From: Greg Kroah-Hartman
Date: Wed, 15 Nov 2017 18:01:42 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.82~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=baca74f6b024387c2f26710eb30c855853aaa76c;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
alsa-seq-cancel-pending-autoload-work-at-unbinding-device.patch
input-ims-psu-check-if-cdc-union-descriptor-is-sane.patch
mac80211-accept-key-reinstall-without-changing-anything.patch
mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-prevention.patch
mac80211-use-constant-time-comparison-with-keys.patch
series
usb-usbtest-fix-null-pointer-dereference.patch
---
diff --git a/queue-4.4/alsa-seq-cancel-pending-autoload-work-at-unbinding-device.patch b/queue-4.4/alsa-seq-cancel-pending-autoload-work-at-unbinding-device.patch
new file mode 100644
index 00000000000..aeb48e30218
--- /dev/null
+++ b/queue-4.4/alsa-seq-cancel-pending-autoload-work-at-unbinding-device.patch
@@ -0,0 +1,80 @@ +From fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 12 Sep 2017 12:41:20 +0200 +Subject: ALSA: seq: Cancel pending autoload work at unbinding device + +From: Takashi Iwai + +commit fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57 upstream. + +ALSA sequencer core has a mechanism to load the enumerated devices +automatically, and it's performed in an off-load work. This seems +causing some race when a sequencer is removed while the pending +autoload work is running. As syzkaller spotted, it may lead to some +use-after-free: + BUG: KASAN: use-after-free in snd_rawmidi_dev_seq_free+0x69/0x70 + sound/core/rawmidi.c:1617 + Write of size 8 at addr ffff88006c611d90 by task kworker/2:1/567 + + CPU: 2 PID: 567 Comm: kworker/2:1 Not tainted 4.13.0+ #29 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Workqueue: events autoload_drivers + Call Trace: + __dump_stack lib/dump_stack.c:16 [inline] + dump_stack+0x192/0x22c lib/dump_stack.c:52 + print_address_description+0x78/0x280 mm/kasan/report.c:252 + kasan_report_error mm/kasan/report.c:351 [inline] + kasan_report+0x230/0x340 mm/kasan/report.c:409 + __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435 + snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617 + snd_seq_dev_release+0x4f/0x70 sound/core/seq_device.c:192 + device_release+0x13f/0x210 drivers/base/core.c:814 + kobject_cleanup lib/kobject.c:648 [inline] + kobject_release lib/kobject.c:677 [inline] + kref_put include/linux/kref.h:70 [inline] + kobject_put+0x145/0x240 lib/kobject.c:694 + put_device+0x25/0x30 drivers/base/core.c:1799 + klist_devices_put+0x36/0x40 drivers/base/bus.c:827 + klist_next+0x264/0x4a0 lib/klist.c:403 + next_device drivers/base/bus.c:270 [inline] + bus_for_each_dev+0x17e/0x210 drivers/base/bus.c:312 + autoload_drivers+0x3b/0x50 sound/core/seq_device.c:117 + process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097 + worker_thread+0x1e4/0x1350 
kernel/workqueue.c:2231 + kthread+0x324/0x3f0 kernel/kthread.c:231 + ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425 + +The fix is simply to assure canceling the autoload work at removing +the device. + +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_device.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/core/seq/seq_device.c ++++ b/sound/core/seq/seq_device.c +@@ -148,8 +148,10 @@ void snd_seq_device_load_drivers(void) + flush_work(&autoload_work); + } + EXPORT_SYMBOL(snd_seq_device_load_drivers); ++#define cancel_autoload_drivers() cancel_work_sync(&autoload_work) + #else + #define queue_autoload_drivers() /* NOP */ ++#define cancel_autoload_drivers() /* NOP */ + #endif + + /* +@@ -159,6 +161,7 @@ static int snd_seq_device_dev_free(struc + { + struct snd_seq_device *dev = device->device_data; + ++ cancel_autoload_drivers(); + put_device(&dev->dev); + return 0; + } diff --git a/queue-4.4/input-ims-psu-check-if-cdc-union-descriptor-is-sane.patch b/queue-4.4/input-ims-psu-check-if-cdc-union-descriptor-is-sane.patch new file mode 100644 index 00000000000..c5941627d0e --- /dev/null +++ b/queue-4.4/input-ims-psu-check-if-cdc-union-descriptor-is-sane.patch 
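Review bot: The new `cancel_autoload_drivers();` in snd_seq_device_dev_free carries no comment on why it has to run before `put_device()`, and the reason lives only in the commit message (the KASAN trace shows the work's bus_for_each_dev() walk dropping the last reference to a device that is being freed). Suggest `/* The autoload work walks the bus and may still hold a reference to this device; make sure it has finished before the final put_device(). */` above the call. The two new `cancel_autoload_drivers()` definitions mirror the existing `queue_autoload_drivers()` pair, so whichever configuration takes the `#else` branch keeps building with the NOP variant.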
@@ -0,0 +1,52 @@ +From ea04efee7635c9120d015dcdeeeb6988130cb67a Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Sat, 7 Oct 2017 11:07:47 -0700 +Subject: Input: ims-psu - check if CDC union descriptor is sane + +From: Dmitry Torokhov + +commit ea04efee7635c9120d015dcdeeeb6988130cb67a upstream. + +Before trying to use CDC union descriptor, try to validate whether that it +is sane by checking that intf->altsetting->extra is big enough and that +descriptor bLength is not too big and not too small. + +Reported-by: Andrey Konovalov +Signed-off-by: Dmitry Torokhov +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/ims-pcu.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_in + return NULL; + } + +- while (buflen > 0) { ++ while (buflen >= sizeof(*union_desc)) { + union_desc = (struct usb_cdc_union_desc *)buf; + ++ if (union_desc->bLength > buflen) { ++ dev_err(&intf->dev, "Too large descriptor\n"); ++ return NULL; ++ } ++ + if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE && + union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) { + dev_dbg(&intf->dev, "Found union header\n"); +- return union_desc; ++ ++ if (union_desc->bLength >= sizeof(*union_desc)) ++ return union_desc; ++ ++ dev_err(&intf->dev, ++ "Union descriptor to short (%d vs %zd\n)", ++ union_desc->bLength, sizeof(*union_desc)); ++ return NULL; + } + + buflen -= union_desc->bLength; diff --git a/queue-4.4/mac80211-accept-key-reinstall-without-changing-anything.patch b/queue-4.4/mac80211-accept-key-reinstall-without-changing-anything.patch new file mode 100644 index 00000000000..cc48cfd3e22 --- /dev/null +++ b/queue-4.4/mac80211-accept-key-reinstall-without-changing-anything.patch 
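Review bot: A descriptor reporting `bLength == 0` passes the new `union_desc->bLength > buflen` check, and `buflen -= union_desc->bLength;` at the end of the hunk then makes no progress, so the walker would spin on such a descriptor; the USB core's config parser may already have dropped zero-length descriptors from `extra`, but this loop should not depend on that. Reject it together with the too-large case: `if (union_desc->bLength == 0 || union_desc->bLength > buflen) {`. Separately, the new dev_err string has a typo and places the newline inside the parentheses; `"Union descriptor too short (%d vs %zd)\n",` reads correctly. The loop body, including the `buf` advance, continues past the end of the hunk.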
@@ -0,0 +1,82 @@ +From fdf7cb4185b60c68e1a75e61691c4afdc15dea0e Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 5 Sep 2017 14:54:54 +0200 +Subject: mac80211: accept key reinstall without changing anything + +From: Johannes Berg + +commit fdf7cb4185b60c68e1a75e61691c4afdc15dea0e upstream. + +When a key is reinstalled we can reset the replay counters +etc. which can lead to nonce reuse and/or replay detection +being impossible, breaking security properties, as described +in the "KRACK attacks". + +In particular, CVE-2017-13080 applies to GTK rekeying that +happened in firmware while the host is in D3, with the second +part of the attack being done after the host wakes up. In +this case, the wpa_supplicant mitigation isn't sufficient +since wpa_supplicant doesn't know the GTK material. + +In case this happens, simply silently accept the new key +coming from userspace but don't take any action on it since +it's the same key; this keeps the PN replay counters intact. + +Signed-off-by: Johannes Berg +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/key.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -4,6 +4,7 @@ + * Copyright 2006-2007 Jiri Benc + * Copyright 2007-2008 Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH ++ * Copyright 2017 Intel Deutschland GmbH + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -617,9 +618,6 @@ int ieee80211_key_link(struct ieee80211_ + + pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; + idx = key->conf.keyidx; +- key->local = sdata->local; +- key->sdata = sdata; +- key->sta = sta; + + mutex_lock(&sdata->local->key_mtx); + +@@ -630,6 +628,21 @@ int ieee80211_key_link(struct ieee80211_ + else + old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); + ++ /* ++ * Silently accept key 
re-installation without really installing the ++ * new version of the key to avoid nonce reuse or replay issues. ++ */ ++ if (old_key && key->conf.keylen == old_key->conf.keylen && ++ !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) { ++ ieee80211_key_free_unused(key); ++ ret = 0; ++ goto out; ++ } ++ ++ key->local = sdata->local; ++ key->sdata = sdata; ++ key->sta = sta; ++ + increment_tailroom_need_count(sdata); + + ieee80211_key_replace(sdata, sta, pairwise, old_key, key); +@@ -645,6 +658,7 @@ int ieee80211_key_link(struct ieee80211_ + ret = 0; + } + ++ out: + mutex_unlock(&sdata->local->key_mtx); + + return ret; diff --git a/queue-4.4/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-prevention.patch b/queue-4.4/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-prevention.patch new file mode 100644 index 00000000000..8d03f59d7e7 --- /dev/null +++ b/queue-4.4/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-prevention.patch 
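Review bot: The new comment says the key is accepted "without really installing" it but not what counts as the same key; the visible condition compares only `keylen` and the key bytes against the entry already at the same `idx`, while the cipher suite and key flags are not compared, so a request with identical bytes under a different cipher (CCMP and GCMP both use 16-byte keys) would also be silently dropped. Presumably supplicants never do that, but stating it keeps the next reader from assuming a full comparison: `/* "Same" here means same keyidx, keylen and key bytes; cipher and flags are not compared. */`. The `key->local`/`key->sdata`/`key->sta` assignments are now deferred until after this check, apparently so the discarded key is never linked to the interface before ieee80211_key_free_unused(); if that reading is right, a one-line comment on the move would help. ieee80211_key_link starts before the hunk.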
@@ -0,0 +1,80 @@ +From cfbb0d90a7abb289edc91833d0905931f8805f12 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 24 Oct 2017 21:12:13 +0200 +Subject: mac80211: don't compare TKIP TX MIC key in reinstall prevention + +From: Johannes Berg + +commit cfbb0d90a7abb289edc91833d0905931f8805f12 upstream. + +For the reinstall prevention, the code I had added compares the +whole key. It turns out though that iwlwifi firmware doesn't +provide the TKIP TX MIC key as it's not needed in client mode, +and thus the comparison will always return false. + +For client mode, thus always zero out the TX MIC key part before +doing the comparison in order to avoid accepting the reinstall +of the key with identical encryption and RX MIC key, but not the +same TX MIC key (since the supplicant provides the real one.) + +Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") +Signed-off-by: Johannes Berg +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/key.c | 36 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 34 insertions(+), 2 deletions(-) + +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -608,6 +608,39 @@ void ieee80211_key_free_unused(struct ie + ieee80211_key_free_common(key); + } + ++static bool ieee80211_key_identical(struct ieee80211_sub_if_data *sdata, ++ struct ieee80211_key *old, ++ struct ieee80211_key *new) ++{ ++ u8 tkip_old[WLAN_KEY_LEN_TKIP], tkip_new[WLAN_KEY_LEN_TKIP]; ++ u8 *tk_old, *tk_new; ++ ++ if (!old || new->conf.keylen != old->conf.keylen) ++ return false; ++ ++ tk_old = old->conf.key; ++ tk_new = new->conf.key; ++ ++ /* ++ * In station mode, don't compare the TX MIC key, as it's never used ++ * and offloaded rekeying may not care to send it to the host. This ++ * is the case in iwlwifi, for example. 
++ */ ++ if (sdata->vif.type == NL80211_IFTYPE_STATION && ++ new->conf.cipher == WLAN_CIPHER_SUITE_TKIP && ++ new->conf.keylen == WLAN_KEY_LEN_TKIP && ++ !(new->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) { ++ memcpy(tkip_old, tk_old, WLAN_KEY_LEN_TKIP); ++ memcpy(tkip_new, tk_new, WLAN_KEY_LEN_TKIP); ++ memset(tkip_old + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); ++ memset(tkip_new + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); ++ tk_old = tkip_old; ++ tk_new = tkip_new; ++ } ++ ++ return !crypto_memneq(tk_old, tk_new, new->conf.keylen); ++} ++ + int ieee80211_key_link(struct ieee80211_key *key, + struct ieee80211_sub_if_data *sdata, + struct sta_info *sta) +@@ -633,8 +666,7 @@ int ieee80211_key_link(struct ieee80211_ + * Silently accept key re-installation without really installing the + * new version of the key to avoid nonce reuse or replay issues. + */ +- if (old_key && key->conf.keylen == old_key->conf.keylen && +- !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) { ++ if (ieee80211_key_identical(sdata, old_key, key)) { + ieee80211_key_free_unused(key); + ret = 0; + goto out; diff --git a/queue-4.4/mac80211-use-constant-time-comparison-with-keys.patch b/queue-4.4/mac80211-use-constant-time-comparison-with-keys.patch new file mode 100644 index 00000000000..62fe4eedfaf --- /dev/null +++ b/queue-4.4/mac80211-use-constant-time-comparison-with-keys.patch 
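Review bot: `tkip_old` and `tkip_new` hold copies of group-key material on the stack and are left in place when ieee80211_key_identical() returns; the function only needs them for the comparison, so they should be wiped before returning rather than leaving key bytes in dead stack memory. `tk_old` and `tk_new` can also be `const u8 *`, since nothing writes through them. Rewriting the tail as below keeps a single exit and clears both buffers with memzero_explicit(), which the kernel already provides.
```c
static bool ieee80211_key_identical(struct ieee80211_sub_if_data *sdata,
	/* … unchanged: remaining parameters … */
{
	u8 tkip_old[WLAN_KEY_LEN_TKIP], tkip_new[WLAN_KEY_LEN_TKIP];
	const u8 *tk_old, *tk_new;
	bool identical;

	/* … unchanged: length check and station-mode TKIP TX MIC masking … */

	identical = !crypto_memneq(tk_old, tk_new, new->conf.keylen);
	memzero_explicit(tkip_old, sizeof(tkip_old));
	memzero_explicit(tkip_new, sizeof(tkip_new));
	return identical;
}
```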
@@ -0,0 +1,40 @@ +From 2bdd713b92a9cade239d3c7d15205a09f556624d Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Tue, 17 Oct 2017 20:32:07 +0200 +Subject: mac80211: use constant time comparison with keys + +From: Jason A. Donenfeld + +commit 2bdd713b92a9cade239d3c7d15205a09f556624d upstream. + +Otherwise we risk leaking information via timing side channel. + +Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Johannes Berg +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include "ieee80211_i.h" + #include "driver-ops.h" +@@ -633,7 +634,7 @@ int ieee80211_key_link(struct ieee80211_ + * new version of the key to avoid nonce reuse or replay issues. + */ + if (old_key && key->conf.keylen == old_key->conf.keylen && +- !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) { ++ !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) { + ieee80211_key_free_unused(key); + ret = 0; + goto out; diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..e3bd503baee --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,6 @@ +mac80211-accept-key-reinstall-without-changing-anything.patch +mac80211-use-constant-time-comparison-with-keys.patch +mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-prevention.patch +usb-usbtest-fix-null-pointer-dereference.patch +input-ims-psu-check-if-cdc-union-descriptor-is-sane.patch +alsa-seq-cancel-pending-autoload-work-at-unbinding-device.patch diff --git a/queue-4.4/usb-usbtest-fix-null-pointer-dereference.patch b/queue-4.4/usb-usbtest-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..5d58267f44b --- /dev/null 
+++ b/queue-4.4/usb-usbtest-fix-null-pointer-dereference.patch @@ -0,0 +1,43 @@ +From 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 29 Sep 2017 10:54:24 -0400 +Subject: usb: usbtest: fix NULL pointer dereference + +From: Alan Stern + +commit 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 upstream. + +If the usbtest driver encounters a device with an IN bulk endpoint but +no OUT bulk endpoint, it will try to dereference a NULL pointer +(out->desc.bEndpointAddress). The problem can be solved by adding a +missing test. + +Signed-off-by: Alan Stern +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Felipe Balbi +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/usbtest.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/usb/misc/usbtest.c ++++ b/drivers/usb/misc/usbtest.c +@@ -185,12 +185,13 @@ found: + return tmp; + } + +- if (in) { ++ if (in) + dev->in_pipe = usb_rcvbulkpipe(udev, + in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); ++ if (out) + dev->out_pipe = usb_sndbulkpipe(udev, + out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); +- } ++ + if (iso_in) { + dev->iso_in = &iso_in->desc; + dev->in_iso_pipe = usb_rcvisocpipe(udev,
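Review bot: With the braces dropped, `if (in)` and `if (out)` now each guard a two-line statement without braces, which is the shape where a later one-line addition under the guard silently escapes it; in a NULL-check fix that is worth avoiding, and keeping `if (in) {` … `}` and `if (out) {` … `}` costs nothing. Note also that a device with only an OUT bulk endpoint now gets `dev->out_pipe` set where previously neither pipe was set; presumably intended, but it is a behaviour change beyond the NULL dereference the message describes and relies on the test paths treating an unset pipe as absent. The enclosing function starts before the hunk.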