[linux] 08/09: brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() (CVE-2016-8658)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Dec 1 00:23:47 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit 0f6c24a4f46d50ecc10d815bafc1e9a5490bdd4b
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Nov 30 20:51:02 2016 +0000
brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() (CVE-2016-8658)
---
debian/changelog | 2 ++
...stack-overflow-in-brcmf_cfg80211_start_ap.patch | 34 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 37 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index fe28ed0..fab542f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,8 @@ linux (3.16.36-1+deb8u3) UNRELEASED; urgency=medium
* block: fix use-after-free in seq file (CVE-2016-7910)
* block: fix use-after-free in sys_ioprio_get() (CVE-2016-7911)
* firewire: net: guard against rx buffer overflows (CVE-2016-8633)
+ * brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
+ (CVE-2016-8658)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 30 Nov 2016 04:06:41 +0000
diff --git a/debian/patches/bugfix/all/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch b/debian/patches/bugfix/all/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch
new file mode 100644
index 0000000..373fc1f
--- /dev/null
+++ b/debian/patches/bugfix/all/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch
@@ -0,0 +1,34 @@
+From: Arend Van Spriel <arend.vanspriel at broadcom.com>
+Date: Mon, 5 Sep 2016 10:45:47 +0100
+Subject: brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
+Origin: https://git.kernel.org/linus/ded89912156b1a47d940a0c954c43afbabd0c42c
+
+User-space can choose to omit NL80211_ATTR_SSID and only provide raw
+IE TLV data. When doing so it can provide SSID IE with length exceeding
+the allowed size. The driver further processes this IE copying it
+into a local variable without checking the length. Hence stack can be
+corrupted and used as exploit.
+
+Reported-by: Daxing Guo <freener.gdx at gmail.com>
+Reviewed-by: Hante Meuleman <hante.meuleman at broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts at broadcom.com>
+Reviewed-by: Franky Lin <franky.lin at broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel at broadcom.com>
+Signed-off-by: Kalle Valo <kvalo at codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+@@ -3822,7 +3822,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+ (u8 *)&settings->beacon.head[ie_offset],
+ settings->beacon.head_len - ie_offset,
+ WLAN_EID_SSID);
+- if (!ssid_ie)
++ if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
+ return -EINVAL;
+
+ memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
diff --git a/debian/patches/series b/debian/patches/series
index 346b7f0..19f9761 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -693,6 +693,7 @@ bugfix/all//posix_acl-clear-sgid-bit-when-setting-file-permissions.patch
bugfix/all/block-fix-use-after-free-in-seq-file.patch
bugfix/all/block-fix-use-after-free-in-sys_ioprio_get.patch
bugfix/all/firewire-net-guard-against-rx-buffer-overflows.patch
+bugfix/all/brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg80211_start_ap.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list