diff --git a/debian/changelog b/debian/changelog index bf445046d..81a989d4a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -669,6 +669,10 @@ linux (4.15.11-1) UNRELEASED; urgency=medium * [arm64] Apply patch from linux-next to fix eMMC corruption on Odroid-C2 (Closes: #879072). + [ Salvatore Bonaccorso ] + * mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl() + (CVE-2018-8087) + -- Salvatore Bonaccorso Tue, 20 Feb 2018 21:51:39 +0100 linux (4.15.4-1) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch b/debian/patches/bugfix/all/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch new file mode 100644 index 000000000..910907ae3 --- /dev/null +++ b/debian/patches/bugfix/all/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch @@ -0,0 +1,37 @@ +From: "weiyongjun (A)" +Date: Thu, 18 Jan 2018 02:23:34 +0000 +Subject: mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl() +Origin: https://git.kernel.org/linus/0ddcff49b672239dda94d70d0fcf50317a9f4b51 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-8087 + +'hwname' is malloced in hwsim_new_radio_nl() and should be freed +before leaving from the error handling cases, otherwise it will cause +memory leak. + +Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length") +Signed-off-by: Wei Yongjun +Reviewed-by: Ben Hutchings +Signed-off-by: Johannes Berg +--- + drivers/net/wireless/mac80211_hwsim.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 6bf063adcbde..66c2ac0397da 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -3197,8 +3197,10 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info) + if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) { + u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]); + +- if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) ++ if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) { ++ kfree(hwname); + return -EINVAL; ++ } + param.regd = hwsim_world_regdom_custom[idx]; + } + +-- +2.16.2 + diff --git a/debian/patches/series b/debian/patches/series index b1afa0a18..d4a97c7f3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -119,6 +119,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch +bugfix/all/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch