* [PATCH] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
@ 2016-09-15 11:41 Arend van Spriel
From: Arend van Spriel @ 2016-09-15 11:41 UTC (permalink / raw)
  To: stable; +Cc: linux-wireless, Arend van Spriel, Kalle Valo

commit ded89912156b1a47d940a0c954c43afbabd0c42c upstream

User-space can choose to omit NL80211_ATTR_SSID and only provide raw
IE TLV data. When doing so it can provide an SSID IE with a length exceeding
the allowed size. The driver further processes this IE, copying it
into a local variable without checking the length. Hence the stack can be
corrupted and used as an exploit.

Cc: stable@vger.kernel.org # v4.4, v4.1
Reported-by: Daxing Guo <freener.gdx@gmail.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
index 5db56a7..b8aec5e5 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
@@ -4527,7 +4527,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
 				(u8 *)&settings->beacon.head[ie_offset],
 				settings->beacon.head_len - ie_offset,
 				WLAN_EID_SSID);
-		if (!ssid_ie)
+		if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
 			return -EINVAL;
 
 		memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
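Review bot: the `return -EINVAL;` taken on the new `ssid_ie->len > IEEE80211_MAX_SSID_LEN` branch is silent, so an over-long SSID element supplied from user-space is rejected without leaving any trace; since the commit message treats this input as an attempt to corrupt the stack, a brcmf_err() line reporting the offending length before the return would make such requests visible in the kernel log. If that is added upstream it should be carried into this v4.4/v4.1 backport as well so the two stay in step.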
-- 
1.9.1


* [PATCH] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
@ 2016-09-15 11:43 Arend van Spriel
From: Arend van Spriel @ 2016-09-15 11:43 UTC (permalink / raw)
  To: stable; +Cc: linux-wireless, Arend van Spriel, Kalle Valo

commit ded89912156b1a47d940a0c954c43afbabd0c42c upstream

User-space can choose to omit NL80211_ATTR_SSID and only provide raw
IE TLV data. When doing so it can provide an SSID IE with a length exceeding
the allowed size. The driver further processes this IE, copying it
into a local variable without checking the length. Hence the stack can be
corrupted and used as an exploit.

Cc: stable@vger.kernel.org # v3.18, v3.16, v3.14, v3.12, v3.10
Reported-by: Daxing Guo <freener.gdx@gmail.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
index 5db56a7..b8aec5e5 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -4527,7 +4527,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
 				(u8 *)&settings->beacon.head[ie_offset],
 				settings->beacon.head_len - ie_offset,
 				WLAN_EID_SSID);
-		if (!ssid_ie)
+		if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
 			return -EINVAL;
 
 		memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
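Review bot: the index line `5db56a7..b8aec5e5` and the hunk header `@@ -4527,7 +4527,7 @@` are identical to the upstream posting in this thread even though the file here is wl_cfg80211.c under drivers/net/wireless/brcm80211/ and the targets are v3.10 through v3.18; a backport should be regenerated with git format-patch against the stable tree so that the blob ids and line offsets belong to it, otherwise `git am -3` has nothing to fall back on for a three-way merge if the surrounding context has drifted in those branches.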
-- 
1.9.1


* Re: [PATCH] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
@ 2016-09-05 10:37 ` Arend Van Spriel
From: Arend Van Spriel @ 2016-09-05 10:37 UTC (permalink / raw)
  To: Kalle Valo; +Cc: linux-wireless

On 5-9-2016 11:45, Arend van Spriel wrote:
> User-space can choose to omit NL80211_ATTR_SSID and only provide raw
> IE TLV data. When doing so it can provide an SSID IE with a length exceeding
> the allowed size. The driver further processes this IE, copying it
> into a local variable without checking the length. Hence the stack can be
> corrupted and used as an exploit.

This patch is intended for the wireless-drivers repository, i.e. for v4.8.

Regards,
Arend

> Cc: stable@vger.kernel.org # v4.7
> Reported-by: Daxing Guo <freener.gdx@gmail.com>
> Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
> Reviewed-by: Franky Lin <franky.lin@broadcom.com>
> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index 5db56a7..b8aec5e5 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -4527,7 +4527,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
>  				(u8 *)&settings->beacon.head[ie_offset],
>  				settings->beacon.head_len - ie_offset,
>  				WLAN_EID_SSID);
> -		if (!ssid_ie)
> +		if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
>  			return -EINVAL;
>  
>  		memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
> 
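Review bot: the `||` ordering in `if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)` is what keeps the ->len read safe when no SSID element is present, and the `memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);` three lines later is the copy this bound exists for; a one-line comment above the check stating that it bounds the copy into ssid_le.SSID would document that dependency for anyone later touching either line.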


* [PATCH] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
@ 2016-09-05  9:45 Arend van Spriel
From: Arend van Spriel @ 2016-09-05  9:45 UTC (permalink / raw)
  To: Kalle Valo; +Cc: linux-wireless, Arend van Spriel

User-space can choose to omit NL80211_ATTR_SSID and only provide raw
IE TLV data. When doing so it can provide an SSID IE with a length exceeding
the allowed size. The driver further processes this IE, copying it
into a local variable without checking the length. Hence the stack can be
corrupted and used as an exploit.

Cc: stable@vger.kernel.org # v4.7
Reported-by: Daxing Guo <freener.gdx@gmail.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 5db56a7..b8aec5e5 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -4527,7 +4527,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
 				(u8 *)&settings->beacon.head[ie_offset],
 				settings->beacon.head_len - ie_offset,
 				WLAN_EID_SSID);
-		if (!ssid_ie)
+		if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
 			return -EINVAL;
 
 		memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
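Review bot: the new bound in `if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)` protects `memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);` only if ssid_le.SSID is at least IEEE80211_MAX_SSID_LEN bytes, which the hunk does not show; comparing against `sizeof(ssid_le.SSID)` would tie the check to the actual destination rather than to a constant defined elsewhere. The hunk also shows the element being searched for within `settings->beacon.head_len - ie_offset` bytes but not whether that lookup verifies that ssid_ie->len fits inside the remaining buffer, so it is worth confirming that the helper performs that check; if it does not, the copy can still read past the end of beacon.head even with the new SSID-length bound in place.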
-- 
1.9.1
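The commit message above describes two separate bounds that a raw IE TLV buffer from user-space has to satisfy before an SSID may be copied into a fixed-size field: the element body must lie inside the buffer, and its length must not exceed the SSID maximum. The following is an added example, not brcmfmac code and not part of this thread; it is a minimal standalone IE walker in which every name (ie_find, ssid_from_ies, the demo_* functions, EID_SSID, MAX_SSID_LEN) and every sample buffer is this example's own construction, and it shows the over-long and truncated cases being rejected before any memcpy runs.

```c
/* Added example (not brcmfmac code): a minimal 802.11 information-element
 * walker that locates the SSID element in a raw IE TLV buffer and copies it
 * into a fixed-size field only after both bounds hold: the element body lies
 * inside the buffer, and its length does not exceed the SSID maximum.
 * All names here (ie_find, ssid_from_ies, demo_*) are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define EID_SSID      0   /* element ID of the SSID element */
#define MAX_SSID_LEN  32  /* same value as IEEE80211_MAX_SSID_LEN */

struct ie_hdr {
    uint8_t id;
    uint8_t len;
    uint8_t data[];       /* len bytes of element body follow the header */
};

/* Walk the TLV buffer and return the first element with the given id, or
 * NULL if it is absent or if any element claims more bytes than remain.
 * Bound 1: never trust a length byte that runs past buf_len. */
static const struct ie_hdr *ie_find(const uint8_t *buf, size_t buf_len, uint8_t id)
{
    size_t off = 0;
    while (off + sizeof(struct ie_hdr) <= buf_len) {
        const struct ie_hdr *ie = (const struct ie_hdr *)(buf + off);
        size_t elem_len = sizeof(struct ie_hdr) + ie->len;
        if (elem_len > buf_len - off)
            return NULL;  /* truncated element: body would run past the buffer */
        if (ie->id == id)
            return ie;
        off += elem_len;
    }
    return NULL;
}

/* Copy the SSID from the raw IE buffer into dst (MAX_SSID_LEN bytes).
 * Returns the SSID length, or -1 if the element is missing, truncated, or
 * longer than MAX_SSID_LEN. Bound 2: the length must fit the destination,
 * which is the check the brcmfmac patch adds in front of its memcpy. */
static int ssid_from_ies(const uint8_t *ies, size_t ies_len, uint8_t dst[MAX_SSID_LEN])
{
    const struct ie_hdr *ssid_ie = ie_find(ies, ies_len, EID_SSID);
    if (!ssid_ie || ssid_ie->len > MAX_SSID_LEN)
        return -1;
    memcpy(dst, ssid_ie->data, ssid_ie->len);
    return ssid_ie->len;
}

/* Constructed sample buffers for the demonstration. */
static int demo_good(void)
{
    /* Supported-rates element (id 1, len 2) followed by SSID "lab" (id 0, len 3). */
    static const uint8_t ies[] = { 1, 2, 0x82, 0x84, 0, 3, 'l', 'a', 'b' };
    uint8_t ssid[MAX_SSID_LEN] = { 0 };
    return ssid_from_ies(ies, sizeof ies, ssid);   /* 3 */
}

static int demo_too_long(void)
{
    /* SSID element whose length byte claims 40 bytes; the buffer really
     * carries them, so only the SSID-maximum bound can reject it. */
    uint8_t ies[2 + 40];
    uint8_t ssid[MAX_SSID_LEN] = { 0 };
    ies[0] = EID_SSID;
    ies[1] = 40;
    memset(ies + 2, 'A', 40);
    return ssid_from_ies(ies, sizeof ies, ssid);   /* -1: rejected before memcpy */
}

static int demo_truncated(void)
{
    /* Length byte claims 10 bytes but only 2 follow: the walker must not
     * read past the end of the buffer while locating the element. */
    static const uint8_t ies[] = { EID_SSID, 10, 'x', 'y' };
    uint8_t ssid[MAX_SSID_LEN] = { 0 };
    return ssid_from_ies(ies, sizeof ies, ssid);   /* -1 */
}

int main(void)
{
    printf("good: %d, too long: %d, truncated: %d\n",
           demo_good(), demo_too_long(), demo_truncated());
    return 0;
}
```

The driver's fix corresponds to the second bound in ssid_from_ies; the first bound belongs to whatever locates the element, which is why a reviewer of the patch also wants to know that the IE lookup checks each element's length against the remaining beacon.head bytes.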

