Security Patch: WLAN Gen2: Security Vulnerability Issue 72312071
[Detail]
Multiple Kernel Memory Corruption Issues in Mediatek cfg80211 Subsystem
[Solution]
In mtk_cfg80211_vendor_set_config the value num_buckets must be
validated to ensure it is not greater than size of the buckets array.
CVE-2018-9395
Change-Id: If07b758108922dd12ac4eb5d93ce2eab0ce06dae
Signed-off-by: Ben Fennema <fennema@google.com>
diff --git a/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_vendor.c b/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_vendor.c
index 511d599..0174cad 100644
--- a/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_vendor.c
+++ b/drivers/misc/mediatek/combo/drv_wlan/mt6630/wlan/os/linux/gl_vendor.c
@@ -134,6 +134,7 @@
struct nlattr *pbucket, *pchannel;
UINT_32 len_basic, len_bucket, len_channel;
int i, j, k;
+ UINT_32 u4ArySize;
static struct nla_policy policy[GSCAN_ATTRIBUTE_REPORT_EVENTS + 1] = {
[GSCAN_ATTRIBUTE_NUM_BUCKETS] = {.type = NLA_U32},
[GSCAN_ATTRIBUTE_BASE_PERIOD] = {.type = NLA_U32},
@@ -174,7 +175,10 @@
len_basic += NLA_ALIGN(attr[k]->nla_len);
break;
case GSCAN_ATTRIBUTE_NUM_BUCKETS:
- prWifiScanCmd->num_buckets = nla_get_u32(attr[k]);
+ u4ArySize = nla_get_u32(attr[k]);
+ prWifiScanCmd->num_buckets =
+ (u4ArySize <= GSCAN_MAX_BUCKETS)
+ ? u4ArySize : GSCAN_MAX_BUCKETS;
len_basic += NLA_ALIGN(attr[k]->nla_len);
DBGLOG(SCN, INFO, "attr=0x%x, num_buckets=%d nla_len=%d, \r\n",
*(UINT_32 *) attr[k], prWifiScanCmd->num_buckets, attr[k]->nla_len);
