authorKernel Build Daemon <kbuild@suse.de>2019-09-12 07:01:15 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-09-12 07:01:15 +0200
commit643bef099d7792fe2c015224e7809e0c496b161c (patch)
tree48b4ebf096b019dd3c5bee5390718ceef004dc52
parent52c17bb196ed9bd04f472eaf09667ccab7df0912 (diff)
parentfd4c627b5ceae72114194a89d0e8bb4af974db89 (diff)
Merge branch 'SLE12-SP5' into SLE12-SP5-AZURE
-rw-r--r--patches.suse/0001-mwifiex-Fix-possible-buffer-overflows-at-parsing-bss.patch51
-rw-r--r--series.conf1
2 files changed, 52 insertions, 0 deletions
diff --git a/patches.suse/0001-mwifiex-Fix-possible-buffer-overflows-at-parsing-bss.patch b/patches.suse/0001-mwifiex-Fix-possible-buffer-overflows-at-parsing-bss.patch
new file mode 100644
index 0000000000..c1375d52a3
--- /dev/null
+++ b/patches.suse/0001-mwifiex-Fix-possible-buffer-overflows-at-parsing-bss.patch
@@ -0,0 +1,51 @@
+From 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 29 May 2019 14:52:19 +0200
+Subject: [PATCH] mwifiex: Fix possible buffer overflows at parsing bss
+ descriptor
+References: bsc#1136424 CVE-2019-3846
+Patch-mainline: v5.2-rc5
+Git-commit: 13ec7f10b87f5fc04c4ccbd491c94c7980236a74
+
+mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
+a couple places without checking the destination size. Since the
+source is given from user-space, this may trigger a heap buffer
+overflow.
+
+Fix it by putting the length check before performing memcpy().
+
+This fix addresses CVE-2019-3846.
+
+Reported-by: huangwen <huangwen@venustech.com.cn>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 935778ec9a1b..64ab6fe78c0d 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1247,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ }
+ switch (element_id) {
+ case WLAN_EID_SSID:
++ if (element_len > IEEE80211_MAX_SSID_LEN)
++ return -EINVAL;
+ bss_entry->ssid.ssid_len = element_len;
+ memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
+ element_len);
+@@ -1256,6 +1258,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_SUPP_RATES:
++ if (element_len > MWIFIEX_SUPPORTED_RATES)
++ return -EINVAL;
+ memcpy(bss_entry->data_rates, current_ptr + 2,
+ element_len);
+ memcpy(bss_entry->supported_rates, current_ptr + 2,
+--
+2.16.4
+
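Review bot: The two length checks added in the embedded scan.c patch (the WLAN_EID_SSID and WLAN_EID_SUPP_RATES cases) return -EINVAL without logging, so a scan result carrying an oversized element, the condition this CVE-2019-3846 fix rejects, leaves nothing for an operator to find afterwards. A debug-mask-gated message before each return would make the rejection observable, for example `mwifiex_dbg(adapter, ERROR, "err: SSID IE too long (%d)\n", element_len);`. Each check would also benefit from a one-line comment naming the buffer it guards, such as `/* bss_entry->ssid.ssid holds at most IEEE80211_MAX_SSID_LEN bytes */`, assuming the destination arrays are declared with those bounds, which this page does not show. mwifiex_update_bss_desc_with_ie() starts and ends outside both hunks, so whether the other cases of the switch bound their copies cannot be confirmed from here.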
diff --git a/series.conf b/series.conf
index 61bd3727c1..bdfdf8a12b 100644
--- a/series.conf
+++ b/series.conf
@@ -48761,6 +48761,7 @@
patches.suse/x86-resctrl-don-t-stop-walking-closids-when-a-locksetup-group-is-found.patch
patches.suse/x86-resctrl-prevent-null-pointer-dereference-when-local-mbm-is-disabled.patch
patches.suse/x86-microcode-cpuhotplug-add-a-microcode-loader-cpu-hotplug-callback.patch
+ patches.suse/0001-mwifiex-Fix-possible-buffer-overflows-at-parsing-bss.patch
patches.suse/0001-mwifiex-Abort-at-too-short-BSS-descriptor-element.patch
patches.suse/iwlwifi-Fix-double-free-problems-in-iwl_req_fw_callb.patch
patches.suse/0001-mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch