Jeremy Cline 079e0f5
From patchwork Thu Nov 21 16:04:38 2019
X-Patchwork-Submitter: Ganapathi Bhat <gbhat@marvell.com>
X-Patchwork-Id: 11256477
X-Patchwork-Delegate: kvalo@adurom.com
From: Ganapathi Bhat <gbhat@marvell.com>
To: <linux-wireless@vger.kernel.org>
CC: Cathy Luo <cluo@marvell.com>, Zhiyuan Yang <yangzy@marvell.com>,
        James Cao <jcao@marvell.com>,
        Rakesh Parmar <rakeshp@marvell.com>,
        Brian Norris <briannorris@chromium.org>,
        Mohammad Tausif Siddiqui <msiddiqu@redhat.com>,
        huangwen <huangwenabc@gmail.com>,
        Ganapathi Bhat <gbhat@marvell.com>
Subject: [PATCH] mwifiex: fix possible heap overflow in
 mwifiex_process_country_ie()
Date: Thu, 21 Nov 2019 21:34:38 +0530
Message-ID: <1574352278-7592-1-git-send-email-gbhat@marvell.com>
X-Mailer: git-send-email 1.9.1
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

mwifiex_process_country_ie() function parses elements of bss
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
element, there is no upper limit check for country_ie_len before
calling memcpy. The destination buffer domain_info->triplet is an
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
attacker can build a fake AP with the same ssid as real AP, and
send malicious beacon packet with long WLAN_EID_COUNTRY element
(country_ie_len > 83). Attacker can force STA to connect to fake AP
on a different channel. When the victim STA connects to fake AP,
it will trigger the heap buffer overflow. Fix this by checking for
length and if found invalid, do not connect to the AP.

This fix addresses CVE-2019-14895.

Reported-by: huangwen <huangwenabc@gmail.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
---
 drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
index 74e5056..6dd835f 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv,
 			    "11D: skip setting domain info in FW\n");
 		return 0;
 	}
+
+	if (country_ie_len >
+	    (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
+		mwifiex_dbg(priv->adapter, ERROR,
+			    "11D: country_ie_len overflow!, deauth AP\n");
+		return -EINVAL;
+	}
+
 	memcpy(priv->adapter->country_code, &country_ie[2], 2);
 
 	domain_info->country_code[0] = country_ie[2];
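Review bot: the new bound in mwifiex_process_country_ie() compares a byte length (country_ie_len) against IEEE80211_COUNTRY_STRING_LEN plus MWIFIEX_MAX_TRIPLET_802_11D, which the commit message describes as the number of entries in domain_info->triplet rather than a byte size; if a triplet entry is wider than one byte the limit is tighter than the destination actually needs, so either derive the bound from sizeof(domain_info->triplet) or add a comment stating that the stricter limit is intentional. The check also only caps the length: the context lines immediately after it read country_ie[2] and country_ie[3] into country_code, so please confirm that a lower bound (country_ie_len >= IEEE80211_COUNTRY_STRING_LEN) is enforced before this point, which the hunk does not show. Minor: the log string "country_ie_len overflow!, deauth AP" carries stray punctuation.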
@@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
 	priv->scan_block = false;
 
 	if (bss) {
-		if (adapter->region_code == 0x00)
-			mwifiex_process_country_ie(priv, bss);
+		if (adapter->region_code == 0x00 &&
+		    mwifiex_process_country_ie(priv, bss))
+			return -EINVAL;
 
 		/* Allocate and fill new bss descriptor */
 		bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
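Review bot: in mwifiex_bss_start() the new branch discards the callee's return value and hard-codes -EINVAL; storing it (`ret = mwifiex_process_country_ie(priv, bss); if (ret) return ret;`, assuming a local ret is available) keeps whatever error the callee chose. Also, before this patch the return value was ignored, so any non-zero return from mwifiex_process_country_ie() now aborts the association, not only the new over-length case; the first hunk shows at least one other return path (`return 0;` for the skip case), and if the function has further error returns they are now fatal too, which the commit message should state explicitly.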
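The bounds checking the commit message calls for, as an added stand-alone C example rather than the driver's own code: a parser for the 802.11 Country element that enforces both a lower and an upper bound before copying into a fixed triplet array sized like MWIFIEX_MAX_TRIPLET_802_11D, and rejects the over-long element that triggered CVE-2019-14895. The names parse_country_ie, parse_sample, both struct layouts and the constructed sample elements are assumptions for this example, not mwifiex identifiers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Limits named in the patch; the triplet layout is the 802.11 one (3 octets). */
#define COUNTRY_STRING_LEN 3    /* IEEE80211_COUNTRY_STRING_LEN */
#define MAX_TRIPLET_802_11D 83  /* MWIFIEX_MAX_TRIPLET_802_11D */
#define EID_COUNTRY 7           /* WLAN_EID_COUNTRY */

struct triplet { uint8_t first_chan, num_chans, max_power; };
struct domain_info {                    /* assumed stand-in for the driver's struct */
    uint8_t country_code[COUNTRY_STRING_LEN];
    size_t no_of_triplet;
    struct triplet triplet[MAX_TRIPLET_802_11D];
};

/* Parse a Country element: ie[0] = EID, ie[1] = body length, body follows; avail is
 * how many bytes the buffer really holds. Returns triplets copied, or -1 if rejected. */
int parse_country_ie(const uint8_t *ie, size_t avail, struct domain_info *out)
{
    if (avail < 2 || ie[0] != EID_COUNTRY)
        return -1;
    size_t len = ie[1];
    if (len + 2 > avail)                     /* element claims more than the frame carries */
        return -1;
    if (len < COUNTRY_STRING_LEN)            /* lower bound: country string must be present */
        return -1;
    size_t body = len - COUNTRY_STRING_LEN;
    if (body % sizeof(struct triplet) != 0)  /* only whole triplets are accepted */
        return -1;
    size_t n = body / sizeof(struct triplet);
    if (n > MAX_TRIPLET_802_11D)             /* upper bound: the check missing before the fix */
        return -1;
    memcpy(out->country_code, &ie[2], COUNTRY_STRING_LEN);
    memcpy(out->triplet, &ie[2 + COUNTRY_STRING_LEN], body);
    out->no_of_triplet = n;
    return (int)n;
}

/* Constructed sample: country "US " plus n triplets (1,13,20), with the element's
 * length field set to declared_len so malformed and oversized cases can be built. */
int parse_sample(size_t n, size_t declared_len)
{
    uint8_t buf[2 + 255] = {EID_COUNTRY, 0, 'U', 'S', ' '};
    buf[1] = (uint8_t)declared_len;
    for (size_t i = 0; i < n && 7 + 3 * i < sizeof buf; i++) {
        buf[5 + 3 * i] = 1; buf[6 + 3 * i] = 13; buf[7 + 3 * i] = 20;
    }
    struct domain_info di;
    return parse_country_ie(buf, sizeof buf, &di);
}
```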