3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Sep 2018 12:03:25 +0000 (14:03 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Sep 2018 12:03:25 +0000 (14:03 +0200)
added patches:
netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
xhci-fix-use-after-free-in-xhci_free_virt_device.patch

queue-3.18/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/xhci-fix-use-after-free-in-xhci_free_virt_device.patch [new file with mode: 0644]

diff --git a/queue-3.18/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch b/queue-3.18/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
new file mode 100644 (file)
index 0000000..b4738fb
--- /dev/null
@@ -0,0 +1,49 @@
+From e466af75c074e76107ae1cd5a2823e9c61894ffb Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Oct 2017 02:50:07 -0700
+Subject: netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit e466af75c074e76107ae1cd5a2823e9c61894ffb upstream.
+
+syzkaller reports an out of bound read in strlcpy(), triggered
+by xt_copy_counters_from_user()
+
+Fix this by using memcpy(), then forcing a zero byte at the last position
+of the destination, as Florian did for the non COMPAT code.
+
+Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use xt_copy_counters_from_user")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/x_tables.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -877,7 +877,7 @@ void *xt_copy_counters_from_user(const v
+               if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
+                       return ERR_PTR(-EFAULT);
+-              strlcpy(info->name, compat_tmp.name, sizeof(info->name));
++              memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
+               info->num_counters = compat_tmp.num_counters;
+               user += sizeof(compat_tmp);
+       } else
+@@ -890,9 +890,9 @@ void *xt_copy_counters_from_user(const v
+               if (copy_from_user(info, user, sizeof(*info)) != 0)
+                       return ERR_PTR(-EFAULT);
+-              info->name[sizeof(info->name) - 1] = '\0';
+               user += sizeof(*info);
+       }
++      info->name[sizeof(info->name) - 1] = '\0';
+       size = sizeof(struct xt_counters);
+       size *= info->num_counters;
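Review bot: The `memcpy()` added in the compat branch takes its length from the destination alone (`sizeof(info->name) - 1`), so it stays in bounds only while `compat_tmp.name` is at least as large as `info->name`; neither struct definition is visible in this hunk. Pinning that assumption at build time next to the copy would keep a later layout change from reintroducing an out-of-bounds read: `BUILD_BUG_ON(sizeof(compat_tmp.name) < sizeof(info->name));`. The terminator now written after both branches is what makes the `- 1` safe, so a short comment there such as `/* name comes from userspace: always force NUL termination */` would help. `xt_copy_counters_from_user()` starts and ends outside the hunk, so the bound check on `size *= info->num_counters` presumably sits below and should be confirmed in the 3.18 tree.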
index 8b35257e187c42d6a339771cad8d86fd08c4f954..4314f0973456af1b2f1709ba080b488a0ddaf539 100644 (file)
@@ -57,3 +57,5 @@ partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch
 mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch
 f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch
 mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch
+xhci-fix-use-after-free-in-xhci_free_virt_device.patch
+netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
diff --git a/queue-3.18/xhci-fix-use-after-free-in-xhci_free_virt_device.patch b/queue-3.18/xhci-fix-use-after-free-in-xhci_free_virt_device.patch
new file mode 100644 (file)
index 0000000..077ad43
--- /dev/null
@@ -0,0 +1,47 @@
+From 44a182b9d17765514fa2b1cc911e4e65134eef93 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 3 May 2018 17:30:07 +0300
+Subject: xhci: Fix use-after-free in xhci_free_virt_device
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream.
+
+KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
+where xhci_free_virt_device() sets slot id to 0 if udev exists:
+if (dev->udev && dev->udev->slot_id)
+       dev->udev->slot_id = 0;
+
+dev->udev will be true even if udev is freed because dev->udev is
+not set to NULL.
+
+set dev->udev pointer to NULL in xhci_free_dev()
+
+The original patch went to stable so this fix needs to be applied
+there as well.
+
+Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot")
+Cc: <stable@vger.kernel.org>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3630,6 +3630,9 @@ void xhci_free_dev(struct usb_hcd *hcd,
+       }
+       spin_lock_irqsave(&xhci->lock, flags);
++
++      virt_dev->udev = NULL;
++
+       /* Don't disable the slot if the host controller is dead. */
+       state = readl(&xhci->op_regs->status);
+       if (state == 0xffffffff || (xhci->xhc_state & XHCI_STATE_DYING) ||
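Review bot: The added `virt_dev->udev = NULL;` carries no comment, and the reason for it lives only in the commit message: `xhci_free_virt_device()` still tests `dev->udev` after the `usb_device` has been freed. A comment on the assignment would keep it from being dropped in a later cleanup, e.g. `/* clear the back-pointer: udev may already be freed when xhci_free_virt_device() tests it */`. The line also dereferences `virt_dev` without a check visible in the hunk. `xhci_free_dev()` begins above the hunk, so it is worth confirming in the 3.18 tree that every path reaching the lock has a valid `virt_dev`.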