From 4f2c420e63fbc962badd092bcfce96204ebbfaf9 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 7 Jan 2022 14:26:19 +0100 Subject: [PATCH] 4.14-stable patches added patches: mac80211-initialize-variable-have_higher_than_11mbit.patch rdma-core-don-t-infoleak-grh-fields.patch --- ...ize-variable-have_higher_than_11mbit.patch | 41 ++++++++++++ .../rdma-core-don-t-infoleak-grh-fields.patch | 64 +++++++++++++++++++ queue-4.14/series | 2 + 3 files changed, 107 insertions(+) create mode 100644 queue-4.14/mac80211-initialize-variable-have_higher_than_11mbit.patch create mode 100644 queue-4.14/rdma-core-don-t-infoleak-grh-fields.patch diff --git a/queue-4.14/mac80211-initialize-variable-have_higher_than_11mbit.patch b/queue-4.14/mac80211-initialize-variable-have_higher_than_11mbit.patch new file mode 100644 index 00000000000..2a74f768909 --- /dev/null +++ b/queue-4.14/mac80211-initialize-variable-have_higher_than_11mbit.patch 
@@ -0,0 +1,41 @@
+From 68a18ad71378a56858141c4449e02a30c829763e Mon Sep 17 00:00:00 2001
+From: Tom Rix
+Date: Thu, 23 Dec 2021 08:28:48 -0800
+Subject: mac80211: initialize variable have_higher_than_11mbit
+
+From: Tom Rix
+
+commit 68a18ad71378a56858141c4449e02a30c829763e upstream.
+
+Clang static analysis reports this warnings
+
+mlme.c:5332:7: warning: Branch condition evaluates to a
+ garbage value
+ have_higher_than_11mbit)
+ ^~~~~~~~~~~~~~~~~~~~~~~
+
+have_higher_than_11mbit is only set to true some of the time in
+ieee80211_get_rates() but is checked all of the time. So
+have_higher_than_11mbit needs to be initialized to false.
+
+Fixes: 5d6a1b069b7f ("mac80211: set basic rates earlier")
+Signed-off-by: Tom Rix
+Reviewed-by: Nick Desaulniers
+Link: https://lore.kernel.org/r/20211223162848.3243702-1-trix@redhat.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/mlme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4501,7 +4501,7 @@ static int ieee80211_prep_connection(str
+ */
+ if (new_sta) {
+ u32 rates = 0, basic_rates = 0;
+- bool have_higher_than_11mbit;
++ bool have_higher_than_11mbit = false;
+ int min_rate = INT_MAX, min_rate_index = -1;
+ const struct cfg80211_bss_ies *ies;
+ int shift = ieee80211_vif_get_shift(&sdata->vif);
diff --git a/queue-4.14/rdma-core-don-t-infoleak-grh-fields.patch b/queue-4.14/rdma-core-don-t-infoleak-grh-fields.patch
new file mode 100644
index 00000000000..e0bffc223ba
--- /dev/null
+++ b/queue-4.14/rdma-core-don-t-infoleak-grh-fields.patch
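Review bot: The new initializer `bool have_higher_than_11mbit = false;` carries no hint of why it is needed, and the reasoning lives only in the patch description, so a later cleanup could drop the `= false` as redundant; a one-line comment on the declaration would pin it, e.g. `/* only set by ieee80211_get_rates() when a >11 Mbit rate exists; read unconditionally later */`. ieee80211_prep_connection continues on both sides of this hunk, so the unconditional read the commit message describes is outside what is visible here. The clang diagnostic quoted in the description points at upstream mlme.c line 5332 while the 4.14 hunk lands at line 4501; that is expected for a backport and not a defect, but worth knowing when matching the warning against this tree.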
@@ -0,0 +1,64 @@
+From b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Tue, 4 Jan 2022 14:21:52 +0200
+Subject: RDMA/core: Don't infoleak GRH fields
+
+From: Leon Romanovsky
+
+commit b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd upstream.
+
+If dst->is_global field is not set, the GRH fields are not cleared
+and the following infoleak is reported.
+
+=====================================================
+BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_user+0x1c9/0x270 lib/usercopy.c:33
+ instrument_copy_to_user include/linux/instrumented.h:121 [inline]
+ _copy_to_user+0x1c9/0x270 lib/usercopy.c:33
+ copy_to_user include/linux/uaccess.h:209 [inline]
+ ucma_init_qp_attr+0x8c7/0xb10 drivers/infiniband/core/ucma.c:1242
+ ucma_write+0x637/0x6c0 drivers/infiniband/core/ucma.c:1732
+ vfs_write+0x8ce/0x2030 fs/read_write.c:588
+ ksys_write+0x28b/0x510 fs/read_write.c:643
+ __do_sys_write fs/read_write.c:655 [inline]
+ __se_sys_write fs/read_write.c:652 [inline]
+ __ia32_sys_write+0xdb/0x120 fs/read_write.c:652
+ do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
+ __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
+ do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
+ do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+
+Local variable resp created at:
+ ucma_init_qp_attr+0xa4/0xb10 drivers/infiniband/core/ucma.c:1214
+ ucma_write+0x637/0x6c0 drivers/infiniband/core/ucma.c:1732
+
+Bytes 40-59 of 144 are uninitialized
+Memory access of size 144 starts at ffff888167523b00
+Data copied to user address 0000000020000100
+
+CPU: 1 PID: 25910 Comm: syz-executor.1 Not tainted 5.16.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+=====================================================
+
+Fixes: 4ba66093bdc6 ("IB/core: Check for global flag when using ah_attr")
+Link: https://lore.kernel.org/r/0e9dd51f93410b7b2f4f5562f52befc878b71afa.1641298868.git.leonro@nvidia.com
+Reported-by: syzbot+6d532fa8f9463da290bc@syzkaller.appspotmail.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/uverbs_marshall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/uverbs_marshall.c
++++ b/drivers/infiniband/core/uverbs_marshall.c
+@@ -66,7 +66,7 @@ void ib_copy_ah_attr_to_user(struct ib_d
+ struct rdma_ah_attr *src = ah_attr;
+ struct rdma_ah_attr conv_ah;
+
+- memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved));
++ memset(&dst->grh, 0, sizeof(dst->grh));
+
+ if ((ah_attr->type == RDMA_AH_ATTR_TYPE_OPA) &&
+ (rdma_ah_get_dlid(ah_attr) >=
diff --git a/queue-4.14/series b/queue-4.14/series
index 8e2fe32e61e..5fcae8a2cf7 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -3,3 +3,5 @@ tracing-fix-check-for-trace_percpu_buffer-validity-in-get_trace_buf.patch
 tracing-tag-trace_percpu_buffer-as-a-percpu-pointer.patch
 virtio_pci-support-surprise-removal-of-virtio-pci-device.patch
 ieee802154-atusb-fix-uninit-value-in-atusb_set_extended_addr.patch
+rdma-core-don-t-infoleak-grh-fields.patch
+mac80211-initialize-variable-have_higher_than_11mbit.patch
--
2.47.3
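Review bot: The widened `memset(&dst->grh, 0, sizeof(dst->grh));` closes the reported leak only if every remaining field of `*dst` is written on every path by the rest of ib_copy_ah_attr_to_user, which continues past the end of this hunk and is not visible here; the KMSAN trace shows the result landing in a copy_to_user() buffer, so any field the non-global path still skips would remain uninitialized kernel stack visible to userspace. A more defensive backport would zero the whole destination once at the top, `memset(dst, 0, sizeof(*dst));`, which also covers struct padding and any field a future change adds. The hunk itself matches upstream b35a0f4dd544 and the 4.14 context lines (rdma_ah_attr, RDMA_AH_ATTR_TYPE_OPA) show the surrounding code is present, so the mechanical backport looks correct as far as this hunk shows.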