From: Greg Kroah-Hartman Date: Mon, 4 Nov 2019 10:25:09 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.199~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d197332875981faf7aab67c46ef5e7475a47eb0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: nl80211-fix-validation-of-mesh-path-nexthop.patch rtlwifi-fix-potential-overflow-on-p2p-code.patch s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch --- diff --git a/queue-4.4/nl80211-fix-validation-of-mesh-path-nexthop.patch b/queue-4.4/nl80211-fix-validation-of-mesh-path-nexthop.patch new file mode 100644 index 00000000000..4a998a187af --- /dev/null +++ b/queue-4.4/nl80211-fix-validation-of-mesh-path-nexthop.patch @@ -0,0 +1,35 @@ +From 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 Mon Sep 17 00:00:00 2001 +From: Markus Theil +Date: Tue, 29 Oct 2019 10:30:03 +0100 +Subject: nl80211: fix validation of mesh path nexthop + +From: Markus Theil + +commit 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 upstream. + +Mesh path nexthop should be a ethernet address, but current validation +checks against 4 byte integers. + +Cc: stable@vger.kernel.org +Fixes: 2ec600d672e74 ("nl80211/cfg80211: support for mesh, sta dumping") +Signed-off-by: Markus Theil +Link: https://lore.kernel.org/r/20191029093003.10355-1-markus.theil@tu-ilmenau.de +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -292,7 +292,8 @@ static const struct nla_policy nl80211_p + [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ }, + [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY, + .len = IEEE80211_MAX_MESH_ID_LEN }, +- [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 }, ++ [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_BINARY, ++ .len = ETH_ALEN }, + + [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 }, + [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED }, diff --git a/queue-4.4/rtlwifi-fix-potential-overflow-on-p2p-code.patch b/queue-4.4/rtlwifi-fix-potential-overflow-on-p2p-code.patch new file mode 100644 index 00000000000..7962a7dd409 --- /dev/null +++ b/queue-4.4/rtlwifi-fix-potential-overflow-on-p2p-code.patch @@ -0,0 +1,46 @@ +From 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Fri, 18 Oct 2019 07:43:21 -0400 +Subject: rtlwifi: Fix potential overflow on P2P code + +From: Laura Abbott + +commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream. + +Nicolas Waisman noticed that even though noa_len is checked for +a compatible length it's still possible to overrun the buffers +of p2pinfo since there's no check on the upper bound of noa_num. +Bound noa_num against P2P_MAX_NOA_NUM. + +Reported-by: Nicolas Waisman +Signed-off-by: Laura Abbott +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/wireless/realtek/rtlwifi/ps.c ++++ b/drivers/net/wireless/realtek/rtlwifi/ps.c +@@ -781,6 +781,9 @@ static void rtl_p2p_noa_ie(struct ieee80 + return; + } else { + noa_num = (noa_len - 2) / 13; ++ if (noa_num > P2P_MAX_NOA_NUM) ++ noa_num = P2P_MAX_NOA_NUM; ++ + } + noa_index = ie[3]; + if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode == +@@ -875,6 +878,9 @@ static void rtl_p2p_action_ie(struct iee + return; + } else { + noa_num = (noa_len - 2) / 13; ++ if (noa_num > P2P_MAX_NOA_NUM) ++ noa_num = P2P_MAX_NOA_NUM; ++ + } + noa_index = ie[3]; + if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode == diff --git a/queue-4.4/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch b/queue-4.4/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch new file mode 100644 index 00000000000..fcb9605b20b --- /dev/null +++ b/queue-4.4/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch @@ -0,0 +1,66 @@ +From b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f Mon Sep 17 00:00:00 2001 +From: Yihui ZENG +Date: Fri, 25 Oct 2019 12:31:48 +0300 +Subject: s390/cmm: fix information leak in cmm_timeout_handler() + +From: Yihui ZENG + +commit b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f upstream. + +The problem is that we were putting the NUL terminator too far: + + buf[sizeof(buf) - 1] = '\0'; + +If the user input isn't NUL terminated and they haven't initialized the +whole buffer then it leads to an info leak. The NUL terminator should +be: + + buf[len - 1] = '\0'; + +Signed-off-by: Yihui Zeng +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +[heiko.carstens@de.ibm.com: keep semantics of how *lenp and *ppos are handled] +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/mm/cmm.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/s390/mm/cmm.c ++++ b/arch/s390/mm/cmm.c +@@ -306,16 +306,16 @@ static int cmm_timeout_handler(struct ct + } + + if (write) { +- len = *lenp; +- if (copy_from_user(buf, buffer, +- len > sizeof(buf) ? sizeof(buf) : len)) ++ len = min(*lenp, sizeof(buf)); ++ if (copy_from_user(buf, buffer, len)) + return -EFAULT; +- buf[sizeof(buf) - 1] = '\0'; ++ buf[len - 1] = '\0'; + cmm_skip_blanks(buf, &p); + nr = simple_strtoul(p, &p, 0); + cmm_skip_blanks(p, &p); + seconds = simple_strtoul(p, &p, 0); + cmm_set_timeout(nr, seconds); ++ *ppos += *lenp; + } else { + len = sprintf(buf, "%ld %ld\n", + cmm_timeout_pages, cmm_timeout_seconds); +@@ -323,9 +323,9 @@ static int cmm_timeout_handler(struct ct + len = *lenp; + if (copy_to_user(buffer, buf, len)) + return -EFAULT; ++ *lenp = len; ++ *ppos += len; + } +- *lenp = len; +- *ppos += len; + return 0; + } + diff --git a/queue-4.4/series b/queue-4.4/series index c3530ed7b4f..c1265b077e5 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -33,3 +33,6 @@ usb-serial-whiteheat-fix-potential-slab-corruption.patch usb-serial-whiteheat-fix-line-speed-endianness.patch hid-fix-assumption-that-devices-have-inputs.patch hid-fix-error-message-in-hid_open_report.patch +nl80211-fix-validation-of-mesh-path-nexthop.patch +s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch +rtlwifi-fix-potential-overflow-on-p2p-code.patch