CVE-2013-4579: ath9k_htc improper MAC update (rhbz 1032753 1033072)
This commit is contained in:
parent
5c9cd87667
commit
7be728813c
|
@ -0,0 +1,103 @@
|
|||
Bugzilla: 1032753
|
||||
Upstream-status: 3.13
|
||||
|
||||
From 657eb17d87852c42b55c4b06d5425baa08b2ddb3 Mon Sep 17 00:00:00 2001
|
||||
From: Mathy Vanhoef <vanhoefm@gmail.com>
|
||||
Date: Thu, 28 Nov 2013 12:21:45 +0100
|
||||
Subject: [PATCH] ath9k_htc: properly set MAC address and BSSID mask
|
||||
|
||||
Pick the MAC address of the first virtual interface as the new hardware MAC
|
||||
address. Set BSSID mask according to this MAC address. This fixes CVE-2013-4579.
|
||||
|
||||
Signed-off-by: Mathy Vanhoef <vanhoefm@gmail.com>
|
||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||
---
|
||||
drivers/net/wireless/ath/ath9k/htc_drv_main.c | 25 +++++++++++++++++--------
|
||||
drivers/net/wireless/ath/ath9k/main.c | 5 +++--
|
||||
2 files changed, 20 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
|
||||
index 9a2657f..608d739 100644
|
||||
--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
|
||||
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
|
||||
@@ -127,21 +127,26 @@ static void ath9k_htc_bssid_iter(void *data, u8 *mac, struct ieee80211_vif *vif)
|
||||
struct ath9k_vif_iter_data *iter_data = data;
|
||||
int i;
|
||||
|
||||
- for (i = 0; i < ETH_ALEN; i++)
|
||||
- iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
|
||||
+ if (iter_data->hw_macaddr != NULL) {
|
||||
+ for (i = 0; i < ETH_ALEN; i++)
|
||||
+ iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
|
||||
+ } else {
|
||||
+ iter_data->hw_macaddr = mac;
|
||||
+ }
|
||||
}
|
||||
|
||||
-static void ath9k_htc_set_bssid_mask(struct ath9k_htc_priv *priv,
|
||||
+static void ath9k_htc_set_mac_bssid_mask(struct ath9k_htc_priv *priv,
|
||||
struct ieee80211_vif *vif)
|
||||
{
|
||||
struct ath_common *common = ath9k_hw_common(priv->ah);
|
||||
struct ath9k_vif_iter_data iter_data;
|
||||
|
||||
/*
|
||||
- * Use the hardware MAC address as reference, the hardware uses it
|
||||
- * together with the BSSID mask when matching addresses.
|
||||
+ * Pick the MAC address of the first interface as the new hardware
|
||||
+ * MAC address. The hardware will use it together with the BSSID mask
|
||||
+ * when matching addresses.
|
||||
*/
|
||||
- iter_data.hw_macaddr = common->macaddr;
|
||||
+ iter_data.hw_macaddr = NULL;
|
||||
memset(&iter_data.mask, 0xff, ETH_ALEN);
|
||||
|
||||
if (vif)
|
||||
@@ -153,6 +158,10 @@ static void ath9k_htc_set_bssid_mask(struct ath9k_htc_priv *priv,
|
||||
ath9k_htc_bssid_iter, &iter_data);
|
||||
|
||||
memcpy(common->bssidmask, iter_data.mask, ETH_ALEN);
|
||||
+
|
||||
+ if (iter_data.hw_macaddr)
|
||||
+ memcpy(common->macaddr, iter_data.hw_macaddr, ETH_ALEN);
|
||||
+
|
||||
ath_hw_setbssidmask(common);
|
||||
}
|
||||
|
||||
@@ -1063,7 +1072,7 @@ static int ath9k_htc_add_interface(struct ieee80211_hw *hw,
|
||||
goto out;
|
||||
}
|
||||
|
||||
- ath9k_htc_set_bssid_mask(priv, vif);
|
||||
+ ath9k_htc_set_mac_bssid_mask(priv, vif);
|
||||
|
||||
priv->vif_slot |= (1 << avp->index);
|
||||
priv->nvifs++;
|
||||
@@ -1128,7 +1137,7 @@ static void ath9k_htc_remove_interface(struct ieee80211_hw *hw,
|
||||
|
||||
ath9k_htc_set_opmode(priv);
|
||||
|
||||
- ath9k_htc_set_bssid_mask(priv, vif);
|
||||
+ ath9k_htc_set_mac_bssid_mask(priv, vif);
|
||||
|
||||
/*
|
||||
* Stop ANI only if there are no associated station interfaces.
|
||||
diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
|
||||
index 74f452c..21aa09e 100644
|
||||
--- a/drivers/net/wireless/ath/ath9k/main.c
|
||||
+++ b/drivers/net/wireless/ath/ath9k/main.c
|
||||
@@ -965,8 +965,9 @@ void ath9k_calculate_iter_data(struct ieee80211_hw *hw,
|
||||
struct ath_common *common = ath9k_hw_common(ah);
|
||||
|
||||
/*
|
||||
- * Use the hardware MAC address as reference, the hardware uses it
|
||||
- * together with the BSSID mask when matching addresses.
|
||||
+ * Pick the MAC address of the first interface as the new hardware
|
||||
+ * MAC address. The hardware will use it together with the BSSID mask
|
||||
+ * when matching addresses.
|
||||
*/
|
||||
memset(iter_data, 0, sizeof(*iter_data));
|
||||
memset(&iter_data->mask, 0xff, ETH_ALEN);
|
||||
--
|
||||
1.8.4.2
|
||||
|
|
@ -754,6 +754,9 @@ Patch25176: br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
|
|||
#rhbz 1024002
|
||||
Patch25177: libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch
|
||||
|
||||
#CVE-2013-4579 rhbz 1032753 1033072
|
||||
Patch25178: ath9k_htc-properly-set-MAC-address-and-BSSID-mask.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1447,6 +1450,9 @@ ApplyPatch br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
|
|||
#rhbz 1024002
|
||||
ApplyPatch libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch
|
||||
|
||||
#CVE-2013-4579 rhbz 1032753 1033072
|
||||
ApplyPatch ath9k_htc-properly-set-MAC-address-and-BSSID-mask.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2259,6 +2265,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Mon Jan 06 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2013-4579: ath9k_htc improper MAC update (rhbz 1032753 1033072)
|
||||
|
||||
* Mon Dec 23 2013 Justin M. Forbes <jforbes@fedoraproject.org - 3.12.6-200
|
||||
- Linux v3.12.6
|
||||
|
||||
|
|
Loading…
Reference in New Issue