Add various security fixes not yet in 4.19-stable
All of these are already fixed in jessie, and upgrades shouldn't regress.
parent
72ff5abae4
commit
56dd5fa07e
|
@ -1253,6 +1253,11 @@ linux (4.19.97-1) UNRELEASED; urgency=medium
|
||||||
* aufs: Update support patchset to aufs4.19.63+ 20200113; no functional
|
* aufs: Update support patchset to aufs4.19.63+ 20200113; no functional
|
||||||
changes
|
changes
|
||||||
* Bump ABI to 8
|
* Bump ABI to 8
|
||||||
|
* libertas: Fix two buffer overflows at parsing bss descriptor
|
||||||
|
(CVE-2019-14896, CVE-2019-14897)
|
||||||
|
* wimax: i2400: fix memory leak (CVE-2019-19051)
|
||||||
|
* wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
|
||||||
|
(CVE-2019-19051)
|
||||||
|
|
||||||
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 14 Dec 2019 22:00:16 +0100
|
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 14 Dec 2019 22:00:16 +0100
|
||||||
|
|
||||||
|
|
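--- a/debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
+++ b/debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
@@ -0,0 +1,64 @@
+From: Wen Huang <huangwenabc@gmail.com>
+Date: Thu, 28 Nov 2019 18:51:04 +0800
+Subject: libertas: Fix two buffer overflows at parsing bss descriptor
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit/?id=e5e884b42639c74b5b57dc277909915c0aefc8bb
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14896
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14897
+
+add_ie_rates() copys rates without checking the length
+in bss descriptor from remote AP.when victim connects to
+remote attacker, this may trigger buffer overflow.
+lbs_ibss_join_existing() copys rates without checking the length
+in bss descriptor from remote IBSS node.when victim connects to
+remote attacker, this may trigger buffer overflow.
+Fix them by putting the length check before performing copy.
+
+This fix addresses CVE-2019-14896 and CVE-2019-14897.
+This also fix build warning of mixed declarations and code.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Wen Huang <huangwenabc@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+--- a/drivers/net/wireless/marvell/libertas/cfg.c
++++ b/drivers/net/wireless/marvell/libertas/cfg.c
+@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int
+int hw, ap, ap_max = ie[1];
+u8 hw_rate;
+
++ if (ap_max > MAX_RATES) {
++ lbs_deb_assoc("invalid rates\n");
++ return tlv;
++ }
+/* Advance past IE header */
+ie += 2;
+
+@@ -1717,6 +1721,9 @@ static int lbs_ibss_join_existing(struct
+struct cmd_ds_802_11_ad_hoc_join cmd;
+u8 preamble = RADIO_PREAMBLE_SHORT;
+int ret = 0;
++ int hw, i;
++ u8 rates_max;
++ u8 *rates;
+
+/* TODO: set preamble based on scan result */
+ret = lbs_set_radio(priv, preamble, 1);
+@@ -1775,9 +1782,12 @@ static int lbs_ibss_join_existing(struct
+if (!rates_eid) {
+lbs_add_rates(cmd.bss.rates);
+} else {
+- int hw, i;
+- u8 rates_max = rates_eid[1];
+- u8 *rates = cmd.bss.rates;
++ rates_max = rates_eid[1];
++ if (rates_max > MAX_RATES) {
++ lbs_deb_join("invalid rates");
++ goto out;
++ }
++ rates = cmd.bss.rates;
+for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
+u8 hw_rate = lbs_rates[hw].bitrate / 5;
+for (i = 0; i < rates_max; i++) {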
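Review bot: In the third cfg.c hunk, the new `rates_max > MAX_RATES` branch in lbs_ibss_join_existing() leaves through `goto out` without setting an error code. The only assignments to `ret` visible in the hunks are `int ret = 0` and `ret = lbs_set_radio(priv, preamble, 1)`, so an oversized rates element from the remote IBSS node appears to be reported to the caller as a successful join. Adding `ret = -EINVAL;` before `goto out;` would make the rejection visible. The function body between the second and third hunks, and the `out:` label itself, are outside the hunks; if `rates_eid` is looked up under `rcu_read_lock()`, the early exit also needs `rcu_read_unlock();` before the jump. As a minor point, `lbs_deb_join("invalid rates")` lacks the trailing `\n` that the first hunk's `lbs_deb_assoc("invalid rates\n")` carries.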
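--- a/debian/patches/bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
+++ b/debian/patches/bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
@@ -0,0 +1,37 @@
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Fri, 25 Oct 2019 23:53:30 -0500
+Subject: wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
+Origin: https://git.kernel.org/linus/6f3ef5c25cc762687a7341c18cbea5af54461407
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15217
+
+In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
+buffer for cmd should be released before returning. The
+documentation for i2400m_msg_to_dev() says when it returns the buffer
+can be reused. Meaning cmd should be released in either case. Move
+kfree(cmd) before return to be reached by all execution paths.
+
+Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -142,12 +142,12 @@ int i2400m_op_rfkill_sw_toggle(struct wi
+"%d\n", result);
+result = 0;
+error_cmd:
+- kfree(cmd);
+kfree_skb(ack_skb);
+error_msg_to_dev:
+error_alloc:
+d_fnend(4, dev, "(wimax_dev %p state %d) = %d\n",
+wimax_dev, state, result);
++ kfree(cmd);
+return result;
+}
+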
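Review bot: The `Bug-Debian-Security` header of this patch points at CVE-2019-15217, while the changelog entry for the same patch and the sibling wimax-i2400-fix-memory-leak.patch both name CVE-2019-19051. The `Fixes: 2507e6ab7a9a` tag ties this change to that sibling fix, so the tracker link looks like a typo. If so, the header should read `Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19051`. Left as is, anything that maps patches to tracker entries from this header would credit the fix to the wrong issue.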
|
@ -0,0 +1,27 @@
|
||||||
|
From: Navid Emamdoost <navid.emamdoost@gmail.com>
|
||||||
|
Date: Tue, 10 Sep 2019 18:01:40 -0500
|
||||||
|
Subject: wimax: i2400: fix memory leak
|
||||||
|
Origin: https://git.kernel.org/linus/2507e6ab7a9a440773be476141a255934468c5ef
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19051
|
||||||
|
|
||||||
|
In i2400m_op_rfkill_sw_toggle cmd buffer should be released along with
|
||||||
|
skb response.
|
||||||
|
|
||||||
|
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
|
||||||
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||||
|
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||||
|
---
|
||||||
|
drivers/net/wimax/i2400m/op-rfkill.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
--- a/drivers/net/wimax/i2400m/op-rfkill.c
|
||||||
|
+++ b/drivers/net/wimax/i2400m/op-rfkill.c
|
||||||
|
@@ -142,6 +142,7 @@ int i2400m_op_rfkill_sw_toggle(struct wi
|
||||||
|
"%d\n", result);
|
||||||
|
result = 0;
|
||||||
|
error_cmd:
|
||||||
|
+ kfree(cmd);
|
||||||
|
kfree_skb(ack_skb);
|
||||||
|
error_msg_to_dev:
|
||||||
|
error_alloc:
|
|
@ -301,5 +301,8 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
|
||||||
# Security fixes
|
# Security fixes
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
debian/ntfs-mark-it-as-broken.patch
|
debian/ntfs-mark-it-as-broken.patch
|
||||||
|
bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
|
||||||
|
bugfix/all/wimax-i2400-fix-memory-leak.patch
|
||||||
|
bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
|
||||||
|
|
||||||
# ABI maintenance
|
# ABI maintenance
|
||||||
|
|