Arend van Spriel afaf5e9a94 UPSTREAM: brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() ...

commit ded8991215 upstream

User-space can choose to omit NL80211_ATTR_SSID and only provide raw
IE TLV data. When doing so it can provide SSID IE with length exceeding
the allowed size. The driver further processes this IE copying it
into a local variable without checking the length. Hence stack can be
corrupted and used as exploit.

Cc: stable@vger.kernel.org # v4.4, v4.1
Reported-by: Daxing Guo <freener.gdx@gmail.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

2016-10-12 17:34:22 +05:30

..

accessibility

…

acpi

ACPI / SRAT: fix SRAT parsing order with both LAPIC and X2APIC present

2016-09-07 08:32:45 +02:00

amba

…

android

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-03-14 15:32:21 +08:00

ata

libata: LITE-ON CX1-JB256-HP needs lower max_sectors

2016-08-10 11:49:29 +02:00

atm

…

auxdisplay

…

base

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-07-29 21:38:37 +01:00

bcma

x86/quirks: Add early quirk to reset Apple AirPort card

2016-08-10 11:49:24 +02:00

block

nbd: ratelimit error msgs after socket close

2016-05-11 11:21:10 +02:00

bluetooth

Bluetooth: Add support for Intel Bluetooth device 8265 [8087:0a2b]

2016-09-15 08:27:49 +02:00

bus

bus: arm-ccn: Fix XP watchpoint settings bitmask

2016-09-24 10:07:40 +02:00

cdrom

…

char

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-09-20 15:18:54 +08:00

clk

clk: xgene: Fix divider with non-zero shift value

2016-09-15 08:27:39 +02:00

clocksource

clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function

2016-09-24 10:07:35 +02:00

connector

connector: bump skb->users before callback invocation

2016-01-04 21:46:45 -05:00

cpufreq

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-09-20 15:18:54 +08:00

cpuidle

sched, cpuidle: Track cpuidle state index in the scheduler

2016-09-14 14:48:50 +05:30

crypto

crypto: caam - fix IV loading for authenc (giv)decryption

2016-09-15 08:27:53 +02:00

dca

…

devfreq

…

dio

…

dma

dmaengine: usb-dmac: check CHCR.DE bit in usb_dmac_isr_channel()

2016-09-07 08:32:44 +02:00

dma-buf

CHROMIUM: android: fix warning when releasing active sync point

2016-02-16 13:53:25 -08:00

edac

EDAC: Increment correct counter in edac_inc_ue_error()

2016-09-07 08:32:41 +02:00

eisa

…

extcon

extcon: max77843: Use correct size for reading the interrupt register

2016-05-04 14:48:54 -07:00

firewire

Merge tag 'firewire-update' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394

2015-11-11 10:21:34 -08:00

firmware

arm64: kaslr: increase randomization granularity

2016-07-29 18:59:49 +02:00

fmc

…

fpga

fpga manager: Fix firmware resource leak on error

2015-11-24 15:25:46 -08:00

gpio

gpio: Fix OF build problem on UM

2016-09-07 08:32:43 +02:00

gpu

Merge remote-tracking branch 'lts/linux-4.4.y' into linux-linaro-lsk-v4.4

2016-10-05 14:53:08 +02:00

hid

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-09-20 15:18:54 +08:00

hsi

hsi: controllers:remove redundant code

2015-10-30 16:10:40 +01:00

hv

drivers:hv: Lock access to hyperv_mmio resource tree

2016-09-15 08:27:50 +02:00

hwmon

hwmon: (iio_hwmon) fix memory leak in name attribute

2016-09-07 08:32:46 +02:00

hwspinlock

drivers/hwspinlock: fix race between radix tree insertion and lookup

2016-02-25 12:01:23 -08:00

hwtracing

Merge tag 'v4.4.17' into linux-linaro-lsk-v4.4

2016-08-11 12:15:51 +08:00

i2c

i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended

2016-09-30 10:18:38 +02:00

ide

mm, page_alloc: rename __GFP_WAIT to __GFP_RECLAIM

2015-11-06 17:50:42 -08:00

idle

intel_idle: Support for Intel Xeon Phi Processor x200 Product Family

2016-09-15 08:27:46 +02:00

iio

include/linux/kernel.h: change abs() macro so it uses consistent return type

2016-09-30 10:18:33 +02:00

infiniband

IB/uverbs: Fix race between uverbs_close and remove_one

2016-09-24 10:07:37 +02:00

input

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-09-20 15:18:54 +08:00

iommu

Add braces to avoid "ambiguous ‘else’" compiler warnings

2016-09-30 10:18:35 +02:00

ipack

…

irqchip

irqchip/atmel-aic: Fix potential deadlock in ->xlate()

2016-09-24 10:07:43 +02:00

isdn

ser_gigaset: remove unnecessary kfree() calls from release method

2015-12-15 13:24:21 -05:00

leds

Merge tag 'spi-v4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

2015-11-05 13:15:12 -08:00

lguest

…

lightnvm

lightnvm: put bio before return

2016-09-24 10:07:35 +02:00

macintosh

…

mailbox

mailbox: mailbox-test: avoid reading iomem twice

2015-11-04 14:03:04 +05:30

mcb

mcb: Fixed bar number assignment for the gdd

2016-06-01 12:15:53 -07:00

md

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-10-11 23:33:37 +02:00

media

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-10-11 23:33:37 +02:00

memory

memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing

2016-07-27 09:47:35 -07:00

memstick

…

message

Merge tag '4.4-scsi-mkp' into misc

2015-11-12 07:06:18 -05:00

mfd

mfd: qcom_rpm: Parametrize also ack selector size

2016-08-20 18:09:18 +02:00

misc

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-09-20 15:18:54 +08:00

mmc

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-10-11 23:33:37 +02:00

mtd

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-10-11 23:33:37 +02:00

net

UPSTREAM: brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

2016-10-12 17:34:22 +05:30

nfc

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2015-11-10 18:11:41 -08:00

ntb

NTB: fix 32-bit compiler warning

2015-11-08 16:24:43 -05:00

nubus

…

nvdimm

libnvdimm, pfn: fix uuid validation

2016-04-20 15:41:54 +09:00

nvme

nvme: Call pci_disable_device on the error path.

2016-09-15 08:27:51 +02:00

nvmem

nvmem: mxs-ocotp: fix buffer overflow in read

2016-05-11 11:21:21 +02:00

of

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-09-20 15:18:54 +08:00

oprofile

…

parisc

parisc iommu: fix panic due to trying to allocate too large region

2015-12-12 16:07:25 +01:00

parport

…

pci

genirq/msi: Make sure PCI MSIs are activated early

2016-09-07 08:32:38 +02:00

pcmcia

pcmcia: db1xxx_ss: fix last irq_to_gpio user

2016-04-20 15:42:09 +09:00

perf

Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

2015-11-04 14:47:13 -08:00

phy

phy: core: fix wrong err handle for phy_power_on

2016-03-03 15:07:28 -08:00

pinctrl

pinctrl: at91-pio4: use %pr format string for resource

2016-09-24 10:07:42 +02:00

platform

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-09-20 15:18:54 +08:00

pnp

PNP: Add Broadwell to Intel MCH size workaround

2016-08-16 09:30:48 +02:00

power

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-10-11 23:33:37 +02:00

powercap

powercap / RAPL: fix BIOS lock check

2015-12-12 02:31:11 +01:00

pps

pps: do not crash when failed to register

2016-08-10 11:49:25 +02:00

ps3

…

ptp

…

pwm

pwm: Mark all devices as "might sleep"

2016-09-30 10:18:37 +02:00

rapidio

…

ras

…

regulator

regulator: anatop: allow regulator to be in bypass mode

2016-09-15 08:27:54 +02:00

remoteproc

remoteproc: Fix potential race condition in rproc_add

2016-08-20 18:09:20 +02:00

reset

…

rpmsg

…

rtc

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-09-20 15:18:54 +08:00

s390

s390/sclp_ctl: fix potential information leak with /dev/sclp

2016-09-15 08:27:51 +02:00

sbus

…

scsi

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-10-11 23:33:37 +02:00

sfi

…

sh

drivers: sh: Restore legacy clock domain on SuperH platforms

2016-03-09 15:34:49 -08:00

sn

…

soc

soc: qcom/spm: shut up uninitialized variable warning

2016-09-24 10:07:42 +02:00

spi

spi: pxa2xx: Clear all RFT bits in reset_sccr1() on Intel Quark

2016-08-20 18:09:19 +02:00

spmi

Merge tag 'char-misc-4.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

2015-11-04 22:15:15 -08:00

ssb

ssb: add Kconfig entry for compiling SoC related code

2015-10-28 21:05:21 +02:00

staging

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-10-11 23:33:37 +02:00

target

target: Fix ordered task CHECK_CONDITION early exception handling

2016-08-20 18:09:26 +02:00

tc

…

thermal

thermal: cpu_cooling: fix improper order during initialization

2016-07-27 09:47:29 -07:00

thunderbolt

thunderbolt: Fix double free of drom buffer

2016-06-01 12:15:53 -07:00

tty

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-10-11 23:33:37 +02:00

uio

…

usb

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-10-11 23:33:37 +02:00

uwb

Merge tag 'driver-core-4.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

2015-11-04 21:50:37 -08:00

vfio

vfio/pci: Fix NULL pointer oops in error interrupt setup handling

2016-09-07 08:32:37 +02:00

vhost

vhost/scsi: fix reuse of &vq->iov[out] in response

2016-09-15 08:27:53 +02:00

video

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-05-12 09:27:18 +08:00

virt

…

virtio

virtio: fix memory leak in virtqueue_add()

2016-09-07 08:32:36 +02:00

vlynq

…

vme

Merge tag 'char-misc-4.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

2015-11-04 22:15:15 -08:00

w1

Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

2016-09-20 15:18:54 +08:00

watchdog

watchdog: rc32434_wdt: fix ioctl error handling

2016-04-12 09:08:54 -07:00

xen

xenbus: don't bail early from xenbus_dev_request_and_reply()

2016-08-10 11:49:26 +02:00

zorro

…

Kconfig

Revert "switch: switch class and GPIO drivers."

2016-05-19 12:32:41 +05:30

Makefile

Revert "switch: switch class and GPIO drivers."

2016-05-19 12:32:41 +05:30