Add various security fixes not yet in 4.19-stable
All of these are already fixed in jessie, and upgrades shouldn't regress.
This commit is contained in:
Ben Hutchings
parent
72ff5abae4
commit
56dd5fa07e
|
|
@ -1253,6 +1253,11 @@ linux (4.19.97-1) UNRELEASED; urgency=medium
|
|||
* aufs: Update support patchset to aufs4.19.63+ 20200113; no functional
|
||||
changes
|
||||
* Bump ABI to 8
|
||||
* libertas: Fix two buffer overflows at parsing bss descriptor
|
||||
(CVE-2019-14896, CVE-2019-14897)
|
||||
* wimax: i2400: fix memory leak (CVE-2019-19051)
|
||||
* wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
|
||||
(CVE-2019-19051)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 14 Dec 2019 22:00:16 +0100
|
||||
|
||||
|
|
|
|||
64
debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
vendored
Normal file
64
debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
vendored
Normal file
|
|
@ -0,0 +1,64 @@
|
|||
From: Wen Huang <huangwenabc@gmail.com>
|
||||
Date: Thu, 28 Nov 2019 18:51:04 +0800
|
||||
Subject: libertas: Fix two buffer overflows at parsing bss descriptor
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit/?id=e5e884b42639c74b5b57dc277909915c0aefc8bb
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14896
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14897
|
||||
|
||||
add_ie_rates() copys rates without checking the length
|
||||
in bss descriptor from remote AP.when victim connects to
|
||||
remote attacker, this may trigger buffer overflow.
|
||||
lbs_ibss_join_existing() copys rates without checking the length
|
||||
in bss descriptor from remote IBSS node.when victim connects to
|
||||
remote attacker, this may trigger buffer overflow.
|
||||
Fix them by putting the length check before performing copy.
|
||||
|
||||
This fix addresses CVE-2019-14896 and CVE-2019-14897.
|
||||
This also fix build warning of mixed declarations and code.
|
||||
|
||||
Reported-by: kbuild test robot <lkp@intel.com>
|
||||
Signed-off-by: Wen Huang <huangwenabc@gmail.com>
|
||||
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
||||
---
|
||||
drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
--- a/drivers/net/wireless/marvell/libertas/cfg.c
|
||||
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
|
||||
@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int
|
||||
int hw, ap, ap_max = ie[1];
|
||||
u8 hw_rate;
|
||||
|
||||
+ if (ap_max > MAX_RATES) {
|
||||
+ lbs_deb_assoc("invalid rates\n");
|
||||
+ return tlv;
|
||||
+ }
|
||||
/* Advance past IE header */
|
||||
ie += 2;
|
||||
|
||||
@@ -1717,6 +1721,9 @@ static int lbs_ibss_join_existing(struct
|
||||
struct cmd_ds_802_11_ad_hoc_join cmd;
|
||||
u8 preamble = RADIO_PREAMBLE_SHORT;
|
||||
int ret = 0;
|
||||
+ int hw, i;
|
||||
+ u8 rates_max;
|
||||
+ u8 *rates;
|
||||
|
||||
/* TODO: set preamble based on scan result */
|
||||
ret = lbs_set_radio(priv, preamble, 1);
|
||||
@@ -1775,9 +1782,12 @@ static int lbs_ibss_join_existing(struct
|
||||
if (!rates_eid) {
|
||||
lbs_add_rates(cmd.bss.rates);
|
||||
} else {
|
||||
- int hw, i;
|
||||
- u8 rates_max = rates_eid[1];
|
||||
- u8 *rates = cmd.bss.rates;
|
||||
+ rates_max = rates_eid[1];
|
||||
+ if (rates_max > MAX_RATES) {
|
||||
+ lbs_deb_join("invalid rates");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ rates = cmd.bss.rates;
|
||||
for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
|
||||
u8 hw_rate = lbs_rates[hw].bitrate / 5;
|
||||
for (i = 0; i < rates_max; i++) {
|
||||
37
debian/patches/bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
vendored
Normal file
37
debian/patches/bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
vendored
Normal file
|
|
@ -0,0 +1,37 @@
|
|||
From: Navid Emamdoost <navid.emamdoost@gmail.com>
|
||||
Date: Fri, 25 Oct 2019 23:53:30 -0500
|
||||
Subject: wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
|
||||
Origin: https://git.kernel.org/linus/6f3ef5c25cc762687a7341c18cbea5af54461407
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15217
|
||||
|
||||
In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
|
||||
buffer for cmd should be released before returning. The
|
||||
documentation for i2400m_msg_to_dev() says when it returns the buffer
|
||||
can be reused. Meaning cmd should be released in either case. Move
|
||||
kfree(cmd) before return to be reached by all execution paths.
|
||||
|
||||
Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak")
|
||||
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/net/wimax/i2400m/op-rfkill.c
|
||||
+++ b/drivers/net/wimax/i2400m/op-rfkill.c
|
||||
@@ -142,12 +142,12 @@ int i2400m_op_rfkill_sw_toggle(struct wi
|
||||
"%d\n", result);
|
||||
result = 0;
|
||||
error_cmd:
|
||||
- kfree(cmd);
|
||||
kfree_skb(ack_skb);
|
||||
error_msg_to_dev:
|
||||
error_alloc:
|
||||
d_fnend(4, dev, "(wimax_dev %p state %d) = %d\n",
|
||||
wimax_dev, state, result);
|
||||
+ kfree(cmd);
|
||||
return result;
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
From: Navid Emamdoost <navid.emamdoost@gmail.com>
|
||||
Date: Tue, 10 Sep 2019 18:01:40 -0500
|
||||
Subject: wimax: i2400: fix memory leak
|
||||
Origin: https://git.kernel.org/linus/2507e6ab7a9a440773be476141a255934468c5ef
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19051
|
||||
|
||||
In i2400m_op_rfkill_sw_toggle cmd buffer should be released along with
|
||||
skb response.
|
||||
|
||||
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/net/wimax/i2400m/op-rfkill.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/drivers/net/wimax/i2400m/op-rfkill.c
|
||||
+++ b/drivers/net/wimax/i2400m/op-rfkill.c
|
||||
@@ -142,6 +142,7 @@ int i2400m_op_rfkill_sw_toggle(struct wi
|
||||
"%d\n", result);
|
||||
result = 0;
|
||||
error_cmd:
|
||||
+ kfree(cmd);
|
||||
kfree_skb(ack_skb);
|
||||
error_msg_to_dev:
|
||||
error_alloc:
|
||||
|
|
@ -301,5 +301,8 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
|
|||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
debian/ntfs-mark-it-as-broken.patch
|
||||
bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
|
||||
bugfix/all/wimax-i2400-fix-memory-leak.patch
|
||||
bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
|
|
|||
Loading…
Reference in New Issue