[CVE-2017-11089,Trusty,SRU] cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE

Message ID 20180202043737.23885-1-po-hsu.lin@canonical.com
State New
Headers show
Series
  • [CVE-2017-11089,Trusty,SRU] cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE
Related show

Commit Message

Po-Hsu Lin Feb. 2, 2018, 4:37 a.m.
From: Srinivas Dasari <dasaris@qti.qualcomm.com>

CVE-2017-11089

Buffer overread may happen as nl80211_set_station() reads 4 bytes
from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
validating the size of data received when userspace sends less
than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
the buffer overread.

Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry picked from commit 8feb69c7bd89513be80eb19198d48f154b254021)
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 net/wireless/nl80211.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Kleber Souza Feb. 2, 2018, 10:06 a.m. | #1
On 02/02/18 05:37, Po-Hsu Lin wrote:
> From: Srinivas Dasari <dasaris@qti.qualcomm.com>
> 
> CVE-2017-11089
> 
> Buffer overread may happen as nl80211_set_station() reads 4 bytes
> from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
> validating the size of data received when userspace sends less
> than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
> Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
> the buffer overread.
> 
> Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
> Cc: stable@vger.kernel.org
> Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> (cherry picked from commit 8feb69c7bd89513be80eb19198d48f154b254021)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
>  net/wireless/nl80211.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index a71cec5..eeaf56a 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -355,6 +355,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
>  	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
>  	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
>  	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
> +	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
>  	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
>  	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
>  	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
>
Colin King Feb. 2, 2018, 4:03 p.m. | #2
On 02/02/18 04:37, Po-Hsu Lin wrote:
> From: Srinivas Dasari <dasaris@qti.qualcomm.com>
> 
> CVE-2017-11089
> 
> Buffer overread may happen as nl80211_set_station() reads 4 bytes
> from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
> validating the size of data received when userspace sends less
> than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
> Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
> the buffer overread.
> 
> Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
> Cc: stable@vger.kernel.org
> Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> (cherry picked from commit 8feb69c7bd89513be80eb19198d48f154b254021)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
> ---
>  net/wireless/nl80211.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index a71cec5..eeaf56a 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -355,6 +355,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
>  	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
>  	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
>  	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
> +	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
>  	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
>  	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
>  	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
> 

Clean upstream cherry pick. Looks sane to me.

Acked-by: Colin Ian King <colin.king@canonical.com>
Kleber Souza March 1, 2018, 11:42 a.m. | #3
On 02/02/18 05:37, Po-Hsu Lin wrote:
> From: Srinivas Dasari <dasaris@qti.qualcomm.com>
> 
> CVE-2017-11089
> 
> Buffer overread may happen as nl80211_set_station() reads 4 bytes
> from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
> validating the size of data received when userspace sends less
> than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
> Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
> the buffer overread.
> 
> Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
> Cc: stable@vger.kernel.org
> Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> (cherry picked from commit 8feb69c7bd89513be80eb19198d48f154b254021)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
> ---
>  net/wireless/nl80211.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index a71cec5..eeaf56a 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -355,6 +355,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
>  	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
>  	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
>  	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
> +	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
>  	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
>  	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
>  	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
> 

Applied to trusty/master-next-backlog branch.

Thanks,
Kleber

Patch

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index a71cec5..eeaf56a 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -355,6 +355,7 @@  static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
+	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },