<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net/wireless, branch v3.16.83</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()</title>
<updated>2020-04-28T18:02:16+00:00</updated>
<author>
<name>qize wang</name>
<email>wangqize888888888@gmail.com</email>
</author>
<published>2019-11-29T10:10:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ef0449fb4c94e52c1f5f7170b52a738acf9af5ff'/>
<id>ef0449fb4c94e52c1f5f7170b52a738acf9af5ff</id>
<content type='text'>
commit 1e58252e334dc3f3756f424a157d1b7484464c40 upstream.

mwifiex_process_tdls_action_frame() without checking
the incoming tdls infomation element's vality before use it,
this may cause multi heap buffer overflows.

Fix them by putting vality check before use it.

IE is TLV struct, but ht_cap and  ht_oper aren’t TLV struct.
the origin marvell driver code is wrong:

memcpy(&amp;sta_ptr-&gt;tdls_cap.ht_oper, pos,....
memcpy((u8 *)&amp;sta_ptr-&gt;tdls_cap.ht_capb, pos,...

Fix the bug by changing pos(the address of IE) to
pos+2 ( the address of IE value ).

Signed-off-by: qize wang &lt;wangqize888888888@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1e58252e334dc3f3756f424a157d1b7484464c40 upstream.

mwifiex_process_tdls_action_frame() without checking
the incoming tdls infomation element's vality before use it,
this may cause multi heap buffer overflows.

Fix them by putting vality check before use it.

IE is TLV struct, but ht_cap and  ht_oper aren’t TLV struct.
the origin marvell driver code is wrong:

memcpy(&amp;sta_ptr-&gt;tdls_cap.ht_oper, pos,....
memcpy((u8 *)&amp;sta_ptr-&gt;tdls_cap.ht_capb, pos,...

Fix the bug by changing pos(the address of IE) to
pos+2 ( the address of IE value ).

Signed-off-by: qize wang &lt;wangqize888888888@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: fix probable memory corruption while processing TDLS frame</title>
<updated>2020-04-28T18:02:16+00:00</updated>
<author>
<name>Avinash Patil</name>
<email>patila@marvell.com</email>
</author>
<published>2014-09-12T14:38:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=585453f1881a2f6b650d38a6f9e45621faa0b273'/>
<id>585453f1881a2f6b650d38a6f9e45621faa0b273</id>
<content type='text'>
commit 3c99832d74777c9ec5545a92450fac5d37b0d0e1 upstream.

Size of RSN IE buffer in driver is 254 while maximum size of received buffer
to be copied to RSN IE buffer can be 255. Add boundary check to copy maximum
of 254 bytes into RSN IE buffer.

Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Avinash Patil &lt;patila@marvell.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3c99832d74777c9ec5545a92450fac5d37b0d0e1 upstream.

Size of RSN IE buffer in driver is 254 while maximum size of received buffer
to be copied to RSN IE buffer can be 255. Add boundary check to copy maximum
of 254 bytes into RSN IE buffer.

Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Avinash Patil &lt;patila@marvell.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libertas: make lbs_ibss_join_existing() return error code on rates overflow</title>
<updated>2020-04-28T18:02:16+00:00</updated>
<author>
<name>Nicolai Stange</name>
<email>nstange@suse.de</email>
</author>
<published>2020-01-14T10:39:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2485578fc363bfc01012027cca4a746993a5df52'/>
<id>2485578fc363bfc01012027cca4a746993a5df52</id>
<content type='text'>
commit 1754c4f60aaf1e17d886afefee97e94d7f27b4cb upstream.

Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing() and made it to return on overflow.

However, the aforementioned commit doesn't set the return value accordingly
and thus, lbs_ibss_join_existing() would return with zero even though it
failed.

Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
number of supplied rates fails.

Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
Signed-off-by: Nicolai Stange &lt;nstange@suse.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1754c4f60aaf1e17d886afefee97e94d7f27b4cb upstream.

Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing() and made it to return on overflow.

However, the aforementioned commit doesn't set the return value accordingly
and thus, lbs_ibss_join_existing() would return with zero even though it
failed.

Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
number of supplied rates fails.

Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
Signed-off-by: Nicolai Stange &lt;nstange@suse.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held</title>
<updated>2020-04-28T18:02:15+00:00</updated>
<author>
<name>Nicolai Stange</name>
<email>nstange@suse.de</email>
</author>
<published>2020-01-14T10:39:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f19d773f4a3192baf31500e77d4088c8e1be248c'/>
<id>f19d773f4a3192baf31500e77d4088c8e1be248c</id>
<content type='text'>
commit c7bf1fb7ddca331780b9a733ae308737b39f1ad4 upstream.

Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing().

Unfortunately, it introduced a return path from within a RCU read side
critical section without a corresponding rcu_read_unlock(). Fix this.

Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
Signed-off-by: Nicolai Stange &lt;nstange@suse.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c7bf1fb7ddca331780b9a733ae308737b39f1ad4 upstream.

Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing().

Unfortunately, it introduced a return path from within a RCU read side
critical section without a corresponding rcu_read_unlock(). Fix this.

Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
Signed-off-by: Nicolai Stange &lt;nstange@suse.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libertas: Fix two buffer overflows at parsing bss descriptor</title>
<updated>2020-04-28T18:02:15+00:00</updated>
<author>
<name>Wen Huang</name>
<email>huangwenabc@gmail.com</email>
</author>
<published>2019-11-28T10:51:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e4646070f91312414af0ca9332a79b7153150fae'/>
<id>e4646070f91312414af0ca9332a79b7153150fae</id>
<content type='text'>
commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream.

add_ie_rates() copys rates without checking the length
in bss descriptor from remote AP.when victim connects to
remote attacker, this may trigger buffer overflow.
lbs_ibss_join_existing() copys rates without checking the length
in bss descriptor from remote IBSS node.when victim connects to
remote attacker, this may trigger buffer overflow.
Fix them by putting the length check before performing copy.

This fix addresses CVE-2019-14896 and CVE-2019-14897.
This also fix build warning of mixed declarations and code.

Reported-by: kbuild test robot &lt;lkp@intel.com&gt;
Signed-off-by: Wen Huang &lt;huangwenabc@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream.

add_ie_rates() copys rates without checking the length
in bss descriptor from remote AP.when victim connects to
remote attacker, this may trigger buffer overflow.
lbs_ibss_join_existing() copys rates without checking the length
in bss descriptor from remote IBSS node.when victim connects to
remote attacker, this may trigger buffer overflow.
Fix them by putting the length check before performing copy.

This fix addresses CVE-2019-14896 and CVE-2019-14897.
This also fix build warning of mixed declarations and code.

Reported-by: kbuild test robot &lt;lkp@intel.com&gt;
Signed-off-by: Wen Huang &lt;huangwenabc@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: fix unbalanced locking in mwifiex_process_country_ie()</title>
<updated>2020-04-28T18:02:14+00:00</updated>
<author>
<name>Brian Norris</name>
<email>briannorris@chromium.org</email>
</author>
<published>2020-01-06T22:42:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6d8764d3b222716eda5050ecda0bc461080ce435'/>
<id>6d8764d3b222716eda5050ecda0bc461080ce435</id>
<content type='text'>
commit 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c upstream.

We called rcu_read_lock(), so we need to call rcu_read_unlock() before
we return.

Fixes: 3d94a4a8373b ("mwifiex: fix possible heap overflow in mwifiex_process_country_ie()")
Cc: huangwen &lt;huangwenabc@gmail.com&gt;
Cc: Ganapathi Bhat &lt;ganapathi.bhat@nxp.com&gt;
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Acked-by: Ganapathi Bhat &lt;ganapathi.bhat@nxp.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c upstream.

We called rcu_read_lock(), so we need to call rcu_read_unlock() before
we return.

Fixes: 3d94a4a8373b ("mwifiex: fix possible heap overflow in mwifiex_process_country_ie()")
Cc: huangwen &lt;huangwenabc@gmail.com&gt;
Cc: Ganapathi Bhat &lt;ganapathi.bhat@nxp.com&gt;
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Acked-by: Ganapathi Bhat &lt;ganapathi.bhat@nxp.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iwlwifi: check kasprintf() return value</title>
<updated>2020-02-11T20:03:45+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2019-11-05T13:50:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=89993c305905e3e567b1a9ed41e97a74b9af8224'/>
<id>89993c305905e3e567b1a9ed41e97a74b9af8224</id>
<content type='text'>
commit 5974fbb5e10b018fdbe3c3b81cb4cc54e1105ab9 upstream.

kasprintf() can fail, we should check the return value.

Fixes: 5ed540aecc2a ("iwlwifi: use mac80211 throughput trigger")
Fixes: 8ca151b568b6 ("iwlwifi: add the MVM driver")
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Luca Coelho &lt;luciano.coelho@intel.com&gt;
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5974fbb5e10b018fdbe3c3b81cb4cc54e1105ab9 upstream.

kasprintf() can fail, we should check the return value.

Fixes: 5ed540aecc2a ("iwlwifi: use mac80211 throughput trigger")
Fixes: 8ca151b568b6 ("iwlwifi: add the MVM driver")
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Luca Coelho &lt;luciano.coelho@intel.com&gt;
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ar5523: check NULL before memcpy() in ar5523_cmd()</title>
<updated>2020-02-11T20:03:14+00:00</updated>
<author>
<name>Denis Efremov</name>
<email>efremov@linux.com</email>
</author>
<published>2019-09-30T20:31:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=20066aeb7f3ca4525ca83df904e86a0e9bb6a592'/>
<id>20066aeb7f3ca4525ca83df904e86a0e9bb6a592</id>
<content type='text'>
commit 315cee426f87658a6799815845788fde965ddaad upstream.

memcpy() call with "idata == NULL &amp;&amp; ilen == 0" results in undefined
behavior in ar5523_cmd(). For example, NULL is passed in callchain
"ar5523_stat_work() -&gt; ar5523_cmd_write() -&gt; ar5523_cmd()". This patch
adds ilen check before memcpy() call in ar5523_cmd() to prevent an
undefined behavior.

Cc: Pontus Fuchs &lt;pontus.fuchs@gmail.com&gt;
Cc: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Cc: David Laight &lt;David.Laight@ACULAB.COM&gt;
Signed-off-by: Denis Efremov &lt;efremov@linux.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 315cee426f87658a6799815845788fde965ddaad upstream.

memcpy() call with "idata == NULL &amp;&amp; ilen == 0" results in undefined
behavior in ar5523_cmd(). For example, NULL is passed in callchain
"ar5523_stat_work() -&gt; ar5523_cmd_write() -&gt; ar5523_cmd()". This patch
adds ilen check before memcpy() call in ar5523_cmd() to prevent an
undefined behavior.

Cc: Pontus Fuchs &lt;pontus.fuchs@gmail.com&gt;
Cc: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Cc: David Laight &lt;David.Laight@ACULAB.COM&gt;
Signed-off-by: Denis Efremov &lt;efremov@linux.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cw1200: Fix a signedness bug in cw1200_load_firmware()</title>
<updated>2020-02-11T20:03:14+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2019-10-01T11:45:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6bdd5513e4726fd54990ac4c5d61581056ec6379'/>
<id>6bdd5513e4726fd54990ac4c5d61581056ec6379</id>
<content type='text'>
commit 4a50d454502f1401171ff061a5424583f91266db upstream.

The "priv-&gt;hw_type" is an enum and in this context GCC will treat it
as an unsigned int so the error handling will never trigger.

Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 &amp; CW1200 WLAN chipsets")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4a50d454502f1401171ff061a5424583f91266db upstream.

The "priv-&gt;hw_type" is an enum and in this context GCC will treat it
as an unsigned int so the error handling will never trigger.

Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 &amp; CW1200 WLAN chipsets")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ath9k_hw: fix uninitialized variable data</title>
<updated>2020-02-11T20:03:12+00:00</updated>
<author>
<name>Denis Efremov</name>
<email>efremov@linux.com</email>
</author>
<published>2019-09-26T22:56:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=135dfdaf7216b41cc098c7674c70c40a797a8b9e'/>
<id>135dfdaf7216b41cc098c7674c70c40a797a8b9e</id>
<content type='text'>
commit 80e84f36412e0c5172447b6947068dca0d04ee82 upstream.

Currently, data variable in ar9003_hw_thermo_cal_apply() could be
uninitialized if ar9300_otp_read_word() will fail to read the value.
Initialize data variable with 0 to prevent an undefined behavior. This
will be enough to handle error case when ar9300_otp_read_word() fails.

Fixes: 80fe43f2bbd5 ("ath9k_hw: Read and configure thermocal for AR9462")
Cc: Rajkumar Manoharan &lt;rmanohar@qca.qualcomm.com&gt;
Cc: John W. Linville &lt;linville@tuxdriver.com&gt;
Cc: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Signed-off-by: Denis Efremov &lt;efremov@linux.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 80e84f36412e0c5172447b6947068dca0d04ee82 upstream.

Currently, data variable in ar9003_hw_thermo_cal_apply() could be
uninitialized if ar9300_otp_read_word() will fail to read the value.
Initialize data variable with 0 to prevent an undefined behavior. This
will be enough to handle error case when ar9300_otp_read_word() fails.

Fixes: 80fe43f2bbd5 ("ath9k_hw: Read and configure thermocal for AR9462")
Cc: Rajkumar Manoharan &lt;rmanohar@qca.qualcomm.com&gt;
Cc: John W. Linville &lt;linville@tuxdriver.com&gt;
Cc: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Signed-off-by: Denis Efremov &lt;efremov@linux.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
