4.14-stable patches

added patches:
	mwifiex-abort-at-too-short-bss-descriptor-element.patch
	mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch

diff --git a/queue-4.14/mwifiex-abort-at-too-short-bss-descriptor-element.patch b/queue-4.14/mwifiex-abort-at-too-short-bss-descriptor-element.patch
new file mode 100644 (file)
index 0000000..14a9c9d
--- /dev/null
+++ b/queue-4.14/mwifiex-abort-at-too-short-bss-descriptor-element.patch
@@ -0,0 +1,87 @@
+From 685c9b7750bfacd6fc1db50d86579980593b7869 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 29 May 2019 14:52:20 +0200
+Subject: mwifiex: Abort at too short BSS descriptor element
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 685c9b7750bfacd6fc1db50d86579980593b7869 upstream.
+
+Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
+the source descriptor entries contain the enough size for each type
+and performs copying without checking the source size.  This may lead
+to read over boundary.
+
+Fix this by putting the source size check in appropriate places.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1266,6 +1266,8 @@ int mwifiex_update_bss_desc_with_ie(stru
+                       break;
+ 
+               case WLAN_EID_FH_PARAMS:
++                      if (element_len + 2 < sizeof(*fh_param_set))
++                              return -EINVAL;
+                       fh_param_set =
+                               (struct ieee_types_fh_param_set *) current_ptr;
+                       memcpy(&bss_entry->phy_param_set.fh_param_set,
+@@ -1274,6 +1276,8 @@ int mwifiex_update_bss_desc_with_ie(stru
+                       break;
+ 
+               case WLAN_EID_DS_PARAMS:
++                      if (element_len + 2 < sizeof(*ds_param_set))
++                              return -EINVAL;
+                       ds_param_set =
+                               (struct ieee_types_ds_param_set *) current_ptr;
+ 
+@@ -1285,6 +1289,8 @@ int mwifiex_update_bss_desc_with_ie(stru
+                       break;
+ 
+               case WLAN_EID_CF_PARAMS:
++                      if (element_len + 2 < sizeof(*cf_param_set))
++                              return -EINVAL;
+                       cf_param_set =
+                               (struct ieee_types_cf_param_set *) current_ptr;
+                       memcpy(&bss_entry->ss_param_set.cf_param_set,
+@@ -1293,6 +1299,8 @@ int mwifiex_update_bss_desc_with_ie(stru
+                       break;
+ 
+               case WLAN_EID_IBSS_PARAMS:
++                      if (element_len + 2 < sizeof(*ibss_param_set))
++                              return -EINVAL;
+                       ibss_param_set =
+                               (struct ieee_types_ibss_param_set *)
+                               current_ptr;
+@@ -1302,10 +1310,14 @@ int mwifiex_update_bss_desc_with_ie(stru
+                       break;
+ 
+               case WLAN_EID_ERP_INFO:
++                      if (!element_len)
++                              return -EINVAL;
+                       bss_entry->erp_flags = *(current_ptr + 2);
+                       break;
+ 
+               case WLAN_EID_PWR_CONSTRAINT:
++                      if (!element_len)
++                              return -EINVAL;
+                       bss_entry->local_constraint = *(current_ptr + 2);
+                       bss_entry->sensed_11h = true;
+                       break;
+@@ -1345,6 +1357,9 @@ int mwifiex_update_bss_desc_with_ie(stru
+                       break;
+ 
+               case WLAN_EID_VENDOR_SPECIFIC:
++                      if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
++                              return -EINVAL;
++
+                       vendor_ie = (struct ieee_types_vendor_specific *)
+                                       current_ptr;
+ 

diff --git a/queue-4.14/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch b/queue-4.14/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch
new file mode 100644 (file)
index 0000000..69cf66a
--- /dev/null
+++ b/queue-4.14/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch
@@ -0,0 +1,118 @@
+From 69ae4f6aac1578575126319d3f55550e7e440449 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 31 May 2019 15:18:41 +0200
+Subject: mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 69ae4f6aac1578575126319d3f55550e7e440449 upstream.
+
+A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
+unconditionally, which may lead to either buffer overflow or read over
+boundary.
+
+This patch addresses the issues by checking the read size and the
+destination size at each place more properly.  Along with the fixes,
+the patch cleans up the code slightly by introducing a temporary
+variable for the token size, and unifies the error path with the
+standard goto statement.
+
+Reported-by: huangwen <huangwen@venustech.com.cn>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/mwifiex/ie.c |   45 ++++++++++++++++++++----------
+ 1 file changed, 30 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/ie.c
++++ b/drivers/net/wireless/marvell/mwifiex/ie.c
+@@ -329,6 +329,8 @@ static int mwifiex_uap_parse_tail_ies(st
+       struct ieee80211_vendor_ie *vendorhdr;
+       u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0;
+       int left_len, parsed_len = 0;
++      unsigned int token_len;
++      int err = 0;
+ 
+       if (!info->tail || !info->tail_len)
+               return 0;
+@@ -344,6 +346,12 @@ static int mwifiex_uap_parse_tail_ies(st
+        */
+       while (left_len > sizeof(struct ieee_types_header)) {
+               hdr = (void *)(info->tail + parsed_len);
++              token_len = hdr->len + sizeof(struct ieee_types_header);
++              if (token_len > left_len) {
++                      err = -EINVAL;
++                      goto out;
++              }
++
+               switch (hdr->element_id) {
+               case WLAN_EID_SSID:
+               case WLAN_EID_SUPP_RATES:
+@@ -357,13 +365,16 @@ static int mwifiex_uap_parse_tail_ies(st
+               case WLAN_EID_VENDOR_SPECIFIC:
+                       break;
+               default:
+-                      memcpy(gen_ie->ie_buffer + ie_len, hdr,
+-                             hdr->len + sizeof(struct ieee_types_header));
+-                      ie_len += hdr->len + sizeof(struct ieee_types_header);
++                      if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
++                              err = -EINVAL;
++                              goto out;
++                      }
++                      memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len);
++                      ie_len += token_len;
+                       break;
+               }
+-              left_len -= hdr->len + sizeof(struct ieee_types_header);
+-              parsed_len += hdr->len + sizeof(struct ieee_types_header);
++              left_len -= token_len;
++              parsed_len += token_len;
+       }
+ 
+       /* parse only WPA vendor IE from tail, WMM IE is configured by
+@@ -373,15 +384,17 @@ static int mwifiex_uap_parse_tail_ies(st
+                                                   WLAN_OUI_TYPE_MICROSOFT_WPA,
+                                                   info->tail, info->tail_len);
+       if (vendorhdr) {
+-              memcpy(gen_ie->ie_buffer + ie_len, vendorhdr,
+-                     vendorhdr->len + sizeof(struct ieee_types_header));
+-              ie_len += vendorhdr->len + sizeof(struct ieee_types_header);
++              token_len = vendorhdr->len + sizeof(struct ieee_types_header);
++              if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
++                      err = -EINVAL;
++                      goto out;
++              }
++              memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len);
++              ie_len += token_len;
+       }
+ 
+-      if (!ie_len) {
+-              kfree(gen_ie);
+-              return 0;
+-      }
++      if (!ie_len)
++              goto out;
+ 
+       gen_ie->ie_index = cpu_to_le16(gen_idx);
+       gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON |
+@@ -391,13 +404,15 @@ static int mwifiex_uap_parse_tail_ies(st
+ 
+       if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL,
+                                        NULL, NULL)) {
+-              kfree(gen_ie);
+-              return -1;
++              err = -EINVAL;
++              goto out;
+       }
+ 
+       priv->gen_idx = gen_idx;
++
++ out:
+       kfree(gen_ie);
+-      return 0;
++      return err;
+ }
+ 
+ /* This function parses different IEs-head & tail IEs, beacon IEs,

diff --git a/queue-4.14/series b/queue-4.14/series
index c6fc9c2806501eba4008050c60e644dfb223c5d7..ddaa62b43060c65540c5a0ef55c333765dc9a01e 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -39,3 +39,5 @@ block-bfq-null-out-the-bic-when-it-s-no-longer-valid.patch
 x86-ptrace-fix-possible-spectre-v1-in-ptrace_get_debugreg.patch
 x86-tls-fix-possible-spectre-v1-in-do_get_thread_area.patch
 documentation-add-section-about-cpu-vulnerabilities-for-spectre.patch
+mwifiex-abort-at-too-short-bss-descriptor-element.patch
+mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch