4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Mar 2021 13:02:06 +0000 (14:02 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Mar 2021 13:02:06 +0000 (14:02 +0100)
added patches:
staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch
staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch
staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch
staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch
staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch
staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch
staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch
staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch
staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch
staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch
staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch
staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch
staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch
staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch
staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch
staging-rtl8712-unterminated-string-leads-to-read-overflow.patch

17 files changed:
queue-4.14/series
queue-4.14/staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch [new file with mode: 0644]
queue-4.14/staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch [new file with mode: 0644]
queue-4.14/staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch [new file with mode: 0644]
queue-4.14/staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch [new file with mode: 0644]
queue-4.14/staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch [new file with mode: 0644]
queue-4.14/staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch [new file with mode: 0644]
queue-4.14/staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch [new file with mode: 0644]
queue-4.14/staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch [new file with mode: 0644]
queue-4.14/staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch [new file with mode: 0644]
queue-4.14/staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch [new file with mode: 0644]
queue-4.14/staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch [new file with mode: 0644]
queue-4.14/staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch [new file with mode: 0644]
queue-4.14/staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch [new file with mode: 0644]
queue-4.14/staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch [new file with mode: 0644]
queue-4.14/staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch [new file with mode: 0644]
queue-4.14/staging-rtl8712-unterminated-string-leads-to-read-overflow.patch [new file with mode: 0644]

index 2ba7b3a8ba1033582393ced8fb53b58da9740350..ea02175b0e88b564f04d73133efe393158b5e1f6 100644 (file)
@@ -62,3 +62,19 @@ usbip-fix-vhci_hcd-to-check-for-stream-socket.patch
 usbip-fix-vudc-to-check-for-stream-socket.patch
 usbip-fix-stub_dev-usbip_sockfd_store-races-leading-to-gpf.patch
 usbip-fix-vhci_hcd-attach_store-races-leading-to-gpf.patch
+staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch
+staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch
+staging-rtl8712-unterminated-string-leads-to-read-overflow.patch
+staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch
+staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch
+staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch
+staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch
+staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch
+staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch
+staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch
diff --git a/queue-4.14/staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch b/queue-4.14/staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch
new file mode 100644 (file)
index 0000000..351ae6d
--- /dev/null
@@ -0,0 +1,45 @@
+From 25317f428a78fde71b2bf3f24d05850f08a73a52 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:42 +0000
+Subject: staging: comedi: addi_apci_1032: Fix endian problem for COS sample
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 25317f428a78fde71b2bf3f24d05850f08a73a52 upstream.
+
+The Change-Of-State (COS) subdevice supports Comedi asynchronous
+commands to read 16-bit change-of-state values.  However, the interrupt
+handler is calling `comedi_buf_write_samples()` with the address of a
+32-bit integer `&s->state`.  On bigendian architectures, it will copy 2
+bytes from the wrong end of the 32-bit integer.  Fix it by transferring
+the value via a 16-bit integer.
+
+Fixes: 6bb45f2b0c86 ("staging: comedi: addi_apci_1032: use comedi_buf_write_samples()")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-2-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/addi_apci_1032.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/addi_apci_1032.c
++++ b/drivers/staging/comedi/drivers/addi_apci_1032.c
+@@ -269,6 +269,7 @@ static irqreturn_t apci1032_interrupt(in
+       struct apci1032_private *devpriv = dev->private;
+       struct comedi_subdevice *s = dev->read_subdev;
+       unsigned int ctrl;
++      unsigned short val;
+       /* check interrupt is from this device */
+       if ((inl(devpriv->amcc_iobase + AMCC_OP_REG_INTCSR) &
+@@ -284,7 +285,8 @@ static irqreturn_t apci1032_interrupt(in
+       outl(ctrl & ~APCI1032_CTRL_INT_ENA, dev->iobase + APCI1032_CTRL_REG);
+       s->state = inl(dev->iobase + APCI1032_STATUS_REG) & 0xffff;
+-      comedi_buf_write_samples(s, &s->state, 1);
++      val = s->state;
++      comedi_buf_write_samples(s, &val, 1);
+       comedi_handle_events(dev, s);
+       /* enable the interrupt */
diff --git a/queue-4.14/staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch b/queue-4.14/staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch
new file mode 100644 (file)
index 0000000..7ec06f3
--- /dev/null
@@ -0,0 +1,60 @@
+From ac0bbf55ed3be75fde1f8907e91ecd2fd589bde3 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:43 +0000
+Subject: staging: comedi: addi_apci_1500: Fix endian problem for command sample
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit ac0bbf55ed3be75fde1f8907e91ecd2fd589bde3 upstream.
+
+The digital input subdevice supports Comedi asynchronous commands that
+read interrupt status information.  This uses 16-bit Comedi samples (of
+which only the bottom 8 bits contain status information).  However, the
+interrupt handler is calling `comedi_buf_write_samples()` with the
+address of a 32-bit variable `unsigned int status`.  On a bigendian
+machine, this will copy 2 bytes from the wrong end of the variable.  Fix
+it by changing the type of the variable to `unsigned short`.
+
+Fixes: a8c66b684efa ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
+Cc: <stable@vger.kernel.org> #4.0+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-3-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/addi_apci_1500.c |   18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/addi_apci_1500.c
++++ b/drivers/staging/comedi/drivers/addi_apci_1500.c
+@@ -217,7 +217,7 @@ static irqreturn_t apci1500_interrupt(in
+       struct comedi_device *dev = d;
+       struct apci1500_private *devpriv = dev->private;
+       struct comedi_subdevice *s = dev->read_subdev;
+-      unsigned int status = 0;
++      unsigned short status = 0;
+       unsigned int val;
+       val = inl(devpriv->amcc + AMCC_OP_REG_INTCSR);
+@@ -247,14 +247,14 @@ static irqreturn_t apci1500_interrupt(in
+        *
+        *    Mask     Meaning
+        * ----------  ------------------------------------------
+-       * 0x00000001  Event 1 has occurred
+-       * 0x00000010  Event 2 has occurred
+-       * 0x00000100  Counter/timer 1 has run down (not implemented)
+-       * 0x00001000  Counter/timer 2 has run down (not implemented)
+-       * 0x00010000  Counter 3 has run down (not implemented)
+-       * 0x00100000  Watchdog has run down (not implemented)
+-       * 0x01000000  Voltage error
+-       * 0x10000000  Short-circuit error
++       * 0b00000001  Event 1 has occurred
++       * 0b00000010  Event 2 has occurred
++       * 0b00000100  Counter/timer 1 has run down (not implemented)
++       * 0b00001000  Counter/timer 2 has run down (not implemented)
++       * 0b00010000  Counter 3 has run down (not implemented)
++       * 0b00100000  Watchdog has run down (not implemented)
++       * 0b01000000  Voltage error
++       * 0b10000000  Short-circuit error
+        */
+       comedi_buf_write_samples(s, &status, 1);
+       comedi_handle_events(dev, s);
diff --git a/queue-4.14/staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch
new file mode 100644 (file)
index 0000000..d73132e
--- /dev/null
@@ -0,0 +1,72 @@
+From b2e78630f733a76508b53ba680528ca39c890e82 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:44 +0000
+Subject: staging: comedi: adv_pci1710: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit b2e78630f733a76508b53ba680528ca39c890e82 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format.  However, the calls to
+`comedi_buf_write_samples()` are passing the address of a 32-bit integer
+variable.  On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value.  Fix it by changing the type of the variables
+holding the sample value to `unsigned short`.  The type of the `val`
+parameter of `pci1710_ai_read_sample()` is changed to `unsigned short *`
+accordingly.  The type of the `val` variable in `pci1710_ai_insn_read()`
+is also changed to `unsigned short` since its address is passed to
+`pci1710_ai_read_sample()`.
+
+Fixes: a9c3a015c12f ("staging: comedi: adv_pci1710: use comedi_buf_write_samples()")
+Cc: <stable@vger.kernel.org> # 4.0+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-4-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/adv_pci1710.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/adv_pci1710.c
++++ b/drivers/staging/comedi/drivers/adv_pci1710.c
+@@ -299,11 +299,11 @@ static int pci1710_ai_eoc(struct comedi_
+ static int pci1710_ai_read_sample(struct comedi_device *dev,
+                                 struct comedi_subdevice *s,
+                                 unsigned int cur_chan,
+-                                unsigned int *val)
++                                unsigned short *val)
+ {
+       const struct boardtype *board = dev->board_ptr;
+       struct pci1710_private *devpriv = dev->private;
+-      unsigned int sample;
++      unsigned short sample;
+       unsigned int chan;
+       sample = inw(dev->iobase + PCI171X_AD_DATA_REG);
+@@ -344,7 +344,7 @@ static int pci1710_ai_insn_read(struct c
+       pci1710_ai_setup_chanlist(dev, s, &insn->chanspec, 1, 1);
+       for (i = 0; i < insn->n; i++) {
+-              unsigned int val;
++              unsigned short val;
+               /* start conversion */
+               outw(0, dev->iobase + PCI171X_SOFTTRG_REG);
+@@ -394,7 +394,7 @@ static void pci1710_handle_every_sample(
+ {
+       struct comedi_cmd *cmd = &s->async->cmd;
+       unsigned int status;
+-      unsigned int val;
++      unsigned short val;
+       int ret;
+       status = inw(dev->iobase + PCI171X_STATUS_REG);
+@@ -454,7 +454,7 @@ static void pci1710_handle_fifo(struct c
+       }
+       for (i = 0; i < devpriv->max_samples; i++) {
+-              unsigned int val;
++              unsigned short val;
+               int ret;
+               ret = pci1710_ai_read_sample(dev, s, s->async->cur_chan, &val);
diff --git a/queue-4.14/staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch
new file mode 100644 (file)
index 0000000..1ce44cb
--- /dev/null
@@ -0,0 +1,36 @@
+From 1c0f20b78781b9ca50dc3ecfd396d0db5b141890 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:45 +0000
+Subject: staging: comedi: das6402: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 1c0f20b78781b9ca50dc3ecfd396d0db5b141890 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format.  However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable.  On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value.  Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: d1d24cb65ee3 ("staging: comedi: das6402: read analog input samples in interrupt handler")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-5-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/das6402.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/das6402.c
++++ b/drivers/staging/comedi/drivers/das6402.c
+@@ -195,7 +195,7 @@ static irqreturn_t das6402_interrupt(int
+       if (status & DAS6402_STATUS_FFULL) {
+               async->events |= COMEDI_CB_OVERFLOW;
+       } else if (status & DAS6402_STATUS_FFNE) {
+-              unsigned int val;
++              unsigned short val;
+               val = das6402_ai_read_sample(dev, s);
+               comedi_buf_write_samples(s, &val, 1);
diff --git a/queue-4.14/staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch
new file mode 100644 (file)
index 0000000..27a7179
--- /dev/null
@@ -0,0 +1,36 @@
+From 459b1e8c8fe97fcba0bd1b623471713dce2c5eaf Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:46 +0000
+Subject: staging: comedi: das800: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 459b1e8c8fe97fcba0bd1b623471713dce2c5eaf upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format.  However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable.  On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value.  Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: ad9eb43c93d8 ("staging: comedi: das800: use comedi_buf_write_samples()")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-6-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/das800.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/das800.c
++++ b/drivers/staging/comedi/drivers/das800.c
+@@ -436,7 +436,7 @@ static irqreturn_t das800_interrupt(int
+       struct comedi_cmd *cmd;
+       unsigned long irq_flags;
+       unsigned int status;
+-      unsigned int val;
++      unsigned short val;
+       bool fifo_empty;
+       bool fifo_overflow;
+       int i;
diff --git a/queue-4.14/staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch
new file mode 100644 (file)
index 0000000..c449dba
--- /dev/null
@@ -0,0 +1,41 @@
+From 54999c0d94b3c26625f896f8e3460bc029821578 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:47 +0000
+Subject: staging: comedi: dmm32at: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 54999c0d94b3c26625f896f8e3460bc029821578 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format.  However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable.  On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value.  Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+[Note: the bug was introduced in commit 1700529b24cc ("staging: comedi:
+dmm32at: use comedi_buf_write_samples()") but the patch applies better
+to the later (but in the same kernel release) commit 0c0eadadcbe6e
+("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()").]
+
+Fixes: 0c0eadadcbe6e ("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-7-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/dmm32at.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/dmm32at.c
++++ b/drivers/staging/comedi/drivers/dmm32at.c
+@@ -413,7 +413,7 @@ static irqreturn_t dmm32at_isr(int irq,
+ {
+       struct comedi_device *dev = d;
+       unsigned char intstat;
+-      unsigned int val;
++      unsigned short val;
+       int i;
+       if (!dev->attached) {
diff --git a/queue-4.14/staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch
new file mode 100644 (file)
index 0000000..aa45454
--- /dev/null
@@ -0,0 +1,36 @@
+From b39dfcced399d31e7c4b7341693b18e01c8f655e Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:48 +0000
+Subject: staging: comedi: me4000: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit b39dfcced399d31e7c4b7341693b18e01c8f655e upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format.  However, the calls to
+`comedi_buf_write_samples()` are passing the address of a 32-bit integer
+variable.  On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value.  Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: de88924f67d1 ("staging: comedi: me4000: use comedi_buf_write_samples()")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-8-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/me4000.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/me4000.c
++++ b/drivers/staging/comedi/drivers/me4000.c
+@@ -933,7 +933,7 @@ static irqreturn_t me4000_ai_isr(int irq
+       struct comedi_subdevice *s = dev->read_subdev;
+       int i;
+       int c = 0;
+-      unsigned int lval;
++      unsigned short lval;
+       if (!dev->attached)
+               return IRQ_NONE;
diff --git a/queue-4.14/staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch
new file mode 100644 (file)
index 0000000..2a7cc1f
--- /dev/null
@@ -0,0 +1,36 @@
+From a084303a645896e834883f2c5170d044410dfdb3 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:49 +0000
+Subject: staging: comedi: pcl711: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit a084303a645896e834883f2c5170d044410dfdb3 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format.  However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable.  On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value.  Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: 1f44c034de2e ("staging: comedi: pcl711: use comedi_buf_write_samples()")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-9-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/pcl711.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/pcl711.c
++++ b/drivers/staging/comedi/drivers/pcl711.c
+@@ -193,7 +193,7 @@ static irqreturn_t pcl711_interrupt(int
+       struct comedi_device *dev = d;
+       struct comedi_subdevice *s = dev->read_subdev;
+       struct comedi_cmd *cmd = &s->async->cmd;
+-      unsigned int data;
++      unsigned short data;
+       if (!dev->attached) {
+               dev_err(dev->class_dev, "spurious interrupt\n");
diff --git a/queue-4.14/staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch
new file mode 100644 (file)
index 0000000..97e44d1
--- /dev/null
@@ -0,0 +1,41 @@
+From 148e34fd33d53740642db523724226de14ee5281 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:50 +0000
+Subject: staging: comedi: pcl818: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 148e34fd33d53740642db523724226de14ee5281 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format.  However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+parameter.  On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value.  Fix it by changing the type of the parameter
+holding the sample value to `unsigned short`.
+
+[Note: the bug was introduced in commit edf4537bcbf5 ("staging: comedi:
+pcl818: use comedi_buf_write_samples()") but the patch applies better to
+commit d615416de615 ("staging: comedi: pcl818: introduce
+pcl818_ai_write_sample()").]
+
+Fixes: d615416de615 ("staging: comedi: pcl818: introduce pcl818_ai_write_sample()")
+Cc: <stable@vger.kernel.org> # 4.0+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-10-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/pcl818.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/pcl818.c
++++ b/drivers/staging/comedi/drivers/pcl818.c
+@@ -422,7 +422,7 @@ static int pcl818_ai_eoc(struct comedi_d
+ static bool pcl818_ai_write_sample(struct comedi_device *dev,
+                                  struct comedi_subdevice *s,
+-                                 unsigned int chan, unsigned int val)
++                                 unsigned int chan, unsigned short val)
+ {
+       struct pcl818_private *devpriv = dev->private;
+       struct comedi_cmd *cmd = &s->async->cmd;
diff --git a/queue-4.14/staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch b/queue-4.14/staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch
new file mode 100644 (file)
index 0000000..e0b5eb0
--- /dev/null
@@ -0,0 +1,43 @@
+From e163b9823a0b08c3bb8dc4f5b4b5c221c24ec3e5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 2 Mar 2021 14:19:39 +0300
+Subject: staging: ks7010: prevent buffer overflow in ks_wlan_set_scan()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit e163b9823a0b08c3bb8dc4f5b4b5c221c24ec3e5 upstream.
+
+The user can specify a "req->essid_len" of up to 255 but if it's
+over IW_ESSID_MAX_SIZE (32) that can lead to memory corruption.
+
+Fixes: 13a9930d15b4 ("staging: ks7010: add driver from Nanonote extra-repository")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/YD4fS8+HmM/Qmrw6@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/ks7010/ks_wlan_net.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/ks7010/ks_wlan_net.c
++++ b/drivers/staging/ks7010/ks_wlan_net.c
+@@ -1290,6 +1290,7 @@ static int ks_wlan_set_scan(struct net_d
+ {
+       struct ks_wlan_private *priv = netdev_priv(dev);
+       struct iw_scan_req *req = NULL;
++      int len;
+       DPRINTK(2, "\n");
+@@ -1301,8 +1302,9 @@ static int ks_wlan_set_scan(struct net_d
+       if (wrqu->data.length == sizeof(struct iw_scan_req) &&
+           wrqu->data.flags & IW_SCAN_THIS_ESSID) {
+               req = (struct iw_scan_req *)extra;
+-              priv->scan_ssid_len = req->essid_len;
+-              memcpy(priv->scan_ssid, req->essid, priv->scan_ssid_len);
++              len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
++              priv->scan_ssid_len = len;
++              memcpy(priv->scan_ssid, req->essid, len);
+       } else {
+               priv->scan_ssid_len = 0;
+       }
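Review bot: The new `min_t()` line silently truncates an over-long ESSID rather than rejecting it: after this hunk the driver scans for a 32-byte prefix of what userspace asked for, and the caller never learns the request was malformed. Returning `-EINVAL` when `req->essid_len > IW_ESSID_MAX_SIZE` would make the bad input visible; if truncation is the intended behaviour, a one-line comment saying so would help, e.g. `/* essid_len is user-controlled (up to 255); clamp to IW_ESSID_MAX_SIZE */`. The same truncate-instead-of-reject pattern appears in the rtl8192e _rtl92e_wx_set_scan hunk later on this page. ks_wlan_set_scan starts before the hunk and ends after it.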
diff --git a/queue-4.14/staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch b/queue-4.14/staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch
new file mode 100644 (file)
index 0000000..e7da6a7
--- /dev/null
@@ -0,0 +1,57 @@
+From d4ac640322b06095128a5c45ba4a1e80929fe7f3 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 5 Mar 2021 11:56:32 +0300
+Subject: staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit d4ac640322b06095128a5c45ba4a1e80929fe7f3 upstream.
+
+The "ie_len" is a value in the 1-255 range that comes from the user.  We
+have to cap it to ensure that it's not too large or it could lead to
+memory corruption.
+
+Fixes: 9a7fe54ddc3a ("staging: r8188eu: Add source files for new driver - part 1")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/YEHyQCrFZKTXyT7J@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8188eu/core/rtw_ap.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_ap.c
++++ b/drivers/staging/rtl8188eu/core/rtw_ap.c
+@@ -912,6 +912,7 @@ int rtw_check_beacon_data(struct adapter
+       /* SSID */
+       p = rtw_get_ie(ie + _BEACON_IE_OFFSET_, _SSID_IE_, &ie_len, (pbss_network->IELength - _BEACON_IE_OFFSET_));
+       if (p && ie_len > 0) {
++              ie_len = min_t(int, ie_len, sizeof(pbss_network->Ssid.Ssid));
+               memset(&pbss_network->Ssid, 0, sizeof(struct ndis_802_11_ssid));
+               memcpy(pbss_network->Ssid.Ssid, (p + 2), ie_len);
+               pbss_network->Ssid.SsidLength = ie_len;
+@@ -930,6 +931,7 @@ int rtw_check_beacon_data(struct adapter
+       /*  get supported rates */
+       p = rtw_get_ie(ie + _BEACON_IE_OFFSET_, _SUPPORTEDRATES_IE_, &ie_len, (pbss_network->IELength - _BEACON_IE_OFFSET_));
+       if (p) {
++              ie_len = min_t(int, ie_len, NDIS_802_11_LENGTH_RATES_EX);
+               memcpy(supportRate, p + 2, ie_len);
+               supportRateNum = ie_len;
+       }
+@@ -937,6 +939,8 @@ int rtw_check_beacon_data(struct adapter
+       /* get ext_supported rates */
+       p = rtw_get_ie(ie + _BEACON_IE_OFFSET_, _EXT_SUPPORTEDRATES_IE_, &ie_len, pbss_network->IELength - _BEACON_IE_OFFSET_);
+       if (p) {
++              ie_len = min_t(int, ie_len,
++                             NDIS_802_11_LENGTH_RATES_EX - supportRateNum);
+               memcpy(supportRate + supportRateNum, p + 2, ie_len);
+               supportRateNum += ie_len;
+       }
+@@ -1050,6 +1054,7 @@ int rtw_check_beacon_data(struct adapter
+               pht_cap->mcs.rx_mask[0] = 0xff;
+               pht_cap->mcs.rx_mask[1] = 0x0;
++              ie_len = min_t(int, ie_len, sizeof(pmlmepriv->htpriv.ht_cap));
+               memcpy(&pmlmepriv->htpriv.ht_cap, p+2, ie_len);
+       }
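Review bot: The cap on `ie_len` for the ht_cap copy at the end of this hunk comes after the two `pht_cap->mcs.rx_mask[...]` stores just above it, so those stores are not covered by the new bound. If `pht_cap` is derived from `p + 2` (its declaration is outside the hunk, so this is inferred), an HT capability element shorter than `sizeof(*pht_cap)` still lets those writes land past the element; the length check belongs before `pht_cap` is dereferenced, e.g. tightening the enclosing condition to `if (p && ie_len >= sizeof(*pht_cap))` and keeping the new `min_t()` as a second line of defence. The earlier caps in this patch (Ssid, supported rates, ext supported rates) look complete as written. rtw_check_beacon_data starts and ends outside the hunks.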
diff --git a/queue-4.14/staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch b/queue-4.14/staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch
new file mode 100644 (file)
index 0000000..60b3395
--- /dev/null
@@ -0,0 +1,37 @@
+From 74b6b20df8cfe90ada777d621b54c32e69e27cd7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 5 Mar 2021 11:58:03 +0300
+Subject: staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 74b6b20df8cfe90ada777d621b54c32e69e27cd7 upstream.
+
+This code has a check to prevent read overflow but it needs another
+check to prevent writing beyond the end of the ->ssid[] array.
+
+Fixes: a2c60d42d97c ("staging: r8188eu: Add files for new driver - part 16")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/YEHymwsnHewzoam7@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8188eu/os_dep/ioctl_linux.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+@@ -1169,9 +1169,11 @@ static int rtw_wx_set_scan(struct net_de
+                                               break;
+                                       }
+                                       sec_len = *(pos++); len -= 1;
+-                                      if (sec_len > 0 && sec_len <= len) {
++                                      if (sec_len > 0 &&
++                                          sec_len <= len &&
++                                          sec_len <= 32) {
+                                               ssid[ssid_index].SsidLength = sec_len;
+-                                              memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength);
++                                              memcpy(ssid[ssid_index].Ssid, pos, sec_len);
+                                               ssid_index++;
+                                       }
+                                       pos += sec_len;
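Review bot: The new bound `sec_len <= 32` on the third condition line is a magic number for the SSID element's maximum length; the other patches in this series use `IW_ESSID_MAX_SIZE` for the same limit, and tying it to the destination, `sec_len <= sizeof(ssid[ssid_index].Ssid)`, documents what is actually being protected and survives a change of the array size. A short comment on the condition would also help, e.g. `/* sec_len comes from the user buffer; bound it to the Ssid[] array */`. The hunk does not show the guard on `ssid_index` against the `ssid[]` array length (it may be the `break` branch just above) — worth confirming. rtw_wx_set_scan starts before the hunk and ends after it.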
diff --git a/queue-4.14/staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch b/queue-4.14/staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch
new file mode 100644 (file)
index 0000000..bbe22b0
--- /dev/null
@@ -0,0 +1,38 @@
+From 8687bf9ef9551bcf93897e33364d121667b1aadf Mon Sep 17 00:00:00 2001
+From: Lee Gibson <leegib@gmail.com>
+Date: Fri, 26 Feb 2021 14:51:57 +0000
+Subject: staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan
+
+From: Lee Gibson <leegib@gmail.com>
+
+commit 8687bf9ef9551bcf93897e33364d121667b1aadf upstream.
+
+Function _rtl92e_wx_set_scan calls memcpy without checking the length.
+A user could control that length and trigger a buffer overflow.
+Fix by checking the length is within the maximum allowed size.
+
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Lee Gibson <leegib@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210226145157.424065-1-leegib@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8192e/rtl8192e/rtl_wx.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c
++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c
+@@ -419,9 +419,10 @@ static int _rtl92e_wx_set_scan(struct ne
+               struct iw_scan_req *req = (struct iw_scan_req *)b;
+               if (req->essid_len) {
+-                      ieee->current_network.ssid_len = req->essid_len;
+-                      memcpy(ieee->current_network.ssid, req->essid,
+-                             req->essid_len);
++                      int len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
++
++                      ieee->current_network.ssid_len = len;
++                      memcpy(ieee->current_network.ssid, req->essid, len);
+               }
+       }
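Review bot: The new bound on the added `min_t(int, req->essid_len, IW_ESSID_MAX_SIZE)` line silently truncates an oversized length instead of rejecting the request, so a caller that passes an `essid_len` above IW_ESSID_MAX_SIZE gets a scan for a shorter SSID than it asked for and no error. Because this is user-controlled ioctl input, returning `-EINVAL` for `req->essid_len > IW_ESSID_MAX_SIZE` would be the stricter choice; if truncation is the intended policy, a one-line comment such as `/* cap the user-supplied length to ssid[]; longer requests are truncated, not rejected */` should say so. The same truncate-rather-than-reject pattern is in the rtl8192u hunk (r8192_wx_set_scan) and the rtl8712 hunk (r8712_sitesurvey_cmd). _rtl92e_wx_set_scan begins before and appears to continue after this hunk.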
diff --git a/queue-4.14/staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch b/queue-4.14/staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch
new file mode 100644 (file)
index 0000000..2c72491
--- /dev/null
@@ -0,0 +1,36 @@
+From 87107518d7a93fec6cdb2559588862afeee800fb Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 5 Mar 2021 11:12:49 +0300
+Subject: staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 87107518d7a93fec6cdb2559588862afeee800fb upstream.
+
+We need to cap len at IW_ESSID_MAX_SIZE (32) to avoid memory corruption.
+This can be controlled by the user via the ioctl.
+
+Fixes: 5f53d8ca3d5d ("Staging: add rtl8192SU wireless usb driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/YEHoAWMOSZBUw91F@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8192u/r8192U_wx.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8192u/r8192U_wx.c
++++ b/drivers/staging/rtl8192u/r8192U_wx.c
+@@ -333,8 +333,10 @@ static int r8192_wx_set_scan(struct net_
+               struct iw_scan_req *req = (struct iw_scan_req *)b;
+               if (req->essid_len) {
+-                      ieee->current_network.ssid_len = req->essid_len;
+-                      memcpy(ieee->current_network.ssid, req->essid, req->essid_len);
++                      int len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
++
++                      ieee->current_network.ssid_len = len;
++                      memcpy(ieee->current_network.ssid, req->essid, len);
+               }
+       }
diff --git a/queue-4.14/staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch b/queue-4.14/staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch
new file mode 100644 (file)
index 0000000..5cb3431
--- /dev/null
@@ -0,0 +1,36 @@
+From b93c1e3981af19527beee1c10a2bef67a228c48c Mon Sep 17 00:00:00 2001
+From: Lee Gibson <leegib@gmail.com>
+Date: Mon, 1 Mar 2021 13:26:48 +0000
+Subject: staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd
+
+From: Lee Gibson <leegib@gmail.com>
+
+commit b93c1e3981af19527beee1c10a2bef67a228c48c upstream.
+
+Function r8712_sitesurvey_cmd calls memcpy without checking the length.
+A user could control that length and trigger a buffer overflow.
+Fix by checking the length is within the maximum allowed size.
+
+Signed-off-by: Lee Gibson <leegib@gmail.com>
+Link: https://lore.kernel.org/r/20210301132648.420296-1-leegib@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8712/rtl871x_cmd.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8712/rtl871x_cmd.c
++++ b/drivers/staging/rtl8712/rtl871x_cmd.c
+@@ -242,8 +242,10 @@ u8 r8712_sitesurvey_cmd(struct _adapter
+       psurveyPara->ss_ssidlen = 0;
+       memset(psurveyPara->ss_ssid, 0, IW_ESSID_MAX_SIZE + 1);
+       if ((pssid != NULL) && (pssid->SsidLength)) {
+-              memcpy(psurveyPara->ss_ssid, pssid->Ssid, pssid->SsidLength);
+-              psurveyPara->ss_ssidlen = cpu_to_le32(pssid->SsidLength);
++              int len = min_t(int, pssid->SsidLength, IW_ESSID_MAX_SIZE);
++
++              memcpy(psurveyPara->ss_ssid, pssid->Ssid, len);
++              psurveyPara->ss_ssidlen = cpu_to_le32(len);
+       }
+       set_fwstate(pmlmepriv, _FW_UNDER_SURVEY);
+       r8712_enqueue_cmd(pcmdpriv, ph2c);
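Review bot: The added `min_t(int, pssid->SsidLength, IW_ESSID_MAX_SIZE)` converts SsidLength to int before comparing; SsidLength appears to be a 32-bit value (it is stored through cpu_to_le32 on the next line), so a value of 2^31 or more would become negative, win the min, and reach memcpy as a huge size_t. Comparing in the field's own unsigned type, `u32 len = min_t(u32, pssid->SsidLength, IW_ESSID_MAX_SIZE);`, removes the sign conversion while keeping the bound the commit intends; whether such a value can reach this function from the ioctl path is not visible here. The memset two lines above already zeroes IW_ESSID_MAX_SIZE + 1 bytes, so the capped copy leaves ss_ssid NUL-terminated. r8712_sitesurvey_cmd begins before and appears to continue after this hunk.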
diff --git a/queue-4.14/staging-rtl8712-unterminated-string-leads-to-read-overflow.patch b/queue-4.14/staging-rtl8712-unterminated-string-leads-to-read-overflow.patch
new file mode 100644 (file)
index 0000000..24f86c9
--- /dev/null
@@ -0,0 +1,33 @@
+From d660f4f42ccea50262c6ee90c8e7ad19a69fb225 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 24 Feb 2021 11:45:59 +0300
+Subject: staging: rtl8712: unterminated string leads to read overflow
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit d660f4f42ccea50262c6ee90c8e7ad19a69fb225 upstream.
+
+The memdup_user() function does not necessarily return a NUL terminated
+string so this can lead to a read overflow.  Switch from memdup_user()
+to strndup_user() to fix this bug.
+
+Fixes: c6dc001f2add ("staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes.")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YDYSR+1rj26NRhvb@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8712/rtl871x_ioctl_linux.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
++++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+@@ -927,7 +927,7 @@ static int r871x_wx_set_priv(struct net_
+       struct iw_point *dwrq = (struct iw_point *)awrq;
+       len = dwrq->length;
+-      ext = memdup_user(dwrq->pointer, len);
++      ext = strndup_user(dwrq->pointer, len);
+       if (IS_ERR(ext))
+               return PTR_ERR(ext);