From: Greg Kroah-Hartman
Date: Fri, 25 Sep 2020 09:12:45 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.19.148~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=65ade10a4c05a06149137078bc75834962a338f6;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
ip-fix-tos-reflection-in-ack-and-reset-packets.patch
net-add-__must_check-to-skb_put_padto.patch
tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
---
diff --git a/queue-4.4/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch b/queue-4.4/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
new file mode 100644
index 00000000000..8b1cbedd2fb
--- /dev/null
+++ b/queue-4.4/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
@@ -0,0 +1,80 @@
+From foo@baz Fri Sep 25 11:07:59 AM CEST 2020
+From: Dan Carpenter
+Date: Wed, 9 Sep 2020 12:46:48 +0300
+Subject: hdlc_ppp: add range checks in ppp_cp_parse_cr()
+
+From: Dan Carpenter
+
+[ Upstream commit 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 ]
+
+There are a couple bugs here:
+1) If opt[1] is zero then this results in a forever loop. If the value
+ is less than 2 then it is invalid.
+2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
+ result in memory corruption.
+
+In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead
+of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
+"nak_len" gets out of sync and it can lead to memory corruption in the
+next iterations through the loop. In case of LCP_OPTION_MAGIC, the
+only valid value for opt[1] is 6, but the code is trying to log invalid
+data so we should only discard the data when "len" is less than 6
+because that leads to a read overflow.
+
+Reported-by: ChenNan Of Chaitin Security Research Lab
+Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Eric Dumazet
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wan/hdlc_ppp.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wan/hdlc_ppp.c
++++ b/drivers/net/wan/hdlc_ppp.c
+@@ -386,11 +386,8 @@ static void ppp_cp_parse_cr(struct net_d
+ }
+
+ for (opt = data; len; len -= opt[1], opt += opt[1]) {
+- if (len < 2 || len < opt[1]) {
+- dev->stats.rx_errors++;
+- kfree(out);
+- return; /* bad packet, drop silently */
+- }
++ if (len < 2 || opt[1] < 2 || len < opt[1])
++ goto err_out;
+
+ if (pid == PID_LCP)
+ switch (opt[0]) {
+@@ -398,6 +395,8 @@ static void ppp_cp_parse_cr(struct net_d
+ continue; /* MRU always OK and > 1500 bytes? */
+
+ case LCP_OPTION_ACCM: /* async control character map */
++ if (opt[1] < sizeof(valid_accm))
++ goto err_out;
+ if (!memcmp(opt, valid_accm,
+ sizeof(valid_accm)))
+ continue;
+@@ -409,6 +408,8 @@ static void ppp_cp_parse_cr(struct net_d
+ }
+ break;
+ case LCP_OPTION_MAGIC:
++ if (len < 6)
++ goto err_out;
+ if (opt[1] != 6 || (!opt[2] && !opt[3] &&
+ !opt[4] && !opt[5]))
+ break; /* reject invalid magic number */
+@@ -427,6 +428,11 @@ static void ppp_cp_parse_cr(struct net_d
+ ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data);
+
+ kfree(out);
++ return;
++
++err_out:
++ dev->stats.rx_errors++;
++ kfree(out);
+ }
+
+ static int ppp_rx(struct sk_buff *skb)
diff --git a/queue-4.4/ip-fix-tos-reflection-in-ack-and-reset-packets.patch b/queue-4.4/ip-fix-tos-reflection-in-ack-and-reset-packets.patch
new file mode 100644
index 00000000000..035b647882b
--- /dev/null
+++ b/queue-4.4/ip-fix-tos-reflection-in-ack-and-reset-packets.patch
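Review bot: The new `err_out:` label at the end of ppp_cp_parse_cr() becomes the single exit for three different validation failures, yet it loses the intent that the removed `return; /* bad packet, drop silently */` line carried. A one-line comment on the label, `err_out: /* malformed option list: count it in rx_errors and drop silently */`, keeps that visible for whoever next touches the range checks. The two new guards are deliberately different (`opt[1] < sizeof(valid_accm)` bounds the memcmp and the later nak bookkeeping, while `len < 6` only prevents the read overflow before the magic-number value is logged and rejected), and a short comment on each would save the next reader a trip to the commit message. ppp_cp_parse_cr() starts before the first inner hunk, so the declarations of `len` and `out` are not visible here.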
@@ -0,0 +1,43 @@
+From foo@baz Fri Sep 25 11:07:59 AM CEST 2020
+From: Wei Wang
+Date: Tue, 8 Sep 2020 14:09:34 -0700
+Subject: ip: fix tos reflection in ack and reset packets
+
+From: Wei Wang
+
+[ Upstream commit ba9e04a7ddf4f22a10e05bf9403db6b97743c7bf ]
+
+Currently, in tcp_v4_reqsk_send_ack() and tcp_v4_send_reset(), we
+echo the TOS value of the received packets in the response.
+However, we do not want to echo the lower 2 ECN bits in accordance
+with RFC 3168 6.1.5 robustness principles.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+
+Signed-off-by: Wei Wang
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_output.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -73,6 +73,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -1597,7 +1598,7 @@ void ip_send_unicast_reply(struct sock *
+ if (IS_ERR(rt))
+ return;
+
+- inet_sk(sk)->tos = arg->tos;
++ inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK;
+
+ sk->sk_priority = skb->priority;
+ sk->sk_protocol = ip_hdr(skb)->protocol;
diff --git a/queue-4.4/net-add-__must_check-to-skb_put_padto.patch b/queue-4.4/net-add-__must_check-to-skb_put_padto.patch
new file mode 100644
index 00000000000..2263ffee493
--- /dev/null
+++ b/queue-4.4/net-add-__must_check-to-skb_put_padto.patch
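Review bot: The new `inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK;` line strips the two ECN bits without saying why, so a reader of ip_send_unicast_reply() cannot tell whether this is deliberate or a truncation bug; add `/* never reflect the peer's ECN bits back (RFC 3168 6.1.5) */` above it. The header name on the added `#include` line is missing in this rendering, as it is on the neighbouring context lines, so it cannot be confirmed from the page that the include being added is the one that defines `INET_ECN_MASK` (upstream that is `<net/inet_ecn.h>`); worth a glance at the actual file before queuing. The rest of ip_send_unicast_reply() lies outside the hunk.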
@@ -0,0 +1,30 @@
+From foo@baz Fri Sep 25 11:00:38 AM CEST 2020
+From: Eric Dumazet
+Date: Wed, 9 Sep 2020 01:27:40 -0700
+Subject: net: add __must_check to skb_put_padto()
+
+From: Eric Dumazet
+
+[ Upstream commit 4a009cb04aeca0de60b73f37b102573354214b52 ]
+
+skb_put_padto() and __skb_put_padto() callers
+must check return values or risk use-after-free.
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/skbuff.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2651,7 +2651,7 @@ static inline int skb_padto(struct sk_bu
+ * is untouched. Otherwise it is extended. Returns zero on
+ * success. The skb is freed on error.
+ */
+-static inline int skb_put_padto(struct sk_buff *skb, unsigned int len)
++static inline int __must_check skb_put_padto(struct sk_buff *skb, unsigned int len)
+ {
+ unsigned int size = skb->len;
+
diff --git a/queue-4.4/series b/queue-4.4/series
index a5f69c5232e..3663c19f077 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -4,3 +4,7 @@ kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
 ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch
 rdma-ucma-ucma_context-reference-leak-in-error-path.patch
 mtd-fix-comparison-in-map_word_andequal.patch
+hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
+tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
+net-add-__must_check-to-skb_put_padto.patch
+ip-fix-tos-reflection-in-ack-and-reset-packets.patch
diff --git a/queue-4.4/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch b/queue-4.4/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
new file mode 100644
index 00000000000..e7809c2eeff
--- /dev/null
+++ b/queue-4.4/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
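Review bot: Adding `__must_check` to `skb_put_padto()` only turns an ignored return value into a compiler warning; it does not change any caller in this 4.4 tree that already drops the result, and those callers are exactly the use-after-free the description warns about, since the comment visible above the hunk states the skb is freed on error. Queuing this annotation should therefore go together with a build to collect the new warnings and with the caller fixes they point at, otherwise the backport documents the hazard without closing it. The description also names `__skb_put_padto()`, which this hunk does not touch; if that helper exists in this tree it should carry the same annotation, and if it does not, the subject line could say so. The body of skb_put_padto() continues outside the hunk.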
@@ -0,0 +1,67 @@
+From foo@baz Fri Sep 25 11:07:59 AM CEST 2020
+From: Xin Long
+Date: Sun, 13 Sep 2020 19:37:31 +0800
+Subject: tipc: use skb_unshare() instead in tipc_buf_append()
+
+From: Xin Long
+
+[ Upstream commit ff48b6222e65ebdba5a403ef1deba6214e749193 ]
+
+In tipc_buf_append() it may change skb's frag_list, and it causes
+problems when this skb is cloned. skb_unclone() doesn't really
+make this skb's flag_list available to change.
+
+Shuang Li has reported an use-after-free issue because of this
+when creating quite a few macvlan dev over the same dev, where
+the broadcast packets will be cloned and go up to the stack:
+
+ [ ] BUG: KASAN: use-after-free in pskb_expand_head+0x86d/0xea0
+ [ ] Call Trace:
+ [ ] dump_stack+0x7c/0xb0
+ [ ] print_address_description.constprop.7+0x1a/0x220
+ [ ] kasan_report.cold.10+0x37/0x7c
+ [ ] check_memory_region+0x183/0x1e0
+ [ ] pskb_expand_head+0x86d/0xea0
+ [ ] process_backlog+0x1df/0x660
+ [ ] net_rx_action+0x3b4/0xc90
+ [ ]
+ [ ] Allocated by task 1786:
+ [ ] kmem_cache_alloc+0xbf/0x220
+ [ ] skb_clone+0x10a/0x300
+ [ ] macvlan_broadcast+0x2f6/0x590 [macvlan]
+ [ ] macvlan_process_broadcast+0x37c/0x516 [macvlan]
+ [ ] process_one_work+0x66a/0x1060
+ [ ] worker_thread+0x87/0xb10
+ [ ]
+ [ ] Freed by task 3253:
+ [ ] kmem_cache_free+0x82/0x2a0
+ [ ] skb_release_data+0x2c3/0x6e0
+ [ ] kfree_skb+0x78/0x1d0
+ [ ] tipc_recvmsg+0x3be/0xa40 [tipc]
+
+So fix it by using skb_unshare() instead, which would create a new
+skb for the cloned frag and it'll be safe to change its frag_list.
+The similar things were also done in sctp_make_reassembled_event(),
+which is using skb_copy().
+
+Reported-by: Shuang Li
+Fixes: 37e22164a8a3 ("tipc: rename and move message reassembly function")
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/msg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -138,7 +138,8 @@ int tipc_buf_append(struct sk_buff **hea
+ if (fragid == FIRST_FRAGMENT) {
+ if (unlikely(head))
+ goto err;
+- if (unlikely(skb_unclone(frag, GFP_ATOMIC)))
++ frag = skb_unshare(frag, GFP_ATOMIC);
++ if (unlikely(!frag))
+ goto err;
+ head = *headbuf = frag;
+ *buf = NULL;
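Review bot: After `frag = skb_unshare(frag, GFP_ATOMIC);` the caller's `*buf` still points at the original skb, and skb_unshare() releases that original whenever it had to copy, on success as well as on failure; so on the new `goto err` branch any cleanup that frees `*buf` would be a double free, and on the success branch `*buf` is stale until the `*buf = NULL;` two lines below. Clearing the caller's pointer before the call removes the window: move `*buf = NULL;` up to just ahead of the `frag = skb_unshare(...)` line, keep `head = *headbuf = frag;` as it is, and drop the now-redundant assignment after it. The `err:` label and its cleanup lie outside this hunk, so that path should be checked against the full function before the patch is queued.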