Headline
CVE-2017-7541: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()" has been added to the 4.11-stable tree — Linux Stable Kernel Updates
The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet.
This is a note to let you know that I’ve just added the patch titled
brcmfmac: fix possible buffer overflow in brcmf\_cfg80211\_mgmt\_tx()
to the 4.11-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is: brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80211_mgmt_tx.patch and it can be found in the queue-4.11 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@xxxxxxxxxxxxxxx know about it.
From foo@baz Mon Jul 17 18:47:09 CEST 2017 From: Arend van Spriel arend.vanspriel@xxxxxxxxxxxx Date: Fri, 7 Jul 2017 21:09:06 +0100 Subject: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
From: Arend van Spriel arend.vanspriel@xxxxxxxxxxxx
[ Upstream commit 8f44c9a41386729fea410e688959ddaa9d51be7c ]
The lower level nl80211 code in cfg80211 ensures that “len” is between 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from “len” so thats’s max of 2280. However, the action_frame->data[] buffer is only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can overflow.
memcpy(action\_frame->data, &buf\[DOT11\_MGMT\_HDR\_LEN\],
le16\_to\_cpu(action\_frame->len));
Cc: stable@xxxxxxxxxxxxxxx # 3.9.x Fixes: 18e2f61db3b70 (“brcmfmac: P2P action frame tx.”) Reported-by: "freenerguo(郭大兴)" freenerguo@xxxxxxxxxxx Signed-off-by: Arend van Spriel arend.vanspriel@xxxxxxxxxxxx Signed-off-by: David S. Miller davem@xxxxxxxxxxxxx Signed-off-by: Greg Kroah-Hartman gregkh@xxxxxxxxxxxxxxxxxxx
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++ 1 file changed, 5 insertions(+)
— a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -4835,6 +4835,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true, GFP_KERNEL); } else if (ieee80211_is_action(mgmt->frame_control)) {
if (len > BRCMF\_FIL\_ACTION\_FRAME\_SIZE + DOT11\_MGMT\_HDR\_LEN) {brcmf\_err("invalid action frame length\\n");err = -EINVAL;goto exit;} af\_params = kzalloc(sizeof(\*af\_params), GFP\_KERNEL); if (af\_params == NULL) { brcmf\_err("unable to allocate frame\\n");
Patches currently in stable-queue which might be from arend.vanspriel@xxxxxxxxxxxx are
queue-4.11/brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80211_mgmt_tx.patch