5.15-stable patches

added patches:
	bluetooth-perform-careful-capability-checks-in-hci_sock_ioctl.patch
	drm-fb-helper-set-x-yres_virtual-in-drm_fb_helper_check_var.patch
	wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_assoc_ies.patch

diff --git a/queue-5.15/bluetooth-perform-careful-capability-checks-in-hci_sock_ioctl.patch b/queue-5.15/bluetooth-perform-careful-capability-checks-in-hci_sock_ioctl.patch
new file mode 100644 (file)
index 0000000..380d4eb
--- /dev/null
+++ b/queue-5.15/bluetooth-perform-careful-capability-checks-in-hci_sock_ioctl.patch
@@ -0,0 +1,50 @@
+From 25c150ac103a4ebeed0319994c742a90634ddf18 Mon Sep 17 00:00:00 2001
+From: Ruihan Li <lrh2000@pku.edu.cn>
+Date: Sun, 16 Apr 2023 16:14:04 +0800
+Subject: bluetooth: Perform careful capability checks in hci_sock_ioctl()
+
+From: Ruihan Li <lrh2000@pku.edu.cn>
+
+commit 25c150ac103a4ebeed0319994c742a90634ddf18 upstream.
+
+Previously, capability was checked using capable(), which verified that the
+caller of the ioctl system call had the required capability. In addition,
+the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
+making it persistent for the socket.
+
+However, malicious programs can abuse this approach by deliberately sharing
+an HCI socket with a privileged task. The HCI socket will be marked as
+trusted when the privileged task occasionally makes an ioctl call.
+
+This problem can be solved by using sk_capable() to check capability, which
+ensures that not only the current task but also the socket opener has the
+specified capability, thus reducing the risk of privilege escalation
+through the previously identified vulnerability.
+
+Cc: stable@vger.kernel.org
+Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
+Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sock.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -996,7 +996,14 @@ static int hci_sock_ioctl(struct socket
+       if (hci_sock_gen_cookie(sk)) {
+               struct sk_buff *skb;
+ 
+-              if (capable(CAP_NET_ADMIN))
++              /* Perform careful checks before setting the HCI_SOCK_TRUSTED
++               * flag. Make sure that not only the current task but also
++               * the socket opener has the required capability, since
++               * privileged programs can be tricked into making ioctl calls
++               * on HCI sockets, and the socket should not be marked as
++               * trusted simply because the ioctl caller is privileged.
++               */
++              if (sk_capable(sk, CAP_NET_ADMIN))
+                       hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
+ 
+               /* Send event to monitor */

diff --git a/queue-5.15/drm-fb-helper-set-x-yres_virtual-in-drm_fb_helper_check_var.patch b/queue-5.15/drm-fb-helper-set-x-yres_virtual-in-drm_fb_helper_check_var.patch
new file mode 100644 (file)
index 0000000..80f98bb
--- /dev/null
+++ b/queue-5.15/drm-fb-helper-set-x-yres_virtual-in-drm_fb_helper_check_var.patch
@@ -0,0 +1,39 @@
+From 1935f0deb6116dd785ea64d8035eab0ff441255b Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Tue, 4 Apr 2023 21:40:36 +0200
+Subject: drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 1935f0deb6116dd785ea64d8035eab0ff441255b upstream.
+
+Drivers are supposed to fix this up if needed if they don't outright
+reject it. Uncovered by 6c11df58fd1a ("fbmem: Check virtual screen
+sizes in fb_set_var()").
+
+Reported-by: syzbot+20dcf81733d43ddff661@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=c5faf983bfa4a607de530cd3bb008888bf06cefc
+Cc: stable@vger.kernel.org # v5.4+
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Javier Martinez Canillas <javierm@redhat.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230404194038.472803-1-daniel.vetter@ffwll.ch
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_fb_helper.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_fb_helper.c
++++ b/drivers/gpu/drm/drm_fb_helper.c
+@@ -1327,6 +1327,9 @@ int drm_fb_helper_check_var(struct fb_va
+               return -EINVAL;
+       }
+ 
++      var->xres_virtual = fb->width;
++      var->yres_virtual = fb->height;
++
+       /*
+        * Workaround for SDL 1.2, which is known to be setting all pixel format
+        * fields values to zero in some cases. We treat this situation as a

diff --git a/queue-5.15/series b/queue-5.15/series
index ce71ac7fc04d4c2b1c600ce668884bbc478cd812..5e9550cd83c696f9cdab31a326983e3951b07be5 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -2,3 +2,6 @@ pci-aspm-remove-pcie_aspm_pm_state_change.patch
 selftests-kselftest-runner-run_one-allow-running-non-executable-files.patch
 kvm-arm64-retry-fault-if-vma_lookup-results-become-invalid.patch
 kvm-arm64-fix-buffer-overflow-in-kvm_arm_set_fw_reg.patch
+wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_assoc_ies.patch
+drm-fb-helper-set-x-yres_virtual-in-drm_fb_helper_check_var.patch
+bluetooth-perform-careful-capability-checks-in-hci_sock_ioctl.patch

diff --git a/queue-5.15/wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_assoc_ies.patch b/queue-5.15/wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_assoc_ies.patch
new file mode 100644 (file)
index 0000000..13449e1
--- /dev/null
+++ b/queue-5.15/wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_assoc_ies.patch
@@ -0,0 +1,168 @@
+From 0da40e018fd034d87c9460123fa7f897b69fdee7 Mon Sep 17 00:00:00 2001
+From: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+Date: Thu, 9 Mar 2023 19:44:57 +0900
+Subject: wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
+
+From: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+
+commit 0da40e018fd034d87c9460123fa7f897b69fdee7 upstream.
+
+Fix a slab-out-of-bounds read that occurs in kmemdup() called from
+brcmf_get_assoc_ies().
+The bug could occur when assoc_info->req_len, data from a URB provided
+by a USB device, is bigger than the size of buffer which is defined as
+WL_EXTRA_BUF_MAX.
+
+Add the size check for req_len/resp_len of assoc_info.
+
+Found by a modified version of syzkaller.
+
+[   46.592467][    T7] ==================================================================
+[   46.594687][    T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50
+[   46.596572][    T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7
+[   46.598575][    T7]
+[   46.599157][    T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G           O      5.14.0+ #145
+[   46.601333][    T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+[   46.604360][    T7] Workqueue: events brcmf_fweh_event_worker
+[   46.605943][    T7] Call Trace:
+[   46.606584][    T7]  dump_stack_lvl+0x8e/0xd1
+[   46.607446][    T7]  print_address_description.constprop.0.cold+0x93/0x334
+[   46.608610][    T7]  ? kmemdup+0x3e/0x50
+[   46.609341][    T7]  kasan_report.cold+0x79/0xd5
+[   46.610151][    T7]  ? kmemdup+0x3e/0x50
+[   46.610796][    T7]  kasan_check_range+0x14e/0x1b0
+[   46.611691][    T7]  memcpy+0x20/0x60
+[   46.612323][    T7]  kmemdup+0x3e/0x50
+[   46.612987][    T7]  brcmf_get_assoc_ies+0x967/0xf60
+[   46.613904][    T7]  ? brcmf_notify_vif_event+0x3d0/0x3d0
+[   46.614831][    T7]  ? lock_chain_count+0x20/0x20
+[   46.615683][    T7]  ? mark_lock.part.0+0xfc/0x2770
+[   46.616552][    T7]  ? lock_chain_count+0x20/0x20
+[   46.617409][    T7]  ? mark_lock.part.0+0xfc/0x2770
+[   46.618244][    T7]  ? lock_chain_count+0x20/0x20
+[   46.619024][    T7]  brcmf_bss_connect_done.constprop.0+0x241/0x2e0
+[   46.620019][    T7]  ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0
+[   46.620818][    T7]  ? __lock_acquire+0x181f/0x5790
+[   46.621462][    T7]  brcmf_notify_connect_status+0x448/0x1950
+[   46.622134][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0
+[   46.622736][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
+[   46.623390][    T7]  ? find_held_lock+0x2d/0x110
+[   46.623962][    T7]  ? brcmf_fweh_event_worker+0x19f/0xc60
+[   46.624603][    T7]  ? mark_held_locks+0x9f/0xe0
+[   46.625145][    T7]  ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0
+[   46.625871][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
+[   46.626545][    T7]  brcmf_fweh_call_event_handler.isra.0+0x90/0x100
+[   46.627338][    T7]  brcmf_fweh_event_worker+0x557/0xc60
+[   46.627962][    T7]  ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
+[   46.628736][    T7]  ? rcu_read_lock_sched_held+0xa1/0xd0
+[   46.629396][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0
+[   46.629970][    T7]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
+[   46.630649][    T7]  process_one_work+0x92b/0x1460
+[   46.631205][    T7]  ? pwq_dec_nr_in_flight+0x330/0x330
+[   46.631821][    T7]  ? rwlock_bug.part.0+0x90/0x90
+[   46.632347][    T7]  worker_thread+0x95/0xe00
+[   46.632832][    T7]  ? __kthread_parkme+0x115/0x1e0
+[   46.633393][    T7]  ? process_one_work+0x1460/0x1460
+[   46.633957][    T7]  kthread+0x3a1/0x480
+[   46.634369][    T7]  ? set_kthread_struct+0x120/0x120
+[   46.634933][    T7]  ret_from_fork+0x1f/0x30
+[   46.635431][    T7]
+[   46.635687][    T7] Allocated by task 7:
+[   46.636151][    T7]  kasan_save_stack+0x1b/0x40
+[   46.636628][    T7]  __kasan_kmalloc+0x7c/0x90
+[   46.637108][    T7]  kmem_cache_alloc_trace+0x19e/0x330
+[   46.637696][    T7]  brcmf_cfg80211_attach+0x4a0/0x4040
+[   46.638275][    T7]  brcmf_attach+0x389/0xd40
+[   46.638739][    T7]  brcmf_usb_probe+0x12de/0x1690
+[   46.639279][    T7]  usb_probe_interface+0x2aa/0x760
+[   46.639820][    T7]  really_probe+0x205/0xb70
+[   46.640342][    T7]  __driver_probe_device+0x311/0x4b0
+[   46.640876][    T7]  driver_probe_device+0x4e/0x150
+[   46.641445][    T7]  __device_attach_driver+0x1cc/0x2a0
+[   46.642000][    T7]  bus_for_each_drv+0x156/0x1d0
+[   46.642543][    T7]  __device_attach+0x23f/0x3a0
+[   46.643065][    T7]  bus_probe_device+0x1da/0x290
+[   46.643644][    T7]  device_add+0xb7b/0x1eb0
+[   46.644130][    T7]  usb_set_configuration+0xf59/0x16f0
+[   46.644720][    T7]  usb_generic_driver_probe+0x82/0xa0
+[   46.645295][    T7]  usb_probe_device+0xbb/0x250
+[   46.645786][    T7]  really_probe+0x205/0xb70
+[   46.646258][    T7]  __driver_probe_device+0x311/0x4b0
+[   46.646804][    T7]  driver_probe_device+0x4e/0x150
+[   46.647387][    T7]  __device_attach_driver+0x1cc/0x2a0
+[   46.647926][    T7]  bus_for_each_drv+0x156/0x1d0
+[   46.648454][    T7]  __device_attach+0x23f/0x3a0
+[   46.648939][    T7]  bus_probe_device+0x1da/0x290
+[   46.649478][    T7]  device_add+0xb7b/0x1eb0
+[   46.649936][    T7]  usb_new_device.cold+0x49c/0x1029
+[   46.650526][    T7]  hub_event+0x1c98/0x3950
+[   46.650975][    T7]  process_one_work+0x92b/0x1460
+[   46.651535][    T7]  worker_thread+0x95/0xe00
+[   46.651991][    T7]  kthread+0x3a1/0x480
+[   46.652413][    T7]  ret_from_fork+0x1f/0x30
+[   46.652885][    T7]
+[   46.653131][    T7] The buggy address belongs to the object at ffff888019442000
+[   46.653131][    T7]  which belongs to the cache kmalloc-2k of size 2048
+[   46.654669][    T7] The buggy address is located 0 bytes inside of
+[   46.654669][    T7]  2048-byte region [ffff888019442000, ffff888019442800)
+[   46.656137][    T7] The buggy address belongs to the page:
+[   46.656720][    T7] page:ffffea0000651000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19440
+[   46.657792][    T7] head:ffffea0000651000 order:3 compound_mapcount:0 compound_pincount:0
+[   46.658673][    T7] flags: 0x100000000010200(slab|head|node=0|zone=1)
+[   46.659422][    T7] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888100042000
+[   46.660363][    T7] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
+[   46.661236][    T7] page dumped because: kasan: bad access detected
+[   46.661956][    T7] page_owner tracks the page as allocated
+[   46.662588][    T7] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 7, ts 31136961085, free_ts 0
+[   46.664271][    T7]  prep_new_page+0x1aa/0x240
+[   46.664763][    T7]  get_page_from_freelist+0x159a/0x27c0
+[   46.665340][    T7]  __alloc_pages+0x2da/0x6a0
+[   46.665847][    T7]  alloc_pages+0xec/0x1e0
+[   46.666308][    T7]  allocate_slab+0x380/0x4e0
+[   46.666770][    T7]  ___slab_alloc+0x5bc/0x940
+[   46.667264][    T7]  __slab_alloc+0x6d/0x80
+[   46.667712][    T7]  kmem_cache_alloc_trace+0x30a/0x330
+[   46.668299][    T7]  brcmf_usbdev_qinit.constprop.0+0x50/0x470
+[   46.668885][    T7]  brcmf_usb_probe+0xc97/0x1690
+[   46.669438][    T7]  usb_probe_interface+0x2aa/0x760
+[   46.669988][    T7]  really_probe+0x205/0xb70
+[   46.670487][    T7]  __driver_probe_device+0x311/0x4b0
+[   46.671031][    T7]  driver_probe_device+0x4e/0x150
+[   46.671604][    T7]  __device_attach_driver+0x1cc/0x2a0
+[   46.672192][    T7]  bus_for_each_drv+0x156/0x1d0
+[   46.672739][    T7] page_owner free stack trace missing
+[   46.673335][    T7]
+[   46.673620][    T7] Memory state around the buggy address:
+[   46.674213][    T7]  ffff888019442700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   46.675083][    T7]  ffff888019442780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   46.675994][    T7] >ffff888019442800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   46.676875][    T7]                    ^
+[   46.677323][    T7]  ffff888019442880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   46.678190][    T7]  ffff888019442900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   46.679052][    T7] ==================================================================
+[   46.679945][    T7] Disabling lock debugging due to kernel taint
+[   46.680725][    T7] Kernel panic - not syncing:
+
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5890,6 +5890,11 @@ static s32 brcmf_get_assoc_ies(struct br
+               (struct brcmf_cfg80211_assoc_ielen_le *)cfg->extra_buf;
+       req_len = le32_to_cpu(assoc_info->req_len);
+       resp_len = le32_to_cpu(assoc_info->resp_len);
++      if (req_len > WL_EXTRA_BUF_MAX || resp_len > WL_EXTRA_BUF_MAX) {
++              bphy_err(drvr, "invalid lengths in assoc info: req %u resp %u\n",
++                       req_len, resp_len);
++              return -EINVAL;
++      }
+       if (req_len) {
+               err = brcmf_fil_iovar_data_get(ifp, "assoc_req_ies",
+                                              cfg->extra_buf,