CVE-2021-47194 cfg80211: call cfg80211_stop_ap when switch from P2P_GO type

2024-04-1018:56:31

Linux

github.com

linux kernel

cfg80211

nl80211_iftype_p2p_go

nl80211_iftype_adhoc

initialization

data corruption

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In the Linux kernel, the following vulnerability has been resolved:

cfg80211: call cfg80211_stop_ap when switch from P2P_GO type

If the userspace tools switch from NL80211_IFTYPE_P2P_GO to
NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it
does not call the cleanup cfg80211_stop_ap(), this leads to the
initialization of in-use data. For example, this path re-init the
sdata->assigned_chanctx_list while it is still an element of
assigned_vifs list, and makes that linked list corrupt.

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "ac800140c20e",
        "lessThan": "8f06bb8c216b",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "ac800140c20e",
        "lessThan": "0738cdb636c2",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "ac800140c20e",
        "lessThan": "4e458abbb4a5",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "ac800140c20e",
        "lessThan": "b8a045e2a9b2",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "ac800140c20e",
        "lessThan": "52affc201fc2",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "ac800140c20e",
        "lessThan": "7b97b5776daa",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "ac800140c20e",
        "lessThan": "5a9b671c8d74",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "ac800140c20e",
        "lessThan": "563fbefed46a",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "net/wireless/util.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "3.6"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "3.6",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "4.4.293",
        "versionType": "custom",
        "lessThanOrEqual": "4.4.*"
      },
      {
        "status": "unaffected",
        "version": "4.9.291",
        "versionType": "custom",
        "lessThanOrEqual": "4.9.*"
      },
      {
        "status": "unaffected",
        "version": "4.14.256",
        "versionType": "custom",
        "lessThanOrEqual": "4.14.*"
      },
      {
        "status": "unaffected",
        "version": "4.19.218",
        "versionType": "custom",
        "lessThanOrEqual": "4.19.*"
      },
      {
        "status": "unaffected",
        "version": "5.4.162",
        "versionType": "custom",
        "lessThanOrEqual": "5.4.*"
      },
      {
        "status": "unaffected",
        "version": "5.10.82",
        "versionType": "custom",
        "lessThanOrEqual": "5.10.*"
      },
      {
        "status": "unaffected",
        "version": "5.15.5",
        "versionType": "custom",
        "lessThanOrEqual": "5.15.*"
      },
      {
        "status": "unaffected",
        "version": "5.16",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "net/wireless/util.c"
    ],
    "defaultStatus": "affected"
  }
]