107 lines
4.1 KiB
Diff
107 lines
4.1 KiB
Diff
From: Arend van Spriel <arend.vanspriel@broadcom.com>
|
|
Date: Thu, 14 Feb 2019 13:43:48 +0100
|
|
Subject: brcmfmac: add subtype check for event handling in data path
|
|
Origin: https://git.kernel.org/linus/a4176ec356c73a46c07c181c6d04039fafa34a9f
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9503
|
|
|
|
For USB there is no separate channel being used to pass events
|
|
from firmware to the host driver and as such are passed over the
|
|
data path. In order to detect mock event messages an additional
|
|
check is needed on event subtype. This check is added conditionally
|
|
using unlikely() keyword.
|
|
|
|
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
|
|
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
|
|
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
|
|
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
|
|
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
|
---
|
|
.../wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++--
|
|
.../wireless/broadcom/brcm80211/brcmfmac/fweh.h | 16 ++++++++++++----
|
|
.../broadcom/brcm80211/brcmfmac/msgbuf.c | 2 +-
|
|
3 files changed, 16 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
|
|
index e772c0845638..a368ba6e7344 100644
|
|
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
|
|
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
|
|
@@ -519,7 +519,8 @@ void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_event)
|
|
} else {
|
|
/* Process special event packets */
|
|
if (handle_event)
|
|
- brcmf_fweh_process_skb(ifp->drvr, skb);
|
|
+ brcmf_fweh_process_skb(ifp->drvr, skb,
|
|
+ BCMILCP_SUBTYPE_VENDOR_LONG);
|
|
|
|
brcmf_netif_rx(ifp, skb);
|
|
}
|
|
@@ -536,7 +537,7 @@ void brcmf_rx_event(struct device *dev, struct sk_buff *skb)
|
|
if (brcmf_rx_hdrpull(drvr, skb, &ifp))
|
|
return;
|
|
|
|
- brcmf_fweh_process_skb(ifp->drvr, skb);
|
|
+ brcmf_fweh_process_skb(ifp->drvr, skb, 0);
|
|
brcmu_pkt_buf_free_skb(skb);
|
|
}
|
|
|
|
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
|
|
index 31f3e8e83a21..7027243db17e 100644
|
|
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
|
|
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
|
|
@@ -211,7 +211,7 @@ enum brcmf_fweh_event_code {
|
|
*/
|
|
#define BRCM_OUI "\x00\x10\x18"
|
|
#define BCMILCP_BCM_SUBTYPE_EVENT 1
|
|
-
|
|
+#define BCMILCP_SUBTYPE_VENDOR_LONG 32769
|
|
|
|
/**
|
|
* struct brcm_ethhdr - broadcom specific ether header.
|
|
@@ -334,10 +334,10 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
|
|
void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing);
|
|
|
|
static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
|
|
- struct sk_buff *skb)
|
|
+ struct sk_buff *skb, u16 stype)
|
|
{
|
|
struct brcmf_event *event_packet;
|
|
- u16 usr_stype;
|
|
+ u16 subtype, usr_stype;
|
|
|
|
/* only process events when protocol matches */
|
|
if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL))
|
|
@@ -346,8 +346,16 @@ static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
|
|
if ((skb->len + ETH_HLEN) < sizeof(*event_packet))
|
|
return;
|
|
|
|
- /* check for BRCM oui match */
|
|
event_packet = (struct brcmf_event *)skb_mac_header(skb);
|
|
+
|
|
+ /* check subtype if needed */
|
|
+ if (unlikely(stype)) {
|
|
+ subtype = get_unaligned_be16(&event_packet->hdr.subtype);
|
|
+ if (subtype != stype)
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ /* check for BRCM oui match */
|
|
if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0],
|
|
sizeof(event_packet->hdr.oui)))
|
|
return;
|
|
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
|
|
index 4e8397a0cbc8..ee922b052561 100644
|
|
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
|
|
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
|
|
@@ -1116,7 +1116,7 @@ static void brcmf_msgbuf_process_event(struct brcmf_msgbuf *msgbuf, void *buf)
|
|
|
|
skb->protocol = eth_type_trans(skb, ifp->ndev);
|
|
|
|
- brcmf_fweh_process_skb(ifp->drvr, skb);
|
|
+ brcmf_fweh_process_skb(ifp->drvr, skb, 0);
|
|
|
|
exit:
|
|
brcmu_pkt_buf_free_skb(skb);
|
|
--
|
|
2.20.1
|
|
|