--- /dev/null
+From 06e7e776ca4d36547e503279aeff996cbb292c16 Mon Sep 17 00:00:00 2001
+From: Ben Seri <ben@armis.com>
+Date: Fri, 8 Dec 2017 15:14:47 +0100
+Subject: Bluetooth: Prevent stack info leak from the EFS element.
+
+From: Ben Seri <ben@armis.com>
+
+commit 06e7e776ca4d36547e503279aeff996cbb292c16 upstream.
+
+In the function l2cap_parse_conf_rsp and in the function
+l2cap_parse_conf_req the following variable is declared without
+initialization:
+
+struct l2cap_conf_efs efs;
+
+In addition, when parsing input configuration parameters in both of
+these functions, the switch case for handling EFS elements may skip the
+memcpy call that will write to the efs variable:
+
+...
+case L2CAP_CONF_EFS:
+if (olen == sizeof(efs))
+memcpy(&efs, (void *)val, olen);
+...
+
+The olen in the above if is attacker controlled, and regardless of that
+if, in both of these functions the efs variable would eventually be
+added to the outgoing configuration request that is being built:
+
+l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs);
+
+So by sending a configuration request, or response, that contains an
+L2CAP_CONF_EFS element, but with an element length that is not
+sizeof(efs) - the memcpy to the uninitialized efs variable can be
+avoided, and the uninitialized variable would be returned to the
+attacker (16 bytes).
+
+This issue has been assigned CVE-2017-1000410
+
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: Ben Seri <ben@armis.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/l2cap_core.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3317,9 +3317,10 @@ static int l2cap_parse_conf_req(struct l
+ break;
+
+ case L2CAP_CONF_EFS:
+- remote_efs = 1;
+- if (olen == sizeof(efs))
++ if (olen == sizeof(efs)) {
++ remote_efs = 1;
+ memcpy(&efs, (void *) val, olen);
++ }
+ break;
+
+ case L2CAP_CONF_EWS:
+@@ -3538,16 +3539,17 @@ static int l2cap_parse_conf_rsp(struct l
+ break;
+
+ case L2CAP_CONF_EFS:
+- if (olen == sizeof(efs))
++ if (olen == sizeof(efs)) {
+ memcpy(&efs, (void *)val, olen);
+
+- if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+- efs.stype != L2CAP_SERV_NOTRAFIC &&
+- efs.stype != chan->local_stype)
+- return -ECONNREFUSED;
++ if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
++ efs.stype != L2CAP_SERV_NOTRAFIC &&
++ efs.stype != chan->local_stype)
++ return -ECONNREFUSED;
+
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+- (unsigned long) &efs, endptr - ptr);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
++ (unsigned long) &efs, endptr - ptr);
++ }
+ break;
+
+ case L2CAP_CONF_FCS:
--- /dev/null
+From 4110e02eb45ea447ec6f5459c9934de0a273fb91 Mon Sep 17 00:00:00 2001
+From: Benjamin Poirier <bpoirier@suse.com>
+Date: Mon, 11 Dec 2017 16:26:40 +0900
+Subject: e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
+
+From: Benjamin Poirier <bpoirier@suse.com>
+
+commit 4110e02eb45ea447ec6f5459c9934de0a273fb91 upstream.
+
+e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
+are the two functions that may be assigned to mac.ops.check_for_link when
+phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
+Separate signaling for link check/link up") changed the meaning of the
+return value of check_for_link for copper media but only adjusted the first
+function. This patch adjusts the second function likewise.
+
+Reported-by: Christian Hesse <list@eworm.de>
+Reported-by: Gabriel C <nix.or.die@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
+Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Tested-by: Christian Hesse <list@eworm.de>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1299,6 +1299,9 @@ out:
+ * Checks to see of the link status of the hardware has changed. If a
+ * change in link status has been detected, then we read the PHY registers
+ * to get the current speed/duplex if link exists.
++ *
++ * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
++ * up).
+ **/
+ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ {
+@@ -1313,7 +1316,7 @@ static s32 e1000_check_for_copper_link_i
+ * Change or Rx Sequence Error interrupt.
+ */
+ if (!mac->get_link_status)
+- return 0;
++ return 1;
+
+ /* First we want to see if the MII Status Register reports
+ * link. If so, then we want to get the current speed/duplex
+@@ -1452,10 +1455,12 @@ static s32 e1000_check_for_copper_link_i
+ * different link partner.
+ */
+ ret_val = e1000e_config_fc_after_link_up(hw);
+- if (ret_val)
++ if (ret_val) {
+ e_dbg("Error configuring flow control\n");
++ return ret_val;
++ }
+
+- return ret_val;
++ return 1;
+ }
+
+ static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
usb-fix-usbmon-bug-trigger.patch
usbip-remove-kernel-addresses-from-usb-device-and-urb-debug-msgs.patch
staging-android-ashmem-fix-a-race-condition-in-ashmem_set_size-ioctl.patch
+bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
+uas-ignore-uas-for-norelsys-ns1068-x-chips.patch
+e1000e-fix-e1000_check_for_copper_link_ich8lan-return-value.patch
--- /dev/null
+From 928afc85270753657b5543e052cc270c279a3fe9 Mon Sep 17 00:00:00 2001
+From: Icenowy Zheng <icenowy@aosc.io>
+Date: Sat, 6 Jan 2018 00:56:44 +0800
+Subject: uas: ignore UAS for Norelsys NS1068(X) chips
+
+From: Icenowy Zheng <icenowy@aosc.io>
+
+commit 928afc85270753657b5543e052cc270c279a3fe9 upstream.
+
+The UAS mode of Norelsys NS1068(X) is reported to fail to work on
+several platforms with the following error message:
+
+xhci-hcd xhci-hcd.0.auto: ERROR Transfer event for unknown stream ring slot 1 ep 8
+xhci-hcd xhci-hcd.0.auto: @00000000bf04a400 00000000 00000000 1b000000 01098001
+
+And when trying to mount a partition on the disk the disk will
+disconnect from the USB controller, then after re-connecting the device
+will be offlined and not working at all.
+
+Falling back to USB mass storage can solve this problem, so ignore UAS
+function of this chip.
+
+Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
+Acked-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_uas.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -153,6 +153,13 @@ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x99
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_ATA_1X),
+
++/* Reported-by: Icenowy Zheng <icenowy@aosc.io> */
++UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999,
++ "Norelsys",
++ "NS1068X",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_IGNORE_UAS),
++
+ /* Reported-by: Takeo Nakayama <javhera@gmx.com> */
+ UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999,
+ "JMicron",
projects / thirdparty / kernel / stable-queue.git / commitdiff
