From: Greg Kroah-Hartman
Date: Thu, 11 Jul 2019 12:52:42 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.2.1~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=153fedb58ff0ae89794c9ada9c812662ce352a70;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
mwifiex-abort-at-too-short-bss-descriptor-element.patch
mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch
---
diff --git a/queue-4.9/mwifiex-abort-at-too-short-bss-descriptor-element.patch b/queue-4.9/mwifiex-abort-at-too-short-bss-descriptor-element.patch
new file mode 100644
index 00000000000..da1c956ea22
--- /dev/null
+++ b/queue-4.9/mwifiex-abort-at-too-short-bss-descriptor-element.patch
@@ -0,0 +1,87 @@
+From 685c9b7750bfacd6fc1db50d86579980593b7869 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 29 May 2019 14:52:20 +0200
+Subject: mwifiex: Abort at too short BSS descriptor element
+
+From: Takashi Iwai
+
+commit 685c9b7750bfacd6fc1db50d86579980593b7869 upstream.
+
+Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
+the source descriptor entries contain the enough size for each type
+and performs copying without checking the source size. This may lead
+to read over boundary.
+
+Fix this by putting the source size check in appropriate places.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1258,6 +1258,8 @@ int mwifiex_update_bss_desc_with_ie(stru
+ break;
+
+ case WLAN_EID_FH_PARAMS:
++ if (element_len + 2 < sizeof(*fh_param_set))
++ return -EINVAL;
+ fh_param_set =
+ (struct ieee_types_fh_param_set *) current_ptr;
+ memcpy(&bss_entry->phy_param_set.fh_param_set,
+@@ -1266,6 +1268,8 @@ int mwifiex_update_bss_desc_with_ie(stru
+ break;
+
+ case WLAN_EID_DS_PARAMS:
++ if (element_len + 2 < sizeof(*ds_param_set))
++ return -EINVAL;
+ ds_param_set =
+ (struct ieee_types_ds_param_set *) current_ptr;
+
+@@ -1277,6 +1281,8 @@ int mwifiex_update_bss_desc_with_ie(stru
+ break;
+
+ case WLAN_EID_CF_PARAMS:
++ if (element_len + 2 < sizeof(*cf_param_set))
++ return -EINVAL;
+ cf_param_set =
+ (struct ieee_types_cf_param_set *) current_ptr;
+ memcpy(&bss_entry->ss_param_set.cf_param_set,
+@@ -1285,6 +1291,8 @@ int mwifiex_update_bss_desc_with_ie(stru
+ break;
+
+ case WLAN_EID_IBSS_PARAMS:
++ if (element_len + 2 < sizeof(*ibss_param_set))
++ return -EINVAL;
+ ibss_param_set =
+ (struct ieee_types_ibss_param_set *)
+ current_ptr;
+@@ -1294,10 +1302,14 @@ int mwifiex_update_bss_desc_with_ie(stru
+ break;
+
+ case WLAN_EID_ERP_INFO:
++ if (!element_len)
++ return -EINVAL;
+ bss_entry->erp_flags = *(current_ptr + 2);
+ break;
+
+ case WLAN_EID_PWR_CONSTRAINT:
++ if (!element_len)
++ return -EINVAL;
+ bss_entry->local_constraint = *(current_ptr + 2);
+ bss_entry->sensed_11h = true;
+ break;
+@@ -1337,6 +1349,9 @@ int mwifiex_update_bss_desc_with_ie(stru
+ break;
+
+ case WLAN_EID_VENDOR_SPECIFIC:
++ if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
++ return -EINVAL;
++
+ vendor_ie = (struct ieee_types_vendor_specific *)
+ current_ptr;
+
diff --git a/queue-4.9/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch b/queue-4.9/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch
new file mode 100644
index 00000000000..5308390033d
--- /dev/null
+++ b/queue-4.9/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch
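Review bot: Every new bounds check in the scan.c hunks hinges on the unexplained literal `2` in `if (element_len + 2 < sizeof(*fh_param_set))` (repeated for the DS, CF, IBSS and vendor-specific cases), and a reader has to reconstruct why it is there: `element_len` is evidently the IE payload length without the element-id/length header, `current_ptr` points at that header (the ERP and power-constraint cases read the payload as `*(current_ptr + 2)`), and the `ieee_types_*` structs being sized against presumably begin with the header. A comment at the first check would spare the next maintainer that derivation, e.g. `/* element_len excludes the 2-byte id/len header that the ieee_types_* structs include */`; a named constant for the header size would make all five sites self-explanatory. mwifiex_update_bss_desc_with_ie() starts and ends outside these hunks, so whether `element_len` itself is validated against the bytes remaining in the buffer before the switch cannot be confirmed from here.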
@@ -0,0 +1,118 @@
+From 69ae4f6aac1578575126319d3f55550e7e440449 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 31 May 2019 15:18:41 +0200
+Subject: mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
+
+From: Takashi Iwai
+
+commit 69ae4f6aac1578575126319d3f55550e7e440449 upstream.
+
+A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
+unconditionally, which may lead to either buffer overflow or read over
+boundary.
+
+This patch addresses the issues by checking the read size and the
+destination size at each place more properly. Along with the fixes,
+the patch cleans up the code slightly by introducing a temporary
+variable for the token size, and unifies the error path with the
+standard goto statement.
+
+Reported-by: huangwen
+Signed-off-by: Takashi Iwai
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/marvell/mwifiex/ie.c | 45 ++++++++++++++++++++----------
+ 1 file changed, 30 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/ie.c
++++ b/drivers/net/wireless/marvell/mwifiex/ie.c
+@@ -328,6 +328,8 @@ static int mwifiex_uap_parse_tail_ies(st
+ struct ieee80211_vendor_ie *vendorhdr;
+ u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0;
+ int left_len, parsed_len = 0;
++ unsigned int token_len;
++ int err = 0;
+
+ if (!info->tail || !info->tail_len)
+ return 0;
+@@ -343,6 +345,12 @@ static int mwifiex_uap_parse_tail_ies(st
+ */
+ while (left_len > sizeof(struct ieee_types_header)) {
+ hdr = (void *)(info->tail + parsed_len);
++ token_len = hdr->len + sizeof(struct ieee_types_header);
++ if (token_len > left_len) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ switch (hdr->element_id) {
+ case WLAN_EID_SSID:
+ case WLAN_EID_SUPP_RATES:
+@@ -356,13 +364,16 @@ static int mwifiex_uap_parse_tail_ies(st
+ case WLAN_EID_VENDOR_SPECIFIC:
+ break;
+ default:
+- memcpy(gen_ie->ie_buffer + ie_len, hdr,
+- hdr->len + sizeof(struct ieee_types_header));
+- ie_len += hdr->len + sizeof(struct ieee_types_header);
++ if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
++ err = -EINVAL;
++ goto out;
++ }
++ memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len);
++ ie_len += token_len;
+ break;
+ }
+- left_len -= hdr->len + sizeof(struct ieee_types_header);
+- parsed_len += hdr->len + sizeof(struct ieee_types_header);
++ left_len -= token_len;
++ parsed_len += token_len;
+ }
+
+ /* parse only WPA vendor IE from tail, WMM IE is configured by
+@@ -372,15 +383,17 @@ static int mwifiex_uap_parse_tail_ies(st
+ WLAN_OUI_TYPE_MICROSOFT_WPA,
+ info->tail, info->tail_len);
+ if (vendorhdr) {
+- memcpy(gen_ie->ie_buffer + ie_len, vendorhdr,
+- vendorhdr->len + sizeof(struct ieee_types_header));
+- ie_len += vendorhdr->len + sizeof(struct ieee_types_header);
++ token_len = vendorhdr->len + sizeof(struct ieee_types_header);
++ if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
++ err = -EINVAL;
++ goto out;
++ }
++ memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len);
++ ie_len += token_len;
+ }
+
+- if (!ie_len) {
+- kfree(gen_ie);
+- return 0;
+- }
++ if (!ie_len)
++ goto out;
+
+ gen_ie->ie_index = cpu_to_le16(gen_idx);
+ gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON |
+@@ -390,13 +403,15 @@ static int mwifiex_uap_parse_tail_ies(st
+
+ if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL,
+ NULL, NULL)) {
+- kfree(gen_ie);
+- return -1;
++ err = -EINVAL;
++ goto out;
+ }
+
+ priv->gen_idx = gen_idx;
++
++ out:
+ kfree(gen_ie);
+- return 0;
++ return err;
+ }
+
+ /* This function parses different IEs-head & tail IEs, beacon IEs,
diff --git a/queue-4.9/series b/queue-4.9/series
index e69073d29ab..9a874136444 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
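Review bot: The new guard `if (token_len > left_len)` in the `@@ -343,6 +345,12 @@` hunk compares an `unsigned int` against the `int left_len` declared in the first hunk, and the loop condition `while (left_len > sizeof(struct ieee_types_header))` is the same kind of int-versus-size_t comparison, in which a negative `left_len` would convert to a huge unsigned value and keep the loop running. That guard is therefore also what keeps the later `left_len -= token_len` from ever going negative, and the dependency deserves a line above it, e.g. `/* also keeps left_len non-negative: the while condition above is an int/size_t compare and would not stop on a wrap */`. Declaring `left_len` with the same unsigned type as `token_len` would make the intent explicit, though its initialisation lies outside these hunks. mwifiex_uap_parse_tail_ies() begins before the first hunk and its callers are not visible here, so the change of the failure return from `-1` to `-EINVAL` in the last hunk should be confirmed against any caller that tested for `-1`.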
@@ -22,3 +22,5 @@ net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch
 udf-fix-incorrect-final-not_allocated-hole-extent-length.patch
 x86-ptrace-fix-possible-spectre-v1-in-ptrace_get_debugreg.patch
 x86-tls-fix-possible-spectre-v1-in-do_get_thread_area.patch
+mwifiex-abort-at-too-short-bss-descriptor-element.patch
+mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch