From: Greg Kroah-Hartman Date: Thu, 11 Jul 2019 12:53:15 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.2.1~34 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=84414e8a559e2ccd18b4f4387858aad53d95c940;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: mwifiex-abort-at-too-short-bss-descriptor-element.patch
---
diff --git a/queue-4.19/mwifiex-abort-at-too-short-bss-descriptor-element.patch b/queue-4.19/mwifiex-abort-at-too-short-bss-descriptor-element.patch
new file mode 100644
index 00000000000..2c2fd75dd54
--- /dev/null
+++ b/queue-4.19/mwifiex-abort-at-too-short-bss-descriptor-element.patch
@@ -0,0 +1,85 @@
+From 685c9b7750bfacd6fc1db50d86579980593b7869 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 29 May 2019 14:52:20 +0200
+Subject: mwifiex: Abort at too short BSS descriptor element
+
+From: Takashi Iwai
+
+commit 685c9b7750bfacd6fc1db50d86579980593b7869 upstream.
+
+Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
+the source descriptor entries contain the enough size for each type
+and performs copying without checking the source size. This may lead
+to read over boundary.
+
+Fix this by putting the source size check in appropriate places.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 64ab6fe78c0d..c269a0de9413 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_FH_PARAMS:
++ if (element_len + 2 < sizeof(*fh_param_set))
++ return -EINVAL;
+ fh_param_set =
+ (struct ieee_types_fh_param_set *) current_ptr;
+ memcpy(&bss_entry->phy_param_set.fh_param_set,
+@@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_DS_PARAMS:
++ if (element_len + 2 < sizeof(*ds_param_set))
++ return -EINVAL;
+ ds_param_set =
+ (struct ieee_types_ds_param_set *) current_ptr;
+
+@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_CF_PARAMS:
++ if (element_len + 2 < sizeof(*cf_param_set))
++ return -EINVAL;
+ cf_param_set =
+ (struct ieee_types_cf_param_set *) current_ptr;
+ memcpy(&bss_entry->ss_param_set.cf_param_set,
+@@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_IBSS_PARAMS:
++ if (element_len + 2 < sizeof(*ibss_param_set))
++ return -EINVAL;
+ ibss_param_set =
+ (struct ieee_types_ibss_param_set *)
+ current_ptr;
+@@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_ERP_INFO:
++ if (!element_len)
++ return -EINVAL;
+ bss_entry->erp_flags = *(current_ptr + 2);
+ break;
+
+ case WLAN_EID_PWR_CONSTRAINT:
++ if (!element_len)
++ return -EINVAL;
+ bss_entry->local_constraint = *(current_ptr + 2);
+ bss_entry->sensed_11h = true;
+ break;
+@@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_VENDOR_SPECIFIC:
++ if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
++ return -EINVAL;
++
+ vendor_ie = (struct ieee_types_vendor_specific *)
+ current_ptr;
+
diff --git a/queue-4.19/series b/queue-4.19/series
index fe3203f9eb2..049a626d0a1 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -64,3 +64,4 @@ x86-ptrace-fix-possible-spectre-v1-in-ptrace_get_debugreg.patch
 x86-tls-fix-possible-spectre-v1-in-do_get_thread_area.patch
 documentation-add-section-about-cpu-vulnerabilities-for-spectre.patch
 documentation-admin-remove-the-vsyscall-native-documentation.patch
+mwifiex-abort-at-too-short-bss-descriptor-element.patch
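Review bot: Each new minimum-length guard spells the IE header size as a bare `2` (`if (element_len + 2 < sizeof(*fh_param_set))` in the FH_PARAMS case, and the same shape in the DS, CF, IBSS and vendor-specific cases), which a reader has to decode as the id/length bytes that element_len excludes while the ieee_types_* structs apparently include them. The enclosing loop of mwifiex_update_bss_desc_with_ie, which starts and ends outside the hunk, appears to already derive the full element length from element_len plus the header struct size; if that is so, writing the guards as `if (total_ie_len < sizeof(*fh_param_set))` or using `sizeof(struct ieee_types_header)` in place of the literal keeps one definition of the header size instead of five. Either way, a short comment above the first guard such as `/* element_len excludes the 2-byte id/len header; the ieee_types_* structs include it */` would record the assumption the `+ 2` relies on, and would make clear why the ERP_INFO and PWR_CONSTRAINT cases only need `!element_len` before their single-byte reads at `current_ptr + 2`.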