From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 17 Sep 2019 17:43:28 +0000 (+0200)
Subject: 5.2-stable patches
X-Git-Tag: v4.14.145~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=88ed4e4e924991c06eda30b16a702b83751390b1;p=thirdparty%2Fkernel%2Fstable-queue.git

5.2-stable patches

added patches:
	rsi-fix-a-double-free-bug-in-rsi_91x_deinit.patch
---

diff --git a/queue-5.2/rsi-fix-a-double-free-bug-in-rsi_91x_deinit.patch b/queue-5.2/rsi-fix-a-double-free-bug-in-rsi_91x_deinit.patch
new file mode 100644
index 00000000000..ba05c1f29d1
--- /dev/null
+++ b/queue-5.2/rsi-fix-a-double-free-bug-in-rsi_91x_deinit.patch
@@ -0,0 +1,46 @@
+From 8b51dc7291473093c821195c4b6af85fadedbc2f Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Mon, 19 Aug 2019 18:02:29 -0400
+Subject: rsi: fix a double free bug in rsi_91x_deinit()
+
+From: Hui Peng <benquike@gmail.com>
+
+commit 8b51dc7291473093c821195c4b6af85fadedbc2f upstream.
+
+`dev` (struct rsi_91x_usbdev *) field of adapter
+(struct rsi_91x_usbdev *) is allocated  and initialized in
+`rsi_init_usb_interface`. If any error is detected in information
+read from the device side,  `rsi_init_usb_interface` will be
+freed. However, in the higher level error handling code in
+`rsi_probe`, if error is detected, `rsi_91x_deinit` is called
+again, in which `dev` will be freed again, resulting double free.
+
+This patch fixes the double free by removing the free operation on
+`dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also
+used in `rsi_disconnect`, in that code path, the `dev` field is not
+ (and thus needs to be) freed.
+
+This bug was found in v4.19, but is also present in the latest version
+of kernel. Fixes CVE-2019-15504.
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -645,7 +645,6 @@ fail_rx:
+ 	kfree(rsi_dev->tx_buffer);
+ 
+ fail_eps:
+-	kfree(rsi_dev);
+ 
+ 	return status;
+ }
diff --git a/queue-5.2/series b/queue-5.2/series
index 562d3e42bec..85e358adc1b 100644
--- a/queue-5.2/series
+++ b/queue-5.2/series
@@ -81,3 +81,4 @@ kvm-nvmx-remove-unnecessary-sync_roots-from-handle_invept.patch
 kvm-svm-fix-detection-of-amd-errata-1096.patch
 platform-x86-pmc_atom-add-cb4063-beckhoff-automation-board-to-critclk_systems-dmi-table.patch
 platform-x86-pcengines-apuv2-use-key_restart-for-front-button.patch
+rsi-fix-a-double-free-bug-in-rsi_91x_deinit.patch