From: Greg Kroah-Hartman
Date: Fri, 25 Feb 2022 12:00:04 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.9.304~61
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e785810b7012854b31eb5112ea265a7707cf7ac5;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches added patches: sr9700-sanity-check-for-packet-length.patch usb-zaurus-support-another-broken-zaurus.patch
---
diff --git a/queue-4.19/series b/queue-4.19/series
index e9215560e40..eac60153f28 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -2,3 +2,5 @@ cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch
 vhost-vsock-don-t-check-owner-in-vhost_vsock_stop-while-releasing.patch
 parisc-unaligned-fix-fldd-and-fstd-unaligned-handlers-on-32-bit-kernel.patch
 parisc-unaligned-fix-ldw-and-stw-unalignment-handlers.patch
+sr9700-sanity-check-for-packet-length.patch
+usb-zaurus-support-another-broken-zaurus.patch
diff --git a/queue-4.19/sr9700-sanity-check-for-packet-length.patch b/queue-4.19/sr9700-sanity-check-for-packet-length.patch
new file mode 100644
index 00000000000..a81b362b525
--- /dev/null
+++ b/queue-4.19/sr9700-sanity-check-for-packet-length.patch
@@ -0,0 +1,31 @@
+From e9da0b56fe27206b49f39805f7dcda8a89379062 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 17 Feb 2022 14:10:44 +0100
+Subject: sr9700: sanity check for packet length
+
+From: Oliver Neukum
+
+commit e9da0b56fe27206b49f39805f7dcda8a89379062 upstream.
+
+A malicious device can leak heap data to user space
+providing bogus frame lengths. Introduce a sanity check.
+
+Signed-off-by: Oliver Neukum
+Reviewed-by: Grant Grundler
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/sr9700.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/sr9700.c
++++ b/drivers/net/usb/sr9700.c
+@@ -410,7 +410,7 @@ static int sr9700_rx_fixup(struct usbnet
+ /* ignore the CRC length */
+ len = (skb->data[1] | (skb->data[2] << 8)) - 4;
+
+- if (len > ETH_FRAME_LEN)
++ if (len > ETH_FRAME_LEN || len > skb->len)
+ return 0;
+
+ /* the last packet of current skb */
diff --git a/queue-4.19/usb-zaurus-support-another-broken-zaurus.patch b/queue-4.19/usb-zaurus-support-another-broken-zaurus.patch
new file mode 100644
index 00000000000..fc5bedabcf5
--- /dev/null
+++ b/queue-4.19/usb-zaurus-support-another-broken-zaurus.patch
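Review bot: The added `len > skb->len` bound compares the payload length with the whole buffer, but the length is read from `skb->data[1]` and `skb->data[2]`, so the payload starts after at least three header bytes and a frame can still claim up to that many bytes (plus any trailing CRC) beyond the end of the received data. `len` is also the result of subtracting 4 from a device-supplied value; its declaration is outside the hunk, and if it is signed, a reported length below 4 is rejected only through the implicit conversion in the comparison with `skb->len`. I would make both explicit, for example `if (len < 0 || len > ETH_FRAME_LEN || len + 3 > skb->len)` (or the driver's own per-frame overhead constant in place of 3), with a comment that the length field is device-controlled. The rest of sr9700_rx_fixup, including the copy that uses `len`, is outside the hunk, so the exact overhead should be confirmed there.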
@@ -0,0 +1,79 @@
+From 6605cc67ca18b9d583eb96e18a20f5f4e726103c Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Mon, 14 Feb 2022 15:08:18 +0100
+Subject: USB: zaurus: support another broken Zaurus
+
+From: Oliver Neukum
+
+commit 6605cc67ca18b9d583eb96e18a20f5f4e726103c upstream.
+
+This SL-6000 says Direct Line, not Ethernet
+
+v2: added Reporter and Link
+
+Signed-off-by: Oliver Neukum
+Reported-by: Ross Maynard
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215361
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/cdc_ether.c | 12 ++++++++++++
+ drivers/net/usb/zaurus.c | 12 ++++++++++++
+ 2 files changed, 24 insertions(+)
+
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -584,6 +584,11 @@ static const struct usb_device_id produc
+ .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET, \
+ .bInterfaceProtocol = USB_CDC_PROTO_NONE
+
++#define ZAURUS_FAKE_INTERFACE \
++ .bInterfaceClass = USB_CLASS_COMM, \
++ .bInterfaceSubClass = USB_CDC_SUBCLASS_MDLM, \
++ .bInterfaceProtocol = USB_CDC_PROTO_NONE
++
+ /* SA-1100 based Sharp Zaurus ("collie"), or compatible;
+ * wire-incompatible with true CDC Ethernet implementations.
+ * (And, it seems, needlessly so...)
+@@ -639,6 +644,13 @@ static const struct usb_device_id produc
+ .driver_info = 0,
+ }, {
+ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO
++ | USB_DEVICE_ID_MATCH_DEVICE,
++ .idVendor = 0x04DD,
++ .idProduct = 0x9032, /* SL-6000 */
++ ZAURUS_FAKE_INTERFACE,
++ .driver_info = 0,
++}, {
++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO
+ | USB_DEVICE_ID_MATCH_DEVICE,
+ .idVendor = 0x04DD,
+ /* reported with some C860 units */
+--- a/drivers/net/usb/zaurus.c
++++ b/drivers/net/usb/zaurus.c
+@@ -268,6 +268,11 @@ static const struct usb_device_id produc
+ .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET, \
+ .bInterfaceProtocol = USB_CDC_PROTO_NONE
+
++#define ZAURUS_FAKE_INTERFACE \
++ .bInterfaceClass = USB_CLASS_COMM, \
++ .bInterfaceSubClass = USB_CDC_SUBCLASS_MDLM, \
++ .bInterfaceProtocol = USB_CDC_PROTO_NONE
++
+ /* SA-1100 based Sharp Zaurus ("collie"), or compatible. */
+ {
+ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO
+@@ -327,6 +332,13 @@ static const struct usb_device_id produc
+ .driver_info = ZAURUS_PXA_INFO,
+ }, {
+ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO
++ | USB_DEVICE_ID_MATCH_DEVICE,
++ .idVendor = 0x04DD,
++ .idProduct = 0x9032, /* SL-6000 */
++ ZAURUS_FAKE_INTERFACE,
++ .driver_info = (unsigned long)&bogus_mdlm_info,
++}, {
++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO
+ | USB_DEVICE_ID_MATCH_DEVICE,
+ .idVendor = 0x04DD,
+ /* reported with some C860 units */
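Review bot: `ZAURUS_FAKE_INTERFACE` is added without a comment in both cdc_ether.c and zaurus.c, and nothing at the new table entries says why an MDLM interface is matched for this device. I would put the commit message's reason next to the macro, e.g. `/* SL-6000 reports MDLM ("Direct Line") instead of CDC Ethernet */`, and note at the cdc_ether.c entry that `.driver_info = 0` is intentional (presumably so that driver leaves the device to zaurus, which binds it with `bogus_mdlm_info`). Both entries are limited by `USB_DEVICE_ID_MATCH_DEVICE` to vendor 0x04DD / product 0x9032, which keeps the relaxed interface match from applying to other devices; a short comment saying so would help keep it that way when more IDs are added. The device tables start and end outside the hunks shown.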