authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-01-14 10:12:18 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-01-14 10:12:18 +0100
commit18fdc71eb7a875c4cb90b8690d47ec6903020b53 (patch)
treec46c8a5c9b0afc848da074e3fecb12d684874a57
parentaf43f8ea5fbcc567a5324e9bff63ef9a24ec4889 (diff)
downloadqueue-3.18-18fdc71eb7a875c4cb90b8690d47ec6903020b53.tar.gz
more patches
-rw-r--r--mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch59
-rw-r--r--mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch37
-rw-r--r--scsi-bfa-release-allocated-memory-in-case-of-error.patch36
-rw-r--r--series3
4 files changed, 135 insertions, 0 deletions
diff --git a/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch b/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
new file mode 100644
index 0000000..7175e56
--- /dev/null
+++ b/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
@@ -0,0 +1,59 @@
+From 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b Mon Sep 17 00:00:00 2001
+From: Ganapathi Bhat <gbhat@marvell.com>
+Date: Thu, 21 Nov 2019 21:34:38 +0530
+Subject: mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
+
+From: Ganapathi Bhat <gbhat@marvell.com>
+
+commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.
+
+mwifiex_process_country_ie() function parse elements of bss
+descriptor in beacon packet. When processing WLAN_EID_COUNTRY
+element, there is no upper limit check for country_ie_len before
+calling memcpy. The destination buffer domain_info->triplet is an
+array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
+attacker can build a fake AP with the same ssid as real AP, and
+send malicous beacon packet with long WLAN_EID_COUNTRY elemen
+(country_ie_len > 83). Attacker can force STA connect to fake AP
+on a different channel. When the victim STA connects to fake AP,
+will trigger the heap buffer overflow. Fix this by checking for
+length and if found invalid, don not connect to the AP.
+
+This fix addresses CVE-2019-14895.
+
+Reported-by: huangwen <huangwenabc@gmail.com>
+Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/sta_ioctl.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
+@@ -223,6 +223,14 @@ static int mwifiex_process_country_ie(st
+ "11D: skip setting domain info in FW\n");
+ return 0;
+ }
++
++ if (country_ie_len >
++ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
++ wiphy_dbg(priv->wdev->wiphy,
++ "11D: country_ie_len overflow!, deauth AP\n");
++ return -EINVAL;
++ }
++
+ memcpy(priv->adapter->country_code, &country_ie[2], 2);
+
+ domain_info->country_code[0] = country_ie[2];
+@@ -266,7 +274,8 @@ int mwifiex_bss_start(struct mwifiex_pri
+ priv->scan_block = false;
+
+ if (bss) {
+- mwifiex_process_country_ie(priv, bss);
++ if (mwifiex_process_country_ie(priv, bss))
++ return -EINVAL;
+
+ /* Allocate and fill new bss descriptor */
+ bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
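Review bot: The new `return -EINVAL;` after the length check in mwifiex_process_country_ie exits with no visible cleanup, and the function starts outside this hunk, so whether a lock is held at that point cannot be seen here. Upstream, this function reads the country IE under rcu_read_lock(); if this tree does the same, the branch needs `rcu_read_unlock();` before `return -EINVAL;`, otherwise every beacon with an oversized country IE leaves the RCU read-side section unbalanced. The rejection is also logged only through wiphy_dbg, so a dropped connection attempt is invisible at default log levels; `wiphy_warn` would suit an event that indicates a malformed or hostile beacon.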
diff --git a/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch b/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
new file mode 100644
index 0000000..e2bc8f6
--- /dev/null
+++ b/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
@@ -0,0 +1,37 @@
+From db8fd2cde93227e566a412cf53173ffa227998bc Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Fri, 4 Oct 2019 15:08:52 -0500
+Subject: mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit db8fd2cde93227e566a412cf53173ffa227998bc upstream.
+
+In mwifiex_pcie_alloc_cmdrsp_buf, a new skb is allocated which should be
+released if mwifiex_map_pci_memory() fails. The release is added.
+
+Fixes: fc3314609047 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Acked-by: Ganapathi Bhat <gbhat@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/pcie.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mwifiex/pcie.c
++++ b/drivers/net/wireless/mwifiex/pcie.c
+@@ -901,8 +901,10 @@ static int mwifiex_pcie_alloc_cmdrsp_buf
+ }
+ skb_put(skb, MWIFIEX_UPLD_SIZE);
+ if (mwifiex_map_pci_memory(adapter, skb, MWIFIEX_UPLD_SIZE,
+- PCI_DMA_FROMDEVICE))
++ PCI_DMA_FROMDEVICE)) {
++ kfree_skb(skb);
+ return -1;
++ }
+
+ card->cmdrsp_buf = skb;
+
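Review bot: The added `kfree_skb(skb);` on the mapping-failure path has no comment saying why the free is safe there. It relies on mwifiex_map_pci_memory() leaving no DMA mapping behind when it returns non-zero, which is not visible in this hunk and should be confirmed against the helper. A one-line comment above the call, such as `/* mapping failed: skb is not yet owned by card->cmdrsp_buf, free it here */`, would record the ownership rule. mwifiex_pcie_alloc_cmdrsp_buf starts and continues outside the hunk.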
diff --git a/scsi-bfa-release-allocated-memory-in-case-of-error.patch b/scsi-bfa-release-allocated-memory-in-case-of-error.patch
new file mode 100644
index 0000000..2895012
--- /dev/null
+++ b/scsi-bfa-release-allocated-memory-in-case-of-error.patch
@@ -0,0 +1,36 @@
+From 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Tue, 10 Sep 2019 18:44:15 -0500
+Subject: scsi: bfa: release allocated memory in case of error
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 upstream.
+
+In bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to
+be released.
+
+Link: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/bfa/bfad_attr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/bfa/bfad_attr.c
++++ b/drivers/scsi/bfa/bfad_attr.c
+@@ -282,8 +282,10 @@ bfad_im_get_stats(struct Scsi_Host *shos
+ rc = bfa_port_get_stats(BFA_FCPORT(&bfad->bfa),
+ fcstats, bfad_hcb_comp, &fcomp);
+ spin_unlock_irqrestore(&bfad->bfad_lock, flags);
+- if (rc != BFA_STATUS_OK)
++ if (rc != BFA_STATUS_OK) {
++ kfree(fcstats);
+ return NULL;
++ }
+
+ wait_for_completion(&fcomp.comp);
+
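Review bot: The `kfree(fcstats);` added under `if (rc != BFA_STATUS_OK)` is correct only if a non-OK return from bfa_port_get_stats() guarantees the request was never queued, so that no later completion can write into the freed buffer. That callee is not visible here, so the guarantee should be checked before relying on this free. A comment such as `/* request not queued: nothing will reference fcstats after this point */` would state the assumption next to the code. bfad_im_get_stats starts and continues outside the hunk.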
diff --git a/series b/series
index d0b845f..94f3fe4 100644
--- a/series
+++ b/series
@@ -10,3 +10,6 @@ can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mo
staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch
usb-musb-dma-correct-parameter-passed-to-irq-handler.patch
staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
+mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
+mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
+scsi-bfa-release-allocated-memory-in-case-of-error.patch