4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 Nov 2017 18:01:42 +0000 (19:01 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 Nov 2017 18:01:42 +0000 (19:01 +0100)
added patches:
alsa-seq-cancel-pending-autoload-work-at-unbinding-device.patch
input-ims-psu-check-if-cdc-union-descriptor-is-sane.patch
mac80211-accept-key-reinstall-without-changing-anything.patch
mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-prevention.patch
mac80211-use-constant-time-comparison-with-keys.patch
series
usb-usbtest-fix-null-pointer-dereference.patch

queue-4.4/alsa-seq-cancel-pending-autoload-work-at-unbinding-device.patch [new file with mode: 0644]
queue-4.4/input-ims-psu-check-if-cdc-union-descriptor-is-sane.patch [new file with mode: 0644]
queue-4.4/mac80211-accept-key-reinstall-without-changing-anything.patch [new file with mode: 0644]
queue-4.4/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-prevention.patch [new file with mode: 0644]
queue-4.4/mac80211-use-constant-time-comparison-with-keys.patch [new file with mode: 0644]
queue-4.4/series [new file with mode: 0644]
queue-4.4/usb-usbtest-fix-null-pointer-dereference.patch [new file with mode: 0644]

diff --git a/queue-4.4/alsa-seq-cancel-pending-autoload-work-at-unbinding-device.patch b/queue-4.4/alsa-seq-cancel-pending-autoload-work-at-unbinding-device.patch
new file mode 100644 (file)
index 0000000..aeb48e3
--- /dev/null
@@ -0,0 +1,80 @@
+From fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 12 Sep 2017 12:41:20 +0200
+Subject: ALSA: seq: Cancel pending autoload work at unbinding device
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57 upstream.
+
+ALSA sequencer core has a mechanism to load the enumerated devices
+automatically, and it's performed in an off-load work.  This seems
+causing some race when a sequencer is removed while the pending
+autoload work is running.  As syzkaller spotted, it may lead to some
+use-after-free:
+  BUG: KASAN: use-after-free in snd_rawmidi_dev_seq_free+0x69/0x70
+  sound/core/rawmidi.c:1617
+  Write of size 8 at addr ffff88006c611d90 by task kworker/2:1/567
+
+  CPU: 2 PID: 567 Comm: kworker/2:1 Not tainted 4.13.0+ #29
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+  Workqueue: events autoload_drivers
+  Call Trace:
+   __dump_stack lib/dump_stack.c:16 [inline]
+   dump_stack+0x192/0x22c lib/dump_stack.c:52
+   print_address_description+0x78/0x280 mm/kasan/report.c:252
+   kasan_report_error mm/kasan/report.c:351 [inline]
+   kasan_report+0x230/0x340 mm/kasan/report.c:409
+   __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
+   snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617
+   snd_seq_dev_release+0x4f/0x70 sound/core/seq_device.c:192
+   device_release+0x13f/0x210 drivers/base/core.c:814
+   kobject_cleanup lib/kobject.c:648 [inline]
+   kobject_release lib/kobject.c:677 [inline]
+   kref_put include/linux/kref.h:70 [inline]
+   kobject_put+0x145/0x240 lib/kobject.c:694
+   put_device+0x25/0x30 drivers/base/core.c:1799
+   klist_devices_put+0x36/0x40 drivers/base/bus.c:827
+   klist_next+0x264/0x4a0 lib/klist.c:403
+   next_device drivers/base/bus.c:270 [inline]
+   bus_for_each_dev+0x17e/0x210 drivers/base/bus.c:312
+   autoload_drivers+0x3b/0x50 sound/core/seq_device.c:117
+   process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
+   worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
+   kthread+0x324/0x3f0 kernel/kthread.c:231
+   ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425
+
+The fix is simply to assure canceling the autoload work at removing
+the device.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_device.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/core/seq/seq_device.c
++++ b/sound/core/seq/seq_device.c
+@@ -148,8 +148,10 @@ void snd_seq_device_load_drivers(void)
+       flush_work(&autoload_work);
+ }
+ EXPORT_SYMBOL(snd_seq_device_load_drivers);
++#define cancel_autoload_drivers()     cancel_work_sync(&autoload_work)
+ #else
+ #define queue_autoload_drivers() /* NOP */
++#define cancel_autoload_drivers() /* NOP */
+ #endif
+ /*
+@@ -159,6 +161,7 @@ static int snd_seq_device_dev_free(struc
+ {
+       struct snd_seq_device *dev = device->device_data;
++      cancel_autoload_drivers();
+       put_device(&dev->dev);
+       return 0;
+ }
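Review bot: The new `cancel_autoload_drivers();` at the top of snd_seq_device_dev_free has no comment saying why tearing down one device touches a global work item; the KASAN trace in the description explains it, the code does not. Suggest `/* autoload_drivers() walks the bus and may still hold a reference to this device; wait for it before dropping ours */` above the call. Since `autoload_work` is a single global item (see the `flush_work(&autoload_work)` context line), freeing any one device also cancels a pending autoload for every other device registered at that moment; presumably the next registration requeues it, but that is worth confirming in the 4.4 code. `cancel_work_sync()` may sleep, so this also relies on the dev_free callback never running in atomic context, which is not visible from the hunk.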
diff --git a/queue-4.4/input-ims-psu-check-if-cdc-union-descriptor-is-sane.patch b/queue-4.4/input-ims-psu-check-if-cdc-union-descriptor-is-sane.patch
new file mode 100644 (file)
index 0000000..c594162
--- /dev/null
@@ -0,0 +1,52 @@
+From ea04efee7635c9120d015dcdeeeb6988130cb67a Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Sat, 7 Oct 2017 11:07:47 -0700
+Subject: Input: ims-psu - check if CDC union descriptor is sane
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit ea04efee7635c9120d015dcdeeeb6988130cb67a upstream.
+
+Before trying to use CDC union descriptor, try to validate whether that it
+is sane by checking that intf->altsetting->extra is big enough and that
+descriptor bLength is not too big and not too small.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/ims-pcu.c |   16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_in
+               return NULL;
+       }
+-      while (buflen > 0) {
++      while (buflen >= sizeof(*union_desc)) {
+               union_desc = (struct usb_cdc_union_desc *)buf;
++              if (union_desc->bLength > buflen) {
++                      dev_err(&intf->dev, "Too large descriptor\n");
++                      return NULL;
++              }
++
+               if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE &&
+                   union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) {
+                       dev_dbg(&intf->dev, "Found union header\n");
+-                      return union_desc;
++
++                      if (union_desc->bLength >= sizeof(*union_desc))
++                              return union_desc;
++
++                      dev_err(&intf->dev,
++                              "Union descriptor to short (%d vs %zd\n)",
++                              union_desc->bLength, sizeof(*union_desc));
++                      return NULL;
+               }
+               buflen -= union_desc->bLength;
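Review bot: The new guard `if (union_desc->bLength > buflen)` rejects oversized descriptors but not a zero-length one; with `bLength == 0` the `buflen -= union_desc->bLength;` step at the bottom of the loop (and the matching `buf +=` advance, which lies outside the hunk) makes no progress, so a descriptor table with such an entry keeps the loop from terminating. Suggest `if (union_desc->bLength < 2 || union_desc->bLength > buflen) {`, since every descriptor carries at least the bLength and bDescriptorType bytes. The new error message also has the newline inside the parenthesis and a typo: `"Union descriptor too short (%d vs %zu)\n",`. The enclosing ims_pcu_get_cdc_union_desc starts and continues outside the hunk.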
diff --git a/queue-4.4/mac80211-accept-key-reinstall-without-changing-anything.patch b/queue-4.4/mac80211-accept-key-reinstall-without-changing-anything.patch
new file mode 100644 (file)
index 0000000..cc48cfd
--- /dev/null
@@ -0,0 +1,82 @@
+From fdf7cb4185b60c68e1a75e61691c4afdc15dea0e Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 5 Sep 2017 14:54:54 +0200
+Subject: mac80211: accept key reinstall without changing anything
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit fdf7cb4185b60c68e1a75e61691c4afdc15dea0e upstream.
+
+When a key is reinstalled we can reset the replay counters
+etc. which can lead to nonce reuse and/or replay detection
+being impossible, breaking security properties, as described
+in the "KRACK attacks".
+
+In particular, CVE-2017-13080 applies to GTK rekeying that
+happened in firmware while the host is in D3, with the second
+part of the attack being done after the host wakes up. In
+this case, the wpa_supplicant mitigation isn't sufficient
+since wpa_supplicant doesn't know the GTK material.
+
+In case this happens, simply silently accept the new key
+coming from userspace but don't take any action on it since
+it's the same key; this keeps the PN replay counters intact.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/key.c |   20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -4,6 +4,7 @@
+  * Copyright 2006-2007        Jiri Benc <jbenc@suse.cz>
+  * Copyright 2007-2008        Johannes Berg <johannes@sipsolutions.net>
+  * Copyright 2013-2014  Intel Mobile Communications GmbH
++ * Copyright 2017     Intel Deutschland GmbH
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+@@ -617,9 +618,6 @@ int ieee80211_key_link(struct ieee80211_
+       pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
+       idx = key->conf.keyidx;
+-      key->local = sdata->local;
+-      key->sdata = sdata;
+-      key->sta = sta;
+       mutex_lock(&sdata->local->key_mtx);
+@@ -630,6 +628,21 @@ int ieee80211_key_link(struct ieee80211_
+       else
+               old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
++      /*
++       * Silently accept key re-installation without really installing the
++       * new version of the key to avoid nonce reuse or replay issues.
++       */
++      if (old_key && key->conf.keylen == old_key->conf.keylen &&
++          !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) {
++              ieee80211_key_free_unused(key);
++              ret = 0;
++              goto out;
++      }
++
++      key->local = sdata->local;
++      key->sdata = sdata;
++      key->sta = sta;
++
+       increment_tailroom_need_count(sdata);
+       ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
+@@ -645,6 +658,7 @@ int ieee80211_key_link(struct ieee80211_
+               ret = 0;
+       }
++ out:
+       mutex_unlock(&sdata->local->key_mtx);
+       return ret;
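Review bot: The reinstall check `if (old_key && key->conf.keylen == old_key->conf.keylen && !memcmp(...))` declares two keys identical by length and bytes alone and never looks at `conf.cipher`; unless nl80211 validation already rules it out, a request carrying the same bytes under a different cipher of equal key length would be silently dropped as a no-op instead of installed. Either add `key->conf.cipher == old_key->conf.cipher &&` to the condition or state in the comment that cipher equality is guaranteed by the caller. The `key->local`/`key->sdata`/`key->sta` assignments are deliberately moved below the early exit, presumably so `ieee80211_key_free_unused()` sees an unbound key; a one-liner such as `/* bind the key to sdata/sta only once we know it will be installed */` would keep that ordering from being "cleaned up" later. ieee80211_key_link starts and ends outside the hunk.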
diff --git a/queue-4.4/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-prevention.patch b/queue-4.4/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-prevention.patch
new file mode 100644 (file)
index 0000000..8d03f59
--- /dev/null
@@ -0,0 +1,80 @@
+From cfbb0d90a7abb289edc91833d0905931f8805f12 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 24 Oct 2017 21:12:13 +0200
+Subject: mac80211: don't compare TKIP TX MIC key in reinstall prevention
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit cfbb0d90a7abb289edc91833d0905931f8805f12 upstream.
+
+For the reinstall prevention, the code I had added compares the
+whole key. It turns out though that iwlwifi firmware doesn't
+provide the TKIP TX MIC key as it's not needed in client mode,
+and thus the comparison will always return false.
+
+For client mode, thus always zero out the TX MIC key part before
+doing the comparison in order to avoid accepting the reinstall
+of the key with identical encryption and RX MIC key, but not the
+same TX MIC key (since the supplicant provides the real one.)
+
+Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/key.c |   36 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -608,6 +608,39 @@ void ieee80211_key_free_unused(struct ie
+       ieee80211_key_free_common(key);
+ }
++static bool ieee80211_key_identical(struct ieee80211_sub_if_data *sdata,
++                                  struct ieee80211_key *old,
++                                  struct ieee80211_key *new)
++{
++      u8 tkip_old[WLAN_KEY_LEN_TKIP], tkip_new[WLAN_KEY_LEN_TKIP];
++      u8 *tk_old, *tk_new;
++
++      if (!old || new->conf.keylen != old->conf.keylen)
++              return false;
++
++      tk_old = old->conf.key;
++      tk_new = new->conf.key;
++
++      /*
++       * In station mode, don't compare the TX MIC key, as it's never used
++       * and offloaded rekeying may not care to send it to the host. This
++       * is the case in iwlwifi, for example.
++       */
++      if (sdata->vif.type == NL80211_IFTYPE_STATION &&
++          new->conf.cipher == WLAN_CIPHER_SUITE_TKIP &&
++          new->conf.keylen == WLAN_KEY_LEN_TKIP &&
++          !(new->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) {
++              memcpy(tkip_old, tk_old, WLAN_KEY_LEN_TKIP);
++              memcpy(tkip_new, tk_new, WLAN_KEY_LEN_TKIP);
++              memset(tkip_old + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8);
++              memset(tkip_new + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8);
++              tk_old = tkip_old;
++              tk_new = tkip_new;
++      }
++
++      return !crypto_memneq(tk_old, tk_new, new->conf.keylen);
++}
++
+ int ieee80211_key_link(struct ieee80211_key *key,
+                      struct ieee80211_sub_if_data *sdata,
+                      struct sta_info *sta)
+@@ -633,8 +666,7 @@ int ieee80211_key_link(struct ieee80211_
+        * Silently accept key re-installation without really installing the
+        * new version of the key to avoid nonce reuse or replay issues.
+        */
+-      if (old_key && key->conf.keylen == old_key->conf.keylen &&
+-          !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) {
++      if (ieee80211_key_identical(sdata, old_key, key)) {
+               ieee80211_key_free_unused(key);
+               ret = 0;
+               goto out;
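Review bot: In the new ieee80211_key_identical the stack copies `tkip_old`/`tkip_new` hold key material and are simply left behind on return; storing the comparison result and clearing both buffers with `memzero_explicit()` before returning costs a few lines, shown below. The literal `8` in the two `memset()` calls is the TKIP TX MIC key length and deserves a named constant or at least a trailing comment. The comment already explains why station-mode group TKIP keys skip the TX MIC, but it may be worth adding that a reinstall differing only in the TX MIC key is therefore accepted as identical by design.
```c
static bool ieee80211_key_identical(struct ieee80211_sub_if_data *sdata,
	/* … unchanged: remaining parameters … */
{
	u8 tkip_old[WLAN_KEY_LEN_TKIP], tkip_new[WLAN_KEY_LEN_TKIP];
	u8 *tk_old, *tk_new;
	bool identical;

	/* … unchanged: length check, pointer setup, station-mode TX MIC masking … */

	identical = !crypto_memneq(tk_old, tk_new, new->conf.keylen);
	/* the local copies carry key material; do not leave them on the stack */
	memzero_explicit(tkip_old, sizeof(tkip_old));
	memzero_explicit(tkip_new, sizeof(tkip_new));
	return identical;
}
```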
diff --git a/queue-4.4/mac80211-use-constant-time-comparison-with-keys.patch b/queue-4.4/mac80211-use-constant-time-comparison-with-keys.patch
new file mode 100644 (file)
index 0000000..62fe4ee
--- /dev/null
@@ -0,0 +1,40 @@
+From 2bdd713b92a9cade239d3c7d15205a09f556624d Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 17 Oct 2017 20:32:07 +0200
+Subject: mac80211: use constant time comparison with keys
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit 2bdd713b92a9cade239d3c7d15205a09f556624d upstream.
+
+Otherwise we risk leaking information via timing side channel.
+
+Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/key.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -19,6 +19,7 @@
+ #include <linux/slab.h>
+ #include <linux/export.h>
+ #include <net/mac80211.h>
++#include <crypto/algapi.h>
+ #include <asm/unaligned.h>
+ #include "ieee80211_i.h"
+ #include "driver-ops.h"
+@@ -633,7 +634,7 @@ int ieee80211_key_link(struct ieee80211_
+        * new version of the key to avoid nonce reuse or replay issues.
+        */
+       if (old_key && key->conf.keylen == old_key->conf.keylen &&
+-          !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) {
++          !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) {
+               ieee80211_key_free_unused(key);
+               ret = 0;
+               goto out;
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644 (file)
index 0000000..e3bd503
--- /dev/null
@@ -0,0 +1,6 @@
+mac80211-accept-key-reinstall-without-changing-anything.patch
+mac80211-use-constant-time-comparison-with-keys.patch
+mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-prevention.patch
+usb-usbtest-fix-null-pointer-dereference.patch
+input-ims-psu-check-if-cdc-union-descriptor-is-sane.patch
+alsa-seq-cancel-pending-autoload-work-at-unbinding-device.patch
diff --git a/queue-4.4/usb-usbtest-fix-null-pointer-dereference.patch b/queue-4.4/usb-usbtest-fix-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..5d58267
--- /dev/null
@@ -0,0 +1,43 @@
+From 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 29 Sep 2017 10:54:24 -0400
+Subject: usb: usbtest: fix NULL pointer dereference
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 upstream.
+
+If the usbtest driver encounters a device with an IN bulk endpoint but
+no OUT bulk endpoint, it will try to dereference a NULL pointer
+(out->desc.bEndpointAddress).  The problem can be solved by adding a
+missing test.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/usbtest.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/misc/usbtest.c
++++ b/drivers/usb/misc/usbtest.c
+@@ -185,12 +185,13 @@ found:
+                       return tmp;
+       }
+-      if (in) {
++      if (in)
+               dev->in_pipe = usb_rcvbulkpipe(udev,
+                       in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
++      if (out)
+               dev->out_pipe = usb_sndbulkpipe(udev,
+                       out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
+-      }
++
+       if (iso_in) {
+               dev->iso_in = &iso_in->desc;
+               dev->in_iso_pipe = usb_rcvisocpipe(udev,
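Review bot: With `if (in)` and `if (out)` now independent, a device that has only one bulk direction leaves the other of `dev->in_pipe`/`dev->out_pipe` untouched; presumably that is zero from allocation and the bulk test cases check it before use, but that is not visible here and is worth confirming, since the old code only ever set both or neither. Style: each `if` now guards a statement that wraps onto a second line without braces; kernel style permits it, but a two-line unbraced body is easy to misread, and keeping `if (in) {` … `}` and `if (out) {` … `}` costs nothing. The enclosing function starts and ends outside the hunk.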