[linux] 01/01: brcmfmac: add length check in brcmf_cfg80211_escan_handler() (CVE-2017-0786)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Mon Oct 9 19:45:59 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit c68c0840bc35702e2c4b2bfbcb590fdc707b6daa
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Mon Oct 9 21:09:15 2017 +0200
brcmfmac: add length check in brcmf_cfg80211_escan_handler() (CVE-2017-0786)
---
debian/changelog | 5 ++
...d-length-check-in-brcmf_cfg80211_escan_ha.patch | 72 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 78 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index a93294c..16eb4e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,12 @@
linux (4.13.4-2) UNRELEASED; urgency=medium
+ [ Ben Hutchings ]
* [armhf,arm64] thermal: Enable BCM2835_THERMAL as module (Closes: #877699)
+ [ Salvatore Bonaccorso ]
+ * brcmfmac: add length check in brcmf_cfg80211_escan_handler()
+ (CVE-2017-0786)
+
-- Ben Hutchings <ben at decadent.org.uk> Wed, 04 Oct 2017 23:14:54 +0100
linux (4.13.4-1) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch b/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
new file mode 100644
index 0000000..0ada348
--- /dev/null
+++ b/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
@@ -0,0 +1,72 @@
+From: Arend Van Spriel <arend.vanspriel at broadcom.com>
+Date: Tue, 12 Sep 2017 10:47:53 +0200
+Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler()
+Origin: https://git.kernel.org/linus/17df6453d4be17910456e99c5a85025aa1b7a246
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0786
+
+Upon handling the firmware notification for scans the length was
+checked properly and may result in corrupting kernel heap memory
+due to buffer overruns. This fix addresses CVE-2017-0786.
+
+Cc: stable at vger.kernel.org # v4.0.x
+Cc: Kevin Cernekee <cernekee at chromium.org>
+Reviewed-by: Hante Meuleman <hante.meuleman at broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts at broadcom.com>
+Reviewed-by: Franky Lin <franky.lin at broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel at broadcom.com>
+Signed-off-by: Kalle Valo <kvalo at codeaurora.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index aaed4ab503ad..26a0de371c26 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3162,6 +3162,7 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
+ struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
+ s32 status;
+ struct brcmf_escan_result_le *escan_result_le;
++ u32 escan_buflen;
+ struct brcmf_bss_info_le *bss_info_le;
+ struct brcmf_bss_info_le *bss = NULL;
+ u32 bi_length;
+@@ -3181,11 +3182,23 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
+
+ if (status == BRCMF_E_STATUS_PARTIAL) {
+ brcmf_dbg(SCAN, "ESCAN Partial result\n");
++ if (e->datalen < sizeof(*escan_result_le)) {
++ brcmf_err("invalid event data length\n");
++ goto exit;
++ }
+ escan_result_le = (struct brcmf_escan_result_le *) data;
+ if (!escan_result_le) {
+ brcmf_err("Invalid escan result (NULL pointer)\n");
+ goto exit;
+ }
++ escan_buflen = le32_to_cpu(escan_result_le->buflen);
++ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
++ escan_buflen > e->datalen ||
++ escan_buflen < sizeof(*escan_result_le)) {
++ brcmf_err("Invalid escan buffer length: %d\n",
++ escan_buflen);
++ goto exit;
++ }
+ if (le16_to_cpu(escan_result_le->bss_count) != 1) {
+ brcmf_err("Invalid bss_count %d: ignoring\n",
+ escan_result_le->bss_count);
+@@ -3202,9 +3215,8 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
+ }
+
+ bi_length = le32_to_cpu(bss_info_le->length);
+- if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
+- WL_ESCAN_RESULTS_FIXED_SIZE)) {
+- brcmf_err("Invalid bss_info length %d: ignoring\n",
++ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
++ brcmf_err("Ignoring invalid bss_info length: %d\n",
+ bi_length);
+ goto exit;
+ }
+--
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index c69216e..13d1986 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -119,6 +119,7 @@ bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
bugfix/all/fix-infoleak-in-waitid-2.patch
+bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list