From c8d53cd6e731efa326449ccc6292cac871d5ab60 Mon Sep 17 00:00:00 2001
From: David Chu
Date: Mon, 6 Aug 2018 18:39:15 -0700
Subject: Security Patch: WLAN Gen2: Security Vulnerability Issue 72312071

[Detail]
Multiple Kernel Memory Corruption Issues in Mediatek cfg80211 Subsystem

[Solution]
In mtk_cfg80211_vendor_set_config the value num_buckets must be validated to ensure it is not greater than size of the buckets array.

CVE-2018-9395
Change-Id: If07b758108922dd12ac4eb5d93ce2eab0ce06dae
Signed-off-by: Ben Fennema
Signed-off-by: Moyster
---
 drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c | 6 +++++-
 drivers/misc/mediatek/connectivity/wlan/gen3/os/linux/gl_vendor.c | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c b/drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c
index d4c84297d..1c45387d2 100644
--- a/drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c
+++ b/drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c
@@ -242,6 +242,7 @@ int mtk_cfg80211_vendor_set_config(struct wiphy *wiphy, struct wireless_dev *wde
 	struct nlattr *pbucket, *pchannel;
 	UINT_32 len_basic, len_bucket, len_channel;
 	int i, j, k;
+	UINT_32 u4ArySize;
 
 	ASSERT(wiphy);
 	ASSERT(wdev);
@@ -268,7 +269,10 @@ int mtk_cfg80211_vendor_set_config(struct wiphy *wiphy, struct wireless_dev *wde
 			len_basic += NLA_ALIGN(attr[k]->nla_len);
 			break;
 		case GSCAN_ATTRIBUTE_NUM_BUCKETS:
-			prWifiScanCmd->num_buckets = nla_get_u32(attr[k]);
+			u4ArySize = nla_get_u32(attr[k]);
+			prWifiScanCmd->num_buckets =
+				(u4ArySize <= GSCAN_MAX_BUCKETS)
+				? u4ArySize : GSCAN_MAX_BUCKETS;
 			len_basic += NLA_ALIGN(attr[k]->nla_len);
 			DBGLOG(REQ, TRACE, "attr=0x%x, num_buckets=%d nla_len=%d, \r\n",
 			       *(UINT_32 *) attr[k], prWifiScanCmd->num_buckets, attr[k]->nla_len);
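Review bot: The new code silently clamps an out-of-range NUM_BUCKETS to GSCAN_MAX_BUCKETS instead of rejecting the request, so a caller who asked for more buckets gets a truncated scan with nothing but a TRACE-level log to show for it; I would fail the request explicitly: `u4ArySize = nla_get_u32(attr[k]);` / `if (u4ArySize > GSCAN_MAX_BUCKETS)` / `return -EINVAL; /* after whatever cleanup the function already does on a bad request */`. Rejecting rather than clamping also keeps num_buckets consistent with the nested bucket attributes parsed later, which this hunk does not show — if that loop is driven by the attribute stream rather than by num_buckets, the clamp alone would not bound it, so that path deserves a look. The bound assumes the bucket array inside prWifiScanCmd has exactly GSCAN_MAX_BUCKETS entries; a comment at the clamp stating that (or a BUILD_BUG_ON, if available here) would tie the constant to the array it protects, since the struct definition is not visible from the patch. Unlike the gen3 counterpart in this same patch, the gen2 declaration block shows no nla_policy, so whether attr[k] is guaranteed to hold at least 4 bytes before nla_get_u32() reads it cannot be confirmed from the hunk. mtk_cfg80211_vendor_set_config starts before and continues past this hunk.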
diff --git a/drivers/misc/mediatek/connectivity/wlan/gen3/os/linux/gl_vendor.c b/drivers/misc/mediatek/connectivity/wlan/gen3/os/linux/gl_vendor.c
index 81a4d0296..faebc4fbe 100644
--- a/drivers/misc/mediatek/connectivity/wlan/gen3/os/linux/gl_vendor.c
+++ b/drivers/misc/mediatek/connectivity/wlan/gen3/os/linux/gl_vendor.c
@@ -270,6 +270,7 @@ int mtk_cfg80211_vendor_set_config(struct wiphy *wiphy, struct wireless_dev *wde
 	struct nlattr *pbucket, *pchannel;
 	UINT_32 len_basic, len_bucket, len_channel;
 	int i, j, k;
+	UINT_32 u4ArySize;
 	static struct nla_policy policy[GSCAN_ATTRIBUTE_REPORT_EVENTS + 1] = {
 		[GSCAN_ATTRIBUTE_NUM_BUCKETS] = {.type = NLA_U32},
 		[GSCAN_ATTRIBUTE_BASE_PERIOD] = {.type = NLA_U32},
@@ -306,7 +307,10 @@ int mtk_cfg80211_vendor_set_config(struct wiphy *wiphy, struct wireless_dev *wde
 			len_basic += NLA_ALIGN(attr[k]->nla_len);
 			break;
 		case GSCAN_ATTRIBUTE_NUM_BUCKETS:
-			prWifiScanCmd->num_buckets = nla_get_u32(attr[k]);
+			u4ArySize = nla_get_u32(attr[k]);
+			prWifiScanCmd->num_buckets =
+				(u4ArySize <= GSCAN_MAX_BUCKETS)
+				? u4ArySize : GSCAN_MAX_BUCKETS;
 			len_basic += NLA_ALIGN(attr[k]->nla_len);
 			DBGLOG(REQ, TRACE, "attr=0x%x, num_buckets=%d nla_len=%d\r\n",
 			       *(UINT_32 *) attr[k], prWifiScanCmd->num_buckets, attr[k]->nla_len);
-- 
cgit v1.2.3
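Review bot: An oversized NUM_BUCKETS is quietly reduced to GSCAN_MAX_BUCKETS rather than reported, so userspace never learns its request was altered, and the later per-bucket parsing (outside this hunk) must be trusted to honor the clamped num_buckets rather than the attribute count; returning `-EINVAL` when `u4ArySize > GSCAN_MAX_BUCKETS` is the safer contract and matches the commit message's "must be validated". If clamping is the intended behavior, say so at the site, `/* clamp, not reject: at most GSCAN_MAX_BUCKETS fit in prWifiScanCmd */`, and log the clamped case above TRACE so the truncation is visible in the field. The four-line ternary could be the kernel's `min_t(UINT_32, u4ArySize, GSCAN_MAX_BUCKETS)` if linux/kernel.h is included in this file, which the hunk does not let me confirm. The nla_policy in the first hunk declares GSCAN_ATTRIBUTE_NUM_BUCKETS as NLA_U32, so the nla_get_u32() read itself looks length-checked, provided attr[] is produced by a nla_parse call that actually uses that policy. The enclosing function extends past both hunks.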