| author | David Chu <david.chu@mediatek.com> | 2018-08-06 18:39:15 -0700 |
|---|---|---|
| committer | Ben Fennema <fennema@google.com> | 2018-08-16 15:52:11 -0700 |
| commit | 5f7ba64dbb0f566149f5190db8c229da623a54bb (patch) | |
| tree | 01516a711965c2065a82d6dd725728579ebb149e | |
| parent | 4afa485f96571c751e4295b92effc95328c22b8b (diff) | |
| download | mediatek-android-mediatek-pike-3.10-oreo-wear-dr.tar.gz | |
Security Patch: WLAN Gen2: Security Vulnerability Issue 72312071
Refs: android-wear-8.0.0_r0.50, android-mediatek-pike-3.10-oreo-wear-dr
[Detail]
Multiple Kernel Memory Corruption Issues in Mediatek cfg80211 Subsystem
[Solution]
In mtk_cfg80211_vendor_set_config the value num_buckets must be
validated to ensure it is not greater than the size of the buckets array.
CVE-2018-9395
Change-Id: If07b758108922dd12ac4eb5d93ce2eab0ce06dae
Signed-off-by: Ben Fennema <fennema@google.com>
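The commit message describes the fix as bounding a user-supplied count against a fixed-size array before anything iterates over it. The following is an added example written for this page, not code from the MediaTek driver: a user-space model of that check that parses a constructed netlink-style u32 attribute and stores the count under three policies (trust it as-is, clamp it as the patch does, or reject the request), then reports whether the resulting count is safe for a per-bucket loop. `GSCAN_MAX_BUCKETS`, `ATTR_NUM_BUCKETS`, the attribute layout and the `scan_cmd` fields are assumptions chosen to mirror the shape of the driver code, not its real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GSCAN_MAX_BUCKETS 8u   /* assumed size of the buckets array */
#define ATTR_NUM_BUCKETS  1u   /* assumed attribute type id */

/* TLV attribute header modelled on netlink's nlattr: 16-bit total length
 * (header + payload), 16-bit type, payload follows. The layout is an assumption. */
struct attr_hdr { uint16_t len; uint16_t type; };

/* Stand-in for the driver's scan command (assumed fields). */
struct scan_cmd {
    uint32_t num_buckets;
    uint32_t bucket_period[GSCAN_MAX_BUCKETS];
};

/* Builds one u32 attribute into buf and returns the bytes written. This only
 * constructs sample input for the example; it is not part of the driver. */
static size_t build_u32_attr(uint8_t *buf, uint16_t type, uint32_t value)
{
    struct attr_hdr h = { (uint16_t)(sizeof h + sizeof value), type };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &value, sizeof value);
    return sizeof h + sizeof value;
}

/* Reads a u32 attribute of the wanted type; -1 if truncated or the wrong type. */
static int get_u32_attr(const uint8_t *buf, size_t buflen, uint16_t want, uint32_t *out)
{
    struct attr_hdr h;
    if (buflen < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.type != want || h.len != sizeof h + sizeof *out || h.len > buflen) return -1;
    memcpy(out, buf + sizeof h, sizeof *out);
    return 0;
}

enum count_policy { COUNT_TRUST, COUNT_CLAMP, COUNT_REJECT };

/* Applies the NUM_BUCKETS attribute under one of three policies:
 *   COUNT_TRUST  - store the caller's value unchanged (the pre-patch shape);
 *   COUNT_CLAMP  - cap it at GSCAN_MAX_BUCKETS (what the patch does);
 *   COUNT_REJECT - refuse the whole request when it exceeds the array size.
 * Returns 0 on success, -1 when the request is malformed or rejected. */
static int handle_num_buckets(const uint8_t *buf, size_t buflen,
                              struct scan_cmd *cmd, enum count_policy policy)
{
    uint32_t requested;
    if (get_u32_attr(buf, buflen, ATTR_NUM_BUCKETS, &requested) != 0) return -1;
    switch (policy) {
    case COUNT_TRUST:
        cmd->num_buckets = requested;
        break;
    case COUNT_CLAMP:
        cmd->num_buckets = requested <= GSCAN_MAX_BUCKETS ? requested : GSCAN_MAX_BUCKETS;
        break;
    case COUNT_REJECT:
        if (requested > GSCAN_MAX_BUCKETS) return -1;   /* -EINVAL in a kernel driver */
        cmd->num_buckets = requested;
        break;
    }
    return 0;
}

/* The invariant every later per-bucket loop depends on. A loop of the form
 *   for (i = 0; i < cmd->num_buckets; i++) cmd->bucket_period[i] = ...;
 * writes past bucket_period[] whenever this returns 0. */
static int bucket_count_in_bounds(const struct scan_cmd *cmd)
{
    return cmd->num_buckets <= GSCAN_MAX_BUCKETS;
}

/* Runs one constructed request end to end. Returns 1 when the stored count
 * is safe to iterate, 0 when it is out of bounds, -1 when it was rejected. */
static int request_is_safe(uint32_t requested, enum count_policy policy)
{
    uint8_t buf[16];
    struct scan_cmd cmd;
    size_t n = build_u32_attr(buf, ATTR_NUM_BUCKETS, requested);
    memset(&cmd, 0, sizeof cmd);
    if (handle_num_buckets(buf, n, &cmd, policy) != 0) return -1;
    return bucket_count_in_bounds(&cmd);
}

/* Same request, but reports the count that ended up in the command
 * (UINT32_MAX when the request was rejected and nothing was stored). */
static uint32_t stored_count(uint32_t requested, enum count_policy policy)
{
    uint8_t buf[16];
    struct scan_cmd cmd;
    size_t n = build_u32_attr(buf, ATTR_NUM_BUCKETS, requested);
    memset(&cmd, 0, sizeof cmd);
    if (handle_num_buckets(buf, n, &cmd, policy) != 0) return UINT32_MAX;
    return cmd.num_buckets;
}

int main(void)
{
    /* Constructed request asking for 4096 buckets against an array of 8. */
    printf("trust : safe=%d stored=%u\n", request_is_safe(4096, COUNT_TRUST),  stored_count(4096, COUNT_TRUST));
    printf("clamp : safe=%d stored=%u\n", request_is_safe(4096, COUNT_CLAMP),  stored_count(4096, COUNT_CLAMP));
    printf("reject: safe=%d stored=%u\n", request_is_safe(4096, COUNT_REJECT), stored_count(4096, COUNT_REJECT));
    return 0;
}
```

The clamp variant is what the hunk below applies; the reject variant is the stricter alternative, since it keeps a malformed request from proceeding with a count the caller never asked for. Either one restores the invariant that `bucket_count_in_bounds` checks, which is the property the per-bucket loops in the real driver rely on.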
-rw-r--r-- | drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_vendor.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_vendor.c b/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_vendor.c index 511d5996d5ef..0174cade617f 100644 --- a/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_vendor.c +++ b/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_vendor.c @@ -134,6 +134,7 @@ int mtk_cfg80211_vendor_set_config(struct wiphy *wiphy, struct wireless_dev *wde struct nlattr *pbucket, *pchannel; UINT_32 len_basic, len_bucket, len_channel; int i, j, k; + UINT_32 u4ArySize; static struct nla_policy policy[GSCAN_ATTRIBUTE_REPORT_EVENTS + 1] = { [GSCAN_ATTRIBUTE_NUM_BUCKETS] = {.type = NLA_U32}, [GSCAN_ATTRIBUTE_BASE_PERIOD] = {.type = NLA_U32}, @@ -174,7 +175,10 @@ int mtk_cfg80211_vendor_set_config(struct wiphy *wiphy, struct wireless_dev *wde len_basic += NLA_ALIGN(attr[k]->nla_len); break; case GSCAN_ATTRIBUTE_NUM_BUCKETS: - prWifiScanCmd->num_buckets = nla_get_u32(attr[k]); + u4ArySize = nla_get_u32(attr[k]); + prWifiScanCmd->num_buckets = + (u4ArySize <= GSCAN_MAX_BUCKETS) + ? u4ArySize : GSCAN_MAX_BUCKETS; len_basic += NLA_ALIGN(attr[k]->nla_len); DBGLOG(SCN, INFO, "attr=0x%x, num_buckets=%d nla_len=%d, \r\n", *(UINT_32 *) attr[k], prWifiScanCmd->num_buckets, attr[k]->nla_len); |
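Review bot: in the first hunk (the `+ UINT_32 u4ArySize;` declaration at function scope), the variable is only ever assigned and read inside the `GSCAN_ATTRIBUTE_NUM_BUCKETS` case, so it could be declared in a block local to that case instead of alongside `i, j, k`; a name that says what it holds, for example `u4NumBuckets`, would also read better than `u4ArySize`, which suggests the size of the array rather than the count requested by the caller.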
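Review bot: in the second hunk, the clamp `(u4ArySize <= GSCAN_MAX_BUCKETS) ? u4ArySize : GSCAN_MAX_BUCKETS` stops the out-of-bounds write but silently turns an oversized request into a valid-looking one, and the `DBGLOG` on the following context line prints only the clamped `prWifiScanCmd->num_buckets`, so the original value is never recorded. Consider returning an error (-EINVAL) when `u4ArySize > GSCAN_MAX_BUCKETS`, or at minimum logging `u4ArySize` next to the clamped value, so a malformed request is visible rather than quietly accepted. Since the commit message describes multiple corruption issues, it is also worth confirming that the per-bucket and per-channel parsing further down in this function (not part of this hunk) bounds its own counts the same way.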