From: Greg Kroah-Hartman
Date: Thu, 11 Oct 2018 15:08:07 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.124~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f38da5c882986d8d4a9b06b9faa8b833bc539f39;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches
added patches:
ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch
ebtables-arpreply-add-the-standard-target-sanity-check.patch
---
diff --git a/queue-4.4/ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch b/queue-4.4/ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch
new file mode 100644
index 00000000000..770a3227468
--- /dev/null
+++ b/queue-4.4/ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch
@@ -0,0 +1,61 @@
+From c8291988806407e02a01b4b15b4504eafbcc04e0 Mon Sep 17 00:00:00 2001
+From: Zhi Chen
+Date: Mon, 18 Jun 2018 17:00:39 +0300
+Subject: ath10k: fix scan crash due to incorrect length calculation
+
+From: Zhi Chen
+
+commit c8291988806407e02a01b4b15b4504eafbcc04e0 upstream.
+
+Length of WMI scan message was not calculated correctly. The allocated
+buffer was smaller than what we expected. So WMI message corrupted
+skb_info, which is at the end of skb->data. This fix takes TLV header
+into account even if the element is zero-length.
+
+Crash log:
+ [49.629986] Unhandled kernel unaligned access[#1]:
+ [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
+ [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
+ [49.646608] $ 0 : 00000000 00000001 80984a80 00000000
+ [49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70
+ [49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320
+ [49.662898] $12 : 33322037 000110f2 00000000 31203930
+ [49.668327] $16 : 82792b40 80984a80 00000001 804207fc
+ [49.673757] $20 : 00000000 0000012c 00000040 80470000
+ [49.679186] $24 : 00000000 8024af7c
+ [49.684617] $28 : 8329c000 8329db88 00000001 802c58d0
+ [49.690046] Hi : 00000000
+ [49.693022] Lo : 453c0000
+ [49.696013] epc : 800efae4 put_page+0x0/0x58
+ [49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4
+ [49.706184] Status: 1000fc03 KERNEL EXL IE
+ [49.710531] Cause : 00800010 (ExcCode 04)
+ [49.714669] BadVA : 45259e89
+ [49.717644] PrId : 00019374 (MIPS 24Kc)
+
+Signed-off-by: Zhi Chen
+Signed-off-by: Kalle Valo
+Cc: Brian Norris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -1459,10 +1459,10 @@ ath10k_wmi_tlv_op_gen_start_scan(struct
+ bssid_len = arg->n_bssids * sizeof(struct wmi_mac_addr);
+ ie_len = roundup(arg->ie_len, 4);
+ len = (sizeof(*tlv) + sizeof(*cmd)) +
+- (arg->n_channels ? sizeof(*tlv) + chan_len : 0) +
+- (arg->n_ssids ? sizeof(*tlv) + ssid_len : 0) +
+- (arg->n_bssids ? sizeof(*tlv) + bssid_len : 0) +
+- (arg->ie_len ? sizeof(*tlv) + ie_len : 0);
++ sizeof(*tlv) + chan_len +
++ sizeof(*tlv) + ssid_len +
++ sizeof(*tlv) + bssid_len +
++ sizeof(*tlv) + ie_len;
+
+ skb = ath10k_wmi_alloc_skb(ar, len);
+ if (!skb)
diff --git a/queue-4.4/ebtables-arpreply-add-the-standard-target-sanity-check.patch b/queue-4.4/ebtables-arpreply-add-the-standard-target-sanity-check.patch
new file mode 100644
index 00000000000..3c5265a5249
--- /dev/null
+++ b/queue-4.4/ebtables-arpreply-add-the-standard-target-sanity-check.patch
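Review bot: Nothing in the new `len` expression records why the four `sizeof(*tlv)` terms are now unconditional, and the allocation size has to stay in step with the code that fills the buffer further down in ath10k_wmi_tlv_op_gen_start_scan, which lies outside this hunk. Going by the commit message, a mismatch between the two let the WMI message overrun into the skb metadata at the end of skb->data, so the invariant deserves a comment above the assignment, for example `/* every array TLV header is emitted, even for an empty array */`. For this 4.4 backport it is also worth confirming that the 4.4 fill code writes all four headers unconditionally, since that code is not visible here.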
@@ -0,0 +1,55 @@
+From c953d63548207a085abcb12a15fefc8a11ffdf0a Mon Sep 17 00:00:00 2001
+From: Gao Feng
+Date: Tue, 16 May 2017 09:30:18 +0800
+Subject: ebtables: arpreply: Add the standard target sanity check
+
+From: Gao Feng
+
+commit c953d63548207a085abcb12a15fefc8a11ffdf0a upstream.
+
+The info->target comes from userspace and it would be used directly.
+So we need to add the sanity check to make sure it is a valid standard
+target, although the ebtables tool has already checked it. Kernel needs
+to validate anything coming from userspace.
+
+If the target is set as an evil value, it would break the ebtables
+and cause a panic. Because the non-standard target is treated as one
+offset.
+
+Now add one helper function ebt_invalid_target, and we would replace
+the macro INVALID_TARGET later.
+
+Signed-off-by: Gao Feng
+Signed-off-by: Pablo Neira Ayuso
+Cc: Loic
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/netfilter_bridge/ebtables.h | 5 +++++
+ net/bridge/netfilter/ebt_arpreply.c | 3 +++
+ 2 files changed, 8 insertions(+)
+
+--- a/include/linux/netfilter_bridge/ebtables.h
++++ b/include/linux/netfilter_bridge/ebtables.h
+@@ -125,4 +125,9 @@ extern unsigned int ebt_do_table(struct
+ /* True if the target is not a standard target */
+ #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
+
++static inline bool ebt_invalid_target(int target)
++{
++ return (target < -NUM_STANDARD_TARGETS || target >= 0);
++}
++
+ #endif
+--- a/net/bridge/netfilter/ebt_arpreply.c
++++ b/net/bridge/netfilter/ebt_arpreply.c
+@@ -67,6 +67,9 @@ static int ebt_arpreply_tg_check(const s
+ if (e->ethproto != htons(ETH_P_ARP) ||
+ e->invflags & EBT_IPROTO)
+ return -EINVAL;
++ if (ebt_invalid_target(info->target))
++ return -EINVAL;
++
+ return 0;
+ }
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 20189986b39..03882e9b33e 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
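Review bot: The range test for a standard target now exists twice in ebtables.h, in the INVALID_TARGET macro and in the new ebt_invalid_target(), so a later change can update one and miss the other. Until the macro is removed as the commit message promises, it could expand to the helper, `#define INVALID_TARGET ebt_invalid_target(info->target)`, which keeps a single definition. The helper also has no comment of its own; `/* True if target is outside the standard range -NUM_STANDARD_TARGETS..-1 */` would state the accepted range for a value the commit message says comes from userspace. In ebt_arpreply.c the new check sits in ebt_arpreply_tg_check, whose start is outside the hunk.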
@@ -23,3 +23,5 @@ tcp-fix-a-stale-ooo_last_skb-after-a-replace.patch
 tcp-free-batches-of-packets-in-tcp_prune_ofo_queue.patch
 tcp-call-tcp_drop-from-tcp_data_queue_ofo.patch
 tcp-add-tcp_ooo_try_coalesce-helper.patch
+ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch
+ebtables-arpreply-add-the-standard-target-sanity-check.patch