From: Greg Kroah-Hartman Date: Thu, 19 Sep 2019 14:18:58 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.194~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9a21dbcca80f1dfe2de41d0bdac42117ed636cbf;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch --- diff --git a/queue-4.14/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch b/queue-4.14/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch new file mode 100644 index 00000000000..2ad749229ff --- /dev/null +++ b/queue-4.14/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch @@ -0,0 +1,73 @@ +From 7caac62ed598a196d6ddf8d9c121e12e082cac3a Mon Sep 17 00:00:00 2001 +From: Wen Huang +Date: Wed, 28 Aug 2019 10:07:51 +0800 +Subject: mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings + +From: Wen Huang + +commit 7caac62ed598a196d6ddf8d9c121e12e082cac3a upstream. + +mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and +mwifiex_set_wmm_params() call memcpy() without checking +the destination size.Since the source is given from +user-space, this may trigger a heap buffer overflow. + +Fix them by putting the length check before performing memcpy(). + +This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816. + +Signed-off-by: Wen Huang +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/ie.c | 3 +++ + drivers/net/wireless/marvell/mwifiex/uap_cmd.c | 9 ++++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/marvell/mwifiex/ie.c ++++ b/drivers/net/wireless/marvell/mwifiex/ie.c +@@ -241,6 +241,9 @@ static int mwifiex_update_vs_ie(const u8 + } + + vs_ie = (struct ieee_types_header *)vendor_ie; ++ if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 > ++ IEEE_MAX_IE_SIZE) ++ return -EINVAL; + memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length), + vs_ie, vs_ie->len + 2); + le16_unaligned_add_cpu(&ie->ie_length, vs_ie->len + 2); +--- a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c +@@ -265,6 +265,8 @@ mwifiex_set_uap_rates(struct mwifiex_uap + + rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len); + if (rate_ie) { ++ if (rate_ie->len > MWIFIEX_SUPPORTED_RATES) ++ return; + memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len); + rate_len = rate_ie->len; + } +@@ -272,8 +274,11 @@ mwifiex_set_uap_rates(struct mwifiex_uap + rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, + params->beacon.tail, + params->beacon.tail_len); +- if (rate_ie) ++ if (rate_ie) { ++ if (rate_ie->len > MWIFIEX_SUPPORTED_RATES - rate_len) ++ return; + memcpy(bss_cfg->rates + rate_len, rate_ie + 1, rate_ie->len); ++ } + + return; + } +@@ -391,6 +396,8 @@ mwifiex_set_wmm_params(struct mwifiex_pr + params->beacon.tail_len); + if (vendor_ie) { + wmm_ie = vendor_ie; ++ if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info)) ++ return; + memcpy(&bss_cfg->wmm_info, wmm_ie + + sizeof(struct ieee_types_header), *(wmm_ie + 1)); + priv->wmm_enabled = 1; diff --git a/queue-4.14/nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch b/queue-4.14/nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch new file mode 100644 index 00000000000..1e83c83b528 --- /dev/null +++ b/queue-4.14/nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch @@ -0,0 +1,42 @@ +From 4b2c5a14cd8005a900075f7dfec87473c6ee66fb Mon Sep 17 00:00:00 2001 +From: Masashi Honma +Date: Sun, 8 Sep 2019 09:56:53 +0900 +Subject: nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds + +From: Masashi Honma + +commit 4b2c5a14cd8005a900075f7dfec87473c6ee66fb upstream. + +commit 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM +RSSI thresholds") was incomplete and requires one more fix to +prevent accessing to rssi_thresholds[n] because user can control +rssi_thresholds[i] values to make i reach to n. For example, +rssi_thresholds = {-400, -300, -200, -100} when last is -34. + +Cc: stable@vger.kernel.org +Fixes: 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds") +Reported-by: Dan Carpenter +Signed-off-by: Masashi Honma +Link: https://lore.kernel.org/r/20190908005653.17433-1-masashi.honma@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -9753,9 +9753,11 @@ static int cfg80211_cqm_rssi_update(stru + hyst = wdev->cqm_config->rssi_hyst; + n = wdev->cqm_config->n_rssi_thresholds; + +- for (i = 0; i < n; i++) ++ for (i = 0; i < n; i++) { ++ i = array_index_nospec(i, n); + if (last < wdev->cqm_config->rssi_thresholds[i]) + break; ++ } + + low_index = i - 1; + if (low_index >= 0) { diff --git a/queue-4.14/series b/queue-4.14/series index bade85c401f..c4026a2ddfb 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -10,3 +10,5 @@ kvm-coalesced_mmio-add-bounds-checking.patch firmware-google-check-if-size-is-valid-when-decoding-vpd-data.patch serial-sprd-correct-the-wrong-sequence-of-arguments.patch tty-serial-atmel-reschedule-tx-after-rx-was-started.patch +mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch +nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch