From: Greg Kroah-Hartman Date: Tue, 10 Oct 2017 19:31:35 +0000 (+0200) Subject: drop broken 4.4 brcm patch X-Git-Tag: v3.18.75~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=94bbabaac4cb6f0170c5220a9ca14b1626585bc4;p=thirdparty%2Fkernel%2Fstable-queue.git drop broken 4.4 brcm patch --- diff --git a/queue-4.4/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch b/queue-4.4/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch deleted file mode 100644 index 2140cb59043..00000000000 --- a/queue-4.4/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 17df6453d4be17910456e99c5a85025aa1b7a246 Mon Sep 17 00:00:00 2001 -From: Arend Van Spriel -Date: Tue, 12 Sep 2017 10:47:53 +0200 -Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler() - -From: Arend Van Spriel - -commit 17df6453d4be17910456e99c5a85025aa1b7a246 upstream. - -Upon handling the firmware notification for scans the length was -checked properly and may result in corrupting kernel heap memory -due to buffer overruns. This fix addresses CVE-2017-0786. - -Cc: Kevin Cernekee -Reviewed-by: Hante Meuleman -Reviewed-by: Pieter-Paul Giesberts -Reviewed-by: Franky Lin -Signed-off-by: Arend van Spriel -Signed-off-by: Kalle Valo -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - ---- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c -+++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c -@@ -2914,6 +2914,7 @@ brcmf_cfg80211_escan_handler(struct brcm - struct brcmf_cfg80211_info *cfg = ifp->drvr->config; - s32 status; - struct brcmf_escan_result_le *escan_result_le; -+ u32 escan_buflen; - struct brcmf_bss_info_le *bss_info_le; - struct brcmf_bss_info_le *bss = NULL; - u32 bi_length; -@@ -2930,11 +2931,23 @@ brcmf_cfg80211_escan_handler(struct brcm - - if (status == BRCMF_E_STATUS_PARTIAL) { - brcmf_dbg(SCAN, "ESCAN Partial result\n"); -+ if (e->datalen < sizeof(*escan_result_le)) { -+ brcmf_err("invalid event data length\n"); -+ goto exit; -+ } - escan_result_le = (struct brcmf_escan_result_le *) data; - if (!escan_result_le) { - brcmf_err("Invalid escan result (NULL pointer)\n"); - goto exit; - } -+ escan_buflen = le32_to_cpu(escan_result_le->buflen); -+ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE || -+ escan_buflen > e->datalen || -+ escan_buflen < sizeof(*escan_result_le)) { -+ brcmf_err("Invalid escan buffer length: %d\n", -+ escan_buflen); -+ goto exit; -+ } - if (le16_to_cpu(escan_result_le->bss_count) 
!= 1) { - brcmf_err("Invalid bss_count %d: ignoring\n", - escan_result_le->bss_count); -@@ -2951,9 +2964,8 @@ brcmf_cfg80211_escan_handler(struct brcm - } - - bi_length = le32_to_cpu(bss_info_le->length); -- if (bi_length != (le32_to_cpu(escan_result_le->buflen) - -- WL_ESCAN_RESULTS_FIXED_SIZE)) { -- brcmf_err("Invalid bss_info length %d: ignoring\n", -+ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) { -+ brcmf_err("Ignoring invalid bss_info length: %d\n", - bi_length); - goto exit; - } diff --git a/queue-4.4/series b/queue-4.4/series index a0881260502..9d48ba18be6 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -38,7 +38,6 @@ iio-adc-mcp320x-fix-readout-of-negative-voltages.patch iio-adc-mcp320x-fix-oops-on-module-unload.patch uwb-properly-check-kthread_run-return-value.patch uwb-ensure-that-endpoint-is-interrupt.patch -brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch brcmfmac-setup-passive-scan-if-requested-by-user-space.patch drm-i915-bios-ignore-hdmi-on-port-a.patch nvme-protect-against-simultaneous-shutdown-invocations.patch
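Review bot: The subject "drop broken 4.4 brcm patch" does not say what was broken, and the file removed in the `@@ -1,71 +0,0 @@` hunk is the 4.4 backport of upstream commit 17df6453d4be, whose own message says it addresses CVE-2017-0786. Please record the failure in the changelog (build error, missing definition, or runtime regression). Please also note there that queue-4.4 is left without the `e->datalen < sizeof(*escan_result_le)` check and the `escan_buflen` bounds checks in brcmf_cfg80211_escan_handler() until a reworked backport is queued, so the gap is visible to anyone tracking the CVE on this branch.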
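Review bot: In the queue-4.4/series hunk (`@@ -38,7 +38,6 @@`), the entry that now follows the removed line is brcmfmac-setup-passive-scan-if-requested-by-user-space.patch, another brcmfmac patch that was queued to apply on top of the dropped one. Since the series applies in order, please confirm it still applies cleanly and builds without the escan_handler change beneath it. If it was refreshed against the dropped patch's context, it needs regenerating in this same commit.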