From patchwork Wed Jul 28 14:36:38 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Bader <stefan.bader@canonical.com>
X-Patchwork-Id: 1510881
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=Tcd4Y9gJ;
	dkim-atps=neutral
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4GZbp56Vnvz9sT6;
	Thu, 29 Jul 2021 00:36:45 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1m8kfp-0005ST-3l; Wed, 28 Jul 2021 14:36:41 +0000
Received: from smtp-relay-canonical-0.internal ([10.131.114.83]
 helo=smtp-relay-canonical-0.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <stefan.bader@canonical.com>) id 1m8kfn-0005SD-Fu
 for kernel-team@lists.ubuntu.com; Wed, 28 Jul 2021 14:36:39 +0000
Received: from canonical.com (1.general.smb.uk.vpn [10.172.193.28])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest
 SHA256) (No client certificate requested)
 by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 3B29D3F24F
 for <kernel-team@lists.ubuntu.com>; Wed, 28 Jul 2021 14:36:39 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1627482999;
 bh=KOaO54WZj3if7yjX6pAjtkWR4zu9Uiyg6gBI/kDgSLY=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=Tcd4Y9gJ0nEdn25M7ZqN2Ff9bNLn5xuwysWBypY2mNq1gM0JMCLEfNRntGETOMU0+
 50tQ2Lns/H3mxmdGnhSvzQ/jFmrLIMyvUkJdalyLQdDgCABjs3SJAlS4P/14GbB+Ru
 CtHu0iiLPnABysd9U5d4hTGl/do/Nx3Iz8yOmTKA2AVCW5EFwGQVpQ6TlWjdP6NzUT
 fHxxBVLDI6XrwBQ7sD8F118ih/acLOkVBJZmKXTacuthSBzU9KCtbsyTTdGEc4a/We
 X3t2Dxh+9qEOp3CEcL8MlThl+Zq64vpfAm+TuOpKWiCzlsnnj1BwcU610tjDbO0oBP
 ocHA9cl44oFEg==
From: Stefan Bader <stefan.bader@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU Bionic PATCH 1/1] mac80211: fix memory corruption in EAPOL
 handling
Date: Wed, 28 Jul 2021 16:36:38 +0200
Message-Id: <20210728143638.150591-2-stefan.bader@canonical.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210728143638.150591-1-stefan.bader@canonical.com>
References: <20210728143638.150591-1-stefan.bader@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Davis Mosenkovs <davis@mosenkovs.lv>

BugLink: https://bugs.launchpad.net/bugs/1938013

Commit e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL
frames") uses skb_mac_header() before eth_type_trans() is called
leading to incorrect pointer, the pointer gets written to. This issue
has appeared during backporting to 4.4, 4.9 and 4.14.

Fixes: e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL frames")
Link: https://lore.kernel.org/r/CAHQn7pKcyC_jYmGyTcPCdk9xxATwW5QPNph=bsZV8d-HPwNsyA@mail.gmail.com
Cc: <stable@vger.kernel.org> # 4.4.x
Signed-off-by: Davis Mosenkovs <davis@mosenkovs.lv>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

(cherry picked from commit 3b6d3d1884fa31f701603772732c404020b0598d linux.4.14.y)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Tested-by: Juerg Haefliger <juerg.haefliger@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Juerg Haefliger <juergh@canonical.com>
---
 net/mac80211/rx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 95e6d41626d6..7847b168c9ce 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2407,7 +2407,7 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
 #endif
 
 	if (skb) {
-		struct ethhdr *ehdr = (void *)skb_mac_header(skb);
+		struct ethhdr *ehdr = (struct ethhdr *)skb->data;
 
 		/* deliver to local stack */
 		skb->protocol = eth_type_trans(skb, dev);