From: Greg Kroah-Hartman Date: Thu, 19 Sep 2019 14:18:42 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.194~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be9175376dd6e26a833be80496002aa1b0b1ba88;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch --- diff --git a/queue-4.9/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch b/queue-4.9/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch new file mode 100644 index 00000000000..9f5418b339e --- /dev/null +++ b/queue-4.9/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch @@ -0,0 +1,73 @@ +From 7caac62ed598a196d6ddf8d9c121e12e082cac3a Mon Sep 17 00:00:00 2001 +From: Wen Huang +Date: Wed, 28 Aug 2019 10:07:51 +0800 +Subject: mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings + +From: Wen Huang + +commit 7caac62ed598a196d6ddf8d9c121e12e082cac3a upstream. + +mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and +mwifiex_set_wmm_params() call memcpy() without checking +the destination size.Since the source is given from +user-space, this may trigger a heap buffer overflow. + +Fix them by putting the length check before performing memcpy(). + +This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816. + +Signed-off-by: Wen Huang +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/ie.c | 3 +++ + drivers/net/wireless/marvell/mwifiex/uap_cmd.c | 9 ++++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/marvell/mwifiex/ie.c ++++ b/drivers/net/wireless/marvell/mwifiex/ie.c +@@ -240,6 +240,9 @@ static int mwifiex_update_vs_ie(const u8 + } + + vs_ie = (struct ieee_types_header *)vendor_ie; ++ if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 > ++ IEEE_MAX_IE_SIZE) ++ return -EINVAL; + memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length), + vs_ie, vs_ie->len + 2); + le16_add_cpu(&ie->ie_length, vs_ie->len + 2); +--- a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c +@@ -287,6 +287,8 @@ mwifiex_set_uap_rates(struct mwifiex_uap + + rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len); + if (rate_ie) { ++ if (rate_ie->len > MWIFIEX_SUPPORTED_RATES) ++ return; + memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len); + rate_len = rate_ie->len; + } +@@ -294,8 +296,11 @@ mwifiex_set_uap_rates(struct mwifiex_uap + rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, + params->beacon.tail, + params->beacon.tail_len); +- if (rate_ie) ++ if (rate_ie) { ++ if (rate_ie->len > MWIFIEX_SUPPORTED_RATES - rate_len) ++ return; + memcpy(bss_cfg->rates + rate_len, rate_ie + 1, rate_ie->len); ++ } + + return; + } +@@ -413,6 +418,8 @@ mwifiex_set_wmm_params(struct mwifiex_pr + params->beacon.tail_len); + if (vendor_ie) { + wmm_ie = (struct ieee_types_header *)vendor_ie; ++ if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info)) ++ return; + memcpy(&bss_cfg->wmm_info, wmm_ie + 1, + sizeof(bss_cfg->wmm_info)); + priv->wmm_enabled = 1; diff --git a/queue-4.9/series b/queue-4.9/series index ae588821fca..21f4f35d37b 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -40,3 +40,4 @@ xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch kvm-coalesced_mmio-add-bounds-checking.patch serial-sprd-correct-the-wrong-sequence-of-arguments.patch tty-serial-atmel-reschedule-tx-after-rx-was-started.patch +mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch