--- /dev/null
+From 3dc289f8f139997f4e9d3cfccf8738f20d23e47b Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Wed, 7 Oct 2020 09:24:01 +0530
+Subject: net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key()
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 3dc289f8f139997f4e9d3cfccf8738f20d23e47b upstream.
+
+In nl80211_parse_key(), key.idx is first initialized as -1.
+If this value of key.idx remains unmodified and gets returned, and
+nl80211_key_allowed() also returns 0, then rdev_del_key() gets called
+with key.idx = -1.
+This causes an out-of-bounds array access.
+
+Handle this issue by checking if the value of key.idx after
+nl80211_parse_key() is called and return -EINVAL if key.idx < 0.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
+Tested-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Link: https://lore.kernel.org/r/20201007035401.9522-1-anant.thazhemadam@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3283,6 +3283,9 @@ static int nl80211_del_key(struct sk_buf
+ if (err)
+ return err;
+
++ if (key.idx < 0)
++ return -EINVAL;
++
+ if (info->attrs[NL80211_ATTR_MAC])
+ mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
+
--- /dev/null
+From 4013c1496c49615d90d36b9d513eee8e369778e9 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 5 Oct 2020 10:56:22 -0700
+Subject: usermodehelper: reset umask to default before executing user process
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4013c1496c49615d90d36b9d513eee8e369778e9 upstream.
+
+Kernel threads intentionally do CLONE_FS in order to follow any changes
+that 'init' does to set up the root directory (or cwd).
+
+It is admittedly a bit odd, but it avoids the situation where 'init'
+does some extensive setup to initialize the system environment, and then
+we execute a usermode helper program, and it uses the original FS setup
+from boot time that may be very limited and incomplete.
+
+[ Both Al Viro and Eric Biederman point out that 'pivot_root()' will
+ follow the root regardless, since it fixes up other users of root (see
+ chroot_fs_refs() for details), but overmounting root and doing a
+ chroot() would not. ]
+
+However, Vegard Nossum noticed that the CLONE_FS not only means that we
+follow the root and current working directories, it also means we share
+umask with whatever init changed it to. That wasn't intentional.
+
+Just reset umask to the original default (0022) before actually starting
+the usermode helper program.
+
+Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/kmod.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -28,6 +28,7 @@
+ #include <linux/cred.h>
+ #include <linux/file.h>
+ #include <linux/fdtable.h>
++#include <linux/fs_struct.h>
+ #include <linux/workqueue.h>
+ #include <linux/security.h>
+ #include <linux/mount.h>
+@@ -223,6 +224,14 @@ static int call_usermodehelper_exec_asyn
+ spin_unlock_irq(¤t->sighand->siglock);
+
+ /*
++ * Initial kernel threads share ther FS with init, in order to
++ * get the init root directory. But we've now created a new
++ * thread that is going to execve a user process and has its own
++ * 'struct fs_struct'. Reset umask to the default.
++ */
++ current->fs->umask = 0022;
++
++ /*
+ * Our parent (unbound workqueue) runs with elevated scheduling
+ * priority. Avoid propagating that into the userspace child.
+ */
projects / thirdparty / kernel / stable-queue.git / commitdiff
