[LTS 8.6] CVE-2022-42720 #593

pvts-mat · 2025-09-25T17:42:06Z

[LTS 8.6]
CVE-2022-42720
VULN-3807

Problem

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0b7808818cb9df6680f98996b8e9a439fa7bcc2f

wifi: cfg80211: fix BSS refcounting bugs

There are multiple refcounting bugs related to multi-BSSID:

In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
the bss pointer is overwritten before checking for the
transmitted BSS, which is clearly wrong. Fix this by using
the bss_from_pub() macro.

In cfg80211_bss_update() we copy the transmitted_bss pointer
from tmp into new, but then if we release new, we'll unref
it erroneously. We already set the pointer and ref it, but
need to NULL it since it was copied from the tmp data.

In cfg80211_inform_single_bss_data(), if adding to the non-
transmitted list fails, we unlink the BSS and yet still we
return it, but this results in returning an entry without
a reference. We shouldn't return it anyway if it was broken
enough to not get added there.

This fixes CVE-2022-42720.

Affected: yes

The official bug source tagged by the bug fix 0b78088 is a3584f5. This commit can't be found in ciqlts8_6's history neither natively nor as a backport, although the code introduced by a3584f5 can be found in the bulk commit e19ec64. Along with the naive cherry-pick generating conflicts this situation required a case-by-case analysis of the issues addressed by 0b78088 to confirm their applicability to LTS 8.6 codebase.

`bss_ref_get()`

In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro.

This bug applies to LTS 8.6 with the code path being

kernel-src-tree/net/wireless/scan.c

Lines 147 to 149 in 0f0d831

    
           bss = container_of(bss->pub.hidden_beacon_bss, 
        
           		   struct cfg80211_internal_bss, 
        
           		   pub);

then

kernel-src-tree/net/wireless/scan.c

Line 152 in 0f0d831

if (bss->pub.transmitted_bss) {

`cfg80211_bss_update()`

In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data.

This bug applies to LTS 8.6. Below the description interspersed with links to the relevant ciqlts8_6 code fragments:

In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new

kernel-src-tree/net/wireless/scan.c

Line 1733 in 0f0d831

memcpy(new, tmp, sizeof(*new));

but then if we release new,

kernel-src-tree/net/wireless/scan.c

Line 1759 in 0f0d831

bss_ref_put(rdev, new);

kernel-src-tree/net/wireless/scan.c

Line 1766 in 0f0d831

bss_ref_put(rdev, new);

we'll unref it erroneously

kernel-src-tree/net/wireless/scan.c

Line 181 in 0f0d831

tbss->refcount--;

We already set the pointer and ref it

kernel-src-tree/net/wireless/scan.c

Lines 1777 to 1778 in 0f0d831

    
           new->pub.transmitted_bss = tmp->pub.transmitted_bss; 
        
           bss_ref_get(rdev, pbss);

but need to NULL it since it was copied from the tmp data.

`cfg80211_inform_single_bss_data()`

In cfg80211_inform_single_bss_data(), if adding to the non- transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there.

This bug applies to LTS 8.6. Failure of adding to the nontransmitted list and unlinking:

kernel-src-tree/net/wireless/scan.c

Lines 1985 to 1989 in 0f0d831

    
           if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, 
        
           			       &res->pub)) { 
        
           	if (__cfg80211_unlink_bss(rdev, res)) 
        
           		rdev->bss_generation++; 
        
           }

Returning the value without a reference:

kernel-src-tree/net/wireless/scan.c

Line 1994 in 0f0d831

return &res->pub;

It was arguably introduced earlier than a3584f5, namely in 0b8fb82.

Solution

Applying 0b78088 required pulling in 8a610cf to avoid conflicts for the cfg80211_inform_single_bss_data() case. Coincidentally, another bug was fixed with it (no CVE associated). From the commit's message:

Synchronize additions to nontrans_list of transmitting BSS with
bss_lock to avoid races. Also when cfg80211_add_nontrans_list() fails
__cfg80211_unlink_bss() needs bss_lock to be held (has lockdep assert
on bss_lock). So protect the whole block with bss_lock to avoid
races and warnings. Found during code review.

kABI check: passed

$ DEBUG=1 CVE=CVE-2022-42720 ./ninja.sh _kabi_checked__x86_64--test--ciqlts8_6-CVE-2022-42720

[0/1] Check ABI of kernel [ciqlts8_6-CVE-2022-42720]
++ uname -m
+ python3 /data/src/ctrliq-github/kernel-dist-git-el-8.6/SOURCES/check-kabi -k /data/src/ctrliq-github/kernel-dist-git-el-8.6/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts8_6/build_files/kernel-src-tree-ciqlts8_6-CVE-2022-42720/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts8_6-CVE-2022-42720/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Reference

kselftests–ciqlts8_6–run1.log

Patch

kselftests–ciqlts8_6-CVE-2022-42720–run1.log
kselftests–ciqlts8_6-CVE-2022-42720–run2.log

Comparison

The tests results for the reference and the patch are the same.

$ ktests.xsh diff  kselftests*.log

Column    File
--------  ----------------------------------------------
Status0   kselftests--ciqlts8_6--run1.log
Status1   kselftests--ciqlts8_6-CVE-2022-42720--run1.log
Status2   kselftests--ciqlts8_6-CVE-2022-42720--run2.log

TestCase                                     Status0  Status1  Status2  Summary
android:run.sh                               skip     skip     skip     same
bpf:get_cgroup_id_user                       pass     pass     pass     same
bpf:test_bpftool.sh                          pass     pass     pass     same
bpf:test_bpftool_build.sh                    pass     pass     pass     same
bpf:test_bpftool_metadata.sh                 pass     pass     pass     same
bpf:test_cgroup_storage                      pass     pass     pass     same
bpf:test_dev_cgroup                          pass     pass     pass     same
bpf:test_doc_build.sh                        pass     pass     pass     same
bpf:test_flow_dissector.sh                   pass     pass     pass     same
bpf:test_lirc_mode2.sh                       pass     pass     pass     same
bpf:test_lpm_map                             pass     pass     pass     same
bpf:test_lru_map                             fail     fail     fail     same
bpf:test_lwt_ip_encap.sh                     pass     pass     pass     same
bpf:test_lwt_seg6local.sh                    pass     pass     pass     same
bpf:test_netcnt                              pass     pass     pass     same
bpf:test_offload.py                          pass     pass     pass     same
bpf:test_skb_cgroup_id.sh                    pass     pass     pass     same
bpf:test_sock                                pass     pass     pass     same
bpf:test_sock_addr.sh                        pass     pass     pass     same
bpf:test_sysctl                              pass     pass     pass     same
bpf:test_tag                                 pass     pass     pass     same
bpf:test_tc_edt.sh                           pass     pass     pass     same
bpf:test_tc_tunnel.sh                        pass     pass     pass     same
bpf:test_tcp_check_syncookie.sh              pass     pass     pass     same
bpf:test_tcpnotify_user                      pass     pass     pass     same
bpf:test_tunnel.sh                           pass     pass     pass     same
bpf:test_verifier                            pass     pass     pass     same
bpf:test_verifier_log                        pass     pass     pass     same
bpf:test_xdp_meta.sh                         pass     pass     pass     same
bpf:test_xdp_redirect.sh                     pass     pass     pass     same
bpf:test_xdp_veth.sh                         pass     pass     pass     same
bpf:test_xdp_vlan_mode_generic.sh            pass     pass     pass     same
bpf:test_xdp_vlan_mode_native.sh             pass     pass     pass     same
bpf:test_xdping.sh                           pass     pass     pass     same
bpf:urandom_read                             pass     pass     pass     same
breakpoints:breakpoint_test                  pass     pass     pass     same
capabilities:test_execve                     pass     pass     pass     same
core:close_range_test                        pass     pass     pass     same
cpu-hotplug:cpu-on-off-test.sh               pass     pass     pass     same
cpufreq:main.sh                              fail     fail     fail     same
exec:execveat                                pass     pass     pass     same
firmware:fw_run_tests.sh                     skip     skip     skip     same
fpu:run_test_fpu.sh                          skip     skip     skip     same
fpu:test_fpu                                 pass     pass     pass     same
ftrace:ftracetest                            fail     fail     fail     same
futex:run.sh                                 pass     pass     pass     same
gpio:gpio-mockup.sh                          fail     fail     fail     same
intel_pstate:run.sh                          pass     pass     pass     same
ipc:msgque                                   pass     pass     pass     same
kcmp:kcmp_test                               pass     pass     pass     same
kexec:test_kexec_file_load.sh                skip     skip     skip     same
kexec:test_kexec_load.sh                     skip     skip     skip     same
kvm:access_tracking_perf_test                fail     fail     fail     same
kvm:amx_test                                 fail     fail     fail     same
kvm:cr4_cpuid_sync_test                      fail     fail     fail     same
kvm:debug_regs                               fail     fail     fail     same
kvm:demand_paging_test                       pass     pass     pass     same
kvm:dirty_log_perf_test                      pass     pass     pass     same
kvm:dirty_log_test                           fail     fail     fail     same
kvm:emulator_error_test                      fail     fail     fail     same
kvm:evmcs_test                               fail     fail     fail     same
kvm:get_cpuid_test                           fail     fail     fail     same
kvm:get_msr_index_features                   fail     fail     fail     same
kvm:hardware_disable_test                    pass     pass     pass     same
kvm:hyperv_clock                             fail     fail     fail     same
kvm:hyperv_cpuid                             fail     fail     fail     same
kvm:hyperv_features                          fail     fail     fail     same
kvm:kvm_binary_stats_test                    pass     pass     pass     same
kvm:kvm_create_max_vcpus                     skip     skip     skip     same
kvm:kvm_page_table_test                      pass     pass     pass     same
kvm:kvm_pv_test                              fail     fail     fail     same
kvm:memslot_modification_stress_test         pass     pass     pass     same
kvm:memslot_perf_test                        fail     fail     fail     same
kvm:mmio_warning_test                        fail     fail     fail     same
kvm:mmu_role_test                            fail     fail     fail     same
kvm:platform_info_test                       fail     fail     fail     same
kvm:rseq_test                                fail     fail     fail     same
kvm:set_boot_cpu_id                          fail     fail     fail     same
kvm:set_memory_region_test                   pass     pass     pass     same
kvm:set_sregs_test                           fail     fail     fail     same
kvm:smm_test                                 fail     fail     fail     same
kvm:state_test                               fail     fail     fail     same
kvm:steal_time                               pass     pass     pass     same
kvm:svm_int_ctl_test                         fail     fail     fail     same
kvm:svm_vmcall_test                          fail     fail     fail     same
kvm:sync_regs_test                           fail     fail     fail     same
kvm:tsc_msrs_test                            fail     fail     fail     same
kvm:userspace_msr_exit_test                  fail     fail     fail     same
kvm:vmx_apic_access_test                     fail     fail     fail     same
kvm:vmx_close_while_nested_test              fail     fail     fail     same
kvm:vmx_dirty_log_test                       fail     fail     fail     same
kvm:vmx_nested_tsc_scaling_test              fail     fail     fail     same
kvm:vmx_pmu_msrs_test                        fail     fail     fail     same
kvm:vmx_preemption_timer_test                fail     fail     fail     same
kvm:vmx_set_nested_state_test                fail     fail     fail     same
kvm:vmx_tsc_adjust_test                      fail     fail     fail     same
kvm:xapic_ipi_test                           fail     fail     fail     same
kvm:xen_shinfo_test                          fail     fail     fail     same
kvm:xen_vmcall_test                          fail     fail     fail     same
kvm:xss_msr_test                             fail     fail     fail     same
lib:bitmap.sh                                skip     skip     skip     same
lib:prime_numbers.sh                         skip     skip     skip     same
lib:printf.sh                                skip     skip     skip     same
lib:scanf.sh                                 fail     fail     fail     same
livepatch:test-callbacks.sh                  pass     pass     pass     same
livepatch:test-ftrace.sh                     pass     pass     pass     same
livepatch:test-livepatch.sh                  pass     pass     pass     same
livepatch:test-shadow-vars.sh                pass     pass     pass     same
livepatch:test-state.sh                      pass     pass     pass     same
membarrier:membarrier_test_multi_thread      pass     pass     pass     same
membarrier:membarrier_test_single_thread     pass     pass     pass     same
memfd:memfd_test                             pass     pass     pass     same
memfd:run_fuse_test.sh                       fail     fail     fail     same
memfd:run_hugetlbfs_test.sh                  pass     pass     pass     same
memory-hotplug:mem-on-off-test.sh            pass     pass     pass     same
mount:run_tests.sh                           pass     pass     pass     same
net/forwarding:bridge_port_isolation.sh      pass     pass     pass     same
net/forwarding:bridge_sticky_fdb.sh          pass     pass     pass     same
net/forwarding:bridge_vlan_aware.sh          fail     fail     fail     same
net/forwarding:bridge_vlan_unaware.sh        pass     pass     pass     same
net/forwarding:ethtool.sh                    fail     fail     fail     same
net/forwarding:gre_multipath.sh              fail     fail     fail     same
net/forwarding:ip6_forward_instats_vrf.sh    fail     fail     fail     same
net/forwarding:ipip_flat_gre.sh              pass     pass     pass     same
net/forwarding:ipip_flat_gre_key.sh          pass     pass     pass     same
net/forwarding:ipip_flat_gre_keys.sh         pass     pass     pass     same
net/forwarding:ipip_hier_gre.sh              pass     pass     pass     same
net/forwarding:ipip_hier_gre_key.sh          pass     pass     pass     same
net/forwarding:loopback.sh                   skip     skip     skip     same
net/forwarding:mirror_gre.sh                 fail     fail     fail     same
net/forwarding:mirror_gre_bound.sh           pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1d.sh       pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q.sh       pass     pass     pass     same
net/forwarding:mirror_gre_bridge_1q_lag.sh   pass     pass     pass     same
net/forwarding:mirror_gre_changes.sh         fail     fail     fail     same
net/forwarding:mirror_gre_flower.sh          fail     fail     fail     same
net/forwarding:mirror_gre_lag_lacp.sh        pass     pass     pass     same
net/forwarding:mirror_gre_neigh.sh           pass     pass     pass     same
net/forwarding:mirror_gre_nh.sh              pass     pass     pass     same
net/forwarding:mirror_gre_vlan.sh            pass     pass     pass     same
net/forwarding:mirror_vlan.sh                pass     pass     pass     same
net/forwarding:router.sh                     fail     fail     fail     same
net/forwarding:router_bridge.sh              pass     pass     pass     same
net/forwarding:router_bridge_vlan.sh         pass     pass     pass     same
net/forwarding:router_broadcast.sh           fail     fail     fail     same
net/forwarding:router_multicast.sh           fail     fail     fail     same
net/forwarding:router_multipath.sh           fail     fail     fail     same
net/forwarding:router_vid_1.sh               pass     pass     pass     same
net/forwarding:tc_chains.sh                  pass     pass     pass     same
net/forwarding:tc_flower.sh                  pass     pass     pass     same
net/forwarding:tc_flower_router.sh           pass     pass     pass     same
net/forwarding:tc_mpls_l2vpn.sh              pass     pass     pass     same
net/forwarding:tc_shblocks.sh                pass     pass     pass     same
net/forwarding:tc_vlan_modify.sh             pass     pass     pass     same
net/forwarding:vxlan_asymmetric.sh           pass     pass     pass     same
net/forwarding:vxlan_bridge_1d.sh            fail     fail     fail     same
net/forwarding:vxlan_bridge_1d_port_8472.sh  pass     pass     pass     same
net/forwarding:vxlan_bridge_1q.sh            fail     fail     fail     same
net/forwarding:vxlan_bridge_1q_port_8472.sh  pass     pass     pass     same
net/forwarding:vxlan_symmetric.sh            pass     pass     pass     same
net/mptcp:diag.sh                            pass     pass     pass     same
net/mptcp:mptcp_connect.sh                   pass     pass     pass     same
net/mptcp:mptcp_sockopt.sh                   pass     pass     pass     same
net/mptcp:pm_netlink.sh                      pass     pass     pass     same
net:bareudp.sh                               pass     pass     pass     same
net:devlink_port_split.py                    pass     pass     pass     same
net:drop_monitor_tests.sh                    skip     skip     skip     same
net:fcnal-test.sh                            pass     pass     pass     same
net:fib-onlink-tests.sh                      pass     pass     pass     same
net:fib_rule_tests.sh                        fail     fail     fail     same
net:fib_tests.sh                             pass     pass     pass     same
net:gre_gso.sh                               pass     pass     pass     same
net:icmp_redirect.sh                         pass     pass     pass     same
net:ip6_gre_headroom.sh                      pass     pass     pass     same
net:ipv6_flowlabel.sh                        pass     pass     pass     same
net:l2tp.sh                                  pass     pass     pass     same
net:msg_zerocopy.sh                          fail     fail     fail     same
net:netdevice.sh                             pass     pass     pass     same
net:pmtu.sh                                  pass     pass     pass     same
net:psock_snd.sh                             fail     fail     fail     same
net:reuseaddr_conflict                       pass     pass     pass     same
net:reuseport_bpf                            pass     pass     pass     same
net:reuseport_bpf_cpu                        pass     pass     pass     same
net:reuseport_bpf_numa                       pass     pass     pass     same
net:reuseport_dualstack                      pass     pass     pass     same
net:rtnetlink.sh                             skip     skip     skip     same
net:run_afpackettests                        pass     pass     pass     same
net:run_netsocktests                         pass     pass     pass     same
net:rxtimestamp.sh                           pass     pass     pass     same
net:so_txtime.sh                             fail     fail     fail     same
net:test_bpf.sh                              pass     pass     pass     same
net:test_vxlan_fdb_changelink.sh             pass     pass     pass     same
net:tls                                      pass     pass     pass     same
net:traceroute.sh                            pass     pass     pass     same
net:udpgro.sh                                fail     fail     fail     same
net:udpgro_bench.sh                          fail     fail     fail     same
net:udpgso.sh                                pass     pass     pass     same
net:veth.sh                                  fail     fail     fail     same
net:vrf-xfrm-tests.sh                        pass     pass     pass     same
netfilter:conntrack_icmp_related.sh          fail     fail     fail     same
netfilter:conntrack_tcp_unreplied.sh         fail     fail     fail     same
netfilter:ipvs.sh                            skip     skip     skip     same
netfilter:nft_flowtable.sh                   fail     fail     fail     same
netfilter:nft_meta.sh                        pass     pass     pass     same
netfilter:nft_nat.sh                         skip     skip     skip     same
netfilter:nft_queue.sh                       skip     skip     skip     same
nsfs:owner                                   pass     pass     pass     same
nsfs:pidns                                   pass     pass     pass     same
proc:fd-001-lookup                           pass     pass     pass     same
proc:fd-002-posix-eq                         pass     pass     pass     same
proc:fd-003-kthread                          pass     pass     pass     same
proc:proc-loadavg-001                        pass     pass     pass     same
proc:proc-self-map-files-001                 pass     pass     pass     same
proc:proc-self-map-files-002                 fail     fail     fail     same
proc:proc-self-syscall                       pass     pass     pass     same
proc:proc-self-wchan                         pass     pass     pass     same
proc:proc-uptime-001                         pass     pass     pass     same
proc:proc-uptime-002                         pass     pass     pass     same
proc:read                                    pass     pass     pass     same
proc:setns-dcache                            fail     fail     fail     same
pstore:pstore_post_reboot_tests              skip     skip     skip     same
pstore:pstore_tests                          fail     fail     fail     same
ptrace:peeksiginfo                           pass     pass     pass     same
ptrace:vmaccess                              fail     fail     fail     same
rseq:basic_percpu_ops_test                   pass     pass     pass     same
rseq:basic_test                              pass     pass     pass     same
rseq:param_test                              pass     pass     pass     same
rseq:param_test_benchmark                    pass     pass     pass     same
rseq:param_test_compare_twice                pass     pass     pass     same
rseq:run_param_test.sh                       fail     fail     fail     same
sgx:test_sgx                                 fail     fail     fail     same
sigaltstack:sas                              pass     pass     pass     same
size:get_size                                pass     pass     pass     same
splice:default_file_splice_read.sh           pass     pass     pass     same
static_keys:test_static_keys.sh              skip     skip     skip     same
tc-testing:tdc.sh                            pass     pass     pass     same
timens:clock_nanosleep                       pass     pass     pass     same
timens:exec                                  pass     pass     pass     same
timens:procfs                                pass     pass     pass     same
timens:timens                                pass     pass     pass     same
timens:timer                                 pass     pass     pass     same
timens:timerfd                               pass     pass     pass     same
timers:inconsistency-check                   fail     fail     fail     same
timers:mqueue-lat                            pass     pass     pass     same
timers:nanosleep                             pass     pass     pass     same
timers:nsleep-lat                            fail     fail     fail     same
timers:posix_timers                          pass     pass     pass     same
timers:rtcpie                                pass     pass     pass     same
timers:set-timer-lat                         fail     fail     fail     same
timers:threadtest                            pass     pass     pass     same
tpm2:test_smoke.sh                           fail     fail     fail     same
tpm2:test_space.sh                           fail     fail     fail     same
vm:run_vmtests                               fail     fail     fail     same
x86:amx_64                                   fail     fail     fail     same
x86:check_initial_reg_state_64               pass     pass     pass     same
x86:corrupt_xstate_header_64                 pass     pass     pass     same
x86:fsgsbase_64                              pass     pass     pass     same
x86:fsgsbase_restore_64                      pass     pass     pass     same
x86:ioperm_64                                pass     pass     pass     same
x86:iopl_64                                  pass     pass     pass     same
x86:mov_ss_trap_64                           pass     pass     pass     same
x86:mpx-mini-test_64                         fail     fail     fail     same
x86:protection_keys_64                       pass     pass     pass     same
x86:sigaltstack_64                           pass     pass     pass     same
x86:sigreturn_64                             pass     pass     pass     same
x86:single_step_syscall_64                   pass     pass     pass     same
x86:syscall_nt_64                            pass     pass     pass     same
x86:sysret_rip_64                            pass     pass     pass     same
x86:sysret_ss_attrs_64                       pass     pass     pass     same
x86:test_mremap_vdso_64                      pass     pass     pass     same
x86:test_vdso_64                             pass     pass     pass     same
x86:test_vsyscall_64                         pass     pass     pass     same
zram:zram.sh                                 pass     pass     pass     same

jira VULN-3807 cve-pre CVE-2022-42720 commit-author Rameshkumar Sundaram <[email protected]> commit a5199b5 Synchronize additions to nontrans_list of transmitting BSS with bss_lock to avoid races. Also when cfg80211_add_nontrans_list() fails __cfg80211_unlink_bss() needs bss_lock to be held (has lockdep assert on bss_lock). So protect the whole block with bss_lock to avoid races and warnings. Found during code review. Fixes: 0b8fb82 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Rameshkumar Sundaram <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Johannes Berg <[email protected]> (cherry picked from commit a5199b5) Signed-off-by: Marcin Wcisło <[email protected]>

jira VULN-3807 cve CVE-2022-42720 commit-author Johannes Berg <[email protected]> commit 0b78088 There are multiple refcounting bugs related to multi-BSSID: - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro. - In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data. - In cfg80211_inform_single_bss_data(), if adding to the non- transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there. This fixes CVE-2022-42720. Reported-by: Sönke Huster <[email protected]> Tested-by: Sönke Huster <[email protected]> Fixes: a3584f5 ("cfg80211: Properly track transmitting and non-transmitting BSS") Signed-off-by: Johannes Berg <[email protected]> (cherry picked from commit 0b78088) Signed-off-by: Marcin Wcisło <[email protected]>

bmastbergen

🥌

PlaidCat

pvts-mat added 2 commits September 23, 2025 01:17

PlaidCat requested review from PlaidCat, kerneltoast, bmastbergen and shreeya-patel98 September 25, 2025 20:34

bmastbergen approved these changes Sep 26, 2025

View reviewed changes

PlaidCat approved these changes Sep 26, 2025

View reviewed changes

PlaidCat merged commit 1809bd0 into ctrliq:ciqlts8_6 Sep 26, 2025
2 of 3 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[LTS 8.6] CVE-2022-42720 #593

[LTS 8.6] CVE-2022-42720 #593

Uh oh!

pvts-mat commented Sep 25, 2025

Uh oh!

bmastbergen left a comment

Uh oh!

PlaidCat left a comment

Uh oh!

Uh oh!

Uh oh!

	bss = container_of(bss->pub.hidden_beacon_bss,
	struct cfg80211_internal_bss,
	pub);

	new->pub.transmitted_bss = tmp->pub.transmitted_bss;
	bss_ref_get(rdev, pbss);

	if (cfg80211_add_nontrans_list(non_tx_data->tx_bss,
	&res->pub)) {
	if (__cfg80211_unlink_bss(rdev, res))
	rdev->bss_generation++;
	}

[LTS 8.6] CVE-2022-42720 #593

[LTS 8.6] CVE-2022-42720 #593

Uh oh!

Conversation

pvts-mat commented Sep 25, 2025

Problem

Affected: yes

bss_ref_get()

cfg80211_bss_update()

cfg80211_inform_single_bss_data()

Solution

kABI check: passed

Boot test: passed

Kselftests: passed relative

Reference

Patch

Comparison

Uh oh!

bmastbergen left a comment

Choose a reason for hiding this comment

Uh oh!

PlaidCat left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

`bss_ref_get()`

`cfg80211_bss_update()`

`cfg80211_inform_single_bss_data()`