I found null pointer dereference similar to commit b2d03cabe2b2 ("wifi: mac80211: fix crash in beacon protection for P2P-device") in mac80211. ieee80211_rx_h_check(), ieee80211_drop_unencrypted_mgmt(), ieee80211_rx_h_data() and cfg80211_michael_mic_failure(), like ieee80211_rx_h_decrypt(), use the netdev pointer, which isn't present for P2P-Device. Just like CVE-2022-42722, I add a check for the netdev pointer in these functions.
Signed-off-by: Chen Yufeng <chenyufeng@xxxxxxxxx>
---
 net/mac80211/rx.c | 16 +++++++++-------
 net/mac80211/wpa.c | 3 ++-
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 09beb65d6108..e5928d2c61dc 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1520,7 +1520,7 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
 return RX_CONTINUE;
 }
- if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
+ if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->sdata->dev &&
 cfg80211_rx_spurious_frame(rx->sdata->dev, hdr->addr2,
 GFP_ATOMIC))
@@ -2469,8 +2469,8 @@ ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
 */
 if (!rx->key)
 return RX_CONTINUE;
-
- cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
+ if (rx->sdata->dev)
+ cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
 rx->skb->data, rx->skb->len);
 }
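Review bot: The `rx->sdata->dev` check added to the spurious-frame condition in ieee80211_rx_h_check looks unreachable for the case the commit message describes: the same condition already requires `rx->sdata->vif.type == NL80211_IFTYPE_AP`, and an AP interface has a netdev, so a P2P-Device frame never gets as far as cfg80211_rx_spurious_frame() here. The same applies to the ieee80211_rx_h_data hunk at `@@ -3185`, whose 4-addr notification is also inside an `NL80211_IFTYPE_AP` block. Unless there is another netdev-less interface type that can reach these paths, these two hunks could be dropped so the patch stays limited to the sites the P2P-Device analysis actually covers; if they are kept, the commit message should say which interface type they defend against. The body of ieee80211_rx_h_check continues outside the hunk.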
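Review bot: After wrapping the call in `if (rx->sdata->dev)`, the argument line `rx->skb->data, rx->skb->len);` is left as unchanged context, so it still aligns with the old opening-parenthesis column while the call itself moved one indent level deeper; that continuation line should be re-indented to match the new position of the parenthesis (checkpatch typically flags this as an alignment mismatch). The same applies to the wpa.c hunk at `@@ -182`, where the `is_multicast_ether_addr(hdr->addr1) ?` and keytype argument lines of cfg80211_michael_mic_failure() keep their old alignment. Also, the blank line between `return RX_CONTINUE;` and the call is removed here; keeping it matches the surrounding style. ieee80211_drop_unencrypted_mgmt continues outside the hunk.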
@@ -2479,15 +2479,16 @@ ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
 /* BIP does not use Protected field, so need to check MMIE */
 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
 ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
- if (ieee80211_is_deauth(fc) ||
- ieee80211_is_disassoc(fc))
+ if ((ieee80211_is_deauth(fc) ||
+ ieee80211_is_disassoc(fc)) && rx->sdata->dev)
 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
 rx->skb->data, rx->skb->len);
 return RX_DROP_U_UNPROT_MCAST_MGMT;
 }
 if (unlikely(ieee80211_is_beacon(fc) && rx->key &&
- ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
+ ieee80211_get_mmie_keyidx(rx->skb) < 0) &&
+ rx->sdata->dev) {
 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
 rx->skb->data, rx->skb->len);
@@ -3185,7 +3186,8 @@ ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
 if (ieee80211_has_a4(hdr->frame_control) &&
 sdata->vif.type == NL80211_IFTYPE_AP) {
 if (rx->sta &&
- !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT))
+ !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT) &&
+ rx->sdata->dev)
 cfg80211_rx_unexpected_4addr_frame(
 rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC);
 return RX_DROP;
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 40d5d9e48479..54754d1da9dd 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -182,7 +182,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
 * a driver that supports HW encryption. Send up the key idx only if
 * the key is set.
 */
- cfg80211_michael_mic_failure(rx->sdata->dev, hdr->addr2,
+ if (rx->sdata->dev)
+ cfg80211_michael_mic_failure(rx->sdata->dev, hdr->addr2,
 is_multicast_ether_addr(hdr->addr1) ?
 NL80211_KEYTYPE_GROUP :
 NL80211_KEYTYPE_PAIRWISE,
-- 
2.34.1
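Review bot: In the beacon branch the new `&& rx->sdata->dev` is made part of the `if (unlikely(ieee80211_is_beacon(fc) && rx->key && ...))` condition itself, so on an interface without a netdev an unprotected beacon no longer enters the block at all, and whatever follows the notification inside that block (past the hunk's last line, presumably the drop) is skipped along with it — the frame would then continue through the RX path instead of being rejected. The NULL guard should cover only the notification, exactly as the deauth/disassoc branch just above and the referenced commit b2d03cabe2b2 do: leave the outer condition as it was and inside the block write `if (rx->sdata->dev)` followed by `cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, rx->skb->data, rx->skb->len);`. ieee80211_drop_unencrypted_mgmt continues outside the hunk.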