[kernel/f20] CVE-2013-4579: ath9k_htc improper MAC update (rhbz 1032753 1033072)
Josh Boyer
jwboyer at fedoraproject.org
Mon Jan 6 12:59:02 UTC 2014
commit e8f3e3c9f051130f7ae450e60bf285b969abcfab
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon Jan 6 07:57:49 2014 -0500
CVE-2013-4579: ath9k_htc improper MAC update (rhbz 1032753 1033072)
...c-properly-set-MAC-address-and-BSSID-mask.patch | 103 ++++++++++++++++++++
kernel.spec | 9 ++
2 files changed, 112 insertions(+), 0 deletions(-)
---
diff --git a/ath9k_htc-properly-set-MAC-address-and-BSSID-mask.patch b/ath9k_htc-properly-set-MAC-address-and-BSSID-mask.patch
new file mode 100644
index 0000000..d643af6
--- /dev/null
+++ b/ath9k_htc-properly-set-MAC-address-and-BSSID-mask.patch
@@ -0,0 +1,103 @@
+Bugzilla: 1032753
+Upstream-status: 3.13
+
+From 657eb17d87852c42b55c4b06d5425baa08b2ddb3 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <vanhoefm at gmail.com>
+Date: Thu, 28 Nov 2013 12:21:45 +0100
+Subject: [PATCH] ath9k_htc: properly set MAC address and BSSID mask
+
+Pick the MAC address of the first virtual interface as the new hardware MAC
+address. Set BSSID mask according to this MAC address. This fixes CVE-2013-4579.
+
+Signed-off-by: Mathy Vanhoef <vanhoefm at gmail.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_main.c | 25 +++++++++++++++++--------
+ drivers/net/wireless/ath/ath9k/main.c | 5 +++--
+ 2 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+index 9a2657f..608d739 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+@@ -127,21 +127,26 @@ static void ath9k_htc_bssid_iter(void *data, u8 *mac, struct ieee80211_vif *vif)
+ struct ath9k_vif_iter_data *iter_data = data;
+ int i;
+
+- for (i = 0; i < ETH_ALEN; i++)
+- iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
++ if (iter_data->hw_macaddr != NULL) {
++ for (i = 0; i < ETH_ALEN; i++)
++ iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
++ } else {
++ iter_data->hw_macaddr = mac;
++ }
+ }
+
+-static void ath9k_htc_set_bssid_mask(struct ath9k_htc_priv *priv,
++static void ath9k_htc_set_mac_bssid_mask(struct ath9k_htc_priv *priv,
+ struct ieee80211_vif *vif)
+ {
+ struct ath_common *common = ath9k_hw_common(priv->ah);
+ struct ath9k_vif_iter_data iter_data;
+
+ /*
+- * Use the hardware MAC address as reference, the hardware uses it
+- * together with the BSSID mask when matching addresses.
++ * Pick the MAC address of the first interface as the new hardware
++ * MAC address. The hardware will use it together with the BSSID mask
++ * when matching addresses.
+ */
+- iter_data.hw_macaddr = common->macaddr;
++ iter_data.hw_macaddr = NULL;
+ memset(&iter_data.mask, 0xff, ETH_ALEN);
+
+ if (vif)
+@@ -153,6 +158,10 @@ static void ath9k_htc_set_bssid_mask(struct ath9k_htc_priv *priv,
+ ath9k_htc_bssid_iter, &iter_data);
+
+ memcpy(common->bssidmask, iter_data.mask, ETH_ALEN);
++
++ if (iter_data.hw_macaddr)
++ memcpy(common->macaddr, iter_data.hw_macaddr, ETH_ALEN);
++
+ ath_hw_setbssidmask(common);
+ }
+
+@@ -1063,7 +1072,7 @@ static int ath9k_htc_add_interface(struct ieee80211_hw *hw,
+ goto out;
+ }
+
+- ath9k_htc_set_bssid_mask(priv, vif);
++ ath9k_htc_set_mac_bssid_mask(priv, vif);
+
+ priv->vif_slot |= (1 << avp->index);
+ priv->nvifs++;
+@@ -1128,7 +1137,7 @@ static void ath9k_htc_remove_interface(struct ieee80211_hw *hw,
+
+ ath9k_htc_set_opmode(priv);
+
+- ath9k_htc_set_bssid_mask(priv, vif);
++ ath9k_htc_set_mac_bssid_mask(priv, vif);
+
+ /*
+ * Stop ANI only if there are no associated station interfaces.
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index 74f452c..21aa09e 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -965,8 +965,9 @@ void ath9k_calculate_iter_data(struct ieee80211_hw *hw,
+ struct ath_common *common = ath9k_hw_common(ah);
+
+ /*
+- * Use the hardware MAC address as reference, the hardware uses it
+- * together with the BSSID mask when matching addresses.
++ * Pick the MAC address of the first interface as the new hardware
++ * MAC address. The hardware will use it together with the BSSID mask
++ * when matching addresses.
+ */
+ memset(iter_data, 0, sizeof(*iter_data));
+ memset(&iter_data->mask, 0xff, ETH_ALEN);
+--
+1.8.4.2
+
diff --git a/kernel.spec b/kernel.spec
index 48d9770..696affc 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -751,6 +751,9 @@ Patch25176: br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
#rhbz 1024002
Patch25177: libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch
+#CVE-2013-4579 rhbz 1032753 1033072
+Patch25178: ath9k_htc-properly-set-MAC-address-and-BSSID-mask.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1457,6 +1460,9 @@ ApplyPatch br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch
#rhbz 1024002
ApplyPatch libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch
+#CVE-2013-4579 rhbz 1032753 1033072
+ApplyPatch ath9k_htc-properly-set-MAC-address-and-BSSID-mask.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2259,6 +2265,9 @@ fi
# ||----w |
# || ||
%changelog
+* Mon Jan 06 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2013-4579: ath9k_htc improper MAC update (rhbz 1032753 1033072)
+
* Sat Dec 28 2013 Peter Robinson <pbrobinson at fedoraproject.org>
- Update am33xx (BeagleBone) cpsw patch to upstream version
More information about the scm-commits
mailing list