--- /dev/null
+From 5cc41e099504b77014358b58567c5ea6293dd220 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Thu, 7 Jun 2018 17:11:01 -0700
+Subject: fs/binfmt_misc.c: do not allow offset overflow
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 5cc41e099504b77014358b58567c5ea6293dd220 upstream.
+
+WHen registering a new binfmt_misc handler, it is possible to overflow
+the offset to get a negative value, which might crash the system, or
+possibly leak kernel data.
+
+Here is a crash log when 2500000000 was used as an offset:
+
+ BUG: unable to handle kernel paging request at ffff989cfd6edca0
+ IP: load_misc_binary+0x22b/0x470 [binfmt_misc]
+ PGD 1ef3e067 P4D 1ef3e067 PUD 0
+ Oops: 0000 [#1] SMP NOPTI
+ Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy
+ CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
+ RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc]
+ Call Trace:
+ search_binary_handler+0x97/0x1d0
+ do_execveat_common.isra.34+0x667/0x810
+ SyS_execve+0x31/0x40
+ do_syscall_64+0x73/0x130
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Use kstrtoint instead of simple_strtoul. It will work as the code
+already set the delimiter byte to '\0' and we only do it when the field
+is not empty.
+
+Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested
+with examples documented at Documentation/admin-guide/binfmt-misc.rst
+and other registrations from packages on Ubuntu.
+
+Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_misc.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -384,8 +384,13 @@ static Node *create_entry(const char __u
+ s = strchr(p, del);
+ if (!s)
+ goto einval;
+- *s++ = '\0';
+- e->offset = simple_strtoul(p, &p, 10);
++ *s = '\0';
++ if (p != s) {
++ int r = kstrtoint(p, 10, &e->offset);
++ if (r != 0 || e->offset < 0)
++ goto einval;
++ }
++ p = s;
+ if (*p++)
+ goto einval;
+ pr_debug("register: offset: %#x\n", e->offset);
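Review bot: After this change the retained `if (*p++) goto einval;` can no longer fail: `*s` was just set to '\0' and `p = s`, so the test always reads the terminator and only steps past the delimiter. Trailing garbage is now rejected by kstrtoint itself, so `p = s + 1;` would say the same thing more plainly, though keeping the line is defensible for a stable backport that should match upstream. An empty offset field skips the parse entirely, so the entry keeps whatever value e->offset had at allocation; that is presumably zero, but the allocation is outside this hunk. A comment such as `/* empty field: keep the default offset of 0 */` would record that assumption. create_entry starts and ends outside the hunk.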
+@@ -425,7 +430,8 @@ static Node *create_entry(const char __u
+ if (e->mask &&
+ string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
+ goto einval;
+- if (e->size + e->offset > BINPRM_BUF_SIZE)
++ if (e->size > BINPRM_BUF_SIZE ||
++ BINPRM_BUF_SIZE - e->size < e->offset)
+ goto einval;
+ pr_debug("register: magic/mask length: %i\n", e->size);
+ if (USE_DEBUG) {
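Review bot: The rewritten bound check is only overflow-free because `e->offset < 0` is rejected in the earlier hunk, and nothing at the check itself says so. A comment such as `/* offset >= 0 was enforced when parsing; subtract instead of adding to avoid signed overflow */` would keep a later edit from reintroducing `e->size + e->offset`. The declarations of size and offset are outside the hunk, so their signed int type is inferred from the kstrtoint call.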
--- /dev/null
+From ebeaa367548e9e92dd9374b9464ff6e7d157117b Mon Sep 17 00:00:00 2001
+From: Even Xu <even.xu@intel.com>
+Date: Fri, 12 Feb 2016 04:11:34 +0800
+Subject: HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation
+
+From: Even Xu <even.xu@intel.com>
+
+commit ebeaa367548e9e92dd9374b9464ff6e7d157117b upstream.
+
+Current ISH driver only registers suspend/resume PM callbacks which don't
+support hibernation (suspend to disk). Basically after hiberation, the ISH
+can't resume properly and user may not see sensor events (for example: screen
+ rotation may not work).
+
+User will not see a crash or panic or anything except the following message
+in log:
+
+ hid-sensor-hub 001F:8086:22D8.0001: timeout waiting for response from ISHTP device
+
+So this patch adds support for S4/hiberbation to ISH by using the
+SIMPLE_DEV_PM_OPS() MACRO instead of struct dev_pm_ops directly. The suspend
+and resume functions will now be used for both suspend to RAM and hibernation.
+
+If power management is disabled, SIMPLE_DEV_PM_OPS will do nothing, the suspend
+and resume related functions won't be used, so mark them as __maybe_unused to
+clarify that this is the intended behavior, and remove #ifdefs for power
+management.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Even Xu <even.xu@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/intel-ish-hid/ipc/pci-ish.c | 22 +++++++---------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+@@ -202,8 +202,7 @@ static void ish_remove(struct pci_dev *p
+ kfree(ishtp_dev);
+ }
+
+-#ifdef CONFIG_PM
+-static struct device *ish_resume_device;
++static struct device __maybe_unused *ish_resume_device;
+
+ /**
+ * ish_resume_handler() - Work function to complete resume
+@@ -214,7 +213,7 @@ static struct device *ish_resume_device;
+ * in that case a simple resume message is enough, others we need
+ * a reset sequence.
+ */
+-static void ish_resume_handler(struct work_struct *work)
++static void __maybe_unused ish_resume_handler(struct work_struct *work)
+ {
+ struct pci_dev *pdev = to_pci_dev(ish_resume_device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -245,7 +244,7 @@ static void ish_resume_handler(struct wo
+ *
+ * Return: 0 to the pm core
+ */
+-static int ish_suspend(struct device *device)
++static int __maybe_unused ish_suspend(struct device *device)
+ {
+ struct pci_dev *pdev = to_pci_dev(device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -271,7 +270,7 @@ static int ish_suspend(struct device *de
+ return 0;
+ }
+
+-static DECLARE_WORK(resume_work, ish_resume_handler);
++static __maybe_unused DECLARE_WORK(resume_work, ish_resume_handler);
+ /**
+ * ish_resume() - ISH resume callback
+ * @device: device pointer
+@@ -280,7 +279,7 @@ static DECLARE_WORK(resume_work, ish_res
+ *
+ * Return: 0 to the pm core
+ */
+-static int ish_resume(struct device *device)
++static int __maybe_unused ish_resume(struct device *device)
+ {
+ struct pci_dev *pdev = to_pci_dev(device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -294,21 +293,14 @@ static int ish_resume(struct device *dev
+ return 0;
+ }
+
+-static const struct dev_pm_ops ish_pm_ops = {
+- .suspend = ish_suspend,
+- .resume = ish_resume,
+-};
+-#define ISHTP_ISH_PM_OPS (&ish_pm_ops)
+-#else
+-#define ISHTP_ISH_PM_OPS NULL
+-#endif /* CONFIG_PM */
++static SIMPLE_DEV_PM_OPS(ish_pm_ops, ish_suspend, ish_resume);
+
+ static struct pci_driver ish_driver = {
+ .name = KBUILD_MODNAME,
+ .id_table = ish_pci_tbl,
+ .probe = ish_probe,
+ .remove = ish_remove,
+- .driver.pm = ISHTP_ISH_PM_OPS,
++ .driver.pm = &ish_pm_ops,
+ };
+
+ module_pci_driver(ish_driver);
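Review bot: The kernel-doc above ish_suspend() and ish_resume() still describes them only as the suspend and resume callbacks, but with `SIMPLE_DEV_PM_OPS(ish_pm_ops, ish_suspend, ish_resume)` the same two functions also serve the hibernation transitions (freeze/thaw/poweroff/restore). A sentence in each header, e.g. `Also used for the hibernation (S4) transitions via SIMPLE_DEV_PM_OPS.`, would tell a later reader that changes here affect both paths. The macro is conditional on CONFIG_PM_SLEEP rather than CONFIG_PM, which is why the earlier hunks need the `__maybe_unused` annotations; the commit text's "if power management is disabled" is slightly broader than what the macro tests.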
--- /dev/null
+From f6a4b4c9d07dda90c7c29dae96d6119ac6425dca Mon Sep 17 00:00:00 2001
+From: Martin Brandenburg <martin@omnibond.com>
+Date: Thu, 31 May 2018 16:36:58 +0000
+Subject: orangefs: set i_size on new symlink
+
+From: Martin Brandenburg <martin@omnibond.com>
+
+commit f6a4b4c9d07dda90c7c29dae96d6119ac6425dca upstream.
+
+As long as a symlink inode remains in-core, the destination (and
+therefore size) will not be re-fetched from the server, as it cannot
+change. The original implementation of the attribute cache assumed that
+setting the expiry time in the past was sufficient to cause a re-fetch
+of all attributes on the next getattr. That does not work in this case.
+
+The bug manifested itself as follows. When the command sequence
+
+touch foo; ln -s foo bar; ls -l bar
+
+is run, the output was
+
+lrwxrwxrwx. 1 fedora fedora 4906 Apr 24 19:10 bar -> foo
+
+However, after a re-mount, ls -l bar produces
+
+lrwxrwxrwx. 1 fedora fedora 3 Apr 24 19:10 bar -> foo
+
+After this commit, even before a re-mount, the output is
+
+lrwxrwxrwx. 1 fedora fedora 3 Apr 24 19:10 bar -> foo
+
+Reported-by: Becky Ligon <ligon@clemson.edu>
+Signed-off-by: Martin Brandenburg <martin@omnibond.com>
+Fixes: 71680c18c8f2 ("orangefs: Cache getattr results.")
+Cc: stable@vger.kernel.org
+Cc: hubcap@omnibond.com
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/orangefs/namei.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/orangefs/namei.c
++++ b/fs/orangefs/namei.c
+@@ -312,6 +312,13 @@ static int orangefs_symlink(struct inode
+ ret = PTR_ERR(inode);
+ goto out;
+ }
++ /*
++ * This is necessary because orangefs_inode_getattr will not
++ * re-read symlink size as it is impossible for it to change.
++ * Invalidating the cache does not help. orangefs_new_inode
++ * does not set the correct size (it does not know symname).
++ */
++ inode->i_size = strlen(symname);
+
+ gossip_debug(GOSSIP_NAME_DEBUG,
+ "Assigned symlink inode new number of %pU\n",
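Review bot: `inode->i_size = strlen(symname);` stores to i_size directly rather than through `i_size_write(inode, strlen(symname));`, the accessor that keeps loff_t updates consistent for concurrent i_size_read() callers on 32-bit SMP builds. Whether another task can already see the new inode at this point depends on orangefs_new_inode, which is outside the hunk, so the direct store may be harmless here. Using the accessor removes the question. orangefs_symlink begins and ends outside the hunk.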
libata-zpodd-small-read-overflow-in-eject_tray.patch
libata-drop-sandisk-sd7ub3q-g1001-nolpm-quirk.patch
w1-mxc_w1-enable-clock-before-calling-clk_get_rate-on-it.patch
+orangefs-set-i_size-on-new-symlink.patch
+hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch
+vhost-fix-info-leak-due-to-uninitialized-memory.patch
+fs-binfmt_misc.c-do-not-allow-offset-overflow.patch
--- /dev/null
+From 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Sat, 12 May 2018 00:33:10 +0300
+Subject: vhost: fix info leak due to uninitialized memory
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad upstream.
+
+struct vhost_msg within struct vhost_msg_node is copied to userspace.
+Unfortunately it turns out on 64 bit systems vhost_msg has padding after
+type which gcc doesn't initialize, leaking 4 uninitialized bytes to
+userspace.
+
+This padding also unfortunately means 32 bit users of this interface are
+broken on a 64 bit kernel which will need to be fixed separately.
+
+Fixes: CVE-2018-1118
+Cc: stable@vger.kernel.org
+Reported-by: Kevin Easton <kevin@guarana.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/vhost.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2295,6 +2295,9 @@ struct vhost_msg_node *vhost_new_msg(str
+ struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
+ if (!node)
+ return NULL;
++
++ /* Make sure all padding within the structure is initialized. */
++ memset(&node->msg, 0, sizeof node->msg);
+ node->vq = vq;
+ node->msg.type = type;
+ return node;
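Review bot: The added comment says what the memset does but not why it matters: per the commit description, msg is copied to userspace, so any byte left untouched after kmalloc() is a heap disclosure. Spelling that out, e.g. `/* msg is copied to userspace verbatim: zero it so padding never carries stale heap data */`, makes clear that the memset must stay even if every named field is later assigned. The rest of *node is still uninitialised after kmalloc(). That is safe only while nothing outside msg is copied out, which cannot be confirmed from this hunk.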