Update Linux CVE patches

Patches/Linux_CVEs/CVE-2017-11062/ANY/0.patch

@@ -0,0 +1,74 @@
+From 954bdf216ce56a860092fd9549229b036e08c97b Mon Sep 17 00:00:00 2001
+From: Ashish Kumar Dhanotiya <adhanoti@codeaurora.org>
+Date: Tue, 13 Jun 2017 18:41:49 +0530
+Subject: qcacld-2.0: Validate vendor command do_acs
+
+Currently attributes are not validated in __wlan_hdd_cfg80211_do_acs,
+this can lead to a buffer overread.
+
+To resolve this issue, Define an nla_policy and validate the
+attributes.
+
+CRs-Fixed: 2058448
+Change-Id: Ic1bd5abbef09407f925625b709f10cf9cb7c3d7f
+---
+ CORE/HDD/src/wlan_hdd_cfg80211.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
+index 2ec3d68..c87f7c0 100644
+--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
++++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
+@@ -9170,9 +9170,20 @@ static void
+ wlan_hdd_set_mcc_to_scc_switch(hdd_adapter_t *adapter)
+ {}
+ #endif
++static const struct nla_policy
++wlan_hdd_cfg80211_do_acs_policy[QCA_WLAN_VENDOR_ATTR_ACS_MAX+1] = {
++	[QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 },
++	[QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG },
++	[QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG },
++	[QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG },
++	[QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 },
++	[QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_UNSPEC },
++};
++
+ 
+ /**
+- * __wlan_hdd_cfg80211_do_acs : CFG80211 handler fucntion for DO_ACS Vendor CMD
++ * __wlan_hdd_cfg80211_do_acs() : CFG80211 handler fucntion for DO_ACS
++ * Vendor CMD
+  * @wiphy:  Linux wiphy struct pointer
+  * @wdev:   Linux wireless device struct pointer
+  * @data:   ACS information from hostapd
+@@ -9216,18 +9227,6 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy,
+ 	 * config shall be set only from start_acs.
+ 	 */
+ 
+-	/* nla_policy Policy template. Policy not applied as some attributes are
+-	 * optional and QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST has variable length
+-	 *
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 },
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG },
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG },
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG },
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 },
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_NESTED },
+-	 */
+-
+-
+ 	status = wlan_hdd_validate_context(hdd_ctx);
+ 	if (0 != status)
+ 		return status;
+@@ -9257,7 +9256,7 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy,
+ 	vos_mem_zero(&sap_config->acs_cfg, sizeof(struct sap_acs_cfg));
+ 
+ 	status = nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ACS_MAX, data, data_len,
+-						NULL);
++						wlan_hdd_cfg80211_do_acs_policy);
+ 	if (status) {
+ 		hddLog(VOS_TRACE_LEVEL_ERROR, FL("Invalid ATTR"));
+ 		goto out;
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2017-11062/ANY/1.patch

@@ -0,0 +1,68 @@
+From 6d19d7d4e0ff7e7e4c80c49414a016035ac70a3c Mon Sep 17 00:00:00 2001
+From: Ashish Kumar Dhanotiya <adhanoti@codeaurora.org>
+Date: Tue, 13 Jun 2017 18:41:49 +0530
+Subject: [PATCH] qcacld-2.0: Validate vendor command do_acs
+
+Currently attributes are not validated in __wlan_hdd_cfg80211_do_acs,
+this can lead to a buffer overread.
+
+To resolve this issue, Define an nla_policy and validate the
+attributes.
+
+Bug: 37720349
+CRs-Fixed: 2058448
+Change-Id: Ic1bd5abbef09407f925625b709f10cf9cb7c3d7f
+Signed-off-by: Ecco Park <eccopark@google.com>
+---
+ .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c    | 24 ++++++++++------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+index af3ab9bc4bd57..6849a6c82f821 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+@@ -7665,6 +7665,16 @@ static int wlan_hdd_cfg80211_start_acs(hdd_adapter_t *adapter)
+ 	return 0;
+ }
+ 
++static const struct nla_policy
++wlan_hdd_cfg80211_do_acs_policy[QCA_WLAN_VENDOR_ATTR_ACS_MAX+1] = {
++	[QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 },
++	[QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG },
++	[QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG },
++	[QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG },
++	[QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 },
++	[QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_UNSPEC },
++};
++
+ /**
+  * __wlan_hdd_cfg80211_do_acs : CFG80211 handler fucntion for DO_ACS Vendor CMD
+  * @wiphy:  Linux wiphy struct pointer
+@@ -7710,18 +7720,6 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy,
+ 	 * config shall be set only from start_acs.
+ 	 */
+ 
+-	/* nla_policy Policy template. Policy not applied as some attributes are
+-	 * optional and QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST has variable length
+-	 *
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 },
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG },
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG },
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG },
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 },
+-	 * [QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_NESTED },
+-	 */
+-
+-
+ 	status = wlan_hdd_validate_context(hdd_ctx);
+ 	if (0 != status)
+ 		return status;
+@@ -7730,7 +7728,7 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy,
+ 	vos_mem_zero(&sap_config->acs_cfg, sizeof(struct sap_acs_cfg));
+ 
+ 	status = nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ACS_MAX, data, data_len,
+-						NULL);
++						wlan_hdd_cfg80211_do_acs_policy);
+ 	if (status) {
+ 		hddLog(VOS_TRACE_LEVEL_ERROR, FL("Invalid ATTR"));
+ 		goto out;