From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ganapathi Bhat <gbhat@marvell.com>,
huangwen <huangwenabc@gmail.com>,
Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 01/38] mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
Date: Fri, 27 Dec 2019 13:13:58 -0500 [thread overview]
Message-ID: <20191227181435.7644-1-sashal@kernel.org> (raw)
From: Ganapathi Bhat <gbhat@marvell.com>
[ Upstream commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b ]
mwifiex_process_country_ie() function parse elements of bss
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
element, there is no upper limit check for country_ie_len before
calling memcpy. The destination buffer domain_info->triplet is an
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
attacker can build a fake AP with the same ssid as real AP, and
send malicous beacon packet with long WLAN_EID_COUNTRY elemen
(country_ie_len > 83). Attacker can force STA connect to fake AP
on a different channel. When the victim STA connects to fake AP,
will trigger the heap buffer overflow. Fix this by checking for
length and if found invalid, don not connect to the AP.
This fix addresses CVE-2019-14895.
Reported-by: huangwen <huangwenabc@gmail.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
index 478885afb6c6..be3be7a63cf0 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -271,6 +271,14 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv,
"11D: skip setting domain info in FW\n");
return 0;
}
+
+ if (country_ie_len >
+ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
+ mwifiex_dbg(priv->adapter, ERROR,
+ "11D: country_ie_len overflow!, deauth AP\n");
+ return -EINVAL;
+ }
+
memcpy(priv->adapter->country_code, &country_ie[2], 2);
domain_info->country_code[0] = country_ie[2];
@@ -314,8 +322,9 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
priv->scan_block = false;
if (bss) {
- if (adapter->region_code == 0x00)
- mwifiex_process_country_ie(priv, bss);
+ if (adapter->region_code == 0x00 &&
+ mwifiex_process_country_ie(priv, bss))
+ return -EINVAL;
/* Allocate and fill new bss descriptor */
bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
--
2.20.1
next reply other threads:[~2019-12-27 18:20 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-27 18:13 Sasha Levin [this message]
2019-12-27 18:13 ` [PATCH AUTOSEL 4.9 02/38] locking/spinlock/debug: Fix various data races Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 03/38] netfilter: ctnetlink: netns exit must wait for callbacks Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 04/38] efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 05/38] efi/gop: Return EFI_SUCCESS if a usable GOP was found Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 06/38] efi/gop: Fix memory leak in __gop_query32/64() Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 07/38] ARM: vexpress: Set-up shared OPP table instead of individual for each CPU Sasha Levin
2019-12-27 18:14 ` Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 08/38] netfilter: uapi: Avoid undefined left-shift in xt_sctp.h Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 09/38] netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() Sasha Levin
2019-12-27 18:14 ` [Bridge] " Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 10/38] spi: spi-cavium-thunderx: Add missing pci_release_regions() Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 11/38] af_packet: set defaule value for tmo Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 12/38] fjes: fix missed check in fjes_acpi_add Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 13/38] net: ena: fix napi handler misbehavior when the napi budget is zero Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 14/38] ARM: dts: am437x-gp/epos-evm: fix panel compatible Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 15/38] samples: bpf: Replace symbol compare of trace_event Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 16/38] tty: serial: msm_serial: Fix lockup for sysrq and oops Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 17/38] net: usb: lan78xx: Fix suspend/resume PHY register access error Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 18/38] powerpc: Ensure that swiotlb buffer is allocated from low memory Sasha Levin
2019-12-27 18:14 ` Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 19/38] 6pack,mkiss: fix possible deadlock Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 20/38] bnx2x: Do not handle requests from VFs after parity Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 21/38] bnx2x: Fix logic to get total no. of PFs per engine Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 22/38] gtp: fix wrong condition in gtp_genl_dump_pdp() Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 23/38] gtp: avoid zero size hashtable Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 24/38] net: usb: lan78xx: Fix error message format specifier Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 25/38] rfkill: Fix incorrect check to avoid NULL pointer dereference Sasha Levin
2019-12-28 1:48 ` Justin Capella
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 26/38] ASoC: wm8962: fix lambda value Sasha Levin
2019-12-27 18:14 ` [alsa-devel] " Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 27/38] regulator: rn5t618: fix module aliases Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 28/38] kconfig: don't crash on NULL expressions in expr_eq() Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 29/38] perf/x86/intel: Fix PT PMI handling Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 30/38] net: qlogic: Fix error paths in ql_alloc_large_buffers() Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 31/38] net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 32/38] net: stmmac: RX buffer size must be 16 byte aligned Sasha Levin
2019-12-27 18:14 ` Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 33/38] net, sysctl: Fix compiler warning when only cBPF is present Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 34/38] block: fix memleak when __blk_rq_map_user_iov() is failed Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 35/38] parisc: Fix compiler warnings in debug_core.c Sasha Levin
2019-12-27 18:14 ` [PATCH AUTOSEL 4.9 36/38] net: hisilicon: Fix a BUG trigered by wrong bytes_compl Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191227181435.7644-1-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=gbhat@marvell.com \
--cc=huangwenabc@gmail.com \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.