From: Greg Kroah-Hartman Date: Thu, 16 Mar 2023 09:34:34 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.14.310~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0180589fb539ecf987702f04d50f9eb861f34406;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: ila-do-not-generate-empty-messages-in-ila_xlat_nl_cmd_get_mapping.patch net-caif-fix-use-after-free-in-cfusbl_device_notify.patch nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_nci_i2c_read_device_properties.patch --- diff --git a/queue-4.19/ila-do-not-generate-empty-messages-in-ila_xlat_nl_cmd_get_mapping.patch b/queue-4.19/ila-do-not-generate-empty-messages-in-ila_xlat_nl_cmd_get_mapping.patch new file mode 100644 index 00000000000..504d3930216 --- /dev/null +++ b/queue-4.19/ila-do-not-generate-empty-messages-in-ila_xlat_nl_cmd_get_mapping.patch @@ -0,0 +1,108 @@ +From 693aa2c0d9b6d5b1f2745d31b6e70d09dbbaf06e Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 27 Feb 2023 15:30:24 +0000 +Subject: ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping() + +From: Eric Dumazet + +commit 693aa2c0d9b6d5b1f2745d31b6e70d09dbbaf06e upstream. + +ila_xlat_nl_cmd_get_mapping() generates an empty skb, +triggerring a recent sanity check [1]. + +Instead, return an error code, so that user space +can get it. + +[1] +skb_assert_len +WARNING: CPU: 0 PID: 5923 at include/linux/skbuff.h:2527 skb_assert_len include/linux/skbuff.h:2527 [inline] +WARNING: CPU: 0 PID: 5923 at include/linux/skbuff.h:2527 __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156 +Modules linked in: +CPU: 0 PID: 5923 Comm: syz-executor269 Not tainted 6.2.0-syzkaller-18300-g2ebd1fbb946d #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023 +pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : skb_assert_len include/linux/skbuff.h:2527 [inline] +pc : __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156 +lr : skb_assert_len include/linux/skbuff.h:2527 [inline] +lr : __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156 +sp : ffff80001e0d6c40 +x29: ffff80001e0d6e60 x28: dfff800000000000 x27: ffff0000c86328c0 +x26: dfff800000000000 x25: ffff0000c8632990 x24: ffff0000c8632a00 +x23: 0000000000000000 x22: 1fffe000190c6542 x21: ffff0000c8632a10 +x20: ffff0000c8632a00 x19: ffff80001856e000 x18: ffff80001e0d5fc0 +x17: 0000000000000000 x16: ffff80001235d16c x15: 0000000000000000 +x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001 +x11: ff80800008353a30 x10: 0000000000000000 x9 : 21567eaf25bfb600 +x8 : 21567eaf25bfb600 x7 : 0000000000000001 x6 : 0000000000000001 +x5 : ffff80001e0d6558 x4 : ffff800015c74760 x3 : ffff800008596744 +x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000000e +Call trace: +skb_assert_len include/linux/skbuff.h:2527 [inline] +__dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156 +dev_queue_xmit include/linux/netdevice.h:3033 [inline] +__netlink_deliver_tap_skb net/netlink/af_netlink.c:307 [inline] +__netlink_deliver_tap+0x45c/0x6f8 net/netlink/af_netlink.c:325 +netlink_deliver_tap+0xf4/0x174 net/netlink/af_netlink.c:338 +__netlink_sendskb net/netlink/af_netlink.c:1283 [inline] +netlink_sendskb+0x6c/0x154 net/netlink/af_netlink.c:1292 +netlink_unicast+0x334/0x8d4 net/netlink/af_netlink.c:1380 +nlmsg_unicast include/net/netlink.h:1099 [inline] +genlmsg_unicast include/net/genetlink.h:433 [inline] +genlmsg_reply include/net/genetlink.h:443 [inline] +ila_xlat_nl_cmd_get_mapping+0x620/0x7d0 net/ipv6/ila/ila_xlat.c:493 +genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline] +genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline] +genl_rcv_msg+0x938/0xc1c net/netlink/genetlink.c:1065 +netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2574 +genl_rcv+0x38/0x50 net/netlink/genetlink.c:1076 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x800/0xae0 net/netlink/af_netlink.c:1942 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg net/socket.c:734 [inline] +____sys_sendmsg+0x558/0x844 net/socket.c:2479 +___sys_sendmsg net/socket.c:2533 [inline] +__sys_sendmsg+0x26c/0x33c net/socket.c:2562 +__do_sys_sendmsg net/socket.c:2571 [inline] +__se_sys_sendmsg net/socket.c:2569 [inline] +__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2569 +__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] +invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 +el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 +do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193 +el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 +el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 +el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 +irq event stamp: 136484 +hardirqs last enabled at (136483): [] __up_console_sem+0x60/0xb4 kernel/printk/printk.c:345 +hardirqs last disabled at (136484): [] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405 +softirqs last enabled at (136418): [] softirq_handle_end kernel/softirq.c:414 [inline] +softirqs last enabled at (136418): [] __do_softirq+0xd4c/0xfa4 kernel/softirq.c:600 +softirqs last disabled at (136371): [] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80 +---[ end trace 0000000000000000 ]--- +skb len=0 headroom=0 headlen=0 tailroom=192 +mac=(0,0) net=(0,-1) trans=-1 +shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0)) +csum(0x0 ip_summed=0 complete_sw=0 valid=0 level=0) +hash(0x0 sw=0 l4=0) proto=0x0010 pkttype=6 iif=0 +dev name=nlmon0 feat=0x0000000000005861 + +Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ila/ila_xlat.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/ila/ila_xlat.c ++++ b/net/ipv6/ila/ila_xlat.c +@@ -480,6 +480,7 @@ int ila_xlat_nl_cmd_get_mapping(struct s + + rcu_read_lock(); + ++ ret = -ESRCH; + ila = ila_lookup_by_params(&xp, ilan); + if (ila) { + ret = ila_dump_info(ila, diff --git a/queue-4.19/net-caif-fix-use-after-free-in-cfusbl_device_notify.patch b/queue-4.19/net-caif-fix-use-after-free-in-cfusbl_device_notify.patch new file mode 100644 index 00000000000..d88244139de --- /dev/null +++ b/queue-4.19/net-caif-fix-use-after-free-in-cfusbl_device_notify.patch @@ -0,0 +1,81 @@ +From 9781e98a97110f5e76999058368b4be76a788484 Mon Sep 17 00:00:00 2001 +From: Shigeru Yoshida +Date: Thu, 2 Mar 2023 01:39:13 +0900 +Subject: net: caif: Fix use-after-free in cfusbl_device_notify() + +From: Shigeru Yoshida + +commit 9781e98a97110f5e76999058368b4be76a788484 upstream. + +syzbot reported use-after-free in cfusbl_device_notify() [1]. This +causes a stack trace like below: + +BUG: KASAN: use-after-free in cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138 +Read of size 8 at addr ffff88807ac4e6f0 by task kworker/u4:6/1214 + +CPU: 0 PID: 1214 Comm: kworker/u4:6 Not tainted 5.19.0-rc3-syzkaller-00146-g92f20ff72066 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: netns cleanup_net +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313 + print_report mm/kasan/report.c:429 [inline] + kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 + cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138 + notifier_call_chain+0xb5/0x200 kernel/notifier.c:87 + call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945 + call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] + call_netdevice_notifiers net/core/dev.c:1997 [inline] + netdev_wait_allrefs_any net/core/dev.c:10227 [inline] + netdev_run_todo+0xbc0/0x10f0 net/core/dev.c:10341 + default_device_exit_batch+0x44e/0x590 net/core/dev.c:11334 + ops_exit_list+0x125/0x170 net/core/net_namespace.c:167 + cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594 + process_one_work+0x996/0x1610 kernel/workqueue.c:2289 + worker_thread+0x665/0x1080 kernel/workqueue.c:2436 + kthread+0x2e9/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 + + +When unregistering a net device, unregister_netdevice_many_notify() +sets the device's reg_state to NETREG_UNREGISTERING, calls notifiers +with NETDEV_UNREGISTER, and adds the device to the todo list. + +Later on, devices in the todo list are processed by netdev_run_todo(). +netdev_run_todo() waits devices' reference count become 1 while +rebdoadcasting NETDEV_UNREGISTER notification. + +When cfusbl_device_notify() is called with NETDEV_UNREGISTER multiple +times, the parent device might be freed. This could cause UAF. +Processing NETDEV_UNREGISTER multiple times also causes inbalance of +reference count for the module. + +This patch fixes the issue by accepting only first NETDEV_UNREGISTER +notification. + +Fixes: 7ad65bf68d70 ("caif: Add support for CAIF over CDC NCM USB interface") +CC: sjur.brandeland@stericsson.com +Reported-by: syzbot+b563d33852b893653a9e@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=c3bfd8e2450adab3bffe4d80821fbbced600407f [1] +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/r/20230301163913.391304-1-syoshida@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/caif_usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/caif/caif_usb.c ++++ b/net/caif/caif_usb.c +@@ -135,6 +135,9 @@ static int cfusbl_device_notify(struct n + struct usb_device *usbdev; + int res; + ++ if (what == NETDEV_UNREGISTER && dev->reg_state >= NETREG_UNREGISTERED) ++ return 0; ++ + /* Check whether we have a NCM device, and find its VID/PID. */ + if (!(dev->dev.parent && dev->dev.parent->driver && + strcmp(dev->dev.parent->driver->name, "cdc_ncm") == 0)) diff --git a/queue-4.19/nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_nci_i2c_read_device_properties.patch b/queue-4.19/nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_nci_i2c_read_device_properties.patch new file mode 100644 index 00000000000..8a81d559fd9 --- /dev/null +++ b/queue-4.19/nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_nci_i2c_read_device_properties.patch @@ -0,0 +1,43 @@ +From 11f180a5d62a51b484e9648f9b310e1bd50b1a57 Mon Sep 17 00:00:00 2001 +From: Kang Chen +Date: Mon, 27 Feb 2023 17:30:37 +0800 +Subject: nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties + +From: Kang Chen + +commit 11f180a5d62a51b484e9648f9b310e1bd50b1a57 upstream. + +devm_kmalloc_array may fails, *fw_vsc_cfg might be null and cause +out-of-bounds write in device_property_read_u8_array later. + +Fixes: a06347c04c13 ("NFC: Add Intel Fields Peak NFC solution driver") +Signed-off-by: Kang Chen +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230227093037.907654-1-void0red@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/fdp/i2c.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/nfc/fdp/i2c.c ++++ b/drivers/nfc/fdp/i2c.c +@@ -263,6 +263,9 @@ static void fdp_nci_i2c_read_device_prop + len, sizeof(**fw_vsc_cfg), + GFP_KERNEL); + ++ if (!*fw_vsc_cfg) ++ goto alloc_err; ++ + r = device_property_read_u8_array(dev, FDP_DP_FW_VSC_CFG_NAME, + *fw_vsc_cfg, len); + +@@ -276,6 +279,7 @@ vsc_read_err: + *fw_vsc_cfg = NULL; + } + ++alloc_err: + dev_dbg(dev, "Clock type: %d, clock frequency: %d, VSC: %s", + *clock_type, *clock_freq, *fw_vsc_cfg != NULL ? "yes" : "no"); + } diff --git a/queue-4.19/series b/queue-4.19/series index c80e24b0220..0d49cf87630 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -22,3 +22,6 @@ pci-add-solidrun-vendor-id.patch media-ov5640-fix-analogue-gain-control.patch tipc-improve-function-tipc_wait_for_cond.patch drm-i915-don-t-use-bar-mappings-for-ring-buffers-with-llc.patch +net-caif-fix-use-after-free-in-cfusbl_device_notify.patch +nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_nci_i2c_read_device_properties.patch +ila-do-not-generate-empty-messages-in-ila_xlat_nl_cmd_get_mapping.patch