1 | From ad670233c9e1d5feb365d870e30083ef1b889177 Mon Sep 17 00:00:00 2001 |
2 | From: Peng Xu <pxu@qti.qualcomm.com> | |
3 | Date: Tue, 3 Oct 2017 23:21:51 +0300 | |
4 | Subject: nl80211: Define policy for packet pattern attributes | |
5 | ||
6 | From: Peng Xu <pxu@qti.qualcomm.com> | |
7 | ||
8 | commit ad670233c9e1d5feb365d870e30083ef1b889177 upstream. | |
9 | ||
10 | Define a policy for packet pattern attributes in order to fix a | |
11 | potential read over the end of the buffer during nla_get_u32() | |
12 | of the NL80211_PKTPAT_OFFSET attribute. | |
13 | ||
14 | Note that the data there can always be read due to SKB allocation | |
15 | (with alignment and struct skb_shared_info at the end), but the | |
16 | data might be uninitialized. This could be used to leak some data | |
17 | from uninitialized vmalloc() memory, but most drivers don't allow | |
18 | an offset (so you'd just get -EINVAL if the data is non-zero) or | |
19 | just allow it with a fixed value - 100 or 128 bytes, so anything | |
20 | above that would get -EINVAL. With brcmfmac the limit is 1500 so | |
21 | (at least) one byte could be obtained. | |
22 | ||
23 | Cc: stable@kernel.org | |
24 | Signed-off-by: Peng Xu <pxu@qti.qualcomm.com> | |
25 | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> | |
26 | [rewrite description based on SKB allocation knowledge] | |
27 | Signed-off-by: Johannes Berg <johannes.berg@intel.com> | |
28 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
29 | ||
30 | --- | |
31 | net/wireless/nl80211.c | 12 ++++++++++-- | |
32 | 1 file changed, 10 insertions(+), 2 deletions(-) | |
33 | ||
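--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -485,6 +485,14 @@ nl80211_plan_policy[NL80211_SCHED_SCAN_P
 [NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
 };
 
+/* policy for packet pattern attributes */
+static const struct nla_policy
+nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
+[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
+[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
+[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
+};
+
 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
 struct netlink_callback *cb,
 struct cfg80211_registered_device **rdev,
@@ -9410,7 +9418,7 @@ static int nl80211_set_wowlan(struct sk_
 u8 *mask_pat;
 
 nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
-nla_len(pat), NULL);
+nla_len(pat), nl80211_packet_pattern_policy);
 err = -EINVAL;
 if (!pat_tb[NL80211_PKTPAT_MASK] ||
 !pat_tb[NL80211_PKTPAT_PATTERN])
@@ -9660,7 +9668,7 @@ static int nl80211_parse_coalesce_rule(s
 u8 *mask_pat;
 
 nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat),
-nla_len(pat), NULL);
+nla_len(pat), nl80211_packet_pattern_policy);
 if (!pat_tb[NL80211_PKTPAT_MASK] ||
 !pat_tb[NL80211_PKTPAT_PATTERN])
 return -EINVAL;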
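Review bot: The return value of nla_parse() is still discarded at the call in the nl80211_set_wowlan hunk, and likewise in the nl80211_parse_coalesce_rule hunk, so attaching the policy changes what happens on a malformed pattern without ever reporting it: an NL80211_PKTPAT_OFFSET attribute shorter than 4 bytes now fails NLA_U32 validation, nla_parse returns an error, and (as far as nla_parse's usual contract goes) pat_tb[NL80211_PKTPAT_OFFSET] is simply left unset, so the pattern is accepted with the default offset instead of being rejected with -EINVAL as the description intends. In nl80211_parse_coalesce_rule the check is one line, `if (nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat), nla_len(pat), nl80211_packet_pattern_policy)) return -EINVAL;`; in nl80211_set_wowlan do the same but jump to the function's existing error path, whose label is outside the hunk. Both enclosing functions start and end outside the hunks shown. Separately, the two NLA_BINARY entries in the new policy carry no `.len`, so the policy places no upper bound on the mask or pattern length; that is only safe if the length checks following the visible lines still constrain both, which is worth confirming, and a short comment on the policy such as `/* mask/pattern lengths are validated against each other by the callers */` would record that dependency.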