[linux] 04/04: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (CVE-2017-7541)

debian-kernel at lists.debian.org
Thu Jul 27 20:27:19 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit bf419af6882be703724afe5e7aef4fa45c7a6b99
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Jul 27 22:19:30 2017 +0200

    brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (CVE-2017-7541)
---
 debian/changelog                                   |  2 ++
 ...x-possible-buffer-overflow-in-brcmf_cfg80.patch | 42 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 45 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a1d92cb..92eff24 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ linux (3.16.43-2+deb8u3) UNRELEASED; urgency=medium
     vmw_gb_surface_define_ioctl() (CVE-2017-7346)
   * rxrpc: Fix several cases where a padded len isn't checked in ticket decode
     (CVE-2017-7482)
+  * brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
+    (CVE-2017-7541)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Thu, 27 Jul 2017 22:02:24 +0200
 
diff --git a/debian/patches/bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch b/debian/patches/bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
new file mode 100644
index 0000000..b2dc207
--- /dev/null
+++ b/debian/patches/bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
@@ -0,0 +1,42 @@
+From: Arend van Spriel <arend.vanspriel at broadcom.com>
+Date: Fri, 7 Jul 2017 21:09:06 +0100
+Subject: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/8f44c9a41386729fea410e688959ddaa9d51be7c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7541
+
+The lower level nl80211 code in cfg80211 ensures that "len" is between
+25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
+"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
+only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
+overflow.
+
+	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
+	       le16_to_cpu(action_frame->len));
+
+Cc: stable at vger.kernel.org # 3.9.x
+Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
+Reported-by: "freenerguo(郭大兴)" <freenerguo at tencent.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel at broadcom.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[carnil: backport for 3.16: adjust filename]
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+@@ -4119,6 +4119,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip
+ 		cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true,
+ 					GFP_KERNEL);
+ 	} else if (ieee80211_is_action(mgmt->frame_control)) {
++		if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) {
++			brcmf_err("invalid action frame length\n");
++			err = -EINVAL;
++			goto exit;
++		}
+ 		af_params = kzalloc(sizeof(*af_params), GFP_KERNEL);
+ 		if (af_params == NULL) {
+ 			brcmf_err("unable to allocate frame\n");
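Review bot: the new bound at the top of the action-frame branch is tight but not off by one: rejecting `len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN` means the largest accepted `len` yields `action_frame->len == BRCMF_FIL_ACTION_FRAME_SIZE` (1800), which exactly fills the `data[]` buffer the description says is overflowed by the 2280-byte maximum the nl80211 layer permits. Placing the check before `af_params = kzalloc(...)` also means the `goto exit` path has nothing to free, and `err = -EINVAL` is set explicitly rather than relying on an earlier value. One cosmetic point for the backport: the diffstat still names the upstream path `drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c` while the hunk headers correctly target `drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c`; quilt ignores the diffstat, so this does not affect application, but updating it would match the "[carnil: backport for 3.16: adjust filename]" note.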
diff --git a/debian/patches/series b/debian/patches/series
index 55a0722..d030e04 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -715,6 +715,7 @@ bugfix/all/mm-fix-new-crash-in-unmapped_area_topdown.patch
 bugfix/all/regulator-core-Fix-regualtor_ena_gpio_free-not-to-ac.patch
 bugfix/x86/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
 bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
+bugfix/all/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch
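Review bot: placement is right: the patch is appended after the other deb8u3 security fixes (the rxrpc entry just above it) and before the "# Fix ABI changes" section, and since the change only adds a length check inside a function body with no new symbols or structure changes, no ABI follow-up is needed.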

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git