diff --git a/ath10k-fix-memory-leak.patch b/ath10k-fix-memory-leak.patch new file mode 100644 index 000000000..f7120b81f --- /dev/null +++ b/ath10k-fix-memory-leak.patch @@ -0,0 +1,154 @@ +From patchwork Fri Sep 20 01:36:26 2019 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: Navid Emamdoost +X-Patchwork-Id: 11153701 +Return-Path: + +Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org + [172.30.200.123]) + by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D3F0714DB + for ; + Fri, 20 Sep 2019 01:36:54 +0000 (UTC) +Received: from bombadil.infradead.org (bombadil.infradead.org + [198.137.202.133]) + (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) + (No client certificate requested) + by mail.kernel.org (Postfix) with ESMTPS id B1A2E206C2 + for ; + Fri, 20 Sep 2019 01:36:54 +0000 (UTC) +Authentication-Results: mail.kernel.org; + dkim=pass (2048-bit key) header.d=lists.infradead.org + header.i=@lists.infradead.org header.b="bhsKgarK"; + dkim=fail reason="signature verification failed" (2048-bit key) + header.d=gmail.com header.i=@gmail.com header.b="nljLTTHa" +DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B1A2E206C2 +Authentication-Results: mail.kernel.org; + dmarc=fail (p=none dis=none) header.from=gmail.com +Authentication-Results: mail.kernel.org; + spf=none + smtp.mailfrom=ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org +DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; + d=lists.infradead.org; s=bombadil.20170209; h=Sender: + Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: + List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date: + Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: + Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: + References:List-Owner; bh=TgqIPzTUSDBMffxK6MmqtQ+I81SfWmrbmWLuWLbhwV8=; b=bhs + KgarKUaVoFaf/6TPo+T+LIemPUgT0DioZ9Aa4cXD7m02vV5SrBodW911B9amgDGQ4ipx7UyAgOokS + QqumgU8MLbC9VEmDHseDYkrMDJvPAVL/+Ou5bAAoDDa4G14hJi1RWh5lsdIJBMKmjMI9KcW7qFdEj + eQ6JBoJXliaYp31BoAPEbyBnG4b8RQxO6wT9wA+/Bs8gR8bBQN9Wjo7zsIKHobQbKfAXTTRwn46dt + J7kt19264hkIv2Dr3UQc7W8kYL09TmllYFjEGYTOuGFEOoHlejt6CpbUnh0mdPtDggPPxsQ+e/f/h + 0dGNUqgR/L7R5/70DbHnF24DnXzwfQw==; +Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) + by bombadil.infradead.org with esmtp (Exim 4.92.2 #3 (Red Hat Linux)) + id 1iB7qu-0006An-U6; Fri, 20 Sep 2019 01:36:52 +0000 +Received: from mail-io1-xd43.google.com ([2607:f8b0:4864:20::d43]) + by bombadil.infradead.org with esmtps (Exim 4.92.2 #3 (Red Hat Linux)) + id 1iB7qr-0006A2-PC + for ath10k@lists.infradead.org; Fri, 20 Sep 2019 01:36:51 +0000 +Received: by mail-io1-xd43.google.com with SMTP id q10so12531160iop.2 + for ; Thu, 19 Sep 2019 18:36:47 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; + h=from:to:cc:subject:date:message-id; + bh=2vkYM2Vw9GpvccAiSSIMhifEzfuK8Ld4R3bwXVgh1ps=; + b=nljLTTHaQr3RenMHyxOGrtAwE/I0ES0GK9UJLdYkS7iEalzRrwu+/ygif0A/YnEFuE + fMLFG5zBRN2I7SpqvTBqaxAYJbA+a5Nnb5ymeV3s6Ef+CcGHE165IRfi+4dxEt/RvV3k + 4CjBDTDWGnnBO1wfDcS0WW9TqjJEoxFKWNCL+8oAzUyMten4zs8XPRUPlZVc5dHnkqC9 + LmLWnaSBjm2g5JG0GJKSrT8KrYP2mv4yGUR0HaWruQWwfQQ8NJc2RyXm1Ml99KZkoU73 + TG98jQSy2dcHrVqaNRfpAtyj0WEwXdLqMfT1ggk69p1ZfC7ol/7QEQxzgDIU0EFn2r59 + owvA== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:from:to:cc:subject:date:message-id; + bh=2vkYM2Vw9GpvccAiSSIMhifEzfuK8Ld4R3bwXVgh1ps=; + b=h6uidvjJA/lvtevOi6n+lWV9vjtx5XM1d7kRlAFgObUBjJMIap329Jxa7uA0de8dx/ + 4ANBCQj9/8psgTYwWqBv0bJH+7IC+ewxZb2m3z1dMYwsFp8coTyMryaBVWb4trh0My3B + XT2OseKTL0iAiy35/SDbWV/5FljTuVmto5Jgglq6lB3uPpQVIGu46UY8kNKwuIdNseow + y4r+4w82KCHMoANJmlEPlFYb7xnmENPIdx0ZITs6ISjjvTICaf8nyA3OgqPCI5l3/DCb + 3plewsEuTwGiFXPqJx2ldY3gIwfH8D7w1MLxadUUL6o2fDRt0ZjFbJuUk/tiX/EM5MOL + W3dQ== +X-Gm-Message-State: APjAAAWIX+IMQ2tM7gV9yX2n6iqisUO1ysXCEYfl/P1BcWwlYgTk8xNq + /djn9P594uwGss08Ku8JA9E= +X-Google-Smtp-Source: + APXvYqzLPqJkNUviwDSfcaSYJH+eUFOLc0fBeZpgji797e/U5UAY6XAi9Cq7iKldElsnElvAmFWNCw== +X-Received: by 2002:a6b:8f15:: with SMTP id r21mr3490587iod.259.1568943406715; + Thu, 19 Sep 2019 18:36:46 -0700 (PDT) +Received: from cs-dulles.cs.umn.edu (cs-dulles.cs.umn.edu. [128.101.35.54]) + by smtp.googlemail.com with ESMTPSA id x12sm335602ioh.76.2019.09.19.18.36.45 + (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); + Thu, 19 Sep 2019 18:36:45 -0700 (PDT) +From: Navid Emamdoost +To: +Subject: [PATCH] ath10k: fix memory leak +Date: Thu, 19 Sep 2019 20:36:26 -0500 +Message-Id: <20190920013632.30796-1-navid.emamdoost@gmail.com> +X-Mailer: git-send-email 2.17.1 +X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 +X-CRM114-CacheID: sfid-20190919_183649_845813_A1A80F7F +X-CRM114-Status: UNSURE ( 7.25 ) +X-CRM114-Notice: Please train this message. +X-Spam-Score: -0.2 (/) +X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: + Content analysis details: (-0.2 points) + pts rule name description + ---- ---------------------- + -------------------------------------------------- + -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, + no trust [2607:f8b0:4864:20:0:0:0:d43 listed in] + [list.dnswl.org] + 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record + -0.0 SPF_PASS SPF: sender matches SPF record + 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail + provider (navid.emamdoost[at]gmail.com) + -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature + -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from + author's domain + -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from + envelope-from domain + 0.1 DKIM_SIGNED Message has a DKIM or DK signature, + not necessarily + valid +X-BeenThere: ath10k@lists.infradead.org +X-Mailman-Version: 2.1.29 +Precedence: list +List-Id: +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +Cc: linux-wireless@vger.kernel.org, kjlu@umn.edu, + linux-kernel@vger.kernel.org, + ath10k@lists.infradead.org, emamd001@umn.edu, smccaman@umn.edu, + netdev@vger.kernel.org, "David S. Miller" , + Kalle Valo , + Navid Emamdoost +MIME-Version: 1.0 +Sender: "ath10k" +Errors-To: + ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org + +In ath10k_usb_hif_tx_sg the allocated urb should be released if +usb_submit_urb fails. + +Signed-off-by: Navid Emamdoost +--- + drivers/net/wireless/ath/ath10k/usb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c +index e1420f67f776..730ed22e08a0 100644 +--- a/drivers/net/wireless/ath/ath10k/usb.c ++++ b/drivers/net/wireless/ath/ath10k/usb.c +@@ -435,6 +435,7 @@ static int ath10k_usb_hif_tx_sg(struct ath10k *ar, u8 pipe_id, + ath10k_dbg(ar, ATH10K_DBG_USB_BULK, + "usb bulk transmit failed: %d\n", ret); + usb_unanchor_urb(urb); ++ usb_free_urb(urb); + ret = -EINVAL; + goto err_free_urb_to_pipe; + } diff --git a/kernel.spec b/kernel.spec index 2fe02f8f1..1a75dcae8 100644 --- a/kernel.spec +++ b/kernel.spec @@ -840,6 +840,19 @@ Patch522: mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch # CVE-2019-19054 rhbz 1775063 1775117 Patch524: media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch +# CVE-2019-14895 rhbz 1774870 1776139 +Patch525: mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch + +# CVE-2019-14896 rhbz 1774875 1776143 +# CVE-2019-14897 rhbz 1774879 1776146 +Patch526: libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch + +# CVE-2019-14901 rhbz 1773519 1776184 +Patch527: mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch + +# CVE-2019-19078 rhbz 1776354 1776353 +Patch528: ath10k-fix-memory-leak.patch + # END OF PATCH DEFINITIONS %endif @@ -2538,6 +2551,13 @@ fi # # %changelog +* Mon Nov 25 2019 Justin M. Forbes +- Fix CVE-2019-14895 (rhbz 1774870 1776139) +- Fix CVE-2019-14896 (rhbz 1774875 1776143) +- Fix CVE-2019-14897 (rhbz 1774879 1776146) +- Fix CVE-2019-14901 (rhbz 1773519 1776184) +- Fix CVE-2019-19078 (rhbz 1776354 1776353) + * Mon Nov 25 2019 Jeremy Cline - 5.4.0-1 - Linux v5.4.0 diff --git a/libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch b/libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch new file mode 100644 index 000000000..e8c4c4b64 --- /dev/null +++ b/libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch @@ -0,0 +1,120 @@ +From patchwork Fri Nov 22 05:29:17 2019 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: huangwenabc@gmail.com +X-Patchwork-Id: 11257187 +X-Patchwork-Delegate: kvalo@adurom.com +Return-Path: +Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org + [172.30.200.123]) + by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 032DA112B + for ; + Fri, 22 Nov 2019 05:29:36 +0000 (UTC) +Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) + by mail.kernel.org (Postfix) with ESMTP id D68A920707 + for ; + Fri, 22 Nov 2019 05:29:35 +0000 (UTC) +Authentication-Results: mail.kernel.org; + dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com + header.b="WaDUta6X" +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1726719AbfKVF3f (ORCPT + ); + Fri, 22 Nov 2019 00:29:35 -0500 +Received: from mail-pf1-f194.google.com ([209.85.210.194]:43041 "EHLO + mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1726529AbfKVF3e (ORCPT + ); + Fri, 22 Nov 2019 00:29:34 -0500 +Received: by mail-pf1-f194.google.com with SMTP id 3so2912048pfb.10 + for ; + Thu, 21 Nov 2019 21:29:34 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20161025; + h=from:to:cc:subject:date:message-id; + bh=9G4UM2vhuEG4TSdFZTVuZ71GTOHLABBI6xxxI/2Oncw=; + b=WaDUta6XODn4hzzqR0np+iPcfBChaSE05EpSM8UrALWvgf7x/9f0e8SMvgXTGXaN74 + Irmx+lKSr5piR/mhpfRO+HVN7bu7ukOSsxCxlNav6kvJn3SG/q0TV9VGoWEKM+8yISrK + Bc5MtndhyGLDrWQFgc5fSdMf+/79HC0AWnnavMoEKxnAti/HKBQnIPreGoLnrWIpbhXZ + EdU3ei0kxlwAUbNl8/FywUG2qzQeoeh5RranVfooFhbBQ0QfNtx3k3ARWrVdT9uV7QtX + pcpYtJsjn94TXL0llHTzpE182eTvmUrzxf89ubigJh+EYnryHC+HUHZoVtjYtbjidWoV + I0FQ== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:from:to:cc:subject:date:message-id; + bh=9G4UM2vhuEG4TSdFZTVuZ71GTOHLABBI6xxxI/2Oncw=; + b=gNC3IOfmB1H65frnsn63mdzaxphxG6xvR0SHEIOJSaWI/Jx9VK+CfnGr+7pOQZ/Pyw + wORhpVi6EbFsE7mVKbjlJ7O96hk14FnUKSPVOhl9NH4xXBktd7sJc5Z36N3J6RRv9Cfc + gQWPy1otHKeNz1riMgHcbkaiKj3CANpJ6gaAE/R8EjWLXjS7Bw/vBgQSr5WnAVV27Ppw + Flrks3Qv8BGkRUCymKArD05r646Fx1ew/FI7oGyKQhxxWJPuv5RoVTGPbAC1unU+zjfN + 2XNdr1yKKfY4R5S8q49FeHsN5Mb+lmriUPdLPL062UzQ7x/pTzfh3rI9Lf92jMJiJ9/n + 9zPw== +X-Gm-Message-State: APjAAAVgSeSrlZfb2Ch2KXDFaNq6RLCJCvq40zW4toublIDi1zh7feyc + srNh0xN+iNrBCzEMbsxDKJS2IOoUYXc= +X-Google-Smtp-Source: + APXvYqwPwHZStvNKOZtUBWgPYiEFiNFqEQLMngqNoFN6jFqDKFjISduUPDUYh2y907mFwD+Qn6zs9w== +X-Received: by 2002:a63:7456:: with SMTP id + e22mr14245471pgn.314.1574400573682; + Thu, 21 Nov 2019 21:29:33 -0800 (PST) +Received: from localhost ([38.121.20.202]) + by smtp.gmail.com with ESMTPSA id + x192sm5658165pfd.96.2019.11.21.21.29.32 + (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); + Thu, 21 Nov 2019 21:29:32 -0800 (PST) +From: huangwenabc@gmail.com +To: linux-wireless@vger.kernel.org +Cc: linux-distros@vs.openwall.org, security@kernel.org, + libertas-dev@lists.infradead.org +Subject: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor +Date: Fri, 22 Nov 2019 13:29:17 +0800 +Message-Id: <20191122052917.11309-1-huangwenabc@gmail.com> +X-Mailer: git-send-email 2.17.1 +Sender: linux-wireless-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-wireless@vger.kernel.org + +From: Wen Huang + +add_ie_rates() copys rates without checking the length +in bss descriptor from remote AP.when victim connects to +remote attacker, this may trigger buffer overflow. +lbs_ibss_join_existing() copys rates without checking the length +in bss descriptor from remote IBSS node.when victim connects to +remote attacker, this may trigger buffer overflow. +Fix them by putting the length check before performing copy. + +This fix addresses CVE-2019-14896 and CVE-2019-14897. + +Signed-off-by: Wen Huang +--- + drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index 57edfada0..290280764 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int *nrates) + int hw, ap, ap_max = ie[1]; + u8 hw_rate; + ++ if (ap_max > MAX_RATES) { ++ lbs_deb_assoc("invalid rates\n"); ++ return tlv; ++ } + /* Advance past IE header */ + ie += 2; + +@@ -1777,6 +1781,10 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, + } else { + int hw, i; + u8 rates_max = rates_eid[1]; ++ if (rates_max > MAX_RATES) { ++ lbs_deb_join("invalid rates"); ++ goto out; ++ } + u8 *rates = cmd.bss.rates; + for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { + u8 hw_rate = lbs_rates[hw].bitrate / 5; diff --git a/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch b/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch new file mode 100644 index 000000000..bfd39e5a9 --- /dev/null +++ b/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch @@ -0,0 +1,226 @@ +From patchwork Fri Nov 22 09:43:49 2019 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: qize wang +X-Patchwork-Id: 11257535 +X-Patchwork-Delegate: kvalo@adurom.com +Return-Path: +Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org + [172.30.200.123]) + by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 311581390 + for ; + Fri, 22 Nov 2019 09:44:01 +0000 (UTC) +Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) + by mail.kernel.org (Postfix) with ESMTP id 09A6920708 + for ; + Fri, 22 Nov 2019 09:44:01 +0000 (UTC) +Authentication-Results: mail.kernel.org; + dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com + header.b="gFC1GPvm" +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1726802AbfKVJoA (ORCPT + ); + Fri, 22 Nov 2019 04:44:00 -0500 +Received: from mail-pj1-f65.google.com ([209.85.216.65]:35154 "EHLO + mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1726500AbfKVJoA (ORCPT + ); + Fri, 22 Nov 2019 04:44:00 -0500 +Received: by mail-pj1-f65.google.com with SMTP id s8so2836990pji.2 + for ; + Fri, 22 Nov 2019 01:43:57 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20161025; + h=from:content-transfer-encoding:mime-version:subject:message-id:date + :cc:to; + bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=; + b=gFC1GPvmciglvQH3QRWVdrtGLMliah1xCIA8nZta7Mis7sATxTwTG/XMZ/G4Zb8efA + bvc58q+E3uHBiZOOCVFqZrDhJzM1SJVkOtFKPIquJLhmKms1Rd7FLwLFKwbq9DKE28C4 + crZUPOja7RMESC2jajleQdZ9YO/o/LEA+6QmEKIQFZ11R7j/qT/bNTdf08hDTINa7VVq + r20OL/q5iTBYBqodQaQVOPHH7f8iRs46gS/23GSX8E8Lo920r4wtTUPXXBidt0bay7ID + L2CF8vLLDGRe4Dohd71wCJgl54yVxF1Fi9qAvQluyVTulAtDVNw8Ol9hFdLa9R7j2M2z + 9wWw== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:from:content-transfer-encoding:mime-version + :subject:message-id:date:cc:to; + bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=; + b=lGAdjvr9L1WcGIvtpY5RO07jVV2t+CQ7rGsSqHcqyoDarWzcfl+FowtU0U+OV0Uf0k + Dxs4mJ+rml43X7SrPljpiHzQB1mRWWnTcIKwO9YFH1DbuMxYpTV/AdDtkyLGwQEPCTu2 + U/RIv2CvLNWTGQYXAqUH4wZJ0MAo0w2fWX8QeMCWarAPRgOsyeT9LEZQT6ypWzy9bAKs + ri4P+HqxmhlvDFb3ij0pl0x7hhOOhDCSdzZEfy8MGL/wmxdbOLM5AV8DevGNLEZHZrJ9 + AHHgRlkUPn5esIeIhTiYu3hox+z4GLrcRZccqcL3O9QM9rKX6SyNF9MjoEIgD5WK7ycl + Tlvg== +X-Gm-Message-State: APjAAAVLU8HZian8Pqy8r1Iwnjga8cqc70tKNQWQHXIQ/WEWDgKWDzip + dkM+yuOUv3M4BD3u8wHsttGE4Sk9BqOSqA== +X-Google-Smtp-Source: + APXvYqxWR1wx4sFD+yyfHofiemrR7B+b6xLDxQu9tS4dKDTYtMBUggkRWVG0Y4CUsP1DbHGVYW2rGg== +X-Received: by 2002:a17:90a:c004:: with SMTP id + p4mr17937350pjt.104.1574415837353; + Fri, 22 Nov 2019 01:43:57 -0800 (PST) +Received: from [127.0.0.1] (187.220.92.34.bc.googleusercontent.com. + [34.92.220.187]) + by smtp.gmail.com with ESMTPSA id + 71sm6800121pfx.107.2019.11.22.01.43.52 + (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Fri, 22 Nov 2019 01:43:56 -0800 (PST) +From: qize wang +Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\)) +Subject: [PATCH] mwifiex: Fix heap overflow in + mmwifiex_process_tdls_action_frame() +Message-Id: +Date: Fri, 22 Nov 2019 17:43:49 +0800 +Cc: amitkarwar , nishants , + gbhat , huxinming820 , + kvalo , Greg KH , + security , + linux-distros , + "dan.carpenter" , + Solar Designer +To: linux-wireless@vger.kernel.org +X-Mailer: Apple Mail (2.3445.6.18) +Sender: linux-wireless-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-wireless@vger.kernel.org + +mwifiex_process_tdls_action_frame() without checking +the incoming tdls infomation element's vality before use it, +this may cause multi heap buffer overflows. + +Fix them by putting vality check before use it. + +Signed-off-by: qize wang +--- +drivers/net/wireless/marvell/mwifiex/tdls.c | 70 ++++++++++++++++++++++++++--- +1 file changed, 64 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c +index 18e654d..7f60214 100644 +--- a/drivers/net/wireless/marvell/mwifiex/tdls.c ++++ b/drivers/net/wireless/marvell/mwifiex/tdls.c +@@ -954,59 +954,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, + + switch (*pos) { + case WLAN_EID_SUPP_RATES: ++ if (pos[1] > 32) ++ return; + sta_ptr->tdls_cap.rates_len = pos[1]; + for (i = 0; i < pos[1]; i++) + sta_ptr->tdls_cap.rates[i] = pos[i + 2]; + break; + + case WLAN_EID_EXT_SUPP_RATES: ++ if (pos[1] > 32) ++ return; + basic = sta_ptr->tdls_cap.rates_len; ++ if (pos[1] > 32 - basic) ++ return; + for (i = 0; i < pos[1]; i++) + sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2]; + sta_ptr->tdls_cap.rates_len += pos[1]; + break; + case WLAN_EID_HT_CAPABILITY: +- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos, ++ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2) ++ return; ++ if (pos[1] != sizeof(struct ieee80211_ht_cap)) ++ return; ++ /* copy the ie's value into ht_capb*/ ++ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2, + sizeof(struct ieee80211_ht_cap)); + sta_ptr->is_11n_enabled = 1; + break; + case WLAN_EID_HT_OPERATION: +- memcpy(&sta_ptr->tdls_cap.ht_oper, pos, ++ if (pos > end - ++ sizeof(struct ieee80211_ht_operation) - 2) ++ return; ++ if (pos[1] != sizeof(struct ieee80211_ht_operation)) ++ return; ++ /* copy the ie's value into ht_oper*/ ++ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2, + sizeof(struct ieee80211_ht_operation)); + break; + case WLAN_EID_BSS_COEX_2040: ++ if (pos > end - 3) ++ return; ++ if (pos[1] != 1) ++ return; + sta_ptr->tdls_cap.coex_2040 = pos[2]; + break; + case WLAN_EID_EXT_CAPABILITY: ++ if (pos > end - sizeof(struct ieee_types_header)) ++ return; ++ if (pos[1] < sizeof(struct ieee_types_header)) ++ return; ++ if (pos[1] > 8) ++ return; + memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos, + sizeof(struct ieee_types_header) + + min_t(u8, pos[1], 8)); + break; + case WLAN_EID_RSN: ++ if (pos > end - sizeof(struct ieee_types_header)) ++ return; ++ if (pos[1] < sizeof(struct ieee_types_header)) ++ return; ++ if (pos[1] > IEEE_MAX_IE_SIZE - ++ sizeof(struct ieee_types_header)) ++ return; + memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos, + sizeof(struct ieee_types_header) + + min_t(u8, pos[1], IEEE_MAX_IE_SIZE - + sizeof(struct ieee_types_header))); + break; + case WLAN_EID_QOS_CAPA: ++ if (pos > end - 3) ++ return; ++ if (pos[1] != 1) ++ return; + sta_ptr->tdls_cap.qos_info = pos[2]; + break; + case WLAN_EID_VHT_OPERATION: +- if (priv->adapter->is_hw_11ac_capable) +- memcpy(&sta_ptr->tdls_cap.vhtoper, pos, ++ if (priv->adapter->is_hw_11ac_capable) { ++ if (pos > end - ++ sizeof(struct ieee80211_vht_operation) - 2) ++ return; ++ if (pos[1] != ++ sizeof(struct ieee80211_vht_operation)) ++ return; ++ /* copy the ie's value into vhtoper*/ ++ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2, + sizeof(struct ieee80211_vht_operation)); ++ } + break; + case WLAN_EID_VHT_CAPABILITY: + if (priv->adapter->is_hw_11ac_capable) { +- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos, ++ if (pos > end - ++ sizeof(struct ieee80211_vht_cap) - 2) ++ return; ++ if (pos[1] != sizeof(struct ieee80211_vht_cap)) ++ return; ++ /* copy the ie's value into vhtcap*/ ++ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2, + sizeof(struct ieee80211_vht_cap)); + sta_ptr->is_11ac_enabled = 1; + } + break; + case WLAN_EID_AID: +- if (priv->adapter->is_hw_11ac_capable) ++ if (priv->adapter->is_hw_11ac_capable) { ++ if (pos > end - 4) ++ return; ++ if (pos[1] != 2) ++ return; + sta_ptr->tdls_cap.aid = + get_unaligned_le16((pos + 2)); ++ } ++ break; + default: + break; + } diff --git a/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch b/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch new file mode 100644 index 000000000..c006a9b2c --- /dev/null +++ b/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch @@ -0,0 +1,129 @@ +From patchwork Thu Nov 21 16:04:38 2019 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: Ganapathi Bhat +X-Patchwork-Id: 11256477 +X-Patchwork-Delegate: kvalo@adurom.com +Return-Path: +Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org + [172.30.200.123]) + by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AAABF138C + for ; + Thu, 21 Nov 2019 16:04:48 +0000 (UTC) +Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) + by mail.kernel.org (Postfix) with ESMTP id 8950220637 + for ; + Thu, 21 Nov 2019 16:04:48 +0000 (UTC) +Authentication-Results: mail.kernel.org; + dkim=pass (2048-bit key) header.d=marvell.com header.i=@marvell.com + header.b="nkGygBtm" +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1727141AbfKUQEs (ORCPT + ); + Thu, 21 Nov 2019 11:04:48 -0500 +Received: from mx0b-0016f401.pphosted.com ([67.231.156.173]:6582 "EHLO + mx0b-0016f401.pphosted.com" rhost-flags-OK-OK-OK-OK) + by vger.kernel.org with ESMTP id S1726980AbfKUQEr (ORCPT + ); + Thu, 21 Nov 2019 11:04:47 -0500 +Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) + by mx0b-0016f401.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id + xALFu718003199; + Thu, 21 Nov 2019 08:04:44 -0800 +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; + h=from : to : cc : + subject : date : message-id : mime-version : content-type; s=pfpt0818; + bh=o/oIGGHPmwt5MFTKPl2GcISKabBWhPBOdPXPhlV+8H8=; + b=nkGygBtmdc1LxIp0VzpsKssm8mQFI+syng1Rek/N5Fx3Vz4o2KAlRceJkhXNdV7WpjTG + XDtRj/LiYd+OAIqSLM6J2VNtOKOhaNSDydtTUnIi4imHPzYoAdESDQW5aFV8JKZqOfYx + 0oQTjw6AhdjJCsngL+bImzmnJoZsc2gUu3BAic/kW+6Uj0JCgQwoUFBH9rNaO+Q33BY+ + dZy9MdKD905LxSBE7A5xWx5GEgrqRcvfxSOu2K78FQhsJ20suhvWSobxpYE0LIrajl6s + oQGuDbTsdOO/8v7D9Xn7zObUH6qZ08AMxDZNaBLqiKpjFY/RA7LbR2eulwEnhjCLDQfK uA== +Received: from sc-exch03.marvell.com ([199.233.58.183]) + by mx0b-0016f401.pphosted.com with ESMTP id 2wd090yntp-1 + (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); + Thu, 21 Nov 2019 08:04:44 -0800 +Received: from SC-EXCH01.marvell.com (10.93.176.81) by SC-EXCH03.marvell.com + (10.93.176.83) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 21 Nov + 2019 08:04:43 -0800 +Received: from maili.marvell.com (10.93.176.43) by SC-EXCH01.marvell.com + (10.93.176.81) with Microsoft SMTP Server id 15.0.1367.3 via Frontend + Transport; Thu, 21 Nov 2019 08:04:43 -0800 +Received: from testmailhost.marvell.com (testmailhost.marvell.com + [10.31.130.105]) + by maili.marvell.com (Postfix) with ESMTP id 898743F703F; + Thu, 21 Nov 2019 08:04:40 -0800 (PST) +From: Ganapathi Bhat +To: +CC: Cathy Luo , Zhiyuan Yang , + James Cao , + Rakesh Parmar , + Brian Norris , + Mohammad Tausif Siddiqui , + huangwen , + Ganapathi Bhat +Subject: [PATCH] mwifiex: fix possible heap overflow in + mwifiex_process_country_ie() +Date: Thu, 21 Nov 2019 21:34:38 +0530 +Message-ID: <1574352278-7592-1-git-send-email-gbhat@marvell.com> +X-Mailer: git-send-email 1.9.1 +MIME-Version: 1.0 +X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572 + definitions=2019-11-21_03:2019-11-21,2019-11-21 signatures=0 +Sender: linux-wireless-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-wireless@vger.kernel.org + +mwifiex_process_country_ie() function parse elements of bss +descriptor in beacon packet. When processing WLAN_EID_COUNTRY +element, there is no upper limit check for country_ie_len before +calling memcpy. The destination buffer domain_info->triplet is an +array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote +attacker can build a fake AP with the same ssid as real AP, and +send malicous beacon packet with long WLAN_EID_COUNTRY elemen +(country_ie_len > 83). Attacker can force STA connect to fake AP +on a different channel. When the victim STA connects to fake AP, +will trigger the heap buffer overflow. Fix this by checking for +length and if found invalid, don not connect to the AP. + +This fix addresses CVE-2019-14895. + +Reported-by: huangwen +Signed-off-by: Ganapathi Bhat +--- + drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c +index 74e5056..6dd835f 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c +@@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv, + "11D: skip setting domain info in FW\n"); + return 0; + } ++ ++ if (country_ie_len > ++ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) { ++ mwifiex_dbg(priv->adapter, ERROR, ++ "11D: country_ie_len overflow!, deauth AP\n"); ++ return -EINVAL; ++ } ++ + memcpy(priv->adapter->country_code, &country_ie[2], 2); + + domain_info->country_code[0] = country_ie[2]; +@@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss, + priv->scan_block = false; + + if (bss) { +- if (adapter->region_code == 0x00) +- mwifiex_process_country_ie(priv, bss); ++ if (adapter->region_code == 0x00 && ++ mwifiex_process_country_ie(priv, bss)) ++ return -EINVAL; + + /* Allocate and fill new bss descriptor */ + bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),