diff options
Diffstat (limited to 'mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch')
| -rw-r--r-- | mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch | 173 |
1 files changed, 173 insertions, 0 deletions
diff --git a/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch b/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch new file mode 100644 index 000000000..c9a0f13a7 --- /dev/null +++ b/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch @@ -0,0 +1,173 @@ +From patchwork Fri May 31 13:18:41 2019 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: Takashi Iwai <tiwai@suse.de> +X-Patchwork-Id: 10970141 +X-Patchwork-Delegate: kvalo@adurom.com +Return-Path: <linux-wireless-owner@kernel.org> +Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org + [172.30.200.125]) + by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A2FA614C0 + for <patchwork-linux-wireless@patchwork.kernel.org>; + Fri, 31 May 2019 13:19:19 +0000 (UTC) +Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) + by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 914E928CA2 + for <patchwork-linux-wireless@patchwork.kernel.org>; + Fri, 31 May 2019 13:19:19 +0000 (UTC) +Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) + id 858EA28CA3; Fri, 31 May 2019 13:19:19 +0000 (UTC) +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + pdx-wl-mail.web.codeaurora.org +X-Spam-Level: +X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, + RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 +Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) + by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C4AB628CB5 + for <patchwork-linux-wireless@patchwork.kernel.org>; + Fri, 31 May 2019 13:19:18 +0000 (UTC) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1726687AbfEaNTR (ORCPT + <rfc822;patchwork-linux-wireless@patchwork.kernel.org>); + Fri, 31 May 2019 09:19:17 -0400 +Received: from mx2.suse.de ([195.135.220.15]:46148 "EHLO mx1.suse.de" + rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP + id S1726330AbfEaNTR (ORCPT <rfc822;linux-wireless@vger.kernel.org>); + Fri, 31 May 2019 09:19:17 -0400 +X-Virus-Scanned: by amavisd-new at test-mx.suse.de +Received: from relay2.suse.de (unknown [195.135.220.254]) + by mx1.suse.de (Postfix) with ESMTP id A72A4AE4D; + Fri, 31 May 2019 13:19:15 +0000 (UTC) +From: Takashi Iwai <tiwai@suse.de> +To: Kalle Valo <kvalo@codeaurora.org> +Cc: Amitkumar Karwar <amitkarwar@gmail.com>, + Nishant Sarmukadam <nishants@marvell.com>, + Ganapathi Bhat <gbhat@marvell.com>, + Xinming Hu <huxinming820@gmail.com>, + huangwen <huangwen@venustech.com.cn>, + Solar Designer <solar@openwall.com>, + Marcus Meissner <meissner@suse.de>, + linux-wireless@vger.kernel.org +Subject: [PATCH] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() +Date: Fri, 31 May 2019 15:18:41 +0200 +Message-Id: <20190531131841.7552-1-tiwai@suse.de> +X-Mailer: git-send-email 2.16.4 +Sender: linux-wireless-owner@vger.kernel.org +Precedence: bulk +List-ID: <linux-wireless.vger.kernel.org> +X-Mailing-List: linux-wireless@vger.kernel.org +X-Virus-Scanned: ClamAV using ClamSMTP + +A few places in mwifiex_uap_parse_tail_ies() perform memcpy() +unconditionally, which may lead to either buffer overflow or read over +boundary. + +This patch addresses the issues by checking the read size and the +destination size at each place more properly. Along with the fixes, +the patch cleans up the code slightly by introducing a temporary +variable for the token size, and unifies the error path with the +standard goto statement. + +Reported-by: huangwen <huangwen@venustech.com.cn> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + drivers/net/wireless/marvell/mwifiex/ie.c | 47 ++++++++++++++++++++----------- + 1 file changed, 31 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c +index 6845eb57b39a..653d347a9a19 100644 +--- a/drivers/net/wireless/marvell/mwifiex/ie.c ++++ b/drivers/net/wireless/marvell/mwifiex/ie.c +@@ -329,6 +329,8 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, + struct ieee80211_vendor_ie *vendorhdr; + u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0; + int left_len, parsed_len = 0; ++ unsigned int token_len; ++ int err = 0; + + if (!info->tail || !info->tail_len) + return 0; +@@ -344,6 +346,12 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, + */ + while (left_len > sizeof(struct ieee_types_header)) { + hdr = (void *)(info->tail + parsed_len); ++ token_len = hdr->len + sizeof(struct ieee_types_header); ++ if (token_len > left_len) { ++ err = -EINVAL; ++ goto out; ++ } ++ + switch (hdr->element_id) { + case WLAN_EID_SSID: + case WLAN_EID_SUPP_RATES: +@@ -361,17 +369,20 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, + if (cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT, + WLAN_OUI_TYPE_MICROSOFT_WMM, + (const u8 *)hdr, +- hdr->len + sizeof(struct ieee_types_header))) ++ token_len)) + break; + /* fall through */ + default: +- memcpy(gen_ie->ie_buffer + ie_len, hdr, +- hdr->len + sizeof(struct ieee_types_header)); +- ie_len += hdr->len + sizeof(struct ieee_types_header); ++ if (ie_len + token_len > IEEE_MAX_IE_SIZE) { ++ err = -EINVAL; ++ goto out; ++ } ++ memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len); ++ ie_len += token_len; + break; + } +- left_len -= hdr->len + sizeof(struct ieee_types_header); +- parsed_len += hdr->len + sizeof(struct ieee_types_header); ++ left_len -= token_len; ++ parsed_len += token_len; + } + + /* parse only WPA vendor IE from tail, WMM IE is configured by +@@ -381,15 +392,17 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, + WLAN_OUI_TYPE_MICROSOFT_WPA, + info->tail, info->tail_len); + if (vendorhdr) { +- memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, +- vendorhdr->len + sizeof(struct ieee_types_header)); +- ie_len += vendorhdr->len + sizeof(struct ieee_types_header); ++ token_len = vendorhdr->len + sizeof(struct ieee_types_header); ++ if (ie_len + token_len > IEEE_MAX_IE_SIZE) { ++ err = -EINVAL; ++ goto out; ++ } ++ memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len); ++ ie_len += token_len; + } + +- if (!ie_len) { +- kfree(gen_ie); +- return 0; +- } ++ if (!ie_len) ++ goto out; + + gen_ie->ie_index = cpu_to_le16(gen_idx); + gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON | +@@ -399,13 +412,15 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, + + if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL, + NULL, NULL)) { +- kfree(gen_ie); +- return -1; ++ err = -EINVAL; ++ goto out; + } + + priv->gen_idx = gen_idx; ++ ++ out: + kfree(gen_ie); +- return 0; ++ return err; + } + + /* This function parses different IEs-head & tail IEs, beacon IEs, |