| Message ID | 20180202043737.23885-1-po-hsu.lin@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [CVE-2017-11089,Trusty,SRU] cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE | expand |
On 02/02/18 05:37, Po-Hsu Lin wrote: > From: Srinivas Dasari <dasaris@qti.qualcomm.com> > > CVE-2017-11089 > > Buffer overread may happen as nl80211_set_station() reads 4 bytes > from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without > validating the size of data received when userspace sends less > than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE. > Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid > the buffer overread. > > Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access") > Cc: stable@vger.kernel.org > Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com> > Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > (cherry picked from commit 8feb69c7bd89513be80eb19198d48f154b254021) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > net/wireless/nl80211.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c > index a71cec5..eeaf56a 100644 > --- a/net/wireless/nl80211.c > +++ b/net/wireless/nl80211.c > @@ -355,6 +355,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = { > [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 }, > [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 }, > [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 }, > + [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 }, > [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 }, > [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED }, > [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 }, >
On 02/02/18 04:37, Po-Hsu Lin wrote: > From: Srinivas Dasari <dasaris@qti.qualcomm.com> > > CVE-2017-11089 > > Buffer overread may happen as nl80211_set_station() reads 4 bytes > from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without > validating the size of data received when userspace sends less > than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE. > Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid > the buffer overread. > > Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access") > Cc: stable@vger.kernel.org > Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com> > Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > (cherry picked from commit 8feb69c7bd89513be80eb19198d48f154b254021) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > net/wireless/nl80211.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c > index a71cec5..eeaf56a 100644 > --- a/net/wireless/nl80211.c > +++ b/net/wireless/nl80211.c > @@ -355,6 +355,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = { > [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 }, > [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 }, > [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 }, > + [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 }, > [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 }, > [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED }, > [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 }, > Clean upstream cherry pick. Looks sane to me. Acked-by: Colin Ian King <colin.king@canonical.com>
On 02/02/18 05:37, Po-Hsu Lin wrote: > From: Srinivas Dasari <dasaris@qti.qualcomm.com> > > CVE-2017-11089 > > Buffer overread may happen as nl80211_set_station() reads 4 bytes > from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without > validating the size of data received when userspace sends less > than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE. > Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid > the buffer overread. > > Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access") > Cc: stable@vger.kernel.org > Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com> > Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > (cherry picked from commit 8feb69c7bd89513be80eb19198d48f154b254021) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > net/wireless/nl80211.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c > index a71cec5..eeaf56a 100644 > --- a/net/wireless/nl80211.c > +++ b/net/wireless/nl80211.c > @@ -355,6 +355,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = { > [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 }, > [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 }, > [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 }, > + [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 }, > [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 }, > [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED }, > [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 }, > Applied to trusty/master-next-backlog branch. Thanks, Kleber
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index a71cec5..eeaf56a 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -355,6 +355,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = { [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 }, [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 }, [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 }, + [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 }, [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 }, [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED }, [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },