wifi: cfg80211: fix BSS refcounting bugs

There are multiple refcounting bugs related to multi-BSSID:
 - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
   the bss pointer is overwritten before checking for the
   transmitted BSS, which is clearly wrong. Fix this by using
   the bss_from_pub() macro.

 - In cfg80211_bss_update() we copy the transmitted_bss pointer
   from tmp into new, but then if we release new, we'll unref
   it erroneously. We already set the pointer and ref it, but
   need to NULL it since it was copied from the tmp data.

 - In cfg80211_inform_single_bss_data(), if adding to the non-
   transmitted list fails, we unlink the BSS and yet still we
   return it, but this results in returning an entry without
   a reference. We shouldn't return it anyway if it was broken
   enough to not get added there.

This fixes CVE-2022-42720.

Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index a183f2b758742d94e47acd3a0e65db08b2994c9d..249107212c099ff9d071e89399e0cdf60bceca54 100644 (file)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cfg80211_registered_device *rdev,
        lockdep_assert_held(&rdev->bss_lock);
 
        bss->refcount++;
-       if (bss->pub.hidden_beacon_bss) {
-               bss = container_of(bss->pub.hidden_beacon_bss,
-                                  struct cfg80211_internal_bss,
-                                  pub);
-               bss->refcount++;
-       }
-       if (bss->pub.transmitted_bss) {
-               bss = container_of(bss->pub.transmitted_bss,
-                                  struct cfg80211_internal_bss,
-                                  pub);
-               bss->refcount++;
-       }
+
+       if (bss->pub.hidden_beacon_bss)
+               bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++;
+
+       if (bss->pub.transmitted_bss)
+               bss_from_pub(bss->pub.transmitted_bss)->refcount++;
 }
 
 static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
@@ -1741,6 +1735,8 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
                new->refcount = 1;
                INIT_LIST_HEAD(&new->hidden_list);
                INIT_LIST_HEAD(&new->pub.nontrans_list);
+               /* we'll set this later if it was non-NULL */
+               new->pub.transmitted_bss = NULL;
 
                if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
                        hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
@@ -2023,10 +2019,15 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
                spin_lock_bh(&rdev->bss_lock);
                if (cfg80211_add_nontrans_list(non_tx_data->tx_bss,
                                               &res->pub)) {
-                       if (__cfg80211_unlink_bss(rdev, res))
+                       if (__cfg80211_unlink_bss(rdev, res)) {
                                rdev->bss_generation++;
+                               res = NULL;
+                       }
                }
                spin_unlock_bh(&rdev->bss_lock);
+
+               if (!res)
+                       return NULL;
        }
 
        trace_cfg80211_return_bss(&res->pub);