From bdffb290cd059a9ce570aa89678cc846eac5fcfc Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 6 Dec 2022 12:36:37 +0100
Subject: [PATCH] 4.19-stable patches
added patches:
proc-avoid-integer-type-confusion-in-get_proc_long.patch
proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
---
...eger-type-confusion-in-get_proc_long.patch | 40 +++++++
...n-t-think-it-is-working-on-c-strings.patch | 106 ++++++++++++++++++
queue-4.19/series | 2 +
3 files changed, 148 insertions(+)
create mode 100644 queue-4.19/proc-avoid-integer-type-confusion-in-get_proc_long.patch
create mode 100644 queue-4.19/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
diff --git a/queue-4.19/proc-avoid-integer-type-confusion-in-get_proc_long.patch b/queue-4.19/proc-avoid-integer-type-confusion-in-get_proc_long.patch
new file mode 100644
index 00000000000..94001e22eff
--- /dev/null
+++ b/queue-4.19/proc-avoid-integer-type-confusion-in-get_proc_long.patch
@@ -0,0 +1,40 @@
+From e6cfaf34be9fcd1a8285a294e18986bfc41a409c Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 5 Dec 2022 11:33:40 -0800
+Subject: proc: avoid integer type confusion in get_proc_long
+
+From: Linus Torvalds
+
+commit e6cfaf34be9fcd1a8285a294e18986bfc41a409c upstream.
+
+proc_get_long() is passed a size_t, but then assigns it to an 'int'
+variable for the length. Let's not do that, even if our IO paths are
+limited to MAX_RW_COUNT (exactly because of these kinds of type errors).
+
+So do the proper test in the rigth type.
+
+Reported-by: Kyle Zeng
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sysctl.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2156,13 +2156,12 @@ static int proc_get_long(char **buf, siz
+ unsigned long *val, bool *neg,
+ const char *perm_tr, unsigned perm_tr_len, char *tr)
+ {
+- int len;
+ char *p, tmp[TMPBUFLEN];
++ ssize_t len = *size;
+
+- if (!*size)
++ if (len <= 0)
+ return -EINVAL;
+
+- len = *size;
+ if (len > TMPBUFLEN - 1)
+ len = TMPBUFLEN - 1;
+
diff --git a/queue-4.19/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch b/queue-4.19/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
new file mode 100644
index 00000000000..62404bd8cfa
--- /dev/null
+++ b/queue-4.19/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
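Review bot: In the proc_get_long() hunk, `ssize_t len = *size;` depends on an oversized size_t turning negative on conversion so that `if (len <= 0)` rejects it, and nothing on the new lines records that intent. A one-line comment above the check would keep a later cleanup from reducing it back to `!*size`: `/* *size is a size_t: zero, or a value too large for ssize_t, is rejected here */`. The function body continues past the hunk, so any later comparison of `len` with `*size` is now signed against unsigned and should be confirmed to run only after this check has left `len` positive.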
@@ -0,0 +1,106 @@
+From bce9332220bd677d83b19d21502776ad555a0e73 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 5 Dec 2022 12:09:06 -0800
+Subject: proc: proc_skip_spaces() shouldn't think it is working on C strings
+
+From: Linus Torvalds
+
+commit bce9332220bd677d83b19d21502776ad555a0e73 upstream.
+
+proc_skip_spaces() seems to think it is working on C strings, and ends
+up being just a wrapper around skip_spaces() with a really odd calling
+convention.
+
+Instead of basing it on skip_spaces(), it should have looked more like
+proc_skip_char(), which really is the exact same function (except it
+skips a particular character, rather than whitespace). So use that as
+inspiration, odd coding and all.
+
+Now the calling convention actually makes sense and works for the
+intended purpose.
+
+Reported-and-tested-by: Kyle Zeng
+Acked-by: Eric Dumazet
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sysctl.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2081,13 +2081,14 @@ int proc_dostring(struct ctl_table *tabl
+ (char __user *)buffer, lenp, ppos);
+ }
+
+-static size_t proc_skip_spaces(char **buf)
++static void proc_skip_spaces(char **buf, size_t *size)
+ {
+- size_t ret;
+- char *tmp = skip_spaces(*buf);
+- ret = tmp - *buf;
+- *buf = tmp;
+- return ret;
++ while (*size) {
++ if (!isspace(**buf))
++ break;
++ (*size)--;
++ (*buf)++;
++ }
+ }
+
+ static void proc_skip_char(char **buf, size_t *size, const char v)
+@@ -2324,7 +2325,7 @@ static int __do_proc_dointvec(void *tbl_
+ bool neg;
+
+ if (write) {
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+
+ if (!left)
+ break;
+@@ -2355,7 +2356,7 @@ static int __do_proc_dointvec(void *tbl_
+ if (!write && !first && left && !err)
+ err = proc_put_char(&buffer, &left, '\n');
+ if (write && !err && left)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (write) {
+ kfree(kbuf);
+ if (first)
+@@ -2404,7 +2405,7 @@ static int do_proc_douintvec_w(unsigned
+ if (IS_ERR(kbuf))
+ return -EINVAL;
+
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (!left) {
+ err = -EINVAL;
+ goto out_free;
+@@ -2424,7 +2425,7 @@ static int do_proc_douintvec_w(unsigned
+ }
+
+ if (!err && left)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+
+ out_free:
+ kfree(kbuf);
+@@ -2845,7 +2846,7 @@ static int __do_proc_doulongvec_minmax(v
+ if (write) {
+ bool neg;
+
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (!left)
+ break;
+
+@@ -2878,7 +2879,7 @@ static int __do_proc_doulongvec_minmax(v
+ if (!write && !first && left && !err)
+ err = proc_put_char(&buffer, &left, '\n');
+ if (write && !err)
+- left -= proc_skip_spaces(&p);
++ proc_skip_spaces(&p, &left);
+ if (write) {
+ kfree(kbuf);
+ if (first)
diff --git a/queue-4.19/series b/queue-4.19/series
index 25ba8e145ee..e138dfb2509 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -57,6 +57,8 @@ drm-amd-dc-dce120-fix-audio-register-mapping-stop-triggering-kasan.patch
 drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch
 btrfs-free-btrfs_path-before-copying-inodes-to-users.patch
 spi-spi-imx-fix-spi_bus_clk-if-requested-clock-is-hi.patch
+proc-avoid-integer-type-confusion-in-get_proc_long.patch
+proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
 kbuild-fix-wimplicit-function-declaration-in-license.patch
 iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch
 iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch
--
2.47.3
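Review bot: The rewritten proc_skip_spaces() in the first kernel/sysctl.c hunk of the second patch has a new contract, consuming at most `*size` bytes and no longer depending on a NUL terminator, but it carries no comment, and its callers still guard it differently: the trailing call in __do_proc_dointvec() sits under `if (write && !err && left)` while the one in __do_proc_doulongvec_minmax() sits under `if (write && !err)`. Because the loop condition `while (*size)` makes a zero length a no-op, both forms look safe as far as these hunks show. A comment on the function such as `/* Skip leading whitespace in a length-delimited (not NUL-terminated) buffer, advancing *buf and shrinking *size. */` would record the bound so it is not dropped in a later rework or backport. The callers' bodies start and end outside the hunks, so whether `left` always equals the bytes remaining behind `p` cannot be confirmed from here.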