brcmfmac: add subtype check for event handling in data path
authorArend van Spriel <arend.vanspriel@broadcom.com>
Thu, 18 Apr 2019 07:18:21 +0000 (07:18 +0000)
committerKhalid Elmously <khalid.elmously@canonical.com>
Tue, 23 Apr 2019 06:37:13 +0000 (02:37 -0400)
For USB there is no separate channel being used to pass events
from firmware to the host driver and as such events are passed over the
data path. In order to detect mock event messages an additional
check is needed on event subtype. This check is added conditionally
using unlikely() keyword.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
CVE-2019-9503

(cherry picked from commit a4176ec356c73a46c07c181c6d04039fafa34a9f)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c

index 930e423f83a86803e02c9e7795a7f4cfc013fa43..913fed8b9c2ee07cffb35bdc3bd4f9d7457659dd 100644 (file)
@@ -382,7 +382,8 @@ void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_event)
        } else {
                /* Process special event packets */
                if (handle_event)
-                       brcmf_fweh_process_skb(ifp->drvr, skb);
+                       brcmf_fweh_process_skb(ifp->drvr, skb,
+                                              BCMILCP_SUBTYPE_VENDOR_LONG);
 
                brcmf_netif_rx(ifp, skb);
        }
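Review bot: A frame that fails the new subtype check inside `brcmf_fweh_process_skb()` is only skipped as an event. The unconditional `brcmf_netif_rx(ifp, skb)` two lines later still hands it to the network stack, and because the helper returns void this caller cannot tell the two cases apart. That looks intentional, but the existing comment does not say so; I would extend it to something like `/* Process special event packets; frames rejected by the event checks still go to brcmf_netif_rx() */`. The body of brcmf_rx_frame starts and ends outside this hunk.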
@@ -399,7 +400,7 @@ void brcmf_rx_event(struct device *dev, struct sk_buff *skb)
        if (brcmf_rx_hdrpull(drvr, skb, &ifp))
                return;
 
-       brcmf_fweh_process_skb(ifp->drvr, skb);
+       brcmf_fweh_process_skb(ifp->drvr, skb, 0);
        brcmu_pkt_buf_free_skb(skb);
 }
 
index 816f80ea925b110d79d0845617a70a1ac7e92ba8..ebd66fe0d949c96b91707c61029a81c285a3839d 100644 (file)
@@ -211,7 +211,7 @@ enum brcmf_fweh_event_code {
  */
 #define BRCM_OUI                               "\x00\x10\x18"
 #define BCMILCP_BCM_SUBTYPE_EVENT              1
-
+#define BCMILCP_SUBTYPE_VENDOR_LONG            32769
 
 /**
  * struct brcm_ethhdr - broadcom specific ether header.
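Review bot: `BCMILCP_SUBTYPE_VENDOR_LONG` is compared against a 16-bit big-endian header field (see the `get_unaligned_be16()` read added in fweh.h), so the decimal `32769` hides that the value is `0x8001`. Writing `#define BCMILCP_SUBTYPE_VENDOR_LONG 0x8001` makes it easier to match against a packet capture or a firmware header dump. A one-line comment on what this subtype identifies would also help, since the comment block that ends just above the defines is outside this hunk and may not cover it.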
@@ -334,10 +334,10 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
 void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing);
 
 static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
-                                         struct sk_buff *skb)
+                                         struct sk_buff *skb, u16 stype)
 {
        struct brcmf_event *event_packet;
-       u16 usr_stype;
+       u16 subtype, usr_stype;
 
        /* only process events when protocol matches */
        if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL))
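Review bot: The new `stype` parameter uses 0 as a "skip the subtype check" sentinel, but nothing at the definition says so, and the callers in `brcmf_rx_event()` and `brcmf_msgbuf_process_event()` pass a bare `0`. That sentinel decides whether an event frame is checked for its subtype at all, so a kernel-doc comment above the function should state the contract. It should say that a non-zero `stype` must equal `hdr.subtype` or the frame is ignored, and that 0 is meant only for callers that receive events on a channel separate from the data path (this follows the commit message; worth confirming for msgbuf). The function body continues past this hunk.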
@@ -346,8 +346,16 @@ static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
        if ((skb->len + ETH_HLEN) < sizeof(*event_packet))
                return;
 
-       /* check for BRCM oui match */
        event_packet = (struct brcmf_event *)skb_mac_header(skb);
+
+       /* check subtype if needed */
+       if (unlikely(stype)) {
+               subtype = get_unaligned_be16(&event_packet->hdr.subtype);
+               if (subtype != stype)
+                       return;
+       }
+
+       /* check for BRCM oui match */
        if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0],
                   sizeof(event_packet->hdr.oui)))
                return;
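Review bot: `unlikely(stype)` describes the data-path caller wrongly: whenever `brcmf_rx_frame()` processes events it passes `BCMILCP_SUBTYPE_VENDOR_LONG`, so the branch is taken on every call from there. The helper is `static inline` and each visible call site passes a constant, so the compiler can presumably resolve the test at compile time and the hint buys nothing. Plain `if (stype) {` reads more accurately. The rest of the function lies outside this hunk.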
index d2c834c3b2fc9c1f1f2133cba343057369117771..65e16e3646ecfa3b10eece38712e1cdd79983f1c 100644 (file)
@@ -1112,7 +1112,7 @@ static void brcmf_msgbuf_process_event(struct brcmf_msgbuf *msgbuf, void *buf)
 
        skb->protocol = eth_type_trans(skb, ifp->ndev);
 
-       brcmf_fweh_process_skb(ifp->drvr, skb);
+       brcmf_fweh_process_skb(ifp->drvr, skb, 0);
 
 exit:
        brcmu_pkt_buf_free_skb(skb);