From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 20 Feb 2018 09:54:46 +0000 (+0100)
Subject: 4.15-stable patches
X-Git-Tag: v4.15.5~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d0af71aa5449029af84f07cd37c13f87f0e8a23b;p=thirdparty%2Fkernel%2Fstable-queue.git

4.15-stable patches

added patches:
	platform-x86-wmi-fix-off-by-one-write-in-wmi_dev_probe.patch
---

diff --git a/queue-4.15/platform-x86-wmi-fix-off-by-one-write-in-wmi_dev_probe.patch b/queue-4.15/platform-x86-wmi-fix-off-by-one-write-in-wmi_dev_probe.patch
new file mode 100644
index 00000000000..52ed0cf731c
--- /dev/null
+++ b/queue-4.15/platform-x86-wmi-fix-off-by-one-write-in-wmi_dev_probe.patch
@@ -0,0 +1,70 @@
+From 6e1d8ea90932f77843730ada0bfea63093b7212a Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Wed, 14 Feb 2018 14:55:24 +0300
+Subject: platform/x86: wmi: fix off-by-one write in wmi_dev_probe()
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit 6e1d8ea90932f77843730ada0bfea63093b7212a upstream.
+
+wmi_dev_probe() allocates one byte less than necessary, thus
+subsequent sprintf() call writes trailing zero past the end
+of the 'buf':
+
+    BUG: KASAN: slab-out-of-bounds in vsnprintf+0xda4/0x1240
+    Write of size 1 at addr ffff880423529caf by task kworker/1:1/32
+
+    Call Trace:
+     dump_stack+0xb3/0x14d
+     print_address_description+0xd7/0x380
+     kasan_report+0x166/0x2b0
+     vsnprintf+0xda4/0x1240
+     sprintf+0x9b/0xd0
+     wmi_dev_probe+0x1c3/0x400
+     driver_probe_device+0x5d1/0x990
+     bus_for_each_drv+0x109/0x190
+     __device_attach+0x217/0x360
+     bus_probe_device+0x1ad/0x260
+     deferred_probe_work_func+0x10f/0x5d0
+     process_one_work+0xa8b/0x1dc0
+     worker_thread+0x20d/0x17d0
+     kthread+0x311/0x3d0
+     ret_from_fork+0x3a/0x50
+
+    Allocated by task 32:
+     kasan_kmalloc+0xa0/0xd0
+     __kmalloc+0x14f/0x3e0
+     wmi_dev_probe+0x182/0x400
+     driver_probe_device+0x5d1/0x990
+     bus_for_each_drv+0x109/0x190
+     __device_attach+0x217/0x360
+     bus_probe_device+0x1ad/0x260
+     deferred_probe_work_func+0x10f/0x5d0
+     process_one_work+0xa8b/0x1dc0
+     worker_thread+0x20d/0x17d0
+     kthread+0x311/0x3d0
+     ret_from_fork+0x3a/0x50
+
+Increment allocation size to fix this.
+
+Fixes: 44b6b7661132 ("platform/x86: wmi: create userspace interface for drivers")
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/wmi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -933,7 +933,7 @@ static int wmi_dev_probe(struct device *
+ 			goto probe_failure;
+ 		}
+ 
+-		buf = kmalloc(strlen(wdriver->driver.name) + 4, GFP_KERNEL);
++		buf = kmalloc(strlen(wdriver->driver.name) + 5, GFP_KERNEL);
+ 		if (!buf) {
+ 			ret = -ENOMEM;
+ 			goto probe_string_failure;
diff --git a/queue-4.15/series b/queue-4.15/series
index 65486ea10a0..2ff031599b6 100644
--- a/queue-4.15/series
+++ b/queue-4.15/series
@@ -54,3 +54,4 @@ kvm-nvmx-set-the-cpu_based_use_msr_bitmaps-if-we-have-a-valid-l02-msr-bitmap.pat
 x86-speculation-clean-up-various-spectre-related-details.patch
 pm-runtime-update-links_count-also-if-config_srcu.patch
 pm-cpuidle-fix-cpuidle_poll_state_init-prototype.patch
+platform-x86-wmi-fix-off-by-one-write-in-wmi_dev_probe.patch