mac80211: fix use-after-free in chanctx code

Message ID	20220601091926.df419d91b165.I17a9b3894ff0b8323ce2afdb153b101124c821e5@changeid
State	New
Headers	show Return-Path: <linux-wireless-owner@kernel.org> From: Johannes Berg <johannes@sipsolutions.net> To: linux-wireless@vger.kernel.org Cc: Johannes Berg <johannes.berg@intel.com>, stable@vger.kernel.org Subject: [PATCH] mac80211: fix use-after-free in chanctx code Date: Wed, 1 Jun 2022 09:19:36 +0200 Message-Id: <20220601091926.df419d91b165.I17a9b3894ff0b8323ce2afdb153b101124c821e5@changeid> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	mac80211: fix use-after-free in chanctx code \| expand mac80211: fix use-after-free in chanctx code

Message ID

20220601091926.df419d91b165.I17a9b3894ff0b8323ce2afdb153b101124c821e5@changeid

State

New

Headers

From: Johannes Berg <johannes@sipsolutions.net>
To: linux-wireless@vger.kernel.org
Cc: Johannes Berg <johannes.berg@intel.com>, stable@vger.kernel.org
Subject: [PATCH] mac80211: fix use-after-free in chanctx code
Date: Wed,  1 Jun 2022 09:19:36 +0200
Message-Id: 
 <20220601091926.df419d91b165.I17a9b3894ff0b8323ce2afdb153b101124c821e5@changeid>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

mac80211: fix use-after-free in chanctx code | expand

Commit Message

Johannes Berg June 1, 2022, 7:19 a.m. UTC

From: Johannes Berg <johannes.berg@intel.com>

In ieee80211_vif_use_reserved_context(), when we have an
old context and the new context's replace_state is set to
IEEE80211_CHANCTX_REPLACE_NONE, we free the old context
in ieee80211_vif_use_reserved_reassign(). Therefore, we
cannot check the old_ctx anymore, so we should set it to
NULL after this point.

However, since the new_ctx replace state is clearly not
IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do
anything else in this function and can just return to
avoid accessing the freed old_ctx.

Cc: stable@vger.kernel.org
Fixes: 5bcae31d9cb1 ("mac80211: implement multi-vif in-place reservations")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/mac80211/chan.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

Comments

Kalle Valo June 1, 2022, 9:41 a.m. UTC | #1

Johannes Berg <johannes@sipsolutions.net> wrote:

> From: Johannes Berg <johannes.berg@intel.com>
> 
> In ieee80211_vif_use_reserved_context(), when we have an
> old context and the new context's replace_state is set to
> IEEE80211_CHANCTX_REPLACE_NONE, we free the old context
> in ieee80211_vif_use_reserved_reassign(). Therefore, we
> cannot check the old_ctx anymore, so we should set it to
> NULL after this point.
> 
> However, since the new_ctx replace state is clearly not
> IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do
> anything else in this function and can just return to
> avoid accessing the freed old_ctx.
> 
> Cc: stable@vger.kernel.org
> Fixes: 5bcae31d9cb1 ("mac80211: implement multi-vif in-place reservations")
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Patch applied to wireless.git, thanks.

2965c4cdf7ad wifi: mac80211: fix use-after-free in chanctx code

diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 7b249264af09..5d8b49f20198 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -1750,12 +1750,9 @@  int ieee80211_vif_use_reserved_context(struct ieee80211_sub_if_data *sdata)
 
 	if (new_ctx->replace_state == IEEE80211_CHANCTX_REPLACE_NONE) {
 		if (old_ctx)
-			err = ieee80211_vif_use_reserved_reassign(sdata);
-		else
-			err = ieee80211_vif_use_reserved_assign(sdata);
+			return ieee80211_vif_use_reserved_reassign(sdata);
 
-		if (err)
-			return err;
+		return ieee80211_vif_use_reserved_assign(sdata);
 	}
 
 	/*