CVE-2013-4579: ath9k_htc improper MAC update (rhbz 1032753 1033072)

ath9k_htc-properly-set-MAC-address-and-BSSID-mask.patch

@@ -0,0 +1,103 @@
+Bugzilla: 1032753
+Upstream-status: 3.13
+
+From 657eb17d87852c42b55c4b06d5425baa08b2ddb3 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <vanhoefm@gmail.com>
+Date: Thu, 28 Nov 2013 12:21:45 +0100
+Subject: [PATCH] ath9k_htc: properly set MAC address and BSSID mask
+
+Pick the MAC address of the first virtual interface as the new hardware MAC
+address. Set BSSID mask according to this MAC address. This fixes CVE-2013-4579.
+
+Signed-off-by: Mathy Vanhoef <vanhoefm@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_main.c | 25 +++++++++++++++++--------
+ drivers/net/wireless/ath/ath9k/main.c         |  5 +++--
+ 2 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+index 9a2657f..608d739 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+@@ -127,21 +127,26 @@ static void ath9k_htc_bssid_iter(void *data, u8 *mac, struct ieee80211_vif *vif)
+ 	struct ath9k_vif_iter_data *iter_data = data;
+ 	int i;
+ 
+-	for (i = 0; i < ETH_ALEN; i++)
+-		iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
++	if (iter_data->hw_macaddr != NULL) {
++		for (i = 0; i < ETH_ALEN; i++)
++			iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
++	} else {
++		iter_data->hw_macaddr = mac;
++	}
+ }
+ 
+-static void ath9k_htc_set_bssid_mask(struct ath9k_htc_priv *priv,
++static void ath9k_htc_set_mac_bssid_mask(struct ath9k_htc_priv *priv,
+ 				     struct ieee80211_vif *vif)
+ {
+ 	struct ath_common *common = ath9k_hw_common(priv->ah);
+ 	struct ath9k_vif_iter_data iter_data;
+ 
+ 	/*
+-	 * Use the hardware MAC address as reference, the hardware uses it
+-	 * together with the BSSID mask when matching addresses.
++	 * Pick the MAC address of the first interface as the new hardware
++	 * MAC address. The hardware will use it together with the BSSID mask
++	 * when matching addresses.
+ 	 */
+-	iter_data.hw_macaddr = common->macaddr;
++	iter_data.hw_macaddr = NULL;
+ 	memset(&iter_data.mask, 0xff, ETH_ALEN);
+ 
+ 	if (vif)
+@@ -153,6 +158,10 @@ static void ath9k_htc_set_bssid_mask(struct ath9k_htc_priv *priv,
+ 		ath9k_htc_bssid_iter, &iter_data);
+ 
+ 	memcpy(common->bssidmask, iter_data.mask, ETH_ALEN);
++
++	if (iter_data.hw_macaddr)
++		memcpy(common->macaddr, iter_data.hw_macaddr, ETH_ALEN);
++
+ 	ath_hw_setbssidmask(common);
+ }
+ 
+@@ -1063,7 +1072,7 @@ static int ath9k_htc_add_interface(struct ieee80211_hw *hw,
+ 		goto out;
+ 	}
+ 
+-	ath9k_htc_set_bssid_mask(priv, vif);
++	ath9k_htc_set_mac_bssid_mask(priv, vif);
+ 
+ 	priv->vif_slot |= (1 << avp->index);
+ 	priv->nvifs++;
+@@ -1128,7 +1137,7 @@ static void ath9k_htc_remove_interface(struct ieee80211_hw *hw,
+ 
+ 	ath9k_htc_set_opmode(priv);
+ 
+-	ath9k_htc_set_bssid_mask(priv, vif);
++	ath9k_htc_set_mac_bssid_mask(priv, vif);
+ 
+ 	/*
+ 	 * Stop ANI only if there are no associated station interfaces.
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index 74f452c..21aa09e 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -965,8 +965,9 @@ void ath9k_calculate_iter_data(struct ieee80211_hw *hw,
+ 	struct ath_common *common = ath9k_hw_common(ah);
+ 
+ 	/*
+-	 * Use the hardware MAC address as reference, the hardware uses it
+-	 * together with the BSSID mask when matching addresses.
++	 * Pick the MAC address of the first interface as the new hardware
++	 * MAC address. The hardware will use it together with the BSSID mask
++	 * when matching addresses.
+ 	 */
+ 	memset(iter_data, 0, sizeof(*iter_data));
+ 	memset(&iter_data->mask, 0xff, ETH_ALEN);
+-- 
+1.8.4.2
+

kernel.spec

@@ -751,6 +751,9 @@ Patch25176: br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
 #rhbz 1024002
 Patch25177: libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch
 
+#CVE-2013-4579 rhbz 1032753 1033072
+Patch25178: ath9k_htc-properly-set-MAC-address-and-BSSID-mask.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1457,6 +1460,9 @@ ApplyPatch br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
 #rhbz 1024002
 ApplyPatch libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch
 
+#CVE-2013-4579 rhbz 1032753 1033072
+ApplyPatch ath9k_htc-properly-set-MAC-address-and-BSSID-mask.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2259,6 +2265,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Mon Jan 06 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2013-4579: ath9k_htc improper MAC update (rhbz 1032753 1033072)
+
 * Sat Dec 28 2013 Peter Robinson <pbrobinson@fedoraproject.org>
 - Update am33xx (BeagleBone) cpsw patch to upstream version