From 28bf458da3667de7f97e6259cde467f4cf5f0baa Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 14 Mar 2021 14:02:06 +0100 Subject: [PATCH] 4.14-stable patches added patches: staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch staging-rtl8712-unterminated-string-leads-to-read-overflow.patch --- queue-4.14/series | 16 +++++ ...32-fix-endian-problem-for-cos-sample.patch | 45 ++++++++++++ ...ix-endian-problem-for-command-sample.patch | 60 ++++++++++++++++ ...x-endian-problem-for-ai-command-data.patch | 72 +++++++++++++++++++ ...x-endian-problem-for-ai-command-data.patch | 36 ++++++++++ ...x-endian-problem-for-ai-command-data.patch | 36 ++++++++++ ...x-endian-problem-for-ai-command-data.patch | 41 +++++++++++ ...x-endian-problem-for-ai-command-data.patch | 36 ++++++++++ ...x-endian-problem-for-ai-command-data.patch | 36 ++++++++++ ...x-endian-problem-for-ai-command-data.patch | 41 +++++++++++ ...-buffer-overflow-in-ks_wlan_set_scan.patch | 43 +++++++++++ ...-corruption-in-rtw_check_beacon_data.patch | 57 +++++++++++++++ 
...ent-ssid-overflow-in-rtw_wx_set_scan.patch | 37 ++++++++++ ...ffer-overflow-in-_rtl92e_wx_set_scan.patch | 38 ++++++++++ ...x-ssid-overflow-in-r8192_wx_set_scan.patch | 36 ++++++++++ ...fer-overflow-in-r8712_sitesurvey_cmd.patch | 36 ++++++++++ ...inated-string-leads-to-read-overflow.patch | 33 +++++++++ 17 files changed, 699 insertions(+) create mode 100644 queue-4.14/staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch create mode 100644 queue-4.14/staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch create mode 100644 queue-4.14/staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch create mode 100644 queue-4.14/staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch create mode 100644 queue-4.14/staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch create mode 100644 queue-4.14/staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch create mode 100644 queue-4.14/staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch create mode 100644 queue-4.14/staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch create mode 100644 queue-4.14/staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch create mode 100644 queue-4.14/staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch create mode 100644 queue-4.14/staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch create mode 100644 queue-4.14/staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch create mode 100644 queue-4.14/staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch create mode 100644 queue-4.14/staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch create mode 100644 queue-4.14/staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch create mode 100644 queue-4.14/staging-rtl8712-unterminated-string-leads-to-read-overflow.patch 
diff --git a/queue-4.14/series b/queue-4.14/series
index 2ba7b3a8ba1..ea02175b0e8 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -62,3 +62,19 @@ usbip-fix-vhci_hcd-to-check-for-stream-socket.patch
 usbip-fix-vudc-to-check-for-stream-socket.patch
 usbip-fix-stub_dev-usbip_sockfd_store-races-leading-to-gpf.patch
 usbip-fix-vhci_hcd-attach_store-races-leading-to-gpf.patch
+staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch
+staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch
+staging-rtl8712-unterminated-string-leads-to-read-overflow.patch
+staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch
+staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch
+staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch
+staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch
+staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch
+staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch
+staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch
diff --git a/queue-4.14/staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch b/queue-4.14/staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch
new file mode 100644
index 00000000000..351ae6d9e28
--- /dev/null
+++ b/queue-4.14/staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch
@@ -0,0 +1,45 @@
+From 25317f428a78fde71b2bf3f24d05850f08a73a52 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Tue, 23 Feb 2021 14:30:42 +0000
+Subject: staging: comedi: addi_apci_1032: Fix endian problem for COS sample
+
+From: Ian Abbott
+
+commit 25317f428a78fde71b2bf3f24d05850f08a73a52 upstream.
+
+The Change-Of-State (COS) subdevice supports Comedi asynchronous
+commands to read 16-bit change-of-state values. However, the interrupt
+handler is calling `comedi_buf_write_samples()` with the address of a
+32-bit integer `&s->state`. On bigendian architectures, it will copy 2
+bytes from the wrong end of the 32-bit integer. Fix it by transferring
+the value via a 16-bit integer.
+
+Fixes: 6bb45f2b0c86 ("staging: comedi: addi_apci_1032: use comedi_buf_write_samples()")
+Cc: # 3.19+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20210223143055.257402-2-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/addi_apci_1032.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/addi_apci_1032.c
++++ b/drivers/staging/comedi/drivers/addi_apci_1032.c
+@@ -269,6 +269,7 @@ static irqreturn_t apci1032_interrupt(in
+ struct apci1032_private *devpriv = dev->private;
+ struct comedi_subdevice *s = dev->read_subdev;
+ unsigned int ctrl;
++ unsigned short val;
+ 
+ /* check interrupt is from this device */
+ if ((inl(devpriv->amcc_iobase + AMCC_OP_REG_INTCSR) &
+@@ -284,7 +285,8 @@ static irqreturn_t apci1032_interrupt(in
+ outl(ctrl & ~APCI1032_CTRL_INT_ENA, dev->iobase + APCI1032_CTRL_REG);
+ 
+ s->state = inl(dev->iobase + APCI1032_STATUS_REG) & 0xffff;
+- comedi_buf_write_samples(s, &s->state, 1);
++ val = s->state;
++ comedi_buf_write_samples(s, &val, 1);
+ comedi_handle_events(dev, s);
+ 
+ /* enable the interrupt */
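Review bot: The new 16-bit temporary `val` in apci1032_interrupt carries no comment saying why `&s->state` cannot be passed directly, so a later cleanup could fold it back into the original bug. Suggest a comment above `val = s->state;` such as `/* COS samples are 16-bit; passing &s->state would read the wrong half on big-endian */`. The `& 0xffff` mask on the preceding line keeps the narrowing to `unsigned short` lossless. The same applies to the `unsigned short` declarations added by the apci1500, adv_pci1710, das6402, das800, dmm32at, me4000, pcl711 and pcl818 patches in this series, where a one-line comment tying the type to the subdevice's 16-bit sample size would serve the same purpose. apci1032_interrupt continues outside the hunk.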
diff --git a/queue-4.14/staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch b/queue-4.14/staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch
new file mode 100644
index 00000000000..7ec06f311c9
--- /dev/null
+++ b/queue-4.14/staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch
@@ -0,0 +1,60 @@
+From ac0bbf55ed3be75fde1f8907e91ecd2fd589bde3 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Tue, 23 Feb 2021 14:30:43 +0000
+Subject: staging: comedi: addi_apci_1500: Fix endian problem for command sample
+
+From: Ian Abbott
+
+commit ac0bbf55ed3be75fde1f8907e91ecd2fd589bde3 upstream.
+
+The digital input subdevice supports Comedi asynchronous commands that
+read interrupt status information. This uses 16-bit Comedi samples (of
+which only the bottom 8 bits contain status information). However, the
+interrupt handler is calling `comedi_buf_write_samples()` with the
+address of a 32-bit variable `unsigned int status`. On a bigendian
+machine, this will copy 2 bytes from the wrong end of the variable. Fix
+it by changing the type of the variable to `unsigned short`.
+
+Fixes: a8c66b684efa ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
+Cc: #4.0+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20210223143055.257402-3-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/addi_apci_1500.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/addi_apci_1500.c
++++ b/drivers/staging/comedi/drivers/addi_apci_1500.c
+@@ -217,7 +217,7 @@ static irqreturn_t apci1500_interrupt(in
+ struct comedi_device *dev = d;
+ struct apci1500_private *devpriv = dev->private;
+ struct comedi_subdevice *s = dev->read_subdev;
+- unsigned int status = 0;
++ unsigned short status = 0;
+ unsigned int val;
+ 
+ val = inl(devpriv->amcc + AMCC_OP_REG_INTCSR);
+@@ -247,14 +247,14 @@ static irqreturn_t apci1500_interrupt(in
+ *
+ * Mask Meaning
+ * ---------- ------------------------------------------
+- * 0x00000001 Event 1 has occurred
+- * 0x00000010 Event 2 has occurred
+- * 0x00000100 Counter/timer 1 has run down (not implemented)
+- * 0x00001000 Counter/timer 2 has run down (not implemented)
+- * 0x00010000 Counter 3 has run down (not implemented)
+- * 0x00100000 Watchdog has run down (not implemented)
+- * 0x01000000 Voltage error
+- * 0x10000000 Short-circuit error
++ * 0b00000001 Event 1 has occurred
++ * 0b00000010 Event 2 has occurred
++ * 0b00000100 Counter/timer 1 has run down (not implemented)
++ * 0b00001000 Counter/timer 2 has run down (not implemented)
++ * 0b00010000 Counter 3 has run down (not implemented)
++ * 0b00100000 Watchdog has run down (not implemented)
++ * 0b01000000 Voltage error
++ * 0b10000000 Short-circuit error
+ */
+ comedi_buf_write_samples(s, &status, 1);
+ comedi_handle_events(dev, s);
diff --git a/queue-4.14/staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch
new file mode 100644
index 00000000000..d73132ecaae
--- /dev/null
+++ b/queue-4.14/staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch
@@ -0,0 +1,72 @@
+From b2e78630f733a76508b53ba680528ca39c890e82 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Tue, 23 Feb 2021 14:30:44 +0000
+Subject: staging: comedi: adv_pci1710: Fix endian problem for AI command data
+
+From: Ian Abbott
+
+commit b2e78630f733a76508b53ba680528ca39c890e82 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the calls to
+`comedi_buf_write_samples()` are passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variables
+holding the sample value to `unsigned short`. The type of the `val`
+parameter of `pci1710_ai_read_sample()` is changed to `unsigned short *`
+accordingly. The type of the `val` variable in `pci1710_ai_insn_read()`
+is also changed to `unsigned short` since its address is passed to
+`pci1710_ai_read_sample()`.
+
+Fixes: a9c3a015c12f ("staging: comedi: adv_pci1710: use comedi_buf_write_samples()")
+Cc: # 4.0+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20210223143055.257402-4-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/adv_pci1710.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/adv_pci1710.c
++++ b/drivers/staging/comedi/drivers/adv_pci1710.c
+@@ -299,11 +299,11 @@ static int pci1710_ai_eoc(struct comedi_
+ static int pci1710_ai_read_sample(struct comedi_device *dev,
+ struct comedi_subdevice *s,
+ unsigned int cur_chan,
+- unsigned int *val)
++ unsigned short *val)
+ {
+ const struct boardtype *board = dev->board_ptr;
+ struct pci1710_private *devpriv = dev->private;
+- unsigned int sample;
++ unsigned short sample;
+ unsigned int chan;
+ 
+ sample = inw(dev->iobase + PCI171X_AD_DATA_REG);
+@@ -344,7 +344,7 @@ static int pci1710_ai_insn_read(struct c
+ pci1710_ai_setup_chanlist(dev, s, &insn->chanspec, 1, 1);
+ 
+ for (i = 0; i < insn->n; i++) {
+- unsigned int val;
++ unsigned short val;
+ 
+ /* start conversion */
+ outw(0, dev->iobase + PCI171X_SOFTTRG_REG);
+@@ -394,7 +394,7 @@ static void pci1710_handle_every_sample(
+ {
+ struct comedi_cmd *cmd = &s->async->cmd;
+ unsigned int status;
+- unsigned int val;
++ unsigned short val;
+ int ret;
+ 
+ status = inw(dev->iobase + PCI171X_STATUS_REG);
+@@ -454,7 +454,7 @@ static void pci1710_handle_fifo(struct c
+ }
+ 
+ for (i = 0; i < devpriv->max_samples; i++) {
+- unsigned int val;
++ unsigned short val;
+ int ret;
+ 
+ ret = pci1710_ai_read_sample(dev, s, s->async->cur_chan, &val);
diff --git a/queue-4.14/staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch
new file mode 100644
index 00000000000..1ce44cb2f37
--- /dev/null
+++ b/queue-4.14/staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch
@@ -0,0 +1,36 @@
+From 1c0f20b78781b9ca50dc3ecfd396d0db5b141890 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Tue, 23 Feb 2021 14:30:45 +0000
+Subject: staging: comedi: das6402: Fix endian problem for AI command data
+
+From: Ian Abbott
+
+commit 1c0f20b78781b9ca50dc3ecfd396d0db5b141890 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: d1d24cb65ee3 ("staging: comedi: das6402: read analog input samples in interrupt handler")
+Cc: # 3.19+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20210223143055.257402-5-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/das6402.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/das6402.c
++++ b/drivers/staging/comedi/drivers/das6402.c
+@@ -195,7 +195,7 @@ static irqreturn_t das6402_interrupt(int
+ if (status & DAS6402_STATUS_FFULL) {
+ async->events |= COMEDI_CB_OVERFLOW;
+ } else if (status & DAS6402_STATUS_FFNE) {
+- unsigned int val;
++ unsigned short val;
+ 
+ val = das6402_ai_read_sample(dev, s);
+ comedi_buf_write_samples(s, &val, 1);
diff --git a/queue-4.14/staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch
new file mode 100644
index 00000000000..27a71792b05
--- /dev/null
+++ b/queue-4.14/staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch
@@ -0,0 +1,36 @@
+From 459b1e8c8fe97fcba0bd1b623471713dce2c5eaf Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Tue, 23 Feb 2021 14:30:46 +0000
+Subject: staging: comedi: das800: Fix endian problem for AI command data
+
+From: Ian Abbott
+
+commit 459b1e8c8fe97fcba0bd1b623471713dce2c5eaf upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: ad9eb43c93d8 ("staging: comedi: das800: use comedi_buf_write_samples()")
+Cc: # 3.19+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20210223143055.257402-6-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/das800.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/das800.c
++++ b/drivers/staging/comedi/drivers/das800.c
+@@ -436,7 +436,7 @@ static irqreturn_t das800_interrupt(int
+ struct comedi_cmd *cmd;
+ unsigned long irq_flags;
+ unsigned int status;
+- unsigned int val;
++ unsigned short val;
+ bool fifo_empty;
+ bool fifo_overflow;
+ int i;
diff --git a/queue-4.14/staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch
new file mode 100644
index 00000000000..c449dba56e8
--- /dev/null
+++ b/queue-4.14/staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch
@@ -0,0 +1,41 @@
+From 54999c0d94b3c26625f896f8e3460bc029821578 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Tue, 23 Feb 2021 14:30:47 +0000
+Subject: staging: comedi: dmm32at: Fix endian problem for AI command data
+
+From: Ian Abbott
+
+commit 54999c0d94b3c26625f896f8e3460bc029821578 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+[Note: the bug was introduced in commit 1700529b24cc ("staging: comedi:
+dmm32at: use comedi_buf_write_samples()") but the patch applies better
+to the later (but in the same kernel release) commit 0c0eadadcbe6e
+("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()").]
+
+Fixes: 0c0eadadcbe6e ("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()")
+Cc: # 3.19+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20210223143055.257402-7-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/dmm32at.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/dmm32at.c
++++ b/drivers/staging/comedi/drivers/dmm32at.c
+@@ -413,7 +413,7 @@ static irqreturn_t dmm32at_isr(int irq,
+ {
+ struct comedi_device *dev = d;
+ unsigned char intstat;
+- unsigned int val;
++ unsigned short val;
+ int i;
+ 
+ if (!dev->attached) {
diff --git a/queue-4.14/staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch
new file mode 100644
index 00000000000..aa454544fc8
--- /dev/null
+++ b/queue-4.14/staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch
@@ -0,0 +1,36 @@
+From b39dfcced399d31e7c4b7341693b18e01c8f655e Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Tue, 23 Feb 2021 14:30:48 +0000
+Subject: staging: comedi: me4000: Fix endian problem for AI command data
+
+From: Ian Abbott
+
+commit b39dfcced399d31e7c4b7341693b18e01c8f655e upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the calls to
+`comedi_buf_write_samples()` are passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: de88924f67d1 ("staging: comedi: me4000: use comedi_buf_write_samples()")
+Cc: # 3.19+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20210223143055.257402-8-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/me4000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/me4000.c
++++ b/drivers/staging/comedi/drivers/me4000.c
+@@ -933,7 +933,7 @@ static irqreturn_t me4000_ai_isr(int irq
+ struct comedi_subdevice *s = dev->read_subdev;
+ int i;
+ int c = 0;
+- unsigned int lval;
++ unsigned short lval;
+ 
+ if (!dev->attached)
+ return IRQ_NONE;
diff --git a/queue-4.14/staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch
new file mode 100644
index 00000000000..2a7cc1f83df
--- /dev/null
+++ b/queue-4.14/staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch
@@ -0,0 +1,36 @@
+From a084303a645896e834883f2c5170d044410dfdb3 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Tue, 23 Feb 2021 14:30:49 +0000
+Subject: staging: comedi: pcl711: Fix endian problem for AI command data
+
+From: Ian Abbott
+
+commit a084303a645896e834883f2c5170d044410dfdb3 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: 1f44c034de2e ("staging: comedi: pcl711: use comedi_buf_write_samples()")
+Cc: # 3.19+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20210223143055.257402-9-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/pcl711.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/pcl711.c
++++ b/drivers/staging/comedi/drivers/pcl711.c
+@@ -193,7 +193,7 @@ static irqreturn_t pcl711_interrupt(int
+ struct comedi_device *dev = d;
+ struct comedi_subdevice *s = dev->read_subdev;
+ struct comedi_cmd *cmd = &s->async->cmd;
+- unsigned int data;
++ unsigned short data;
+ 
+ if (!dev->attached) {
+ dev_err(dev->class_dev, "spurious interrupt\n");
diff --git a/queue-4.14/staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch b/queue-4.14/staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch
new file mode 100644
index 00000000000..97e44d1ae12
--- /dev/null
+++ b/queue-4.14/staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch
@@ -0,0 +1,41 @@
+From 148e34fd33d53740642db523724226de14ee5281 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Tue, 23 Feb 2021 14:30:50 +0000
+Subject: staging: comedi: pcl818: Fix endian problem for AI command data
+
+From: Ian Abbott
+
+commit 148e34fd33d53740642db523724226de14ee5281 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+parameter. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the parameter
+holding the sample value to `unsigned short`.
+
+[Note: the bug was introduced in commit edf4537bcbf5 ("staging: comedi:
+pcl818: use comedi_buf_write_samples()") but the patch applies better to
+commit d615416de615 ("staging: comedi: pcl818: introduce
+pcl818_ai_write_sample()").]
+
+Fixes: d615416de615 ("staging: comedi: pcl818: introduce pcl818_ai_write_sample()")
+Cc: # 4.0+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20210223143055.257402-10-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/pcl818.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/pcl818.c
++++ b/drivers/staging/comedi/drivers/pcl818.c
+@@ -422,7 +422,7 @@ static int pcl818_ai_eoc(struct comedi_d
+ 
+ static bool pcl818_ai_write_sample(struct comedi_device *dev,
+ struct comedi_subdevice *s,
+- unsigned int chan, unsigned int val)
++ unsigned int chan, unsigned short val)
+ {
+ struct pcl818_private *devpriv = dev->private;
+ struct comedi_cmd *cmd = &s->async->cmd;
diff --git a/queue-4.14/staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch b/queue-4.14/staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch
new file mode 100644
index 00000000000..e0b5eb037f4
--- /dev/null
+++ b/queue-4.14/staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch
@@ -0,0 +1,43 @@
+From e163b9823a0b08c3bb8dc4f5b4b5c221c24ec3e5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 2 Mar 2021 14:19:39 +0300
+Subject: staging: ks7010: prevent buffer overflow in ks_wlan_set_scan()
+
+From: Dan Carpenter
+
+commit e163b9823a0b08c3bb8dc4f5b4b5c221c24ec3e5 upstream.
+
+The user can specify a "req->essid_len" of up to 255 but if it's
+over IW_ESSID_MAX_SIZE (32) that can lead to memory corruption.
+
+Fixes: 13a9930d15b4 ("staging: ks7010: add driver from Nanonote extra-repository")
+Signed-off-by: Dan Carpenter
+Cc: stable
+Link: https://lore.kernel.org/r/YD4fS8+HmM/Qmrw6@mwanda
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/ks7010/ks_wlan_net.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/ks7010/ks_wlan_net.c
++++ b/drivers/staging/ks7010/ks_wlan_net.c
+@@ -1290,6 +1290,7 @@ static int ks_wlan_set_scan(struct net_d
+ {
+ struct ks_wlan_private *priv = netdev_priv(dev);
+ struct iw_scan_req *req = NULL;
++ int len;
+ 
+ DPRINTK(2, "\n");
+ 
+@@ -1301,8 +1302,9 @@ static int ks_wlan_set_scan(struct net_d
+ if (wrqu->data.length == sizeof(struct iw_scan_req) &&
+ wrqu->data.flags & IW_SCAN_THIS_ESSID) {
+ req = (struct iw_scan_req *)extra;
+- priv->scan_ssid_len = req->essid_len;
+- memcpy(priv->scan_ssid, req->essid, priv->scan_ssid_len);
++ len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
++ priv->scan_ssid_len = len;
++ memcpy(priv->scan_ssid, req->essid, len);
+ } else {
+ priv->scan_ssid_len = 0;
+ }
diff --git a/queue-4.14/staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch b/queue-4.14/staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch
new file mode 100644
index 00000000000..e7da6a7e660
--- /dev/null
+++ b/queue-4.14/staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch
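Review bot: `len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);` in ks_wlan_set_scan silently truncates an over-long ESSID rather than rejecting the request, so a scan asked for with a 40-byte ESSID proceeds for a different, 32-byte one; returning `-EINVAL` when `req->essid_len > IW_ESSID_MAX_SIZE` would make the bad input visible to the caller instead. If `priv->scan_ssid` is declared with `IW_ESSID_MAX_SIZE` bytes, `sizeof(priv->scan_ssid)` as the bound would tie the check to the destination rather than to a constant that happens to match — its declaration is outside the hunk, so that needs confirming. The rtl8192e, rtl8192u and rtl8712 sitesurvey patches in this series clamp the same way and the same trade-off applies there. ks_wlan_set_scan's body continues past the hunk.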
@@ -0,0 +1,57 @@
+From d4ac640322b06095128a5c45ba4a1e80929fe7f3 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 5 Mar 2021 11:56:32 +0300
+Subject: staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data()
+
+From: Dan Carpenter
+
+commit d4ac640322b06095128a5c45ba4a1e80929fe7f3 upstream.
+
+The "ie_len" is a value in the 1-255 range that comes from the user. We
+have to cap it to ensure that it's not too large or it could lead to
+memory corruption.
+
+Fixes: 9a7fe54ddc3a ("staging: r8188eu: Add source files for new driver - part 1")
+Signed-off-by: Dan Carpenter
+Cc: stable
+Link: https://lore.kernel.org/r/YEHyQCrFZKTXyT7J@mwanda
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8188eu/core/rtw_ap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_ap.c
++++ b/drivers/staging/rtl8188eu/core/rtw_ap.c
+@@ -912,6 +912,7 @@ int rtw_check_beacon_data(struct adapter
+ /* SSID */
+ p = rtw_get_ie(ie + _BEACON_IE_OFFSET_, _SSID_IE_, &ie_len, (pbss_network->IELength - _BEACON_IE_OFFSET_));
+ if (p && ie_len > 0) {
++ ie_len = min_t(int, ie_len, sizeof(pbss_network->Ssid.Ssid));
+ memset(&pbss_network->Ssid, 0, sizeof(struct ndis_802_11_ssid));
+ memcpy(pbss_network->Ssid.Ssid, (p + 2), ie_len);
+ pbss_network->Ssid.SsidLength = ie_len;
+@@ -930,6 +931,7 @@ int rtw_check_beacon_data(struct adapter
+ /* get supported rates */
+ p = rtw_get_ie(ie + _BEACON_IE_OFFSET_, _SUPPORTEDRATES_IE_, &ie_len, (pbss_network->IELength - _BEACON_IE_OFFSET_));
+ if (p) {
++ ie_len = min_t(int, ie_len, NDIS_802_11_LENGTH_RATES_EX);
+ memcpy(supportRate, p + 2, ie_len);
+ supportRateNum = ie_len;
+ }
+@@ -937,6 +939,8 @@ int rtw_check_beacon_data(struct adapter
+ /* get ext_supported rates */
+ p = rtw_get_ie(ie + _BEACON_IE_OFFSET_, _EXT_SUPPORTEDRATES_IE_, &ie_len, pbss_network->IELength - _BEACON_IE_OFFSET_);
+ if (p) {
++ ie_len = min_t(int, ie_len,
++ NDIS_802_11_LENGTH_RATES_EX - supportRateNum);
+ memcpy(supportRate + supportRateNum, p + 2, ie_len);
+ supportRateNum += ie_len;
+ }
+@@ -1050,6 +1054,7 @@ int rtw_check_beacon_data(struct adapter
+ 
+ pht_cap->mcs.rx_mask[0] = 0xff;
+ pht_cap->mcs.rx_mask[1] = 0x0;
++ ie_len = min_t(int, ie_len, sizeof(pmlmepriv->htpriv.ht_cap));
+ memcpy(&pmlmepriv->htpriv.ht_cap, p+2, ie_len);
+ }
+ 
diff --git a/queue-4.14/staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch b/queue-4.14/staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch
new file mode 100644
index 00000000000..60b33953e20
--- /dev/null
+++ b/queue-4.14/staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch
@@ -0,0 +1,37 @@
+From 74b6b20df8cfe90ada777d621b54c32e69e27cd7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 5 Mar 2021 11:58:03 +0300
+Subject: staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()
+
+From: Dan Carpenter
+
+commit 74b6b20df8cfe90ada777d621b54c32e69e27cd7 upstream.
+
+This code has a check to prevent read overflow but it needs another
+check to prevent writing beyond the end of the ->ssid[] array.
+
+Fixes: a2c60d42d97c ("staging: r8188eu: Add files for new driver - part 16")
+Signed-off-by: Dan Carpenter
+Cc: stable
+Link: https://lore.kernel.org/r/YEHymwsnHewzoam7@mwanda
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+@@ -1169,9 +1169,11 @@ static int rtw_wx_set_scan(struct net_de
+ break;
+ }
+ sec_len = *(pos++); len -= 1;
+- if (sec_len > 0 && sec_len <= len) {
++ if (sec_len > 0 &&
++ sec_len <= len &&
++ sec_len <= 32) {
+ ssid[ssid_index].SsidLength = sec_len;
+- memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength);
++ memcpy(ssid[ssid_index].Ssid, pos, sec_len);
+ ssid_index++;
+ }
+ pos += sec_len;
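Review bot: The HT-capability clamp `ie_len = min_t(int, ie_len, sizeof(pmlmepriv->htpriv.ht_cap));` in rtw_check_beacon_data stops the over-long case but still lets a short element copy only a prefix of `ht_cap`, leaving the remaining bytes with whatever they held before; if a full-size element is required here, checking `ie_len >= sizeof(pmlmepriv->htpriv.ht_cap)` before the copy and skipping it otherwise would be the stricter rule — the code that selects `p` is outside the hunk, so whether short elements are already filtered needs confirming. In the ext-rates hunk the bound `NDIS_802_11_LENGTH_RATES_EX - supportRateNum` is only non-negative because the supported-rates hunk capped `supportRateNum` first, and that ordering dependency deserves a comment such as `/* supportRateNum <= NDIS_802_11_LENGTH_RATES_EX after the cap above */`. rtw_check_beacon_data starts before and ends after these hunks.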
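Review bot: The new bound `sec_len <= 32` in rtw_wx_set_scan is a bare literal while the other patches in this series spell the same limit as `IW_ESSID_MAX_SIZE`; writing it as `sec_len <= IW_ESSID_MAX_SIZE`, or `sec_len <= sizeof(ssid[ssid_index].Ssid)` to tie it to the array actually written, keeps the check from drifting if the array size changes. The `Ssid` array's declaration is outside the hunk, so the sizeof form needs its size confirmed. rtw_wx_set_scan continues outside the hunk on both sides.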
diff --git a/queue-4.14/staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch b/queue-4.14/staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch
new file mode 100644
index 00000000000..bbe22b0b8c8
--- /dev/null
+++ b/queue-4.14/staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch
@@ -0,0 +1,38 @@
+From 8687bf9ef9551bcf93897e33364d121667b1aadf Mon Sep 17 00:00:00 2001
+From: Lee Gibson
+Date: Fri, 26 Feb 2021 14:51:57 +0000
+Subject: staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan
+
+From: Lee Gibson
+
+commit 8687bf9ef9551bcf93897e33364d121667b1aadf upstream.
+
+Function _rtl92e_wx_set_scan calls memcpy without checking the length.
+A user could control that length and trigger a buffer overflow.
+Fix by checking the length is within the maximum allowed size.
+
+Reviewed-by: Dan Carpenter
+Signed-off-by: Lee Gibson
+Cc: stable
+Link: https://lore.kernel.org/r/20210226145157.424065-1-leegib@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8192e/rtl8192e/rtl_wx.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c
++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c
+@@ -419,9 +419,10 @@ static int _rtl92e_wx_set_scan(struct ne
+ struct iw_scan_req *req = (struct iw_scan_req *)b;
+ 
+ if (req->essid_len) {
+- ieee->current_network.ssid_len = req->essid_len;
+- memcpy(ieee->current_network.ssid, req->essid,
+- req->essid_len);
++ int len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
++
++ ieee->current_network.ssid_len = len;
++ memcpy(ieee->current_network.ssid, req->essid, len);
+ }
+ }
+ 
diff --git a/queue-4.14/staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch b/queue-4.14/staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch
new file mode 100644
index 00000000000..2c724917d1b
--- /dev/null
+++ b/queue-4.14/staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch
@@ -0,0 +1,36 @@
+From 87107518d7a93fec6cdb2559588862afeee800fb Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 5 Mar 2021 11:12:49 +0300
+Subject: staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan()
+
+From: Dan Carpenter
+
+commit 87107518d7a93fec6cdb2559588862afeee800fb upstream.
+
+We need to cap len at IW_ESSID_MAX_SIZE (32) to avoid memory corruption.
+This can be controlled by the user via the ioctl.
+
+Fixes: 5f53d8ca3d5d ("Staging: add rtl8192SU wireless usb driver")
+Signed-off-by: Dan Carpenter
+Cc: stable
+Link: https://lore.kernel.org/r/YEHoAWMOSZBUw91F@mwanda
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8192u/r8192U_wx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8192u/r8192U_wx.c
++++ b/drivers/staging/rtl8192u/r8192U_wx.c
+@@ -333,8 +333,10 @@ static int r8192_wx_set_scan(struct net_
+ struct iw_scan_req *req = (struct iw_scan_req *)b;
+
+ if (req->essid_len) {
+- ieee->current_network.ssid_len = req->essid_len;
+- memcpy(ieee->current_network.ssid, req->essid, req->essid_len);
++ int len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
++
++ ieee->current_network.ssid_len = len;
++ memcpy(ieee->current_network.ssid, req->essid, len);
+ }
+ }
diff --git a/queue-4.14/staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch b/queue-4.14/staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch
new file mode 100644
index 00000000000..5cb34316925
--- /dev/null
+++ b/queue-4.14/staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch
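Review bot: r8192_wx_set_scan() now carries the same clamp as the rtl8192e change, and the same caveat applies: a user-supplied essid_len above IW_ESSID_MAX_SIZE is silently cut down rather than refused, so the driver scans for an SSID the caller never asked for; `if (req->essid_len > IW_ESSID_MAX_SIZE) return -EINVAL;` ahead of the copy would keep the memory safety and make the failure visible. The two drivers should at least agree on whichever behaviour is chosen, since they are fixed in the same series. The enclosing function starts and ends outside the hunk, so whether an error return is cleanly reachable here cannot be confirmed from the patch.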
@@ -0,0 +1,36 @@
+From b93c1e3981af19527beee1c10a2bef67a228c48c Mon Sep 17 00:00:00 2001
+From: Lee Gibson
+Date: Mon, 1 Mar 2021 13:26:48 +0000
+Subject: staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd
+
+From: Lee Gibson
+
+commit b93c1e3981af19527beee1c10a2bef67a228c48c upstream.
+
+Function r8712_sitesurvey_cmd calls memcpy without checking the length.
+A user could control that length and trigger a buffer overflow.
+Fix by checking the length is within the maximum allowed size.
+
+Signed-off-by: Lee Gibson
+Link: https://lore.kernel.org/r/20210301132648.420296-1-leegib@gmail.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8712/rtl871x_cmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8712/rtl871x_cmd.c
++++ b/drivers/staging/rtl8712/rtl871x_cmd.c
+@@ -242,8 +242,10 @@ u8 r8712_sitesurvey_cmd(struct _adapter
+ psurveyPara->ss_ssidlen = 0;
+ memset(psurveyPara->ss_ssid, 0, IW_ESSID_MAX_SIZE + 1);
+ if ((pssid != NULL) && (pssid->SsidLength)) {
+- memcpy(psurveyPara->ss_ssid, pssid->Ssid, pssid->SsidLength);
+- psurveyPara->ss_ssidlen = cpu_to_le32(pssid->SsidLength);
++ int len = min_t(int, pssid->SsidLength, IW_ESSID_MAX_SIZE);
++
++ memcpy(psurveyPara->ss_ssid, pssid->Ssid, len);
++ psurveyPara->ss_ssidlen = cpu_to_le32(len);
+ }
+ set_fwstate(pmlmepriv, _FW_UNDER_SURVEY);
+ r8712_enqueue_cmd(pcmdpriv, ph2c);
diff --git a/queue-4.14/staging-rtl8712-unterminated-string-leads-to-read-overflow.patch b/queue-4.14/staging-rtl8712-unterminated-string-leads-to-read-overflow.patch
new file mode 100644
index 00000000000..24f86c9b11f
--- /dev/null
+++ b/queue-4.14/staging-rtl8712-unterminated-string-leads-to-read-overflow.patch
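Review bot: `min_t(int, pssid->SsidLength, IW_ESSID_MAX_SIZE)` in r8712_sitesurvey_cmd() converts SsidLength to int before comparing; if SsidLength is an unsigned 32-bit field (its declaration isn't in the patch), any value of 0x80000000 or above becomes negative, min_t() selects it, and memcpy() receives it as an enormous size_t, so the new bound would protect nothing for exactly the inputs it exists for. Clamping in the field's own width avoids the sign trap at no cost: `u32 len = min_t(u32, pssid->SsidLength, IW_ESSID_MAX_SIZE);` with the rest of the hunk unchanged. Whether a caller can actually deliver such a length depends on r871x_wx_set_scan() and the other callers, none of which is visible here, which is all the more reason to make the clamp self-sufficient. The enclosing function starts and ends outside the hunk.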
@@ -0,0 +1,33 @@
+From d660f4f42ccea50262c6ee90c8e7ad19a69fb225 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 24 Feb 2021 11:45:59 +0300
+Subject: staging: rtl8712: unterminated string leads to read overflow
+
+From: Dan Carpenter
+
+commit d660f4f42ccea50262c6ee90c8e7ad19a69fb225 upstream.
+
+The memdup_user() function does not necessarily return a NUL terminated
+string so this can lead to a read overflow. Switch from memdup_user()
+to strndup_user() to fix this bug.
+
+Fixes: c6dc001f2add ("staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes.")
+Cc: stable
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/YDYSR+1rj26NRhvb@mwanda
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
++++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+@@ -927,7 +927,7 @@ static int r871x_wx_set_priv(struct net_
+ struct iw_point *dwrq = (struct iw_point *)awrq;
+
+ len = dwrq->length;
+- ext = memdup_user(dwrq->pointer, len);
++ ext = strndup_user(dwrq->pointer, len);
+ if (IS_ERR(ext))
+ return PTR_ERR(ext);
+
-- 
2.47.3
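Review bot: strndup_user() in r871x_wx_set_priv() fails with -EINVAL when no NUL byte occurs within the first len bytes (and, as I recall, -EFAULT when the first byte is unreadable), so a userspace caller that sets dwrq->length to strlen(cmd) without counting the terminator is now refused where memdup_user() accepted it; that is an ABI-visible change the commit message does not mention and deserves a sentence there, since the fix is correct but not transparent. The local `len` still holds dwrq->length rather than the length of the string actually duplicated; if the rest of the function (outside the hunk) uses it to size a reply copied back with copy_to_user(), it should be re-derived with `len = strlen(ext);` after the IS_ERR() check. Nothing else in the hunk needs to change.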