brcmfmac: add length check in brcmf_cfg80211_escan_handler() (CVE-2017-0786)
This commit is contained in:
parent
18b1b67002
commit
c68c0840bc
|
@ -1,7 +1,12 @@
|
|||
linux (4.13.4-2) UNRELEASED; urgency=medium
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [armhf,arm64] thermal: Enable BCM2835_THERMAL as module (Closes: #877699)
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* brcmfmac: add length check in brcmf_cfg80211_escan_handler()
|
||||
(CVE-2017-0786)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Wed, 04 Oct 2017 23:14:54 +0100
|
||||
|
||||
linux (4.13.4-1) unstable; urgency=medium
|
||||
|
|
72
debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
vendored
Normal file
72
debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
vendored
Normal file
|
@ -0,0 +1,72 @@
|
|||
From: Arend Van Spriel <arend.vanspriel@broadcom.com>
|
||||
Date: Tue, 12 Sep 2017 10:47:53 +0200
|
||||
Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler()
|
||||
Origin: https://git.kernel.org/linus/17df6453d4be17910456e99c5a85025aa1b7a246
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0786
|
||||
|
||||
Upon handling the firmware notification for scans the length was
|
||||
checked properly and may result in corrupting kernel heap memory
|
||||
due to buffer overruns. This fix addresses CVE-2017-0786.
|
||||
|
||||
Cc: stable@vger.kernel.org # v4.0.x
|
||||
Cc: Kevin Cernekee <cernekee@chromium.org>
|
||||
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
|
||||
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
|
||||
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
|
||||
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
|
||||
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
||||
---
|
||||
.../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 18 +++++++++++++++---
|
||||
1 file changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
||||
index aaed4ab503ad..26a0de371c26 100644
|
||||
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
||||
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
||||
@@ -3162,6 +3162,7 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
|
||||
struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
|
||||
s32 status;
|
||||
struct brcmf_escan_result_le *escan_result_le;
|
||||
+ u32 escan_buflen;
|
||||
struct brcmf_bss_info_le *bss_info_le;
|
||||
struct brcmf_bss_info_le *bss = NULL;
|
||||
u32 bi_length;
|
||||
@@ -3181,11 +3182,23 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
|
||||
|
||||
if (status == BRCMF_E_STATUS_PARTIAL) {
|
||||
brcmf_dbg(SCAN, "ESCAN Partial result\n");
|
||||
+ if (e->datalen < sizeof(*escan_result_le)) {
|
||||
+ brcmf_err("invalid event data length\n");
|
||||
+ goto exit;
|
||||
+ }
|
||||
escan_result_le = (struct brcmf_escan_result_le *) data;
|
||||
if (!escan_result_le) {
|
||||
brcmf_err("Invalid escan result (NULL pointer)\n");
|
||||
goto exit;
|
||||
}
|
||||
+ escan_buflen = le32_to_cpu(escan_result_le->buflen);
|
||||
+ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
|
||||
+ escan_buflen > e->datalen ||
|
||||
+ escan_buflen < sizeof(*escan_result_le)) {
|
||||
+ brcmf_err("Invalid escan buffer length: %d\n",
|
||||
+ escan_buflen);
|
||||
+ goto exit;
|
||||
+ }
|
||||
if (le16_to_cpu(escan_result_le->bss_count) != 1) {
|
||||
brcmf_err("Invalid bss_count %d: ignoring\n",
|
||||
escan_result_le->bss_count);
|
||||
@@ -3202,9 +3215,8 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
|
||||
}
|
||||
|
||||
bi_length = le32_to_cpu(bss_info_le->length);
|
||||
- if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
|
||||
- WL_ESCAN_RESULTS_FIXED_SIZE)) {
|
||||
- brcmf_err("Invalid bss_info length %d: ignoring\n",
|
||||
+ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
|
||||
+ brcmf_err("Ignoring invalid bss_info length: %d\n",
|
||||
bi_length);
|
||||
goto exit;
|
||||
}
|
||||
--
|
||||
2.11.0
|
||||
|
|
@ -119,6 +119,7 @@ bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
|
|||
bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
|
||||
bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
|
||||
bugfix/all/fix-infoleak-in-waitid-2.patch
|
||||
bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
|
||||
|
|
Loading…
Reference in New Issue