From: Sasha Levin Date: Thu, 13 Feb 2020 04:33:43 +0000 (-0500) Subject: fixes for 4.9 X-Git-Tag: v4.4.214~16^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eff93e0a66d2f9c7bfbc71302c849bf7564f5863;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/libertas-don-t-exit-from-lbs_ibss_join_existing-with.patch b/queue-4.9/libertas-don-t-exit-from-lbs_ibss_join_existing-with.patch new file mode 100644 index 00000000000..26f44040514 --- /dev/null +++ b/queue-4.9/libertas-don-t-exit-from-lbs_ibss_join_existing-with.patch @@ -0,0 +1,40 @@ +From ce6ee97f8d531e561496dc723b3381f108e1ad9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2020 11:39:02 +0100 +Subject: libertas: don't exit from lbs_ibss_join_existing() with RCU read lock + held + +From: Nicolai Stange + +[ Upstream commit c7bf1fb7ddca331780b9a733ae308737b39f1ad4 ] + +Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss +descriptor") introduced a bounds check on the number of supplied rates to +lbs_ibss_join_existing(). + +Unfortunately, it introduced a return path from within a RCU read side +critical section without a corresponding rcu_read_unlock(). Fix this. + +Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") +Signed-off-by: Nicolai Stange +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cfg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index 3eab802c7d3f3..0b61942fedd90 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1859,6 +1859,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, + rates_max = rates_eid[1]; + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); ++ rcu_read_unlock(); + goto out; + } + rates = cmd.bss.rates; +-- +2.20.1 + diff --git a/queue-4.9/libertas-make-lbs_ibss_join_existing-return-error-co.patch b/queue-4.9/libertas-make-lbs_ibss_join_existing-return-error-co.patch new file mode 100644 index 00000000000..1906ae3820f --- /dev/null +++ b/queue-4.9/libertas-make-lbs_ibss_join_existing-return-error-co.patch @@ -0,0 +1,44 @@ +From 9abff94cd5092b94849cd80b49b75fefe883ed0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2020 11:39:03 +0100 +Subject: libertas: make lbs_ibss_join_existing() return error code on rates + overflow + +From: Nicolai Stange + +[ Upstream commit 1754c4f60aaf1e17d886afefee97e94d7f27b4cb ] + +Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss +descriptor") introduced a bounds check on the number of supplied rates to +lbs_ibss_join_existing() and made it to return on overflow. + +However, the aforementioned commit doesn't set the return value accordingly +and thus, lbs_ibss_join_existing() would return with zero even though it +failed. + +Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the +number of supplied rates fails. + +Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") +Signed-off-by: Nicolai Stange +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cfg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index 0b61942fedd90..ece6d72cf90c8 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1860,6 +1860,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); + rcu_read_unlock(); ++ ret = -EINVAL; + goto out; + } + rates = cmd.bss.rates; +-- +2.20.1 + diff --git a/queue-4.9/mwifiex-fix-possible-buffer-overflows-in-mwifiex_cmd.patch b/queue-4.9/mwifiex-fix-possible-buffer-overflows-in-mwifiex_cmd.patch new file mode 100644 index 00000000000..8522145156d --- /dev/null +++ b/queue-4.9/mwifiex-fix-possible-buffer-overflows-in-mwifiex_cmd.patch @@ -0,0 +1,44 @@ +From aeb71bf85b3eb95b512da41a73fe72be72e5eb98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2020 10:39:27 +0800 +Subject: mwifiex: Fix possible buffer overflows in + mwifiex_cmd_append_vsie_tlv() + +From: Qing Xu + +[ Upstream commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d ] + +mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking +the destination size may trigger a buffer overflower, +which a local user could use to cause denial of service +or the execution of arbitrary code. +Fix it by putting the length check before calling memcpy(). + +Signed-off-by: Qing Xu +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index 828c6f5eb83c8..5fde2e2f1fea8 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -2878,6 +2878,13 @@ mwifiex_cmd_append_vsie_tlv(struct mwifiex_private *priv, + vs_param_set->header.len = + cpu_to_le16((((u16) priv->vs_ie[id].ie[1]) + & 0x00FF) + 2); ++ if (le16_to_cpu(vs_param_set->header.len) > ++ MWIFIEX_MAX_VSIE_LEN) { ++ mwifiex_dbg(priv->adapter, ERROR, ++ "Invalid param length!\n"); ++ break; ++ } ++ + memcpy(vs_param_set->ie, priv->vs_ie[id].ie, + le16_to_cpu(vs_param_set->header.len)); + *buffer += le16_to_cpu(vs_param_set->header.len) + +-- +2.20.1 + diff --git a/queue-4.9/mwifiex-fix-possible-buffer-overflows-in-mwifiex_ret.patch b/queue-4.9/mwifiex-fix-possible-buffer-overflows-in-mwifiex_ret.patch new file mode 100644 index 00000000000..c698a4bb534 --- /dev/null +++ b/queue-4.9/mwifiex-fix-possible-buffer-overflows-in-mwifiex_ret.patch @@ -0,0 +1,41 @@ +From 36ef89a7630c4f3bcdabd50792e694ef6851583a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2020 10:39:26 +0800 +Subject: mwifiex: Fix possible buffer overflows in + mwifiex_ret_wmm_get_status() + +From: Qing Xu + +[ Upstream commit 3a9b153c5591548612c3955c9600a98150c81875 ] + +mwifiex_ret_wmm_get_status() calls memcpy() without checking the +destination size.Since the source is given from remote AP which +contains illegal wmm elements , this may trigger a heap buffer +overflow. +Fix it by putting the length check before calling memcpy(). + +Signed-off-by: Qing Xu +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/wmm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c +index 9843560e784fe..c93fcafbcc7a6 100644 +--- a/drivers/net/wireless/marvell/mwifiex/wmm.c ++++ b/drivers/net/wireless/marvell/mwifiex/wmm.c +@@ -980,6 +980,10 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv, + "WMM Parameter Set Count: %d\n", + wmm_param_ie->qos_info_bitmap & mask); + ++ if (wmm_param_ie->vend_hdr.len + 2 > ++ sizeof(struct ieee_types_wmm_parameter)) ++ break; ++ + memcpy((u8 *) &priv->curr_bss_params.bss_descriptor. + wmm_ie, wmm_param_ie, + wmm_param_ie->vend_hdr.len + 2); +-- +2.20.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 191623fb210..78e2d0b0557 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -108,3 +108,7 @@ arm-dts-at91-sama5d3-define-clock-rate-range-for-tcb1.patch tools-power-acpi-fix-compilation-error.patch powerpc-pseries-allow-not-having-ibm-hypertas-functions-hcall-multi-tce-for-ddw.patch pinctrl-sh-pfc-r8a7778-fix-duplicate-sdself_b-and-sd1_clk_b.patch +mwifiex-fix-possible-buffer-overflows-in-mwifiex_ret.patch +mwifiex-fix-possible-buffer-overflows-in-mwifiex_cmd.patch +libertas-don-t-exit-from-lbs_ibss_join_existing-with.patch +libertas-make-lbs_ibss_join_existing-return-error-co.patch