Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64893.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-64893
Upstream
Published
2025-07-10T09:15:29Z
Modified
2026-04-01T05:20:25.954970Z
Summary
CVE-2025-38348 affecting package kernel for versions less than 6.6.96.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()

Robert Morris reported:

|If a malicious USB device pretends to be an Intersil p54 wifi
|interface and generates an eeprom_readback message with a large
|eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the
|message beyond the end of priv->eeprom.
|
|static void p54_rx_eeprom_readback(struct p54_common *priv,
|                                   struct sk_buff *skb)
|{
|        struct p54_hdr *hdr = (struct p54_hdr *) skb->data;
|        struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data;
|
|        if (priv->fw_var >= 0x509) {
|                memcpy(priv->eeprom, eeprom->v2.data,
|                       le16_to_cpu(eeprom->v2.len));
|        } else {
|                memcpy(priv->eeprom, eeprom->v1.data,
|                       le16_to_cpu(eeprom->v1.len));
|        }
| [...]

The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom(). The device is supposed to provide the same length back to the driver. But yes, it's possible (like shown in the report) to alter the value to something that causes a crash/panic due to overrun.

This patch addresses the issue by adding the size to the common device context, so p54_rx_eeprom_readback no longer relies on possibly tampered values... That said, it also checks if the "firmware" altered the value and no longer copies them.

The one, small saving grace is: Before the driver tries to read the eeprom, it needs to upload >a< firmware. The vendor firmware has a proprietary license and as a reason, it is not present on most distributions by default.
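
A user-space model of the fix the commit message describes, as an added example that is not the kernel's code: the host records the slice size it requested in its own context, and the reply handler rejects any reply whose length field differs instead of copying with it. All struct and function names are hypothetical, the sample reply is constructed, and the wire-length check is an extra assumption of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model; names are illustrative, not the driver's. */
struct readback_msg {            /* reply supplied by the device */
    uint8_t len_le[2];           /* little-endian length, device-controlled */
    uint8_t data[64];
};

struct dev_ctx {
    uint8_t *eeprom;             /* destination set by the request path */
    size_t   slice_size;         /* length the host asked for, host-owned */
};

static size_t msg_len(const struct readback_msg *m)
{
    return (size_t)m->len_le[0] | ((size_t)m->len_le[1] << 8);
}

/* Request path: record the size before talking to the device. */
static void request_slice(struct dev_ctx *ctx, uint8_t *dst, size_t want)
{
    ctx->eeprom = dst;
    ctx->slice_size = want;
}

/* Reply path: returns 0 if copied, -1 if the reply was rejected. */
static int rx_readback(struct dev_ctx *ctx, const struct readback_msg *m,
                       size_t wire_len)
{
    if (!ctx->eeprom)
        return -1;               /* no request outstanding */
    if (msg_len(m) != ctx->slice_size)
        return -1;               /* device altered the length: do not copy */
    if (wire_len < offsetof(struct readback_msg, data) + ctx->slice_size)
        return -1;               /* reply shorter than the requested slice */
    memcpy(ctx->eeprom, m->data, ctx->slice_size); /* host-owned size only */
    ctx->eeprom = NULL;          /* one reply per request in this model */
    return 0;
}

int main(void)
{
    uint8_t buf[16];
    struct dev_ctx ctx = {0};
    struct readback_msg m = { .len_le = {0xff, 0x0f} }; /* constructed: tampered length */
    request_slice(&ctx, buf, sizeof buf);
    return rx_readback(&ctx, &m, sizeof m) == -1 ? 0 : 1;
}
```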

References

Affected packages

Azure Linux:3 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.96.1-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64893.json"