From 869f809aaa03b5475f8a8b9993ce55827e3bdf3f Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 23 Dec 2019 09:13:46 -0600 Subject: [PATCH] Linux v5.5-rc3 --- kernel.spec | 16 +- ...n-mmwifiex_process_tdls_action_frame.patch | 226 ------------------ netfilter_ppc_fix.patch | 69 ------ sources | 3 +- 4 files changed, 6 insertions(+), 308 deletions(-) delete mode 100644 mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch delete mode 100644 netfilter_ppc_fix.patch diff --git a/kernel.spec b/kernel.spec index 76730ed85..e676bb327 100644 --- a/kernel.spec +++ b/kernel.spec @@ -102,9 +102,9 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%global rcrev 2 +%global rcrev 3 # The git snapshot level -%define gitrev 3 +%define gitrev 0 # Set rpm version accordingly %define rpmversion 5.%{upstream_sublevel}.0 %endif @@ -850,19 +850,10 @@ Patch504: 0001-mm-kmemleak-skip-late_init-if-not-skip-disable.patch # https://lkml.org/lkml/2019/8/29/1772 Patch505: ARM-fix-__get_user_check-in-case-uaccess_-calls-are-not-inlined.patch -# CVE-2019-14895 rhbz 1774870 1776139 -Patch525: mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch - # CVE-2019-14896 rhbz 1774875 1776143 # CVE-2019-14897 rhbz 1774879 1776146 Patch526: libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch -# CVE-2019-14901 rhbz 1773519 1776184 -Patch527: mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch - -# Test fix for PPC build -Patch528: netfilter_ppc_fix.patch - # END OF PATCH DEFINITIONS %endif @@ -2898,6 +2889,9 @@ fi # # %changelog +* Mon Dec 23 2019 Justin M. Forbes - 5.5.0-0.rc3.git0.1 +- Linux v5.5-rc3 + * Mon Dec 23 2019 Justin M. Forbes - Disable debugging options. 
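Review bot: The second kernel.spec hunk (`@@ -850,19 +850,10 @@`) drops the Patch525 and Patch527 definitions for CVE-2019-14895 and CVE-2019-14901, plus the Patch528 PPC build workaround, but neither the subject nor the new changelog entry records why they go; if the fixes are in v5.5-rc3 upstream, as the rebase implies, the changelog entry should state it, e.g. `- Linux v5.5-rc3` followed by `- Drop CVE-2019-14895 and CVE-2019-14901 fixes, now upstream`, so the rhbz references being removed from the spec can be matched to a stated upstream version. The diffstat shows only the tdls and netfilter patch files being deleted, while mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch, unreferenced once Patch525 is gone, stays in the tree as an orphan; deleting it in the same commit keeps the repository consistent with the spec. The first and third hunks are a plain rc bump and changelog addition and need nothing further.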
diff --git a/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch b/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
deleted file mode 100644
index bfd39e5a9..000000000
--- a/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
+++ /dev/null
@@ -1,226 +0,0 @@ -From patchwork Fri Nov 22 09:43:49 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: qize wang -X-Patchwork-Id: 11257535 -X-Patchwork-Delegate: kvalo@adurom.com -Return-Path: -Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org - [172.30.200.123]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 311581390 - for ; - Fri, 22 Nov 2019 09:44:01 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id 09A6920708 - for ; - Fri, 22 Nov 2019 09:44:01 +0000 (UTC) -Authentication-Results: mail.kernel.org; - dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com - header.b="gFC1GPvm" -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1726802AbfKVJoA (ORCPT - ); - Fri, 22 Nov 2019 04:44:00 -0500 -Received: from mail-pj1-f65.google.com ([209.85.216.65]:35154 "EHLO - mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1726500AbfKVJoA (ORCPT - ); - Fri, 22 Nov 2019 04:44:00 -0500 -Received: by mail-pj1-f65.google.com with SMTP id s8so2836990pji.2 - for ; - Fri, 22 Nov 2019 01:43:57 -0800 (PST) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=gmail.com; s=20161025; - h=from:content-transfer-encoding:mime-version:subject:message-id:date - :cc:to; - bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=; - b=gFC1GPvmciglvQH3QRWVdrtGLMliah1xCIA8nZta7Mis7sATxTwTG/XMZ/G4Zb8efA - bvc58q+E3uHBiZOOCVFqZrDhJzM1SJVkOtFKPIquJLhmKms1Rd7FLwLFKwbq9DKE28C4 - crZUPOja7RMESC2jajleQdZ9YO/o/LEA+6QmEKIQFZ11R7j/qT/bNTdf08hDTINa7VVq - r20OL/q5iTBYBqodQaQVOPHH7f8iRs46gS/23GSX8E8Lo920r4wtTUPXXBidt0bay7ID - L2CF8vLLDGRe4Dohd71wCJgl54yVxF1Fi9qAvQluyVTulAtDVNw8Ol9hFdLa9R7j2M2z - 9wWw== -X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=1e100.net; s=20161025; - h=x-gm-message-state:from:content-transfer-encoding:mime-version - 
:subject:message-id:date:cc:to; - bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=; - b=lGAdjvr9L1WcGIvtpY5RO07jVV2t+CQ7rGsSqHcqyoDarWzcfl+FowtU0U+OV0Uf0k - Dxs4mJ+rml43X7SrPljpiHzQB1mRWWnTcIKwO9YFH1DbuMxYpTV/AdDtkyLGwQEPCTu2 - U/RIv2CvLNWTGQYXAqUH4wZJ0MAo0w2fWX8QeMCWarAPRgOsyeT9LEZQT6ypWzy9bAKs - ri4P+HqxmhlvDFb3ij0pl0x7hhOOhDCSdzZEfy8MGL/wmxdbOLM5AV8DevGNLEZHZrJ9 - AHHgRlkUPn5esIeIhTiYu3hox+z4GLrcRZccqcL3O9QM9rKX6SyNF9MjoEIgD5WK7ycl - Tlvg== -X-Gm-Message-State: APjAAAVLU8HZian8Pqy8r1Iwnjga8cqc70tKNQWQHXIQ/WEWDgKWDzip - dkM+yuOUv3M4BD3u8wHsttGE4Sk9BqOSqA== -X-Google-Smtp-Source: - APXvYqxWR1wx4sFD+yyfHofiemrR7B+b6xLDxQu9tS4dKDTYtMBUggkRWVG0Y4CUsP1DbHGVYW2rGg== -X-Received: by 2002:a17:90a:c004:: with SMTP id - p4mr17937350pjt.104.1574415837353; - Fri, 22 Nov 2019 01:43:57 -0800 (PST) -Received: from [127.0.0.1] (187.220.92.34.bc.googleusercontent.com. - [34.92.220.187]) - by smtp.gmail.com with ESMTPSA id - 71sm6800121pfx.107.2019.11.22.01.43.52 - (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); - Fri, 22 Nov 2019 01:43:56 -0800 (PST) -From: qize wang -Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\)) -Subject: [PATCH] mwifiex: Fix heap overflow in - mmwifiex_process_tdls_action_frame() -Message-Id: -Date: Fri, 22 Nov 2019 17:43:49 +0800 -Cc: amitkarwar , nishants , - gbhat , huxinming820 , - kvalo , Greg KH , - security , - linux-distros , - "dan.carpenter" , - Solar Designer -To: linux-wireless@vger.kernel.org -X-Mailer: Apple Mail (2.3445.6.18) -Sender: linux-wireless-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-wireless@vger.kernel.org - -mwifiex_process_tdls_action_frame() without checking -the incoming tdls infomation element's vality before use it, -this may cause multi heap buffer overflows. - -Fix them by putting vality check before use it. 
- -Signed-off-by: qize wang ---- -drivers/net/wireless/marvell/mwifiex/tdls.c | 70 ++++++++++++++++++++++++++--- -1 file changed, 64 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c -index 18e654d..7f60214 100644 ---- a/drivers/net/wireless/marvell/mwifiex/tdls.c -+++ b/drivers/net/wireless/marvell/mwifiex/tdls.c -@@ -954,59 +954,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, - - switch (*pos) { - case WLAN_EID_SUPP_RATES: -+ if (pos[1] > 32) -+ return; - sta_ptr->tdls_cap.rates_len = pos[1]; - for (i = 0; i < pos[1]; i++) - sta_ptr->tdls_cap.rates[i] = pos[i + 2]; - break; - - case WLAN_EID_EXT_SUPP_RATES: -+ if (pos[1] > 32) -+ return; - basic = sta_ptr->tdls_cap.rates_len; -+ if (pos[1] > 32 - basic) -+ return; - for (i = 0; i < pos[1]; i++) - sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2]; - sta_ptr->tdls_cap.rates_len += pos[1]; - break; - case WLAN_EID_HT_CAPABILITY: -- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos, -+ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2) -+ return; -+ if (pos[1] != sizeof(struct ieee80211_ht_cap)) -+ return; -+ /* copy the ie's value into ht_capb*/ -+ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2, - sizeof(struct ieee80211_ht_cap)); - sta_ptr->is_11n_enabled = 1; - break; - case WLAN_EID_HT_OPERATION: -- memcpy(&sta_ptr->tdls_cap.ht_oper, pos, -+ if (pos > end - -+ sizeof(struct ieee80211_ht_operation) - 2) -+ return; -+ if (pos[1] != sizeof(struct ieee80211_ht_operation)) -+ return; -+ /* copy the ie's value into ht_oper*/ -+ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2, - sizeof(struct ieee80211_ht_operation)); - break; - case WLAN_EID_BSS_COEX_2040: -+ if (pos > end - 3) -+ return; -+ if (pos[1] != 1) -+ return; - sta_ptr->tdls_cap.coex_2040 = pos[2]; - break; - case WLAN_EID_EXT_CAPABILITY: -+ if (pos > end - sizeof(struct ieee_types_header)) -+ return; -+ if (pos[1] < sizeof(struct ieee_types_header)) -+ 
return; -+ if (pos[1] > 8) -+ return; - memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos, - sizeof(struct ieee_types_header) + - min_t(u8, pos[1], 8)); - break; - case WLAN_EID_RSN: -+ if (pos > end - sizeof(struct ieee_types_header)) -+ return; -+ if (pos[1] < sizeof(struct ieee_types_header)) -+ return; -+ if (pos[1] > IEEE_MAX_IE_SIZE - -+ sizeof(struct ieee_types_header)) -+ return; - memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos, - sizeof(struct ieee_types_header) + - min_t(u8, pos[1], IEEE_MAX_IE_SIZE - - sizeof(struct ieee_types_header))); - break; - case WLAN_EID_QOS_CAPA: -+ if (pos > end - 3) -+ return; -+ if (pos[1] != 1) -+ return; - sta_ptr->tdls_cap.qos_info = pos[2]; - break; - case WLAN_EID_VHT_OPERATION: -- if (priv->adapter->is_hw_11ac_capable) -- memcpy(&sta_ptr->tdls_cap.vhtoper, pos, -+ if (priv->adapter->is_hw_11ac_capable) { -+ if (pos > end - -+ sizeof(struct ieee80211_vht_operation) - 2) -+ return; -+ if (pos[1] != -+ sizeof(struct ieee80211_vht_operation)) -+ return; -+ /* copy the ie's value into vhtoper*/ -+ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2, - sizeof(struct ieee80211_vht_operation)); -+ } - break; - case WLAN_EID_VHT_CAPABILITY: - if (priv->adapter->is_hw_11ac_capable) { -- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos, -+ if (pos > end - -+ sizeof(struct ieee80211_vht_cap) - 2) -+ return; -+ if (pos[1] != sizeof(struct ieee80211_vht_cap)) -+ return; -+ /* copy the ie's value into vhtcap*/ -+ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2, - sizeof(struct ieee80211_vht_cap)); - sta_ptr->is_11ac_enabled = 1; - } - break; - case WLAN_EID_AID: -- if (priv->adapter->is_hw_11ac_capable) -+ if (priv->adapter->is_hw_11ac_capable) { -+ if (pos > end - 4) -+ return; -+ if (pos[1] != 2) -+ return; - sta_ptr->tdls_cap.aid = - get_unaligned_le16((pos + 2)); -+ } -+ break; - default: - break; - } diff --git a/netfilter_ppc_fix.patch b/netfilter_ppc_fix.patch deleted file mode 100644 index 421f80d41..000000000 
--- a/netfilter_ppc_fix.patch
+++ /dev/null
@@ -1,69 +0,0 @@ -From: Pablo Neira Ayuso -Date: Sat, 07 Dec 2019 17:38:05 +0000 -To: netfilter-devel -Subject: Re: [PATCH] netfilter: nf_flow_table_offload: Correct memcpy size for flow_overload_mangle - -I'm attaching a tentative patch to address this problem. - -Thanks. - -diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c -index c54c9a6cc981..3d6b2bea9a63 100644 ---- a/net/netfilter/nf_flow_table_offload.c -+++ b/net/netfilter/nf_flow_table_offload.c -@@ -326,23 +326,23 @@ static void flow_offload_port_snat(struct net *net, - struct nf_flow_rule *flow_rule) - { - struct flow_action_entry *entry = flow_action_entry_next(flow_rule); -- u32 mask = ~htonl(0xffff0000); -- __be16 port; -+ u32 mask = ~htonl(0xffff0000), port; - u32 offset; - - switch (dir) { - case FLOW_OFFLOAD_DIR_ORIGINAL: -- port = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port; -+ port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port); - offset = 0; /* offsetof(struct tcphdr, source); */ - break; - case FLOW_OFFLOAD_DIR_REPLY: -- port = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port; -+ port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port); - offset = 0; /* offsetof(struct tcphdr, dest); */ - break; - default: - break; - } - -+ port = htonl(port << 16); - flow_offload_mangle(entry, flow_offload_l4proto(flow), offset, - (u8 *)&port, (u8 *)&mask); - } -@@ -353,23 +353,23 @@ static void flow_offload_port_dnat(struct net *net, - struct nf_flow_rule *flow_rule) - { - struct flow_action_entry *entry = flow_action_entry_next(flow_rule); -- u32 mask = ~htonl(0xffff); -- __be16 port; -+ u32 mask = ~htonl(0xffff), port; - u32 offset; - - switch (dir) { - case FLOW_OFFLOAD_DIR_ORIGINAL: -- port = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port; -+ port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port); - offset = 0; /* offsetof(struct tcphdr, source); */ - break; - case FLOW_OFFLOAD_DIR_REPLY: -- 
port = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port; -+ port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port); - offset = 0; /* offsetof(struct tcphdr, dest); */ - break; - default: - break; - } - -+ port = htonl(port); - flow_offload_mangle(entry, flow_offload_l4proto(flow), offset, - (u8 *)&port, (u8 *)&mask); - } diff --git a/sources b/sources index df3570765..a317232a9 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ SHA512 (linux-5.4.tar.xz) = 9f60f77e8ab972b9438ac648bed17551c8491d6585a5e85f694b2eaa4c623fbc61eb18419b2656b6795eac5deec0edaa04547fc6723fbda52256bd7f3486898f -SHA512 (patch-5.5-rc2.xz) = cc16ea1a423626ba6a03140a140a77b16202bedb9f2cb11cf0443c7381c005f65868054a2328744e9c40a361a91df1f9d041235df3bc0706fbcec9e9840e6b9a -SHA512 (patch-5.5-rc2-git3.xz) = 22a758cf19d8df70bb53420737d11eb0ef23cf982726bfd4108bda042d89cd7da31d95ca062818c680766c4e43db4af6edba989547ca574145a9a289bb8bd6ff +SHA512 (patch-5.5-rc3.xz) = 9fec378a1e4c0bf420e3cb879bf3ece57d92802b092f2e1320c3d07bb6f7eea2a002f7c774506ef1b32d89160a05bc6aab0a86ba860101004c321ea7fe7a6c31