From: Greg Kroah-Hartman
Date: Mon, 17 Sep 2018 12:03:25 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v4.18.9~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=260a072f73478eb91c9f5d0a22a8fe84c7b190c5;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches
added patches:
netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
xhci-fix-use-after-free-in-xhci_free_virt_device.patch
---
diff --git a/queue-3.18/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch b/queue-3.18/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
new file mode 100644
index 00000000000..b4738fb5909
--- /dev/null
+++ b/queue-3.18/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
@@ -0,0 +1,49 @@
+From e466af75c074e76107ae1cd5a2823e9c61894ffb Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 5 Oct 2017 02:50:07 -0700
+Subject: netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
+
+From: Eric Dumazet
+
+commit e466af75c074e76107ae1cd5a2823e9c61894ffb upstream.
+
+syzkaller reports an out of bound read in strlcpy(), triggered
+by xt_copy_counters_from_user()
+
+Fix this by using memcpy(), then forcing a zero byte at the last position
+of the destination, as Florian did for the non COMPAT code.
+
+Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use xt_copy_counters_from_user")
+Signed-off-by: Eric Dumazet
+Cc: Willem de Bruijn
+Acked-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Cc: Greg Hackmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/x_tables.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -877,7 +877,7 @@ void *xt_copy_counters_from_user(const v
+ if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
+ return ERR_PTR(-EFAULT);
+
+- strlcpy(info->name, compat_tmp.name, sizeof(info->name));
++ memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
+ info->num_counters = compat_tmp.num_counters;
+ user += sizeof(compat_tmp);
+ } else
+@@ -890,9 +890,9 @@ void *xt_copy_counters_from_user(const v
+ if (copy_from_user(info, user, sizeof(*info)) != 0)
+ return ERR_PTR(-EFAULT);
+
+- info->name[sizeof(info->name) - 1] = '\0';
+ user += sizeof(*info);
+ }
++ info->name[sizeof(info->name) - 1] = '\0';
+
+ size = sizeof(struct xt_counters);
+ size *= info->num_counters;
diff --git a/queue-3.18/series b/queue-3.18/series
index 8b35257e187..4314f097345 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
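Review bot: The new `memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);` in the `@@ -877,7 +877,7 @@` hunk of the queued x_tables patch bounds the copy by the destination only, so it is safe only while `compat_tmp.name` is at least as large as `info->name`. Both struct definitions are outside the hunk, so this is presumably true but cannot be checked here. I would pin it with `BUILD_BUG_ON(sizeof(compat_tmp.name) != sizeof(info->name));` next to the copy. A comment such as `/* name is user-supplied and may lack a NUL; bounded copy, terminator forced below */` would also help, because the terminating store now sits after the if/else and is easy to lose in a later backport. `xt_copy_counters_from_user()` starts before and continues past both inner hunks.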
@@ -57,3 +57,5 @@ partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch
 mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch
 f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch
 mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch
+xhci-fix-use-after-free-in-xhci_free_virt_device.patch
+netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
diff --git a/queue-3.18/xhci-fix-use-after-free-in-xhci_free_virt_device.patch b/queue-3.18/xhci-fix-use-after-free-in-xhci_free_virt_device.patch
new file mode 100644
index 00000000000..077ad43777f
--- /dev/null
+++ b/queue-3.18/xhci-fix-use-after-free-in-xhci_free_virt_device.patch
@@ -0,0 +1,47 @@
+From 44a182b9d17765514fa2b1cc911e4e65134eef93 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Thu, 3 May 2018 17:30:07 +0300
+Subject: xhci: Fix use-after-free in xhci_free_virt_device
+
+From: Mathias Nyman
+
+commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream.
+
+KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
+where xhci_free_virt_device() sets slot id to 0 if udev exists:
+if (dev->udev && dev->udev->slot_id)
+ dev->udev->slot_id = 0;
+
+dev->udev will be true even if udev is freed because dev->udev is
+not set to NULL.
+
+set dev->udev pointer to NULL in xhci_free_dev()
+
+The original patch went to stable so this fix needs to be applied
+there as well.
+
+Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot")
+Cc:
+Reported-by: Guenter Roeck
+Reviewed-by: Guenter Roeck
+Tested-by: Guenter Roeck
+Signed-off-by: Mathias Nyman
+Signed-off-by: Matthias Kaehlcke
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3630,6 +3630,9 @@ void xhci_free_dev(struct usb_hcd *hcd,
+ }
+
+ spin_lock_irqsave(&xhci->lock, flags);
++
++ virt_dev->udev = NULL;
++
+ /* Don't disable the slot if the host controller is dead. */
+ state = readl(&xhci->op_regs->status);
+ if (state == 0xffffffff || (xhci->xhc_state & XHCI_STATE_DYING) ||
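Review bot: The added `virt_dev->udev = NULL;` in `xhci_free_dev()` carries no comment, and its purpose is not evident from the code alone. Per the commit message, `xhci_free_virt_device()` tests `dev->udev` before writing `slot_id` and would otherwise touch a usb_device that has already been freed. I would put `/* udev may be freed after this; clear the back-pointer so xhci_free_virt_device() cannot dereference it */` above the store. The hunk does not show whether other readers of `virt_dev->udev` in the 3.18 tree hold `xhci->lock` or tolerate NULL, which is worth confirming for this backport. The function body starts before and continues past the hunk.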