4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 23 Jun 2019 16:03:10 +0000 (18:03 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 23 Jun 2019 16:03:10 +0000 (18:03 +0200)
added patches:
apparmor-enforce-nullbyte-at-end-of-tag-string.patch
input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch

queue-4.4/apparmor-enforce-nullbyte-at-end-of-tag-string.patch [new file with mode: 0644]
queue-4.4/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/apparmor-enforce-nullbyte-at-end-of-tag-string.patch b/queue-4.4/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
new file mode 100644 (file)
index 0000000..2f047c6
--- /dev/null
@@ -0,0 +1,38 @@
+From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 28 May 2019 17:32:26 +0200
+Subject: apparmor: enforce nullbyte at end of tag string
+
+From: Jann Horn <jannh@google.com>
+
+commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
+
+A packed AppArmor policy contains null-terminated tag strings that are read
+by unpack_nameX(). However, unpack_nameX() uses string functions on them
+without ensuring that they are actually null-terminated, potentially
+leading to out-of-bounds accesses.
+
+Make sure that the tag string is null-terminated before passing it to
+strcmp().
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/policy_unpack.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -177,7 +177,7 @@ static bool unpack_nameX(struct aa_ext *
+               char *tag = NULL;
+               size_t size = unpack_u16_chunk(e, &tag);
+               /* if a name is specified it must match. otherwise skip tag */
+-              if (name && (!size || strcmp(name, tag)))
++              if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
+                       goto fail;
+       } else if (name) {
+               /* if a name is specified and there is no name tag fail */
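Review bot: The added `tag[size-1] != '\0'` test in unpack_nameX() is safe only because `!size` is evaluated before it, and nothing in the code says so. `tag` starts as NULL and is presumably filled in only when unpack_u16_chunk() returns a non-zero length (that helper is outside the hunk), so reordering the operands could turn the rejection of a malformed policy blob into a NULL dereference. The comment above the condition still describes only the name match; I would extend it to something like `/* name must match: size is checked first so tag is valid, and the chunk must end in NUL before strcmp() reads it */`. The terminator check is skipped when `name` is NULL, which looks fine because `tag` is block-local and not read on that path. The rest of unpack_nameX() lies outside the hunk.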
diff --git a/queue-4.4/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch b/queue-4.4/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
new file mode 100644 (file)
index 0000000..baee4dd
--- /dev/null
@@ -0,0 +1,61 @@
+From 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 Mon Sep 17 00:00:00 2001
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+Date: Thu, 23 May 2019 12:55:26 -0700
+Subject: Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
+
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+
+commit 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 upstream.
+
+In the case of compat syscall ioctl numbers for UI_BEGIN_FF_UPLOAD and
+UI_END_FF_UPLOAD need to be adjusted before being passed on
+uinput_ioctl_handler() since code built with -m32 will be passing
+slightly different values. Extend the code already covering
+UI_SET_PHYS to cover UI_BEGIN_FF_UPLOAD and UI_END_FF_UPLOAD as well.
+
+Reported-by: Pierre-Loup A. Griffais <pgriffais@valvesoftware.com>
+Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/uinput.c |   22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -894,13 +894,31 @@ static long uinput_ioctl(struct file *fi
+ #ifdef CONFIG_COMPAT
+-#define UI_SET_PHYS_COMPAT    _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++/*
++ * These IOCTLs change their size and thus their numbers between
++ * 32 and 64 bits.
++ */
++#define UI_SET_PHYS_COMPAT            \
++      _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++#define UI_BEGIN_FF_UPLOAD_COMPAT     \
++      _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
++#define UI_END_FF_UPLOAD_COMPAT               \
++      _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
+ static long uinput_compat_ioctl(struct file *file,
+                               unsigned int cmd, unsigned long arg)
+ {
+-      if (cmd == UI_SET_PHYS_COMPAT)
++      switch (cmd) {
++      case UI_SET_PHYS_COMPAT:
+               cmd = UI_SET_PHYS;
++              break;
++      case UI_BEGIN_FF_UPLOAD_COMPAT:
++              cmd = UI_BEGIN_FF_UPLOAD;
++              break;
++      case UI_END_FF_UPLOAD_COMPAT:
++              cmd = UI_END_FF_UPLOAD;
++              break;
++      }
+       return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
+ }
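Review bot: The new `switch (cmd)` in uinput_compat_ioctl() has no `default:` arm and nothing stating that every other command is deliberately forwarded to uinput_ioctl_handler() with its number untranslated. I would add `default: break;` with a comment such as `/* all other commands encode the same size for 32- and 64-bit callers */`, so a future ioctl with a pointer- or long-sized argument is not silently missed. The two new macros derive their numbers from `sizeof(struct uinput_ff_upload_compat)`, which is declared outside this hunk. For the 4.4 backport, confirm that the struct is present under CONFIG_COMPAT in this tree and has the same layout as upstream, otherwise the translated numbers will not match what -m32 userspace sends.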
index 806c840575c71d3e9972948d6fbc2118b2aca59a..cea4d04f73e480afb1c9aae7f288341c64bbb9c7 100644 (file)
@@ -1,3 +1,5 @@
 tracing-silence-gcc-9-array-bounds-warning.patch
 gcc-9-silence-address-of-packed-member-warning.patch
 usb-chipidea-udc-workaround-for-endpoint-conflict-issue.patch
+input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
+apparmor-enforce-nullbyte-at-end-of-tag-string.patch