From: Sasha Levin Date: Thu, 13 Feb 2020 04:33:42 +0000 (-0500) Subject: fixes for 4.19 X-Git-Tag: v4.4.214~16^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2f141a9757031dcaa815a782f8ddc47ebcffa7f2;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/libertas-don-t-exit-from-lbs_ibss_join_existing-with.patch b/queue-4.19/libertas-don-t-exit-from-lbs_ibss_join_existing-with.patch new file mode 100644 index 00000000000..dcc604695bc --- /dev/null +++ b/queue-4.19/libertas-don-t-exit-from-lbs_ibss_join_existing-with.patch @@ -0,0 +1,40 @@ +From d60ae009d8172d89ba0d2035fe43a07919f7c5f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2020 11:39:02 +0100 +Subject: libertas: don't exit from lbs_ibss_join_existing() with RCU read lock + held + +From: Nicolai Stange + +[ Upstream commit c7bf1fb7ddca331780b9a733ae308737b39f1ad4 ] + +Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss +descriptor") introduced a bounds check on the number of supplied rates to +lbs_ibss_join_existing(). + +Unfortunately, it introduced a return path from within a RCU read side +critical section without a corresponding rcu_read_unlock(). Fix this. + +Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") +Signed-off-by: Nicolai Stange +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cfg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index c9401c121a14e..68985d7663491 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1785,6 +1785,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, + rates_max = rates_eid[1]; + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); ++ rcu_read_unlock(); + goto out; + } + rates = cmd.bss.rates; +-- +2.20.1 + diff --git a/queue-4.19/libertas-make-lbs_ibss_join_existing-return-error-co.patch b/queue-4.19/libertas-make-lbs_ibss_join_existing-return-error-co.patch new file mode 100644 index 00000000000..e9d18206f8f --- /dev/null +++ b/queue-4.19/libertas-make-lbs_ibss_join_existing-return-error-co.patch @@ -0,0 +1,44 @@ +From baf6b1fbcce2379f8c958299ea0567189bbc3bc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2020 11:39:03 +0100 +Subject: libertas: make lbs_ibss_join_existing() return error code on rates + overflow + +From: Nicolai Stange + +[ Upstream commit 1754c4f60aaf1e17d886afefee97e94d7f27b4cb ] + +Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss +descriptor") introduced a bounds check on the number of supplied rates to +lbs_ibss_join_existing() and made it to return on overflow. + +However, the aforementioned commit doesn't set the return value accordingly +and thus, lbs_ibss_join_existing() would return with zero even though it +failed. + +Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the +number of supplied rates fails. + +Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") +Signed-off-by: Nicolai Stange +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cfg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index 68985d7663491..4e3de684928bf 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1786,6 +1786,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); + rcu_read_unlock(); ++ ret = -EINVAL; + goto out; + } + rates = cmd.bss.rates; +-- +2.20.1 + diff --git a/queue-4.19/mwifiex-fix-possible-buffer-overflows-in-mwifiex_cmd.patch b/queue-4.19/mwifiex-fix-possible-buffer-overflows-in-mwifiex_cmd.patch new file mode 100644 index 00000000000..c72c975fdfb --- /dev/null +++ b/queue-4.19/mwifiex-fix-possible-buffer-overflows-in-mwifiex_cmd.patch @@ -0,0 +1,44 @@ +From 0b5313fae179433f7c2869df69d854f86344c9b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2020 10:39:27 +0800 +Subject: mwifiex: Fix possible buffer overflows in + mwifiex_cmd_append_vsie_tlv() + +From: Qing Xu + +[ Upstream commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d ] + +mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking +the destination size may trigger a buffer overflower, +which a local user could use to cause denial of service +or the execution of arbitrary code. +Fix it by putting the length check before calling memcpy(). + +Signed-off-by: Qing Xu +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index dd02bbd9544e7..85d6d5f3dce5b 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -2894,6 +2894,13 @@ mwifiex_cmd_append_vsie_tlv(struct mwifiex_private *priv, + vs_param_set->header.len = + cpu_to_le16((((u16) priv->vs_ie[id].ie[1]) + & 0x00FF) + 2); ++ if (le16_to_cpu(vs_param_set->header.len) > ++ MWIFIEX_MAX_VSIE_LEN) { ++ mwifiex_dbg(priv->adapter, ERROR, ++ "Invalid param length!\n"); ++ break; ++ } ++ + memcpy(vs_param_set->ie, priv->vs_ie[id].ie, + le16_to_cpu(vs_param_set->header.len)); + *buffer += le16_to_cpu(vs_param_set->header.len) + +-- +2.20.1 + diff --git a/queue-4.19/mwifiex-fix-possible-buffer-overflows-in-mwifiex_ret.patch b/queue-4.19/mwifiex-fix-possible-buffer-overflows-in-mwifiex_ret.patch new file mode 100644 index 00000000000..e80bbad9316 --- /dev/null +++ b/queue-4.19/mwifiex-fix-possible-buffer-overflows-in-mwifiex_ret.patch @@ -0,0 +1,41 @@ +From 78996559275f2a58f0a55b1b74115b260e9786ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2020 10:39:26 +0800 +Subject: mwifiex: Fix possible buffer overflows in + mwifiex_ret_wmm_get_status() + +From: Qing Xu + +[ Upstream commit 3a9b153c5591548612c3955c9600a98150c81875 ] + +mwifiex_ret_wmm_get_status() calls memcpy() without checking the +destination size.Since the source is given from remote AP which +contains illegal wmm elements , this may trigger a heap buffer +overflow. +Fix it by putting the length check before calling memcpy(). + +Signed-off-by: Qing Xu +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/wmm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c +index 64916ba15df5d..429ea2752e6aa 100644 +--- a/drivers/net/wireless/marvell/mwifiex/wmm.c ++++ b/drivers/net/wireless/marvell/mwifiex/wmm.c +@@ -977,6 +977,10 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv, + "WMM Parameter Set Count: %d\n", + wmm_param_ie->qos_info_bitmap & mask); + ++ if (wmm_param_ie->vend_hdr.len + 2 > ++ sizeof(struct ieee_types_wmm_parameter)) ++ break; ++ + memcpy((u8 *) &priv->curr_bss_params.bss_descriptor. + wmm_ie, wmm_param_ie, + wmm_param_ie->vend_hdr.len + 2); +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series index d2062c81465..a9bad0f5388 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -43,3 +43,7 @@ crypto-artpec6-return-correct-error-code-for-failed-setkey.patch crypto-atmel-sha-fix-error-handling-when-setting-hmac-key.patch media-i2c-adv748x-fix-unsafe-macros.patch pinctrl-sh-pfc-r8a7778-fix-duplicate-sdself_b-and-sd1_clk_b.patch +mwifiex-fix-possible-buffer-overflows-in-mwifiex_ret.patch +mwifiex-fix-possible-buffer-overflows-in-mwifiex_cmd.patch +libertas-don-t-exit-from-lbs_ibss_join_existing-with.patch +libertas-make-lbs_ibss_join_existing-return-error-co.patch