198 with commit 265bec4779a38b65e86a25120370f200822dfa76
	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.10.121 with commit 6118bbdf69f4718b02d26bbcf2e497eb66004331
	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.15.46 with commit b79110f2bf6022e60e590d2e094728a8eec3e79e
	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.17.14 with commit 82c8e7bbdd06c7ed58e22450cc5b37f33a25bb2c
	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.18.3 with commit 4f05a9e15edcdf5b97e0d86ab6ecd5f187289f6c
	Issue introduced in 3.17 with commit 5bcae31d9cb1ebfad3ad5a3eea04c8cdc329a04f and fixed in 5.19 with commit 2965c4cdf7ad9ce0796fac5e57debb9519ea721e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49416
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mac80211/chan.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/88cc8f963febe192d6ded9df7217f92f380b449a
	https://git.kernel.org/stable/c/4ba81e794f0fad6234f644c2da1ae14d5b95e1c4
	https://git.kernel.org/stable/c/9f1e5cc85ad77e52f54049a94db0407445ae2a34
	https://git.kernel.org/stable/c/265bec4779a38b65e86a25120370f200822dfa76
	https://git.kernel.org/stable/c/6118bbdf69f4718b02d26bbcf2e497eb66004331
	https://git.kernel.org/stable/c/b79110f2bf6022e60e590d2e094728a8eec3e79e
	https://git.kernel.org/stable/c/82c8e7bbdd06c7ed58e22450cc5b37f33a25bb2c
	https://git.kernel.org/stable/c/4f05a9e15edcdf5b97e0d86ab6ecd5f187289f6c
	https://git.kernel.org/stable/c/2965c4cdf7ad9ce0796fac5e57debb9519ea721e