diff --git a/Patches/Linux_CVEs/CVE-2017-11015/prima/0001.patch b/Patches/Linux_CVEs/CVE-2017-11015/prima/0001.patch
new file mode 100644
index 00000000..d54a44b4
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11015/prima/0001.patch
@@ -0,0 +1,52 @@
+From ac39bfffe109a6cffcaf3b537505130712161dce Mon Sep 17 00:00:00 2001
+From: Sridhar Selvaraj
+Date: Fri, 14 Jul 2017 16:08:23 +0530
+Subject: [PATCH] qcacld-2.0: Update limComputeCrc32 to pass uint16_t
+
+qcacld-3.0 to qcacld-2.0 propagation
+
+Update limComputeCrc32() to pass uint16_t as a length type.
+Currently uint8_t is being passed as length and there will be type
+mismatch when authentication frame to be encrypted will be larger
+than 255 bytes.
+
+Change-Id: Ic009197c13a2d70c9015a184acff2e82bf80eaba
+CRs-Fixed: 2072937
+---
+ drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c | 2 +-
+ drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c b/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c
+index 85f12dfb876..8f754c77e9f 100644
+--- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c
++++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c
+@@ -609,7 +609,7 @@ limEncryptAuthFrame(tpAniSirGlobal pMac, tANI_U8 keyId, tANI_U8 *pKey, tANI_U8 *
+ */
+
+ void
+-limComputeCrc32(tANI_U8 *pDest, tANI_U8 * pSrc, tANI_U8 len)
++limComputeCrc32(tANI_U8 *pDest, tANI_U8 * pSrc, tANI_U16 len)
+ {
+ tANI_U32 crc;
+ int i;
+diff --git a/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h b/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h
+index 5eafbd7b747..dd097607a18 100644
+--- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h
++++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2012-2013, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved.
+ *
+ * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
+ *
+@@ -73,7 +73,7 @@ void limRestoreFromAuthState(tpAniSirGlobal,
+
+ // Encryption/Decryption related functions
+ tCfgWepKeyEntry *limLookUpKeyMappings(tSirMacAddr);
+-void limComputeCrc32(tANI_U8 *, tANI_U8 *, tANI_U8);
++void limComputeCrc32(tANI_U8 *, tANI_U8 *, tANI_U16);
+ void limRC4(tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32, tANI_U16);
+ void limEncryptAuthFrame(tpAniSirGlobal, tANI_U8, tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32);
+ tANI_U8 limDecryptAuthFrame(tpAniSirGlobal, tANI_U8 *, tANI_U8 *, tANI_U8 *, tANI_U32, tANI_U16);
diff --git a/Patches/Linux_CVEs/CVE-2017-11015/prima/0002.patch b/Patches/Linux_CVEs/CVE-2017-11015/prima/0002.patch
new file mode 100644
index 00000000..dd125558
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11015/prima/0002.patch
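Review bot: Widening `len` to `tANI_U16` in `limComputeCrc32` removes the truncation only at the callee; a caller that still holds the frame length in a `tANI_U8` before the call would truncate it first, and no call site appears in this patch. The length handed over from `limEncryptAuthFrame` (its body is outside the hunk) is worth checking, because 0002.patch raises the challenge text to 253 bytes and so makes bodies above 255 bytes reachable; the two patches should always be applied together. The header comment that closes just above the signature is not shown; if it documents the parameter it should say something like `len: number of bytes of pSrc to checksum (16-bit, encrypted auth frame bodies can exceed 255)`.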
@@ -0,0 +1,33 @@
+From d0cd3ede7c17ee7fcf0f9b6d125d027bc28640be Mon Sep 17 00:00:00 2001
+From: Sridhar Selvaraj
+Date: Fri, 14 Jul 2017 15:53:09 +0530
+Subject: [PATCH] qcacld-2.0: Update SIR_MAC_AUTH_CHALLENGE_LENGTH as per IEEE
+ spec
+
+qcacld-3.0 to qcacld-2.0 propagation
+
+Update SIR_MAC_AUTH_CHALLENGE_LENGTH to 253 as per IEEE spec.
+Currently value of SIR_MAC_AUTH_CHALLENGE_LENGTH is set to 128.
+This may result in potential buffer overflow since frame parser
+allows challenge text of length upto 253 but driver can not handle
+challenge text longer than 128 bytes.
+
+Change-Id: I7baf860fdde51a14a6573b4f0f26817f5071193e
+CRs-Fixed: 2072937
+---
+ drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h b/drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h
+index cd548457338..7ee9a613e64 100644
+--- a/drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h
++++ b/drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h
+@@ -579,7 +579,7 @@
+ #define SIR_MAC_MAX_NUMBER_OF_RATES 12
+ #define SIR_MAC_MAX_NUM_OF_DEFAULT_KEYS 4
+ #define SIR_MAC_KEY_LENGTH 13 // WEP Maximum key length size
+-#define SIR_MAC_AUTH_CHALLENGE_LENGTH 128
++#define SIR_MAC_AUTH_CHALLENGE_LENGTH 253
+ #define SIR_MAC_WEP_IV_LENGTH 4
+ #define SIR_MAC_WEP_ICV_LENGTH 4
+
diff --git a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0001.patch b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0001.patch
rename to Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0002.patch b/Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0004.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0002.patch
rename to Patches/Linux_CVEs/CVE-2017-11015/qcacld-3.0/0004.patch
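Review bot: Raising `SIR_MAC_AUTH_CHALLENGE_LENGTH` from 128 to 253 closes the overflow only by making two independent limits agree; nothing in this patch ties the macro to the frame parser's maximum, so a later change on either side would silently reopen it. The define should carry a comment such as `// Max challenge text length per IEEE spec; must be >= the limit the frame parser accepts`, and the place where the challenge text is copied into driver buffers (not visible here) should reject lengths above `SIR_MAC_AUTH_CHALLENGE_LENGTH` explicitly. Every buffer sized from this macro grows by 125 bytes, and presumably any 8-bit length derived from it can now wrap, which is what 0001.patch handles for `limComputeCrc32`; other such lengths are worth auditing.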
diff --git a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt b/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt index c28d4f70..6efd5580 100644 --- a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt +++ b/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt @@ -1447,6 +1447,8 @@ CVE-2017-11013 CVE-2017-11014 Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ec58bc99e29d89f8e164954999ef8a45cec21754 CVE-2017-11015 + Link - prima - https://github.com/LineageOS/lge-kernel-mako/commit/ac39bfffe109a6cffcaf3b537505130712161dce + Link - prima - https://github.com/LineageOS/lge-kernel-mako/commit/d0cd3ede7c17ee7fcf0f9b6d125d027bc28640be Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=ec58bc99e29d89f8e164954999ef8a45cec21754 Link - qcacld-3.0 - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=1ef6add65a36de6c4da788f776de2b5b5c528d8e CVE-2017-11018 diff --git a/Scripts/LineageOS-14.1/Rebrand.sh b/Scripts/LineageOS-14.1/Rebrand.sh index f5af39e1..a2db0d89 100644 --- a/Scripts/LineageOS-14.1/Rebrand.sh +++ b/Scripts/LineageOS-14.1/Rebrand.sh @@ -19,6 +19,9 @@ echo "Rebranding..." +cd $base"bootable/recovery" +sed -i 's|Android Recovery|DivestOS Recovery|' *_ui.cpp; + cd $base"build" sed -i 's|echo "ro.build.user=$USER"|echo "ro.build.user=emy"|' tools/buildinfo.sh; #Override build user sed -i 's|echo "ro.build.host=`hostname`"|echo "ro.build.host=dosbm"|' tools/buildinfo.sh; #Override build host
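Review bot: In the Rebrand.sh hunk the added `cd $base"bootable/recovery"` is unchecked and leaves `$base` unquoted, so if that directory is missing the following `sed -i ... *_ui.cpp` runs in whatever directory the script was in before. `cd "$base"bootable/recovery || exit 1` (or `return` if the script is sourced) would stop the rebrand at that point instead. The existing `cd $base"build"` below it follows the same pattern, and where `$base` is set is outside this hunk.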