From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 28 May 2023 16:31:28 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: review~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3c67744d2476f928d42644c3c4ef96b110a1921e;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	media-radio-shark-add-endpoint-checks.patch
---

diff --git a/queue-5.4/media-radio-shark-add-endpoint-checks.patch b/queue-5.4/media-radio-shark-add-endpoint-checks.patch
new file mode 100644
index 00000000000..99e7a825998
--- /dev/null
+++ b/queue-5.4/media-radio-shark-add-endpoint-checks.patch
@@ -0,0 +1,92 @@
+From 76e31045ba030e94e72105c01b2e98f543d175ac Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Apr 2023 15:40:05 -0400
+Subject: media: radio-shark: Add endpoint checks
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 76e31045ba030e94e72105c01b2e98f543d175ac upstream.
+
+The syzbot fuzzer was able to provoke a WARNING from the radio-shark2
+driver:
+
+------------[ cut here ]------------
+usb 1-1: BOGUS urb xfer, pipe 1 != type 3
+WARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
+Modules linked in:
+CPU: 0 PID: 3271 Comm: kworker/0:3 Not tainted 6.1.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+Workqueue: usb_hub_wq hub_event
+RIP: 0010:usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
+Code: 7c 24 18 e8 00 36 ea fb 48 8b 7c 24 18 e8 36 1c 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 b6 90 8a e8 9a 29 b8 03 <0f> 0b e9 58 f8 ff ff e8 d2 35 ea fb 48 81 c5 c0 05 00 00 e9 84 f7
+RSP: 0018:ffffc90003876dd0 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
+RDX: ffff8880750b0040 RSI: ffffffff816152b8 RDI: fffff5200070edac
+RBP: ffff8880172d81e0 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
+R13: ffff8880285c5040 R14: 0000000000000002 R15: ffff888017158200
+FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffe03235b90 CR3: 000000000bc8e000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
+ usb_bulk_msg+0x226/0x550 drivers/usb/core/message.c:387
+ shark_write_reg+0x1ff/0x2e0 drivers/media/radio/radio-shark2.c:88
+...
+
+The problem was caused by the fact that the driver does not check
+whether the endpoints it uses are actually present and have the
+appropriate types.  This can be fixed by adding a simple check of
+these endpoints (and similarly for the radio-shark driver).
+
+Link: https://syzkaller.appspot.com/bug?extid=4b3f8190f6e13b3efd74
+Reported-and-tested-by: syzbot+4b3f8190f6e13b3efd74@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/e2858ab4-4adf-46e5-bbf6-c56742034547@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/radio/radio-shark.c  |   10 ++++++++++
+ drivers/media/radio/radio-shark2.c |   10 ++++++++++
+ 2 files changed, 20 insertions(+)
+
+--- a/drivers/media/radio/radio-shark.c
++++ b/drivers/media/radio/radio-shark.c
+@@ -316,6 +316,16 @@ static int usb_shark_probe(struct usb_in
+ {
+ 	struct shark_device *shark;
+ 	int retval = -ENOMEM;
++	static const u8 ep_addresses[] = {
++		SHARK_IN_EP | USB_DIR_IN,
++		SHARK_OUT_EP | USB_DIR_OUT,
++		0};
++
++	/* Are the expected endpoints present? */
++	if (!usb_check_int_endpoints(intf, ep_addresses)) {
++		dev_err(&intf->dev, "Invalid radioSHARK device\n");
++		return -EINVAL;
++	}
+ 
+ 	shark = kzalloc(sizeof(struct shark_device), GFP_KERNEL);
+ 	if (!shark)
+--- a/drivers/media/radio/radio-shark2.c
++++ b/drivers/media/radio/radio-shark2.c
+@@ -282,6 +282,16 @@ static int usb_shark_probe(struct usb_in
+ {
+ 	struct shark_device *shark;
+ 	int retval = -ENOMEM;
++	static const u8 ep_addresses[] = {
++		SHARK_IN_EP | USB_DIR_IN,
++		SHARK_OUT_EP | USB_DIR_OUT,
++		0};
++
++	/* Are the expected endpoints present? */
++	if (!usb_check_int_endpoints(intf, ep_addresses)) {
++		dev_err(&intf->dev, "Invalid radioSHARK2 device\n");
++		return -EINVAL;
++	}
+ 
+ 	shark = kzalloc(sizeof(struct shark_device), GFP_KERNEL);
+ 	if (!shark)
diff --git a/queue-5.4/series b/queue-5.4/series
index e3c80229daa..3c5c30aba5d 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -141,3 +141,4 @@ net-fix-stack-overflow-when-lro-is-disabled-for-virtual-interfaces.patch
 udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch
 usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch
 usb-sisusbvga-add-endpoint-checks.patch
+media-radio-shark-add-endpoint-checks.patch