From: Greg Kroah-Hartman Date: Tue, 28 Jan 2020 08:51:03 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.212~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0954018634165c0f8e80c04ff8a4838d77d1e48f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest-element.patch libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch --- diff --git a/queue-4.4/iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest-element.patch b/queue-4.4/iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest-element.patch new file mode 100644 index 00000000000..a14b164cfdf --- /dev/null +++ b/queue-4.4/iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest-element.patch @@ -0,0 +1,63 @@ +From 883f616530692d81cb70f8a32d85c0d2afc05f69 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lars=20M=C3=B6llendorf?= +Date: Fri, 13 Dec 2019 14:50:55 +0100 +Subject: iio: buffer: align the size of scan bytes to size of the largest element +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lars Möllendorf + +commit 883f616530692d81cb70f8a32d85c0d2afc05f69 upstream. + +Previous versions of `iio_compute_scan_bytes` only aligned each element +to its own length (i.e. its own natural alignment). Because multiple +consecutive sets of scan elements are buffered this does not work in +case the computed scan bytes do not align with the natural alignment of +the first scan element in the set. + +This commit fixes this by aligning the scan bytes to the natural +alignment of the largest scan element in the set. + +Fixes: 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.") +Signed-off-by: Lars Möllendorf +Reviewed-by: Lars-Peter Clausen +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/iio/industrialio-buffer.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -527,7 +527,7 @@ static int iio_compute_scan_bytes(struct + { + const struct iio_chan_spec *ch; + unsigned bytes = 0; +- int length, i; ++ int length, i, largest = 0; + + /* How much space will the demuxed element take? */ + for_each_set_bit(i, mask, +@@ -540,6 +540,7 @@ static int iio_compute_scan_bytes(struct + length = ch->scan_type.storagebits / 8; + bytes = ALIGN(bytes, length); + bytes += length; ++ largest = max(largest, length); + } + if (timestamp) { + ch = iio_find_channel_from_si(indio_dev, +@@ -551,7 +552,10 @@ static int iio_compute_scan_bytes(struct + length = ch->scan_type.storagebits / 8; + bytes = ALIGN(bytes, length); + bytes += length; ++ largest = max(largest, length); + } ++ ++ bytes = ALIGN(bytes, largest); + return bytes; + } + diff --git a/queue-4.4/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch b/queue-4.4/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch new file mode 100644 index 00000000000..5f3e4cd9242 --- /dev/null +++ b/queue-4.4/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch @@ -0,0 +1,68 @@ +From e5e884b42639c74b5b57dc277909915c0aefc8bb Mon Sep 17 00:00:00 2001 +From: Wen Huang +Date: Thu, 28 Nov 2019 18:51:04 +0800 +Subject: libertas: Fix two buffer overflows at parsing bss descriptor + +From: Wen Huang + +commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream. + +add_ie_rates() copys rates without checking the length +in bss descriptor from remote AP.when victim connects to +remote attacker, this may trigger buffer overflow. +lbs_ibss_join_existing() copys rates without checking the length +in bss descriptor from remote IBSS node.when victim connects to +remote attacker, this may trigger buffer overflow. +Fix them by putting the length check before performing copy. + +This fix addresses CVE-2019-14896 and CVE-2019-14897. +This also fix build warning of mixed declarations and code. + +Reported-by: kbuild test robot +Signed-off-by: Wen Huang +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/libertas/cfg.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/libertas/cfg.c ++++ b/drivers/net/wireless/libertas/cfg.c +@@ -272,6 +272,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int + int hw, ap, ap_max = ie[1]; + u8 hw_rate; + ++ if (ap_max > MAX_RATES) { ++ lbs_deb_assoc("invalid rates\n"); ++ return tlv; ++ } + /* Advance past IE header */ + ie += 2; + +@@ -1656,6 +1660,9 @@ static int lbs_change_intf(struct wiphy + { + struct lbs_private *priv = wiphy_priv(wiphy); + int ret = 0; ++ int hw, i; ++ u8 rates_max; ++ u8 *rates; + + if (dev == priv->mesh_dev) + return -EOPNOTSUPP; +@@ -1843,9 +1850,12 @@ static int lbs_ibss_join_existing(struct + if (!rates_eid) { + lbs_add_rates(cmd.bss.rates); + } else { +- int hw, i; +- u8 rates_max = rates_eid[1]; +- u8 *rates = cmd.bss.rates; ++ rates_max = rates_eid[1]; ++ if (rates_max > MAX_RATES) { ++ lbs_deb_join("invalid rates"); ++ goto out; ++ } ++ rates = cmd.bss.rates; + for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { + u8 hw_rate = lbs_rates[hw].bitrate / 5; + for (i = 0; i < rates_max; i++) { diff --git a/queue-4.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch b/queue-4.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch new file mode 100644 index 00000000000..114270ae2d8 --- /dev/null +++ b/queue-4.4/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch @@ -0,0 +1,109 @@ +From bba340c79bfe3644829db5c852fdfa9e33837d6d Mon Sep 17 00:00:00 2001 +From: Bo Wu +Date: Wed, 20 Nov 2019 13:26:17 +0000 +Subject: scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func + +From: Bo Wu + +commit bba340c79bfe3644829db5c852fdfa9e33837d6d upstream. + +In iscsi_if_rx func, after receiving one request through +iscsi_if_recv_msg func, iscsi_if_send_reply will be called to try to +reply to the request in a do-while loop. If the iscsi_if_send_reply +function keeps returning -EAGAIN, a deadlock will occur. + +For example, a client only send msg without calling recvmsg func, then +it will result in the watchdog soft lockup. The details are given as +follows: + + sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ISCSI); + retval = bind(sock_fd, (struct sock addr*) & src_addr, sizeof(src_addr); + while (1) { + state_msg = sendmsg(sock_fd, &msg, 0); + //Note: recvmsg(sock_fd, &msg, 0) is not processed here. + } + close(sock_fd); + +watchdog: BUG: soft lockup - CPU#7 stuck for 22s! [netlink_test:253305] Sample time: 4000897528 ns(HZ: 250) Sample stat: +curr: user: 675503481560, nice: 321724050, sys: 448689506750, idle: 4654054240530, iowait: 40885550700, irq: 14161174020, softirq: 8104324140, st: 0 +deta: user: 0, nice: 0, sys: 3998210100, idle: 0, iowait: 0, irq: 1547170, softirq: 242870, st: 0 Sample softirq: + TIMER: 992 + SCHED: 8 +Sample irqstat: + irq 2: delta 1003, curr: 3103802, arch_timer +CPU: 7 PID: 253305 Comm: netlink_test Kdump: loaded Tainted: G OE +Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 +pstate: 40400005 (nZcv daif +PAN -UAO) +pc : __alloc_skb+0x104/0x1b0 +lr : __alloc_skb+0x9c/0x1b0 +sp : ffff000033603a30 +x29: ffff000033603a30 x28: 00000000000002dd +x27: ffff800b34ced810 x26: ffff800ba7569f00 +x25: 00000000ffffffff x24: 0000000000000000 +x23: ffff800f7c43f600 x22: 0000000000480020 +x21: ffff0000091d9000 x20: ffff800b34eff200 +x19: ffff800ba7569f00 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 +x15: 0000000000000000 x14: 0001000101000100 +x13: 0000000101010000 x12: 0101000001010100 +x11: 0001010101010001 x10: 00000000000002dd +x9 : ffff000033603d58 x8 : ffff800b34eff400 +x7 : ffff800ba7569200 x6 : ffff800b34eff400 +x5 : 0000000000000000 x4 : 00000000ffffffff +x3 : 0000000000000000 x2 : 0000000000000001 +x1 : ffff800b34eff2c0 x0 : 0000000000000300 Call trace: +__alloc_skb+0x104/0x1b0 +iscsi_if_rx+0x144/0x12bc [scsi_transport_iscsi] +netlink_unicast+0x1e0/0x258 +netlink_sendmsg+0x310/0x378 +sock_sendmsg+0x4c/0x70 +sock_write_iter+0x90/0xf0 +__vfs_write+0x11c/0x190 +vfs_write+0xac/0x1c0 +ksys_write+0x6c/0xd8 +__arm64_sys_write+0x24/0x30 +el0_svc_common+0x78/0x130 +el0_svc_handler+0x38/0x78 +el0_svc+0x8/0xc + +Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E3D4D2@dggeml505-mbx.china.huawei.com +Signed-off-by: Bo Wu +Reviewed-by: Zhiqiang Liu +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_transport_iscsi.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -37,6 +37,8 @@ + + #define ISCSI_TRANSPORT_VERSION "2.0-870" + ++#define ISCSI_SEND_MAX_ALLOWED 10 ++ + static int dbg_session; + module_param_named(debug_session, dbg_session, int, + S_IRUGO | S_IWUSR); +@@ -3695,6 +3697,7 @@ iscsi_if_rx(struct sk_buff *skb) + struct nlmsghdr *nlh; + struct iscsi_uevent *ev; + uint32_t group; ++ int retries = ISCSI_SEND_MAX_ALLOWED; + + nlh = nlmsg_hdr(skb); + if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) || +@@ -3725,6 +3728,10 @@ iscsi_if_rx(struct sk_buff *skb) + break; + err = iscsi_if_send_reply(group, nlh->nlmsg_seq, + nlh->nlmsg_type, 0, 0, ev, sizeof(*ev)); ++ if (err == -EAGAIN && --retries < 0) { ++ printk(KERN_WARNING "Send reply failed, error %d\n", err); ++ break; ++ } + } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH); + skb_pull(skb, rlen); + } diff --git a/queue-4.4/series b/queue-4.4/series index 4ac40fe631b..88b274bac9f 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -162,7 +162,6 @@ firestream-fix-memory-leaks.patch net-cxgb3_main-add-cap_net_admin-check-to-chelsio_get_mem.patch net-ip_tunnel-fix-namespaces-move.patch net_sched-fix-datalen-for-ematch.patch -net-sysfs-fix-reference-count-leak.patch net-usb-lan78xx-add-.ndo_features_check.patch hwmon-adt7475-make-volt2reg-return-same-reg-as-reg2volt-input.patch input-keyspan-remote-fix-control-message-timeouts.patch @@ -175,3 +174,6 @@ hwmon-nct7802-fix-voltage-limits-to-wrong-registers.patch scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch tracing-xen-ordered-comparison-of-function-pointers.patch do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch +iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest-element.patch +libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch +scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch