diff --git a/patches.suse/wifi-wfx-fix-possible-NULL-pointer-dereference-in-wf.patch b/patches.suse/wifi-wfx-fix-possible-NULL-pointer-dereference-in-wf.patch
new file mode 100644
index 0000000..a94b6a4
--- /dev/null
+++ b/patches.suse/wifi-wfx-fix-possible-NULL-pointer-dereference-in-wf.patch
@@ -0,0 +1,93 @@
+From fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d Mon Sep 17 00:00:00 2001
+From: Dmitry Antipov
+Date: Mon, 4 Dec 2023 20:11:28 +0300
+Subject: [PATCH] wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d
+Patch-mainline: v6.8-rc1
+References: CVE-2023-52593 bsc#1221042
+
+Since 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'
+should check the return value before examining skb data. So convert
+the latter to return an appropriate error code and propagate it to
+return from 'wfx_start_ap()' as well. Compile tested only.
+
+Signed-off-by: Dmitry Antipov
+Tested-by: Jérôme Pouiller
+Acked-by: Jérôme Pouiller
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20231204171130.141394-1-dmantipov@yandex.ru
+Acked-by: Takashi Iwai
+
+---
+ drivers/staging/wfx/sta.c | 43 +++++++++++++++++++++++++------------------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+--- a/drivers/staging/wfx/sta.c
++++ b/drivers/staging/wfx/sta.c
+@@ -341,29 +341,37 @@ static int wfx_upload_ap_templates(struc
+ return 0;
+ }
+ 
+-static void wfx_set_mfp_ap(struct wfx_vif *wvif)
++static int wfx_set_mfp_ap(struct wfx_vif *wvif)
+ {
+ struct sk_buff *skb = ieee80211_beacon_get(wvif->wdev->hw, wvif->vif);
+ const int ieoffset = offsetof(struct ieee80211_mgmt, u.beacon.variable);
+- const u16 *ptr = (u16 *)cfg80211_find_ie(WLAN_EID_RSN,
+- skb->data + ieoffset,
+- skb->len - ieoffset);
++ const u16 *ptr;
+ const int pairwise_cipher_suite_count_offset = 8 / sizeof(u16);
+ const int pairwise_cipher_suite_size = 4 / sizeof(u16);
+ const int akm_suite_size = 4 / sizeof(u16);
+ 
+- if (ptr) {
+- ptr += pairwise_cipher_suite_count_offset;
+- if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
+- return;
+- ptr += 1 + pairwise_cipher_suite_size * *ptr;
+- if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
+- return;
+- ptr += 1 + akm_suite_size * *ptr;
+- if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
+- return;
+- hif_set_mfp(wvif, *ptr & BIT(7), *ptr & BIT(6));
+- }
++ if (unlikely(!skb))
++ return -ENOMEM;
++
++ ptr = (u16 *)cfg80211_find_ie(WLAN_EID_RSN, skb->data + ieoffset,
++ skb->len - ieoffset);
++ if (unlikely(!ptr))
++ return -EINVAL;
++
++ ptr += pairwise_cipher_suite_count_offset;
++ if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
++ return -EINVAL;
++
++ ptr += 1 + pairwise_cipher_suite_size * *ptr;
++ if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
++ return -EINVAL;
++
++ ptr += 1 + akm_suite_size * *ptr;
++ if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
++ return -EINVAL;
++
++ hif_set_mfp(wvif, *ptr & BIT(7), *ptr & BIT(6));
++ return 0;
+ }
+ 
+ int wfx_start_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
+@@ -380,8 +388,7 @@ int wfx_start_ap(struct ieee80211_hw *hw
+ ret = hif_start(wvif, &vif->bss_conf, wvif->channel);
+ if (ret > 0)
+ return -EIO;
+- wfx_set_mfp_ap(wvif);
+- return ret;
++ return wfx_set_mfp_ap(wvif);
+ }
+ 
+ void wfx_stop_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
diff --git a/series.conf b/series.conf
index 3461bc6..f3b0ce1 100644
--- a/series.conf
+++ b/series.conf
@@ -45283,6 +45283,7 @@
 patches.suse/wifi-rtlwifi-Convert-LNKCTL-change-to-PCIe-cap-RMW-a.patch
 patches.suse/wifi-mt76-fix-broken-precal-loading-from-MTD-for-mt7.patch
 patches.suse/wifi-mt76-mt7921s-fix-workqueue-problem-causes-STA-a.patch
+ patches.suse/wifi-wfx-fix-possible-NULL-pointer-dereference-in-wf.patch
 patches.suse/wifi-mwifiex-configure-BSSID-consistently-when-start.patch
 patches.suse/wifi-ath11k-Defer-on-rproc_get-failure.patch
 patches.suse/wifi-ath9k-Fix-potential-array-index-out-of-bounds-r.patch
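Review bot: The new `if (unlikely(!ptr)) return -EINVAL;` makes a beacon without an RSN element fail wfx_start_ap() outright, whereas the removed `if (ptr) { … }` simply skipped the MFP setup; an open (RSN-less) AP carries no RSN IE in its beacon, so after this hunk such an AP appears unable to start even though that case is not an error. Separately, the skb obtained from ieee80211_beacon_get() at the top of wfx_set_mfp_ap() is not freed on any path — not in the old code and not in any of the new returns — and since ieee80211_beacon_get() hands the caller a freshly built beacon skb, every wfx_start_ap() call looks like it leaks one. Both are fixed by treating a missing RSN IE as success and routing every exit after the allocation through a `free_skb:` label that calls `dev_kfree_skb(skb)`, as sketched below; wfx_set_mfp_ap() is entirely inside this hunk, while wfx_start_ap()'s head lies outside the second hunk. The carried-over `ptr > (u16 *)skb_tail_pointer(skb)` checks still allow ptr == tail, so the following `*ptr` can read two bytes beyond skb->len; a `>=` comparison would be tighter, although the beacon is driver-built rather than received, so the exposure is small.
```c
static int wfx_set_mfp_ap(struct wfx_vif *wvif)
{
	struct sk_buff *skb = ieee80211_beacon_get(wvif->wdev->hw, wvif->vif);
	/* … unchanged: ieoffset and the three suite-size constants … */
	const u16 *ptr;
	int ret = -EINVAL;

	if (unlikely(!skb))
		return -ENOMEM;

	ptr = (u16 *)cfg80211_find_ie(WLAN_EID_RSN, skb->data + ieoffset,
				      skb->len - ieoffset);
	if (unlikely(!ptr)) {
		/* No RSN IE: unprotected BSS, nothing to program */
		ret = 0;
		goto free_skb;
	}

	ptr += pairwise_cipher_suite_count_offset;
	if (WARN_ON(ptr >= (u16 *)skb_tail_pointer(skb)))
		goto free_skb;
	/* … unchanged: the two remaining suite-count steps, each using goto free_skb instead of return -EINVAL … */

	hif_set_mfp(wvif, *ptr & BIT(7), *ptr & BIT(6));
	ret = 0;

free_skb:
	dev_kfree_skb(skb);
	return ret;
}
```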