From: Greg Kroah-Hartman Date: Thu, 9 May 2019 17:01:15 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.9.175~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9fe8a919f790978ce9cd69cd70795517a93c66c8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch bluetooth-hidp-fix-buffer-overflow.patch scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs-routines.patch uas-fix-alignment-of-scatter-gather-segments.patch
---
diff --git a/queue-4.9/bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch b/queue-4.9/bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch
new file mode 100644
index 00000000000..4431d9146e4
--- /dev/null
+++ b/queue-4.9/bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch
@@ -0,0 +1,52 @@
+From d5bb334a8e171b262e48f378bd2096c0ea458265 Mon Sep 17 00:00:00 2001
+From: Marcel Holtmann
+Date: Wed, 24 Apr 2019 22:19:17 +0200
+Subject: Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
+
+From: Marcel Holtmann
+
+commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream.
+
+The minimum encryption key size for LE connections is 56 bits and to
+align LE with BR/EDR, enforce 56 bits of minimum encryption key size for
+BR/EDR connections as well.
+
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Johan Hedberg
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/bluetooth/hci_core.h | 3 +++
+ net/bluetooth/hci_conn.c | 8 ++++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -176,6 +176,9 @@ struct adv_info {
+ 
+ #define HCI_MAX_SHORT_NAME_LENGTH 10
+ 
++/* Min encryption key size to match with SMP */
++#define HCI_MIN_ENC_KEY_SIZE 7
++ 
+ /* Default LE RPA expiry time, 15 minutes */
+ #define HCI_DEFAULT_RPA_TIMEOUT (15 * 60)
+ 
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1165,6 +1165,14 @@ int hci_conn_check_link_mode(struct hci_
+ !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+ 
++ /* The minimum encryption key size needs to be enforced by the
++ * host stack before establishing any L2CAP connections. The
++ * specification in theory allows a minimum of 1, but to align
++ * BR/EDR and LE transports, a minimum of 7 is chosen.
++ */
++ if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE)
++ return 0;
++
+ return 1;
+ }
+ 
diff --git a/queue-4.9/bluetooth-hidp-fix-buffer-overflow.patch b/queue-4.9/bluetooth-hidp-fix-buffer-overflow.patch
new file mode 100644
index 00000000000..732cc10356a
--- /dev/null
+++ b/queue-4.9/bluetooth-hidp-fix-buffer-overflow.patch
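Review bot: HCI_MIN_ENC_KEY_SIZE is documented only as "to match with SMP" and its unit is not stated; the commit message talks about 56 bits while the macro holds 7, so a reader has to work out on their own that the value is in bytes. Suggest `/* Min encryption key size in bytes (56 bits), to match with SMP */`. The new check in hci_conn_check_link_mode rejects every encrypted link whose conn->enc_key_size is below 7, so it presumably relies on enc_key_size having been populated for each encrypted BR/EDR connection before this function runs; whether that holds on every 4.9 path cannot be seen from the hunk and is worth confirming, since a never-populated field would silently refuse L2CAP on otherwise valid links. hci_conn_check_link_mode starts outside the hunk.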
@@ -0,0 +1,34 @@
+From a1616a5ac99ede5d605047a9012481ce7ff18b16 Mon Sep 17 00:00:00 2001
+From: Young Xiao
+Date: Fri, 12 Apr 2019 15:24:30 +0800
+Subject: Bluetooth: hidp: fix buffer overflow
+
+From: Young Xiao
+
+commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.
+
+Struct ca is copied from userspace. It is not checked whether the "name"
+field is NULL terminated, which allows local users to obtain potentially
+sensitive information from kernel stack memory, via a HIDPCONNADD command.
+
+This vulnerability is similar to CVE-2011-1079.
+
+Signed-off-by: Young Xiao
+Signed-off-by: Marcel Holtmann
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/hidp/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/hidp/sock.c
++++ b/net/bluetooth/hidp/sock.c
+@@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket
+ sockfd_put(csock);
+ return err;
+ }
++ ca.name[sizeof(ca.name)-1] = 0;
+ 
+ err = hidp_connection_add(&ca, csock, isock);
+ if (!err && copy_to_user(argp, &ca, sizeof(ca)))
diff --git a/queue-4.9/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs-routines.patch b/queue-4.9/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs-routines.patch
new file mode 100644
index 00000000000..231695b041c
--- /dev/null
+++ b/queue-4.9/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs-routines.patch
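Review bot: The added line terminates ca.name with a bare `0` and carries no comment, so the only record of why it is needed (ca is copied from userspace and its name field may not be NUL-terminated, as the commit message explains) lives outside the code; the next maintainer sees an unexplained store immediately before hidp_connection_add and the copy_to_user that hands the struct back. Suggest `ca.name[sizeof(ca.name) - 1] = '\0'; /* name comes from userspace; force NUL termination before use and copy-back */`, using the conventional `'\0'` spelling for a char array. hidp_sock_ioctl starts and ends outside the hunk.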
@@ -0,0 +1,45 @@
+From 5cbdae10bf11f96e30b4d14de7b08c8b490e903c Mon Sep 17 00:00:00 2001
+From: Andrew Vasquez
+Date: Tue, 2 Apr 2019 14:24:25 -0700
+Subject: scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines
+
+From: Andrew Vasquez
+
+commit 5cbdae10bf11f96e30b4d14de7b08c8b490e903c upstream.
+
+Commit e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs
+code") incorrectly set 'optrom_region_size' to 'start+size', which can
+overflow option-rom boundaries when 'start' is non-zero. Continue setting
+optrom_region_size to the proper adjusted value of 'size'.
+
+Fixes: e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Vasquez
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -345,7 +345,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
+ }
+ 
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size;
++ ha->optrom_region_size = size;
+ 
+ ha->optrom_state = QLA_SREADING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+@@ -418,7 +418,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
+ }
+ 
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size;
++ ha->optrom_region_size = size;
+ 
+ ha->optrom_state = QLA_SWRITING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
diff --git a/queue-4.9/series b/queue-4.9/series
index 7fb71b754b6..6b66549d78a 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
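Review bot: Both hunks (@@ -345 and @@ -418) restore `ha->optrom_region_size = size;` without recording why the previous `start + size` was wrong, which is exactly how the regression slipped in once already; the line two below sizes the buffer with `vmalloc(ha->optrom_region_size)`, so the field must hold a length, not an end offset, and a comment at the first assignment would pin that down, e.g. `/* a length, not an end offset: optrom_buffer below is sized from it */`. The start/size/state/buffer sequence is otherwise identical in the read (QLA_SREADING) and write (QLA_SWRITING) paths, so a shared static helper would remove the duplication, though that is beyond a stable backport. qla2x00_sysfs_write_optrom_ctl starts and ends outside both hunks, so whether the bounds check on start and size that precedes these lines is intact cannot be confirmed from here.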
@@ -20,3 +20,7 @@ genirq-prevent-use-after-free-and-work-list-corrupti.patch
 usb-dwc3-fix-default-lpm_nyet_threshold-value.patch
 usb-serial-f81232-fix-interrupt-worker-not-stop.patch
 usb-storage-set-virt_boundary_mask-to-avoid-sg-overflows.patch
+scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs-routines.patch
+bluetooth-hidp-fix-buffer-overflow.patch
+bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch
+uas-fix-alignment-of-scatter-gather-segments.patch
diff --git a/queue-4.9/uas-fix-alignment-of-scatter-gather-segments.patch b/queue-4.9/uas-fix-alignment-of-scatter-gather-segments.patch
new file mode 100644
index 00000000000..d4f661ad970
--- /dev/null
+++ b/queue-4.9/uas-fix-alignment-of-scatter-gather-segments.patch
@@ -0,0 +1,77 @@
+From 3ae62a42090f1ed48e2313ed256a1182a85fb575 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 30 Apr 2019 12:21:45 +0200
+Subject: UAS: fix alignment of scatter/gather segments
+
+From: Oliver Neukum
+
+commit 3ae62a42090f1ed48e2313ed256a1182a85fb575 upstream.
+
+This is the UAS version of
+
+747668dbc061b3e62bc1982767a3a1f9815fcf0e
+usb-storage: Set virt_boundary_mask to avoid SG overflows
+
+We are not as likely to be vulnerable as storage, as it is unlikelier
+that UAS is run over a controller without native support for SG,
+but the issue exists.
+The issue has been existing since the inception of the driver.
+
+Fixes: 115bb1ffa54c ("USB: Add UAS driver")
+Signed-off-by: Oliver Neukum
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/storage/uas.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -796,24 +796,33 @@ static int uas_slave_alloc(struct scsi_d
+ {
+ struct uas_dev_info *devinfo =
+ (struct uas_dev_info *)sdev->host->hostdata;
++ int maxp;
+ 
+ sdev->hostdata = devinfo;
+ 
+ /*
+- * USB has unusual DMA-alignment requirements: Although the
+- * starting address of each scatter-gather element doesn't matter,
+- * the length of each element except the last must be divisible
+- * by the Bulk maxpacket value. There's currently no way to
+- * express this by block-layer constraints, so we'll cop out
+- * and simply require addresses to be aligned at 512-byte
+- * boundaries. This is okay since most block I/O involves
+- * hardware sectors that are multiples of 512 bytes in length,
+- * and since host controllers up through USB 2.0 have maxpacket
+- * values no larger than 512.
++ * We have two requirements here. We must satisfy the requirements
++ * of the physical HC and the demands of the protocol, as we
++ * definitely want no additional memory allocation in this path
++ * ruling out using bounce buffers.
+ *
+- * But it doesn't suffice for Wireless USB, where Bulk maxpacket
+- * values can be as large as 2048. To make that work properly
+- * will require changes to the block layer.
++ * For a transmission on USB to continue we must never send
++ * a package that is smaller than maxpacket. Hence the length of each
++ * scatterlist element except the last must be divisible by the
++ * Bulk maxpacket value.
++ * If the HC does not ensure that through SG,
++ * the upper layer must do that. We must assume nothing
++ * about the capabilities off the HC, so we use the most
++ * pessimistic requirement.
++ */
++
++ maxp = usb_maxpacket(devinfo->udev, devinfo->data_in_pipe, 0);
++ blk_queue_virt_boundary(sdev->request_queue, maxp - 1);
++
++ /*
++ * The protocol has no requirements on alignment in the strict sense.
++ * Controllers may or may not have alignment restrictions.
++ * As this is not exported, we use an extremely conservative guess.
+ */
+ blk_queue_update_dma_alignment(sdev->request_queue, (512 - 1));
+
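Review bot: The new comment block in uas_slave_alloc has two typos that change its meaning: "a package that is smaller than maxpacket" should read "a packet", and "capabilities off the HC" should read "capabilities of the HC"; suggest fixing both while the comment is being rewritten anyway. Separately, `blk_queue_virt_boundary(sdev->request_queue, maxp - 1)` uses the maxpacket value as a boundary mask, which presumes the value returned by usb_maxpacket is non-zero and a power of two; nothing in the hunk guards the returned `maxp`, so it is worth confirming that devinfo->data_in_pipe is always a valid bulk endpoint by the time this is called, as a zero return would turn `maxp - 1` into an all-ones mask. uas_slave_alloc continues past the end of the hunk.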