From: Greg Kroah-Hartman Date: Tue, 23 May 2017 13:40:00 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.55~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e7a6a0e8f3b1881dbb1414464d7e1bfeeb4b8204;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: cx231xx-audio-fix-null-deref-at-probe.patch cx231xx-cards-fix-null-deref-at-probe.patch dib0700-fix-null-deref-at-probe.patch gspca-konica-add-missing-endpoint-sanity-check.patch iio-proximity-as3935-fix-as3935_write.patch ipx-call-ipxitf_put-in-ioctl-error-path.patch s5p-mfc-fix-unbalanced-call-to-clock-management.patch zr364xx-enforce-minimum-size-when-reading-header.patch --- diff --git a/queue-3.18/cx231xx-audio-fix-null-deref-at-probe.patch b/queue-3.18/cx231xx-audio-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..a20116b63b0 --- /dev/null +++ b/queue-3.18/cx231xx-audio-fix-null-deref-at-probe.patch @@ -0,0 +1,56 @@ +From 65f921647f4c89a2068478c89691f39b309b58f7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:58 -0300 +Subject: [media] cx231xx-audio: fix NULL-deref at probe + +From: Johan Hovold + +commit 65f921647f4c89a2068478c89691f39b309b58f7 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") + +Cc: Sri Deevi +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/cx231xx/cx231xx-audio.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/cx231xx/cx231xx-audio.c ++++ b/drivers/media/usb/cx231xx/cx231xx-audio.c +@@ -702,6 +702,11 @@ static int cx231xx_audio_init(struct cx2 + hs_config_info[0].interface_info. + audio_index + 1]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) { ++ snd_card_free(card); ++ return -ENODEV; ++ } ++ + adev->end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe].desc. + bEndpointAddress; +@@ -717,8 +722,14 @@ static int cx231xx_audio_init(struct cx2 + } + + for (i = 0; i < adev->num_alt; i++) { +- u16 tmp = +- le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc. ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) { ++ snd_card_free(card); ++ return -ENODEV; ++ } ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc. + wMaxPacketSize); + adev->alt_max_pkt_size[i] = + (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); diff --git a/queue-3.18/cx231xx-cards-fix-null-deref-at-probe.patch b/queue-3.18/cx231xx-cards-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..b3b71679882 --- /dev/null +++ b/queue-3.18/cx231xx-cards-fix-null-deref-at-probe.patch @@ -0,0 +1,128 @@ +From 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:56 -0300 +Subject: [media] cx231xx-cards: fix NULL-deref at probe + +From: Johan Hovold + +commit 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") + +Cc: Sri Deevi +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/cx231xx/cx231xx-cards.c | 45 ++++++++++++++++++++++++++---- + 1 file changed, 40 insertions(+), 5 deletions(-) + +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -1291,6 +1291,9 @@ static int cx231xx_init_v4l2(struct cx23 + + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ + dev->video_mode.end_point_addr = uif->altsetting[0].endpoint[isoc_pipe].desc.bEndpointAddress; + dev->video_mode.num_alt = uif->num_altsetting; + +@@ -1305,7 +1308,12 @@ static int cx231xx_init_v4l2(struct cx23 + } + + for (i = 0; i < dev->video_mode.num_alt; i++) { +- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize); ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize); + dev->video_mode.alt_max_pkt_size[i] = (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); + cx231xx_info("Alternate setting %i, max size= %i\n", i, + dev->video_mode.alt_max_pkt_size[i]); +@@ -1320,6 +1328,9 @@ static int cx231xx_init_v4l2(struct cx23 + } + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ + dev->vbi_mode.end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe].desc. + bEndpointAddress; +@@ -1337,8 +1348,12 @@ static int cx231xx_init_v4l2(struct cx23 + } + + for (i = 0; i < dev->vbi_mode.num_alt; i++) { +- u16 tmp = +- le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. + desc.wMaxPacketSize); + dev->vbi_mode.alt_max_pkt_size[i] = + (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); +@@ -1356,6 +1371,9 @@ static int cx231xx_init_v4l2(struct cx23 + } + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ + dev->sliced_cc_mode.end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe].desc. + bEndpointAddress; +@@ -1372,7 +1390,12 @@ static int cx231xx_init_v4l2(struct cx23 + } + + for (i = 0; i < dev->sliced_cc_mode.num_alt; i++) { +- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. + desc.wMaxPacketSize); + dev->sliced_cc_mode.alt_max_pkt_size[i] = + (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); +@@ -1526,6 +1549,11 @@ static int cx231xx_usb_probe(struct usb_ + } + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) { ++ retval = -ENODEV; ++ goto err_video_alt; ++ } ++ + dev->ts1_mode.end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe]. + desc.bEndpointAddress; +@@ -1543,7 +1571,14 @@ static int cx231xx_usb_probe(struct usb_ + } + + for (i = 0; i < dev->ts1_mode.num_alt; i++) { +- u16 tmp = le16_to_cpu(uif->altsetting[i]. ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) { ++ retval = -ENODEV; ++ goto err_video_alt; ++ } ++ ++ tmp = le16_to_cpu(uif->altsetting[i]. + endpoint[isoc_pipe].desc. + wMaxPacketSize); + dev->ts1_mode.alt_max_pkt_size[i] = diff --git a/queue-3.18/dib0700-fix-null-deref-at-probe.patch b/queue-3.18/dib0700-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..d6d478e5e83 --- /dev/null +++ b/queue-3.18/dib0700-fix-null-deref-at-probe.patch @@ -0,0 +1,37 @@ +From d5823511c0f8719a39e72ede1bce65411ac653b7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:54 -0300 +Subject: [media] dib0700: fix NULL-deref at probe + +From: Johan Hovold + +commit d5823511c0f8719a39e72ede1bce65411ac653b7 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge +Nova-TD") + +Cc: Mauro Carvalho Chehab +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/dib0700_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/dvb-usb/dib0700_core.c ++++ b/drivers/media/usb/dvb-usb/dib0700_core.c +@@ -786,6 +786,9 @@ int dib0700_rc_setup(struct dvb_usb_devi + + /* Starting in firmware 1.20, the RC info is provided on a bulk pipe */ + ++ if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1) ++ return -ENODEV; ++ + purb = usb_alloc_urb(0, GFP_KERNEL); + if (purb == NULL) { + err("rc usb alloc urb failed"); diff --git a/queue-3.18/gspca-konica-add-missing-endpoint-sanity-check.patch b/queue-3.18/gspca-konica-add-missing-endpoint-sanity-check.patch new file mode 100644 index 00000000000..a418c2bfb1b --- /dev/null +++ b/queue-3.18/gspca-konica-add-missing-endpoint-sanity-check.patch @@ -0,0 +1,41 @@ +From aa58fedb8c7b6cf2f05941d238495f9e2f29655c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:59 -0300 +Subject: [media] gspca: konica: add missing endpoint sanity check + +From: Johan Hovold + +commit aa58fedb8c7b6cf2f05941d238495f9e2f29655c upstream. + +Make sure to check the number of endpoints to avoid accessing memory +beyond the endpoint array should a device lack the expected endpoints. + +Note that, as far as I can tell, the gspca framework has already made +sure there is at least one endpoint in the current alternate setting so +there should be no risk for a NULL-pointer dereference here. + +Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for +konica chipset using cams") + +Cc: Hans de Goede +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/gspca/konica.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/gspca/konica.c ++++ b/drivers/media/usb/gspca/konica.c +@@ -188,6 +188,9 @@ static int sd_start(struct gspca_dev *gs + return -EIO; + } + ++ if (alt->desc.bNumEndpoints < 2) ++ return -ENODEV; ++ + packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); + + n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv; diff --git a/queue-3.18/iio-proximity-as3935-fix-as3935_write.patch b/queue-3.18/iio-proximity-as3935-fix-as3935_write.patch new file mode 100644 index 00000000000..926530c0132 --- /dev/null +++ b/queue-3.18/iio-proximity-as3935-fix-as3935_write.patch @@ -0,0 +1,40 @@ +From 84ca8e364acb26aba3292bc113ca8ed4335380fd Mon Sep 17 00:00:00 2001 +From: Matt Ranostay +Date: Thu, 13 Apr 2017 23:21:56 -0700 +Subject: iio: proximity: as3935: fix as3935_write + +From: Matt Ranostay + +commit 84ca8e364acb26aba3292bc113ca8ed4335380fd upstream. + +AS3935_WRITE_DATA macro bit is incorrect and the actual write +sequence is two leading zeros. + +Cc: George McCollister +Signed-off-by: Matt Ranostay +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/proximity/as3935.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iio/proximity/as3935.c ++++ b/drivers/iio/proximity/as3935.c +@@ -50,7 +50,6 @@ + #define AS3935_TUNE_CAP 0x08 + #define AS3935_CALIBRATE 0x3D + +-#define AS3935_WRITE_DATA BIT(15) + #define AS3935_READ_DATA BIT(14) + #define AS3935_ADDRESS(x) ((x) << 8) + +@@ -103,7 +102,7 @@ static int as3935_write(struct as3935_st + { + u8 *buf = st->buf; + +- buf[0] = (AS3935_WRITE_DATA | AS3935_ADDRESS(reg)) >> 8; ++ buf[0] = AS3935_ADDRESS(reg) >> 8; + buf[1] = val; + + return spi_write(st->spi, buf, 2); diff --git a/queue-3.18/ipx-call-ipxitf_put-in-ioctl-error-path.patch b/queue-3.18/ipx-call-ipxitf_put-in-ioctl-error-path.patch new file mode 100644 index 00000000000..d61f880100c --- /dev/null +++ b/queue-3.18/ipx-call-ipxitf_put-in-ioctl-error-path.patch @@ -0,0 +1,39 @@ +From ee0d8d8482345ff97a75a7d747efc309f13b0d80 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 2 May 2017 13:58:53 +0300 +Subject: ipx: call ipxitf_put() in ioctl error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +commit ee0d8d8482345ff97a75a7d747efc309f13b0d80 upstream. + +We should call ipxitf_put() if the copy_to_user() fails. + +Reported-by: 李强 +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipx/af_ipx.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/ipx/af_ipx.c ++++ b/net/ipx/af_ipx.c +@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd + sipx->sipx_network = ipxif->if_netnum; + memcpy(sipx->sipx_node, ipxif->if_node, + sizeof(sipx->sipx_node)); +- rc = -EFAULT; ++ rc = 0; + if (copy_to_user(arg, &ifr, sizeof(ifr))) +- break; ++ rc = -EFAULT; + ipxitf_put(ipxif); +- rc = 0; + break; + } + case SIOCAIPXITFCRT: diff --git a/queue-3.18/s5p-mfc-fix-unbalanced-call-to-clock-management.patch b/queue-3.18/s5p-mfc-fix-unbalanced-call-to-clock-management.patch new file mode 100644 index 00000000000..4d6753dc11d --- /dev/null +++ b/queue-3.18/s5p-mfc-fix-unbalanced-call-to-clock-management.patch @@ -0,0 +1,34 @@ +From a5cb00eb4223458250b55daf03ac7ea5f424d601 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Wed, 22 Mar 2017 04:53:57 -0300 +Subject: [media] s5p-mfc: Fix unbalanced call to clock management + +From: Marek Szyprowski + +commit a5cb00eb4223458250b55daf03ac7ea5f424d601 upstream. + +Clock should be turned off after calling s5p_mfc_init_hw() from the +watchdog worker, like it is already done in the s5p_mfc_open() which also +calls this function. + +Fixes: af93574678108 ("[media] MFC: Add MFC 5.1 V4L2 driver") + +Signed-off-by: Marek Szyprowski +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/s5p-mfc/s5p_mfc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -169,6 +169,7 @@ static void s5p_mfc_watchdog_worker(stru + } + s5p_mfc_clock_on(); + ret = s5p_mfc_init_hw(dev); ++ s5p_mfc_clock_off(); + if (ret) + mfc_err("Failed to reinit FW\n"); + } diff --git a/queue-3.18/series b/queue-3.18/series index 85c74f47dd9..a98c23ddd4c 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -32,3 +32,11 @@ usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch usb-hub-fix-ss-hub-descriptor-handling.patch usb-hub-fix-non-ss-hub-descriptor-handling.patch tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch +ipx-call-ipxitf_put-in-ioctl-error-path.patch +iio-proximity-as3935-fix-as3935_write.patch +gspca-konica-add-missing-endpoint-sanity-check.patch +s5p-mfc-fix-unbalanced-call-to-clock-management.patch +dib0700-fix-null-deref-at-probe.patch +zr364xx-enforce-minimum-size-when-reading-header.patch +cx231xx-cards-fix-null-deref-at-probe.patch +cx231xx-audio-fix-null-deref-at-probe.patch diff --git a/queue-3.18/zr364xx-enforce-minimum-size-when-reading-header.patch b/queue-3.18/zr364xx-enforce-minimum-size-when-reading-header.patch new file mode 100644 index 00000000000..28c8125e14b --- /dev/null +++ b/queue-3.18/zr364xx-enforce-minimum-size-when-reading-header.patch @@ -0,0 +1,37 @@ +From ee0fe833d96793853335844b6d99fb76bd12cbeb Mon Sep 17 00:00:00 2001 +From: Alyssa Milburn +Date: Sat, 1 Apr 2017 14:34:08 -0300 +Subject: [media] zr364xx: enforce minimum size when reading header + +From: Alyssa Milburn + +commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream. + +This code copies actual_length-128 bytes from the header, which will +underflow if the received buffer is too small. + +Signed-off-by: Alyssa Milburn +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/zr364xx/zr364xx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/media/usb/zr364xx/zr364xx.c ++++ b/drivers/media/usb/zr364xx/zr364xx.c +@@ -605,6 +605,14 @@ static int zr364xx_read_video_callback(s + ptr = pdest = frm->lpvbits; + + if (frm->ulState == ZR364XX_READ_IDLE) { ++ if (purb->actual_length < 128) { ++ /* header incomplete */ ++ dev_info(&cam->udev->dev, ++ "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n", ++ __func__, purb->actual_length); ++ return -EINVAL; ++ } ++ + frm->ulState = ZR364XX_READ_FRAME; + frm->cur_size = 0; +