[SRU E/D/B/X 0/3] Multiple buffer overflows in Marvell driver


Stefan Bader-2
Multiple buffer overflows have been found and fixed in the Marvell
wireless driver. For Xenial the main change is that the Marvell driver
does not yet have its own subdirectory. So all paths had to be adjusted.

-Stefan

Wen Huang (2):
  mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
  libertas: Fix two buffer overflows at parsing bss descriptor

wangqize (1):
  mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()

 drivers/net/wireless/marvell/libertas/cfg.c   |  8 +++
 .../net/wireless/marvell/mwifiex/sta_ioctl.c  |  3 +-
 drivers/net/wireless/marvell/mwifiex/tdls.c   | 70 +++++++++++++++++--
 3 files changed, 74 insertions(+), 7 deletions(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[PATCH E/D/B 1/3] UBUNTU: SAUCE: mwifiex: fix possible heap overflow in mwifiex_process_country_ie()

Stefan Bader-2
From: Wen Huang <[hidden email]>

mwifiex_process_country_ie() function parses elements of bss
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
element, there is no upper limit check for country_ie_len before
calling memcpy. The destination buffer domain_info->triplet is an
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
attacker can build a fake AP with the same ssid as real AP, and
send malicious beacon packet with long WLAN_EID_COUNTRY element
(country_ie_len > 83). Attacker can force STA connect to fake AP
on a different channel. When the victim STA connects to fake AP,
will trigger the heap buffer overflow. Fix this by checking for
length and if found invalid, do not connect to the AP.

This fix addresses CVE-2019-14895.

Reported-by: huangwen <[hidden email]>
Signed-off-by: Ganapathi Bhat <[hidden email]>

CVE-2019-14895

(cherry picked from https://patchwork.kernel.org/patch/11256477/)
Signed-off-by: Stefan Bader <[hidden email]>
---
 drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
index 72b5dfdda668..97bc7b616c38 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -229,6 +229,13 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv,
     "11D: skip setting domain info in FW\n");
  return 0;
  }
+
+ if (country_ie_len >
+    (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
+ mwifiex_dbg(priv->adapter, ERROR,
+    "11D: country_ie_len overflow!, deauth AP\n");
+ return -EINVAL;
+ }
  memcpy(priv->adapter->country_code, &country_ie[2], 2);
 
  domain_info->country_code[0] = country_ie[2];
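Review bot: the new return -EINVAL placed above the first memcpy is an extra exit from mwifiex_process_country_ie(), and the three context lines do not show whether the earlier return 0 path releases anything (a lock or an RCU read section) before it returns. Please confirm that this exit does the same cleanup. A one-line comment on why the limit is IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D would also help, since the commit message quotes 83 on its own.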
@@ -272,8 +279,9 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
  priv->scan_block = false;
 
  if (bss) {
- if (adapter->region_code == 0x00)
- mwifiex_process_country_ie(priv, bss);
+ if (adapter->region_code == 0x00 &&
+    mwifiex_process_country_ie(priv, bss))
+ return -EINVAL;
 
  /* Allocate and fill new bss descriptor */
  bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
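Review bot: in mwifiex_bss_start() the callee's result is only tested for non-zero and then replaced by a hard-coded -EINVAL, so any other error mwifiex_process_country_ie() can return is reported as an invalid argument. Storing the result in a local and returning it when non-zero keeps the real code, and it moves a call with side effects out of the && condition.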
--
2.17.1



[PATCH E/D/B 2/3] UBUNTU: SAUCE: libertas: Fix two buffer overflows at parsing bss descriptor

Stefan Bader-2
In reply to this post by Stefan Bader-2
From: Wen Huang <[hidden email]>

add_ie_rates() copies rates without checking the length
in bss descriptor from remote AP. When victim connects to
remote attacker, this may trigger buffer overflow.
lbs_ibss_join_existing() copies rates without checking the length
in bss descriptor from remote IBSS node. When victim connects to
remote attacker, this may trigger buffer overflow.
Fix them by putting the length check before performing copy.

This fix addresses CVE-2019-14896 and CVE-2019-14897.

Signed-off-by: Wen Huang <[hidden email]>

CVE-2019-14896
CVE-2019-14897

(cherry picked from https://patchwork.kernel.org/patch/11257187/)
Signed-off-by: Stefan Bader <[hidden email]>
---
 drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
index 57edfada0665..290280764884 100644
--- a/drivers/net/wireless/marvell/libertas/cfg.c
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int *nrates)
  int hw, ap, ap_max = ie[1];
  u8 hw_rate;
 
+ if (ap_max > MAX_RATES) {
+ lbs_deb_assoc("invalid rates\n");
+ return tlv;
+ }
  /* Advance past IE header */
  ie += 2;
 
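Review bot: when ap_max exceeds MAX_RATES, add_ie_rates() returns tlv unchanged and never writes *nrates, so the caller cannot tell a rejected rates IE from one that was processed. Either set *nrates = 0 on this path or give the caller an explicit error to act on.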
@@ -1777,6 +1781,10 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
  } else {
  int hw, i;
  u8 rates_max = rates_eid[1];
+ if (rates_max > MAX_RATES) {
+ lbs_deb_join("invalid rates");
+ goto out;
+ }
  u8 *rates = cmd.bss.rates;
  for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
  u8 hw_rate = lbs_rates[hw].bitrate / 5;
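Review bot: the rates_max check in lbs_ibss_join_existing() jumps to out without assigning an error code, so unless the function's return variable already holds a failure at this point, the join is reported as successful even though it was abandoned. Set the return value (for example to -EINVAL) before goto out. The debug string also lacks the trailing \n that the add_ie_rates() message has.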
--
2.17.1



[PATCH E/D/B 3/3] UBUNTU: SAUCE: mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()

Stefan Bader-2
In reply to this post by Stefan Bader-2
From: qize wang <[hidden email]>

mwifiex_process_tdls_action_frame() without checking
the incoming tdls information element's validity before using it,
this may cause multi heap buffer overflows.

Fix them by putting validity check before using it.

Signed-off-by: qize wang <[hidden email]>

CVE-2019-14901

(cherry picked from https://patchwork.kernel.org/patch/11257535/)
Signed-off-by: Stefan Bader <[hidden email]>
---
 drivers/net/wireless/marvell/mwifiex/tdls.c | 70 +++++++++++++++++++--
 1 file changed, 64 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
index 18e654dc34c6..7f60214852c0 100644
--- a/drivers/net/wireless/marvell/mwifiex/tdls.c
+++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
@@ -954,59 +954,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
 
  switch (*pos) {
  case WLAN_EID_SUPP_RATES:
+ if (pos[1] > 32)
+ return;
  sta_ptr->tdls_cap.rates_len = pos[1];
  for (i = 0; i < pos[1]; i++)
  sta_ptr->tdls_cap.rates[i] = pos[i + 2];
  break;
 
  case WLAN_EID_EXT_SUPP_RATES:
+ if (pos[1] > 32)
+ return;
  basic = sta_ptr->tdls_cap.rates_len;
+ if (pos[1] > 32 - basic)
+ return;
  for (i = 0; i < pos[1]; i++)
  sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
  sta_ptr->tdls_cap.rates_len += pos[1];
  break;
  case WLAN_EID_HT_CAPABILITY:
- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
+ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
+ return;
+ if (pos[1] != sizeof(struct ieee80211_ht_cap))
+ return;
+ /* copy the ie's value into ht_capb*/
+ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
        sizeof(struct ieee80211_ht_cap));
  sta_ptr->is_11n_enabled = 1;
  break;
  case WLAN_EID_HT_OPERATION:
- memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
+ if (pos > end -
+    sizeof(struct ieee80211_ht_operation) - 2)
+ return;
+ if (pos[1] != sizeof(struct ieee80211_ht_operation))
+ return;
+ /* copy the ie's value into ht_oper*/
+ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
        sizeof(struct ieee80211_ht_operation));
  break;
  case WLAN_EID_BSS_COEX_2040:
+ if (pos > end - 3)
+ return;
+ if (pos[1] != 1)
+ return;
  sta_ptr->tdls_cap.coex_2040 = pos[2];
  break;
  case WLAN_EID_EXT_CAPABILITY:
+ if (pos > end - sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] < sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] > 8)
+ return;
  memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
        sizeof(struct ieee_types_header) +
        min_t(u8, pos[1], 8));
  break;
  case WLAN_EID_RSN:
+ if (pos > end - sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] < sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] > IEEE_MAX_IE_SIZE -
+    sizeof(struct ieee_types_header))
+ return;
  memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
        sizeof(struct ieee_types_header) +
        min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
      sizeof(struct ieee_types_header)));
  break;
  case WLAN_EID_QOS_CAPA:
+ if (pos > end - 3)
+ return;
+ if (pos[1] != 1)
+ return;
  sta_ptr->tdls_cap.qos_info = pos[2];
  break;
  case WLAN_EID_VHT_OPERATION:
- if (priv->adapter->is_hw_11ac_capable)
- memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
+ if (priv->adapter->is_hw_11ac_capable) {
+ if (pos > end -
+    sizeof(struct ieee80211_vht_operation) - 2)
+ return;
+ if (pos[1] !=
+    sizeof(struct ieee80211_vht_operation))
+ return;
+ /* copy the ie's value into vhtoper*/
+ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
        sizeof(struct ieee80211_vht_operation));
+ }
  break;
  case WLAN_EID_VHT_CAPABILITY:
  if (priv->adapter->is_hw_11ac_capable) {
- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
+ if (pos > end -
+    sizeof(struct ieee80211_vht_cap) - 2)
+ return;
+ if (pos[1] != sizeof(struct ieee80211_vht_cap))
+ return;
+ /* copy the ie's value into vhtcap*/
+ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
        sizeof(struct ieee80211_vht_cap));
  sta_ptr->is_11ac_enabled = 1;
  }
  break;
  case WLAN_EID_AID:
- if (priv->adapter->is_hw_11ac_capable)
+ if (priv->adapter->is_hw_11ac_capable) {
+ if (pos > end - 4)
+ return;
+ if (pos[1] != 2)
+ return;
  sta_ptr->tdls_cap.aid =
  get_unaligned_le16((pos + 2));
+ }
+ break;
  default:
  break;
  }
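Review bot: in the WLAN_EID_EXT_CAPABILITY and WLAN_EID_RSN cases the test pos > end - sizeof(struct ieee_types_header) only proves that the two header bytes lie inside the frame, yet the memcpy that follows reads the header plus pos[1] more bytes. The two rates cases likewise index pos[i + 2] with no comparison against end. If the enclosing loop, which is not visible in this hunk, already guarantees pos + 2 + pos[1] <= end, the per-case end checks are redundant; if it does not, these cases can still read past the frame. The pos[1] < sizeof(struct ieee_types_header) rejection of 0- and 1-byte bodies needs a word of explanation, and with the new upper bounds in place the min_t() clamps can no longer take effect.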
--
2.17.1
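
The validity checks this patch adds, gathered into one userspace model (an added example, not part of the posted patch or of the mwifiex driver): each element is checked once against the end of the frame, then against its destination, and is copied from the value or from the header depending on what the destination stores. The names parse_ies, peer_caps, put_ie and parse_one and the constant HT_CAP_LEN are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model, not driver code. Element IDs follow 802.11; the limits mirror
 * the patch (32 rates, 8 extcap bytes). HT_CAP_LEN is an assumed stand-in. */
enum { EID_SUPP_RATES = 1, EID_HT_CAPABILITY = 45, EID_EXT_CAPABILITY = 127 };
#define MAX_RATES   32
#define HT_CAP_LEN  26  /* stands in for sizeof(struct ieee80211_ht_cap) */
#define EXT_CAP_MAX 8
#define IE_HDR_LEN  2   /* id byte + length byte */

struct peer_caps {
	uint8_t rates[MAX_RATES];
	uint8_t rates_len;
	uint8_t ht_cap[HT_CAP_LEN];               /* value only: copy from ie + 2 */
	uint8_t extcap[IE_HDR_LEN + EXT_CAP_MAX]; /* header + value: copy from ie */
};

/* Walk id/len/value elements. Returns 0, or -1 on the first bad element. */
int parse_ies(const uint8_t *buf, size_t len, struct peer_caps *caps)
{
	size_t off = 0;

	memset(caps, 0, sizeof(*caps));
	while (off < len) {
		const uint8_t *ie = buf + off;
		size_t vlen;

		if (len - off < IE_HDR_LEN)
			return -1;           /* header itself is truncated */
		vlen = ie[1];
		if (len - off - IE_HDR_LEN < vlen)
			return -1;           /* claimed value runs past the frame */
		switch (ie[0]) {
		case EID_SUPP_RATES:         /* variable size, bounded by dest */
			if (vlen > MAX_RATES)
				return -1;
			memcpy(caps->rates, ie + IE_HDR_LEN, vlen);
			caps->rates_len = (uint8_t)vlen;
			break;
		case EID_HT_CAPABILITY:      /* fixed size, must match exactly */
			if (vlen != HT_CAP_LEN)
				return -1;
			memcpy(caps->ht_cap, ie + IE_HDR_LEN, HT_CAP_LEN);
			break;
		case EID_EXT_CAPABILITY:     /* dest stores the header as well */
			if (vlen > EXT_CAP_MAX)
				return -1;
			memcpy(caps->extcap, ie, IE_HDR_LEN + vlen);
			break;
		default:
			break;
		}
		off += IE_HDR_LEN + vlen;
	}
	return 0;
}

/* Constructed input: length byte says `claimed`, `actual` value bytes follow. */
static size_t put_ie(uint8_t *buf, size_t off, uint8_t id, uint8_t claimed,
		     size_t actual)
{
	buf[off++] = id;
	buf[off++] = claimed;
	for (size_t i = 0; i < actual; i++)
		buf[off++] = (uint8_t)(0x10 + i);   /* value bytes 0x10, 0x11, ... */
	return off;
}

/* 1 if a well-formed frame parses and every field holds what it should. */
int check_wellformed(void)
{
	uint8_t buf[64];
	struct peer_caps caps;
	size_t n = put_ie(buf, 0, EID_SUPP_RATES, 4, 4);

	n = put_ie(buf, n, EID_HT_CAPABILITY, HT_CAP_LEN, HT_CAP_LEN);
	n = put_ie(buf, n, EID_EXT_CAPABILITY, 3, 3);
	return parse_ies(buf, n, &caps) == 0 && caps.rates_len == 4 &&
	       caps.ht_cap[0] == 0x10 &&     /* first value byte, not the id */
	       caps.extcap[0] == EID_EXT_CAPABILITY && caps.extcap[1] == 3 &&
	       caps.extcap[4] == 0x12;
}

/* Parse a single constructed element and return parse_ies()'s verdict. */
int parse_one(uint8_t id, uint8_t claimed, size_t actual)
{
	uint8_t buf[300];
	struct peer_caps caps;

	return parse_ies(buf, put_ie(buf, 0, id, claimed, actual), &caps);
}

int main(void)
{
	printf("wellformed=%d rates40=%d ht_cut=%d ht_size20=%d\n",
	       check_wellformed(), parse_one(EID_SUPP_RATES, 40, 40),
	       parse_one(EID_HT_CAPABILITY, HT_CAP_LEN, 10),
	       parse_one(EID_HT_CAPABILITY, 20, 20));
	return 0;
}
```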



[PATCH X 1/3] UBUNTU: SAUCE: mwifiex: fix possible heap overflow in mwifiex_process_country_ie()

Stefan Bader-2
In reply to this post by Stefan Bader-2
From: Wen Huang <[hidden email]>

mwifiex_process_country_ie() function parses elements of bss
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
element, there is no upper limit check for country_ie_len before
calling memcpy. The destination buffer domain_info->triplet is an
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
attacker can build a fake AP with the same ssid as real AP, and
send malicious beacon packet with long WLAN_EID_COUNTRY element
(country_ie_len > 83). Attacker can force STA connect to fake AP
on a different channel. When the victim STA connects to fake AP,
will trigger the heap buffer overflow. Fix this by checking for
length and if found invalid, do not connect to the AP.

This fix addresses CVE-2019-14895.

Reported-by: huangwen <[hidden email]>
Signed-off-by: Ganapathi Bhat <[hidden email]>

CVE-2019-14895

(backported from https://patchwork.kernel.org/patch/11256477/)
[smb: drop marvell subdirectory from path]
Signed-off-by: Stefan Bader <[hidden email]>
---
 drivers/net/wireless/mwifiex/sta_ioctl.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
index abe195974d79..7c730aa3354d 100644
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -231,6 +231,13 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv,
     "11D: skip setting domain info in FW\n");
  return 0;
  }
+
+ if (country_ie_len >
+    (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
+ mwifiex_dbg(priv->adapter, ERROR,
+    "11D: country_ie_len overflow!, deauth AP\n");
+ return -EINVAL;
+ }
  memcpy(priv->adapter->country_code, &country_ie[2], 2);
 
  domain_info->country_code[0] = country_ie[2];
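Review bot: the log text "11D: country_ie_len overflow!, deauth AP" promises a deauthentication that this function does not perform; the hunk only returns -EINVAL. A message that states the offending country_ie_len and says the connection is refused would describe what happens and help triage. Since the commit message says a fake AP's beacon can reach this line, also consider whether ERROR is the right level for it.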
@@ -274,8 +281,9 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss,
  priv->scan_block = false;
 
  if (bss) {
- if (adapter->region_code == 0x00)
- mwifiex_process_country_ie(priv, bss);
+ if (adapter->region_code == 0x00 &&
+    mwifiex_process_country_ie(priv, bss))
+ return -EINVAL;
 
  /* Allocate and fill new bss descriptor */
  bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
--
2.17.1



[PATCH X 2/3] UBUNTU: SAUCE: libertas: Fix two buffer overflows at parsing bss descriptor

Stefan Bader-2
In reply to this post by Stefan Bader-2
From: Wen Huang <[hidden email]>

add_ie_rates() copies rates without checking the length
in bss descriptor from remote AP. When victim connects to
remote attacker, this may trigger buffer overflow.
lbs_ibss_join_existing() copies rates without checking the length
in bss descriptor from remote IBSS node. When victim connects to
remote attacker, this may trigger buffer overflow.
Fix them by putting the length check before performing copy.

This fix addresses CVE-2019-14896 and CVE-2019-14897.

Signed-off-by: Wen Huang <[hidden email]>

CVE-2019-14896
CVE-2019-14897

(backported from https://patchwork.kernel.org/patch/11257187/)
[smb: drop marvell subdirectory from path]
Signed-off-by: Stefan Bader <[hidden email]>
---
 drivers/net/wireless/libertas/cfg.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/libertas/cfg.c b/drivers/net/wireless/libertas/cfg.c
index 8317afd065b4..0787b1a309b5 100644
--- a/drivers/net/wireless/libertas/cfg.c
+++ b/drivers/net/wireless/libertas/cfg.c
@@ -272,6 +272,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int *nrates)
  int hw, ap, ap_max = ie[1];
  u8 hw_rate;
 
+ if (ap_max > MAX_RATES) {
+ lbs_deb_assoc("invalid rates\n");
+ return tlv;
+ }
  /* Advance past IE header */
  ie += 2;
 
@@ -1845,6 +1849,10 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
  } else {
  int hw, i;
  u8 rates_max = rates_eid[1];
+ if (rates_max > MAX_RATES) {
+ lbs_deb_join("invalid rates");
+ goto out;
+ }
  u8 *rates = cmd.bss.rates;
  for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
  u8 hw_rate = lbs_rates[hw].bitrate / 5;
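Review bot: the new if block sits between the declaration of rates_max and the declaration u8 *rates = cmd.bss.rates;, which leaves a declaration after a statement. Kernel builds warn on that (-Wdeclaration-after-statement); move the check below the rates declaration.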
--
2.17.1



[PATCH X 3/3] UBUNTU: SAUCE: mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()

Stefan Bader-2
In reply to this post by Stefan Bader-2
From: qize wang <[hidden email]>

mwifiex_process_tdls_action_frame() without checking
the incoming tdls information element's validity before using it,
this may cause multi heap buffer overflows.

Fix them by putting validity check before using it.

Signed-off-by: qize wang <[hidden email]>

(backported from https://patchwork.kernel.org/patch/11257535/)
[smb: drop marvell subdirectory from path, plus manual context
      adjustments]
Signed-off-by: Stefan Bader <[hidden email]>
---
 drivers/net/wireless/mwifiex/tdls.c | 69 ++++++++++++++++++++++++++---
 1 file changed, 63 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/mwifiex/tdls.c b/drivers/net/wireless/mwifiex/tdls.c
index 9275f9c3f869..de59251158ad 100644
--- a/drivers/net/wireless/mwifiex/tdls.c
+++ b/drivers/net/wireless/mwifiex/tdls.c
@@ -910,59 +910,116 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
 
  switch (*pos) {
  case WLAN_EID_SUPP_RATES:
+ if (pos[1] > 32)
+ return;
  sta_ptr->tdls_cap.rates_len = pos[1];
  for (i = 0; i < pos[1]; i++)
  sta_ptr->tdls_cap.rates[i] = pos[i + 2];
  break;
 
  case WLAN_EID_EXT_SUPP_RATES:
+ if (pos[1] > 32)
+ return;
  basic = sta_ptr->tdls_cap.rates_len;
+ if (pos[1] > 32 - basic)
+ return;
  for (i = 0; i < pos[1]; i++)
  sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
  sta_ptr->tdls_cap.rates_len += pos[1];
  break;
  case WLAN_EID_HT_CAPABILITY:
- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
+ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
+ return;
+ if (pos[1] != sizeof(struct ieee80211_ht_cap))
+ return;
+ /* copy the ie's value into ht_capb*/
+ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
        sizeof(struct ieee80211_ht_cap));
  sta_ptr->is_11n_enabled = 1;
  break;
  case WLAN_EID_HT_OPERATION:
- memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
+ if (pos > end -
+    sizeof(struct ieee80211_ht_operation) - 2)
+ return;
+ if (pos[1] != sizeof(struct ieee80211_ht_operation))
+ return;
+ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
        sizeof(struct ieee80211_ht_operation));
  break;
  case WLAN_EID_BSS_COEX_2040:
+ if (pos > end - 3)
+ return;
+ if (pos[1] != 1)
+ return;
  sta_ptr->tdls_cap.coex_2040 = pos[2];
  break;
  case WLAN_EID_EXT_CAPABILITY:
+ if (pos > end - sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] < sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] > 8)
+ return;
  memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
        sizeof(struct ieee_types_header) +
        min_t(u8, pos[1], 8));
  break;
  case WLAN_EID_RSN:
+ if (pos > end - sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] < sizeof(struct ieee_types_header))
+ return;
+ if (pos[1] > IEEE_MAX_IE_SIZE -
+    sizeof(struct ieee_types_header))
+ return;
  memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
        sizeof(struct ieee_types_header) +
        min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
      sizeof(struct ieee_types_header)));
  break;
  case WLAN_EID_QOS_CAPA:
+ if (pos > end - 3)
+ return;
+ if (pos[1] != 1)
+ return;
  sta_ptr->tdls_cap.qos_info = pos[2];
  break;
  case WLAN_EID_VHT_OPERATION:
- if (priv->adapter->is_hw_11ac_capable)
- memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
+ if (priv->adapter->is_hw_11ac_capable) {
+ if (pos > end -
+    sizeof(struct ieee80211_vht_operation) - 2)
+ return;
+ if (pos[1] !=
+    sizeof(struct ieee80211_vht_operation))
+ return;
+ /* copy the ie's value into vhtoper*/
+ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
        sizeof(struct ieee80211_vht_operation));
+ }
  break;
  case WLAN_EID_VHT_CAPABILITY:
  if (priv->adapter->is_hw_11ac_capable) {
- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
+ if (pos > end -
+    sizeof(struct ieee80211_vht_cap) - 2)
+ return;
+ if (pos[1] != sizeof(struct ieee80211_vht_cap))
+ return;
+ /* copy the ie's value into vhtcap*/
+ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
        sizeof(struct ieee80211_vht_cap));
  sta_ptr->is_11ac_enabled = 1;
  }
  break;
  case WLAN_EID_AID:
- if (priv->adapter->is_hw_11ac_capable)
+ if (priv->adapter->is_hw_11ac_capable) {
+ if (pos > end - 4)
+ return;
+ if (pos[1] != 2)
+ return;
  sta_ptr->tdls_cap.aid =
       le16_to_cpu(*(__le16 *)(pos + 2));
+ }
+ break;
  default:
  break;
  }
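Review bot: the WLAN_EID_AID case keeps le16_to_cpu(*(__le16 *)(pos + 2)), which casts a byte pointer into the frame to a 16-bit type, so the load can be unaligned. The E/D/B version of this hunk reads the same field with get_unaligned_le16((pos + 2)); use that here too if the helper is available in the Xenial tree. This backport also drops the "copy the ie's value into ht_oper" comment in the WLAN_EID_HT_OPERATION case that the other version carries.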
--
2.17.1



Re: [PATCH X 3/3] UBUNTU: SAUCE: mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()

Kleber Souza
On 26.11.19 09:39, Stefan Bader wrote:
> From: qize wang <[hidden email]>
>
> mwifiex_process_tdls_action_frame() without checking
> the incoming tdls information element's validity before using it,
> this may cause multi heap buffer overflows.
>
> Fix them by putting validity check before using it.
>
> Signed-off-by: qize wang <[hidden email]>

CVE-2019-14901

>
> (backported from https://patchwork.kernel.org/patch/11257535/)
> [smb: drop marvell subdirectory from path, plus manual context
>       adjustments]
> Signed-off-by: Stefan Bader <[hidden email]>
> ---
>  drivers/net/wireless/mwifiex/tdls.c | 69 ++++++++++++++++++++++++++---
>  1 file changed, 63 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/net/wireless/mwifiex/tdls.c b/drivers/net/wireless/mwifiex/tdls.c
> index 9275f9c3f869..de59251158ad 100644
> --- a/drivers/net/wireless/mwifiex/tdls.c
> +++ b/drivers/net/wireless/mwifiex/tdls.c
> @@ -910,59 +910,116 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
>  
>   switch (*pos) {
>   case WLAN_EID_SUPP_RATES:
> + if (pos[1] > 32)
> + return;
>   sta_ptr->tdls_cap.rates_len = pos[1];
>   for (i = 0; i < pos[1]; i++)
>   sta_ptr->tdls_cap.rates[i] = pos[i + 2];
>   break;
>  
>   case WLAN_EID_EXT_SUPP_RATES:
> + if (pos[1] > 32)
> + return;
>   basic = sta_ptr->tdls_cap.rates_len;
> + if (pos[1] > 32 - basic)
> + return;
>   for (i = 0; i < pos[1]; i++)
>   sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
>   sta_ptr->tdls_cap.rates_len += pos[1];
>   break;
>   case WLAN_EID_HT_CAPABILITY:
> - memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
> + if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
> + return;
> + if (pos[1] != sizeof(struct ieee80211_ht_cap))
> + return;
> + /* copy the ie's value into ht_capb*/
> + memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
>         sizeof(struct ieee80211_ht_cap));
>   sta_ptr->is_11n_enabled = 1;
>   break;
>   case WLAN_EID_HT_OPERATION:
> - memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
> + if (pos > end -
> +    sizeof(struct ieee80211_ht_operation) - 2)
> + return;
> + if (pos[1] != sizeof(struct ieee80211_ht_operation))
> + return;
> + memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
>         sizeof(struct ieee80211_ht_operation));
>   break;
>   case WLAN_EID_BSS_COEX_2040:
> + if (pos > end - 3)
> + return;
> + if (pos[1] != 1)
> + return;
>   sta_ptr->tdls_cap.coex_2040 = pos[2];
>   break;
>   case WLAN_EID_EXT_CAPABILITY:
> + if (pos > end - sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] < sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] > 8)
> + return;
>   memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
>         sizeof(struct ieee_types_header) +
>         min_t(u8, pos[1], 8));
>   break;
>   case WLAN_EID_RSN:
> + if (pos > end - sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] < sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] > IEEE_MAX_IE_SIZE -
> +    sizeof(struct ieee_types_header))
> + return;
>   memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
>         sizeof(struct ieee_types_header) +
>         min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
>       sizeof(struct ieee_types_header)));
>   break;
>   case WLAN_EID_QOS_CAPA:
> + if (pos > end - 3)
> + return;
> + if (pos[1] != 1)
> + return;
>   sta_ptr->tdls_cap.qos_info = pos[2];
>   break;
>   case WLAN_EID_VHT_OPERATION:
> - if (priv->adapter->is_hw_11ac_capable)
> - memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
> + if (priv->adapter->is_hw_11ac_capable) {
> + if (pos > end -
> +    sizeof(struct ieee80211_vht_operation) - 2)
> + return;
> + if (pos[1] !=
> +    sizeof(struct ieee80211_vht_operation))
> + return;
> + /* copy the ie's value into vhtoper*/
> + memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
>         sizeof(struct ieee80211_vht_operation));
> + }
>   break;
>   case WLAN_EID_VHT_CAPABILITY:
>   if (priv->adapter->is_hw_11ac_capable) {
> - memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
> + if (pos > end -
> +    sizeof(struct ieee80211_vht_cap) - 2)
> + return;
> + if (pos[1] != sizeof(struct ieee80211_vht_cap))
> + return;
> + /* copy the ie's value into vhtcap*/
> + memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
>         sizeof(struct ieee80211_vht_cap));
>   sta_ptr->is_11ac_enabled = 1;
>   }
>   break;
>   case WLAN_EID_AID:
> - if (priv->adapter->is_hw_11ac_capable)
> + if (priv->adapter->is_hw_11ac_capable) {
> + if (pos > end - 4)
> + return;
> + if (pos[1] != 2)
> + return;
>   sta_ptr->tdls_cap.aid =
>        le16_to_cpu(*(__le16 *)(pos + 2));
> + }
> + break;
>   default:
>   break;
>   }
>
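Review bot: the two rates cases compare pos[1] against a bare 32 three times. If that is the size of sta_ptr->tdls_cap.rates, writing the bound as ARRAY_SIZE(sta_ptr->tdls_cap.rates) or as a named constant would keep the check tied to the array. Under WLAN_EID_EXT_SUPP_RATES the first pos[1] > 32 test is also implied by the pos[1] > 32 - basic test that follows, as long as basic is between 0 and 32.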



Re: [PATCH E/D/B 3/3] UBUNTU: SAUCE: mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()

Kleber Souza
In reply to this post by Stefan Bader-2
On 26.11.19 09:39, Stefan Bader wrote:

> From: qize wang <[hidden email]>
>
> mwifiex_process_tdls_action_frame() without checking
> the incoming tdls information element's validity before using it,
> this may cause multi heap buffer overflows.
>
> Fix them by putting validity check before using it.
>
> Signed-off-by: qize wang <[hidden email]>
>
> CVE-2019-14901
>
> (cherry picked from https://patchwork.kernel.org/patch/11257535/)
> Signed-off-by: Stefan Bader <[hidden email]>
> ---
>  drivers/net/wireless/marvell/mwifiex/tdls.c | 70 +++++++++++++++++++--
>  1 file changed, 64 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
> index 18e654dc34c6..7f60214852c0 100644
> --- a/drivers/net/wireless/marvell/mwifiex/tdls.c
> +++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
> @@ -954,59 +954,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
>  
>   switch (*pos) {
>   case WLAN_EID_SUPP_RATES:
> + if (pos[1] > 32)
> + return;
>   sta_ptr->tdls_cap.rates_len = pos[1];
>   for (i = 0; i < pos[1]; i++)
>   sta_ptr->tdls_cap.rates[i] = pos[i + 2];
>   break;
>  
>   case WLAN_EID_EXT_SUPP_RATES:
> + if (pos[1] > 32)
> + return;
>   basic = sta_ptr->tdls_cap.rates_len;
> + if (pos[1] > 32 - basic)
> + return;
>   for (i = 0; i < pos[1]; i++)
>   sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
>   sta_ptr->tdls_cap.rates_len += pos[1];
>   break;
>   case WLAN_EID_HT_CAPABILITY:
> - memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
> + if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
> + return;
> + if (pos[1] != sizeof(struct ieee80211_ht_cap))
> + return;
> + /* copy the ie's value into ht_capb*/
> + memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,

This is changing the memcpy to start the copy from 'pos' to 'pos + 2',
but following the discussion on the patchwork link it seems the original
code was wrong and it was fixed here but without a comment on the commit
message. So if accepted upstream the commit message might get changed.

>         sizeof(struct ieee80211_ht_cap));
>   sta_ptr->is_11n_enabled = 1;
>   break;
>   case WLAN_EID_HT_OPERATION:
> - memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
> + if (pos > end -
> +    sizeof(struct ieee80211_ht_operation) - 2)
> + return;
> + if (pos[1] != sizeof(struct ieee80211_ht_operation))
> + return;
> + /* copy the ie's value into ht_oper*/
> + memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
>         sizeof(struct ieee80211_ht_operation));
>   break;
>   case WLAN_EID_BSS_COEX_2040:
> + if (pos > end - 3)
> + return;
> + if (pos[1] != 1)
> + return;
>   sta_ptr->tdls_cap.coex_2040 = pos[2];
>   break;
>   case WLAN_EID_EXT_CAPABILITY:
> + if (pos > end - sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] < sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] > 8)
> + return;
>   memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
>         sizeof(struct ieee_types_header) +
>         min_t(u8, pos[1], 8));
>   break;
>   case WLAN_EID_RSN:
> + if (pos > end - sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] < sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] > IEEE_MAX_IE_SIZE -
> +    sizeof(struct ieee_types_header))
> + return;
>   memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
>         sizeof(struct ieee_types_header) +
>         min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
>       sizeof(struct ieee_types_header)));
>   break;
>   case WLAN_EID_QOS_CAPA:
> + if (pos > end - 3)
> + return;
> + if (pos[1] != 1)
> + return;
>   sta_ptr->tdls_cap.qos_info = pos[2];
>   break;
>   case WLAN_EID_VHT_OPERATION:
> - if (priv->adapter->is_hw_11ac_capable)
> - memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
> + if (priv->adapter->is_hw_11ac_capable) {
> + if (pos > end -
> +    sizeof(struct ieee80211_vht_operation) - 2)
> + return;
> + if (pos[1] !=
> +    sizeof(struct ieee80211_vht_operation))
> + return;
> + /* copy the ie's value into vhtoper*/
> + memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
>         sizeof(struct ieee80211_vht_operation));
> + }
>   break;
>   case WLAN_EID_VHT_CAPABILITY:
>   if (priv->adapter->is_hw_11ac_capable) {
> - memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
> + if (pos > end -
> +    sizeof(struct ieee80211_vht_cap) - 2)
> + return;
> + if (pos[1] != sizeof(struct ieee80211_vht_cap))
> + return;
> + /* copy the ie's value into vhtcap*/
> + memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
>         sizeof(struct ieee80211_vht_cap));
>   sta_ptr->is_11ac_enabled = 1;
>   }
>   break;
>   case WLAN_EID_AID:
> - if (priv->adapter->is_hw_11ac_capable)
> + if (priv->adapter->is_hw_11ac_capable) {
> + if (pos > end - 4)
> + return;
> + if (pos[1] != 2)
> + return;
>   sta_ptr->tdls_cap.aid =
>   get_unaligned_le16((pos + 2));
> + }
> + break;
>   default:
>   break;
>   }
>
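Review bot: the fixed-size cases test pos > end - sizeof(struct ieee80211_ht_cap) - 2 (and the same form for ht_operation, vht_operation and vht_cap), which subtracts from end before comparing. For a frame shorter than that size the right-hand side points before the start of the buffer, which pointer arithmetic leaves undefined. Comparing lengths instead, end - pos < sizeof(struct ieee80211_ht_cap) + 2, expresses the same bound without leaving the buffer.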



ACK: [SRU E/D/B/X 0/3] Multiple buffer overflows in Marvell driver

Kleber Souza
In reply to this post by Stefan Bader-2
On 26.11.19 09:39, Stefan Bader wrote:

> Multiple buffer overflows have been found and fixed in the Marvell
> wireless driver. For Xenial the main change is that the Marvell driver
> does not yet have its own subdirectory. So all paths had to be adjusted.
>
> -Stefan
>
> Wen Huang (2):
>   mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
>   libertas: Fix two buffer overflows at parsing bss descriptor
>
> wangqize (1):
>   mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()
>
>  drivers/net/wireless/marvell/libertas/cfg.c   |  8 +++
>  .../net/wireless/marvell/mwifiex/sta_ioctl.c  |  3 +-
>  drivers/net/wireless/marvell/mwifiex/tdls.c   | 70 +++++++++++++++++--
>  3 files changed, 74 insertions(+), 7 deletions(-)
>

Apart from the missing CVE reference in Patch 3/3 for Xenial
the changes look good.

Acked-by: Kleber Sacilotto de Souza <[hidden email]>


Re: [PATCH E/D/B 3/3] UBUNTU: SAUCE: mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()

Stefan Bader-2
In reply to this post by Kleber Souza
On 27.11.19 17:21, Kleber Souza wrote:

> On 26.11.19 09:39, Stefan Bader wrote:
>> From: qize wang <[hidden email]>
>>
>> mwifiex_process_tdls_action_frame() without checking
>> the incoming tdls information element's validity before using it,
>> this may cause multi heap buffer overflows.
>>
>> Fix them by putting validity check before using it.
>>
>> Signed-off-by: qize wang <[hidden email]>
>>
>> CVE-2019-14901
>>
>> (cherry picked from https://patchwork.kernel.org/patch/11257535/)
>> Signed-off-by: Stefan Bader <[hidden email]>
>> ---
>>  drivers/net/wireless/marvell/mwifiex/tdls.c | 70 +++++++++++++++++++--
>>  1 file changed, 64 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
>> index 18e654dc34c6..7f60214852c0 100644
>> --- a/drivers/net/wireless/marvell/mwifiex/tdls.c
>> +++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
>> @@ -954,59 +954,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
>>  
>>   switch (*pos) {
>>   case WLAN_EID_SUPP_RATES:
>> + if (pos[1] > 32)
>> + return;
>>   sta_ptr->tdls_cap.rates_len = pos[1];
>>   for (i = 0; i < pos[1]; i++)
>>   sta_ptr->tdls_cap.rates[i] = pos[i + 2];
>>   break;
>>  
>>   case WLAN_EID_EXT_SUPP_RATES:
>> + if (pos[1] > 32)
>> + return;
>>   basic = sta_ptr->tdls_cap.rates_len;
>> + if (pos[1] > 32 - basic)
>> + return;
>>   for (i = 0; i < pos[1]; i++)
>>   sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
>>   sta_ptr->tdls_cap.rates_len += pos[1];
>>   break;
>>   case WLAN_EID_HT_CAPABILITY:
>> - memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
>> + if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
>> + return;
>> + if (pos[1] != sizeof(struct ieee80211_ht_cap))
>> + return;
>> + /* copy the ie's value into ht_capb*/
>> + memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
>
> This is changing the memcpy to start the copy from 'pos' to 'pos + 2',
> but following the discussion on the patchwork link it seems the original
> code was wrong and it was fixed here but without a comment on the commit
> message. So if accepted upstream the commit message might get changed.

What I understood from the upstream discussion is that there are two different
targets of the memcpy calls. Some are of type header, which still need the
additional 2 bytes. The others are of a different type which does not contain
the header part.

>
>>         sizeof(struct ieee80211_ht_cap));
>>   sta_ptr->is_11n_enabled = 1;
>>   break;
>>   case WLAN_EID_HT_OPERATION:
>> - memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
>> + if (pos > end -
>> +    sizeof(struct ieee80211_ht_operation) - 2)
>> + return;
>> + if (pos[1] != sizeof(struct ieee80211_ht_operation))
>> + return;
>> + /* copy the ie's value into ht_oper*/
>> + memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
>>         sizeof(struct ieee80211_ht_operation));
>>   break;
>>   case WLAN_EID_BSS_COEX_2040:
>> + if (pos > end - 3)
>> + return;
>> + if (pos[1] != 1)
>> + return;
>>   sta_ptr->tdls_cap.coex_2040 = pos[2];
>>   break;
>>   case WLAN_EID_EXT_CAPABILITY:
>> + if (pos > end - sizeof(struct ieee_types_header))
>> + return;
>> + if (pos[1] < sizeof(struct ieee_types_header))
>> + return;
>> + if (pos[1] > 8)
>> + return;
>>   memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
>>         sizeof(struct ieee_types_header) +
>>         min_t(u8, pos[1], 8));
>>   break;
>>   case WLAN_EID_RSN:
>> + if (pos > end - sizeof(struct ieee_types_header))
>> + return;
>> + if (pos[1] < sizeof(struct ieee_types_header))
>> + return;
>> + if (pos[1] > IEEE_MAX_IE_SIZE -
>> +    sizeof(struct ieee_types_header))
>> + return;
>>   memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
>>         sizeof(struct ieee_types_header) +
>>         min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
>>       sizeof(struct ieee_types_header)));
>>   break;
>>   case WLAN_EID_QOS_CAPA:
>> + if (pos > end - 3)
>> + return;
>> + if (pos[1] != 1)
>> + return;
>>   sta_ptr->tdls_cap.qos_info = pos[2];
>>   break;
>>   case WLAN_EID_VHT_OPERATION:
>> - if (priv->adapter->is_hw_11ac_capable)
>> - memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
>> + if (priv->adapter->is_hw_11ac_capable) {
>> + if (pos > end -
>> +    sizeof(struct ieee80211_vht_operation) - 2)
>> + return;
>> + if (pos[1] !=
>> +    sizeof(struct ieee80211_vht_operation))
>> + return;
>> + /* copy the ie's value into vhtoper*/
>> + memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
>>         sizeof(struct ieee80211_vht_operation));
>> + }
>>   break;
>>   case WLAN_EID_VHT_CAPABILITY:
>>   if (priv->adapter->is_hw_11ac_capable) {
>> - memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
>> + if (pos > end -
>> +    sizeof(struct ieee80211_vht_cap) - 2)
>> + return;
>> + if (pos[1] != sizeof(struct ieee80211_vht_cap))
>> + return;
>> + /* copy the ie's value into vhtcap*/
>> + memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
>>         sizeof(struct ieee80211_vht_cap));
>>   sta_ptr->is_11ac_enabled = 1;
>>   }
>>   break;
>>   case WLAN_EID_AID:
>> - if (priv->adapter->is_hw_11ac_capable)
>> + if (priv->adapter->is_hw_11ac_capable) {
>> + if (pos > end - 4)
>> + return;
>> + if (pos[1] != 2)
>> + return;
>>   sta_ptr->tdls_cap.aid =
>>   get_unaligned_le16((pos + 2));
>> + }
>> + break;
>>   default:
>>   break;
>>   }
>>
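Review bot: In the WLAN_EID_EXT_CAPABILITY and WLAN_EID_RSN cases the new test 'pos > end - sizeof(struct ieee_types_header)' only shows that the 2-byte header lies inside the buffer, while the memcpy that follows reads the header plus pos[1] bytes starting at pos. Unless the enclosing loop, which is outside this hunk, already guarantees pos + 2 + pos[1] <= end, the test should cover the payload as well. In the same two cases 'pos[1] < sizeof(struct ieee_types_header)' compares the payload length with the header size, which rejects 0- and 1-byte payloads and looks unintended, and the new upper-bound tests make the min_t() inside each memcpy redundant. In the two rates cases the literal 32 would be safer written as the size of tdls_cap.rates, and under WLAN_EID_EXT_SUPP_RATES the first 'pos[1] > 32' test is already implied by 'pos[1] > 32 - basic' as long as basic is not negative.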
>
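The two kinds of copy target described in the reply above, as an added example that is not part of the original thread or of the driver. The function parse_ies() and all type names are hypothetical, simplified stand-ins: one target embeds the 2-byte element header and is copied from pos, the other holds only the value and is copied from pos + 2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified stand-ins for the driver's types (assumptions). */
struct ie_hdr { uint8_t id, len; };
struct ext_cap_ie { struct ie_hdr hdr; uint8_t cap[8]; }; /* header-type target */
struct ht_cap_val { uint8_t bytes[26]; };                 /* value-only target */
struct peer_caps { struct ext_cap_ie extcap; struct ht_cap_val ht; int has_ht; };
enum { EID_HT_CAP = 45, EID_EXT_CAP = 127 };              /* 802.11 element IDs */

/* Returns 0 on success, -1 on the first malformed element. */
int parse_ies(const uint8_t *buf, size_t n, struct peer_caps *caps)
{
    const uint8_t *pos = buf, *end = buf + n;
    while (pos < end) {
        size_t left = (size_t)(end - pos);
        /* Header and declared payload must both lie inside the buffer. */
        if (left < sizeof(struct ie_hdr) || left - sizeof(struct ie_hdr) < pos[1])
            return -1;
        switch (pos[0]) {
        case EID_EXT_CAP:   /* target embeds the header: copy from pos */
            if (pos[1] > sizeof(caps->extcap.cap))
                return -1;
            memcpy(&caps->extcap, pos, sizeof(struct ie_hdr) + pos[1]);
            break;
        case EID_HT_CAP:    /* target is the bare value: copy from pos + 2 */
            if (pos[1] != sizeof(caps->ht))
                return -1;
            memcpy(&caps->ht, pos + sizeof(struct ie_hdr), sizeof(caps->ht));
            caps->has_ht = 1;
            break;
        default:            /* unknown element: skip over it */
            break;
        }
        pos += sizeof(struct ie_hdr) + pos[1];
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: one Extended Capabilities element, 3 payload bytes. */
    const uint8_t frame[] = { EID_EXT_CAP, 3, 0x01, 0x02, 0x03 };
    struct peer_caps caps = { 0 };
    int rc = parse_ies(frame, sizeof(frame), &caps);
    printf("rc=%d stored len=%d\n", rc, caps.extcap.hdr.len);
    return 0;
}
```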



Re: [SRU E/D/B/X 0/3] Multiple buffer overflows in Marvell driver

Andrea Righi
In reply to this post by Stefan Bader-2
On Tue, Nov 26, 2019 at 09:39:11AM +0100, Stefan Bader wrote:

> Multiple buffer overflows have been found and fixed in the Marvell
> wireless driver. For Xenial the main change is that the Marvell driver
> has not yet its own subdirectory. So all paths had to be adjusted.
>
> -Stefan
>
> Wen Huang (2):
>   mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
>   libertas: Fix two buffer overflows at parsing bss descriptor
>
> wangqize (1):
>   mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()
>
>  drivers/net/wireless/marvell/libertas/cfg.c   |  8 +++
>  .../net/wireless/marvell/mwifiex/sta_ioctl.c  |  3 +-
>  drivers/net/wireless/marvell/mwifiex/tdls.c   | 70 +++++++++++++++++--
>  3 files changed, 74 insertions(+), 7 deletions(-)
>

All the fixes make sense to me.

Acked-by: Andrea Righi <[hidden email]>


APPLIED: [SRU E/D/B/X 0/3] Multiple buffer overflows in Marvell driver

Kleber Souza
In reply to this post by Stefan Bader-2
On 2019-11-26 09:39, Stefan Bader wrote:

> Multiple buffer overflows have been found and fixed in the Marvell
> wireless driver. For Xenial the main change is that the Marvell driver
> has not yet its own subdirectory. So all paths had to be adjusted.
>
> -Stefan
>
> Wen Huang (2):
>   mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
>   libertas: Fix two buffer overflows at parsing bss descriptor
>
> wangqize (1):
>   mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()
>
>  drivers/net/wireless/marvell/libertas/cfg.c   |  8 +++
>  .../net/wireless/marvell/mwifiex/sta_ioctl.c  |  3 +-
>  drivers/net/wireless/marvell/mwifiex/tdls.c   | 70 +++++++++++++++++--
>  3 files changed, 74 insertions(+), 7 deletions(-)
>

Applied to xenial, bionic, disco and eoan master-next branches.

Thanks,
Kleber


APPLIED[Unstable]: [SRU E/D/B/X 0/3] Multiple buffer overflows in Marvell driver

Seth Forshee
In reply to this post by Stefan Bader-2
On Tue, Nov 26, 2019 at 09:39:11AM +0100, Stefan Bader wrote:
> Multiple buffer overflows have been found and fixed in the Marvell
> wireless driver. For Xenial the main change is that the Marvell driver
> has not yet its own subdirectory. So all paths had to be adjusted.

Applied to unstable/master, thanks!
