From: Greg Kroah-Hartman Date: Mon, 18 Nov 2019 08:32:18 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v5.3.12~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=763e1268b92c96f8b878fdfb2ff348c59656ca72;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: ax88172a-fix-information-leak-on-short-answers.patch slip-fix-memory-leak-in-slip_open-error-path.patch --- diff --git a/queue-4.9/ax88172a-fix-information-leak-on-short-answers.patch b/queue-4.9/ax88172a-fix-information-leak-on-short-answers.patch new file mode 100644 index 00000000000..c0cab0822eb --- /dev/null +++ b/queue-4.9/ax88172a-fix-information-leak-on-short-answers.patch @@ -0,0 +1,32 @@ +From foo@baz Mon 18 Nov 2019 09:19:31 AM CET +From: Oliver Neukum +Date: Thu, 14 Nov 2019 11:16:01 +0100 +Subject: ax88172a: fix information leak on short answers + +From: Oliver Neukum + +[ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ] + +If a malicious device gives a short MAC it can elicit up to +5 bytes of leaked memory out of the driver. We need to check for +ETH_ALEN instead. + +Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ax88172a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/ax88172a.c ++++ b/drivers/net/usb/ax88172a.c +@@ -215,7 +215,7 @@ static int ax88172a_bind(struct usbnet * + + /* Get the MAC address */ + ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0); +- if (ret < 0) { ++ if (ret < ETH_ALEN) { + netdev_err(dev->net, "Failed to read MAC address: %d\n", ret); + goto free; + } diff --git a/queue-4.9/slip-fix-memory-leak-in-slip_open-error-path.patch b/queue-4.9/slip-fix-memory-leak-in-slip_open-error-path.patch new file mode 100644 index 00000000000..d5cea36e54e --- /dev/null +++ b/queue-4.9/slip-fix-memory-leak-in-slip_open-error-path.patch @@ -0,0 +1,55 @@ +From foo@baz Mon 18 Nov 2019 09:19:31 AM CET +From: Jouni Hogander +Date: Wed, 13 Nov 2019 13:45:02 +0200 +Subject: slip: Fix memory leak in slip_open error path + +From: Jouni Hogander + +[ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ] + +Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected +by Syzkaller in slcan. Same issue exists in slip.c and this patch is +addressing the leak in slip.c. + +Here is the slcan memory leak trace reported by Syzkaller: + +BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096): + comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s) + hex dump (first 32 bytes): + 73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0.......... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0 + [<0000000083306e66>] kvmalloc_node+0x3a/0xc0 + [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080 + [<0000000061a996c9>] slcan_open+0x3ae/0x9a0 + [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0 + [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0 + [<000000004de5a617>] tty_ioctl+0x48d/0x1590 + [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510 + [<0000000059068dbc>] ksys_ioctl+0x99/0xb0 + [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0 + [<0000000053d0332e>] do_syscall_64+0x16f/0x580 + [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [<000000008ea75434>] 0xfffffffffffffff + +Cc: "David S. Miller" +Cc: Oliver Hartkopp +Cc: Lukas Bulwahn +Signed-off-by: Jouni Hogander +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/slip/slip.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -860,6 +860,7 @@ err_free_chan: + sl->tty = NULL; + tty->disc_data = NULL; + clear_bit(SLF_INUSE, &sl->flags); ++ free_netdev(sl->dev); + + err_exit: + rtnl_unlock();