diff options
| author | Justin M. Forbes <jforbes@fedoraproject.org> | 2019-04-18 11:06:47 -0500 |
|---|---|---|
| committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2019-04-18 11:06:47 -0500 |
| commit | 779c0a5a92e8e62fc33407df5c3b43413e4852e8 (patch) | |
| tree | df0b5b4509f668089f5ed939350430ff88fac530 | |
| parent | 343771e0340ceb48b08f45722d8e4bccc35b8e0b (diff) | |
| download | kernel-779c0a5a92e8e62fc33407df5c3b43413e4852e8.tar.gz kernel-779c0a5a92e8e62fc33407df5c3b43413e4852e8.tar.xz kernel-779c0a5a92e8e62fc33407df5c3b43413e4852e8.zip | |
Fix CVE-2019-9500 (rhbz 1701224 1701226)
| -rw-r--r-- | 0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch | 33 | ||||
| -rw-r--r-- | kernel.spec | 6 |
2 files changed, 39 insertions, 0 deletions
diff --git a/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch b/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch new file mode 100644 index 000000000..23d43d725 --- /dev/null +++ b/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch @@ -0,0 +1,33 @@ +From 1b5e2423164b3670e8bc9174e4762d297990deff Mon Sep 17 00:00:00 2001 +From: Arend van Spriel <arend.vanspriel@broadcom.com> +Date: Thu, 14 Feb 2019 13:43:47 +0100 +Subject: [PATCH] brcmfmac: assure SSID length from firmware is limited + +The SSID length as received from firmware should not exceed +IEEE80211_MAX_SSID_LEN as that would result in heap overflow. + +Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> +Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> +Reviewed-by: Franky Lin <franky.lin@broadcom.com> +Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index b5e291ed9496..012275fc3bf7 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -3507,6 +3507,8 @@ brcmf_wowl_nd_results(struct brcmf_if *ifp, const struct brcmf_event_msg *e, + } + + netinfo = brcmf_get_netinfo_array(pfn_result); ++ if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN) ++ netinfo->SSID_len = IEEE80211_MAX_SSID_LEN; + memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len); + cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len; + cfg->wowl.nd->n_channels = 1; +-- +2.20.1 + diff --git a/kernel.spec b/kernel.spec index ac2ce70d7..a740b32af 100644 --- a/kernel.spec +++ b/kernel.spec @@ -625,6 +625,9 @@ Patch516: 0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch # CVE-2019-3882 rhbz 1689426 1695571 Patch517: vfio-type1-limit-dma-mappings-per-container.patch +# CVE-2019-9500 rhbz 1701224 1701226 +Patch518: 0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch + # END OF PATCH DEFINITIONS %endif @@ -1912,6 +1915,9 @@ fi # # %changelog +* Thu Apr 18 2019 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2019-9500 (rhbz 1701224 1701226) + * Wed Apr 17 2019 Laura Abbott <labbott@redhat.com> - 5.0.8-100 - Linux v5.0.8 |