CVE-2022-49942

Summary

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected

When we are not connected to a channel, sending channel "switch" announcement doesn't make any sense.

The BSS list is empty in that case. This causes the for loop in cfg80211_get_bss() to be bypassed, so the function returns NULL (check line 1424 of net/wireless/scan.c), causing the WARN_ON() in ieee80211_ibss_csa_beacon() to get triggered (check line 500 of net/mac80211/ibss.c), which was consequently reported on the syzkaller dashboard.

Thus, check if we have an existing connection before generating the CSA beacon in ieee80211_ibss_finish_csa().

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxcd7760e62c2ac8581f050b2d36501d1a60beaf83 < cdb9a8da9b84800eb15506cd9363cf0cf059e677affected
LinuxLinuxcd7760e62c2ac8581f050b2d36501d1a60beaf83 < 1691a48aef0a82d1754b9853dae7e3f5cacdf70baffected
LinuxLinuxcd7760e62c2ac8581f050b2d36501d1a60beaf83 < d9eb37db6a28b59a95a3461450ee209654c5f95baffected
LinuxLinuxcd7760e62c2ac8581f050b2d36501d1a60beaf83 < 66689c5c02acd4d76c28498fe220998610aec61eaffected
LinuxLinuxcd7760e62c2ac8581f050b2d36501d1a60beaf83 < dd649b49219a0388cc10fc40e4c2ea681566a780affected
LinuxLinuxcd7760e62c2ac8581f050b2d36501d1a60beaf83 < 552ba102a6898630a7d16887f29e606d6fabe508affected
LinuxLinuxcd7760e62c2ac8581f050b2d36501d1a60beaf83 < 864e280cb3a9a0f5212b16ef5057c4e692f7039daffected
LinuxLinuxcd7760e62c2ac8581f050b2d36501d1a60beaf83 < 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0affected
LinuxLinux3.13affected
LinuxLinux0 < 3.13unaffected
LinuxLinux4.9.328 <= 4.9.*unaffected
LinuxLinux4.14.293 <= 4.14.*unaffected
LinuxLinux4.19.258 <= 4.19.*unaffected
LinuxLinux5.4.213 <= 5.4.*unaffected
LinuxLinux5.10.142 <= 5.10.*unaffected
LinuxLinux5.15.66 <= 5.15.*unaffected
LinuxLinux5.19.8 <= 5.19.*unaffected
LinuxLinux6.0 <= *unaffected

Weaknesses

References