From a8fa76db776c77ff7f6ebc5db62e5cca037ad74e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 13 Jul 2020 15:58:48 +0200
Subject: [PATCH] 4.19-stable patches added patches: net-qrtr-fix-an-out-of-bounds-read-qrtr_endpoint_post.patch
---
...ut-of-bounds-read-qrtr_endpoint_post.patch | 53 +++++++++++++++++++
queue-4.19/series | 1 +
2 files changed, 54 insertions(+)
create mode 100644 queue-4.19/net-qrtr-fix-an-out-of-bounds-read-qrtr_endpoint_post.patch
diff --git a/queue-4.19/net-qrtr-fix-an-out-of-bounds-read-qrtr_endpoint_post.patch b/queue-4.19/net-qrtr-fix-an-out-of-bounds-read-qrtr_endpoint_post.patch
new file mode 100644
index 00000000000..ed5012ff63a
--- /dev/null
+++ b/queue-4.19/net-qrtr-fix-an-out-of-bounds-read-qrtr_endpoint_post.patch
@@ -0,0 +1,53 @@
+From 8ff41cc21714704ef0158a546c3c4d07fae2c952 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 30 Jun 2020 14:46:15 +0300
+Subject: net: qrtr: Fix an out of bounds read qrtr_endpoint_post()
+
+From: Dan Carpenter
+
+commit 8ff41cc21714704ef0158a546c3c4d07fae2c952 upstream.
+
+This code assumes that the user passed in enough data for a
+qrtr_hdr_v1 or qrtr_hdr_v2 struct, but it's not necessarily true. If
+the buffer is too small then it will read beyond the end.
+
+Reported-by: Manivannan Sadhasivam
+Reported-by: syzbot+b8fe393f999a291a9ea6@syzkaller.appspotmail.com
+Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/qrtr/qrtr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -266,7 +266,7 @@ int qrtr_endpoint_post(struct qrtr_endpo
+ unsigned int ver;
+ size_t hdrlen;
+
+- if (len & 3)
++ if (len == 0 || len & 3)
+ return -EINVAL;
+
+ skb = netdev_alloc_skb(NULL, len);
+@@ -280,6 +280,8 @@ int qrtr_endpoint_post(struct qrtr_endpo
+
+ switch (ver) {
+ case QRTR_PROTO_VER_1:
++ if (len < sizeof(*v1))
++ goto err;
+ v1 = data;
+ hdrlen = sizeof(*v1);
+
+@@ -293,6 +295,8 @@ int qrtr_endpoint_post(struct qrtr_endpo
+ size = le32_to_cpu(v1->size);
+ break;
+ case QRTR_PROTO_VER_2:
++ if (len < sizeof(*v2))
++ goto err;
+ v2 = data;
+ hdrlen = sizeof(*v2) + v2->optlen;
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 972ed506409..c68d779fbbe 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -23,3 +23,4 @@ usb-dwc3-pci-fix-reference-count-leak-in-dwc3_pci_re.patch
 block-release-bip-in-a-right-way-in-error-path.patch
 nvme-rdma-assign-completion-vector-correctly.patch
 x86-entry-increase-entry_stack-size-to-a-full-page.patch
+net-qrtr-fix-an-out-of-bounds-read-qrtr_endpoint_post.patch
-- 2.47.3
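Review bot: In the QRTR_PROTO_VER_2 branch of the queued patch, the new `if (len < sizeof(*v2))` guard bounds only the fixed header, while the very next line computes `hdrlen = sizeof(*v2) + v2->optlen` from a field supplied in the packet itself. The hunks end before any comparison of `hdrlen` or the header's `size` field against `len`, so it should be confirmed that the rest of qrtr_endpoint_post() rejects a packet whose declared lengths exceed the buffer, including values that could wrap once aligned and summed. If that later check turns out not to cover it, a guard after the switch such as `if (hdrlen > len) goto err;` would make the bound explicit. The function starts and ends outside the visible hunks, so the `err` label's cleanup of the already allocated skb is assumed rather than seen here.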