--- /dev/null
+From a0341fc1981a950c1e902ab901e98f60e0e243f3 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Sat, 7 Jul 2018 04:16:33 +0200
+Subject: ibmasm: don't write out of bounds in read handler
+
+From: Jann Horn <jannh@google.com>
+
+commit a0341fc1981a950c1e902ab901e98f60e0e243f3 upstream.
+
+This read handler had a lot of custom logic and wrote outside the bounds of
+the provided buffer. This could lead to kernel and userspace memory
+corruption. Just use simple_read_from_buffer() with a stack buffer.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/ibmasm/ibmasmfs.c | 27 +++------------------------
+ 1 file changed, 3 insertions(+), 24 deletions(-)
+
+--- a/drivers/misc/ibmasm/ibmasmfs.c
++++ b/drivers/misc/ibmasm/ibmasmfs.c
+@@ -507,35 +507,14 @@ static int remote_settings_file_close(st
+ static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
+ {
+ void __iomem *address = (void __iomem *)file->private_data;
+- unsigned char *page;
+- int retval;
+ int len = 0;
+ unsigned int value;
+-
+- if (*offset < 0)
+- return -EINVAL;
+- if (count == 0 || count > 1024)
+- return 0;
+- if (*offset != 0)
+- return 0;
+-
+- page = (unsigned char *)__get_free_page(GFP_KERNEL);
+- if (!page)
+- return -ENOMEM;
++ char lbuf[20];
+
+ value = readl(address);
+- len = sprintf(page, "%d\n", value);
+-
+- if (copy_to_user(buf, page, len)) {
+- retval = -EFAULT;
+- goto exit;
+- }
+- *offset += len;
+- retval = len;
++ len = snprintf(lbuf, sizeof(lbuf), "%d\n", value);
+
+-exit:
+- free_page((unsigned long)page);
+- return retval;
++ return simple_read_from_buffer(buf, count, offset, lbuf, len);
+ }
+
+ static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)
--- /dev/null
+ibmasm-don-t-write-out-of-bounds-in-read-handler.patch
+usb-serial-keyspan_pda-fix-modem-status-error-handling.patch
+usb-yurex-fix-out-of-bounds-uaccess-in-read-handler.patch
+usb-serial-mos7840-fix-status-register-error-handling.patch
+usb-quirks-add-delay-quirks-for-corsair-strafe.patch
+xhci-xhci-mem-off-by-one-in-xhci_stream_id_to_ring.patch
--- /dev/null
+From bba57eddadda936c94b5dccf73787cb9e159d0a5 Mon Sep 17 00:00:00 2001
+From: Nico Sneck <snecknico@gmail.com>
+Date: Mon, 2 Jul 2018 19:26:07 +0300
+Subject: usb: quirks: add delay quirks for Corsair Strafe
+
+From: Nico Sneck <snecknico@gmail.com>
+
+commit bba57eddadda936c94b5dccf73787cb9e159d0a5 upstream.
+
+Corsair Strafe appears to suffer from the same issues
+as the Corsair Strafe RGB.
+Apply the same quirks (control message delay and init delay)
+that the RGB version has to 1b1c:1b15.
+
+With these quirks in place the keyboard works correctly upon
+booting the system, and no longer requires reattaching the device.
+
+Signed-off-by: Nico Sneck <snecknico@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -221,6 +221,10 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1a0a, 0x0200), .driver_info =
+ USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+
++ /* Corsair Strafe */
++ { USB_DEVICE(0x1b1c, 0x1b15), .driver_info = USB_QUIRK_DELAY_INIT |
++ USB_QUIRK_DELAY_CTRL_MSG },
++
+ /* Corsair Strafe RGB */
+ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
+ USB_QUIRK_DELAY_CTRL_MSG },
--- /dev/null
+From 01b3cdfca263a17554f7b249d20a247b2a751521 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Jul 2018 17:02:16 +0200
+Subject: USB: serial: keyspan_pda: fix modem-status error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 01b3cdfca263a17554f7b249d20a247b2a751521 upstream.
+
+Fix broken modem-status error handling which could lead to bits of slab
+data leaking to user space.
+
+Fixes: 3b36a8fd6777 ("usb: fix uninitialized variable warning in keyspan_pda")
+Cc: stable <stable@vger.kernel.org> # 2.6.27
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/keyspan_pda.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/keyspan_pda.c
++++ b/drivers/usb/serial/keyspan_pda.c
+@@ -373,8 +373,10 @@ static int keyspan_pda_get_modem_info(st
+ 3, /* get pins */
+ USB_TYPE_VENDOR|USB_RECIP_INTERFACE|USB_DIR_IN,
+ 0, 0, data, 1, 2000);
+- if (rc >= 0)
++ if (rc == 1)
+ *value = *data;
++ else if (rc >= 0)
++ rc = -EIO;
+
+ kfree(data);
+ return rc;
--- /dev/null
+From 794744abfffef8b1f3c0c8a4896177d6d13d653d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Jul 2018 17:02:17 +0200
+Subject: USB: serial: mos7840: fix status-register error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 794744abfffef8b1f3c0c8a4896177d6d13d653d upstream.
+
+Add missing transfer-length sanity check to the status-register
+completion handler to avoid leaking bits of uninitialised slab data to
+user space.
+
+Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
+Cc: stable <stable@vger.kernel.org> # 2.6.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mos7840.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -482,6 +482,9 @@ static void mos7840_control_callback(str
+ }
+
+ dev_dbg(dev, "%s urb buffer size is %d\n", __func__, urb->actual_length);
++ if (urb->actual_length < 1)
++ goto out;
++
+ dev_dbg(dev, "%s mos7840_port->MsrLsr is %d port %d\n", __func__,
+ mos7840_port->MsrLsr, mos7840_port->port_num);
+ data = urb->transfer_buffer;
--- /dev/null
+From f1e255d60ae66a9f672ff9a207ee6cd8e33d2679 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 6 Jul 2018 17:12:56 +0200
+Subject: USB: yurex: fix out-of-bounds uaccess in read handler
+
+From: Jann Horn <jannh@google.com>
+
+commit f1e255d60ae66a9f672ff9a207ee6cd8e33d2679 upstream.
+
+In general, accessing userspace memory beyond the length of the supplied
+buffer in VFS read/write handlers can lead to both kernel memory corruption
+(via kernel_read()/kernel_write(), which can e.g. be triggered via
+sys_splice()) and privilege escalation inside userspace.
+
+Fix it by using simple_read_from_buffer() instead of custom logic.
+
+Fixes: 6bc235a2e24a ("USB: add driver for Meywa-Denki & Kayac YUREX")
+Signed-off-by: Jann Horn <jannh@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/yurex.c | 23 ++++++-----------------
+ 1 file changed, 6 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/misc/yurex.c
++++ b/drivers/usb/misc/yurex.c
+@@ -413,8 +413,7 @@ static int yurex_release(struct inode *i
+ static ssize_t yurex_read(struct file *file, char *buffer, size_t count, loff_t *ppos)
+ {
+ struct usb_yurex *dev;
+- int retval = 0;
+- int bytes_read = 0;
++ int len = 0;
+ char in_buffer[20];
+ unsigned long flags;
+
+@@ -422,26 +421,16 @@ static ssize_t yurex_read(struct file *f
+
+ mutex_lock(&dev->io_mutex);
+ if (!dev->interface) { /* already disconnected */
+- retval = -ENODEV;
+- goto exit;
++ mutex_unlock(&dev->io_mutex);
++ return -ENODEV;
+ }
+
+ spin_lock_irqsave(&dev->lock, flags);
+- bytes_read = snprintf(in_buffer, 20, "%lld\n", dev->bbu);
++ len = snprintf(in_buffer, 20, "%lld\n", dev->bbu);
+ spin_unlock_irqrestore(&dev->lock, flags);
+-
+- if (*ppos < bytes_read) {
+- if (copy_to_user(buffer, in_buffer + *ppos, bytes_read - *ppos))
+- retval = -EFAULT;
+- else {
+- retval = bytes_read - *ppos;
+- *ppos += bytes_read;
+- }
+- }
+-
+-exit:
+ mutex_unlock(&dev->io_mutex);
+- return retval;
++
++ return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
+ }
+
+ static ssize_t yurex_write(struct file *file, const char *user_buffer, size_t count, loff_t *ppos)
--- /dev/null
+From 313db3d6488bb03b61b99de9dbca061f1fd838e1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:48:53 +0300
+Subject: xhci: xhci-mem: off by one in xhci_stream_id_to_ring()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 313db3d6488bb03b61b99de9dbca061f1fd838e1 upstream.
+
+The > should be >= here so that we don't read one element beyond the end
+of the ep->stream_info->stream_rings[] array.
+
+Fixes: e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -638,7 +638,7 @@ struct xhci_ring *xhci_stream_id_to_ring
+ if (!ep->stream_info)
+ return NULL;
+
+- if (stream_id > ep->stream_info->num_streams)
++ if (stream_id >= ep->stream_info->num_streams)
+ return NULL;
+ return ep->stream_info->stream_rings[stream_id];
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
