From: Greg Kroah-Hartman
Date: Tue, 16 Jun 2020 11:15:15 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v5.4.47~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d30b5006fa67f49b283d16e5ca7922edfa76388;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
ath9k-fix-use-after-free-read-in-ath9k_wmi_ctrl_rx.patch
ath9k-fix-use-after-free-write-in-ath9k_htc_rx_msg.patch
ath9x-fix-stack-out-of-bounds-write-in-ath9k_hif_usb_rx_cb.patch
smack-slab-out-of-bounds-in-vsscanf.patch
---
diff --git a/queue-4.19/ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch b/queue-4.19/ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
new file mode 100644
index 00000000000..25cbc7493c0
--- /dev/null
+++ b/queue-4.19/ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
@@ -0,0 +1,215 @@ +From 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 Mon Sep 17 00:00:00 2001 +From: Qiujun Huang +Date: Sat, 4 Apr 2020 12:18:38 +0800 +Subject: ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb + +From: Qiujun Huang + +commit 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 upstream. + +In ath9k_hif_usb_rx_cb interface number is assumed to be 0. +usb_ifnum_to_if(urb->dev, 0) +But it isn't always true. + +The case reported by syzbot: +https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com +usb 2-1: new high-speed USB device number 2 using dummy_hcd +usb 2-1: config 1 has an invalid interface number: 2 but max is 0 +usb 2-1: config 1 has no interface number 0 +usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= +1.08 +usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +general protection fault, probably for non-canonical address +0xdffffc0000000015: 0000 [#1] SMP KASAN +KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af] +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0 + +Call Trace +__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650 +usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716 +dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966 +call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404 +expire_timers kernel/time/timer.c:1449 [inline] +__run_timers kernel/time/timer.c:1773 [inline] +__run_timers kernel/time/timer.c:1740 [inline] +run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786 +__do_softirq+0x21e/0x950 kernel/softirq.c:292 +invoke_softirq kernel/softirq.c:373 [inline] +irq_exit+0x178/0x1a0 kernel/softirq.c:413 +exiting_irq arch/x86/include/asm/apic.h:546 [inline] +smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146 +apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 + +Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com +Signed-off-by: Qiujun Huang +Signed-off-by: 
Kalle Valo +Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 48 +++++++++++++++++++++++-------- + drivers/net/wireless/ath/ath9k/hif_usb.h | 5 +++ + 2 files changed, 42 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -643,9 +643,9 @@ err: + + static void ath9k_hif_usb_rx_cb(struct urb *urb) + { +- struct sk_buff *skb = (struct sk_buff *) urb->context; +- struct hif_device_usb *hif_dev = +- usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0)); ++ struct rx_buf *rx_buf = (struct rx_buf *)urb->context; ++ struct hif_device_usb *hif_dev = rx_buf->hif_dev; ++ struct sk_buff *skb = rx_buf->skb; + int ret; + + if (!skb) +@@ -685,14 +685,15 @@ resubmit: + return; + free: + kfree_skb(skb); ++ kfree(rx_buf); + } + + static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + { +- struct sk_buff *skb = (struct sk_buff *) urb->context; ++ struct rx_buf *rx_buf = (struct rx_buf *)urb->context; ++ struct hif_device_usb *hif_dev = rx_buf->hif_dev; ++ struct sk_buff *skb = rx_buf->skb; + struct sk_buff *nskb; +- struct hif_device_usb *hif_dev = +- usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0)); + int ret; + + if (!skb) +@@ -750,6 +751,7 @@ resubmit: + return; + free: + kfree_skb(skb); ++ kfree(rx_buf); + urb->context = NULL; + } + +@@ -795,7 +797,7 @@ static int ath9k_hif_usb_alloc_tx_urbs(s + init_usb_anchor(&hif_dev->mgmt_submitted); + + for (i = 0; i < MAX_TX_URB_NUM; i++) { +- tx_buf = kzalloc(sizeof(struct tx_buf), GFP_KERNEL); ++ tx_buf = kzalloc(sizeof(*tx_buf), GFP_KERNEL); + if (!tx_buf) + goto err; + +@@ -832,8 +834,9 @@ static void ath9k_hif_usb_dealloc_rx_urb + + static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev) + { +- struct urb *urb = NULL; ++ struct rx_buf *rx_buf = NULL; + struct sk_buff *skb = NULL; ++ struct urb *urb = NULL; + int i, ret; + + 
init_usb_anchor(&hif_dev->rx_submitted); +@@ -841,6 +844,12 @@ static int ath9k_hif_usb_alloc_rx_urbs(s + + for (i = 0; i < MAX_RX_URB_NUM; i++) { + ++ rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL); ++ if (!rx_buf) { ++ ret = -ENOMEM; ++ goto err_rxb; ++ } ++ + /* Allocate URB */ + urb = usb_alloc_urb(0, GFP_KERNEL); + if (urb == NULL) { +@@ -855,11 +864,14 @@ static int ath9k_hif_usb_alloc_rx_urbs(s + goto err_skb; + } + ++ rx_buf->hif_dev = hif_dev; ++ rx_buf->skb = skb; ++ + usb_fill_bulk_urb(urb, hif_dev->udev, + usb_rcvbulkpipe(hif_dev->udev, + USB_WLAN_RX_PIPE), + skb->data, MAX_RX_BUF_SIZE, +- ath9k_hif_usb_rx_cb, skb); ++ ath9k_hif_usb_rx_cb, rx_buf); + + /* Anchor URB */ + usb_anchor_urb(urb, &hif_dev->rx_submitted); +@@ -885,6 +897,8 @@ err_submit: + err_skb: + usb_free_urb(urb); + err_urb: ++ kfree(rx_buf); ++err_rxb: + ath9k_hif_usb_dealloc_rx_urbs(hif_dev); + return ret; + } +@@ -896,14 +910,21 @@ static void ath9k_hif_usb_dealloc_reg_in + + static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev) + { +- struct urb *urb = NULL; ++ struct rx_buf *rx_buf = NULL; + struct sk_buff *skb = NULL; ++ struct urb *urb = NULL; + int i, ret; + + init_usb_anchor(&hif_dev->reg_in_submitted); + + for (i = 0; i < MAX_REG_IN_URB_NUM; i++) { + ++ rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL); ++ if (!rx_buf) { ++ ret = -ENOMEM; ++ goto err_rxb; ++ } ++ + /* Allocate URB */ + urb = usb_alloc_urb(0, GFP_KERNEL); + if (urb == NULL) { +@@ -918,11 +939,14 @@ static int ath9k_hif_usb_alloc_reg_in_ur + goto err_skb; + } + ++ rx_buf->hif_dev = hif_dev; ++ rx_buf->skb = skb; ++ + usb_fill_int_urb(urb, hif_dev->udev, + usb_rcvintpipe(hif_dev->udev, + USB_REG_IN_PIPE), + skb->data, MAX_REG_IN_BUF_SIZE, +- ath9k_hif_usb_reg_in_cb, skb, 1); ++ ath9k_hif_usb_reg_in_cb, rx_buf, 1); + + /* Anchor URB */ + usb_anchor_urb(urb, &hif_dev->reg_in_submitted); +@@ -948,6 +972,8 @@ err_submit: + err_skb: + usb_free_urb(urb); + err_urb: ++ kfree(rx_buf); ++err_rxb: + 
ath9k_hif_usb_dealloc_reg_in_urbs(hif_dev); + return ret; + } +--- a/drivers/net/wireless/ath/ath9k/hif_usb.h ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.h +@@ -86,6 +86,11 @@ struct tx_buf { + struct list_head list; + }; + ++struct rx_buf { ++ struct sk_buff *skb; ++ struct hif_device_usb *hif_dev; ++}; ++ + #define HIF_USB_TX_STOP BIT(0) + #define HIF_USB_TX_FLUSH BIT(1) + diff --git a/queue-4.19/ath9k-fix-use-after-free-read-in-ath9k_wmi_ctrl_rx.patch b/queue-4.19/ath9k-fix-use-after-free-read-in-ath9k_wmi_ctrl_rx.patch new file mode 100644 index 00000000000..fd48efffb53 --- /dev/null +++ b/queue-4.19/ath9k-fix-use-after-free-read-in-ath9k_wmi_ctrl_rx.patch 
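Review bot: In the `ath9k_hif_usb_reg_in_cb` hunk the new prologue loads `rx_buf->hif_dev` and `rx_buf->skb` before anything checks that `urb->context` is non-NULL, yet the same function's free path still does `urb->context = NULL;` right after `kfree(rx_buf);`. The old `if (!skb) return;` guard covered a cleared context; it now runs after the dereference, so if the URB is ever completed again after that path (whether the core does so is not visible here) the callback faults on a NULL `rx_buf` instead of returning. Moving the two loads below a `if (!rx_buf) return;` check restores the guard; the same ordering exists in `ath9k_hif_usb_rx_cb`, which in addition leaves `urb->context` pointing at the freed `rx_buf` because it does not clear it as reg_in_cb does — `urb->context = NULL;` after its `kfree(rx_buf);` keeps the two callbacks consistent. Both callback bodies extend outside their hunks.
```c
static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
{
	struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
	struct hif_device_usb *hif_dev;
	struct sk_buff *skb;
	struct sk_buff *nskb;
	int ret;

	/* the free path below clears urb->context; never dereference it blindly */
	if (!rx_buf)
		return;
	hif_dev = rx_buf->hif_dev;
	skb = rx_buf->skb;
	if (!skb)
		return;
	/* … unchanged: status switch, message dispatch, resubmit, free … */
```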
@@ -0,0 +1,152 @@ +From abeaa85054ff8cfe8b99aafc5c70ea067e5d0908 Mon Sep 17 00:00:00 2001 +From: Qiujun Huang +Date: Sat, 4 Apr 2020 12:18:35 +0800 +Subject: ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx + +From: Qiujun Huang + +commit abeaa85054ff8cfe8b99aafc5c70ea067e5d0908 upstream. + +Free wmi later after cmd urb has been killed, as urb cb will access wmi. + +the case reported by syzbot: +https://lore.kernel.org/linux-usb/0000000000000002fc05a1d61a68@google.com +BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 +drivers/net/wireless/ath/ath9k/wmi.c:215 +Read of size 1 at addr ffff8881cef1417c by task swapper/1/0 + +Call Trace: + +ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:215 +ath9k_htc_rx_msg+0x2da/0xaf0 +drivers/net/wireless/ath/ath9k/htc_hst.c:459 +ath9k_hif_usb_reg_in_cb+0x1ba/0x630 +drivers/net/wireless/ath/ath9k/hif_usb.c:718 +__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650 +usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716 +dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966 +call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404 +expire_timers kernel/time/timer.c:1449 [inline] +__run_timers kernel/time/timer.c:1773 [inline] +__run_timers kernel/time/timer.c:1740 [inline] +run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786 + +Reported-and-tested-by: syzbot+5d338854440137ea0fef@syzkaller.appspotmail.com +Signed-off-by: Qiujun Huang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200404041838.10426-3-hqjagain@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 5 +++-- + drivers/net/wireless/ath/ath9k/hif_usb.h | 1 + + drivers/net/wireless/ath/ath9k/htc_drv_init.c | 10 +++++++--- + drivers/net/wireless/ath/ath9k/wmi.c | 5 ++++- + drivers/net/wireless/ath/ath9k/wmi.h | 3 ++- + 5 files changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ 
b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -973,7 +973,7 @@ err: + return -ENOMEM; + } + +-static void ath9k_hif_usb_dealloc_urbs(struct hif_device_usb *hif_dev) ++void ath9k_hif_usb_dealloc_urbs(struct hif_device_usb *hif_dev) + { + usb_kill_anchored_urbs(&hif_dev->regout_submitted); + ath9k_hif_usb_dealloc_reg_in_urbs(hif_dev); +@@ -1341,8 +1341,9 @@ static void ath9k_hif_usb_disconnect(str + + if (hif_dev->flags & HIF_USB_READY) { + ath9k_htc_hw_deinit(hif_dev->htc_handle, unplugged); +- ath9k_htc_hw_free(hif_dev->htc_handle); + ath9k_hif_usb_dev_deinit(hif_dev); ++ ath9k_destoy_wmi(hif_dev->htc_handle->drv_priv); ++ ath9k_htc_hw_free(hif_dev->htc_handle); + } + + usb_set_intfdata(interface, NULL); +--- a/drivers/net/wireless/ath/ath9k/hif_usb.h ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.h +@@ -133,5 +133,6 @@ struct hif_device_usb { + + int ath9k_hif_usb_init(void); + void ath9k_hif_usb_exit(void); ++void ath9k_hif_usb_dealloc_urbs(struct hif_device_usb *hif_dev); + + #endif /* HTC_USB_H */ +--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c +@@ -933,8 +933,9 @@ err_init: + int ath9k_htc_probe_device(struct htc_target *htc_handle, struct device *dev, + u16 devid, char *product, u32 drv_info) + { +- struct ieee80211_hw *hw; ++ struct hif_device_usb *hif_dev; + struct ath9k_htc_priv *priv; ++ struct ieee80211_hw *hw; + int ret; + + hw = ieee80211_alloc_hw(sizeof(struct ath9k_htc_priv), &ath9k_htc_ops); +@@ -969,7 +970,10 @@ int ath9k_htc_probe_device(struct htc_ta + return 0; + + err_init: +- ath9k_deinit_wmi(priv); ++ ath9k_stop_wmi(priv); ++ hif_dev = (struct hif_device_usb *)htc_handle->hif_dev; ++ ath9k_hif_usb_dealloc_urbs(hif_dev); ++ ath9k_destoy_wmi(priv); + err_free: + ieee80211_free_hw(hw); + return ret; +@@ -984,7 +988,7 @@ void ath9k_htc_disconnect_device(struct + htc_handle->drv_priv->ah->ah_flags |= AH_UNPLUGGED; + + ath9k_deinit_device(htc_handle->drv_priv); +- 
ath9k_deinit_wmi(htc_handle->drv_priv); ++ ath9k_stop_wmi(htc_handle->drv_priv); + ieee80211_free_hw(htc_handle->drv_priv->hw); + } + } +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -112,14 +112,17 @@ struct wmi *ath9k_init_wmi(struct ath9k_ + return wmi; + } + +-void ath9k_deinit_wmi(struct ath9k_htc_priv *priv) ++void ath9k_stop_wmi(struct ath9k_htc_priv *priv) + { + struct wmi *wmi = priv->wmi; + + mutex_lock(&wmi->op_mutex); + wmi->stopped = true; + mutex_unlock(&wmi->op_mutex); ++} + ++void ath9k_destoy_wmi(struct ath9k_htc_priv *priv) ++{ + kfree(priv->wmi); + } + +--- a/drivers/net/wireless/ath/ath9k/wmi.h ++++ b/drivers/net/wireless/ath/ath9k/wmi.h +@@ -179,7 +179,6 @@ struct wmi { + }; + + struct wmi *ath9k_init_wmi(struct ath9k_htc_priv *priv); +-void ath9k_deinit_wmi(struct ath9k_htc_priv *priv); + int ath9k_wmi_connect(struct htc_target *htc, struct wmi *wmi, + enum htc_endpoint_id *wmi_ctrl_epid); + int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, +@@ -189,6 +188,8 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum + void ath9k_wmi_event_tasklet(unsigned long data); + void ath9k_fatal_work(struct work_struct *work); + void ath9k_wmi_event_drain(struct ath9k_htc_priv *priv); ++void ath9k_stop_wmi(struct ath9k_htc_priv *priv); ++void ath9k_destoy_wmi(struct ath9k_htc_priv *priv); + + #define WMI_CMD(_wmi_cmd) \ + do { \ diff --git a/queue-4.19/ath9k-fix-use-after-free-write-in-ath9k_htc_rx_msg.patch b/queue-4.19/ath9k-fix-use-after-free-write-in-ath9k_htc_rx_msg.patch new file mode 100644 index 00000000000..19a2cacdaeb --- /dev/null +++ b/queue-4.19/ath9k-fix-use-after-free-write-in-ath9k_htc_rx_msg.patch 
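Review bot: The reordered `ath9k_hif_usb_disconnect` hunk calls `ath9k_destoy_wmi(hif_dev->htc_handle->drv_priv)` after `ath9k_htc_hw_deinit()`, while the `ath9k_htc_disconnect_device` hunk ends with `ieee80211_free_hw(htc_handle->drv_priv->hw)` — and `priv` is `hw`'s private area, per `ieee80211_alloc_hw(sizeof(struct ath9k_htc_priv), ...)` in the probe hunk. If `ath9k_htc_hw_deinit()` reaches `ath9k_htc_disconnect_device()` (not visible here, though the `unplugged` argument suggests it), `priv` has already been freed when `ath9k_destoy_wmi` reads `priv->wmi`, trading one use-after-free for another. Sequencing the URB teardown and the `kfree(priv->wmi)` inside `ath9k_htc_disconnect_device()` just before `ieee80211_free_hw()`, exactly as the `err_init:` path already does (`ath9k_stop_wmi`, `ath9k_hif_usb_dealloc_urbs`, `ath9k_destoy_wmi`), keeps `priv` alive for the read; the later `ath9k_hif_usb_dev_deinit()` must then tolerate already-killed URBs, which is not visible here. The new exported function is also misspelled (`destoy`) in all five places; being new, renaming it to `ath9k_destroy_wmi` now is cheap. All three touched functions extend beyond their hunks.
```c
		ath9k_deinit_device(htc_handle->drv_priv);
		ath9k_stop_wmi(htc_handle->drv_priv);
		/* kill the URBs whose completions dereference wmi, then free it,
		 * while priv (hw's private area) is still valid */
		ath9k_hif_usb_dealloc_urbs((struct hif_device_usb *)htc_handle->hif_dev);
		ath9k_destoy_wmi(htc_handle->drv_priv);
		ieee80211_free_hw(htc_handle->drv_priv->hw);
```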
@@ -0,0 +1,57 @@ +From e4ff08a4d727146bb6717a39a8d399d834654345 Mon Sep 17 00:00:00 2001 +From: Qiujun Huang +Date: Sat, 4 Apr 2020 12:18:36 +0800 +Subject: ath9k: Fix use-after-free Write in ath9k_htc_rx_msg + +From: Qiujun Huang + +commit e4ff08a4d727146bb6717a39a8d399d834654345 upstream. + +Write out of slab bounds. We should check epid. + +The case reported by syzbot: +https://lore.kernel.org/linux-usb/0000000000006ac55b05a1c05d72@google.com +BUG: KASAN: use-after-free in htc_process_conn_rsp +drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline] +BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 +drivers/net/wireless/ath/ath9k/htc_hst.c:443 +Write of size 2 at addr ffff8881cea291f0 by task swapper/1/0 + +Call Trace: + htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 +[inline] +ath9k_htc_rx_msg+0xa25/0xaf0 +drivers/net/wireless/ath/ath9k/htc_hst.c:443 +ath9k_hif_usb_reg_in_cb+0x1ba/0x630 +drivers/net/wireless/ath/ath9k/hif_usb.c:718 +__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650 +usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716 +dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966 +call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404 +expire_timers kernel/time/timer.c:1449 [inline] +__run_timers kernel/time/timer.c:1773 [inline] +__run_timers kernel/time/timer.c:1740 [inline] +run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786 + +Reported-and-tested-by: syzbot+b1c61e5f11be5782f192@syzkaller.appspotmail.com +Signed-off-by: Qiujun Huang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200404041838.10426-4-hqjagain@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -113,6 +113,9 @@ static void htc_process_conn_rsp(struct + + if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) { + epid = 
svc_rspmsg->endpoint_id; ++ if (epid < 0 || epid >= ENDPOINT_MAX) ++ return; ++ + service_id = be16_to_cpu(svc_rspmsg->service_id); + max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len); + endpoint = &target->endpoint[epid]; diff --git a/queue-4.19/ath9x-fix-stack-out-of-bounds-write-in-ath9k_hif_usb_rx_cb.patch b/queue-4.19/ath9x-fix-stack-out-of-bounds-write-in-ath9k_hif_usb_rx_cb.patch new file mode 100644 index 00000000000..38652ae5d51 --- /dev/null +++ b/queue-4.19/ath9x-fix-stack-out-of-bounds-write-in-ath9k_hif_usb_rx_cb.patch 
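Review bot: The added bounds check in `htc_process_conn_rsp` returns silently on a bad `endpoint_id`, so nothing is logged and, if the caller that issued the connect request waits on a completion this function normally signals (the rest of the function is outside the hunk), it only learns of the malformed response through a timeout. A log line next to the `return`, e.g. `dev_err(target->dev, "ath9k_htc: invalid endpoint id %d in connect response\n", epid);` if `target` carries a device pointer here, makes a buggy or untrusted firmware response visible instead of looking like a hang. `epid < 0` is only meaningful if `epid` is declared signed; its declaration is outside the hunk, and if it is unsigned the test is dead and compilers will flag it.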
@@ -0,0 +1,57 @@ +From 19d6c375d671ce9949a864fb9a03e19f5487b4d3 Mon Sep 17 00:00:00 2001 +From: Qiujun Huang +Date: Sat, 4 Apr 2020 12:18:37 +0800 +Subject: ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb + +From: Qiujun Huang + +commit 19d6c375d671ce9949a864fb9a03e19f5487b4d3 upstream. + +Add barrier to accessing the stack array skb_pool. + +The case reported by syzbot: +https://lore.kernel.org/linux-usb/0000000000003d7c1505a2168418@google.com +BUG: KASAN: stack-out-of-bounds in ath9k_hif_usb_rx_stream +drivers/net/wireless/ath/ath9k/hif_usb.c:626 [inline] +BUG: KASAN: stack-out-of-bounds in ath9k_hif_usb_rx_cb+0xdf6/0xf70 +drivers/net/wireless/ath/ath9k/hif_usb.c:666 +Write of size 8 at addr ffff8881db309a28 by task swapper/1/0 + +Call Trace: +ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:626 +[inline] +ath9k_hif_usb_rx_cb+0xdf6/0xf70 +drivers/net/wireless/ath/ath9k/hif_usb.c:666 +__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648 +usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713 +dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966 +call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404 +expire_timers kernel/time/timer.c:1449 [inline] +__run_timers kernel/time/timer.c:1773 [inline] +__run_timers kernel/time/timer.c:1740 [inline] +run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786 + +Reported-and-tested-by: syzbot+d403396d4df67ad0bd5f@syzkaller.appspotmail.com +Signed-off-by: Qiujun Huang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200404041838.10426-5-hqjagain@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -612,6 +612,11 @@ static void ath9k_hif_usb_rx_stream(stru + hif_dev->remain_skb = nskb; + spin_unlock(&hif_dev->rx_lock); + } else { ++ if (pool_index == MAX_PKT_NUM_IN_TRANSFER) { 
++ dev_err(&hif_dev->udev->dev,
++ "ath9k_htc: over RX MAX_PKT_NUM\n");
++ goto err;
++ }
+ nskb = __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC);
+ if (!nskb) {
+ dev_err(&hif_dev->udev->dev,
diff --git a/queue-4.19/series b/queue-4.19/series
index b22e14c64ae..d1a62505b2c 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -75,3 +75,8 @@ kvm-mips-define-kvm_entryhi_asid-to-cpu_asid_mask-boot_cpu_data.patch
 kvm-mips-fix-vpn2_mask-definition-for-variable-cpu_vmbits.patch
 kvm-arm64-make-vcpu_cp1x-work-on-big-endian-hosts.patch
 scsi-megaraid_sas-tm-command-refire-leads-to-controller-firmware-crash.patch
+ath9k-fix-use-after-free-read-in-ath9k_wmi_ctrl_rx.patch
+ath9k-fix-use-after-free-write-in-ath9k_htc_rx_msg.patch
+ath9x-fix-stack-out-of-bounds-write-in-ath9k_hif_usb_rx_cb.patch
+ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch
+smack-slab-out-of-bounds-in-vsscanf.patch
diff --git a/queue-4.19/smack-slab-out-of-bounds-in-vsscanf.patch b/queue-4.19/smack-slab-out-of-bounds-in-vsscanf.patch
new file mode 100644
index 00000000000..98bf0dda386
--- /dev/null
+++ b/queue-4.19/smack-slab-out-of-bounds-in-vsscanf.patch
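Review bot: The guard in `ath9k_hif_usb_rx_stream` tests `pool_index == MAX_PKT_NUM_IN_TRANSFER`; since the intent is to keep the index inside `skb_pool[]`, `if (pool_index >= MAX_PKT_NUM_IN_TRANSFER) {` states the invariant directly and stays correct should `pool_index` ever advance by more than one. The message `"ath9k_htc: over RX MAX_PKT_NUM\n"` names a constant that does not appear in the code; printing the real limit and index, `"ath9k_htc: skb_pool full (%d >= %d)\n", pool_index, MAX_PKT_NUM_IN_TRANSFER`, makes it searchable, and because the condition is driven by device-supplied stream contents a ratelimited print avoids a device flooding the log. What `err:` does with skbs already placed in the pool is outside the hunk, so whether they are released on this new path is not visible here.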
@@ -0,0 +1,45 @@
+From 84e99e58e8d1e26f04c097f4266e431a33987f36 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler
+Date: Thu, 9 Apr 2020 16:35:28 -0700
+Subject: Smack: slab-out-of-bounds in vsscanf
+
+From: Casey Schaufler
+
+commit 84e99e58e8d1e26f04c097f4266e431a33987f36 upstream.
+
+Add barrier to soob. Return -EOVERFLOW if the buffer
+is exceeded.
+
+Suggested-by: Hillf Danton
+Reported-by: syzbot+bfdd4a2f07be52351350@syzkaller.appspotmail.com
+Signed-off-by: Casey Schaufler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/smack/smackfs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -906,11 +906,21 @@ static ssize_t smk_set_cipso(struct file
+ else
+ rule += strlen(skp->smk_known) + 1;
+
++ if (rule > data + count) {
++ rc = -EOVERFLOW;
++ goto out;
++ }
++
+ ret = sscanf(rule, "%d", &maplevel);
+ if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
+ goto out;
+
+ rule += SMK_DIGITLEN;
++ if (rule > data + count) {
++ rc = -EOVERFLOW;
++ goto out;
++ }
++
+ ret = sscanf(rule, "%d", &catlen);
+ if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
+ goto out;
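Review bot: Both added checks in `smk_set_cipso` use `rule > data + count`, which lets `rule == data + count` through to `sscanf`; that is only safe if `data` carries a terminating NUL at `data[count]`, which depends on how `data` was allocated earlier in the function, outside the hunk. `if (rule >= data + count) {` makes the guard self-contained at no cost and still returns `-EOVERFLOW` for the genuinely exceeded case. Note also that the checks run after `rule` has already been advanced past the buffer, so the comparison is what is relied on rather than the advance; the `out:` label and the initial value of `rc` are outside the hunk.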