From: Greg Kroah-Hartman Date: Thu, 13 Jan 2022 18:52:52 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v5.16.1~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb1591b9a66092cc71804363d39c71324714f954;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch
---
diff --git a/queue-4.4/can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch b/queue-4.4/can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch
new file mode 100644
index 00000000000..7c4cb9ff1f4
--- /dev/null
+++ b/queue-4.4/can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch
@@ -0,0 +1,51 @@
+From 4a8737ff068724f509d583fef404d349adba80d6 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Fri, 10 Dec 2021 10:03:09 +0100
+Subject: can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
+
+From: Marc Kleine-Budde
+
+commit 4a8737ff068724f509d583fef404d349adba80d6 upstream.
+
+The received data contains the channel the received data is associated
+with. If the channel number is bigger than the actual number of
+channels assume broken or malicious USB device and shut it down.
+
+This fixes the error found by clang:
+
+| drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used
+| uninitialized whenever 'if' condition is true
+| if (hf->channel >= GS_MAX_INTF)
+| ^~~~~~~~~~~~~~~~~~~~~~~~~~
+| drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here
+| hf, dev->gs_hf_size, gs_usb_receive_bulk_callback,
+| ^~~
+
+Link: https://lore.kernel.org/all/20211210091158.408326-1-mkl@pengutronix.de
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/usb/gs_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -303,7 +303,7 @@ static void gs_usb_receive_bulk_callback
+
+ /* device reports out of range channel id */
+ if (hf->channel >= GS_MAX_INTF)
+- goto resubmit_urb;
++ goto device_detach;
+
+ dev = usbcan->canch[hf->channel];
+
+@@ -388,6 +388,7 @@ static void gs_usb_receive_bulk_callback
+
+ /* USB failure take down all interfaces */
+ if (rc == -ENODEV) {
++ device_detach:
+ for (rc = 0; rc < GS_MAX_INTF; rc++) {
+ if (usbcan->canch[rc])
+ netif_device_detach(usbcan->canch[rc]->netdev);
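Review bot: The bounds check in the first inner hunk of the queued gs_usb patch, `if (hf->channel >= GS_MAX_INTF)`, compares the device-supplied channel with the compile-time maximum, whereas the commit message speaks of the actual number of channels. The detach loop in the second inner hunk tests `if (usbcan->canch[rc])`, which suggests that slots below GS_MAX_INTF can be NULL, so `dev = usbcan->canch[hf->channel];` may still yield a NULL pointer for an in-range but unpopulated channel. Consider `if (hf->channel >= GS_MAX_INTF || !usbcan->canch[hf->channel])` ahead of the `goto device_detach;`. How `dev` is used afterwards, and the rest of gs_usb_receive_bulk_callback, lie outside the hunk, so this should be confirmed against the full function.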
diff --git a/queue-4.4/can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch b/queue-4.4/can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch
new file mode 100644
index 00000000000..a19a6238e2c
--- /dev/null
+++ b/queue-4.4/can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch
@@ -0,0 +1,39 @@
+From 89d58aebe14a365c25ba6645414afdbf4e41cea4 Mon Sep 17 00:00:00 2001
+From: Brian Silverman
+Date: Wed, 5 Jan 2022 16:29:50 -0800
+Subject: can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved}
+
+From: Brian Silverman
+
+commit 89d58aebe14a365c25ba6645414afdbf4e41cea4 upstream.
+
+No information is deliberately sent in hf->flags in host -> device
+communications, but the open-source candleLight firmware echoes it
+back, which can result in the GS_CAN_FLAG_OVERFLOW flag being set and
+generating spurious ERRORFRAMEs.
+
+While there also initialize the reserved member with 0.
+
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Link: https://lore.kernel.org/all/20220106002952.25883-1-brian.silverman@bluerivertech.com
+Link: https://github.com/candle-usb/candleLight_fw/issues/87
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Silverman
+[mkl: initialize the reserved member, too]
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/usb/gs_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -491,6 +491,8 @@ static netdev_tx_t gs_can_start_xmit(str
+
+ hf->echo_id = idx;
+ hf->channel = dev->channel;
++ hf->flags = 0;
++ hf->reserved = 0;
+
+ cf = (struct can_frame *)skb->data;
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 7b95fc8208f..1050f991fba 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
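Review bot: In the queued gs_can_start_xmit patch, `hf->flags = 0;` and `hf->reserved = 0;` clear two members one at a time, so any other member or trailing bytes of the host frame that the function does not assign would still be sent to the device with whatever the buffer previously held. The allocation of `hf` and the remaining assignments lie outside the hunk; if the buffer is not zeroed when it is obtained, a single `memset(hf, 0, sizeof(*hf));` before `hf->echo_id = idx;` would cover every field at once. A short comment above the two new lines, such as `/* firmware may echo flags back to the host; never send stale data */`, would record why they are there.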
@@ -2,3 +2,5 @@ bluetooth-bfusb-fix-division-by-zero-in-send-path.patch
 usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch
 usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch
 mfd-intel-lpss-fix-too-early-pm-enablement-in-the-acpi-probe.patch
+can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch
+can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch