summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--kernel.spec16
-rw-r--r--mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch226
-rw-r--r--netfilter_ppc_fix.patch69
-rw-r--r--sources3
4 files changed, 6 insertions, 308 deletions
diff --git a/kernel.spec b/kernel.spec
index 76730ed85..e676bb327 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -102,9 +102,9 @@ Summary: The Linux kernel
# The next upstream release sublevel (base_sublevel+1)
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
# The rc snapshot level
-%global rcrev 2
+%global rcrev 3
# The git snapshot level
-%define gitrev 3
+%define gitrev 0
# Set rpm version accordingly
%define rpmversion 5.%{upstream_sublevel}.0
%endif
@@ -850,19 +850,10 @@ Patch504: 0001-mm-kmemleak-skip-late_init-if-not-skip-disable.patch
# https://lkml.org/lkml/2019/8/29/1772
Patch505: ARM-fix-__get_user_check-in-case-uaccess_-calls-are-not-inlined.patch
-# CVE-2019-14895 rhbz 1774870 1776139
-Patch525: mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
-
# CVE-2019-14896 rhbz 1774875 1776143
# CVE-2019-14897 rhbz 1774879 1776146
Patch526: libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
-# CVE-2019-14901 rhbz 1773519 1776184
-Patch527: mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
-
-# Test fix for PPC build
-Patch528: netfilter_ppc_fix.patch
-
# END OF PATCH DEFINITIONS
%endif
@@ -2898,6 +2889,9 @@ fi
#
#
%changelog
+* Mon Dec 23 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.5.0-0.rc3.git0.1
+- Linux v5.5-rc3
+
* Mon Dec 23 2019 Justin M. Forbes <jforbes@fedoraproject.org>
- Disable debugging options.
diff --git a/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch b/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
deleted file mode 100644
index bfd39e5a9..000000000
--- a/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
+++ /dev/null
@@ -1,226 +0,0 @@
-From patchwork Fri Nov 22 09:43:49 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: qize wang <wangqize888888888@gmail.com>
-X-Patchwork-Id: 11257535
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path: <SRS0=Y0IC=ZO=vger.kernel.org=linux-wireless-owner@kernel.org>
-Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
- [172.30.200.123])
- by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 311581390
- for <patchwork-linux-wireless@patchwork.kernel.org>;
- Fri, 22 Nov 2019 09:44:01 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
- by mail.kernel.org (Postfix) with ESMTP id 09A6920708
- for <patchwork-linux-wireless@patchwork.kernel.org>;
- Fri, 22 Nov 2019 09:44:01 +0000 (UTC)
-Authentication-Results: mail.kernel.org;
- dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
- header.b="gFC1GPvm"
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S1726802AbfKVJoA (ORCPT
- <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
- Fri, 22 Nov 2019 04:44:00 -0500
-Received: from mail-pj1-f65.google.com ([209.85.216.65]:35154 "EHLO
- mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
- with ESMTP id S1726500AbfKVJoA (ORCPT
- <rfc822;linux-wireless@vger.kernel.org>);
- Fri, 22 Nov 2019 04:44:00 -0500
-Received: by mail-pj1-f65.google.com with SMTP id s8so2836990pji.2
- for <linux-wireless@vger.kernel.org>;
- Fri, 22 Nov 2019 01:43:57 -0800 (PST)
-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
- d=gmail.com; s=20161025;
- h=from:content-transfer-encoding:mime-version:subject:message-id:date
- :cc:to;
- bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=;
- b=gFC1GPvmciglvQH3QRWVdrtGLMliah1xCIA8nZta7Mis7sATxTwTG/XMZ/G4Zb8efA
- bvc58q+E3uHBiZOOCVFqZrDhJzM1SJVkOtFKPIquJLhmKms1Rd7FLwLFKwbq9DKE28C4
- crZUPOja7RMESC2jajleQdZ9YO/o/LEA+6QmEKIQFZ11R7j/qT/bNTdf08hDTINa7VVq
- r20OL/q5iTBYBqodQaQVOPHH7f8iRs46gS/23GSX8E8Lo920r4wtTUPXXBidt0bay7ID
- L2CF8vLLDGRe4Dohd71wCJgl54yVxF1Fi9qAvQluyVTulAtDVNw8Ol9hFdLa9R7j2M2z
- 9wWw==
-X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
- d=1e100.net; s=20161025;
- h=x-gm-message-state:from:content-transfer-encoding:mime-version
- :subject:message-id:date:cc:to;
- bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=;
- b=lGAdjvr9L1WcGIvtpY5RO07jVV2t+CQ7rGsSqHcqyoDarWzcfl+FowtU0U+OV0Uf0k
- Dxs4mJ+rml43X7SrPljpiHzQB1mRWWnTcIKwO9YFH1DbuMxYpTV/AdDtkyLGwQEPCTu2
- U/RIv2CvLNWTGQYXAqUH4wZJ0MAo0w2fWX8QeMCWarAPRgOsyeT9LEZQT6ypWzy9bAKs
- ri4P+HqxmhlvDFb3ij0pl0x7hhOOhDCSdzZEfy8MGL/wmxdbOLM5AV8DevGNLEZHZrJ9
- AHHgRlkUPn5esIeIhTiYu3hox+z4GLrcRZccqcL3O9QM9rKX6SyNF9MjoEIgD5WK7ycl
- Tlvg==
-X-Gm-Message-State: APjAAAVLU8HZian8Pqy8r1Iwnjga8cqc70tKNQWQHXIQ/WEWDgKWDzip
- dkM+yuOUv3M4BD3u8wHsttGE4Sk9BqOSqA==
-X-Google-Smtp-Source:
- APXvYqxWR1wx4sFD+yyfHofiemrR7B+b6xLDxQu9tS4dKDTYtMBUggkRWVG0Y4CUsP1DbHGVYW2rGg==
-X-Received: by 2002:a17:90a:c004:: with SMTP id
- p4mr17937350pjt.104.1574415837353;
- Fri, 22 Nov 2019 01:43:57 -0800 (PST)
-Received: from [127.0.0.1] (187.220.92.34.bc.googleusercontent.com.
- [34.92.220.187])
- by smtp.gmail.com with ESMTPSA id
- 71sm6800121pfx.107.2019.11.22.01.43.52
- (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
- Fri, 22 Nov 2019 01:43:56 -0800 (PST)
-From: qize wang <wangqize888888888@gmail.com>
-Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
-Subject: [PATCH] mwifiex: Fix heap overflow in
- mmwifiex_process_tdls_action_frame()
-Message-Id: <E40E893E-D9B4-4C63-8139-1DD5E1C2CECB@gmail.com>
-Date: Fri, 22 Nov 2019 17:43:49 +0800
-Cc: amitkarwar <amitkarwar@gmail.com>, nishants <nishants@marvell.com>,
- gbhat <gbhat@marvell.com>, huxinming820 <huxinming820@gmail.com>,
- kvalo <kvalo@codeaurora.org>, Greg KH <greg@kroah.com>,
- security <security@kernel.org>,
- linux-distros <linux-distros@vs.openwall.org>,
- "dan.carpenter" <dan.carpenter@oracle.com>,
- Solar Designer <solar@openwall.com>
-To: linux-wireless@vger.kernel.org
-X-Mailer: Apple Mail (2.3445.6.18)
-Sender: linux-wireless-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-wireless.vger.kernel.org>
-X-Mailing-List: linux-wireless@vger.kernel.org
-
-mwifiex_process_tdls_action_frame() without checking
-the incoming tdls infomation element's vality before use it,
-this may cause multi heap buffer overflows.
-
-Fix them by putting vality check before use it.
-
-Signed-off-by: qize wang <wangqize888888888@gmail.com>
----
-drivers/net/wireless/marvell/mwifiex/tdls.c | 70 ++++++++++++++++++++++++++---
-1 file changed, 64 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
-index 18e654d..7f60214 100644
---- a/drivers/net/wireless/marvell/mwifiex/tdls.c
-+++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
-@@ -954,59 +954,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
-
- switch (*pos) {
- case WLAN_EID_SUPP_RATES:
-+ if (pos[1] > 32)
-+ return;
- sta_ptr->tdls_cap.rates_len = pos[1];
- for (i = 0; i < pos[1]; i++)
- sta_ptr->tdls_cap.rates[i] = pos[i + 2];
- break;
-
- case WLAN_EID_EXT_SUPP_RATES:
-+ if (pos[1] > 32)
-+ return;
- basic = sta_ptr->tdls_cap.rates_len;
-+ if (pos[1] > 32 - basic)
-+ return;
- for (i = 0; i < pos[1]; i++)
- sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
- sta_ptr->tdls_cap.rates_len += pos[1];
- break;
- case WLAN_EID_HT_CAPABILITY:
-- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
-+ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
-+ return;
-+ if (pos[1] != sizeof(struct ieee80211_ht_cap))
-+ return;
-+ /* copy the ie's value into ht_capb*/
-+ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
- sizeof(struct ieee80211_ht_cap));
- sta_ptr->is_11n_enabled = 1;
- break;
- case WLAN_EID_HT_OPERATION:
-- memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
-+ if (pos > end -
-+ sizeof(struct ieee80211_ht_operation) - 2)
-+ return;
-+ if (pos[1] != sizeof(struct ieee80211_ht_operation))
-+ return;
-+ /* copy the ie's value into ht_oper*/
-+ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
- sizeof(struct ieee80211_ht_operation));
- break;
- case WLAN_EID_BSS_COEX_2040:
-+ if (pos > end - 3)
-+ return;
-+ if (pos[1] != 1)
-+ return;
- sta_ptr->tdls_cap.coex_2040 = pos[2];
- break;
- case WLAN_EID_EXT_CAPABILITY:
-+ if (pos > end - sizeof(struct ieee_types_header))
-+ return;
-+ if (pos[1] < sizeof(struct ieee_types_header))
-+ return;
-+ if (pos[1] > 8)
-+ return;
- memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
- sizeof(struct ieee_types_header) +
- min_t(u8, pos[1], 8));
- break;
- case WLAN_EID_RSN:
-+ if (pos > end - sizeof(struct ieee_types_header))
-+ return;
-+ if (pos[1] < sizeof(struct ieee_types_header))
-+ return;
-+ if (pos[1] > IEEE_MAX_IE_SIZE -
-+ sizeof(struct ieee_types_header))
-+ return;
- memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
- sizeof(struct ieee_types_header) +
- min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
- sizeof(struct ieee_types_header)));
- break;
- case WLAN_EID_QOS_CAPA:
-+ if (pos > end - 3)
-+ return;
-+ if (pos[1] != 1)
-+ return;
- sta_ptr->tdls_cap.qos_info = pos[2];
- break;
- case WLAN_EID_VHT_OPERATION:
-- if (priv->adapter->is_hw_11ac_capable)
-- memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
-+ if (priv->adapter->is_hw_11ac_capable) {
-+ if (pos > end -
-+ sizeof(struct ieee80211_vht_operation) - 2)
-+ return;
-+ if (pos[1] !=
-+ sizeof(struct ieee80211_vht_operation))
-+ return;
-+ /* copy the ie's value into vhtoper*/
-+ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
- sizeof(struct ieee80211_vht_operation));
-+ }
- break;
- case WLAN_EID_VHT_CAPABILITY:
- if (priv->adapter->is_hw_11ac_capable) {
-- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
-+ if (pos > end -
-+ sizeof(struct ieee80211_vht_cap) - 2)
-+ return;
-+ if (pos[1] != sizeof(struct ieee80211_vht_cap))
-+ return;
-+ /* copy the ie's value into vhtcap*/
-+ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
- sizeof(struct ieee80211_vht_cap));
- sta_ptr->is_11ac_enabled = 1;
- }
- break;
- case WLAN_EID_AID:
-- if (priv->adapter->is_hw_11ac_capable)
-+ if (priv->adapter->is_hw_11ac_capable) {
-+ if (pos > end - 4)
-+ return;
-+ if (pos[1] != 2)
-+ return;
- sta_ptr->tdls_cap.aid =
- get_unaligned_le16((pos + 2));
-+ }
-+ break;
- default:
- break;
- }
diff --git a/netfilter_ppc_fix.patch b/netfilter_ppc_fix.patch
deleted file mode 100644
index 421f80d41..000000000
--- a/netfilter_ppc_fix.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From: Pablo Neira Ayuso <pablo () netfilter ! org>
-Date: Sat, 07 Dec 2019 17:38:05 +0000
-To: netfilter-devel
-Subject: Re: [PATCH] netfilter: nf_flow_table_offload: Correct memcpy size for flow_overload_mangle
-
-I'm attaching a tentative patch to address this problem.
-
-Thanks.
-
-diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
-index c54c9a6cc981..3d6b2bea9a63 100644
---- a/net/netfilter/nf_flow_table_offload.c
-+++ b/net/netfilter/nf_flow_table_offload.c
-@@ -326,23 +326,23 @@ static void flow_offload_port_snat(struct net *net,
- struct nf_flow_rule *flow_rule)
- {
- struct flow_action_entry *entry = flow_action_entry_next(flow_rule);
-- u32 mask = ~htonl(0xffff0000);
-- __be16 port;
-+ u32 mask = ~htonl(0xffff0000), port;
- u32 offset;
-
- switch (dir) {
- case FLOW_OFFLOAD_DIR_ORIGINAL:
-- port = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port;
-+ port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port);
- offset = 0; /* offsetof(struct tcphdr, source); */
- break;
- case FLOW_OFFLOAD_DIR_REPLY:
-- port = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port;
-+ port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port);
- offset = 0; /* offsetof(struct tcphdr, dest); */
- break;
- default:
- break;
- }
-
-+ port = htonl(port << 16);
- flow_offload_mangle(entry, flow_offload_l4proto(flow), offset,
- (u8 *)&port, (u8 *)&mask);
- }
-@@ -353,23 +353,23 @@ static void flow_offload_port_dnat(struct net *net,
- struct nf_flow_rule *flow_rule)
- {
- struct flow_action_entry *entry = flow_action_entry_next(flow_rule);
-- u32 mask = ~htonl(0xffff);
-- __be16 port;
-+ u32 mask = ~htonl(0xffff), port;
- u32 offset;
-
- switch (dir) {
- case FLOW_OFFLOAD_DIR_ORIGINAL:
-- port = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port;
-+ port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port);
- offset = 0; /* offsetof(struct tcphdr, source); */
- break;
- case FLOW_OFFLOAD_DIR_REPLY:
-- port = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port;
-+ port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port);
- offset = 0; /* offsetof(struct tcphdr, dest); */
- break;
- default:
- break;
- }
-
-+ port = htonl(port);
- flow_offload_mangle(entry, flow_offload_l4proto(flow), offset,
- (u8 *)&port, (u8 *)&mask);
- }
diff --git a/sources b/sources
index df3570765..a317232a9 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,2 @@
SHA512 (linux-5.4.tar.xz) = 9f60f77e8ab972b9438ac648bed17551c8491d6585a5e85f694b2eaa4c623fbc61eb18419b2656b6795eac5deec0edaa04547fc6723fbda52256bd7f3486898f
-SHA512 (patch-5.5-rc2.xz) = cc16ea1a423626ba6a03140a140a77b16202bedb9f2cb11cf0443c7381c005f65868054a2328744e9c40a361a91df1f9d041235df3bc0706fbcec9e9840e6b9a
-SHA512 (patch-5.5-rc2-git3.xz) = 22a758cf19d8df70bb53420737d11eb0ef23cf982726bfd4108bda042d89cd7da31d95ca062818c680766c4e43db4af6edba989547ca574145a9a289bb8bd6ff
+SHA512 (patch-5.5-rc3.xz) = 9fec378a1e4c0bf420e3cb879bf3ece57d92802b092f2e1320c3d07bb6f7eea2a002f7c774506ef1b32d89160a05bc6aab0a86ba860101004c321ea7fe7a6c31