From: Greg Kroah-Hartman Date: Sun, 1 May 2016 22:59:15 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.14.68~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0b46c02c5d4c8bfacff76eadb388703b4ad1021;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: crypto-ccp-prevent-information-leakage-on-export.patch crypto-gcm-fix-rfc4543-decryption-crash.patch input-gtco-fix-crash-on-detecting-device-without-endpoints.patch nl80211-check-netlink-protocol-in-socket-release-notification.patch pinctrl-single-fix-pcs_parse_bits_in_pinctrl_entry-to-use-__ffs-than-ffs.patch
---
diff --git a/queue-3.14/crypto-ccp-prevent-information-leakage-on-export.patch b/queue-3.14/crypto-ccp-prevent-information-leakage-on-export.patch
new file mode 100644
index 00000000000..25dbc716974
--- /dev/null
+++ b/queue-3.14/crypto-ccp-prevent-information-leakage-on-export.patch
@@ -0,0 +1,48 @@
+From f709b45ec461b548c41a00044dba1f1b572783bf Mon Sep 17 00:00:00 2001
+From: Tom Lendacky
+Date: Wed, 13 Apr 2016 10:52:25 -0500
+Subject: crypto: ccp - Prevent information leakage on export
+
+From: Tom Lendacky
+
+commit f709b45ec461b548c41a00044dba1f1b572783bf upstream.
+
+Prevent information from leaking to userspace by doing a memset to 0 of
+the export state structure before setting the structure values and copying
+it. This prevents un-initialized padding areas from being copied into the
+export area.
+
+Reported-by: Ben Hutchings
+Signed-off-by: Tom Lendacky
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 3 +++
+ drivers/crypto/ccp/ccp-crypto-sha.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
+@@ -206,6 +206,9 @@ static int ccp_aes_cmac_export(struct ah
+ struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
+ struct ccp_aes_cmac_exp_ctx state;
+
++ /* Don't let anything leak to 'out' */
++ memset(&state, 0, sizeof(state));
++
+ state.null_msg = rctx->null_msg;
+ memcpy(state.iv, rctx->iv, sizeof(state.iv));
+ state.buf_count = rctx->buf_count;
+--- a/drivers/crypto/ccp/ccp-crypto-sha.c
++++ b/drivers/crypto/ccp/ccp-crypto-sha.c
+@@ -262,6 +262,9 @@ static int ccp_sha_export(struct ahash_r
+ struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
+ struct ccp_sha_exp_ctx state;
+
++ /* Don't let anything leak to 'out' */
++ memset(&state, 0, sizeof(state));
++
+ state.type = rctx->type;
+ state.msg_bits = rctx->msg_bits;
+ state.first = rctx->first;
diff --git a/queue-3.14/crypto-gcm-fix-rfc4543-decryption-crash.patch b/queue-3.14/crypto-gcm-fix-rfc4543-decryption-crash.patch
new file mode 100644
index 00000000000..2d0a1ab9794
--- /dev/null
+++ b/queue-3.14/crypto-gcm-fix-rfc4543-decryption-crash.patch
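Review bot: The new `memset(&state, 0, sizeof(state))` is the right tool here, but the one-line comment above it in both hunks does not say why a designated initializer would not do: an initializer does not reliably zero padding bytes, and `state` is later copied wholesale into `out` (that copy, like the rest of each export function, is below the hunk). I would make the comment carry that reasoning so nobody simplifies it away: `/* Zero everything, padding included, before the field-by-field fill: the whole struct is copied to 'out' below and must carry no stale stack bytes */`. If `ccp_sha_exp_ctx` also holds a fixed-size message buffer, as the `buf_count` field suggests, the memset is what keeps the bytes beyond `buf_count` from leaking as well — worth confirming against the struct definition, which the patch does not show.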
@@ -0,0 +1,41 @@
+From herbert@gondor.apana.org.au Sun May 1 15:39:20 2016
+From: Herbert Xu
+Date: Fri, 18 Mar 2016 22:42:40 +0800
+Subject: crypto: gcm - Fix rfc4543 decryption crash
+To: stable@vger.kernel.org, Linux Crypto Mailing List , Jussi Kivilinna , patrick.meyer@vasgard.com
+Message-ID: <20160318144240.GA20816@gondor.apana.org.au>
+Content-Disposition: inline
+
+From: Herbert Xu
+
+This bug has already bee fixed upstream since 4.2. However, it
+was fixed during the AEAD conversion so no fix was backported to
+the older kernels.
+
+When we do an RFC 4543 decryption, we will end up writing the
+ICV beyond the end of the dst buffer. This should lead to a
+crash but for some reason it was never noticed.
+
+This patch fixes it by only writing back the ICV for encryption.
+
+Fixes: d733ac90f9fe ("crypto: gcm - fix rfc4543 to handle async...")
+Reported-by: Patrick Meyer
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/gcm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -1173,6 +1173,9 @@ static struct aead_request *crypto_rfc45
+ aead_request_set_tfm(subreq, ctx->child);
+ aead_request_set_callback(subreq, req->base.flags, crypto_rfc4543_done,
+ req);
++ if (!enc)
++ aead_request_set_callback(subreq, req->base.flags,
++ req->base.complete, req->base.data);
+ aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
+ aead_request_set_assoc(subreq, assoc, assoclen);
+
diff --git a/queue-3.14/input-gtco-fix-crash-on-detecting-device-without-endpoints.patch b/queue-3.14/input-gtco-fix-crash-on-detecting-device-without-endpoints.patch
new file mode 100644
index 00000000000..13f0dd618fa
--- /dev/null
+++ b/queue-3.14/input-gtco-fix-crash-on-detecting-device-without-endpoints.patch
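Review bot: The decrypt path now installs crypto_rfc4543_done on the subrequest and immediately overwrites it two lines later, which leaves a dead store and hides the intent (skip the ICV write-back on decrypt, because the caller's `dst` has no room for the tag) behind a bare `if (!enc)`. I would fold the two calls into one if/else with a short comment, as below. crypto_rfc4543_crypt begins and ends outside the hunk, and the ICV write-back itself lives in crypto_rfc4543_done, which the patch does not show, so the overrun claim rests on the commit message. A one-line note in crypto_rfc4543_done that it must only ever run for encryption would protect the invariant this patch now depends on.
```c
	aead_request_set_tfm(subreq, ctx->child);
	/*
	 * Only encryption may write the ICV back into the caller's dst;
	 * on decryption that write would run past the end of dst (see the
	 * commit log), so complete the caller's request directly instead.
	 */
	if (enc)
		aead_request_set_callback(subreq, req->base.flags,
					  crypto_rfc4543_done, req);
	else
		aead_request_set_callback(subreq, req->base.flags,
					  req->base.complete, req->base.data);
	/* … unchanged: aead_request_set_crypt / aead_request_set_assoc … */
```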
@@ -0,0 +1,56 @@
+From 162f98dea487206d9ab79fc12ed64700667a894d Mon Sep 17 00:00:00 2001
+From: Vladis Dronov
+Date: Thu, 31 Mar 2016 10:53:42 -0700
+Subject: Input: gtco - fix crash on detecting device without endpoints
+
+From: Vladis Dronov
+
+commit 162f98dea487206d9ab79fc12ed64700667a894d upstream.
+
+The gtco driver expects at least one valid endpoint. If given malicious
+descriptors that specify 0 for the number of endpoints, it will crash in
+the probe function. Ensure there is at least one endpoint on the interface
+before using it.
+
+Also let's fix a minor coding style issue.
+
+The full correct report of this issue can be found in the public
+Red Hat Bugzilla:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1283385
+
+Reported-by: Ralf Spenneberg
+Signed-off-by: Vladis Dronov
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/tablet/gtco.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -868,6 +868,14 @@ static int gtco_probe(struct usb_interfa
+ goto err_free_buf;
+ }
+
++ /* Sanity check that a device has an endpoint */
++ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++ dev_err(&usbinterface->dev,
++ "Invalid number of endpoints\n");
++ error = -EINVAL;
++ goto err_free_urb;
++ }
++
+ /*
+ * The endpoint is always altsetting 0, we know this since we know
+ * this device only has one interrupt endpoint
+@@ -889,7 +897,7 @@ static int gtco_probe(struct usb_interfa
+ * HID report descriptor
+ */
+ if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
+- HID_DEVICE_TYPE, &hid_desc) != 0){
++ HID_DEVICE_TYPE, &hid_desc) != 0) {
+ dev_err(&usbinterface->dev,
+ "Can't retrieve exta USB descriptor to get hid report descriptor length\n");
+ error = -EIO;
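Review bot: The new guard only proves that `altsetting[0]` has some endpoint, not that `endpoint[0]` is the interrupt IN endpoint the driver's own comment two lines below says it relies on; a descriptor advertising a single bulk or OUT endpoint passes the check and still reaches the interrupt-URB setup further down (gtco_probe continues outside the hunk). A tighter check is `if (usbinterface->altsetting[0].desc.bNumEndpoints < 1 || !usb_endpoint_is_int_in(&usbinterface->altsetting[0].endpoint[0].desc))` with the same error path. Note also that this check reads `altsetting[0]` while the HID-descriptor lookup in the second hunk reads `cur_altsetting`; if those can differ, the two lookups validate different settings — worth confirming against the rest of probe. The `goto err_free_urb` target is not visible here, so I am assuming it unwinds everything allocated up to this point.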
diff --git a/queue-3.14/nl80211-check-netlink-protocol-in-socket-release-notification.patch b/queue-3.14/nl80211-check-netlink-protocol-in-socket-release-notification.patch
new file mode 100644
index 00000000000..da73eddf153
--- /dev/null
+++ b/queue-3.14/nl80211-check-netlink-protocol-in-socket-release-notification.patch
@@ -0,0 +1,42 @@
+From 8f815cdde3e550e10c2736990d791f60c2ce43eb Mon Sep 17 00:00:00 2001
+From: Dmitry Ivanov
+Date: Wed, 6 Apr 2016 17:23:18 +0300
+Subject: nl80211: check netlink protocol in socket release notification
+
+From: Dmitry Ivanov
+
+commit 8f815cdde3e550e10c2736990d791f60c2ce43eb upstream.
+
+A non-privileged user can create a netlink socket with the same port_id as
+used by an existing open nl80211 netlink socket (e.g. as used by a hostapd
+process) with a different protocol number.
+
+Closing this socket will then lead to the notification going to nl80211's
+socket release notification handler, and possibly cause an action such as
+removing a virtual interface.
+
+Fix this issue by checking that the netlink protocol is NETLINK_GENERIC.
+Since generic netlink has no notifier chain of its own, we can't fix the
+problem more generically.
+
+Fixes: 026331c4d9b5 ("cfg80211/mac80211: allow registering for and sending action frames")
+Signed-off-by: Dmitry Ivanov
+[rewrite commit message]
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -11522,7 +11522,7 @@ static int nl80211_netlink_notify(struct
+ struct wireless_dev *wdev;
+ struct cfg80211_beacon_registration *reg, *tmp;
+
+- if (state != NETLINK_URELEASE)
++ if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
+ return NOTIFY_DONE;
+
+ rcu_read_lock();
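Review bot: The added `notify->protocol != NETLINK_GENERIC` test is the entire fix yet carries no explanation, and the reason is non-obvious from the code alone (netlink port IDs are only unique within one protocol family, so an unprivileged socket of another family can legitimately hold the same port_id as an nl80211 user). I would record that above the condition: `/* Port IDs are per netlink protocol; a socket of another family may reuse ours, so only act on generic-netlink releases. */`. After this filter the handler still keys the per-wdev cleanup purely on `notify->portid` (the body of nl80211_netlink_notify continues outside the hunk); whether that lookup is also scoped to the releasing socket's network namespace is not visible here and is worth confirming.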
diff --git a/queue-3.14/pinctrl-single-fix-pcs_parse_bits_in_pinctrl_entry-to-use-__ffs-than-ffs.patch b/queue-3.14/pinctrl-single-fix-pcs_parse_bits_in_pinctrl_entry-to-use-__ffs-than-ffs.patch
new file mode 100644
index 00000000000..1bff443ce0f
--- /dev/null
+++ b/queue-3.14/pinctrl-single-fix-pcs_parse_bits_in_pinctrl_entry-to-use-__ffs-than-ffs.patch
@@ -0,0 +1,60 @@
+From 56b367c0cd67d4c3006738e7dc9dda9273fd2bfe Mon Sep 17 00:00:00 2001
+From: Keerthy
+Date: Thu, 14 Apr 2016 10:29:16 +0530
+Subject: pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs
+
+From: Keerthy
+
+commit 56b367c0cd67d4c3006738e7dc9dda9273fd2bfe upstream.
+
+pcs_parse_bits_in_pinctrl_entry uses ffs which gives bit indices
+ranging from 1 to MAX. This leads to a corner case where we try to request
+the pin number = MAX and fails.
+
+bit_pos value is being calculted using ffs. pin_num_from_lsb uses
+bit_pos value. pins array is populated with:
+
+pin + pin_num_from_lsb.
+
+The above is 1 more than usual bit indices as bit_pos uses ffs to compute
+first set bit. Hence the last of the pins array is populated with the MAX
+value and not MAX - 1 which causes error when we call pin_request.
+
+mask_pos is rightly calculated as ((pcs->fmask) << (bit_pos - 1))
+Consequently val_pos and submask are correct.
+
+Hence use __ffs which gives (ffs(x) - 1) as the first bit set.
+
+fixes: 4e7e8017a8 ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules")
+Signed-off-by: Keerthy
+Acked-by: Tony Lindgren
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pinctrl/pinctrl-single.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1313,9 +1313,9 @@ static int pcs_parse_bits_in_pinctrl_ent
+
+ /* Parse pins in each row from LSB */
+ while (mask) {
+- bit_pos = ffs(mask);
++ bit_pos = __ffs(mask);
+ pin_num_from_lsb = bit_pos / pcs->bits_per_pin;
+- mask_pos = ((pcs->fmask) << (bit_pos - 1));
++ mask_pos = ((pcs->fmask) << bit_pos);
+ val_pos = val & mask_pos;
+ submask = mask & mask_pos;
+
+@@ -1892,7 +1892,7 @@ static int pcs_probe(struct platform_dev
+ ret = of_property_read_u32(np, "pinctrl-single,function-mask",
+ &pcs->fmask);
+ if (!ret) {
+- pcs->fshift = ffs(pcs->fmask) - 1;
++ pcs->fshift = __ffs(pcs->fmask);
+ pcs->fmax = pcs->fmask >> pcs->fshift;
+ } else {
+ /* If mask property doesn't exist, function mux is invalid. */
diff --git a/queue-3.14/series b/queue-3.14/series
index 5eef2854461..0fcde362a73 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -6,3 +6,8 @@ lib-lz4-fixed-zram-with-lz4-on-big-endian-machines.patch
 x86-iopl-64-properly-context-switch-iopl-on-xen-pv.patch
 futex-acknowledge-a-new-waiter-in-counter-before-plist.patch
 drm-qxl-fix-cursor-position-with-non-zero-hotspot.patch
+crypto-ccp-prevent-information-leakage-on-export.patch
+crypto-gcm-fix-rfc4543-decryption-crash.patch
+nl80211-check-netlink-protocol-in-socket-release-notification.patch
+input-gtco-fix-crash-on-detecting-device-without-endpoints.patch
+pinctrl-single-fix-pcs_parse_bits_in_pinctrl_entry-to-use-__ffs-than-ffs.patch
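Review bot: `__ffs()` is undefined for a zero argument, so the pcs_probe hunk now feeds `__ffs(0)` into `pcs->fshift` whenever the device tree supplies `pinctrl-single,function-mask = <0>` (the old `ffs(0) - 1` yielded -1 and a negative shift, which was no better, but this is the moment to close it). The loop hunk is fine because `while (mask)` guarantees a non-zero operand. I would reject a zero mask explicitly before computing the shift, e.g. `if (!ret && !pcs->fmask) { dev_err(pcs->dev, "function-mask must be non-zero\n"); return -EINVAL; }`, adapted to pcs_probe's actual error-path convention, which together with the rest of both functions lies outside the hunk. A one-line comment such as `/* mask != 0 here, guaranteed by the loop condition */` above `bit_pos = __ffs(mask);` would record why the loop does not need the same guard.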