From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov, Kalle Valo, Wen Huang, kbuild test robot
Date: Fri, 24 Apr 2020 00:03:49 +0100
Subject: [PATCH 3.16 002/245] libertas: Fix two buffer overflows at parsing bss descriptor

3.16.83-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Wen Huang

commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream.

add_ie_rates() copies rates without checking the length in the bss descriptor from the remote AP. When the victim connects to a remote attacker, this may trigger a buffer overflow.

lbs_ibss_join_existing() copies rates without checking the length in the bss descriptor from the remote IBSS node. When the victim connects to a remote attacker, this may trigger a buffer overflow.

Fix them by putting the length check before performing the copy.

This fix addresses CVE-2019-14896 and CVE-2019-14897.

This also fixes a build warning of mixed declarations and code.

Reported-by: kbuild test robot
Signed-off-by: Wen Huang
Signed-off-by: Kalle Valo
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings
---
 drivers/net/wireless/libertas/cfg.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/net/wireless/libertas/cfg.c
+++ b/drivers/net/wireless/libertas/cfg.c
@@ -272,6 +272,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int int hw, ap, ap_max = ie[1]; u8 hw_rate; + if (ap_max > MAX_RATES) { + lbs_deb_assoc("invalid rates\n"); + return tlv; + } /* Advance past IE header */ ie += 2;
@@ -1785,6 +1789,9 @@ static int lbs_ibss_join_existing(struct struct cmd_ds_802_11_ad_hoc_join cmd; u8 preamble = RADIO_PREAMBLE_SHORT; int ret = 0; + int hw, i; + u8 rates_max; + u8 *rates; lbs_deb_enter(LBS_DEB_CFG80211); @@ -1845,9 +1852,12 @@ static int lbs_ibss_join_existing(struct if (!rates_eid) { lbs_add_rates(cmd.bss.rates); } else { - int hw, i; - u8 rates_max = rates_eid[1]; - u8 *rates = cmd.bss.rates; + rates_max = rates_eid[1]; + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); + goto out; + } + rates = cmd.bss.rates; for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { u8 hw_rate = lbs_rates[hw].bitrate / 5; for (i = 0; i < rates_max; i++) {
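Review bot: in the add_ie_rates() hunk (`@@ -272,6 +272,10 @@`), rejecting an oversized element returns the unmodified `tlv` with only a debug message, so the caller receives a TLV with no rates added and cannot tell a rejected frame from an AP that advertised none; consider signalling the error to the caller, or at least documenting in a comment that an invalid Supported Rates IE is silently dropped. The placement of the check is right, since `ap_max = ie[1]` is taken straight from the peer's frame and must be bounded before it is used as a loop limit.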
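Review bot: in the first lbs_ibss_join_existing() hunk (`@@ -1785,6 +1789,9 @@`), `hw`, `i`, `rates_max` and `rates` are hoisted to function scope although they are only used inside the `else` branch; this is done to avoid the mixed-declarations warning once the length check sits between the old initialisers, but the same result with tighter scope comes from keeping the block-local declarations and placing the check after `u8 *rates = cmd.bss.rates;`. A one-line comment on why the declarations moved would help the next backporter.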
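Review bot: in the second lbs_ibss_join_existing() hunk (`@@ -1845,9 +1852,12 @@`), `goto out` on `rates_max > MAX_RATES` is taken with `ret` still at its initial value (`int ret = 0;` in the previous hunk's context), so as far as the visible lines show the function reports success to its caller without ever issuing the join command; set `ret = -EINVAL;` before the `goto out;`. Minor: `lbs_deb_join("invalid rates")` lacks the trailing `\n` that the matching `lbs_deb_assoc("invalid rates\n")` in add_ie_rates() has.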
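As an added example, not code from the libertas driver or from this patch, the following models the bug class the commit message describes: the length byte of a Supported Rates element received from the peer is used as a copy count into a fixed-size array. It goes one step beyond the patch by also checking that the length byte fits inside the bytes actually received, since a truncated element is the other way the same count can run past valid memory. The value MAX_RATES = 14, the hw_rates table and the sample frames are assumptions made for this example.

```c
/* Added example; not the driver's code. MAX_RATES = 14 is assumed here,
 * the patch does not show the driver's definition. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;

#define WLAN_EID_SUPP_RATES 1    /* IEEE 802.11 element ID: Supported Rates */
#define MAX_RATES           14   /* assumed capacity of the destination array */

/* Hypothetical hardware rate table, in 802.11 units of 500 kbit/s
 * (0x02 = 1 Mbit/s, 0x0b = 5.5, 0x16 = 11, 0x0c = 6, 0x6c = 54). */
static const u8 hw_rates[] = {
    0x02, 0x04, 0x0b, 0x16, 0x0c, 0x12, 0x18, 0x24, 0x30, 0x48, 0x60, 0x6c
};

/* Constructed frames, not captured traffic. */
static const u8 ie_benign[] = {      /* 8 rates: 1, 2, 5.5, 11 (basic), 6, 12, 24, 54 */
    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x18, 0x30, 0x6c
};
static const u8 ie_truncated[] = {   /* length byte 0xff, only two rate bytes present */
    0x01, 0xff, 0x82, 0x84
};

/* Bytes an unchecked copy of ie[1] entries into a MAX_RATES array would
 * write past its end. Computed rather than performed, so the example stays
 * defined behaviour while still showing the size of the overflow. */
size_t overflow_bytes_unchecked(const u8 *ie)
{
    size_t n = ie[1];
    return n > MAX_RATES ? n - MAX_RATES : 0;
}

/* Hardened parse: intersect the peer's advertised rates with hw_rates and
 * store the result in `rates` (capacity `rates_cap`).
 * Returns the number of rates stored, or -1 if the element is malformed. */
int parse_supp_rates(const u8 *ie, size_t ie_len, u8 *rates, size_t rates_cap)
{
    size_t n, i, hw, out = 0;

    if (ie_len < 2 || ie[0] != WLAN_EID_SUPP_RATES)
        return -1;
    n = ie[1];
    if (n + 2 > ie_len)      /* length byte claims more than the frame holds */
        return -1;
    if (n > rates_cap)       /* the check the patch adds: ie[1] is never a trusted count */
        return -1;

    for (hw = 0; hw < sizeof hw_rates; hw++) {
        for (i = 0; i < n; i++) {
            if ((ie[2 + i] & 0x7f) == hw_rates[hw]) {  /* bit 7 flags a basic rate */
                if (out == rates_cap)
                    return (int)out;
                rates[out++] = hw_rates[hw];
                break;
            }
        }
    }
    return (int)out;
}

int demo_benign(void)
{
    u8 rates[MAX_RATES];
    return parse_supp_rates(ie_benign, sizeof ie_benign, rates, MAX_RATES);
}

int demo_truncated(void)
{
    u8 rates[MAX_RATES];
    return parse_supp_rates(ie_truncated, sizeof ie_truncated, rates, MAX_RATES);
}

/* Length 32 with all 32 bytes really present: well-formed on the wire, still
 * more than MAX_RATES, so the length check alone is what stops the overflow. */
int demo_oversized(void)
{
    u8 frame[2 + 32];
    u8 rates[MAX_RATES];

    frame[0] = WLAN_EID_SUPP_RATES;
    frame[1] = 32;
    memset(frame + 2, 0x02, 32);
    return parse_supp_rates(frame, sizeof frame, rates, MAX_RATES);
}

int main(void)
{
    printf("benign IE: %d rates accepted\n", demo_benign());
    printf("truncated IE: parse result %d, unchecked copy would overrun by %zu bytes\n",
           demo_truncated(), overflow_bytes_unchecked(ie_truncated));
    printf("oversized IE: parse result %d\n", demo_oversized());
    return 0;
}
```

The two rejections are deliberately separate: `n + 2 > ie_len` catches an element whose length byte points past the received bytes (a read overrun), and `n > rates_cap` catches the case this patch fixes, where the element is complete but larger than the destination (a write overrun). Both are needed because a peer controls both the length byte and how many bytes follow it.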