From: Greg Kroah-Hartman
Date: Sun, 11 Dec 2022 09:57:12 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.336~25
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=01bcaaaf8ea7ea20b2badefdd3938dec3e81862f;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
hid-hid-lg4ff-add-check-for-empty-lbuf.patch
media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
---
diff --git a/queue-4.9/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch b/queue-4.9/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
new file mode 100644
index 00000000000..afd446a1a6d
--- /dev/null
+++ b/queue-4.9/hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
@@ -0,0 +1,72 @@
+From ec61b41918587be530398b0d1c9a0d16619397e5 Mon Sep 17 00:00:00 2001
+From: ZhangPeng
+Date: Wed, 16 Nov 2022 07:14:28 +0000
+Subject: HID: core: fix shift-out-of-bounds in hid_report_raw_event
+
+From: ZhangPeng
+
+commit ec61b41918587be530398b0d1c9a0d16619397e5 upstream.
+
+Syzbot reported shift-out-of-bounds in hid_report_raw_event.
+
+microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
+32! (swapper/0)
+======================================================================
+UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
+shift exponent 127 is too large for 32-bit type 'int'
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted
+6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
+Hardware name: Google Compute Engine/Google Compute Engine, BIOS
+Google 10/26/2022
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
+ ubsan_epilogue lib/ubsan.c:151 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
+ snto32 drivers/hid/hid-core.c:1323 [inline]
+ hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
+ hid_process_report drivers/hid/hid-core.c:1665 [inline]
+ hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
+ hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
+ hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
+ __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
+ dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
+ call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
+ expire_timers kernel/time/timer.c:1519 [inline]
+ __run_timers+0x76a/0x980 kernel/time/timer.c:1790
+ run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
+ __do_softirq+0x277/0x75b kernel/softirq.c:571
+ __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
+ irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
+ sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
+======================================================================
+
+If the size of the integer (unsigned n) is bigger than 32 in snto32(),
+shift exponent will be too large for 32-bit type 'int', resulting in a
+shift-out-of-bounds bug.
+Fix this by adding a check on the size of the integer (unsigned n) in
+snto32(). To add support for n greater than 32 bits, set n to 32, if n
+is greater than 32.
+
+Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
+Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
+Signed-off-by: ZhangPeng
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1112,6 +1112,9 @@ static s32 snto32(__u32 value, unsigned
+ if (!value || !n)
+ return 0;
+ 
++ if (n > 32)
++ n = 32;
++
+ switch (n) {
+ case 8: return ((__s8)value);
+ case 16: return ((__s16)value);
diff --git a/queue-4.9/hid-hid-lg4ff-add-check-for-empty-lbuf.patch b/queue-4.9/hid-hid-lg4ff-add-check-for-empty-lbuf.patch
new file mode 100644
index 00000000000..e94825005f2
--- /dev/null
+++ b/queue-4.9/hid-hid-lg4ff-add-check-for-empty-lbuf.patch
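Review bot: The `if (n > 32) n = 32;` clamp in snto32() removes the undefined shift, but it silently reinterprets any field declared wider than 32 bits as a 32-bit signed value rather than rejecting it, and nothing on the new lines records why that is acceptable. The `value` parameter is `__u32`, so at most 32 bits of payload can reach this function anyway, and the log line quoted in the commit message suggests hid_field_extract() already warns about such widths before this point; that rationale belongs next to the clamp, e.g. `/* value is __u32, so a field wider than 32 bits is sign-extended as 32 */`. The remaining switch arms, including the default case that performs the shift, lie outside the hunk.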
@@ -0,0 +1,37 @@
+From d180b6496143cd360c5d5f58ae4b9a8229c1f344 Mon Sep 17 00:00:00 2001
+From: Anastasia Belova
+Date: Fri, 11 Nov 2022 15:55:11 +0300
+Subject: HID: hid-lg4ff: Add check for empty lbuf
+
+From: Anastasia Belova
+
+commit d180b6496143cd360c5d5f58ae4b9a8229c1f344 upstream.
+
+If an empty buf is received, lbuf is also empty. So lbuf is
+accessed by index -1.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: f31a2de3fe36 ("HID: hid-lg4ff: Allow switching of Logitech gaming wheels between compatibility modes")
+Signed-off-by: Anastasia Belova
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-lg4ff.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-lg4ff.c
++++ b/drivers/hid/hid-lg4ff.c
+@@ -880,6 +880,12 @@ static ssize_t lg4ff_alternate_modes_sto
+ return -ENOMEM;
+ 
+ i = strlen(lbuf);
++
++ if (i == 0) {
++ kfree(lbuf);
++ return -EINVAL;
++ }
++
+ if (lbuf[i-1] == '\n') {
+ if (i == 1) {
+ kfree(lbuf);
diff --git a/queue-4.9/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch b/queue-4.9/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
new file mode 100644
index 00000000000..985fad5fad6
--- /dev/null
+++ b/queue-4.9/media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
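Review bot: The new `i == 0` guard sits after lbuf has already been allocated (the `return -ENOMEM;` context line shows the allocation just above the hunk), so an empty write pays for an allocation and a kfree() before being rejected; if the length is available from the caller's count before the copy, the same `-EINVAL` could be returned without allocating, though the allocation call itself is not visible here. As written the guard is correct: strlen() of an empty string is 0 and the following `lbuf[i-1]` would otherwise read before the start of the buffer. A one-line comment would make the intent obvious to the next reader, e.g. `/* empty input: lbuf[i-1] below would index before the buffer */`. lg4ff_alternate_modes_store() begins and ends outside the hunk.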
@@ -0,0 +1,70 @@
+From 5eef2141776da02772c44ec406d6871a790761ee Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Wed, 16 Nov 2022 15:07:22 +0000
+Subject: media: v4l2-dv-timings.c: fix too strict blanking sanity checks
+
+From: Hans Verkuil
+
+commit 5eef2141776da02772c44ec406d6871a790761ee upstream.
+
+Sanity checks were added to verify the v4l2_bt_timings blanking fields
+in order to avoid integer overflows when userspace passes weird values.
+
+But that assumed that userspace would correctly fill in the front porch,
+backporch and sync values, but sometimes all you know is the total
+blanking, which is then assigned to just one of these fields.
+
+And that can fail with these checks.
+
+So instead set a maximum for the total horizontal and vertical
+blanking and check that each field remains below that.
+
+That is still sufficient to avoid integer overflows, but it also
+allows for more flexibility in how userspace fills in these fields.
+
+Signed-off-by: Hans Verkuil
+Fixes: 4b6d66a45ed3 ("media: v4l2-dv-timings: add sanity checks for blanking values")
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -155,6 +155,8 @@ bool v4l2_valid_dv_timings(const struct
+ const struct v4l2_bt_timings *bt = &t->bt;
+ const struct v4l2_bt_timings_cap *cap = &dvcap->bt;
+ u32 caps = cap->capabilities;
++ const u32 max_vert = 10240;
++ u32 max_hor = 3 * bt->width;
+ 
+ if (t->type != V4L2_DV_BT_656_1120)
+ return false;
+@@ -176,14 +178,20 @@ bool v4l2_valid_dv_timings(const struct
+ if (!bt->interlaced &&
+ (bt->il_vbackporch || bt->il_vsync || bt->il_vfrontporch))
+ return false;
+- if (bt->hfrontporch > 2 * bt->width ||
+- bt->hsync > 1024 || bt->hbackporch > 1024)
++ /*
++ * Some video receivers cannot properly separate the frontporch,
++ * backporch and sync values, and instead they only have the total
++ * blanking. That can be assigned to any of these three fields.
++ * So just check that none of these are way out of range.
++ */
++ if (bt->hfrontporch > max_hor ||
++ bt->hsync > max_hor || bt->hbackporch > max_hor)
+ return false;
+- if (bt->vfrontporch > 4096 ||
+- bt->vsync > 128 || bt->vbackporch > 4096)
++ if (bt->vfrontporch > max_vert ||
++ bt->vsync > max_vert || bt->vbackporch > max_vert)
+ return false;
+- if (bt->interlaced && (bt->il_vfrontporch > 4096 ||
+- bt->il_vsync > 128 || bt->il_vbackporch > 4096))
++ if (bt->interlaced && (bt->il_vfrontporch > max_vert ||
++ bt->il_vsync > max_vert || bt->il_vbackporch > max_vert))
+ return false;
+ return fnc == NULL || fnc(t, fnc_handle);
+ }
diff --git a/queue-4.9/series b/queue-4.9/series
index 44e673867c3..c52b07f4ce8 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -11,3 +11,6 @@ xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch
 rcutorture-automatically-create-initrd-directory.patch
 mmc-sdhci-use-field_get-for-preset-value-bit-masks.patch
 mmc-sdhci-fix-voltage-switch-delay.patch
+media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
+hid-hid-lg4ff-add-check-for-empty-lbuf.patch
+hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
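Review bot: `u32 max_hor = 3 * bt->width;` is evaluated at the top of v4l2_valid_dv_timings(), before `bt->width` has been range-checked, so for a very large user-supplied width the product wraps in u32 and the horizontal blanking bound no longer means "three times the width". If the width check against the caps lies in the lines between the two hunks (the second hunk resumes at line 178), that check returns first and the wrapped value is never consulted; otherwise the bound should be derived after the width check, or the comparisons done in u64. Separately, `max_vert` is declared `const` while `max_hor` is not, although neither is modified; `const u32 max_hor = 3 * bt->width;` keeps the two declarations consistent. The part of the function between the two hunks is not shown.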