|
 |
be6041e |
From patchwork Thu Nov 21 16:04:38 2019
|
|
|
be6041e |
Content-Type: text/plain; charset="utf-8"
|
|
|
be6041e |
MIME-Version: 1.0
|
|
|
be6041e |
Content-Transfer-Encoding: 7bit
|
|
|
be6041e |
X-Patchwork-Submitter: Ganapathi Bhat <gbhat@marvell.com>
|
|
|
be6041e |
X-Patchwork-Id: 11256477
|
|
|
be6041e |
X-Patchwork-Delegate: kvalo@adurom.com
|
|
|
be6041e |
Return-Path: <SRS0=bi0l=ZN=vger.kernel.org=linux-wireless-owner@kernel.org>
|
|
|
be6041e |
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
|
|
|
be6041e |
[172.30.200.123])
|
|
|
be6041e |
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AAABF138C
|
|
|
be6041e |
for <patchwork-linux-wireless@patchwork.kernel.org>;
|
|
|
be6041e |
Thu, 21 Nov 2019 16:04:48 +0000 (UTC)
|
|
|
be6041e |
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
|
|
|
be6041e |
by mail.kernel.org (Postfix) with ESMTP id 8950220637
|
|
|
be6041e |
for <patchwork-linux-wireless@patchwork.kernel.org>;
|
|
|
be6041e |
Thu, 21 Nov 2019 16:04:48 +0000 (UTC)
|
|
|
be6041e |
Authentication-Results: mail.kernel.org;
|
|
|
be6041e |
dkim=pass (2048-bit key) header.d=marvell.com header.i=@marvell.com
|
|
|
be6041e |
header.b="nkGygBtm"
|
|
|
be6041e |
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
|
|
be6041e |
id S1727141AbfKUQEs (ORCPT
|
|
|
be6041e |
<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
|
|
|
be6041e |
Thu, 21 Nov 2019 11:04:48 -0500
|
|
|
be6041e |
Received: from mx0b-0016f401.pphosted.com ([67.231.156.173]:6582 "EHLO
|
|
|
be6041e |
mx0b-0016f401.pphosted.com" rhost-flags-OK-OK-OK-OK)
|
|
|
be6041e |
by vger.kernel.org with ESMTP id S1726980AbfKUQEr (ORCPT
|
|
|
be6041e |
<rfc822;linux-wireless@vger.kernel.org>);
|
|
|
be6041e |
Thu, 21 Nov 2019 11:04:47 -0500
|
|
|
be6041e |
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1])
|
|
|
be6041e |
by mx0b-0016f401.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id
|
|
|
be6041e |
xALFu718003199;
|
|
|
be6041e |
Thu, 21 Nov 2019 08:04:44 -0800
|
|
|
be6041e |
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;
|
|
|
be6041e |
h=from : to : cc :
|
|
|
be6041e |
subject : date : message-id : mime-version : content-type; s=pfpt0818;
|
|
|
be6041e |
bh=o/oIGGHPmwt5MFTKPl2GcISKabBWhPBOdPXPhlV+8H8=;
|
|
|
be6041e |
b=nkGygBtmdc1LxIp0VzpsKssm8mQFI+syng1Rek/N5Fx3Vz4o2KAlRceJkhXNdV7WpjTG
|
|
|
be6041e |
XDtRj/LiYd+OAIqSLM6J2VNtOKOhaNSDydtTUnIi4imHPzYoAdESDQW5aFV8JKZqOfYx
|
|
|
be6041e |
0oQTjw6AhdjJCsngL+bImzmnJoZsc2gUu3BAic/kW+6Uj0JCgQwoUFBH9rNaO+Q33BY+
|
|
|
be6041e |
dZy9MdKD905LxSBE7A5xWx5GEgrqRcvfxSOu2K78FQhsJ20suhvWSobxpYE0LIrajl6s
|
|
|
be6041e |
oQGuDbTsdOO/8v7D9Xn7zObUH6qZ08AMxDZNaBLqiKpjFY/RA7LbR2eulwEnhjCLDQfK uA==
|
|
|
be6041e |
Received: from sc-exch03.marvell.com ([199.233.58.183])
|
|
|
be6041e |
by mx0b-0016f401.pphosted.com with ESMTP id 2wd090yntp-1
|
|
|
be6041e |
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);
|
|
|
be6041e |
Thu, 21 Nov 2019 08:04:44 -0800
|
|
|
be6041e |
Received: from SC-EXCH01.marvell.com (10.93.176.81) by SC-EXCH03.marvell.com
|
|
|
be6041e |
(10.93.176.83) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 21 Nov
|
|
|
be6041e |
2019 08:04:43 -0800
|
|
|
be6041e |
Received: from maili.marvell.com (10.93.176.43) by SC-EXCH01.marvell.com
|
|
|
be6041e |
(10.93.176.81) with Microsoft SMTP Server id 15.0.1367.3 via Frontend
|
|
|
be6041e |
Transport; Thu, 21 Nov 2019 08:04:43 -0800
|
|
|
be6041e |
Received: from testmailhost.marvell.com (testmailhost.marvell.com
|
|
|
be6041e |
[10.31.130.105])
|
|
|
be6041e |
by maili.marvell.com (Postfix) with ESMTP id 898743F703F;
|
|
|
be6041e |
Thu, 21 Nov 2019 08:04:40 -0800 (PST)
|
|
|
be6041e |
From: Ganapathi Bhat <gbhat@marvell.com>
|
|
|
be6041e |
To: <linux-wireless@vger.kernel.org>
|
|
|
be6041e |
CC: Cathy Luo <cluo@marvell.com>, Zhiyuan Yang <yangzy@marvell.com>,
|
|
|
be6041e |
James Cao <jcao@marvell.com>,
|
|
|
be6041e |
Rakesh Parmar <rakeshp@marvell.com>,
|
|
|
be6041e |
Brian Norris <briannorris@chromium.org>,
|
|
|
be6041e |
Mohammad Tausif Siddiqui <msiddiqu@redhat.com>,
|
|
|
be6041e |
huangwen <huangwenabc@gmail.com>,
|
|
|
be6041e |
Ganapathi Bhat <gbhat@marvell.com>
|
|
|
be6041e |
Subject: [PATCH] mwifiex: fix possible heap overflow in
|
|
|
be6041e |
mwifiex_process_country_ie()
|
|
|
be6041e |
Date: Thu, 21 Nov 2019 21:34:38 +0530
|
|
|
be6041e |
Message-ID: <1574352278-7592-1-git-send-email-gbhat@marvell.com>
|
|
|
be6041e |
X-Mailer: git-send-email 1.9.1
|
|
|
be6041e |
MIME-Version: 1.0
|
|
|
be6041e |
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572
|
|
|
be6041e |
definitions=2019-11-21_03:2019-11-21,2019-11-21 signatures=0
|
|
|
be6041e |
Sender: linux-wireless-owner@vger.kernel.org
|
|
|
be6041e |
Precedence: bulk
|
|
|
be6041e |
List-ID: <linux-wireless.vger.kernel.org>
|
|
|
be6041e |
X-Mailing-List: linux-wireless@vger.kernel.org
|
|
|
be6041e |
|
|
|
be6041e |
mwifiex_process_country_ie() function parse elements of bss
|
|
|
be6041e |
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
|
|
|
be6041e |
element, there is no upper limit check for country_ie_len before
|
|
|
be6041e |
calling memcpy. The destination buffer domain_info->triplet is an
|
|
|
be6041e |
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
|
|
|
be6041e |
attacker can build a fake AP with the same ssid as real AP, and
|
|
|
be6041e |
send malicous beacon packet with long WLAN_EID_COUNTRY elemen
|
|
|
be6041e |
(country_ie_len > 83). Attacker can force STA connect to fake AP
|
|
|
be6041e |
on a different channel. When the victim STA connects to fake AP,
|
|
|
be6041e |
will trigger the heap buffer overflow. Fix this by checking for
|
|
|
be6041e |
length and if found invalid, don not connect to the AP.
|
|
|
be6041e |
|
|
|
be6041e |
This fix addresses CVE-2019-14895.
|
|
|
be6041e |
|
|
|
be6041e |
Reported-by: huangwen <huangwenabc@gmail.com>
|
|
|
be6041e |
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
|
|
|
be6041e |
---
|
|
|
be6041e |
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++--
|
|
|
be6041e |
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
|
be6041e |
|
|
|
be6041e |
diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
|
|
|
be6041e |
index 74e5056..6dd835f 100644
|
|
|
be6041e |
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
|
|
|
be6041e |
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
|
|
|
be6041e |
@@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv,
|
|
|
be6041e |
"11D: skip setting domain info in FW\n");
|
|
|
be6041e |
return 0;
|
|
|
be6041e |
}
|
|
|
be6041e |
+
|
|
|
be6041e |
+ if (country_ie_len >
|
|
|
be6041e |
+ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
|
|
|
be6041e |
+ mwifiex_dbg(priv->adapter, ERROR,
|
|
|
be6041e |
+ "11D: country_ie_len overflow!, deauth AP\n");
|
|
|
be6041e |
+ return -EINVAL;
|
|
|
be6041e |
+ }
|
|
|
be6041e |
+
|
|
|
be6041e |
memcpy(priv->adapter->country_code, &country_ie[2], 2);
|
|
|
be6041e |
|
|
|
be6041e |
domain_info->country_code[0] = country_ie[2];
|
|
|
be6041e |
@@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
|
|
|
be6041e |
priv->scan_block = false;
|
|
|
be6041e |
|
|
|
be6041e |
if (bss) {
|
|
|
be6041e |
- if (adapter->region_code == 0x00)
|
|
|
be6041e |
- mwifiex_process_country_ie(priv, bss);
|
|
|
be6041e |
+ if (adapter->region_code == 0x00 &&
|
|
|
be6041e |
+ mwifiex_process_country_ie(priv, bss))
|
|
|
be6041e |
+ return -EINVAL;
|
|
|
be6041e |
|
|
|
be6041e |
/* Allocate and fill new bss descriptor */
|
|
|
be6041e |
bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
|