From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 24 Feb 2020 14:48:13 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.215~93
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2ccea89a23c89089ea919bfcb72744f9b871ced7;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	alsa-hda-use-scnprintf-for-printing-texts-for-sysfs-procfs.patch
	ecryptfs-fix-a-memory-leak-bug-in-ecryptfs_init_messaging.patch
	ecryptfs-fix-a-memory-leak-bug-in-parse_tag_1_packet.patch
---

diff --git a/queue-4.4/alsa-hda-use-scnprintf-for-printing-texts-for-sysfs-procfs.patch b/queue-4.4/alsa-hda-use-scnprintf-for-printing-texts-for-sysfs-procfs.patch
new file mode 100644
index 00000000000..684b7ab290f
--- /dev/null
+++ b/queue-4.4/alsa-hda-use-scnprintf-for-printing-texts-for-sysfs-procfs.patch
@@ -0,0 +1,70 @@
+From 44eeb081b8630bb3ad3cd381d1ae1831463e48bb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 18 Feb 2020 10:14:09 +0100
+Subject: ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 44eeb081b8630bb3ad3cd381d1ae1831463e48bb upstream.
+
+Some code in HD-audio driver calls snprintf() in a loop and still
+expects that the return value were actually written size, while
+snprintf() returns the expected would-be length instead.  When the
+given buffer limit were small, this leads to a buffer overflow.
+
+Use scnprintf() for addressing those issues.  It returns the actually
+written size unlike snprintf().
+
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200218091409.27162-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_codec.c |    2 +-
+ sound/pci/hda/hda_eld.c   |    2 +-
+ sound/pci/hda/hda_sysfs.c |    4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -4098,7 +4098,7 @@ void snd_print_pcm_bits(int pcm, char *b
+ 
+ 	for (i = 0, j = 0; i < ARRAY_SIZE(bits); i++)
+ 		if (pcm & (AC_SUPPCM_BITS_8 << i))
+-			j += snprintf(buf + j, buflen - j,  " %d", bits[i]);
++			j += scnprintf(buf + j, buflen - j,  " %d", bits[i]);
+ 
+ 	buf[j] = '\0'; /* necessary when j == 0 */
+ }
+--- a/sound/pci/hda/hda_eld.c
++++ b/sound/pci/hda/hda_eld.c
+@@ -385,7 +385,7 @@ static void hdmi_print_pcm_rates(int pcm
+ 
+ 	for (i = 0, j = 0; i < ARRAY_SIZE(alsa_rates); i++)
+ 		if (pcm & (1 << i))
+-			j += snprintf(buf + j, buflen - j,  " %d",
++			j += scnprintf(buf + j, buflen - j,  " %d",
+ 				alsa_rates[i]);
+ 
+ 	buf[j] = '\0'; /* necessary when j == 0 */
+--- a/sound/pci/hda/hda_sysfs.c
++++ b/sound/pci/hda/hda_sysfs.c
+@@ -221,7 +221,7 @@ static ssize_t init_verbs_show(struct de
+ 	mutex_lock(&codec->user_mutex);
+ 	for (i = 0; i < codec->init_verbs.used; i++) {
+ 		struct hda_verb *v = snd_array_elem(&codec->init_verbs, i);
+-		len += snprintf(buf + len, PAGE_SIZE - len,
++		len += scnprintf(buf + len, PAGE_SIZE - len,
+ 				"0x%02x 0x%03x 0x%04x\n",
+ 				v->nid, v->verb, v->param);
+ 	}
+@@ -271,7 +271,7 @@ static ssize_t hints_show(struct device
+ 	mutex_lock(&codec->user_mutex);
+ 	for (i = 0; i < codec->hints.used; i++) {
+ 		struct hda_hint *hint = snd_array_elem(&codec->hints, i);
+-		len += snprintf(buf + len, PAGE_SIZE - len,
++		len += scnprintf(buf + len, PAGE_SIZE - len,
+ 				"%s = %s\n", hint->key, hint->val);
+ 	}
+ 	mutex_unlock(&codec->user_mutex);
diff --git a/queue-4.4/ecryptfs-fix-a-memory-leak-bug-in-ecryptfs_init_messaging.patch b/queue-4.4/ecryptfs-fix-a-memory-leak-bug-in-ecryptfs_init_messaging.patch
new file mode 100644
index 00000000000..4ef0de1b4a1
--- /dev/null
+++ b/queue-4.4/ecryptfs-fix-a-memory-leak-bug-in-ecryptfs_init_messaging.patch
@@ -0,0 +1,34 @@
+From b4a81b87a4cfe2bb26a4a943b748d96a43ef20e8 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Tue, 20 Aug 2019 00:33:54 -0500
+Subject: ecryptfs: fix a memory leak bug in ecryptfs_init_messaging()
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit b4a81b87a4cfe2bb26a4a943b748d96a43ef20e8 upstream.
+
+In ecryptfs_init_messaging(), if the allocation for 'ecryptfs_msg_ctx_arr'
+fails, the previously allocated 'ecryptfs_daemon_hash' is not deallocated,
+leading to a memory leak bug. To fix this issue, free
+'ecryptfs_daemon_hash' before returning the error.
+
+Cc: stable@vger.kernel.org
+Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/messaging.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ecryptfs/messaging.c
++++ b/fs/ecryptfs/messaging.c
+@@ -397,6 +397,7 @@ int __init ecryptfs_init_messaging(void)
+ 					* ecryptfs_message_buf_len),
+ 				       GFP_KERNEL);
+ 	if (!ecryptfs_msg_ctx_arr) {
++		kfree(ecryptfs_daemon_hash);
+ 		rc = -ENOMEM;
+ 		printk(KERN_ERR "%s: Failed to allocate memory\n", __func__);
+ 		goto out;
diff --git a/queue-4.4/ecryptfs-fix-a-memory-leak-bug-in-parse_tag_1_packet.patch b/queue-4.4/ecryptfs-fix-a-memory-leak-bug-in-parse_tag_1_packet.patch
new file mode 100644
index 00000000000..ff72891d5d6
--- /dev/null
+++ b/queue-4.4/ecryptfs-fix-a-memory-leak-bug-in-parse_tag_1_packet.patch
@@ -0,0 +1,35 @@
+From fe2e082f5da5b4a0a92ae32978f81507ef37ec66 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Tue, 20 Aug 2019 00:16:40 -0500
+Subject: ecryptfs: fix a memory leak bug in parse_tag_1_packet()
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit fe2e082f5da5b4a0a92ae32978f81507ef37ec66 upstream.
+
+In parse_tag_1_packet(), if tag 1 packet contains a key larger than
+ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES, no cleanup is executed, leading to a
+memory leak on the allocated 'auth_tok_list_item'. To fix this issue, go to
+the label 'out_free' to perform the cleanup work.
+
+Cc: stable@vger.kernel.org
+Fixes: dddfa461fc89 ("[PATCH] eCryptfs: Public key; packet management")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/keystore.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1280,7 +1280,7 @@ parse_tag_1_packet(struct ecryptfs_crypt
+ 		printk(KERN_ERR "Enter w/ first byte != 0x%.2x\n",
+ 		       ECRYPTFS_TAG_1_PACKET_TYPE);
+ 		rc = -EINVAL;
+-		goto out;
++		goto out_free;
+ 	}
+ 	/* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or
+ 	 * at end of function upon failure */
diff --git a/queue-4.4/series b/queue-4.4/series
index ecae4353e1f..776c2419b28 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1,3 +1,6 @@
+alsa-hda-use-scnprintf-for-printing-texts-for-sysfs-procfs.patch
+ecryptfs-fix-a-memory-leak-bug-in-parse_tag_1_packet.patch
+ecryptfs-fix-a-memory-leak-bug-in-ecryptfs_init_messaging.patch
 alsa-usb-audio-apply-sample-rate-quirk-for-audioengine-d1.patch
 ubifs-fix-deadlock-in-concurrent-bulk-read-and-writepage.patch
 ext4-fix-checksum-errors-with-indexed-dirs.patch