From: Greg Kroah-Hartman Date: Sat, 17 Oct 2020 11:29:57 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.241~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b3c6d33db01e9d7010b99ee710647a207c2f1235;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-bebob-potential-info-leak-in-hwdep_read.patch binder-fix-uaf-when-releasing-todo-list.patch --- diff --git a/queue-4.19/alsa-bebob-potential-info-leak-in-hwdep_read.patch b/queue-4.19/alsa-bebob-potential-info-leak-in-hwdep_read.patch new file mode 100644 index 00000000000..833ced5ffeb --- /dev/null +++ b/queue-4.19/alsa-bebob-potential-info-leak-in-hwdep_read.patch @@ -0,0 +1,40 @@ +From b41c15f4e1c1f1657da15c482fa837c1b7384452 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 7 Oct 2020 10:49:28 +0300 +Subject: ALSA: bebob: potential info leak in hwdep_read() + +From: Dan Carpenter + +commit b41c15f4e1c1f1657da15c482fa837c1b7384452 upstream. + +The "count" variable needs to be capped on every path so that we don't +copy too much information to the user. + +Fixes: 618eabeae711 ("ALSA: bebob: Add hwdep interface") +Signed-off-by: Dan Carpenter +Acked-by: Takashi Sakamoto +Cc: +Link: https://lore.kernel.org/r/20201007074928.GA2529578@mwanda +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/bebob/bebob_hwdep.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/sound/firewire/bebob/bebob_hwdep.c ++++ b/sound/firewire/bebob/bebob_hwdep.c +@@ -37,12 +37,11 @@ hwdep_read(struct snd_hwdep *hwdep, char + } + + memset(&event, 0, sizeof(event)); ++ count = min_t(long, count, sizeof(event.lock_status)); + if (bebob->dev_lock_changed) { + event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS; + event.lock_status.status = (bebob->dev_lock_count > 0); + bebob->dev_lock_changed = false; +- +- count = min_t(long, count, sizeof(event.lock_status)); + } + + spin_unlock_irq(&bebob->lock); diff --git a/queue-4.19/binder-fix-uaf-when-releasing-todo-list.patch b/queue-4.19/binder-fix-uaf-when-releasing-todo-list.patch new file mode 100644 index 00000000000..712da6eeeeb --- /dev/null +++ b/queue-4.19/binder-fix-uaf-when-releasing-todo-list.patch @@ -0,0 +1,113 @@ +From f3277cbfba763cd2826396521b9296de67cf1bbc Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Fri, 9 Oct 2020 16:24:55 -0700 +Subject: binder: fix UAF when releasing todo list + +From: Todd Kjos + +commit f3277cbfba763cd2826396521b9296de67cf1bbc upstream. + +When releasing a thread todo list when tearing down +a binder_proc, the following race was possible which +could result in a use-after-free: + +1. Thread 1: enter binder_release_work from binder_thread_release +2. Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked() +3. Thread 2: dec nodeA --> 0 (will free node) +4. Thread 1: ACQ inner_proc_lock +5. Thread 2: block on inner_proc_lock +6. Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA) +7. Thread 1: REL inner_proc_lock +8. Thread 2: ACQ inner_proc_lock +9. Thread 2: todo list cleanup, but work was already dequeued +10. Thread 2: free node +11. Thread 2: REL inner_proc_lock +12. Thread 1: deref w->type (UAF) + +The problem was that for a BINDER_WORK_NODE, the binder_work element +must not be accessed after releasing the inner_proc_lock while +processing the todo list elements since another thread might be +handling a deref on the node containing the binder_work element +leading to the node being freed. + +Signed-off-by: Todd Kjos +Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com +Cc: # 4.14, 4.19, 5.4, 5.8 +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 35 ++++++++++------------------------- + 1 file changed, 10 insertions(+), 25 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -285,7 +285,7 @@ struct binder_device { + struct binder_work { + struct list_head entry; + +- enum { ++ enum binder_work_type { + BINDER_WORK_TRANSACTION = 1, + BINDER_WORK_TRANSACTION_COMPLETE, + BINDER_WORK_RETURN_ERROR, +@@ -895,27 +895,6 @@ static struct binder_work *binder_dequeu + return w; + } + +-/** +- * binder_dequeue_work_head() - Dequeues the item at head of list +- * @proc: binder_proc associated with list +- * @list: list to dequeue head +- * +- * Removes the head of the list if there are items on the list +- * +- * Return: pointer dequeued binder_work, NULL if list was empty +- */ +-static struct binder_work *binder_dequeue_work_head( +- struct binder_proc *proc, +- struct list_head *list) +-{ +- struct binder_work *w; +- +- binder_inner_proc_lock(proc); +- w = binder_dequeue_work_head_ilocked(list); +- binder_inner_proc_unlock(proc); +- return w; +-} +- + static void + binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer); + static void binder_free_thread(struct binder_thread *thread); +@@ -4242,13 +4221,17 @@ static void binder_release_work(struct b + struct list_head *list) + { + struct binder_work *w; ++ enum binder_work_type wtype; + + while (1) { +- w = binder_dequeue_work_head(proc, list); ++ binder_inner_proc_lock(proc); ++ w = binder_dequeue_work_head_ilocked(list); ++ wtype = w ? w->type : 0; ++ binder_inner_proc_unlock(proc); + if (!w) + return; + +- switch (w->type) { ++ switch (wtype) { + case BINDER_WORK_TRANSACTION: { + struct binder_transaction *t; + +@@ -4282,9 +4265,11 @@ static void binder_release_work(struct b + kfree(death); + binder_stats_deleted(BINDER_STAT_DEATH); + } break; ++ case BINDER_WORK_NODE: ++ break; + default: + pr_err("unexpected work type, %d, not freed\n", +- w->type); ++ wtype); + break; + } + } diff --git a/queue-4.19/series b/queue-4.19/series index 6ef164872f6..2f7f8a84bbf 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -11,3 +11,5 @@ tipc-fix-the-skb_unshare-in-tipc_buf_append.patch net-ipv4-always-honour-route-mtu-during-forwarding.patch r8169-fix-data-corruption-issue-on-rtl8402.patch net-tls-sendfile-fails-with-ktls-offload.patch +binder-fix-uaf-when-releasing-todo-list.patch +alsa-bebob-potential-info-leak-in-hwdep_read.patch