From 43e10bfec937226756b79ceb019ef0de21b4ac4e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 14 Jan 2020 09:24:10 +0100
Subject: [PATCH] 4.19-stable patches

added patches:
ath10k-fix-memory-leak.patch
mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
rtl8xxxu-prevent-leaking-urb.patch
scsi-bfa-release-allocated-memory-in-case-of-error.patch
---
 queue-4.19/ath10k-fix-memory-leak.patch | 31 ++++++++++
 ...erflow-in-mwifiex_process_country_ie.patch | 62 +++++++++++++++++++
 ...eak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch | 37 +++++++++++
 queue-4.19/rtl8xxxu-prevent-leaking-urb.patch | 32 ++++++++++
 ...se-allocated-memory-in-case-of-error.patch | 36 +++++++++++
 queue-4.19/series | 5 ++
 6 files changed, 203 insertions(+)
 create mode 100644 queue-4.19/ath10k-fix-memory-leak.patch
 create mode 100644 queue-4.19/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
 create mode 100644 queue-4.19/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
 create mode 100644 queue-4.19/rtl8xxxu-prevent-leaking-urb.patch
 create mode 100644 queue-4.19/scsi-bfa-release-allocated-memory-in-case-of-error.patch
diff --git a/queue-4.19/ath10k-fix-memory-leak.patch b/queue-4.19/ath10k-fix-memory-leak.patch
new file mode 100644
index 00000000000..be9c680acaa
--- /dev/null
+++ b/queue-4.19/ath10k-fix-memory-leak.patch
@@ -0,0 +1,31 @@
+From b8d17e7d93d2beb89e4f34c59996376b8b544792 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Thu, 19 Sep 2019 20:36:26 -0500
+Subject: ath10k: fix memory leak
+
+From: Navid Emamdoost
+
+commit b8d17e7d93d2beb89e4f34c59996376b8b544792 upstream.
+
+In ath10k_usb_hif_tx_sg the allocated urb should be released if
+usb_submit_urb fails.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Kalle Valo
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ath/ath10k/usb.c
++++ b/drivers/net/wireless/ath/ath10k/usb.c
+@@ -454,6 +454,7 @@ static int ath10k_usb_hif_tx_sg(struct a
+ ath10k_dbg(ar, ATH10K_DBG_USB_BULK,
+ "usb bulk transmit failed: %d\n", ret);
+ usb_unanchor_urb(urb);
++ usb_free_urb(urb);
+ ret = -EINVAL;
+ goto err_free_urb_to_pipe;
+ }
diff --git a/queue-4.19/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch b/queue-4.19/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
new file mode 100644
index 00000000000..a4a29edcb61
--- /dev/null
+++ b/queue-4.19/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
@@ -0,0 +1,62 @@
+From 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b Mon Sep 17 00:00:00 2001
+From: Ganapathi Bhat
+Date: Thu, 21 Nov 2019 21:34:38 +0530
+Subject: mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
+
+From: Ganapathi Bhat
+
+commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.
+
+mwifiex_process_country_ie() function parse elements of bss
+descriptor in beacon packet. When processing WLAN_EID_COUNTRY
+element, there is no upper limit check for country_ie_len before
+calling memcpy. The destination buffer domain_info->triplet is an
+array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
+attacker can build a fake AP with the same ssid as real AP, and
+send malicous beacon packet with long WLAN_EID_COUNTRY elemen
+(country_ie_len > 83). Attacker can force STA connect to fake AP
+on a different channel. When the victim STA connects to fake AP,
+will trigger the heap buffer overflow. Fix this by checking for
+length and if found invalid, don not connect to the AP.
+
+This fix addresses CVE-2019-14895.
+
+Reported-by: huangwen
+Signed-off-by: Ganapathi Bhat
+Signed-off-by: Kalle Valo
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+@@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(st
+ "11D: skip setting domain info in FW\n");
+ return 0;
+ }
++
++ if (country_ie_len >
++ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
++ mwifiex_dbg(priv->adapter, ERROR,
++ "11D: country_ie_len overflow!, deauth AP\n");
++ return -EINVAL;
++ }
++
+ memcpy(priv->adapter->country_code, &country_ie[2], 2);
+
+ domain_info->country_code[0] = country_ie[2];
+@@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_pri
+ priv->scan_block = false;
+
+ if (bss) {
+- if (adapter->region_code == 0x00)
+- mwifiex_process_country_ie(priv, bss);
++ if (adapter->region_code == 0x00 &&
++ mwifiex_process_country_ie(priv, bss))
++ return -EINVAL;
+
+ /* Allocate and fill new bss descriptor */
+ bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
diff --git a/queue-4.19/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch b/queue-4.19/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
new file mode 100644
index 00000000000..0d434c90939
--- /dev/null
+++ b/queue-4.19/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
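Review bot: The added early exit in mwifiex_process_country_ie() (`return -EINVAL;` after the country_ie_len bound check) may leave an RCU read-side section open: the function's opening lines are outside this hunk, but if the country IE pointer is obtained under rcu_read_lock() and the existing `return 0` exits are each preceded by an unlock, the new path needs `rcu_read_unlock();` before `return -EINVAL;`. The bound compares a byte length taken from a beacon the commit message treats as attacker-controlled against IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D, and a one-line comment such as `/* country_ie_len is in bytes; reject IEs longer than the country string plus the triplet limit */` would make the units explicit for the triplet copy the commit message describes. The log text says "deauth AP" while the visible code only returns an error that mwifiex_bss_start() propagates, so the message wording could be aligned with what actually happens.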
@@ -0,0 +1,37 @@
+From db8fd2cde93227e566a412cf53173ffa227998bc Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Fri, 4 Oct 2019 15:08:52 -0500
+Subject: mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
+
+From: Navid Emamdoost
+
+commit db8fd2cde93227e566a412cf53173ffa227998bc upstream.
+
+In mwifiex_pcie_alloc_cmdrsp_buf, a new skb is allocated which should be
+released if mwifiex_map_pci_memory() fails. The release is added.
+
+Fixes: fc3314609047 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe")
+Signed-off-by: Navid Emamdoost
+Acked-by: Ganapathi Bhat
+Signed-off-by: Kalle Valo
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/marvell/mwifiex/pcie.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
+@@ -1036,8 +1036,10 @@ static int mwifiex_pcie_alloc_cmdrsp_buf
+ }
+ skb_put(skb, MWIFIEX_UPLD_SIZE);
+ if (mwifiex_map_pci_memory(adapter, skb, MWIFIEX_UPLD_SIZE,
+- PCI_DMA_FROMDEVICE))
++ PCI_DMA_FROMDEVICE)) {
++ kfree_skb(skb);
+ return -1;
++ }
+
+ card->cmdrsp_buf = skb;
+
diff --git a/queue-4.19/rtl8xxxu-prevent-leaking-urb.patch b/queue-4.19/rtl8xxxu-prevent-leaking-urb.patch
new file mode 100644
index 00000000000..1eb575a1d01
--- /dev/null
+++ b/queue-4.19/rtl8xxxu-prevent-leaking-urb.patch
@@ -0,0 +1,32 @@
+From a2cdd07488e666aa93a49a3fc9c9b1299e27ef3c Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Thu, 19 Sep 2019 22:00:41 -0500
+Subject: rtl8xxxu: prevent leaking urb
+
+From: Navid Emamdoost
+
+commit a2cdd07488e666aa93a49a3fc9c9b1299e27ef3c upstream.
+
+In rtl8xxxu_submit_int_urb if usb_submit_urb fails the allocated urb
+should be released.
+
+Signed-off-by: Navid Emamdoost
+Reviewed-by: Chris Chiu
+Signed-off-by: Kalle Valo
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5453,6 +5453,7 @@ static int rtl8xxxu_submit_int_urb(struc
+ ret = usb_submit_urb(urb, GFP_KERNEL);
+ if (ret) {
+ usb_unanchor_urb(urb);
++ usb_free_urb(urb);
+ goto error;
+ }
+
diff --git a/queue-4.19/scsi-bfa-release-allocated-memory-in-case-of-error.patch b/queue-4.19/scsi-bfa-release-allocated-memory-in-case-of-error.patch
new file mode 100644
index 00000000000..b6699e0a496
--- /dev/null
+++ b/queue-4.19/scsi-bfa-release-allocated-memory-in-case-of-error.patch
@@ -0,0 +1,36 @@
+From 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Tue, 10 Sep 2019 18:44:15 -0500
+Subject: scsi: bfa: release allocated memory in case of error
+
+From: Navid Emamdoost
+
+commit 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 upstream.
+
+In bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to
+be released.
+
+Link: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Martin K. Petersen
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/bfa/bfad_attr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/bfa/bfad_attr.c
++++ b/drivers/scsi/bfa/bfad_attr.c
+@@ -283,8 +283,10 @@ bfad_im_get_stats(struct Scsi_Host *shos
+ rc = bfa_port_get_stats(BFA_FCPORT(&bfad->bfa),
+ fcstats, bfad_hcb_comp, &fcomp);
+ spin_unlock_irqrestore(&bfad->bfad_lock, flags);
+- if (rc != BFA_STATUS_OK)
++ if (rc != BFA_STATUS_OK) {
++ kfree(fcstats);
+ return NULL;
++ }
+
+ wait_for_completion(&fcomp.comp);
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 50ddd31a960..ce715316ede 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -32,3 +32,8 @@ staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
 serdev-don-t-claim-unsupported-acpi-serial-devices.patch
 tty-link-tty-and-port-before-configuring-it-as-console.patch
 tty-always-relink-the-port.patch
+mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
+mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
+scsi-bfa-release-allocated-memory-in-case-of-error.patch
+rtl8xxxu-prevent-leaking-urb.patch
+ath10k-fix-memory-leak.patch
--
2.47.3