5.2-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Tue, 17 Sep 2019 17:43:28 +0000 (19:43 +0200)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Tue, 17 Sep 2019 17:43:28 +0000 (19:43 +0200)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 17 Sep 2019 17:43:28 +0000 (19:43 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 17 Sep 2019 17:43:28 +0000 (19:43 +0200)
diff --git a/queue-5.2/rsi-fix-a-double-free-bug-in-rsi_91x_deinit.patch b/queue-5.2/rsi-fix-a-double-free-bug-in-rsi_91x_deinit.patch

new file mode 100644 (file)

index 0000000..ba05c1f
--- /dev/null
+++ b/queue-5.2/rsi-fix-a-double-free-bug-in-rsi_91x_deinit.patch
@@ -0,0 +1,46 @@
+From 8b51dc7291473093c821195c4b6af85fadedbc2f Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Mon, 19 Aug 2019 18:02:29 -0400
+Subject: rsi: fix a double free bug in rsi_91x_deinit()
+
+From: Hui Peng <benquike@gmail.com>
+
+commit 8b51dc7291473093c821195c4b6af85fadedbc2f upstream.
+
+`dev` (struct rsi_91x_usbdev *) field of adapter
+(struct rsi_91x_usbdev *) is allocated  and initialized in
+`rsi_init_usb_interface`. If any error is detected in information
+read from the device side,  `rsi_init_usb_interface` will be
+freed. However, in the higher level error handling code in
+`rsi_probe`, if error is detected, `rsi_91x_deinit` is called
+again, in which `dev` will be freed again, resulting double free.
+
+This patch fixes the double free by removing the free operation on
+`dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also
+used in `rsi_disconnect`, in that code path, the `dev` field is not
+ (and thus needs to be) freed.
+
+This bug was found in v4.19, but is also present in the latest version
+of kernel. Fixes CVE-2019-15504.
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -645,7 +645,6 @@ fail_rx:
+       kfree(rsi_dev->tx_buffer);
+ 
+ fail_eps:
+-      kfree(rsi_dev);
+ 
+       return status;
+ }
diff --git a/queue-5.2/series b/queue-5.2/series

index 562d3e42becee1cd6245faf417b6fbcb264e9fc6..85e358adc1bb8321dc16efa3956a9bee74b29bcd 100644 (file)
--- a/queue-5.2/series
+++ b/queue-5.2/series
@@ -81,3 +81,4 @@ kvm-nvmx-remove-unnecessary-sync_roots-from-handle_invept.patch
  kvm-svm-fix-detection-of-amd-errata-1096.patch
  platform-x86-pmc_atom-add-cb4063-beckhoff-automation-board-to-critclk_systems-dmi-table.patch
  platform-x86-pcengines-apuv2-use-key_restart-for-front-button.patch
+rsi-fix-a-double-free-bug-in-rsi_91x_deinit.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 17 Sep 2019 17:43:28 +0000 (19:43 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 17 Sep 2019 17:43:28 +0000 (19:43 +0200)
queue-5.2/rsi-fix-a-double-free-bug-in-rsi_91x_deinit.patch	[new file with mode: 0644]	patch \| blob
queue-5.2/series		patch \| blob \| blame \| history