DivestOS/Patches/Linux_CVEs/CVE-2016-8452/ANY/1.patch


From b05c022755257abacfc6df9e4c649adcdc3099b5 Mon Sep 17 00:00:00 2001
From: Ecco Park <eccopark@google.com>
Date: Tue, 1 Nov 2016 16:54:45 -0700
Subject: [PATCH] qcacld-2.0: Use heap memory for station_info instead of stack
From kernel 3.19-rc4 on, the size of struct station_info is around 600 bytes,
so the stack frame of any routine that uses this struct will easily
exceed 1024 bytes, the default stack frame size limit.
So use heap memory for this struct instead.
CRs-Fixed: 1050323
Bug: 32506396
Change-Id: I64835329dc2e46ae33c12585f92c6a75401cfc5c
Signed-off-by: Ecco Park <eccopark@google.com>
---
.../staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c | 17 ++++++++++++-----
.../staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 18 ++++++++++++------
2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c
index 05bc9524088ca..9225042e4319e 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c
@@ -2694,7 +2694,7 @@ static eHalStatus roamRoamConnectStatusUpdateHandler( hdd_adapter_t *pAdapter, t
case eCSR_ROAM_RESULT_IBSS_NEW_PEER:
{
hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter);
- struct station_info staInfo;
+ struct station_info *stainfo;
pr_info ( "IBSS New Peer indication from SME "
"with peerMac " MAC_ADDRESS_STR " BSSID: " MAC_ADDRESS_STR " and stationID= %d",
@@ -2728,13 +2728,20 @@ static eHalStatus roamRoamConnectStatusUpdateHandler( hdd_adapter_t *pAdapter, t
vosStatus, vosStatus );
}
pHddStaCtx->ibss_sta_generation++;
- memset(&staInfo, 0, sizeof(staInfo));
- staInfo.filled = 0;
- staInfo.generation = pHddStaCtx->ibss_sta_generation;
+ stainfo = vos_mem_malloc(sizeof(*stainfo));
+ if (stainfo == NULL) {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ "memory allocation for station_info failed");
+ return eHAL_STATUS_FAILED_ALLOC;
+ }
+ memset(stainfo, 0, sizeof(*stainfo));
+ stainfo->filled = 0;
+ stainfo->generation = pHddStaCtx->ibss_sta_generation;
cfg80211_new_sta(pAdapter->dev,
(const u8 *)pRoamInfo->peerMac,
- &staInfo, GFP_KERNEL);
+ stainfo, GFP_KERNEL);
+ vos_mem_free(stainfo);
if ( eCSR_ENCRYPT_TYPE_WEP40_STATICKEY == pHddStaCtx->ibss_enc_key.encType
||eCSR_ENCRYPT_TYPE_WEP104_STATICKEY == pHddStaCtx->ibss_enc_key.encType
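Review bot: The allocation at `stainfo = vos_mem_malloc(sizeof(*stainfo));` runs after `pHddStaCtx->ibss_sta_generation++` has already executed, so on the failure path the generation counter is bumped and eHAL_STATUS_FAILED_ALLOC is returned from inside the case without the peer ever being reported via cfg80211_new_sta and without reaching the WEP key handling that follows; whether the caller acts on that status is not visible here. Moving the allocation and its NULL check above the increment keeps the counter consistent with what was actually reported. `stainfo->filled = 0;` immediately after `memset(stainfo, 0, sizeof(*stainfo));` is redundant and could be dropped. The same early-return shape appears in the wlan_hdd_hostapd.c hunk (`return VOS_STATUS_E_NOMEM;`), whose enclosing block continues past the end of this view. roamRoamConnectStatusUpdateHandler's body starts and ends outside the hunk.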
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
index 024b3135ee74f..ee90efa1db586 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -1823,21 +1823,27 @@ VOS_STATUS hdd_hostapd_SAPEventCB( tpSap_Event pSapEvent, v_PVOID_t usrDataForCa
HDD_SAP_WAKE_LOCK_DURATION,
WIFI_POWER_EVENT_WAKELOCK_SAP);
{
- struct station_info staInfo;
v_U16_t iesLen = pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.iesLen;
- memset(&staInfo, 0, sizeof(staInfo));
if (iesLen <= MAX_ASSOC_IND_IE_LEN )
{
- staInfo.assoc_req_ies =
+ struct station_info *stainfo;
+ stainfo = vos_mem_malloc(sizeof(*stainfo));
+ if (stainfo == NULL) {
+ hddLog(LOGE, FL("alloc station_info failed"));
+ return VOS_STATUS_E_NOMEM;
+ }
+ memset(stainfo, 0, sizeof(*stainfo));
+ stainfo->assoc_req_ies =
(const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.ies[0];
- staInfo.assoc_req_ies_len = iesLen;
+ stainfo->assoc_req_ies_len = iesLen;
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,0,31)) || defined(WITH_BACKPORTS)
- staInfo.filled |= STATION_INFO_ASSOC_REQ_IES;
+ stainfo->filled |= STATION_INFO_ASSOC_REQ_IES;
#endif
cfg80211_new_sta(dev,
(const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.staMac.bytes[0],
- &staInfo, GFP_KERNEL);
+ stainfo, GFP_KERNEL);
+ vos_mem_free(stainfo);
}
else
{