authorDavid Chu <david.chu@mediatek.com>2018-08-06 18:39:15 -0700
committerMoyster <oysterized@gmail.com>2018-11-27 16:39:48 +0100
commitc8d53cd6e731efa326449ccc6292cac871d5ab60 (patch)
tree6c509c34d6f056370578215d1f542e8e3b0d4606 /drivers
parent68cd0ffd58c19350e772dd8e39793159c1e07a2d (diff)
Security Patch: WLAN Gen2: Security Vulnerability Issue 72312071
[Detail] Multiple Kernel Memory Corruption Issues in Mediatek cfg80211 Subsystem [Solution] In mtk_cfg80211_vendor_set_config the value num_buckets must be validated to ensure it is not greater than the size of the buckets array. CVE-2018-9395 Change-Id: If07b758108922dd12ac4eb5d93ce2eab0ce06dae Signed-off-by: Ben Fennema <fennema@google.com> Signed-off-by: Moyster <oysterized@gmail.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c6
-rw-r--r--drivers/misc/mediatek/connectivity/wlan/gen3/os/linux/gl_vendor.c6
2 files changed, 10 insertions, 2 deletions
diff --git a/drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c b/drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c
index d4c84297d..1c45387d2 100644
--- a/drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c
+++ b/drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c
@@ -242,6 +242,7 @@ int mtk_cfg80211_vendor_set_config(struct wiphy *wiphy, struct wireless_dev *wde
struct nlattr *pbucket, *pchannel;
UINT_32 len_basic, len_bucket, len_channel;
int i, j, k;
+ UINT_32 u4ArySize;
ASSERT(wiphy);
ASSERT(wdev);
@@ -268,7 +269,10 @@ int mtk_cfg80211_vendor_set_config(struct wiphy *wiphy, struct wireless_dev *wde
len_basic += NLA_ALIGN(attr[k]->nla_len);
break;
case GSCAN_ATTRIBUTE_NUM_BUCKETS:
- prWifiScanCmd->num_buckets = nla_get_u32(attr[k]);
+ u4ArySize = nla_get_u32(attr[k]);
+ prWifiScanCmd->num_buckets =
+ (u4ArySize <= GSCAN_MAX_BUCKETS)
+ ? u4ArySize : GSCAN_MAX_BUCKETS;
len_basic += NLA_ALIGN(attr[k]->nla_len);
DBGLOG(REQ, TRACE, "attr=0x%x, num_buckets=%d nla_len=%d, \r\n",
*(UINT_32 *) attr[k], prWifiScanCmd->num_buckets, attr[k]->nla_len);
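Review bot: The new code in the `GSCAN_ATTRIBUTE_NUM_BUCKETS` case silently clamps an out-of-range, userspace-supplied `num_buckets` to `GSCAN_MAX_BUCKETS` instead of rejecting the request; the gen3 hunk of this commit has the same pattern. A value above the array bound is a malformed request, and clamping leaves `num_buckets` disagreeing with whatever bucket attributes the caller actually sent, so the bucket-parsing code (outside this hunk — the function continues past it) has to be checked separately to confirm it never trusts the attribute count over the clamped value. Rejecting takes two lines, `if (u4ArySize > GSCAN_MAX_BUCKETS) return -EINVAL;` followed by `prWifiScanCmd->num_buckets = u4ArySize;`, routed through the function's existing error path if `prWifiScanCmd` has already been allocated at that point. The bound is only correct if `GSCAN_MAX_BUCKETS` equals the dimension of the bucket array inside `prWifiScanCmd`, which the hunk does not show; a comment such as `/* bound must match the bucket array size in the scan command struct */` would record that dependency. `u4ArySize` holds the requested count rather than an array size, so a name like `u4NumBuckets` would read more accurately.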
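--- a/drivers/misc/mediatek/connectivity/wlan/gen3/os/linux/gl_vendor.c
+++ b/drivers/misc/mediatek/connectivity/wlan/gen3/os/linux/gl_vendor.c
@@ -270,6 +270,7 @@ int mtk_cfg80211_vendor_set_config(struct wiphy *wiphy, struct wireless_dev *wde
 struct nlattr *pbucket, *pchannel;
 UINT_32 len_basic, len_bucket, len_channel;
 int i, j, k;
+ UINT_32 u4ArySize;
 static struct nla_policy policy[GSCAN_ATTRIBUTE_REPORT_EVENTS + 1] = {
 [GSCAN_ATTRIBUTE_NUM_BUCKETS] = {.type = NLA_U32},
 [GSCAN_ATTRIBUTE_BASE_PERIOD] = {.type = NLA_U32},
@@ -306,7 +307,10 @@ int mtk_cfg80211_vendor_set_config(struct wiphy *wiphy, struct wireless_dev *wde
 len_basic += NLA_ALIGN(attr[k]->nla_len);
 break;
 case GSCAN_ATTRIBUTE_NUM_BUCKETS:
- prWifiScanCmd->num_buckets = nla_get_u32(attr[k]);
+ u4ArySize = nla_get_u32(attr[k]);
+ prWifiScanCmd->num_buckets =
+ (u4ArySize <= GSCAN_MAX_BUCKETS)
+ ? u4ArySize : GSCAN_MAX_BUCKETS;
 len_basic += NLA_ALIGN(attr[k]->nla_len);
 DBGLOG(REQ, TRACE, "attr=0x%x, num_buckets=%d nla_len=%d\r\n",
 *(UINT_32 *) attr[k], prWifiScanCmd->num_buckets, attr[k]->nla_len);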