From: Greg Kroah-Hartman Date: Fri, 9 Oct 2020 07:38:14 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.239~71 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=739258e572efb4691710c36a60cbf53156bb305a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch usermodehelper-reset-umask-to-default-before-executing-user-process.patch --- diff --git a/queue-4.14/net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch b/queue-4.14/net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch new file mode 100644 index 00000000000..c90192cbd0e --- /dev/null +++ b/queue-4.14/net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch 
@@ -0,0 +1,42 @@ +From 3dc289f8f139997f4e9d3cfccf8738f20d23e47b Mon Sep 17 00:00:00 2001 +From: Anant Thazhemadam +Date: Wed, 7 Oct 2020 09:24:01 +0530 +Subject: net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() + +From: Anant Thazhemadam + +commit 3dc289f8f139997f4e9d3cfccf8738f20d23e47b upstream. + +In nl80211_parse_key(), key.idx is first initialized as -1. +If this value of key.idx remains unmodified and gets returned, and +nl80211_key_allowed() also returns 0, then rdev_del_key() gets called +with key.idx = -1. +This causes an out-of-bounds array access. + +Handle this issue by checking if the value of key.idx after +nl80211_parse_key() is called and return -EINVAL if key.idx < 0. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com +Tested-by: syzbot+b1bb342d1d097516cbda@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Link: https://lore.kernel.org/r/20201007035401.9522-1-anant.thazhemadam@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3343,6 +3343,9 @@ static int nl80211_del_key(struct sk_buf + if (err) + return err; + ++ if (key.idx < 0) ++ return -EINVAL; ++ + if (info->attrs[NL80211_ATTR_MAC]) + mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]); + diff --git a/queue-4.14/series b/queue-4.14/series index 0d865687802..2f7680956b8 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -33,3 +33,5 @@ fbdev-newport_con-move-font_extra_words-macros-into-linux-font.h.patch fonts-support-font_extra_words-macros-for-built-in-fonts.patch revert-ravb-fixed-to-be-able-to-unload-modules.patch fbcon-fix-global-out-of-bounds-read-in-fbcon_get_font.patch +net-wireless-nl80211-fix-out-of-bounds-access-in-nl80211_del_key.patch +usermodehelper-reset-umask-to-default-before-executing-user-process.patch 
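Review bot: the new `if (key.idx < 0) return -EINVAL;` guard in nl80211_del_key() carries no comment, so the reason a negative index can reach this point (nl80211_parse_key() initialises key.idx to -1 and leaves it there when no key index attribute is supplied, per the commit message) lives only in the changelog; a one-line comment above the check, e.g. `/* key.idx stays -1 when no index was given; rdev_del_key() would index with it */`, would keep that rationale with the code. It is also worth confirming in review that this lower bound is the only missing check, i.e. that the upper bound on key.idx is already enforced inside nl80211_parse_key() before the err test above, since this hunk only rejects negative values.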
diff --git a/queue-4.14/usermodehelper-reset-umask-to-default-before-executing-user-process.patch b/queue-4.14/usermodehelper-reset-umask-to-default-before-executing-user-process.patch new file mode 100644 index 00000000000..513292e3203 --- /dev/null +++ b/queue-4.14/usermodehelper-reset-umask-to-default-before-executing-user-process.patch 
@@ -0,0 +1,64 @@ +From 4013c1496c49615d90d36b9d513eee8e369778e9 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 5 Oct 2020 10:56:22 -0700 +Subject: usermodehelper: reset umask to default before executing user process + +From: Linus Torvalds + +commit 4013c1496c49615d90d36b9d513eee8e369778e9 upstream. + +Kernel threads intentionally do CLONE_FS in order to follow any changes +that 'init' does to set up the root directory (or cwd). + +It is admittedly a bit odd, but it avoids the situation where 'init' +does some extensive setup to initialize the system environment, and then +we execute a usermode helper program, and it uses the original FS setup +from boot time that may be very limited and incomplete. + +[ Both Al Viro and Eric Biederman point out that 'pivot_root()' will + follow the root regardless, since it fixes up other users of root (see + chroot_fs_refs() for details), but overmounting root and doing a + chroot() would not. ] + +However, Vegard Nossum noticed that the CLONE_FS not only means that we +follow the root and current working directories, it also means we share +umask with whatever init changed it to. That wasn't intentional. + +Just reset umask to the original default (0022) before actually starting +the usermode helper program. + +Reported-by: Vegard Nossum +Cc: Al Viro +Acked-by: Eric W. Biederman +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/umh.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/kernel/umh.c ++++ b/kernel/umh.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -71,6 +72,14 @@ static int call_usermodehelper_exec_asyn + spin_unlock_irq(¤t->sighand->siglock); + + /* ++ * Initial kernel threads share ther FS with init, in order to ++ * get the init root directory. But we've now created a new ++ * thread that is going to execve a user process and has its own ++ * 'struct fs_struct'. Reset umask to the default. 
++ */ ++ current->fs->umask = 0022; ++ ++ /* + * Our parent (unbound workqueue) runs with elevated scheduling + * priority. Avoid propagating that into the userspace child. + */
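Review bot: typo in the new comment block in call_usermodehelper_exec_async(): "share ther FS with init" should read "share their FS with init". The reset itself is a bare octal literal, `current->fs->umask = 0022;`; since the commit message is where the "original default (0022)" is explained, a short trailing comment such as `/* restore the boot-time default umask */` or a named constant would make the intent clear at the point of use rather than only in the changelog.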