4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Sep 2019 14:19:14 +0000 (16:19 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Sep 2019 14:19:14 +0000 (16:19 +0200)
added patches:
mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch
nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch

queue-4.19/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch [new file with mode: 0644]
queue-4.19/nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch b/queue-4.19/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch
new file mode 100644 (file)
index 0000000..2ad7492
--- /dev/null
@@ -0,0 +1,73 @@
+From 7caac62ed598a196d6ddf8d9c121e12e082cac3a Mon Sep 17 00:00:00 2001
+From: Wen Huang <huangwenabc@gmail.com>
+Date: Wed, 28 Aug 2019 10:07:51 +0800
+Subject: mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
+
+From: Wen Huang <huangwenabc@gmail.com>
+
+commit 7caac62ed598a196d6ddf8d9c121e12e082cac3a upstream.
+
+mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and
+mwifiex_set_wmm_params() call memcpy() without checking
+the destination size.Since the source is given from
+user-space, this may trigger a heap buffer overflow.
+
+Fix them by putting the length check before performing memcpy().
+
+This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816.
+
+Signed-off-by: Wen Huang <huangwenabc@gmail.com>
+Acked-by: Ganapathi Bhat <gbhat@marvell.comg>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/mwifiex/ie.c      |    3 +++
+ drivers/net/wireless/marvell/mwifiex/uap_cmd.c |    9 ++++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/ie.c
++++ b/drivers/net/wireless/marvell/mwifiex/ie.c
+@@ -241,6 +241,9 @@ static int mwifiex_update_vs_ie(const u8
+               }
+               vs_ie = (struct ieee_types_header *)vendor_ie;
++              if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 >
++                      IEEE_MAX_IE_SIZE)
++                      return -EINVAL;
+               memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length),
+                      vs_ie, vs_ie->len + 2);
+               le16_unaligned_add_cpu(&ie->ie_length, vs_ie->len + 2);
+--- a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c
++++ b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c
+@@ -265,6 +265,8 @@ mwifiex_set_uap_rates(struct mwifiex_uap
+       rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len);
+       if (rate_ie) {
++              if (rate_ie->len > MWIFIEX_SUPPORTED_RATES)
++                      return;
+               memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len);
+               rate_len = rate_ie->len;
+       }
+@@ -272,8 +274,11 @@ mwifiex_set_uap_rates(struct mwifiex_uap
+       rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
+                                          params->beacon.tail,
+                                          params->beacon.tail_len);
+-      if (rate_ie)
++      if (rate_ie) {
++              if (rate_ie->len > MWIFIEX_SUPPORTED_RATES - rate_len)
++                      return;
+               memcpy(bss_cfg->rates + rate_len, rate_ie + 1, rate_ie->len);
++      }
+       return;
+ }
+@@ -391,6 +396,8 @@ mwifiex_set_wmm_params(struct mwifiex_pr
+                                           params->beacon.tail_len);
+       if (vendor_ie) {
+               wmm_ie = vendor_ie;
++              if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info))
++                      return;
+               memcpy(&bss_cfg->wmm_info, wmm_ie +
+                      sizeof(struct ieee_types_header), *(wmm_ie + 1));
+               priv->wmm_enabled = 1;
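Review bot: The new length checks in mwifiex_set_uap_rates() and mwifiex_set_wmm_params() reject an oversized element with a bare `return;`, so the caller gets no error and nothing is logged; only mwifiex_update_vs_ie() reports the rejection (`return -EINVAL;`). In mwifiex_set_uap_rates() the second check returns after the supported-rates element has already been copied into `bss_cfg->rates`, so the config is left partially filled. In mwifiex_set_wmm_params() the early return also skips `priv->wmm_enabled = 1;`, leaving that flag at its previous value. I would add a comment at each check, e.g. `/* element does not fit the destination: drop it instead of overflowing; caller is not notified */`, and consider a follow-up that propagates an error so that a malformed element from user space fails the AP configuration instead of being silently ignored. All three function bodies start and end outside these hunks, so the state of `bss_cfg` on the early-return paths should be confirmed against the callers.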
diff --git a/queue-4.19/nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch b/queue-4.19/nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch
new file mode 100644 (file)
index 0000000..f55641e
--- /dev/null
@@ -0,0 +1,42 @@
+From 4b2c5a14cd8005a900075f7dfec87473c6ee66fb Mon Sep 17 00:00:00 2001
+From: Masashi Honma <masashi.honma@gmail.com>
+Date: Sun, 8 Sep 2019 09:56:53 +0900
+Subject: nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
+
+From: Masashi Honma <masashi.honma@gmail.com>
+
+commit 4b2c5a14cd8005a900075f7dfec87473c6ee66fb upstream.
+
+commit 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM
+RSSI thresholds") was incomplete and requires one more fix to
+prevent accessing to rssi_thresholds[n] because user can control
+rssi_thresholds[i] values to make i reach to n. For example,
+rssi_thresholds = {-400, -300, -200, -100} when last is -34.
+
+Cc: stable@vger.kernel.org
+Fixes: 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+Link: https://lore.kernel.org/r/20190908005653.17433-1-masashi.honma@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10270,9 +10270,11 @@ static int cfg80211_cqm_rssi_update(stru
+       hyst = wdev->cqm_config->rssi_hyst;
+       n = wdev->cqm_config->n_rssi_thresholds;
+-      for (i = 0; i < n; i++)
++      for (i = 0; i < n; i++) {
++              i = array_index_nospec(i, n);
+               if (last < wdev->cqm_config->rssi_thresholds[i])
+                       break;
++      }
+       low_index = i - 1;
+       if (low_index >= 0) {
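Review bot: The added `i = array_index_nospec(i, n);` reassigns the loop counter inside the loop body with no comment, and it reads like a no-op to anyone who does not know the Spectre-v1 background, since `i < n` was just tested by the loop condition. I would add a comment above it, e.g. `/* i < n holds only architecturally; clamp i so a mispredicted loop condition cannot speculatively read rssi_thresholds[n] */`. The value of `i` after the loop still feeds `low_index = i - 1` and the code that follows, so the later uses of `i` and `low_index` as indexes should be checked for the same clamp. cfg80211_cqm_rssi_update() starts and ends outside the hunk, so those uses are not visible here.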
index 7e70e01d6853111f5b5f23c3b44197ba17dbafed..c5fa244cccb65560a64b80f0f47d0b5770446379 100644 (file)
@@ -14,3 +14,5 @@ kvm-coalesced_mmio-add-bounds-checking.patch
 firmware-google-check-if-size-is-valid-when-decoding-vpd-data.patch
 serial-sprd-correct-the-wrong-sequence-of-arguments.patch
 tty-serial-atmel-reschedule-tx-after-rx-was-started.patch
+mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch
+nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch