diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-01-14 10:12:18 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-01-14 10:12:18 +0100 |
commit | 18fdc71eb7a875c4cb90b8690d47ec6903020b53 (patch) | |
tree | c46c8a5c9b0afc848da074e3fecb12d684874a57 | |
parent | af43f8ea5fbcc567a5324e9bff63ef9a24ec4889 (diff) | |
download | queue-3.18-18fdc71eb7a875c4cb90b8690d47ec6903020b53.tar.gz |
more patches
-rw-r--r-- | mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch | 59 | ||||
-rw-r--r-- | mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch | 37 | ||||
-rw-r--r-- | scsi-bfa-release-allocated-memory-in-case-of-error.patch | 36 | ||||
-rw-r--r-- | series | 3 |
4 files changed, 135 insertions, 0 deletions
diff --git a/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch b/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch new file mode 100644 index 0000000..7175e56 --- /dev/null +++ b/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch @@ -0,0 +1,59 @@ +From 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b Mon Sep 17 00:00:00 2001 +From: Ganapathi Bhat <gbhat@marvell.com> +Date: Thu, 21 Nov 2019 21:34:38 +0530 +Subject: mwifiex: fix possible heap overflow in mwifiex_process_country_ie() + +From: Ganapathi Bhat <gbhat@marvell.com> + +commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream. + +mwifiex_process_country_ie() function parse elements of bss +descriptor in beacon packet. When processing WLAN_EID_COUNTRY +element, there is no upper limit check for country_ie_len before +calling memcpy. The destination buffer domain_info->triplet is an +array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote +attacker can build a fake AP with the same ssid as real AP, and +send malicous beacon packet with long WLAN_EID_COUNTRY elemen +(country_ie_len > 83). Attacker can force STA connect to fake AP +on a different channel. When the victim STA connects to fake AP, +will trigger the heap buffer overflow. Fix this by checking for +length and if found invalid, don not connect to the AP. + +This fix addresses CVE-2019-14895. + +Reported-by: huangwen <huangwenabc@gmail.com> +Signed-off-by: Ganapathi Bhat <gbhat@marvell.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/wireless/mwifiex/sta_ioctl.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/mwifiex/sta_ioctl.c ++++ b/drivers/net/wireless/mwifiex/sta_ioctl.c +@@ -223,6 +223,14 @@ static int mwifiex_process_country_ie(st + "11D: skip setting domain info in FW\n"); + return 0; + } ++ ++ if (country_ie_len > ++ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) { ++ wiphy_dbg(priv->wdev->wiphy, ++ "11D: country_ie_len overflow!, deauth AP\n"); ++ return -EINVAL; ++ } ++ + memcpy(priv->adapter->country_code, &country_ie[2], 2); + + domain_info->country_code[0] = country_ie[2]; +@@ -266,7 +274,8 @@ int mwifiex_bss_start(struct mwifiex_pri + priv->scan_block = false; + + if (bss) { +- mwifiex_process_country_ie(priv, bss); ++ if (mwifiex_process_country_ie(priv, bss)) ++ return -EINVAL; + + /* Allocate and fill new bss descriptor */ + bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor), diff --git a/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch b/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch new file mode 100644 index 0000000..e2bc8f6 --- /dev/null +++ b/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch @@ -0,0 +1,37 @@ +From db8fd2cde93227e566a412cf53173ffa227998bc Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost <navid.emamdoost@gmail.com> +Date: Fri, 4 Oct 2019 15:08:52 -0500 +Subject: mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf + +From: Navid Emamdoost <navid.emamdoost@gmail.com> + +commit db8fd2cde93227e566a412cf53173ffa227998bc upstream. + +In mwifiex_pcie_alloc_cmdrsp_buf, a new skb is allocated which should be +released if mwifiex_map_pci_memory() fails. The release is added. + +Fixes: fc3314609047 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe") +Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com> +Acked-by: Ganapathi Bhat <gbhat@marvell.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Cc: Ben Hutchings <ben.hutchings@codethink.co.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/wireless/mwifiex/pcie.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/mwifiex/pcie.c ++++ b/drivers/net/wireless/mwifiex/pcie.c +@@ -901,8 +901,10 @@ static int mwifiex_pcie_alloc_cmdrsp_buf + } + skb_put(skb, MWIFIEX_UPLD_SIZE); + if (mwifiex_map_pci_memory(adapter, skb, MWIFIEX_UPLD_SIZE, +- PCI_DMA_FROMDEVICE)) ++ PCI_DMA_FROMDEVICE)) { ++ kfree_skb(skb); + return -1; ++ } + + card->cmdrsp_buf = skb; + diff --git a/scsi-bfa-release-allocated-memory-in-case-of-error.patch b/scsi-bfa-release-allocated-memory-in-case-of-error.patch new file mode 100644 index 0000000..2895012 --- /dev/null +++ b/scsi-bfa-release-allocated-memory-in-case-of-error.patch @@ -0,0 +1,36 @@ +From 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost <navid.emamdoost@gmail.com> +Date: Tue, 10 Sep 2019 18:44:15 -0500 +Subject: scsi: bfa: release allocated memory in case of error + +From: Navid Emamdoost <navid.emamdoost@gmail.com> + +commit 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 upstream. + +In bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to +be released. + +Link: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com +Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Cc: Ben Hutchings <ben.hutchings@codethink.co.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/scsi/bfa/bfad_attr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/bfa/bfad_attr.c ++++ b/drivers/scsi/bfa/bfad_attr.c +@@ -282,8 +282,10 @@ bfad_im_get_stats(struct Scsi_Host *shos + rc = bfa_port_get_stats(BFA_FCPORT(&bfad->bfa), + fcstats, bfad_hcb_comp, &fcomp); + spin_unlock_irqrestore(&bfad->bfad_lock, flags); +- if (rc != BFA_STATUS_OK) ++ if (rc != BFA_STATUS_OK) { ++ kfree(fcstats); + return NULL; ++ } + + wait_for_completion(&fcomp.comp); + @@ -10,3 +10,6 @@ can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mo staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch usb-musb-dma-correct-parameter-passed-to-irq-handler.patch staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch +mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch +mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch +scsi-bfa-release-allocated-memory-in-case-of-error.patch |