linux-stable/drivers
Luca Coelho 6b524bc36a iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb()
[ Upstream commit de1887c064 ]

We don't check for the validity of the lengths in the packet received
from the firmware.  If the MPDU length received in the rx descriptor
is too short to contain the header length and the crypt length
together, we may end up trying to copy a negative number of bytes
(headlen - hdrlen < 0) which will underflow and cause us to try to
copy a huge amount of data.  This causes oopses such as this one:

BUG: unable to handle kernel paging request at ffff896be2970000
PGD 5e201067 P4D 5e201067 PUD 5e205067 PMD 16110d063 PTE 8000000162970161
Oops: 0003 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 1824 Comm: irq/134-iwlwifi Not tainted 4.19.33-04308-geea41cf4930f #1
Hardware name: [...]
RIP: 0010:memcpy_erms+0x6/0x10
Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3
 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
RSP: 0018:ffffa4630196fc60 EFLAGS: 00010287
RAX: ffff896be2924618 RBX: ffff896bc8ecc600 RCX: 00000000fffb4610
RDX: 00000000fffffff8 RSI: ffff896a835e2a38 RDI: ffff896be2970000
RBP: ffffa4630196fd30 R08: ffff896bc8ecc600 R09: ffff896a83597000
R10: ffff896bd6998400 R11: 000000000200407f R12: ffff896a83597050
R13: 00000000fffffff8 R14: 0000000000000010 R15: ffff896a83597038
FS:  0000000000000000(0000) GS:ffff896be8280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff896be2970000 CR3: 000000005dc12002 CR4: 00000000003606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 iwl_mvm_rx_mpdu_mq+0xb51/0x121b [iwlmvm]
 iwl_pcie_rx_handle+0x58c/0xa89 [iwlwifi]
 iwl_pcie_irq_rx_msix_handler+0xd9/0x12a [iwlwifi]
 irq_thread_fn+0x24/0x49
 irq_thread+0xb0/0x122
 kthread+0x138/0x140
 ret_from_fork+0x1f/0x40

Fix that by checking the lengths for correctness and triggering a warning
to show that we have received wrong data.

Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-05-25 18:25:36 +02:00
accessibility
acpi ACPICA: Namespace: remove address node from global list after method termination 2019-05-16 19:42:30 +02:00
amba
android binder: fix handling of misaligned binder object 2019-05-02 09:40:31 +02:00
ata libata: fix using DMA buffers on stack 2019-05-04 09:15:22 +02:00
atm atm: he: fix sign-extension overflow on large shift 2019-02-27 10:08:05 +01:00
auxdisplay auxdisplay: hd44780: Fix memory leak on ->remove() 2019-04-20 09:15:00 +02:00
base devres: Align data[] to ARCH_KMALLOC_MINALIGN 2019-05-16 19:42:29 +02:00
bcma
block virtio-blk: limit number of hw queues by nr_cpu_ids 2019-05-10 17:53:12 +02:00
bluetooth Bluetooth: btusb: request wake pin with NOAUTOEN 2019-05-08 07:20:51 +02:00
bus
cdrom cdrom: Fix race condition in cdrom_sysctl_register 2019-04-05 22:31:35 +02:00
char ipmi:ssif: compare block number correctly for multi-part return messages 2019-05-21 18:50:19 +02:00
clk clk: rockchip: fix wrong clock definitions for rk3328 2019-05-25 18:25:21 +02:00
clocksource clocksource/drivers/oxnas: Fix OX820 compatible 2019-05-16 19:42:21 +02:00
connector
cpufreq x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:18:42 +02:00
cpuidle
crypto crypto: rockchip - update IV buffer to contain the next IV 2019-05-21 18:50:15 +02:00
dax
dca
devfreq
dio
dma dmaengine: sh: rcar-dmac: With cyclic DMA residue 0 is valid 2019-05-02 09:40:30 +02:00
dma-buf
edac x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:18:42 +02:00
eisa
extcon
firewire
firmware efi/arm/arm64: Allow SetVirtualAddressMap() to be omitted 2019-04-05 22:31:36 +02:00
fmc
fpga
fsi
gpio gpio: of: Fix of_gpiochip_add() error path 2019-05-04 09:15:22 +02:00
gpu drm/rockchip: fix for mailbox read validation. 2019-05-16 19:42:30 +02:00
hid HID: input: add mapping for "Toggle Display" key 2019-05-16 19:42:20 +02:00
hsi
hv Drivers: hv: vmbus: Remove the undesired put_cpu_ptr() in hv_synic_cleanup() 2019-05-10 17:53:08 +02:00
hwmon hwmon: (pwm-fan) Disable PWM if fetching cooling data fails 2019-05-16 19:42:19 +02:00
hwspinlock
hwtracing intel_th: msu: Fix single mode with IOMMU 2019-05-25 18:25:19 +02:00
i2c i2c: i2c-stm32f7: Fix SDADEL minimum formula 2019-05-08 07:20:53 +02:00
ide
idle x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:18:42 +02:00
iio iio: adc: xilinx: fix potential use-after-free on remove 2019-05-16 19:42:19 +02:00
infiniband RDMA/vmw_pvrdma: Return the correct opcode when creating WR 2019-05-16 19:42:29 +02:00
input Input: elan_i2c - add hardware ID for multiple Lenovo laptops 2019-05-16 19:42:30 +02:00
iommu iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114 2019-05-25 18:25:22 +02:00
ipack
irqchip MIPS: perf: ath79: Fix perfcount IRQ assignment 2019-05-16 19:42:23 +02:00
isdn mISDN: Check address length before reading address family 2019-05-16 19:42:21 +02:00
leds leds: pwm: silently error out on EPROBE_DEFER 2019-05-16 19:42:29 +02:00
lightnvm
macintosh
mailbox mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue 2019-03-23 14:35:15 +01:00
mcb
md dm delay: fix a crash when invalid device is specified 2019-05-25 18:25:33 +02:00
media media: ov6650: Fix sensor possibly not detected on probe 2019-05-25 18:25:19 +02:00
memory memory: tegra: Fix integer overflow on tick value calculation 2019-05-25 18:25:25 +02:00
memstick
message
mfd mfd: mc13xxx: Fix a missing check of a register-read failure 2019-02-27 10:08:03 +01:00
misc lkdtm: Add tests for NULL pointer dereference 2019-04-20 09:15:06 +02:00
mmc x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:18:42 +02:00
mtd mtd: spi-nor: intel-spi: Avoid crossing 4K address boundary on read/write 2019-05-21 18:50:17 +02:00
mux
net iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() 2019-05-25 18:25:36 +02:00
nfc spi: ST ST95HF NFC: declare missing of table 2019-05-16 19:42:24 +02:00
ntb
nubus
nvdimm libnvdimm/btt: Fix a kmemdup failure check 2019-05-16 19:42:20 +02:00
nvme nvme-loop: init nvmet_ctrl fatal_err_work when allocate 2019-05-08 07:20:47 +02:00
nvmem
of
oprofile
parisc parisc: Skip registering LED when running in QEMU 2019-05-25 18:25:18 +02:00
parport parport_pc: fix find_superio io compare code, should use equal test. 2019-03-23 14:35:24 +01:00
pci PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum 2019-05-25 18:25:32 +02:00
pcmcia
perf
phy phy: sun4i-usb: Support set_mode to USB_HOST for non-OTG PHYs 2019-04-03 06:25:19 +02:00
pinctrl pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins 2019-03-23 14:35:14 +01:00
platform platform/x86: thinkpad_acpi: Disable Bluetooth for some machines 2019-05-16 19:42:19 +02:00
pnp
power power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG 2019-05-25 18:25:35 +02:00
powercap x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:18:42 +02:00
pps
ps3
ptp
pwm
rapidio
ras
regulator regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting 2019-04-05 22:31:39 +02:00
remoteproc
reset
rpmsg
rtc rtc: da9063: set uie_unsupported when relevant 2019-05-08 07:20:49 +02:00
s390 s390: ctcm: fix ctcm_new_device error return code 2019-05-16 19:42:24 +02:00
sbus
scsi scsi: raid_attrs: fix unused variable warning 2019-05-16 19:42:27 +02:00
sfi
sh
sn
soc soc/tegra: pmc: Drop locking from tegra_powergate_is_powered() 2019-04-20 09:15:06 +02:00
spi spi: pxa2xx: Setup maximum supported DMA transfer length 2019-03-23 14:35:19 +01:00
spmi
ssb
staging staging: olpc_dcon: add a missing dependency 2019-05-16 19:42:28 +02:00
target scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock 2019-03-23 14:35:20 +01:00
tc
tee
thermal x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:18:42 +02:00
thunderbolt
tty tty/vt: fix write/write race in ioctl(KDSKBSENT) handler 2019-05-21 18:50:18 +02:00
uio
usb USB: serial: fix unthrottle races 2019-05-16 19:42:19 +02:00
uwb
vfio vfio/pci: use correct format characters 2019-05-08 07:20:49 +02:00
vhost vhost: reject zero size iova range 2019-04-27 09:35:34 +02:00
video fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting 2019-05-25 18:25:30 +02:00
virt drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl 2019-05-16 19:42:35 +02:00
virtio virtio_pci: fix a NULL pointer reference in vp_del_vqs 2019-05-10 17:53:11 +02:00
vlynq
vme
w1 USB: w1 ds2490: Fix bug caused by improper use of altsetting array 2019-05-08 07:20:46 +02:00
watchdog
xen xen/pvcalls: remove set but not used variable 'intf' 2019-02-27 10:08:03 +01:00
zorro
Kconfig
Makefile