On Wed, Oct 11, 2017 at 10:32:09AM +0200, Johannes Berg wrote: > From: Peng Xu <pxu@xxxxxxxxxxxxxxxx> > > Upstream commit ad670233c9e1d5feb365d870e30083ef1b889177. > > Define a policy for packet pattern attributes in order to fix a > potential read over the end of the buffer during nla_get_u32() > of the NL80211_PKTPAT_OFFSET attribute. > > Note that the data there can always be read due to SKB allocation > (with alignment and struct skb_shared_info at the end), but the > data might be uninitialized. This could be used to leak some data > from uninitialized vmalloc() memory, but most drivers don't allow > an offset (so you'd just get -EINVAL if the data is non-zero) or > just allow it with a fixed value - 100 or 128 bytes, so anything > above that would get -EINVAL. With brcmfmac the limit is 1500 so > (at least) one byte could be obtained. > > Cc: stable@xxxxxxxxxx > Signed-off-by: Peng Xu <pxu@xxxxxxxxxxxxxxxx> > Signed-off-by: Jouni Malinen <jouni@xxxxxxxxxxxxxxxx> > [rewrite description based on SKB allocation knowledge] > Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> > --- > net/wireless/nl80211.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) Thanks for the backports, now queued up. greg k-h