ACK: [CVE-2017-11089][Trusty][SRU][PATCH] cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE

[Colin Ian King]

On 02/02/18 04:37, Po-Hsu Lin wrote:
> From: Srinivas Dasari <dasaris at qti.qualcomm.com>
> 
> CVE-2017-11089
> 
> Buffer overread may happen as nl80211_set_station() reads 4 bytes
> from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
> validating the size of data received when userspace sends less
> than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
> Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
> the buffer overread.
> 
> Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
> Cc: stable at vger.kernel.org
> Signed-off-by: Srinivas Dasari <dasaris at qti.qualcomm.com>
> Signed-off-by: Jouni Malinen <jouni at qca.qualcomm.com>
> Signed-off-by: Johannes Berg <johannes.berg at intel.com>
> (cherry picked from commit 8feb69c7bd89513be80eb19198d48f154b254021)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
> ---
>  net/wireless/nl80211.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index a71cec5..eeaf56a 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -355,6 +355,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
>  	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
>  	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
>  	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
> +	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
>  	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
>  	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
>  	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
> 

Clean upstream cherry pick. Looks sane to me.

Acked-by: Colin Ian King <colin.king at canonical.com>