Fix a number of CVEs
parent
facf80d5e3
commit
be6041e7ff
154
ath10k-fix-memory-leak.patch
Normal file
@ -0,0 +1,154 @@
|
|||||||
|
From patchwork Fri Sep 20 01:36:26 2019
|
||||||
|
Content-Type: text/plain; charset="utf-8"
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Transfer-Encoding: 7bit
|
||||||
|
X-Patchwork-Submitter: Navid Emamdoost <navid.emamdoost@gmail.com>
|
||||||
|
X-Patchwork-Id: 11153701
|
||||||
|
Return-Path:
|
||||||
|
<SRS0=bWbZ=XP=lists.infradead.org=ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@kernel.org>
|
||||||
|
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
|
||||||
|
[172.30.200.123])
|
||||||
|
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D3F0714DB
|
||||||
|
for <patchwork-ath10k@patchwork.kernel.org>;
|
||||||
|
Fri, 20 Sep 2019 01:36:54 +0000 (UTC)
|
||||||
|
Received: from bombadil.infradead.org (bombadil.infradead.org
|
||||||
|
[198.137.202.133])
|
||||||
|
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
|
||||||
|
(No client certificate requested)
|
||||||
|
by mail.kernel.org (Postfix) with ESMTPS id B1A2E206C2
|
||||||
|
for <patchwork-ath10k@patchwork.kernel.org>;
|
||||||
|
Fri, 20 Sep 2019 01:36:54 +0000 (UTC)
|
||||||
|
Authentication-Results: mail.kernel.org;
|
||||||
|
dkim=pass (2048-bit key) header.d=lists.infradead.org
|
||||||
|
header.i=@lists.infradead.org header.b="bhsKgarK";
|
||||||
|
dkim=fail reason="signature verification failed" (2048-bit key)
|
||||||
|
header.d=gmail.com header.i=@gmail.com header.b="nljLTTHa"
|
||||||
|
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B1A2E206C2
|
||||||
|
Authentication-Results: mail.kernel.org;
|
||||||
|
dmarc=fail (p=none dis=none) header.from=gmail.com
|
||||||
|
Authentication-Results: mail.kernel.org;
|
||||||
|
spf=none
|
||||||
|
smtp.mailfrom=ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org
|
||||||
|
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
|
||||||
|
d=lists.infradead.org; s=bombadil.20170209; h=Sender:
|
||||||
|
Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
|
||||||
|
List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date:
|
||||||
|
Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:
|
||||||
|
Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
|
||||||
|
References:List-Owner; bh=TgqIPzTUSDBMffxK6MmqtQ+I81SfWmrbmWLuWLbhwV8=; b=bhs
|
||||||
|
KgarKUaVoFaf/6TPo+T+LIemPUgT0DioZ9Aa4cXD7m02vV5SrBodW911B9amgDGQ4ipx7UyAgOokS
|
||||||
|
QqumgU8MLbC9VEmDHseDYkrMDJvPAVL/+Ou5bAAoDDa4G14hJi1RWh5lsdIJBMKmjMI9KcW7qFdEj
|
||||||
|
eQ6JBoJXliaYp31BoAPEbyBnG4b8RQxO6wT9wA+/Bs8gR8bBQN9Wjo7zsIKHobQbKfAXTTRwn46dt
|
||||||
|
J7kt19264hkIv2Dr3UQc7W8kYL09TmllYFjEGYTOuGFEOoHlejt6CpbUnh0mdPtDggPPxsQ+e/f/h
|
||||||
|
0dGNUqgR/L7R5/70DbHnF24DnXzwfQw==;
|
||||||
|
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
|
||||||
|
by bombadil.infradead.org with esmtp (Exim 4.92.2 #3 (Red Hat Linux))
|
||||||
|
id 1iB7qu-0006An-U6; Fri, 20 Sep 2019 01:36:52 +0000
|
||||||
|
Received: from mail-io1-xd43.google.com ([2607:f8b0:4864:20::d43])
|
||||||
|
by bombadil.infradead.org with esmtps (Exim 4.92.2 #3 (Red Hat Linux))
|
||||||
|
id 1iB7qr-0006A2-PC
|
||||||
|
for ath10k@lists.infradead.org; Fri, 20 Sep 2019 01:36:51 +0000
|
||||||
|
Received: by mail-io1-xd43.google.com with SMTP id q10so12531160iop.2
|
||||||
|
for <ath10k@lists.infradead.org>; Thu, 19 Sep 2019 18:36:47 -0700 (PDT)
|
||||||
|
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
|
||||||
|
h=from:to:cc:subject:date:message-id;
|
||||||
|
bh=2vkYM2Vw9GpvccAiSSIMhifEzfuK8Ld4R3bwXVgh1ps=;
|
||||||
|
b=nljLTTHaQr3RenMHyxOGrtAwE/I0ES0GK9UJLdYkS7iEalzRrwu+/ygif0A/YnEFuE
|
||||||
|
fMLFG5zBRN2I7SpqvTBqaxAYJbA+a5Nnb5ymeV3s6Ef+CcGHE165IRfi+4dxEt/RvV3k
|
||||||
|
4CjBDTDWGnnBO1wfDcS0WW9TqjJEoxFKWNCL+8oAzUyMten4zs8XPRUPlZVc5dHnkqC9
|
||||||
|
LmLWnaSBjm2g5JG0GJKSrT8KrYP2mv4yGUR0HaWruQWwfQQ8NJc2RyXm1Ml99KZkoU73
|
||||||
|
TG98jQSy2dcHrVqaNRfpAtyj0WEwXdLqMfT1ggk69p1ZfC7ol/7QEQxzgDIU0EFn2r59
|
||||||
|
owvA==
|
||||||
|
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||||
|
d=1e100.net; s=20161025;
|
||||||
|
h=x-gm-message-state:from:to:cc:subject:date:message-id;
|
||||||
|
bh=2vkYM2Vw9GpvccAiSSIMhifEzfuK8Ld4R3bwXVgh1ps=;
|
||||||
|
b=h6uidvjJA/lvtevOi6n+lWV9vjtx5XM1d7kRlAFgObUBjJMIap329Jxa7uA0de8dx/
|
||||||
|
4ANBCQj9/8psgTYwWqBv0bJH+7IC+ewxZb2m3z1dMYwsFp8coTyMryaBVWb4trh0My3B
|
||||||
|
XT2OseKTL0iAiy35/SDbWV/5FljTuVmto5Jgglq6lB3uPpQVIGu46UY8kNKwuIdNseow
|
||||||
|
y4r+4w82KCHMoANJmlEPlFYb7xnmENPIdx0ZITs6ISjjvTICaf8nyA3OgqPCI5l3/DCb
|
||||||
|
3plewsEuTwGiFXPqJx2ldY3gIwfH8D7w1MLxadUUL6o2fDRt0ZjFbJuUk/tiX/EM5MOL
|
||||||
|
W3dQ==
|
||||||
|
X-Gm-Message-State: APjAAAWIX+IMQ2tM7gV9yX2n6iqisUO1ysXCEYfl/P1BcWwlYgTk8xNq
|
||||||
|
/djn9P594uwGss08Ku8JA9E=
|
||||||
|
X-Google-Smtp-Source:
|
||||||
|
APXvYqzLPqJkNUviwDSfcaSYJH+eUFOLc0fBeZpgji797e/U5UAY6XAi9Cq7iKldElsnElvAmFWNCw==
|
||||||
|
X-Received: by 2002:a6b:8f15:: with SMTP id r21mr3490587iod.259.1568943406715;
|
||||||
|
Thu, 19 Sep 2019 18:36:46 -0700 (PDT)
|
||||||
|
Received: from cs-dulles.cs.umn.edu (cs-dulles.cs.umn.edu. [128.101.35.54])
|
||||||
|
by smtp.googlemail.com with ESMTPSA id x12sm335602ioh.76.2019.09.19.18.36.45
|
||||||
|
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
|
||||||
|
Thu, 19 Sep 2019 18:36:45 -0700 (PDT)
|
||||||
|
From: Navid Emamdoost <navid.emamdoost@gmail.com>
|
||||||
|
To:
|
||||||
|
Subject: [PATCH] ath10k: fix memory leak
|
||||||
|
Date: Thu, 19 Sep 2019 20:36:26 -0500
|
||||||
|
Message-Id: <20190920013632.30796-1-navid.emamdoost@gmail.com>
|
||||||
|
X-Mailer: git-send-email 2.17.1
|
||||||
|
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3
|
||||||
|
X-CRM114-CacheID: sfid-20190919_183649_845813_A1A80F7F
|
||||||
|
X-CRM114-Status: UNSURE ( 7.25 )
|
||||||
|
X-CRM114-Notice: Please train this message.
|
||||||
|
X-Spam-Score: -0.2 (/)
|
||||||
|
X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary:
|
||||||
|
Content analysis details: (-0.2 points)
|
||||||
|
pts rule name description
|
||||||
|
---- ----------------------
|
||||||
|
--------------------------------------------------
|
||||||
|
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/,
|
||||||
|
no trust [2607:f8b0:4864:20:0:0:0:d43 listed in]
|
||||||
|
[list.dnswl.org]
|
||||||
|
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
|
||||||
|
-0.0 SPF_PASS SPF: sender matches SPF record
|
||||||
|
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
|
||||||
|
provider (navid.emamdoost[at]gmail.com)
|
||||||
|
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
|
||||||
|
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
|
||||||
|
author's domain
|
||||||
|
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
|
||||||
|
envelope-from domain
|
||||||
|
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
|
||||||
|
not necessarily
|
||||||
|
valid
|
||||||
|
X-BeenThere: ath10k@lists.infradead.org
|
||||||
|
X-Mailman-Version: 2.1.29
|
||||||
|
Precedence: list
|
||||||
|
List-Id: <ath10k.lists.infradead.org>
|
||||||
|
List-Unsubscribe: <http://lists.infradead.org/mailman/options/ath10k>,
|
||||||
|
<mailto:ath10k-request@lists.infradead.org?subject=unsubscribe>
|
||||||
|
List-Archive: <http://lists.infradead.org/pipermail/ath10k/>
|
||||||
|
List-Post: <mailto:ath10k@lists.infradead.org>
|
||||||
|
List-Help: <mailto:ath10k-request@lists.infradead.org?subject=help>
|
||||||
|
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/ath10k>,
|
||||||
|
<mailto:ath10k-request@lists.infradead.org?subject=subscribe>
|
||||||
|
Cc: linux-wireless@vger.kernel.org, kjlu@umn.edu,
|
||||||
|
linux-kernel@vger.kernel.org,
|
||||||
|
ath10k@lists.infradead.org, emamd001@umn.edu, smccaman@umn.edu,
|
||||||
|
netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
|
||||||
|
Kalle Valo <kvalo@codeaurora.org>,
|
||||||
|
Navid Emamdoost <navid.emamdoost@gmail.com>
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Sender: "ath10k" <ath10k-bounces@lists.infradead.org>
|
||||||
|
Errors-To:
|
||||||
|
ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org
|
||||||
|
|
||||||
|
In ath10k_usb_hif_tx_sg the allocated urb should be released if
|
||||||
|
usb_submit_urb fails.
|
||||||
|
|
||||||
|
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
|
||||||
|
---
|
||||||
|
drivers/net/wireless/ath/ath10k/usb.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c
|
||||||
|
index e1420f67f776..730ed22e08a0 100644
|
||||||
|
--- a/drivers/net/wireless/ath/ath10k/usb.c
|
||||||
|
+++ b/drivers/net/wireless/ath/ath10k/usb.c
|
||||||
|
@@ -435,6 +435,7 @@ static int ath10k_usb_hif_tx_sg(struct ath10k *ar, u8 pipe_id,
|
||||||
|
ath10k_dbg(ar, ATH10K_DBG_USB_BULK,
|
||||||
|
"usb bulk transmit failed: %d\n", ret);
|
||||||
|
usb_unanchor_urb(urb);
|
||||||
|
+ usb_free_urb(urb);
|
||||||
|
ret = -EINVAL;
|
||||||
|
goto err_free_urb_to_pipe;
|
||||||
|
}
|
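Review bot: This fix is carried as a raw patchwork mbox (X-Patchwork-Id: 11153701) rather than as an upstream commit, and nothing in the file records whether it was merged or in what form. The embedded transport headers show `dkim=fail` for the gmail.com signature and `dmarc=fail`; that is common after a list re-mails a message, and the list's own signature passes, but it means the headers add no usable provenance. I would strip the mail routing headers and add a line such as `Upstream: <commit id once merged>` to the patch description so the backport can be compared against the tree. On the code, `ret = -EINVAL;` directly after the added `usb_free_urb(urb);` discards the `usb_submit_urb()` error that was just logged; the function continues outside the hunk, so confirm whether callers depend on -EINVAL before changing it.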
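--- a/kernel.spec
+++ b/kernel.spec
@@ -840,6 +840,19 @@ Patch522: mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
 # CVE-2019-19054 rhbz 1775063 1775117
 Patch524: media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
 
+# CVE-2019-14895 rhbz 1774870 1776139
+Patch525: mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
+
+# CVE-2019-14896 rhbz 1774875 1776143
+# CVE-2019-14897 rhbz 1774879 1776146
+Patch526: libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
+
+# CVE-2019-14901 rhbz 1773519 1776184
+Patch527: mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
+
+# CVE-2019-19078 rhbz 1776354 1776353
+Patch528: ath10k-fix-memory-leak.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2538,6 +2551,13 @@ fi
 #
 #
 %changelog
+* Mon Nov 25 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-14895 (rhbz 1774870 1776139)
+- Fix CVE-2019-14896 (rhbz 1774875 1776143)
+- Fix CVE-2019-14897 (rhbz 1774879 1776146)
+- Fix CVE-2019-14901 (rhbz 1773519 1776184)
+- Fix CVE-2019-19078 (rhbz 1776354 1776353)
+
 * Mon Nov 25 2019 Jeremy Cline <jcline@redhat.com> - 5.4.0-1
 - Linux v5.4.0
 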
@ -0,0 +1,120 @@
|
|||||||
|
From patchwork Fri Nov 22 05:29:17 2019
|
||||||
|
Content-Type: text/plain; charset="utf-8"
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Transfer-Encoding: 7bit
|
||||||
|
X-Patchwork-Submitter: huangwenabc@gmail.com
|
||||||
|
X-Patchwork-Id: 11257187
|
||||||
|
X-Patchwork-Delegate: kvalo@adurom.com
|
||||||
|
Return-Path: <SRS0=Y0IC=ZO=vger.kernel.org=linux-wireless-owner@kernel.org>
|
||||||
|
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
|
||||||
|
[172.30.200.123])
|
||||||
|
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 032DA112B
|
||||||
|
for <patchwork-linux-wireless@patchwork.kernel.org>;
|
||||||
|
Fri, 22 Nov 2019 05:29:36 +0000 (UTC)
|
||||||
|
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
|
||||||
|
by mail.kernel.org (Postfix) with ESMTP id D68A920707
|
||||||
|
for <patchwork-linux-wireless@patchwork.kernel.org>;
|
||||||
|
Fri, 22 Nov 2019 05:29:35 +0000 (UTC)
|
||||||
|
Authentication-Results: mail.kernel.org;
|
||||||
|
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
|
||||||
|
header.b="WaDUta6X"
|
||||||
|
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||||
|
id S1726719AbfKVF3f (ORCPT
|
||||||
|
<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
|
||||||
|
Fri, 22 Nov 2019 00:29:35 -0500
|
||||||
|
Received: from mail-pf1-f194.google.com ([209.85.210.194]:43041 "EHLO
|
||||||
|
mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||||
|
with ESMTP id S1726529AbfKVF3e (ORCPT
|
||||||
|
<rfc822;linux-wireless@vger.kernel.org>);
|
||||||
|
Fri, 22 Nov 2019 00:29:34 -0500
|
||||||
|
Received: by mail-pf1-f194.google.com with SMTP id 3so2912048pfb.10
|
||||||
|
for <linux-wireless@vger.kernel.org>;
|
||||||
|
Thu, 21 Nov 2019 21:29:34 -0800 (PST)
|
||||||
|
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||||
|
d=gmail.com; s=20161025;
|
||||||
|
h=from:to:cc:subject:date:message-id;
|
||||||
|
bh=9G4UM2vhuEG4TSdFZTVuZ71GTOHLABBI6xxxI/2Oncw=;
|
||||||
|
b=WaDUta6XODn4hzzqR0np+iPcfBChaSE05EpSM8UrALWvgf7x/9f0e8SMvgXTGXaN74
|
||||||
|
Irmx+lKSr5piR/mhpfRO+HVN7bu7ukOSsxCxlNav6kvJn3SG/q0TV9VGoWEKM+8yISrK
|
||||||
|
Bc5MtndhyGLDrWQFgc5fSdMf+/79HC0AWnnavMoEKxnAti/HKBQnIPreGoLnrWIpbhXZ
|
||||||
|
EdU3ei0kxlwAUbNl8/FywUG2qzQeoeh5RranVfooFhbBQ0QfNtx3k3ARWrVdT9uV7QtX
|
||||||
|
pcpYtJsjn94TXL0llHTzpE182eTvmUrzxf89ubigJh+EYnryHC+HUHZoVtjYtbjidWoV
|
||||||
|
I0FQ==
|
||||||
|
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||||
|
d=1e100.net; s=20161025;
|
||||||
|
h=x-gm-message-state:from:to:cc:subject:date:message-id;
|
||||||
|
bh=9G4UM2vhuEG4TSdFZTVuZ71GTOHLABBI6xxxI/2Oncw=;
|
||||||
|
b=gNC3IOfmB1H65frnsn63mdzaxphxG6xvR0SHEIOJSaWI/Jx9VK+CfnGr+7pOQZ/Pyw
|
||||||
|
wORhpVi6EbFsE7mVKbjlJ7O96hk14FnUKSPVOhl9NH4xXBktd7sJc5Z36N3J6RRv9Cfc
|
||||||
|
gQWPy1otHKeNz1riMgHcbkaiKj3CANpJ6gaAE/R8EjWLXjS7Bw/vBgQSr5WnAVV27Ppw
|
||||||
|
Flrks3Qv8BGkRUCymKArD05r646Fx1ew/FI7oGyKQhxxWJPuv5RoVTGPbAC1unU+zjfN
|
||||||
|
2XNdr1yKKfY4R5S8q49FeHsN5Mb+lmriUPdLPL062UzQ7x/pTzfh3rI9Lf92jMJiJ9/n
|
||||||
|
9zPw==
|
||||||
|
X-Gm-Message-State: APjAAAVgSeSrlZfb2Ch2KXDFaNq6RLCJCvq40zW4toublIDi1zh7feyc
|
||||||
|
srNh0xN+iNrBCzEMbsxDKJS2IOoUYXc=
|
||||||
|
X-Google-Smtp-Source:
|
||||||
|
APXvYqwPwHZStvNKOZtUBWgPYiEFiNFqEQLMngqNoFN6jFqDKFjISduUPDUYh2y907mFwD+Qn6zs9w==
|
||||||
|
X-Received: by 2002:a63:7456:: with SMTP id
|
||||||
|
e22mr14245471pgn.314.1574400573682;
|
||||||
|
Thu, 21 Nov 2019 21:29:33 -0800 (PST)
|
||||||
|
Received: from localhost ([38.121.20.202])
|
||||||
|
by smtp.gmail.com with ESMTPSA id
|
||||||
|
x192sm5658165pfd.96.2019.11.21.21.29.32
|
||||||
|
(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
|
||||||
|
Thu, 21 Nov 2019 21:29:32 -0800 (PST)
|
||||||
|
From: huangwenabc@gmail.com
|
||||||
|
To: linux-wireless@vger.kernel.org
|
||||||
|
Cc: linux-distros@vs.openwall.org, security@kernel.org,
|
||||||
|
libertas-dev@lists.infradead.org
|
||||||
|
Subject: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor
|
||||||
|
Date: Fri, 22 Nov 2019 13:29:17 +0800
|
||||||
|
Message-Id: <20191122052917.11309-1-huangwenabc@gmail.com>
|
||||||
|
X-Mailer: git-send-email 2.17.1
|
||||||
|
Sender: linux-wireless-owner@vger.kernel.org
|
||||||
|
Precedence: bulk
|
||||||
|
List-ID: <linux-wireless.vger.kernel.org>
|
||||||
|
X-Mailing-List: linux-wireless@vger.kernel.org
|
||||||
|
|
||||||
|
From: Wen Huang <huangwenabc@gmail.com>
|
||||||
|
|
||||||
|
add_ie_rates() copys rates without checking the length
|
||||||
|
in bss descriptor from remote AP.when victim connects to
|
||||||
|
remote attacker, this may trigger buffer overflow.
|
||||||
|
lbs_ibss_join_existing() copys rates without checking the length
|
||||||
|
in bss descriptor from remote IBSS node.when victim connects to
|
||||||
|
remote attacker, this may trigger buffer overflow.
|
||||||
|
Fix them by putting the length check before performing copy.
|
||||||
|
|
||||||
|
This fix addresses CVE-2019-14896 and CVE-2019-14897.
|
||||||
|
|
||||||
|
Signed-off-by: Wen Huang <huangwenabc@gmail.com>
|
||||||
|
---
|
||||||
|
drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
|
||||||
|
1 file changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
|
||||||
|
index 57edfada0..290280764 100644
|
||||||
|
--- a/drivers/net/wireless/marvell/libertas/cfg.c
|
||||||
|
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
|
||||||
|
@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int *nrates)
|
||||||
|
int hw, ap, ap_max = ie[1];
|
||||||
|
u8 hw_rate;
|
||||||
|
|
||||||
|
+ if (ap_max > MAX_RATES) {
|
||||||
|
+ lbs_deb_assoc("invalid rates\n");
|
||||||
|
+ return tlv;
|
||||||
|
+ }
|
||||||
|
/* Advance past IE header */
|
||||||
|
ie += 2;
|
||||||
|
|
||||||
|
@@ -1777,6 +1781,10 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
|
||||||
|
} else {
|
||||||
|
int hw, i;
|
||||||
|
u8 rates_max = rates_eid[1];
|
||||||
|
+ if (rates_max > MAX_RATES) {
|
||||||
|
+ lbs_deb_join("invalid rates");
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
u8 *rates = cmd.bss.rates;
|
||||||
|
for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
|
||||||
|
u8 hw_rate = lbs_rates[hw].bitrate / 5;
|
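Review bot: In the `lbs_ibss_join_existing()` hunk the `goto out` taken when `rates_max > MAX_RATES` leaves through the common exit without setting an error, so unless `ret` is already negative at that point (not visible here) an oversized rates element from the remote IBSS node is reported as a successful join; I would add `ret = -EINVAL;` before the `goto out;`. If `rates_eid` was looked up under `rcu_read_lock()` earlier in the function, which starts outside this hunk, the jump also has to be preceded by the matching unlock. The new `if` block sits between `u8 rates_max = rates_eid[1];` and `u8 *rates = cmd.bss.rates;`, mixing a statement into the declarations; moving it below `u8 *rates` keeps the block clean under `-Wdeclaration-after-statement`. In `add_ie_rates()` the `return tlv;` path emits no rates TLV and gives the caller no way to notice, so the caller's handling of an unchanged `tlv` pointer should be checked.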
@ -0,0 +1,226 @@
|
|||||||
|
From patchwork Fri Nov 22 09:43:49 2019
|
||||||
|
Content-Type: text/plain; charset="utf-8"
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Transfer-Encoding: 7bit
|
||||||
|
X-Patchwork-Submitter: qize wang <wangqize888888888@gmail.com>
|
||||||
|
X-Patchwork-Id: 11257535
|
||||||
|
X-Patchwork-Delegate: kvalo@adurom.com
|
||||||
|
Return-Path: <SRS0=Y0IC=ZO=vger.kernel.org=linux-wireless-owner@kernel.org>
|
||||||
|
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
|
||||||
|
[172.30.200.123])
|
||||||
|
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 311581390
|
||||||
|
for <patchwork-linux-wireless@patchwork.kernel.org>;
|
||||||
|
Fri, 22 Nov 2019 09:44:01 +0000 (UTC)
|
||||||
|
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
|
||||||
|
by mail.kernel.org (Postfix) with ESMTP id 09A6920708
|
||||||
|
for <patchwork-linux-wireless@patchwork.kernel.org>;
|
||||||
|
Fri, 22 Nov 2019 09:44:01 +0000 (UTC)
|
||||||
|
Authentication-Results: mail.kernel.org;
|
||||||
|
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
|
||||||
|
header.b="gFC1GPvm"
|
||||||
|
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||||
|
id S1726802AbfKVJoA (ORCPT
|
||||||
|
<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
|
||||||
|
Fri, 22 Nov 2019 04:44:00 -0500
|
||||||
|
Received: from mail-pj1-f65.google.com ([209.85.216.65]:35154 "EHLO
|
||||||
|
mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||||
|
with ESMTP id S1726500AbfKVJoA (ORCPT
|
||||||
|
<rfc822;linux-wireless@vger.kernel.org>);
|
||||||
|
Fri, 22 Nov 2019 04:44:00 -0500
|
||||||
|
Received: by mail-pj1-f65.google.com with SMTP id s8so2836990pji.2
|
||||||
|
for <linux-wireless@vger.kernel.org>;
|
||||||
|
Fri, 22 Nov 2019 01:43:57 -0800 (PST)
|
||||||
|
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||||
|
d=gmail.com; s=20161025;
|
||||||
|
h=from:content-transfer-encoding:mime-version:subject:message-id:date
|
||||||
|
:cc:to;
|
||||||
|
bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=;
|
||||||
|
b=gFC1GPvmciglvQH3QRWVdrtGLMliah1xCIA8nZta7Mis7sATxTwTG/XMZ/G4Zb8efA
|
||||||
|
bvc58q+E3uHBiZOOCVFqZrDhJzM1SJVkOtFKPIquJLhmKms1Rd7FLwLFKwbq9DKE28C4
|
||||||
|
crZUPOja7RMESC2jajleQdZ9YO/o/LEA+6QmEKIQFZ11R7j/qT/bNTdf08hDTINa7VVq
|
||||||
|
r20OL/q5iTBYBqodQaQVOPHH7f8iRs46gS/23GSX8E8Lo920r4wtTUPXXBidt0bay7ID
|
||||||
|
L2CF8vLLDGRe4Dohd71wCJgl54yVxF1Fi9qAvQluyVTulAtDVNw8Ol9hFdLa9R7j2M2z
|
||||||
|
9wWw==
|
||||||
|
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||||
|
d=1e100.net; s=20161025;
|
||||||
|
h=x-gm-message-state:from:content-transfer-encoding:mime-version
|
||||||
|
:subject:message-id:date:cc:to;
|
||||||
|
bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=;
|
||||||
|
b=lGAdjvr9L1WcGIvtpY5RO07jVV2t+CQ7rGsSqHcqyoDarWzcfl+FowtU0U+OV0Uf0k
|
||||||
|
Dxs4mJ+rml43X7SrPljpiHzQB1mRWWnTcIKwO9YFH1DbuMxYpTV/AdDtkyLGwQEPCTu2
|
||||||
|
U/RIv2CvLNWTGQYXAqUH4wZJ0MAo0w2fWX8QeMCWarAPRgOsyeT9LEZQT6ypWzy9bAKs
|
||||||
|
ri4P+HqxmhlvDFb3ij0pl0x7hhOOhDCSdzZEfy8MGL/wmxdbOLM5AV8DevGNLEZHZrJ9
|
||||||
|
AHHgRlkUPn5esIeIhTiYu3hox+z4GLrcRZccqcL3O9QM9rKX6SyNF9MjoEIgD5WK7ycl
|
||||||
|
Tlvg==
|
||||||
|
X-Gm-Message-State: APjAAAVLU8HZian8Pqy8r1Iwnjga8cqc70tKNQWQHXIQ/WEWDgKWDzip
|
||||||
|
dkM+yuOUv3M4BD3u8wHsttGE4Sk9BqOSqA==
|
||||||
|
X-Google-Smtp-Source:
|
||||||
|
APXvYqxWR1wx4sFD+yyfHofiemrR7B+b6xLDxQu9tS4dKDTYtMBUggkRWVG0Y4CUsP1DbHGVYW2rGg==
|
||||||
|
X-Received: by 2002:a17:90a:c004:: with SMTP id
|
||||||
|
p4mr17937350pjt.104.1574415837353;
|
||||||
|
Fri, 22 Nov 2019 01:43:57 -0800 (PST)
|
||||||
|
Received: from [127.0.0.1] (187.220.92.34.bc.googleusercontent.com.
|
||||||
|
[34.92.220.187])
|
||||||
|
by smtp.gmail.com with ESMTPSA id
|
||||||
|
71sm6800121pfx.107.2019.11.22.01.43.52
|
||||||
|
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
|
||||||
|
Fri, 22 Nov 2019 01:43:56 -0800 (PST)
|
||||||
|
From: qize wang <wangqize888888888@gmail.com>
|
||||||
|
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
|
||||||
|
Subject: [PATCH] mwifiex: Fix heap overflow in
|
||||||
|
mmwifiex_process_tdls_action_frame()
|
||||||
|
Message-Id: <E40E893E-D9B4-4C63-8139-1DD5E1C2CECB@gmail.com>
|
||||||
|
Date: Fri, 22 Nov 2019 17:43:49 +0800
|
||||||
|
Cc: amitkarwar <amitkarwar@gmail.com>, nishants <nishants@marvell.com>,
|
||||||
|
gbhat <gbhat@marvell.com>, huxinming820 <huxinming820@gmail.com>,
|
||||||
|
kvalo <kvalo@codeaurora.org>, Greg KH <greg@kroah.com>,
|
||||||
|
security <security@kernel.org>,
|
||||||
|
linux-distros <linux-distros@vs.openwall.org>,
|
||||||
|
"dan.carpenter" <dan.carpenter@oracle.com>,
|
||||||
|
Solar Designer <solar@openwall.com>
|
||||||
|
To: linux-wireless@vger.kernel.org
|
||||||
|
X-Mailer: Apple Mail (2.3445.6.18)
|
||||||
|
Sender: linux-wireless-owner@vger.kernel.org
|
||||||
|
Precedence: bulk
|
||||||
|
List-ID: <linux-wireless.vger.kernel.org>
|
||||||
|
X-Mailing-List: linux-wireless@vger.kernel.org
|
||||||
|
|
||||||
|
mwifiex_process_tdls_action_frame() without checking
|
||||||
|
the incoming tdls infomation element's vality before use it,
|
||||||
|
this may cause multi heap buffer overflows.
|
||||||
|
|
||||||
|
Fix them by putting vality check before use it.
|
||||||
|
|
||||||
|
Signed-off-by: qize wang <wangqize888888888@gmail.com>
|
||||||
|
---
|
||||||
|
drivers/net/wireless/marvell/mwifiex/tdls.c | 70 ++++++++++++++++++++++++++---
|
||||||
|
1 file changed, 64 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
|
||||||
|
index 18e654d..7f60214 100644
|
||||||
|
--- a/drivers/net/wireless/marvell/mwifiex/tdls.c
|
||||||
|
+++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
|
||||||
|
@@ -954,59 +954,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
|
||||||
|
|
||||||
|
switch (*pos) {
|
||||||
|
case WLAN_EID_SUPP_RATES:
|
||||||
|
+ if (pos[1] > 32)
|
||||||
|
+ return;
|
||||||
|
sta_ptr->tdls_cap.rates_len = pos[1];
|
||||||
|
for (i = 0; i < pos[1]; i++)
|
||||||
|
sta_ptr->tdls_cap.rates[i] = pos[i + 2];
|
||||||
|
break;
|
||||||
|
|
||||||
|
case WLAN_EID_EXT_SUPP_RATES:
|
||||||
|
+ if (pos[1] > 32)
|
||||||
|
+ return;
|
||||||
|
basic = sta_ptr->tdls_cap.rates_len;
|
||||||
|
+ if (pos[1] > 32 - basic)
|
||||||
|
+ return;
|
||||||
|
for (i = 0; i < pos[1]; i++)
|
||||||
|
sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
|
||||||
|
sta_ptr->tdls_cap.rates_len += pos[1];
|
||||||
|
break;
|
||||||
|
case WLAN_EID_HT_CAPABILITY:
|
||||||
|
- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
|
||||||
|
+ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
|
||||||
|
+ return;
|
||||||
|
+ if (pos[1] != sizeof(struct ieee80211_ht_cap))
|
||||||
|
+ return;
|
||||||
|
+ /* copy the ie's value into ht_capb*/
|
||||||
|
+ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
|
||||||
|
sizeof(struct ieee80211_ht_cap));
|
||||||
|
sta_ptr->is_11n_enabled = 1;
|
||||||
|
break;
|
||||||
|
case WLAN_EID_HT_OPERATION:
|
||||||
|
- memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
|
||||||
|
+ if (pos > end -
|
||||||
|
+ sizeof(struct ieee80211_ht_operation) - 2)
|
||||||
|
+ return;
|
||||||
|
+ if (pos[1] != sizeof(struct ieee80211_ht_operation))
|
||||||
|
+ return;
|
||||||
|
+ /* copy the ie's value into ht_oper*/
|
||||||
|
+ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
|
||||||
|
sizeof(struct ieee80211_ht_operation));
|
||||||
|
break;
|
||||||
|
case WLAN_EID_BSS_COEX_2040:
|
||||||
|
+ if (pos > end - 3)
|
||||||
|
+ return;
|
||||||
|
+ if (pos[1] != 1)
|
||||||
|
+ return;
|
||||||
|
sta_ptr->tdls_cap.coex_2040 = pos[2];
|
||||||
|
break;
|
||||||
|
case WLAN_EID_EXT_CAPABILITY:
|
||||||
|
+ if (pos > end - sizeof(struct ieee_types_header))
|
||||||
|
+ return;
|
||||||
|
+ if (pos[1] < sizeof(struct ieee_types_header))
|
||||||
|
+ return;
|
||||||
|
+ if (pos[1] > 8)
|
||||||
|
+ return;
|
||||||
|
memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
|
||||||
|
sizeof(struct ieee_types_header) +
|
||||||
|
min_t(u8, pos[1], 8));
|
||||||
|
break;
|
||||||
|
case WLAN_EID_RSN:
|
||||||
|
+ if (pos > end - sizeof(struct ieee_types_header))
|
||||||
|
+ return;
|
||||||
|
+ if (pos[1] < sizeof(struct ieee_types_header))
|
||||||
|
+ return;
|
||||||
|
+ if (pos[1] > IEEE_MAX_IE_SIZE -
|
||||||
|
+ sizeof(struct ieee_types_header))
|
||||||
|
+ return;
|
||||||
|
memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
|
||||||
|
sizeof(struct ieee_types_header) +
|
||||||
|
min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
|
||||||
|
sizeof(struct ieee_types_header)));
|
||||||
|
break;
|
||||||
|
case WLAN_EID_QOS_CAPA:
|
||||||
|
+ if (pos > end - 3)
|
||||||
|
+ return;
|
||||||
|
+ if (pos[1] != 1)
|
||||||
|
+ return;
|
||||||
|
sta_ptr->tdls_cap.qos_info = pos[2];
|
||||||
|
break;
|
||||||
|
case WLAN_EID_VHT_OPERATION:
|
||||||
|
- if (priv->adapter->is_hw_11ac_capable)
|
||||||
|
- memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
|
||||||
|
+ if (priv->adapter->is_hw_11ac_capable) {
|
||||||
|
+ if (pos > end -
|
||||||
|
+ sizeof(struct ieee80211_vht_operation) - 2)
|
||||||
|
+ return;
|
||||||
|
+ if (pos[1] !=
|
||||||
|
+ sizeof(struct ieee80211_vht_operation))
|
||||||
|
+ return;
|
||||||
|
+ /* copy the ie's value into vhtoper*/
|
||||||
|
+ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
|
||||||
|
sizeof(struct ieee80211_vht_operation));
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case WLAN_EID_VHT_CAPABILITY:
|
||||||
|
if (priv->adapter->is_hw_11ac_capable) {
|
||||||
|
- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
|
||||||
|
+ if (pos > end -
|
||||||
|
+ sizeof(struct ieee80211_vht_cap) - 2)
|
||||||
|
+ return;
|
||||||
|
+ if (pos[1] != sizeof(struct ieee80211_vht_cap))
|
||||||
|
+ return;
|
||||||
|
+ /* copy the ie's value into vhtcap*/
|
||||||
|
+ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
|
||||||
|
sizeof(struct ieee80211_vht_cap));
|
||||||
|
sta_ptr->is_11ac_enabled = 1;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case WLAN_EID_AID:
|
||||||
|
- if (priv->adapter->is_hw_11ac_capable)
|
||||||
|
+ if (priv->adapter->is_hw_11ac_capable) {
|
||||||
|
+ if (pos > end - 4)
|
||||||
|
+ return;
|
||||||
|
+ if (pos[1] != 2)
|
||||||
|
+ return;
|
||||||
|
sta_ptr->tdls_cap.aid =
|
||||||
|
get_unaligned_le16((pos + 2));
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
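Review bot: The `WLAN_EID_EXT_CAPABILITY` and `WLAN_EID_RSN` cases only check `pos > end - sizeof(struct ieee_types_header)`, which proves the two header bytes are inside the frame, while the `memcpy` that follows reads `sizeof(struct ieee_types_header) + pos[1]` bytes; the two rates cases likewise bound `pos[1]` by the destination size (32) but never by `end`. Unless the loop header outside this hunk already rejects an element that runs past `end`, a truncated final element from the peer still causes an out-of-bounds read of the received frame. One check at the top of the `switch`, `if (pos + 2 + pos[1] > end) return;`, would cover every case and make the per-case `end` comparisons unnecessary. The literal `32` would be safer as `sizeof(sta_ptr->tdls_cap.rates)` (assuming that array is what it mirrors), and the remaining `min_t(u8, pos[1], …)` clamps are dead code after the new upper-bound checks.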
@ -0,0 +1,129 @@
|
|||||||
|
From patchwork Thu Nov 21 16:04:38 2019
|
||||||
|
Content-Type: text/plain; charset="utf-8"
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Transfer-Encoding: 7bit
|
||||||
|
X-Patchwork-Submitter: Ganapathi Bhat <gbhat@marvell.com>
|
||||||
|
X-Patchwork-Id: 11256477
|
||||||
|
X-Patchwork-Delegate: kvalo@adurom.com
|
||||||
|
Return-Path: <SRS0=bi0l=ZN=vger.kernel.org=linux-wireless-owner@kernel.org>
|
||||||
|
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
|
||||||
|
[172.30.200.123])
|
||||||
|
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AAABF138C
|
||||||
|
for <patchwork-linux-wireless@patchwork.kernel.org>;
|
||||||
|
Thu, 21 Nov 2019 16:04:48 +0000 (UTC)
|
||||||
|
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
|
||||||
|
by mail.kernel.org (Postfix) with ESMTP id 8950220637
|
||||||
|
for <patchwork-linux-wireless@patchwork.kernel.org>;
|
||||||
|
Thu, 21 Nov 2019 16:04:48 +0000 (UTC)
|
||||||
|
Authentication-Results: mail.kernel.org;
|
||||||
|
dkim=pass (2048-bit key) header.d=marvell.com header.i=@marvell.com
|
||||||
|
header.b="nkGygBtm"
|
||||||
|
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||||
|
id S1727141AbfKUQEs (ORCPT
|
||||||
|
<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
|
||||||
|
Thu, 21 Nov 2019 11:04:48 -0500
|
||||||
|
Received: from mx0b-0016f401.pphosted.com ([67.231.156.173]:6582 "EHLO
|
||||||
|
mx0b-0016f401.pphosted.com" rhost-flags-OK-OK-OK-OK)
|
||||||
|
by vger.kernel.org with ESMTP id S1726980AbfKUQEr (ORCPT
|
||||||
|
<rfc822;linux-wireless@vger.kernel.org>);
|
||||||
|
Thu, 21 Nov 2019 11:04:47 -0500
|
||||||
|
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1])
|
||||||
|
by mx0b-0016f401.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id
|
||||||
|
xALFu718003199;
|
||||||
|
Thu, 21 Nov 2019 08:04:44 -0800
|
||||||
|
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;
|
||||||
|
h=from : to : cc :
|
||||||
|
subject : date : message-id : mime-version : content-type; s=pfpt0818;
|
||||||
|
bh=o/oIGGHPmwt5MFTKPl2GcISKabBWhPBOdPXPhlV+8H8=;
|
||||||
|
b=nkGygBtmdc1LxIp0VzpsKssm8mQFI+syng1Rek/N5Fx3Vz4o2KAlRceJkhXNdV7WpjTG
|
||||||
|
XDtRj/LiYd+OAIqSLM6J2VNtOKOhaNSDydtTUnIi4imHPzYoAdESDQW5aFV8JKZqOfYx
|
||||||
|
0oQTjw6AhdjJCsngL+bImzmnJoZsc2gUu3BAic/kW+6Uj0JCgQwoUFBH9rNaO+Q33BY+
|
||||||
|
dZy9MdKD905LxSBE7A5xWx5GEgrqRcvfxSOu2K78FQhsJ20suhvWSobxpYE0LIrajl6s
|
||||||
|
oQGuDbTsdOO/8v7D9Xn7zObUH6qZ08AMxDZNaBLqiKpjFY/RA7LbR2eulwEnhjCLDQfK uA==
|
||||||
|
Received: from sc-exch03.marvell.com ([199.233.58.183])
|
||||||
|
by mx0b-0016f401.pphosted.com with ESMTP id 2wd090yntp-1
|
||||||
|
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);
|
||||||
|
Thu, 21 Nov 2019 08:04:44 -0800
|
||||||
|
Received: from SC-EXCH01.marvell.com (10.93.176.81) by SC-EXCH03.marvell.com
|
||||||
|
(10.93.176.83) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 21 Nov
|
||||||
|
2019 08:04:43 -0800
|
||||||
|
Received: from maili.marvell.com (10.93.176.43) by SC-EXCH01.marvell.com
|
||||||
|
(10.93.176.81) with Microsoft SMTP Server id 15.0.1367.3 via Frontend
|
||||||
|
Transport; Thu, 21 Nov 2019 08:04:43 -0800
|
||||||
|
Received: from testmailhost.marvell.com (testmailhost.marvell.com
|
||||||
|
[10.31.130.105])
|
||||||
|
by maili.marvell.com (Postfix) with ESMTP id 898743F703F;
|
||||||
|
Thu, 21 Nov 2019 08:04:40 -0800 (PST)
|
||||||
|
From: Ganapathi Bhat <gbhat@marvell.com>
|
||||||
|
To: <linux-wireless@vger.kernel.org>
|
||||||
|
CC: Cathy Luo <cluo@marvell.com>, Zhiyuan Yang <yangzy@marvell.com>,
|
||||||
|
James Cao <jcao@marvell.com>,
|
||||||
|
Rakesh Parmar <rakeshp@marvell.com>,
|
||||||
|
Brian Norris <briannorris@chromium.org>,
|
||||||
|
Mohammad Tausif Siddiqui <msiddiqu@redhat.com>,
|
||||||
|
huangwen <huangwenabc@gmail.com>,
|
||||||
|
Ganapathi Bhat <gbhat@marvell.com>
|
||||||
|
Subject: [PATCH] mwifiex: fix possible heap overflow in
|
||||||
|
mwifiex_process_country_ie()
|
||||||
|
Date: Thu, 21 Nov 2019 21:34:38 +0530
|
||||||
|
Message-ID: <1574352278-7592-1-git-send-email-gbhat@marvell.com>
|
||||||
|
X-Mailer: git-send-email 1.9.1
|
||||||
|
MIME-Version: 1.0
|
||||||
|
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572
|
||||||
|
definitions=2019-11-21_03:2019-11-21,2019-11-21 signatures=0
|
||||||
|
Sender: linux-wireless-owner@vger.kernel.org
|
||||||
|
Precedence: bulk
|
||||||
|
List-ID: <linux-wireless.vger.kernel.org>
|
||||||
|
X-Mailing-List: linux-wireless@vger.kernel.org
|
||||||
|
|
||||||
|
mwifiex_process_country_ie() function parse elements of bss
|
||||||
|
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
|
||||||
|
element, there is no upper limit check for country_ie_len before
|
||||||
|
calling memcpy. The destination buffer domain_info->triplet is an
|
||||||
|
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
|
||||||
|
attacker can build a fake AP with the same ssid as real AP, and
|
||||||
|
send malicous beacon packet with long WLAN_EID_COUNTRY elemen
|
||||||
|
(country_ie_len > 83). Attacker can force STA connect to fake AP
|
||||||
|
on a different channel. When the victim STA connects to fake AP,
|
||||||
|
will trigger the heap buffer overflow. Fix this by checking for
|
||||||
|
length and if found invalid, don not connect to the AP.
|
||||||
|
|
||||||
|
This fix addresses CVE-2019-14895.
|
||||||
|
|
||||||
|
Reported-by: huangwen <huangwenabc@gmail.com>
|
||||||
|
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
|
||||||
|
---
|
||||||
|
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++--
|
||||||
|
1 file changed, 11 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
|
||||||
|
index 74e5056..6dd835f 100644
|
||||||
|
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
|
||||||
|
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
|
||||||
|
@@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv,
|
||||||
|
"11D: skip setting domain info in FW\n");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (country_ie_len >
|
||||||
|
+ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
|
||||||
|
+ mwifiex_dbg(priv->adapter, ERROR,
|
||||||
|
+ "11D: country_ie_len overflow!, deauth AP\n");
|
||||||
|
+ return -EINVAL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
memcpy(priv->adapter->country_code, &country_ie[2], 2);
|
||||||
|
|
||||||
|
domain_info->country_code[0] = country_ie[2];
|
||||||
|
@@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
|
||||||
|
priv->scan_block = false;
|
||||||
|
|
||||||
|
if (bss) {
|
||||||
|
- if (adapter->region_code == 0x00)
|
||||||
|
- mwifiex_process_country_ie(priv, bss);
|
||||||
|
+ if (adapter->region_code == 0x00 &&
|
||||||
|
+ mwifiex_process_country_ie(priv, bss))
|
||||||
|
+ return -EINVAL;
|
||||||
|
|
||||||
|
/* Allocate and fill new bss descriptor */
|
||||||
|
bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
|
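Review bot: The new `return -EINVAL;` in `mwifiex_process_country_ie()` is an early exit from a function that reads `country_ie` out of the BSS entry; if that pointer was obtained under `rcu_read_lock()` earlier in the function (its start is outside this hunk), this path returns with the read-side lock still held and needs `rcu_read_unlock();` before the `mwifiex_dbg()` call. In `mwifiex_bss_start()` the condition now treats any non-zero return as fatal, so a failure unrelated to the length check, if the function reports one further down, would also abort the connection; a short comment stating that this is intended would make the behaviour change deliberate. The log text says "deauth AP" although the code refuses to associate rather than deauthenticating, which will mislead anyone reading the message during triage.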