Fix a number of CVEs

This commit is contained in:
Justin M. Forbes 2019-11-25 10:19:55 -06:00
parent facf80d5e3
commit be6041e7ff
5 changed files with 649 additions and 0 deletions

View File

@ -0,0 +1,154 @@
From patchwork Fri Sep 20 01:36:26 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Navid Emamdoost <navid.emamdoost@gmail.com>
X-Patchwork-Id: 11153701
Return-Path:
<SRS0=bWbZ=XP=lists.infradead.org=ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
[172.30.200.123])
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D3F0714DB
for <patchwork-ath10k@patchwork.kernel.org>;
Fri, 20 Sep 2019 01:36:54 +0000 (UTC)
Received: from bombadil.infradead.org (bombadil.infradead.org
[198.137.202.133])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.kernel.org (Postfix) with ESMTPS id B1A2E206C2
for <patchwork-ath10k@patchwork.kernel.org>;
Fri, 20 Sep 2019 01:36:54 +0000 (UTC)
Authentication-Results: mail.kernel.org;
dkim=pass (2048-bit key) header.d=lists.infradead.org
header.i=@lists.infradead.org header.b="bhsKgarK";
dkim=fail reason="signature verification failed" (2048-bit key)
header.d=gmail.com header.i=@gmail.com header.b="nljLTTHa"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B1A2E206C2
Authentication-Results: mail.kernel.org;
dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: mail.kernel.org;
spf=none
smtp.mailfrom=ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=lists.infradead.org; s=bombadil.20170209; h=Sender:
Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date:
Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:
Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
References:List-Owner; bh=TgqIPzTUSDBMffxK6MmqtQ+I81SfWmrbmWLuWLbhwV8=; b=bhs
KgarKUaVoFaf/6TPo+T+LIemPUgT0DioZ9Aa4cXD7m02vV5SrBodW911B9amgDGQ4ipx7UyAgOokS
QqumgU8MLbC9VEmDHseDYkrMDJvPAVL/+Ou5bAAoDDa4G14hJi1RWh5lsdIJBMKmjMI9KcW7qFdEj
eQ6JBoJXliaYp31BoAPEbyBnG4b8RQxO6wT9wA+/Bs8gR8bBQN9Wjo7zsIKHobQbKfAXTTRwn46dt
J7kt19264hkIv2Dr3UQc7W8kYL09TmllYFjEGYTOuGFEOoHlejt6CpbUnh0mdPtDggPPxsQ+e/f/h
0dGNUqgR/L7R5/70DbHnF24DnXzwfQw==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
by bombadil.infradead.org with esmtp (Exim 4.92.2 #3 (Red Hat Linux))
id 1iB7qu-0006An-U6; Fri, 20 Sep 2019 01:36:52 +0000
Received: from mail-io1-xd43.google.com ([2607:f8b0:4864:20::d43])
by bombadil.infradead.org with esmtps (Exim 4.92.2 #3 (Red Hat Linux))
id 1iB7qr-0006A2-PC
for ath10k@lists.infradead.org; Fri, 20 Sep 2019 01:36:51 +0000
Received: by mail-io1-xd43.google.com with SMTP id q10so12531160iop.2
for <ath10k@lists.infradead.org>; Thu, 19 Sep 2019 18:36:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=from:to:cc:subject:date:message-id;
bh=2vkYM2Vw9GpvccAiSSIMhifEzfuK8Ld4R3bwXVgh1ps=;
b=nljLTTHaQr3RenMHyxOGrtAwE/I0ES0GK9UJLdYkS7iEalzRrwu+/ygif0A/YnEFuE
fMLFG5zBRN2I7SpqvTBqaxAYJbA+a5Nnb5ymeV3s6Ef+CcGHE165IRfi+4dxEt/RvV3k
4CjBDTDWGnnBO1wfDcS0WW9TqjJEoxFKWNCL+8oAzUyMten4zs8XPRUPlZVc5dHnkqC9
LmLWnaSBjm2g5JG0GJKSrT8KrYP2mv4yGUR0HaWruQWwfQQ8NJc2RyXm1Ml99KZkoU73
TG98jQSy2dcHrVqaNRfpAtyj0WEwXdLqMfT1ggk69p1ZfC7ol/7QEQxzgDIU0EFn2r59
owvA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:from:to:cc:subject:date:message-id;
bh=2vkYM2Vw9GpvccAiSSIMhifEzfuK8Ld4R3bwXVgh1ps=;
b=h6uidvjJA/lvtevOi6n+lWV9vjtx5XM1d7kRlAFgObUBjJMIap329Jxa7uA0de8dx/
4ANBCQj9/8psgTYwWqBv0bJH+7IC+ewxZb2m3z1dMYwsFp8coTyMryaBVWb4trh0My3B
XT2OseKTL0iAiy35/SDbWV/5FljTuVmto5Jgglq6lB3uPpQVIGu46UY8kNKwuIdNseow
y4r+4w82KCHMoANJmlEPlFYb7xnmENPIdx0ZITs6ISjjvTICaf8nyA3OgqPCI5l3/DCb
3plewsEuTwGiFXPqJx2ldY3gIwfH8D7w1MLxadUUL6o2fDRt0ZjFbJuUk/tiX/EM5MOL
W3dQ==
X-Gm-Message-State: APjAAAWIX+IMQ2tM7gV9yX2n6iqisUO1ysXCEYfl/P1BcWwlYgTk8xNq
/djn9P594uwGss08Ku8JA9E=
X-Google-Smtp-Source:
APXvYqzLPqJkNUviwDSfcaSYJH+eUFOLc0fBeZpgji797e/U5UAY6XAi9Cq7iKldElsnElvAmFWNCw==
X-Received: by 2002:a6b:8f15:: with SMTP id r21mr3490587iod.259.1568943406715;
Thu, 19 Sep 2019 18:36:46 -0700 (PDT)
Received: from cs-dulles.cs.umn.edu (cs-dulles.cs.umn.edu. [128.101.35.54])
by smtp.googlemail.com with ESMTPSA id x12sm335602ioh.76.2019.09.19.18.36.45
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 19 Sep 2019 18:36:45 -0700 (PDT)
From: Navid Emamdoost <navid.emamdoost@gmail.com>
To:
Subject: [PATCH] ath10k: fix memory leak
Date: Thu, 19 Sep 2019 20:36:26 -0500
Message-Id: <20190920013632.30796-1-navid.emamdoost@gmail.com>
X-Mailer: git-send-email 2.17.1
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3
X-CRM114-CacheID: sfid-20190919_183649_845813_A1A80F7F
X-CRM114-Status: UNSURE ( 7.25 )
X-CRM114-Notice: Please train this message.
X-Spam-Score: -0.2 (/)
X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary:
Content analysis details: (-0.2 points)
pts rule name description
---- ----------------------
--------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/,
no trust [2607:f8b0:4864:20:0:0:0:d43 listed in]
[list.dnswl.org]
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
provider (navid.emamdoost[at]gmail.com)
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily
valid
X-BeenThere: ath10k@lists.infradead.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ath10k.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/ath10k>,
<mailto:ath10k-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/ath10k/>
List-Post: <mailto:ath10k@lists.infradead.org>
List-Help: <mailto:ath10k-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/ath10k>,
<mailto:ath10k-request@lists.infradead.org?subject=subscribe>
Cc: linux-wireless@vger.kernel.org, kjlu@umn.edu,
linux-kernel@vger.kernel.org,
ath10k@lists.infradead.org, emamd001@umn.edu, smccaman@umn.edu,
netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
Kalle Valo <kvalo@codeaurora.org>,
Navid Emamdoost <navid.emamdoost@gmail.com>
MIME-Version: 1.0
Sender: "ath10k" <ath10k-bounces@lists.infradead.org>
Errors-To:
ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org
In ath10k_usb_hif_tx_sg the allocated urb should be released if
usb_submit_urb fails.
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
drivers/net/wireless/ath/ath10k/usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c
index e1420f67f776..730ed22e08a0 100644
--- a/drivers/net/wireless/ath/ath10k/usb.c
+++ b/drivers/net/wireless/ath/ath10k/usb.c
@@ -435,6 +435,7 @@ static int ath10k_usb_hif_tx_sg(struct ath10k *ar, u8 pipe_id,
ath10k_dbg(ar, ATH10K_DBG_USB_BULK,
"usb bulk transmit failed: %d\n", ret);
usb_unanchor_urb(urb);
+ usb_free_urb(urb);
ret = -EINVAL;
goto err_free_urb_to_pipe;
}

View File

@ -840,6 +840,19 @@ Patch522: mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
# CVE-2019-19054 rhbz 1775063 1775117 # CVE-2019-19054 rhbz 1775063 1775117
Patch524: media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch Patch524: media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
# CVE-2019-14895 rhbz 1774870 1776139
Patch525: mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
# CVE-2019-14896 rhbz 1774875 1776143
# CVE-2019-14897 rhbz 1774879 1776146
Patch526: libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
# CVE-2019-14901 rhbz 1773519 1776184
Patch527: mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
# CVE-2019-19078 rhbz 1776354 1776353
Patch528: ath10k-fix-memory-leak.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
%endif %endif
@ -2538,6 +2551,13 @@ fi
# #
# #
%changelog %changelog
* Mon Nov 25 2019 Justin M. Forbes <jforbes@fedoraproject.org>
- Fix CVE-2019-14895 (rhbz 1774870 1776139)
- Fix CVE-2019-14896 (rhbz 1774875 1776143)
- Fix CVE-2019-14897 (rhbz 1774879 1776146)
- Fix CVE-2019-14901 (rhbz 1773519 1776184)
- Fix CVE-2019-19078 (rhbz 1776354 1776353)
* Mon Nov 25 2019 Jeremy Cline <jcline@redhat.com> - 5.4.0-1 * Mon Nov 25 2019 Jeremy Cline <jcline@redhat.com> - 5.4.0-1
- Linux v5.4.0 - Linux v5.4.0

View File

@ -0,0 +1,120 @@
From patchwork Fri Nov 22 05:29:17 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: huangwenabc@gmail.com
X-Patchwork-Id: 11257187
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <SRS0=Y0IC=ZO=vger.kernel.org=linux-wireless-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
[172.30.200.123])
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 032DA112B
for <patchwork-linux-wireless@patchwork.kernel.org>;
Fri, 22 Nov 2019 05:29:36 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
by mail.kernel.org (Postfix) with ESMTP id D68A920707
for <patchwork-linux-wireless@patchwork.kernel.org>;
Fri, 22 Nov 2019 05:29:35 +0000 (UTC)
Authentication-Results: mail.kernel.org;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.b="WaDUta6X"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1726719AbfKVF3f (ORCPT
<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
Fri, 22 Nov 2019 00:29:35 -0500
Received: from mail-pf1-f194.google.com ([209.85.210.194]:43041 "EHLO
mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1726529AbfKVF3e (ORCPT
<rfc822;linux-wireless@vger.kernel.org>);
Fri, 22 Nov 2019 00:29:34 -0500
Received: by mail-pf1-f194.google.com with SMTP id 3so2912048pfb.10
for <linux-wireless@vger.kernel.org>;
Thu, 21 Nov 2019 21:29:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=from:to:cc:subject:date:message-id;
bh=9G4UM2vhuEG4TSdFZTVuZ71GTOHLABBI6xxxI/2Oncw=;
b=WaDUta6XODn4hzzqR0np+iPcfBChaSE05EpSM8UrALWvgf7x/9f0e8SMvgXTGXaN74
Irmx+lKSr5piR/mhpfRO+HVN7bu7ukOSsxCxlNav6kvJn3SG/q0TV9VGoWEKM+8yISrK
Bc5MtndhyGLDrWQFgc5fSdMf+/79HC0AWnnavMoEKxnAti/HKBQnIPreGoLnrWIpbhXZ
EdU3ei0kxlwAUbNl8/FywUG2qzQeoeh5RranVfooFhbBQ0QfNtx3k3ARWrVdT9uV7QtX
pcpYtJsjn94TXL0llHTzpE182eTvmUrzxf89ubigJh+EYnryHC+HUHZoVtjYtbjidWoV
I0FQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:from:to:cc:subject:date:message-id;
bh=9G4UM2vhuEG4TSdFZTVuZ71GTOHLABBI6xxxI/2Oncw=;
b=gNC3IOfmB1H65frnsn63mdzaxphxG6xvR0SHEIOJSaWI/Jx9VK+CfnGr+7pOQZ/Pyw
wORhpVi6EbFsE7mVKbjlJ7O96hk14FnUKSPVOhl9NH4xXBktd7sJc5Z36N3J6RRv9Cfc
gQWPy1otHKeNz1riMgHcbkaiKj3CANpJ6gaAE/R8EjWLXjS7Bw/vBgQSr5WnAVV27Ppw
Flrks3Qv8BGkRUCymKArD05r646Fx1ew/FI7oGyKQhxxWJPuv5RoVTGPbAC1unU+zjfN
2XNdr1yKKfY4R5S8q49FeHsN5Mb+lmriUPdLPL062UzQ7x/pTzfh3rI9Lf92jMJiJ9/n
9zPw==
X-Gm-Message-State: APjAAAVgSeSrlZfb2Ch2KXDFaNq6RLCJCvq40zW4toublIDi1zh7feyc
srNh0xN+iNrBCzEMbsxDKJS2IOoUYXc=
X-Google-Smtp-Source:
APXvYqwPwHZStvNKOZtUBWgPYiEFiNFqEQLMngqNoFN6jFqDKFjISduUPDUYh2y907mFwD+Qn6zs9w==
X-Received: by 2002:a63:7456:: with SMTP id
e22mr14245471pgn.314.1574400573682;
Thu, 21 Nov 2019 21:29:33 -0800 (PST)
Received: from localhost ([38.121.20.202])
by smtp.gmail.com with ESMTPSA id
x192sm5658165pfd.96.2019.11.21.21.29.32
(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
Thu, 21 Nov 2019 21:29:32 -0800 (PST)
From: huangwenabc@gmail.com
To: linux-wireless@vger.kernel.org
Cc: linux-distros@vs.openwall.org, security@kernel.org,
libertas-dev@lists.infradead.org
Subject: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor
Date: Fri, 22 Nov 2019 13:29:17 +0800
Message-Id: <20191122052917.11309-1-huangwenabc@gmail.com>
X-Mailer: git-send-email 2.17.1
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
From: Wen Huang <huangwenabc@gmail.com>
add_ie_rates() copys rates without checking the length
in bss descriptor from remote AP.when victim connects to
remote attacker, this may trigger buffer overflow.
lbs_ibss_join_existing() copys rates without checking the length
in bss descriptor from remote IBSS node.when victim connects to
remote attacker, this may trigger buffer overflow.
Fix them by putting the length check before performing copy.
This fix addresses CVE-2019-14896 and CVE-2019-14897.
Signed-off-by: Wen Huang <huangwenabc@gmail.com>
---
drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
index 57edfada0..290280764 100644
--- a/drivers/net/wireless/marvell/libertas/cfg.c
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int *nrates)
int hw, ap, ap_max = ie[1];
u8 hw_rate;
+ if (ap_max > MAX_RATES) {
+ lbs_deb_assoc("invalid rates\n");
+ return tlv;
+ }
/* Advance past IE header */
ie += 2;
@@ -1777,6 +1781,10 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
} else {
int hw, i;
u8 rates_max = rates_eid[1];
+ if (rates_max > MAX_RATES) {
+ lbs_deb_join("invalid rates");
+ goto out;
+ }
u8 *rates = cmd.bss.rates;
for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
u8 hw_rate = lbs_rates[hw].bitrate / 5;

View File

@ -0,0 +1,226 @@
From patchwork Fri Nov 22 09:43:49 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: qize wang <wangqize888888888@gmail.com>
X-Patchwork-Id: 11257535
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <SRS0=Y0IC=ZO=vger.kernel.org=linux-wireless-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
[172.30.200.123])
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 311581390
for <patchwork-linux-wireless@patchwork.kernel.org>;
Fri, 22 Nov 2019 09:44:01 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
by mail.kernel.org (Postfix) with ESMTP id 09A6920708
for <patchwork-linux-wireless@patchwork.kernel.org>;
Fri, 22 Nov 2019 09:44:01 +0000 (UTC)
Authentication-Results: mail.kernel.org;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.b="gFC1GPvm"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1726802AbfKVJoA (ORCPT
<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
Fri, 22 Nov 2019 04:44:00 -0500
Received: from mail-pj1-f65.google.com ([209.85.216.65]:35154 "EHLO
mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1726500AbfKVJoA (ORCPT
<rfc822;linux-wireless@vger.kernel.org>);
Fri, 22 Nov 2019 04:44:00 -0500
Received: by mail-pj1-f65.google.com with SMTP id s8so2836990pji.2
for <linux-wireless@vger.kernel.org>;
Fri, 22 Nov 2019 01:43:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=from:content-transfer-encoding:mime-version:subject:message-id:date
:cc:to;
bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=;
b=gFC1GPvmciglvQH3QRWVdrtGLMliah1xCIA8nZta7Mis7sATxTwTG/XMZ/G4Zb8efA
bvc58q+E3uHBiZOOCVFqZrDhJzM1SJVkOtFKPIquJLhmKms1Rd7FLwLFKwbq9DKE28C4
crZUPOja7RMESC2jajleQdZ9YO/o/LEA+6QmEKIQFZ11R7j/qT/bNTdf08hDTINa7VVq
r20OL/q5iTBYBqodQaQVOPHH7f8iRs46gS/23GSX8E8Lo920r4wtTUPXXBidt0bay7ID
L2CF8vLLDGRe4Dohd71wCJgl54yVxF1Fi9qAvQluyVTulAtDVNw8Ol9hFdLa9R7j2M2z
9wWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:from:content-transfer-encoding:mime-version
:subject:message-id:date:cc:to;
bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=;
b=lGAdjvr9L1WcGIvtpY5RO07jVV2t+CQ7rGsSqHcqyoDarWzcfl+FowtU0U+OV0Uf0k
Dxs4mJ+rml43X7SrPljpiHzQB1mRWWnTcIKwO9YFH1DbuMxYpTV/AdDtkyLGwQEPCTu2
U/RIv2CvLNWTGQYXAqUH4wZJ0MAo0w2fWX8QeMCWarAPRgOsyeT9LEZQT6ypWzy9bAKs
ri4P+HqxmhlvDFb3ij0pl0x7hhOOhDCSdzZEfy8MGL/wmxdbOLM5AV8DevGNLEZHZrJ9
AHHgRlkUPn5esIeIhTiYu3hox+z4GLrcRZccqcL3O9QM9rKX6SyNF9MjoEIgD5WK7ycl
Tlvg==
X-Gm-Message-State: APjAAAVLU8HZian8Pqy8r1Iwnjga8cqc70tKNQWQHXIQ/WEWDgKWDzip
dkM+yuOUv3M4BD3u8wHsttGE4Sk9BqOSqA==
X-Google-Smtp-Source:
APXvYqxWR1wx4sFD+yyfHofiemrR7B+b6xLDxQu9tS4dKDTYtMBUggkRWVG0Y4CUsP1DbHGVYW2rGg==
X-Received: by 2002:a17:90a:c004:: with SMTP id
p4mr17937350pjt.104.1574415837353;
Fri, 22 Nov 2019 01:43:57 -0800 (PST)
Received: from [127.0.0.1] (187.220.92.34.bc.googleusercontent.com.
[34.92.220.187])
by smtp.gmail.com with ESMTPSA id
71sm6800121pfx.107.2019.11.22.01.43.52
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Fri, 22 Nov 2019 01:43:56 -0800 (PST)
From: qize wang <wangqize888888888@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Subject: [PATCH] mwifiex: Fix heap overflow in
mmwifiex_process_tdls_action_frame()
Message-Id: <E40E893E-D9B4-4C63-8139-1DD5E1C2CECB@gmail.com>
Date: Fri, 22 Nov 2019 17:43:49 +0800
Cc: amitkarwar <amitkarwar@gmail.com>, nishants <nishants@marvell.com>,
gbhat <gbhat@marvell.com>, huxinming820 <huxinming820@gmail.com>,
kvalo <kvalo@codeaurora.org>, Greg KH <greg@kroah.com>,
security <security@kernel.org>,
linux-distros <linux-distros@vs.openwall.org>,
"dan.carpenter" <dan.carpenter@oracle.com>,
Solar Designer <solar@openwall.com>
To: linux-wireless@vger.kernel.org
X-Mailer: Apple Mail (2.3445.6.18)
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
mwifiex_process_tdls_action_frame() without checking
the incoming tdls infomation element's vality before use it,
this may cause multi heap buffer overflows.
Fix them by putting vality check before use it.
Signed-off-by: qize wang <wangqize888888888@gmail.com>
---
drivers/net/wireless/marvell/mwifiex/tdls.c | 70 ++++++++++++++++++++++++++---
1 file changed, 64 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
index 18e654d..7f60214 100644
--- a/drivers/net/wireless/marvell/mwifiex/tdls.c
+++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
@@ -954,59 +954,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
switch (*pos) {
case WLAN_EID_SUPP_RATES:
+ if (pos[1] > 32)
+ return;
sta_ptr->tdls_cap.rates_len = pos[1];
for (i = 0; i < pos[1]; i++)
sta_ptr->tdls_cap.rates[i] = pos[i + 2];
break;
case WLAN_EID_EXT_SUPP_RATES:
+ if (pos[1] > 32)
+ return;
basic = sta_ptr->tdls_cap.rates_len;
+ if (pos[1] > 32 - basic)
+ return;
for (i = 0; i < pos[1]; i++)
sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
sta_ptr->tdls_cap.rates_len += pos[1];
break;
case WLAN_EID_HT_CAPABILITY:
- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
+ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
+ return;
+ if (pos[1] != sizeof(struct ieee80211_ht_cap))
+ return;
+ /* copy the ie's value into ht_capb*/
+ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
sizeof(struct ieee80211_ht_cap));
sta_ptr->is_11n_enabled = 1;
break;
case WLAN_EID_HT_OPERATION:
- memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
+ if (pos > end -
+ sizeof(struct ieee80211_ht_operation) - 2)
+ return;
+ if (pos[1] != sizeof(struct ieee80211_ht_operation))
+ return;
+ /* copy the ie's value into ht_oper*/
+ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
sizeof(struct ieee80211_ht_operation));
break;
case WLAN_EID_BSS_COEX_2040:
+ if (pos > end - 3)
+ return;
+ if (pos[1] != 1)
+ return;
sta_ptr->tdls_cap.coex_2040 = pos[2];
break;
case WLAN_EID_EXT_CAPABILITY:
+ if (pos > end - sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] < sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] > 8)
+ return;
memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
sizeof(struct ieee_types_header) +
min_t(u8, pos[1], 8));
break;
case WLAN_EID_RSN:
+ if (pos > end - sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] < sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] > IEEE_MAX_IE_SIZE -
+ sizeof(struct ieee_types_header))
+ return;
memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
sizeof(struct ieee_types_header) +
min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
sizeof(struct ieee_types_header)));
break;
case WLAN_EID_QOS_CAPA:
+ if (pos > end - 3)
+ return;
+ if (pos[1] != 1)
+ return;
sta_ptr->tdls_cap.qos_info = pos[2];
break;
case WLAN_EID_VHT_OPERATION:
- if (priv->adapter->is_hw_11ac_capable)
- memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
+ if (priv->adapter->is_hw_11ac_capable) {
+ if (pos > end -
+ sizeof(struct ieee80211_vht_operation) - 2)
+ return;
+ if (pos[1] !=
+ sizeof(struct ieee80211_vht_operation))
+ return;
+ /* copy the ie's value into vhtoper*/
+ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
sizeof(struct ieee80211_vht_operation));
+ }
break;
case WLAN_EID_VHT_CAPABILITY:
if (priv->adapter->is_hw_11ac_capable) {
- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
+ if (pos > end -
+ sizeof(struct ieee80211_vht_cap) - 2)
+ return;
+ if (pos[1] != sizeof(struct ieee80211_vht_cap))
+ return;
+ /* copy the ie's value into vhtcap*/
+ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
sizeof(struct ieee80211_vht_cap));
sta_ptr->is_11ac_enabled = 1;
}
break;
case WLAN_EID_AID:
- if (priv->adapter->is_hw_11ac_capable)
+ if (priv->adapter->is_hw_11ac_capable) {
+ if (pos > end - 4)
+ return;
+ if (pos[1] != 2)
+ return;
sta_ptr->tdls_cap.aid =
get_unaligned_le16((pos + 2));
+ }
+ break;
default:
break;
}

View File

@ -0,0 +1,129 @@
From patchwork Thu Nov 21 16:04:38 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ganapathi Bhat <gbhat@marvell.com>
X-Patchwork-Id: 11256477
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <SRS0=bi0l=ZN=vger.kernel.org=linux-wireless-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
[172.30.200.123])
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AAABF138C
for <patchwork-linux-wireless@patchwork.kernel.org>;
Thu, 21 Nov 2019 16:04:48 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
by mail.kernel.org (Postfix) with ESMTP id 8950220637
for <patchwork-linux-wireless@patchwork.kernel.org>;
Thu, 21 Nov 2019 16:04:48 +0000 (UTC)
Authentication-Results: mail.kernel.org;
dkim=pass (2048-bit key) header.d=marvell.com header.i=@marvell.com
header.b="nkGygBtm"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1727141AbfKUQEs (ORCPT
<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
Thu, 21 Nov 2019 11:04:48 -0500
Received: from mx0b-0016f401.pphosted.com ([67.231.156.173]:6582 "EHLO
mx0b-0016f401.pphosted.com" rhost-flags-OK-OK-OK-OK)
by vger.kernel.org with ESMTP id S1726980AbfKUQEr (ORCPT
<rfc822;linux-wireless@vger.kernel.org>);
Thu, 21 Nov 2019 11:04:47 -0500
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1])
by mx0b-0016f401.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id
xALFu718003199;
Thu, 21 Nov 2019 08:04:44 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;
h=from : to : cc :
subject : date : message-id : mime-version : content-type; s=pfpt0818;
bh=o/oIGGHPmwt5MFTKPl2GcISKabBWhPBOdPXPhlV+8H8=;
b=nkGygBtmdc1LxIp0VzpsKssm8mQFI+syng1Rek/N5Fx3Vz4o2KAlRceJkhXNdV7WpjTG
XDtRj/LiYd+OAIqSLM6J2VNtOKOhaNSDydtTUnIi4imHPzYoAdESDQW5aFV8JKZqOfYx
0oQTjw6AhdjJCsngL+bImzmnJoZsc2gUu3BAic/kW+6Uj0JCgQwoUFBH9rNaO+Q33BY+
dZy9MdKD905LxSBE7A5xWx5GEgrqRcvfxSOu2K78FQhsJ20suhvWSobxpYE0LIrajl6s
oQGuDbTsdOO/8v7D9Xn7zObUH6qZ08AMxDZNaBLqiKpjFY/RA7LbR2eulwEnhjCLDQfK uA==
Received: from sc-exch03.marvell.com ([199.233.58.183])
by mx0b-0016f401.pphosted.com with ESMTP id 2wd090yntp-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);
Thu, 21 Nov 2019 08:04:44 -0800
Received: from SC-EXCH01.marvell.com (10.93.176.81) by SC-EXCH03.marvell.com
(10.93.176.83) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 21 Nov
2019 08:04:43 -0800
Received: from maili.marvell.com (10.93.176.43) by SC-EXCH01.marvell.com
(10.93.176.81) with Microsoft SMTP Server id 15.0.1367.3 via Frontend
Transport; Thu, 21 Nov 2019 08:04:43 -0800
Received: from testmailhost.marvell.com (testmailhost.marvell.com
[10.31.130.105])
by maili.marvell.com (Postfix) with ESMTP id 898743F703F;
Thu, 21 Nov 2019 08:04:40 -0800 (PST)
From: Ganapathi Bhat <gbhat@marvell.com>
To: <linux-wireless@vger.kernel.org>
CC: Cathy Luo <cluo@marvell.com>, Zhiyuan Yang <yangzy@marvell.com>,
James Cao <jcao@marvell.com>,
Rakesh Parmar <rakeshp@marvell.com>,
Brian Norris <briannorris@chromium.org>,
Mohammad Tausif Siddiqui <msiddiqu@redhat.com>,
huangwen <huangwenabc@gmail.com>,
Ganapathi Bhat <gbhat@marvell.com>
Subject: [PATCH] mwifiex: fix possible heap overflow in
mwifiex_process_country_ie()
Date: Thu, 21 Nov 2019 21:34:38 +0530
Message-ID: <1574352278-7592-1-git-send-email-gbhat@marvell.com>
X-Mailer: git-send-email 1.9.1
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572
definitions=2019-11-21_03:2019-11-21,2019-11-21 signatures=0
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
mwifiex_process_country_ie() function parse elements of bss
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
element, there is no upper limit check for country_ie_len before
calling memcpy. The destination buffer domain_info->triplet is an
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
attacker can build a fake AP with the same ssid as real AP, and
send malicous beacon packet with long WLAN_EID_COUNTRY elemen
(country_ie_len > 83). Attacker can force STA connect to fake AP
on a different channel. When the victim STA connects to fake AP,
will trigger the heap buffer overflow. Fix this by checking for
length and if found invalid, don not connect to the AP.
This fix addresses CVE-2019-14895.
Reported-by: huangwen <huangwenabc@gmail.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
---
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
index 74e5056..6dd835f 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv,
"11D: skip setting domain info in FW\n");
return 0;
}
+
+ if (country_ie_len >
+ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
+ mwifiex_dbg(priv->adapter, ERROR,
+ "11D: country_ie_len overflow!, deauth AP\n");
+ return -EINVAL;
+ }
+
memcpy(priv->adapter->country_code, &country_ie[2], 2);
domain_info->country_code[0] = country_ie[2];
@@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
priv->scan_block = false;
if (bss) {
- if (adapter->region_code == 0x00)
- mwifiex_process_country_ie(priv, bss);
+ if (adapter->region_code == 0x00 &&
+ mwifiex_process_country_ie(priv, bss))
+ return -EINVAL;
/* Allocate and fill new bss descriptor */
bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),