summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ath10k-fix-memory-leak.patch154
-rw-r--r--kernel.spec22
-rw-r--r--libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch120
-rw-r--r--mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch226
-rw-r--r--mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch129
5 files changed, 650 insertions, 1 deletions
diff --git a/ath10k-fix-memory-leak.patch b/ath10k-fix-memory-leak.patch
new file mode 100644
index 000000000..f7120b81f
--- /dev/null
+++ b/ath10k-fix-memory-leak.patch
@@ -0,0 +1,154 @@
+From patchwork Fri Sep 20 01:36:26 2019
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Navid Emamdoost <navid.emamdoost@gmail.com>
+X-Patchwork-Id: 11153701
+Return-Path:
+ <SRS0=bWbZ=XP=lists.infradead.org=ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@kernel.org>
+Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
+ [172.30.200.123])
+ by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D3F0714DB
+ for <patchwork-ath10k@patchwork.kernel.org>;
+ Fri, 20 Sep 2019 01:36:54 +0000 (UTC)
+Received: from bombadil.infradead.org (bombadil.infradead.org
+ [198.137.202.133])
+ (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
+ (No client certificate requested)
+ by mail.kernel.org (Postfix) with ESMTPS id B1A2E206C2
+ for <patchwork-ath10k@patchwork.kernel.org>;
+ Fri, 20 Sep 2019 01:36:54 +0000 (UTC)
+Authentication-Results: mail.kernel.org;
+ dkim=pass (2048-bit key) header.d=lists.infradead.org
+ header.i=@lists.infradead.org header.b="bhsKgarK";
+ dkim=fail reason="signature verification failed" (2048-bit key)
+ header.d=gmail.com header.i=@gmail.com header.b="nljLTTHa"
+DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B1A2E206C2
+Authentication-Results: mail.kernel.org;
+ dmarc=fail (p=none dis=none) header.from=gmail.com
+Authentication-Results: mail.kernel.org;
+ spf=none
+ smtp.mailfrom=ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org
+DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
+ d=lists.infradead.org; s=bombadil.20170209; h=Sender:
+ Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
+ List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date:
+ Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:
+ Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
+ References:List-Owner; bh=TgqIPzTUSDBMffxK6MmqtQ+I81SfWmrbmWLuWLbhwV8=; b=bhs
+ KgarKUaVoFaf/6TPo+T+LIemPUgT0DioZ9Aa4cXD7m02vV5SrBodW911B9amgDGQ4ipx7UyAgOokS
+ QqumgU8MLbC9VEmDHseDYkrMDJvPAVL/+Ou5bAAoDDa4G14hJi1RWh5lsdIJBMKmjMI9KcW7qFdEj
+ eQ6JBoJXliaYp31BoAPEbyBnG4b8RQxO6wT9wA+/Bs8gR8bBQN9Wjo7zsIKHobQbKfAXTTRwn46dt
+ J7kt19264hkIv2Dr3UQc7W8kYL09TmllYFjEGYTOuGFEOoHlejt6CpbUnh0mdPtDggPPxsQ+e/f/h
+ 0dGNUqgR/L7R5/70DbHnF24DnXzwfQw==;
+Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
+ by bombadil.infradead.org with esmtp (Exim 4.92.2 #3 (Red Hat Linux))
+ id 1iB7qu-0006An-U6; Fri, 20 Sep 2019 01:36:52 +0000
+Received: from mail-io1-xd43.google.com ([2607:f8b0:4864:20::d43])
+ by bombadil.infradead.org with esmtps (Exim 4.92.2 #3 (Red Hat Linux))
+ id 1iB7qr-0006A2-PC
+ for ath10k@lists.infradead.org; Fri, 20 Sep 2019 01:36:51 +0000
+Received: by mail-io1-xd43.google.com with SMTP id q10so12531160iop.2
+ for <ath10k@lists.infradead.org>; Thu, 19 Sep 2019 18:36:47 -0700 (PDT)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
+ h=from:to:cc:subject:date:message-id;
+ bh=2vkYM2Vw9GpvccAiSSIMhifEzfuK8Ld4R3bwXVgh1ps=;
+ b=nljLTTHaQr3RenMHyxOGrtAwE/I0ES0GK9UJLdYkS7iEalzRrwu+/ygif0A/YnEFuE
+ fMLFG5zBRN2I7SpqvTBqaxAYJbA+a5Nnb5ymeV3s6Ef+CcGHE165IRfi+4dxEt/RvV3k
+ 4CjBDTDWGnnBO1wfDcS0WW9TqjJEoxFKWNCL+8oAzUyMten4zs8XPRUPlZVc5dHnkqC9
+ LmLWnaSBjm2g5JG0GJKSrT8KrYP2mv4yGUR0HaWruQWwfQQ8NJc2RyXm1Ml99KZkoU73
+ TG98jQSy2dcHrVqaNRfpAtyj0WEwXdLqMfT1ggk69p1ZfC7ol/7QEQxzgDIU0EFn2r59
+ owvA==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20161025;
+ h=x-gm-message-state:from:to:cc:subject:date:message-id;
+ bh=2vkYM2Vw9GpvccAiSSIMhifEzfuK8Ld4R3bwXVgh1ps=;
+ b=h6uidvjJA/lvtevOi6n+lWV9vjtx5XM1d7kRlAFgObUBjJMIap329Jxa7uA0de8dx/
+ 4ANBCQj9/8psgTYwWqBv0bJH+7IC+ewxZb2m3z1dMYwsFp8coTyMryaBVWb4trh0My3B
+ XT2OseKTL0iAiy35/SDbWV/5FljTuVmto5Jgglq6lB3uPpQVIGu46UY8kNKwuIdNseow
+ y4r+4w82KCHMoANJmlEPlFYb7xnmENPIdx0ZITs6ISjjvTICaf8nyA3OgqPCI5l3/DCb
+ 3plewsEuTwGiFXPqJx2ldY3gIwfH8D7w1MLxadUUL6o2fDRt0ZjFbJuUk/tiX/EM5MOL
+ W3dQ==
+X-Gm-Message-State: APjAAAWIX+IMQ2tM7gV9yX2n6iqisUO1ysXCEYfl/P1BcWwlYgTk8xNq
+ /djn9P594uwGss08Ku8JA9E=
+X-Google-Smtp-Source:
+ APXvYqzLPqJkNUviwDSfcaSYJH+eUFOLc0fBeZpgji797e/U5UAY6XAi9Cq7iKldElsnElvAmFWNCw==
+X-Received: by 2002:a6b:8f15:: with SMTP id r21mr3490587iod.259.1568943406715;
+ Thu, 19 Sep 2019 18:36:46 -0700 (PDT)
+Received: from cs-dulles.cs.umn.edu (cs-dulles.cs.umn.edu. [128.101.35.54])
+ by smtp.googlemail.com with ESMTPSA id x12sm335602ioh.76.2019.09.19.18.36.45
+ (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
+ Thu, 19 Sep 2019 18:36:45 -0700 (PDT)
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+To:
+Subject: [PATCH] ath10k: fix memory leak
+Date: Thu, 19 Sep 2019 20:36:26 -0500
+Message-Id: <20190920013632.30796-1-navid.emamdoost@gmail.com>
+X-Mailer: git-send-email 2.17.1
+X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3
+X-CRM114-CacheID: sfid-20190919_183649_845813_A1A80F7F
+X-CRM114-Status: UNSURE ( 7.25 )
+X-CRM114-Notice: Please train this message.
+X-Spam-Score: -0.2 (/)
+X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary:
+ Content analysis details: (-0.2 points)
+ pts rule name description
+ ---- ----------------------
+ --------------------------------------------------
+ -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/,
+ no trust [2607:f8b0:4864:20:0:0:0:d43 listed in]
+ [list.dnswl.org]
+ 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
+ -0.0 SPF_PASS SPF: sender matches SPF record
+ 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
+ provider (navid.emamdoost[at]gmail.com)
+ -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
+ -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
+ author's domain
+ -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
+ envelope-from domain
+ 0.1 DKIM_SIGNED Message has a DKIM or DK signature,
+ not necessarily
+ valid
+X-BeenThere: ath10k@lists.infradead.org
+X-Mailman-Version: 2.1.29
+Precedence: list
+List-Id: <ath10k.lists.infradead.org>
+List-Unsubscribe: <http://lists.infradead.org/mailman/options/ath10k>,
+ <mailto:ath10k-request@lists.infradead.org?subject=unsubscribe>
+List-Archive: <http://lists.infradead.org/pipermail/ath10k/>
+List-Post: <mailto:ath10k@lists.infradead.org>
+List-Help: <mailto:ath10k-request@lists.infradead.org?subject=help>
+List-Subscribe: <http://lists.infradead.org/mailman/listinfo/ath10k>,
+ <mailto:ath10k-request@lists.infradead.org?subject=subscribe>
+Cc: linux-wireless@vger.kernel.org, kjlu@umn.edu,
+ linux-kernel@vger.kernel.org,
+ ath10k@lists.infradead.org, emamd001@umn.edu, smccaman@umn.edu,
+ netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
+ Kalle Valo <kvalo@codeaurora.org>,
+ Navid Emamdoost <navid.emamdoost@gmail.com>
+MIME-Version: 1.0
+Sender: "ath10k" <ath10k-bounces@lists.infradead.org>
+Errors-To:
+ ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org
+
+In ath10k_usb_hif_tx_sg the allocated urb should be released if
+usb_submit_urb fails.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+---
+ drivers/net/wireless/ath/ath10k/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c
+index e1420f67f776..730ed22e08a0 100644
+--- a/drivers/net/wireless/ath/ath10k/usb.c
++++ b/drivers/net/wireless/ath/ath10k/usb.c
+@@ -435,6 +435,7 @@ static int ath10k_usb_hif_tx_sg(struct ath10k *ar, u8 pipe_id,
+ ath10k_dbg(ar, ATH10K_DBG_USB_BULK,
+ "usb bulk transmit failed: %d\n", ret);
+ usb_unanchor_urb(urb);
++ usb_free_urb(urb);
+ ret = -EINVAL;
+ goto err_free_urb_to_pipe;
+ }
diff --git a/kernel.spec b/kernel.spec
index 3cf5e696c..c40455fa5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -650,6 +650,19 @@ Patch524: media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
# CVE-2019-19077 rhbz 1775724 1775725
Patch525: 0001-RDMA-Fix-goto-target-to-release-the-allocated-memory.patch
+# CVE-2019-14895 rhbz 1774870 1776139
+Patch526: mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
+
+# CVE-2019-14896 rhbz 1774875 1776143
+# CVE-2019-14897 rhbz 1774879 1776146
+Patch527: libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
+
+# CVE-2019-14901 rhbz 1773519 1776184
+Patch528: mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
+
+# CVE-2019-19078 rhbz 1776354 1776353
+Patch529: ath10k-fix-memory-leak.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1887,7 +1900,14 @@ fi
#
#
%changelog
-* Mon Nov 25 2019 Laura Abbott <labbott@redhat.com> - 5.3.13-200
+* Mon Nov 25 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.3.13-200
+- Fix CVE-2019-14895 (rhbz 1774870 1776139)
+- Fix CVE-2019-14896 (rhbz 1774875 1776143)
+- Fix CVE-2019-14897 (rhbz 1774879 1776146)
+- Fix CVE-2019-14901 (rhbz 1773519 1776184)
+- Fix CVE-2019-19078 (rhbz 1776354 1776353)
+
+* Mon Nov 25 2019 Laura Abbott <labbott@redhat.com>
- Linux v5.3.13
* Fri Nov 22 2019 Justin M. Forbes <jforbes@fedoraproject.org>
diff --git a/libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch b/libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
new file mode 100644
index 000000000..e8c4c4b64
--- /dev/null
+++ b/libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
@@ -0,0 +1,120 @@
+From patchwork Fri Nov 22 05:29:17 2019
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: huangwenabc@gmail.com
+X-Patchwork-Id: 11257187
+X-Patchwork-Delegate: kvalo@adurom.com
+Return-Path: <SRS0=Y0IC=ZO=vger.kernel.org=linux-wireless-owner@kernel.org>
+Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
+ [172.30.200.123])
+ by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 032DA112B
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Fri, 22 Nov 2019 05:29:36 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+ by mail.kernel.org (Postfix) with ESMTP id D68A920707
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Fri, 22 Nov 2019 05:29:35 +0000 (UTC)
+Authentication-Results: mail.kernel.org;
+ dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
+ header.b="WaDUta6X"
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1726719AbfKVF3f (ORCPT
+ <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
+ Fri, 22 Nov 2019 00:29:35 -0500
+Received: from mail-pf1-f194.google.com ([209.85.210.194]:43041 "EHLO
+ mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+ with ESMTP id S1726529AbfKVF3e (ORCPT
+ <rfc822;linux-wireless@vger.kernel.org>);
+ Fri, 22 Nov 2019 00:29:34 -0500
+Received: by mail-pf1-f194.google.com with SMTP id 3so2912048pfb.10
+ for <linux-wireless@vger.kernel.org>;
+ Thu, 21 Nov 2019 21:29:34 -0800 (PST)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=gmail.com; s=20161025;
+ h=from:to:cc:subject:date:message-id;
+ bh=9G4UM2vhuEG4TSdFZTVuZ71GTOHLABBI6xxxI/2Oncw=;
+ b=WaDUta6XODn4hzzqR0np+iPcfBChaSE05EpSM8UrALWvgf7x/9f0e8SMvgXTGXaN74
+ Irmx+lKSr5piR/mhpfRO+HVN7bu7ukOSsxCxlNav6kvJn3SG/q0TV9VGoWEKM+8yISrK
+ Bc5MtndhyGLDrWQFgc5fSdMf+/79HC0AWnnavMoEKxnAti/HKBQnIPreGoLnrWIpbhXZ
+ EdU3ei0kxlwAUbNl8/FywUG2qzQeoeh5RranVfooFhbBQ0QfNtx3k3ARWrVdT9uV7QtX
+ pcpYtJsjn94TXL0llHTzpE182eTvmUrzxf89ubigJh+EYnryHC+HUHZoVtjYtbjidWoV
+ I0FQ==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20161025;
+ h=x-gm-message-state:from:to:cc:subject:date:message-id;
+ bh=9G4UM2vhuEG4TSdFZTVuZ71GTOHLABBI6xxxI/2Oncw=;
+ b=gNC3IOfmB1H65frnsn63mdzaxphxG6xvR0SHEIOJSaWI/Jx9VK+CfnGr+7pOQZ/Pyw
+ wORhpVi6EbFsE7mVKbjlJ7O96hk14FnUKSPVOhl9NH4xXBktd7sJc5Z36N3J6RRv9Cfc
+ gQWPy1otHKeNz1riMgHcbkaiKj3CANpJ6gaAE/R8EjWLXjS7Bw/vBgQSr5WnAVV27Ppw
+ Flrks3Qv8BGkRUCymKArD05r646Fx1ew/FI7oGyKQhxxWJPuv5RoVTGPbAC1unU+zjfN
+ 2XNdr1yKKfY4R5S8q49FeHsN5Mb+lmriUPdLPL062UzQ7x/pTzfh3rI9Lf92jMJiJ9/n
+ 9zPw==
+X-Gm-Message-State: APjAAAVgSeSrlZfb2Ch2KXDFaNq6RLCJCvq40zW4toublIDi1zh7feyc
+ srNh0xN+iNrBCzEMbsxDKJS2IOoUYXc=
+X-Google-Smtp-Source:
+ APXvYqwPwHZStvNKOZtUBWgPYiEFiNFqEQLMngqNoFN6jFqDKFjISduUPDUYh2y907mFwD+Qn6zs9w==
+X-Received: by 2002:a63:7456:: with SMTP id
+ e22mr14245471pgn.314.1574400573682;
+ Thu, 21 Nov 2019 21:29:33 -0800 (PST)
+Received: from localhost ([38.121.20.202])
+ by smtp.gmail.com with ESMTPSA id
+ x192sm5658165pfd.96.2019.11.21.21.29.32
+ (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
+ Thu, 21 Nov 2019 21:29:32 -0800 (PST)
+From: huangwenabc@gmail.com
+To: linux-wireless@vger.kernel.org
+Cc: linux-distros@vs.openwall.org, security@kernel.org,
+ libertas-dev@lists.infradead.org
+Subject: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor
+Date: Fri, 22 Nov 2019 13:29:17 +0800
+Message-Id: <20191122052917.11309-1-huangwenabc@gmail.com>
+X-Mailer: git-send-email 2.17.1
+Sender: linux-wireless-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-wireless.vger.kernel.org>
+X-Mailing-List: linux-wireless@vger.kernel.org
+
+From: Wen Huang <huangwenabc@gmail.com>
+
+add_ie_rates() copys rates without checking the length
+in bss descriptor from remote AP.when victim connects to
+remote attacker, this may trigger buffer overflow.
+lbs_ibss_join_existing() copys rates without checking the length
+in bss descriptor from remote IBSS node.when victim connects to
+remote attacker, this may trigger buffer overflow.
+Fix them by putting the length check before performing copy.
+
+This fix addresses CVE-2019-14896 and CVE-2019-14897.
+
+Signed-off-by: Wen Huang <huangwenabc@gmail.com>
+---
+ drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
+index 57edfada0..290280764 100644
+--- a/drivers/net/wireless/marvell/libertas/cfg.c
++++ b/drivers/net/wireless/marvell/libertas/cfg.c
+@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int *nrates)
+ int hw, ap, ap_max = ie[1];
+ u8 hw_rate;
+
++ if (ap_max > MAX_RATES) {
++ lbs_deb_assoc("invalid rates\n");
++ return tlv;
++ }
+ /* Advance past IE header */
+ ie += 2;
+
+@@ -1777,6 +1781,10 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
+ } else {
+ int hw, i;
+ u8 rates_max = rates_eid[1];
++ if (rates_max > MAX_RATES) {
++ lbs_deb_join("invalid rates");
++ goto out;
++ }
+ u8 *rates = cmd.bss.rates;
+ for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
+ u8 hw_rate = lbs_rates[hw].bitrate / 5;
diff --git a/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch b/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
new file mode 100644
index 000000000..bfd39e5a9
--- /dev/null
+++ b/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
@@ -0,0 +1,226 @@
+From patchwork Fri Nov 22 09:43:49 2019
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: qize wang <wangqize888888888@gmail.com>
+X-Patchwork-Id: 11257535
+X-Patchwork-Delegate: kvalo@adurom.com
+Return-Path: <SRS0=Y0IC=ZO=vger.kernel.org=linux-wireless-owner@kernel.org>
+Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
+ [172.30.200.123])
+ by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 311581390
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Fri, 22 Nov 2019 09:44:01 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+ by mail.kernel.org (Postfix) with ESMTP id 09A6920708
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Fri, 22 Nov 2019 09:44:01 +0000 (UTC)
+Authentication-Results: mail.kernel.org;
+ dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
+ header.b="gFC1GPvm"
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1726802AbfKVJoA (ORCPT
+ <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
+ Fri, 22 Nov 2019 04:44:00 -0500
+Received: from mail-pj1-f65.google.com ([209.85.216.65]:35154 "EHLO
+ mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+ with ESMTP id S1726500AbfKVJoA (ORCPT
+ <rfc822;linux-wireless@vger.kernel.org>);
+ Fri, 22 Nov 2019 04:44:00 -0500
+Received: by mail-pj1-f65.google.com with SMTP id s8so2836990pji.2
+ for <linux-wireless@vger.kernel.org>;
+ Fri, 22 Nov 2019 01:43:57 -0800 (PST)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=gmail.com; s=20161025;
+ h=from:content-transfer-encoding:mime-version:subject:message-id:date
+ :cc:to;
+ bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=;
+ b=gFC1GPvmciglvQH3QRWVdrtGLMliah1xCIA8nZta7Mis7sATxTwTG/XMZ/G4Zb8efA
+ bvc58q+E3uHBiZOOCVFqZrDhJzM1SJVkOtFKPIquJLhmKms1Rd7FLwLFKwbq9DKE28C4
+ crZUPOja7RMESC2jajleQdZ9YO/o/LEA+6QmEKIQFZ11R7j/qT/bNTdf08hDTINa7VVq
+ r20OL/q5iTBYBqodQaQVOPHH7f8iRs46gS/23GSX8E8Lo920r4wtTUPXXBidt0bay7ID
+ L2CF8vLLDGRe4Dohd71wCJgl54yVxF1Fi9qAvQluyVTulAtDVNw8Ol9hFdLa9R7j2M2z
+ 9wWw==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20161025;
+ h=x-gm-message-state:from:content-transfer-encoding:mime-version
+ :subject:message-id:date:cc:to;
+ bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=;
+ b=lGAdjvr9L1WcGIvtpY5RO07jVV2t+CQ7rGsSqHcqyoDarWzcfl+FowtU0U+OV0Uf0k
+ Dxs4mJ+rml43X7SrPljpiHzQB1mRWWnTcIKwO9YFH1DbuMxYpTV/AdDtkyLGwQEPCTu2
+ U/RIv2CvLNWTGQYXAqUH4wZJ0MAo0w2fWX8QeMCWarAPRgOsyeT9LEZQT6ypWzy9bAKs
+ ri4P+HqxmhlvDFb3ij0pl0x7hhOOhDCSdzZEfy8MGL/wmxdbOLM5AV8DevGNLEZHZrJ9
+ AHHgRlkUPn5esIeIhTiYu3hox+z4GLrcRZccqcL3O9QM9rKX6SyNF9MjoEIgD5WK7ycl
+ Tlvg==
+X-Gm-Message-State: APjAAAVLU8HZian8Pqy8r1Iwnjga8cqc70tKNQWQHXIQ/WEWDgKWDzip
+ dkM+yuOUv3M4BD3u8wHsttGE4Sk9BqOSqA==
+X-Google-Smtp-Source:
+ APXvYqxWR1wx4sFD+yyfHofiemrR7B+b6xLDxQu9tS4dKDTYtMBUggkRWVG0Y4CUsP1DbHGVYW2rGg==
+X-Received: by 2002:a17:90a:c004:: with SMTP id
+ p4mr17937350pjt.104.1574415837353;
+ Fri, 22 Nov 2019 01:43:57 -0800 (PST)
+Received: from [127.0.0.1] (187.220.92.34.bc.googleusercontent.com.
+ [34.92.220.187])
+ by smtp.gmail.com with ESMTPSA id
+ 71sm6800121pfx.107.2019.11.22.01.43.52
+ (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
+ Fri, 22 Nov 2019 01:43:56 -0800 (PST)
+From: qize wang <wangqize888888888@gmail.com>
+Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
+Subject: [PATCH] mwifiex: Fix heap overflow in
+ mmwifiex_process_tdls_action_frame()
+Message-Id: <E40E893E-D9B4-4C63-8139-1DD5E1C2CECB@gmail.com>
+Date: Fri, 22 Nov 2019 17:43:49 +0800
+Cc: amitkarwar <amitkarwar@gmail.com>, nishants <nishants@marvell.com>,
+ gbhat <gbhat@marvell.com>, huxinming820 <huxinming820@gmail.com>,
+ kvalo <kvalo@codeaurora.org>, Greg KH <greg@kroah.com>,
+ security <security@kernel.org>,
+ linux-distros <linux-distros@vs.openwall.org>,
+ "dan.carpenter" <dan.carpenter@oracle.com>,
+ Solar Designer <solar@openwall.com>
+To: linux-wireless@vger.kernel.org
+X-Mailer: Apple Mail (2.3445.6.18)
+Sender: linux-wireless-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-wireless.vger.kernel.org>
+X-Mailing-List: linux-wireless@vger.kernel.org
+
+mwifiex_process_tdls_action_frame() without checking
+the incoming tdls infomation element's vality before use it,
+this may cause multi heap buffer overflows.
+
+Fix them by putting vality check before use it.
+
+Signed-off-by: qize wang <wangqize888888888@gmail.com>
+---
+drivers/net/wireless/marvell/mwifiex/tdls.c | 70 ++++++++++++++++++++++++++---
+1 file changed, 64 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
+index 18e654d..7f60214 100644
+--- a/drivers/net/wireless/marvell/mwifiex/tdls.c
++++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
+@@ -954,59 +954,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
+
+ switch (*pos) {
+ case WLAN_EID_SUPP_RATES:
++ if (pos[1] > 32)
++ return;
+ sta_ptr->tdls_cap.rates_len = pos[1];
+ for (i = 0; i < pos[1]; i++)
+ sta_ptr->tdls_cap.rates[i] = pos[i + 2];
+ break;
+
+ case WLAN_EID_EXT_SUPP_RATES:
++ if (pos[1] > 32)
++ return;
+ basic = sta_ptr->tdls_cap.rates_len;
++ if (pos[1] > 32 - basic)
++ return;
+ for (i = 0; i < pos[1]; i++)
+ sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
+ sta_ptr->tdls_cap.rates_len += pos[1];
+ break;
+ case WLAN_EID_HT_CAPABILITY:
+- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
++ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
++ return;
++ if (pos[1] != sizeof(struct ieee80211_ht_cap))
++ return;
++ /* copy the ie's value into ht_capb*/
++ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
+ sizeof(struct ieee80211_ht_cap));
+ sta_ptr->is_11n_enabled = 1;
+ break;
+ case WLAN_EID_HT_OPERATION:
+- memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
++ if (pos > end -
++ sizeof(struct ieee80211_ht_operation) - 2)
++ return;
++ if (pos[1] != sizeof(struct ieee80211_ht_operation))
++ return;
++ /* copy the ie's value into ht_oper*/
++ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
+ sizeof(struct ieee80211_ht_operation));
+ break;
+ case WLAN_EID_BSS_COEX_2040:
++ if (pos > end - 3)
++ return;
++ if (pos[1] != 1)
++ return;
+ sta_ptr->tdls_cap.coex_2040 = pos[2];
+ break;
+ case WLAN_EID_EXT_CAPABILITY:
++ if (pos > end - sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] < sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] > 8)
++ return;
+ memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
+ sizeof(struct ieee_types_header) +
+ min_t(u8, pos[1], 8));
+ break;
+ case WLAN_EID_RSN:
++ if (pos > end - sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] < sizeof(struct ieee_types_header))
++ return;
++ if (pos[1] > IEEE_MAX_IE_SIZE -
++ sizeof(struct ieee_types_header))
++ return;
+ memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
+ sizeof(struct ieee_types_header) +
+ min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
+ sizeof(struct ieee_types_header)));
+ break;
+ case WLAN_EID_QOS_CAPA:
++ if (pos > end - 3)
++ return;
++ if (pos[1] != 1)
++ return;
+ sta_ptr->tdls_cap.qos_info = pos[2];
+ break;
+ case WLAN_EID_VHT_OPERATION:
+- if (priv->adapter->is_hw_11ac_capable)
+- memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
++ if (priv->adapter->is_hw_11ac_capable) {
++ if (pos > end -
++ sizeof(struct ieee80211_vht_operation) - 2)
++ return;
++ if (pos[1] !=
++ sizeof(struct ieee80211_vht_operation))
++ return;
++ /* copy the ie's value into vhtoper*/
++ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
+ sizeof(struct ieee80211_vht_operation));
++ }
+ break;
+ case WLAN_EID_VHT_CAPABILITY:
+ if (priv->adapter->is_hw_11ac_capable) {
+- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
++ if (pos > end -
++ sizeof(struct ieee80211_vht_cap) - 2)
++ return;
++ if (pos[1] != sizeof(struct ieee80211_vht_cap))
++ return;
++ /* copy the ie's value into vhtcap*/
++ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
+ sizeof(struct ieee80211_vht_cap));
+ sta_ptr->is_11ac_enabled = 1;
+ }
+ break;
+ case WLAN_EID_AID:
+- if (priv->adapter->is_hw_11ac_capable)
++ if (priv->adapter->is_hw_11ac_capable) {
++ if (pos > end - 4)
++ return;
++ if (pos[1] != 2)
++ return;
+ sta_ptr->tdls_cap.aid =
+ get_unaligned_le16((pos + 2));
++ }
++ break;
+ default:
+ break;
+ }
diff --git a/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch b/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
new file mode 100644
index 000000000..c006a9b2c
--- /dev/null
+++ b/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
@@ -0,0 +1,129 @@
+From patchwork Thu Nov 21 16:04:38 2019
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Ganapathi Bhat <gbhat@marvell.com>
+X-Patchwork-Id: 11256477
+X-Patchwork-Delegate: kvalo@adurom.com
+Return-Path: <SRS0=bi0l=ZN=vger.kernel.org=linux-wireless-owner@kernel.org>
+Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
+ [172.30.200.123])
+ by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AAABF138C
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Thu, 21 Nov 2019 16:04:48 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+ by mail.kernel.org (Postfix) with ESMTP id 8950220637
+ for <patchwork-linux-wireless@patchwork.kernel.org>;
+ Thu, 21 Nov 2019 16:04:48 +0000 (UTC)
+Authentication-Results: mail.kernel.org;
+ dkim=pass (2048-bit key) header.d=marvell.com header.i=@marvell.com
+ header.b="nkGygBtm"
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1727141AbfKUQEs (ORCPT
+ <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
+ Thu, 21 Nov 2019 11:04:48 -0500
+Received: from mx0b-0016f401.pphosted.com ([67.231.156.173]:6582 "EHLO
+ mx0b-0016f401.pphosted.com" rhost-flags-OK-OK-OK-OK)
+ by vger.kernel.org with ESMTP id S1726980AbfKUQEr (ORCPT
+ <rfc822;linux-wireless@vger.kernel.org>);
+ Thu, 21 Nov 2019 11:04:47 -0500
+Received: from pps.filterd (m0045851.ppops.net [127.0.0.1])
+ by mx0b-0016f401.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id
+ xALFu718003199;
+ Thu, 21 Nov 2019 08:04:44 -0800
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;
+ h=from : to : cc :
+ subject : date : message-id : mime-version : content-type; s=pfpt0818;
+ bh=o/oIGGHPmwt5MFTKPl2GcISKabBWhPBOdPXPhlV+8H8=;
+ b=nkGygBtmdc1LxIp0VzpsKssm8mQFI+syng1Rek/N5Fx3Vz4o2KAlRceJkhXNdV7WpjTG
+ XDtRj/LiYd+OAIqSLM6J2VNtOKOhaNSDydtTUnIi4imHPzYoAdESDQW5aFV8JKZqOfYx
+ 0oQTjw6AhdjJCsngL+bImzmnJoZsc2gUu3BAic/kW+6Uj0JCgQwoUFBH9rNaO+Q33BY+
+ dZy9MdKD905LxSBE7A5xWx5GEgrqRcvfxSOu2K78FQhsJ20suhvWSobxpYE0LIrajl6s
+ oQGuDbTsdOO/8v7D9Xn7zObUH6qZ08AMxDZNaBLqiKpjFY/RA7LbR2eulwEnhjCLDQfK uA==
+Received: from sc-exch03.marvell.com ([199.233.58.183])
+ by mx0b-0016f401.pphosted.com with ESMTP id 2wd090yntp-1
+ (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);
+ Thu, 21 Nov 2019 08:04:44 -0800
+Received: from SC-EXCH01.marvell.com (10.93.176.81) by SC-EXCH03.marvell.com
+ (10.93.176.83) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 21 Nov
+ 2019 08:04:43 -0800
+Received: from maili.marvell.com (10.93.176.43) by SC-EXCH01.marvell.com
+ (10.93.176.81) with Microsoft SMTP Server id 15.0.1367.3 via Frontend
+ Transport; Thu, 21 Nov 2019 08:04:43 -0800
+Received: from testmailhost.marvell.com (testmailhost.marvell.com
+ [10.31.130.105])
+ by maili.marvell.com (Postfix) with ESMTP id 898743F703F;
+ Thu, 21 Nov 2019 08:04:40 -0800 (PST)
+From: Ganapathi Bhat <gbhat@marvell.com>
+To: <linux-wireless@vger.kernel.org>
+CC: Cathy Luo <cluo@marvell.com>, Zhiyuan Yang <yangzy@marvell.com>,
+ James Cao <jcao@marvell.com>,
+ Rakesh Parmar <rakeshp@marvell.com>,
+ Brian Norris <briannorris@chromium.org>,
+ Mohammad Tausif Siddiqui <msiddiqu@redhat.com>,
+ huangwen <huangwenabc@gmail.com>,
+ Ganapathi Bhat <gbhat@marvell.com>
+Subject: [PATCH] mwifiex: fix possible heap overflow in
+ mwifiex_process_country_ie()
+Date: Thu, 21 Nov 2019 21:34:38 +0530
+Message-ID: <1574352278-7592-1-git-send-email-gbhat@marvell.com>
+X-Mailer: git-send-email 1.9.1
+MIME-Version: 1.0
+X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572
+ definitions=2019-11-21_03:2019-11-21,2019-11-21 signatures=0
+Sender: linux-wireless-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-wireless.vger.kernel.org>
+X-Mailing-List: linux-wireless@vger.kernel.org
+
+mwifiex_process_country_ie() function parse elements of bss
+descriptor in beacon packet. When processing WLAN_EID_COUNTRY
+element, there is no upper limit check for country_ie_len before
+calling memcpy. The destination buffer domain_info->triplet is an
+array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
+attacker can build a fake AP with the same ssid as real AP, and
+send malicous beacon packet with long WLAN_EID_COUNTRY elemen
+(country_ie_len > 83). Attacker can force STA connect to fake AP
+on a different channel. When the victim STA connects to fake AP,
+will trigger the heap buffer overflow. Fix this by checking for
+length and if found invalid, don not connect to the AP.
+
+This fix addresses CVE-2019-14895.
+
+Reported-by: huangwen <huangwenabc@gmail.com>
+Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
+---
+ drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+index 74e5056..6dd835f 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+@@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv,
+ "11D: skip setting domain info in FW\n");
+ return 0;
+ }
++
++ if (country_ie_len >
++ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
++ mwifiex_dbg(priv->adapter, ERROR,
++ "11D: country_ie_len overflow!, deauth AP\n");
++ return -EINVAL;
++ }
++
+ memcpy(priv->adapter->country_code, &country_ie[2], 2);
+
+ domain_info->country_code[0] = country_ie[2];
+@@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
+ priv->scan_block = false;
+
+ if (bss) {
+- if (adapter->region_code == 0x00)
+- mwifiex_process_country_ie(priv, bss);
++ if (adapter->region_code == 0x00 &&
++ mwifiex_process_country_ie(priv, bss))
++ return -EINVAL;
+
+ /* Allocate and fill new bss descriptor */
+ bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),