~kmously/ubuntu/+source/linux/+git/xenial:update-to-4.4.182

Last commit made on 2019-07-16
Get this branch:
git clone -b update-to-4.4.182 https://git.launchpad.net/~kmously/ubuntu/+source/linux/+git/xenial

Branch information

Name: update-to-4.4.182
Repository: lp:~kmously/ubuntu/+source/linux/+git/xenial

Recent commits

0508769... by Greg Kroah-Hartman <email address hidden>

Linux 4.4.182

BugLink: https://bugs.launchpad.net/bugs/1836665

Signed-off-by: Khalid Elmously <email address hidden>

a673505... by Takashi Iwai

mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()

A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
unconditionally, which may lead to either buffer overflow or read over
boundary.

This patch addresses the issues by checking the read size and the
destination size at each place more properly. Along with the fixes,
the patch cleans up the code slightly by introducing a temporary
variable for the token size, and unifies the error path with the
standard goto statement.

Reported-by: huangwen <email address hidden>
Signed-off-by: Takashi Iwai <email address hidden>
Signed-off-by: Kalle Valo <email address hidden>

CVE-2019-10126

(backported from commit 69ae4f6aac1578575126319d3f55550e7e440449)
[tyhicks: Backport to Xenial:
 - There's no need to adjust the WLAN_EID_VENDOR_SPECIFIC case due to
   missing commit bfc83ea196ad ("mwifiex: Fix skipped vendor specific
   IEs")
 - Adjust file path due to missing commit 277b024e5e3d ("mwifiex: move
   under marvell vendor directory")]
Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Connor Kuehl <email address hidden>
Acked-by: Kleber Souza <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

62c1ad8... by Takashi Iwai

mwifiex: Fix possible buffer overflows at parsing bss descriptor

mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
a couple places without checking the destination size. Since the
source is given from user-space, this may trigger a heap buffer
overflow.

Fix it by putting the length check before performing memcpy().

This fix addresses CVE-2019-3846.

Reported-by: huangwen <email address hidden>
Signed-off-by: Takashi Iwai <email address hidden>
Signed-off-by: Kalle Valo <email address hidden>

CVE-2019-3846

(backported from commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74)
[tyhicks: Adjust file path due to missing commit 277b024e5e3d ("mwifiex:
 move under marvell vendor directory")]
Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Connor Kuehl <email address hidden>
Acked-by: Kleber Souza <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
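
The two mwifiex commits above both describe adding length checks before memcpy() when parsing information elements. The following is an added user-space illustration of that pattern, not code from either patch or from the driver: `struct ie_slot`, `copy_ie()` and the sample byte arrays are hypothetical and constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_HDR_LEN 2                    /* 1-byte element ID + 1-byte length */

struct ie_slot {                        /* hypothetical fixed-size destination */
    uint8_t len;
    uint8_t data[32];
};

/* Copy the first element with ID `want` from the TLV buffer into `out`. */
static int copy_ie(const uint8_t *ies, size_t left, uint8_t want,
                   struct ie_slot *out)
{
    while (left >= IE_HDR_LEN) {
        size_t token_len = (size_t)ies[1] + IE_HDR_LEN;

        if (token_len > left)           /* read size: element overruns input */
            return -EINVAL;
        if (ies[0] == want) {
            if (ies[1] > sizeof(out->data)) /* destination size */
                return -EINVAL;
            memcpy(out->data, ies + IE_HDR_LEN, ies[1]);
            out->len = ies[1];
            return 0;
        }
        ies += token_len;
        left -= token_len;
    }
    return left ? -EINVAL : -ENOENT;    /* stray byte vs. clean end of buffer */
}

/* Constructed sample inputs. */
static const uint8_t sample_ok[] = { 0x00, 0x03, 'l', 'a', 'b',
                                     0x30, 0x02, 0x01, 0x00 };
static const uint8_t sample_truncated[] = { 0x30, 0x10, 0x01, 0x00 };
static const uint8_t sample_oversized[42] = { 0x30, 40 };

int main(void)
{
    struct ie_slot s;

    printf("ok=%d truncated=%d oversized=%d\n",
           copy_ie(sample_ok, sizeof(sample_ok), 0x30, &s),
           copy_ie(sample_truncated, sizeof(sample_truncated), 0x30, &s),
           copy_ie(sample_oversized, sizeof(sample_oversized), 0x30, &s));
    return 0;
}
```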

e5f23fc... by Kleber Sacilotto de Souza

UBUNTU: Ubuntu-4.4.0-155.182

Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

f592040... by Kleber Sacilotto de Souza

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1834918
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

ae2423b... by Kleber Sacilotto de Souza

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

e6f88b9... by Jiri Benc <email address hidden>

geneve: correctly handle ipv6.disable module parameter

BugLink: https://bugs.launchpad.net/bugs/1794232

When IPv6 is compiled but disabled at runtime, geneve_sock_add
returns -EAFNOSUPPORT. For metadata based tunnels, this causes
failure of the whole operation of bringing up the tunnel.

Ignore failure of IPv6 socket creation for metadata based tunnels
caused by IPv6 not being available.

This is the same fix as what commit d074bf960044 ("vxlan: correctly
handle ipv6.disable module parameter") is doing for vxlan.

Note there's also commit c0a47e44c098 ("geneve: should not call
rt6_lookup() when ipv6 was disabled") which fixes a similar issue
but for regular tunnels, while this patch is needed for metadata
based tunnels.

Signed-off-by: Jiri Benc <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(backported from commit cf1c9ccba7308e48a68fa77f476287d9d614e4c7)
[ niv: infra.mode omitted and remote.sa.sa_family == AF_INET6
  check retained to avoid pulling in lot of new infrastructure ]
Signed-off-by: Nivedita Singhvi <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

aa1acf5... by Daniel Dadap

scripts: override locale from environment when running recordmcount.pl

BugLink: https://bugs.launchpad.net/bugs/1828084

recordmcount.pl uses a set of regular expressions to parse the output of
objdump(1). However, if objdump(1) output is localized, it may not match
the regular expressions, thereby preventing recordmcount.pl from parsing
object files correctly.

In order to allow recordmcount.pl to function correctly regardless of the
current locale settings, set LANG=C when running objdump(1). LC_ALL is
already unset in the top-level Makefile, so it is not necessary to also
override that environment variable.

Signed-off-by: Daniel Dadap <email address hidden>
Reviewed-by: Robert Morell <email address hidden>
Signed-off-by: Masahiro Yamada <email address hidden>
(cherry picked from commit e46b94d228458aefc2553ee7c34ab18c2e3288e3)
Signed-off-by: Kai-Heng Feng <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

b05c821... by Christian Brauner

sysctl: handle overflow in proc_get_long

BugLink: https://bugs.launchpad.net/bugs/1833935

proc_get_long() is a funny function. It uses simple_strtoul() and for a
good reason. proc_get_long() wants to always succeed the parse and
return the maybe incorrect value and the trailing characters to check
against a pre-defined list of acceptable trailing values. However,
simple_strtoul() explicitly ignores overflows which can cause funny
things like the following to happen:

  echo 18446744073709551616 > /proc/sys/fs/file-max
  cat /proc/sys/fs/file-max
  0

(Which will cause your system to silently die behind your back.)

On the other hand kstrtoul() does do overflow detection but does not
return the trailing characters, and also fails the parse when anything
other than '\n' is a trailing character whereas proc_get_long() wants to
be more lenient.

Now, before adding another kstrtoul() function let's simply add a static
parse strtoul_lenient() which:
 - fails on overflow with -ERANGE
 - returns the trailing characters to the caller

The reason why we should fail on ERANGE is that we already do a partial
fail on overflow right now. Namely, when the TMPBUFLEN is exceeded. So
we already reject values such as 184467440737095516160 (21 chars) but
accept values such as 18446744073709551616 (20 chars) but both are
overflows. So we should just always reject 64bit overflows and not
special-case this based on the number of chars.

Link: http://<email address hidden>
Signed-off-by: Christian Brauner <email address hidden>
Acked-by: Kees Cook <email address hidden>
Cc: "Eric W. Biederman" <email address hidden>
Cc: Luis Chamberlain <email address hidden>
Cc: Joe Lawrence <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Dominik Brodowski <email address hidden>
Cc: Al Viro <email address hidden>
Cc: Alexey Dobriyan <email address hidden>
Signed-off-by: Andrew Morton <email address hidden>
Signed-off-by: Linus Torvalds <email address hidden>
(backported from commit 7f2923c4f73f21cfd714d12a2d48de8c21f11cfe)
[PHLin: Content adjustment for the headers section]
Signed-off-by: Po-Hsu Lin <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
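
The parsing behaviour described in the sysctl commit above, as an added user-space sketch that is not the kernel's code: `parse_wrapping()` models a parse that ignores overflow, and `parse_lenient()` models one that fails with -ERANGE while still handing back the trailing characters. Both function names are hypothetical, and `uint64_t` stands in for a 64-bit unsigned long.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Overflow-ignoring parse: the accumulator silently wraps modulo 2^64. */
static uint64_t parse_wrapping(const char *s, const char **endp)
{
    uint64_t v = 0;

    while (*s >= '0' && *s <= '9')
        v = v * 10 + (uint64_t)(*s++ - '0');
    if (endp)
        *endp = s;
    return v;
}

/* Lenient parse: accepts trailing characters and returns a pointer to
 * them, but rejects any value that does not fit in 64 bits. */
static int parse_lenient(const char *s, const char **endp, uint64_t *res)
{
    const char *p = s;
    uint64_t v = 0;

    while (*p >= '0' && *p <= '9') {
        uint64_t d = (uint64_t)(*p - '0');

        if (v > (UINT64_MAX - d) / 10)  /* v * 10 + d would overflow */
            return -ERANGE;
        v = v * 10 + d;
        p++;
    }
    if (p == s)
        return -EINVAL;                 /* no digits at all */
    if (endp)
        *endp = p;
    if (res)
        *res = v;
    return 0;
}

int main(void)
{
    const char *in = "18446744073709551616";    /* 2^64, from the commit text */

    printf("wrapping: %llu\n",
           (unsigned long long)parse_wrapping(in, NULL));
    printf("lenient rc: %d\n", parse_lenient(in, NULL, NULL));
    return 0;
}
```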

edd6380... by Greg Kroah-Hartman <email address hidden>

Linux 4.4.181

BugLink: https://bugs.launchpad.net/bugs/1832661

Signed-off-by: Khalid Elmously <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>