DivestOS/Patches/Linux_CVEs/CVE-2017-11001/ANY/0001.patch

From d5d2c9baff89932e822ceae74b1569af07d55f19 Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda <sgirigow@codeaurora.org>
Date: Fri, 7 Jul 2017 11:58:04 -0700
Subject: qcacld-2.0: Fix out of bound read issue in get link properties

Length of the MAC address is not checked which may cause out of bound
read issue.

To resolve this add a check for MAC address length.

CRs-Fixed: 2051433
Change-Id: I58454b84c28b157cef35984d612a9bc6fdd9ec56
Bug: 36815555
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
---
 drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index c153928..6d99f2d 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -8481,7 +8481,8 @@ static int __wlan_hdd_cfg80211_wifi_logger_start(struct wiphy *wiphy,
 static const struct
 nla_policy
 qca_wlan_vendor_attr_policy[QCA_WLAN_VENDOR_ATTR_MAX+1] = {
-	[QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = { .type = NLA_UNSPEC },
+	[QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = {
+		.type = NLA_BINARY, .len = VOS_MAC_ADDR_SIZE },
 };
 
 /**
@@ -8536,6 +8537,13 @@ static int __wlan_hdd_cfg80211_get_link_properties(struct wiphy *wiphy,
 		return -EINVAL;
 	}
 
+	if (nla_len(tb[QCA_WLAN_VENDOR_ATTR_MAC_ADDR]) < sizeof(peer_mac)) {
+		hddLog(VOS_TRACE_LEVEL_ERROR,
+			FL("Attribute peerMac is invalid=%d"),
+			adapter->device_mode);
+		return -EINVAL;
+	}
+
 	memcpy(peer_mac, nla_data(tb[QCA_WLAN_VENDOR_ATTR_MAC_ADDR]),
 	       sizeof(peer_mac));
 	hddLog(VOS_TRACE_LEVEL_INFO,
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From d5d2c9baff89932e822ceae74b1569af07d55f19 Mon Sep 17 00:00:00 2001`
			`From: Srinivas Girigowda <sgirigow@codeaurora.org>`
			`Date: Fri, 7 Jul 2017 11:58:04 -0700`
			`Subject: qcacld-2.0: Fix out of bound read issue in get link properties`

			`Length of the MAC address is not checked which may cause out of bound`
			`read issue.`

			`To resolve this add a check for MAC address length.`

			`CRs-Fixed: 2051433`
			`Change-Id: I58454b84c28b157cef35984d612a9bc6fdd9ec56`
			`Bug: 36815555`
			`Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>`
			`---`
			`drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c \| 10 +++++++++-`
			`1 file changed, 9 insertions(+), 1 deletion(-)`

			`diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c`
			`index c153928..6d99f2d 100644`
			`--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c`
			`+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c`
			`@@ -8481,7 +8481,8 @@ static int __wlan_hdd_cfg80211_wifi_logger_start(struct wiphy *wiphy,`
			`static const struct`
			`nla_policy`
			`qca_wlan_vendor_attr_policy[QCA_WLAN_VENDOR_ATTR_MAX+1] = {`
			`- [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = { .type = NLA_UNSPEC },`
			`+ [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = {`
			`+ .type = NLA_BINARY, .len = VOS_MAC_ADDR_SIZE },`
			`};`

			`/**`
			`@@ -8536,6 +8537,13 @@ static int __wlan_hdd_cfg80211_get_link_properties(struct wiphy *wiphy,`
			`return -EINVAL;`
			`}`

			`+ if (nla_len(tb[QCA_WLAN_VENDOR_ATTR_MAC_ADDR]) < sizeof(peer_mac)) {`
			`+ hddLog(VOS_TRACE_LEVEL_ERROR,`
			`+ FL("Attribute peerMac is invalid=%d"),`
			`+ adapter->device_mode);`
			`+ return -EINVAL;`
			`+ }`
			`+`
			`memcpy(peer_mac, nla_data(tb[QCA_WLAN_VENDOR_ATTR_MAC_ADDR]),`
			`sizeof(peer_mac));`
			`hddLog(VOS_TRACE_LEVEL_INFO,`
			`--`
			`cgit v1.1`