Netdev Archive on lore.kernel.org
 help / color / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Qing Xu <m1s5p6688@gmail.com>, Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.5 485/542] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
Date: Fri, 14 Feb 2020 10:47:57 -0500
Message-ID: <20200214154854.6746-485-sashal@kernel.org> (raw)
In-Reply-To: <20200214154854.6746-1-sashal@kernel.org>

From: Qing Xu <m1s5p6688@gmail.com>

[ Upstream commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d ]

mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking
the destination size may trigger a buffer overflower,
which a local user could use to cause denial of service
or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu <m1s5p6688@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/marvell/mwifiex/scan.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index 98f942b797f7b..a7968a84aaf88 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -2884,6 +2884,13 @@ mwifiex_cmd_append_vsie_tlv(struct mwifiex_private *priv,
 			vs_param_set->header.len =
 				cpu_to_le16((((u16) priv->vs_ie[id].ie[1])
 				& 0x00FF) + 2);
+			if (le16_to_cpu(vs_param_set->header.len) >
+				MWIFIEX_MAX_VSIE_LEN) {
+				mwifiex_dbg(priv->adapter, ERROR,
+					    "Invalid param length!\n");
+				break;
+			}
+
 			memcpy(vs_param_set->ie, priv->vs_ie[id].ie,
 			       le16_to_cpu(vs_param_set->header.len));
 			*buffer += le16_to_cpu(vs_param_set->header.len) +
-- 
2.20.1


  parent reply index

Thread overview: 77+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20200214154854.6746-1-sashal@kernel.org>
2020-02-14 15:39 ` [PATCH AUTOSEL 5.5 004/542] ath10k: Fix qmi init error handling Sasha Levin
2020-02-14 15:39 ` [PATCH AUTOSEL 5.5 005/542] wil6210: fix break that is never reached because of zero'ing of a retry counter Sasha Levin
2020-02-14 15:40 ` [PATCH AUTOSEL 5.5 026/542] brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() Sasha Levin
2020-02-14 15:40 ` [PATCH AUTOSEL 5.5 027/542] brcmfmac: Fix use after free in brcmf_sdio_readframes() Sasha Levin
2020-02-14 15:40 ` [PATCH AUTOSEL 5.5 034/542] gianfar: Fix TX timestamping with a stacked DSA driver Sasha Levin
2020-02-14 15:40 ` [PATCH AUTOSEL 5.5 057/542] arm64: dts: marvell: clearfog-gt-8k: fix switch cpu port node Sasha Levin
2020-02-14 15:40 ` [PATCH AUTOSEL 5.5 066/542] net: ethernet: ixp4xx: Standard module init Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 091/542] wan/hdlc_x25: fix skb handling Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 107/542] ath10k: Correct the DMA direction for management tx buffers Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 108/542] IB/mlx5: Return the administrative GUID if exists Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 109/542] rtw88: fix rate mask for 1SS chip Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 110/542] brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362 Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 111/542] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 112/542] libertas: make lbs_ibss_join_existing() return error code on rates overflow Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 125/542] netfilter: flowtable: Fix missing flush hardware on table free Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 126/542] netfilter: flowtable: Fix hardware flush order on nf_flow_table_cleanup Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 132/542] mt76: mt7615: fix max_nss in mt7615_eeprom_parse_hw_cap Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 133/542] bpftool: Don't crash on missing xlated program instructions Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 134/542] bpf, sockhash: Synchronize_rcu before free'ing map Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 135/542] bpf, sockmap: Check update requirements after locking Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 136/542] bpf: Improve bucket_log calculation logic Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 137/542] bpf, sockmap: Don't sleep while holding RCU lock on tear-down Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 167/542] ath10k: correct the tlv len of ath10k_wmi_tlv_op_gen_config_pno_start Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 177/542] net/wan/fsl_ucc_hdlc: reject muram offsets above 64K Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 180/542] NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 191/542] enetc: remove variable 'tc_max_sized_frame' set but not used Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 207/542] Revert "nfp: abm: fix memory leak in nfp_abm_u32_knode_replace" Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 209/542] selftests/net: make so_txtime more robust to timer variance Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 212/542] samples/bpf: Set -fno-stack-protector when building BPF programs Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 213/542] r8169: check that Realtek PHY driver module is loaded Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 214/542] fore200e: Fix incorrect checks of NULL pointer dereference Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 215/542] isdn: don't mark kcapi_proc_exit as __exit Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 220/542] netfilter: nft_tunnel: add the missing ERSPAN_VERSION nla_policy Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 226/542] b43legacy: Fix -Wcast-function-type Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 227/542] ipw2x00: " Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 228/542] iwlegacy: " Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 229/542] rtlwifi: rtl_pci: " Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 231/542] orinoco: avoid assertion in case of NULL pointer Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 263/542] bpf: Print error message for bpftool cgroup show Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 264/542] net: phy: realtek: add logging for the RGMII TX delay configuration Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 266/542] net/wan/fsl_ucc_hdlc: remove set but not used variables 'ut_info' and 'ret' Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 278/542] ice: add extra check for null Rx descriptor Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 285/542] net: phy: fixed_phy: fix use-after-free when checking link GPIO Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 286/542] tools lib api fs: Fix gcc9 stringop-truncation compilation error Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 294/542] mlx5: work around high stack usage with gcc Sasha Levin
2020-02-14 15:45 ` [PATCH AUTOSEL 5.5 325/542] bnxt: Detach page from page pool before sending up the stack Sasha Levin
2020-02-14 15:45 ` [PATCH AUTOSEL 5.5 327/542] wan: ixp4xx_hss: fix compile-testing on 64-bit Sasha Levin
2020-02-14 15:45 ` [PATCH AUTOSEL 5.5 352/542] bpf: Return -EBADRQC for invalid map type in __bpf_tx_xdp_map Sasha Levin
2020-02-14 15:46 ` [PATCH AUTOSEL 5.5 386/542] netfilter: flowtable: restrict flow dissector match on meta ingress device Sasha Levin
2020-02-14 15:46 ` [PATCH AUTOSEL 5.5 401/542] enetc: Don't print from enetc_sched_speed_set when link goes down Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 438/542] bpf, btf: Always output invariant hit in pahole DWARF to BTF transform Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 440/542] sunrpc: Fix potential leaks in sunrpc_cache_unhash() Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 443/542] net/mlx5e: Fix printk format warning Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 461/542] selftests: bpf: Reset global state between reuseport test runs Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 471/542] ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 472/542] hostap: Adjust indentation in prism2_hostapd_add_sta Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 473/542] rtw88: fix potential NULL skb access in TX ISR Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 474/542] rtlwifi: rtl8821ae: remove unused variables Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 475/542] rtlwifi: rtl8192ee: " Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 476/542] rtlwifi: rtl8723ae: " Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 477/542] iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 482/542] bpf: map_seq_next should always increase position index Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 484/542] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Sasha Levin
2020-02-14 15:47 ` Sasha Levin [this message]
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 502/542] powerpc: Do not consider weak unresolved symbol relocations as bad Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 516/542] iwlwifi: mvm: Fix thermal zone registration Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 517/542] iwlwifi: mvm: avoid use after free for pmsr request Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 518/542] iwlwifi: mvm: Check the sta is not NULL in iwl_mvm_cfg_he_sta() Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 519/542] iwlwifi: mvm: fix TDLS discovery with the new firmware API Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 521/542] netdevsim: fix using uninitialized resources Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 522/542] netdevsim: disable devlink reload when resources are being used Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 523/542] netdevsim: fix panic in nsim_dev_take_snapshot_write() Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 524/542] netdevsim: use __GFP_NOWARN to avoid memalloc warning Sasha Levin
2020-02-14 16:23   ` Jakub Kicinski
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 535/542] i40e: Relax i40e_xsk_wakeup's return value when PF is busy Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 540/542] mlxsw: core: Add validation of hardware device types for MGPIR register Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 541/542] mlxsw: spectrum_dpipe: Add missing error path Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200214154854.6746-485-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=kvalo@codeaurora.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=m1s5p6688@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Netdev Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git
	git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \
		netdev@vger.kernel.org
	public-inbox-index netdev

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netdev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git