From a28f03c10cf40aea2603d3e5b9bcba2272c21e32 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 1 Jan 2024 13:11:08 -0500 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- queue-4.19/series | 2 + .../smb-client-fix-oob-in-smbcalcsize.patch | 84 +++++++++++++++++++ ...-hcd-delete-an-incorrect-bounds-test.patch | 63 ++++++++++++++ 3 files changed, 149 insertions(+) create mode 100644 queue-4.19/smb-client-fix-oob-in-smbcalcsize.patch create mode 100644 queue-4.19/usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch diff --git a/queue-4.19/series b/queue-4.19/series index 4413ef71810..2df37ee435e 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -35,3 +35,5 @@ net-9p-avoid-freeing-uninit-memory-in-p9pdu_vreadf.patch net-rfkill-gpio-set-gpio-direction.patch x86-alternatives-sync-core-before-enabling-interrupts.patch usb-musb-fix-musb_quirk_b_disconnect_99-handling.patch +usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch +smb-client-fix-oob-in-smbcalcsize.patch diff --git a/queue-4.19/smb-client-fix-oob-in-smbcalcsize.patch b/queue-4.19/smb-client-fix-oob-in-smbcalcsize.patch new file mode 100644 index 00000000000..16704681fa9 --- /dev/null +++ b/queue-4.19/smb-client-fix-oob-in-smbcalcsize.patch @@ -0,0 +1,84 @@ +From 38f802543fce4c7c3601e86bc7d867dc0701b778 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 19:59:14 -0300 +Subject: smb: client: fix OOB in smbCalcSize() + +From: Paulo Alcantara + +[ Upstream commit b35858b3786ddbb56e1c35138ba25d6adf8d0bef ] + +Validate @smb->WordCount to avoid reading off the end of @smb and thus +causing the following KASAN splat: + + BUG: KASAN: slab-out-of-bounds in smbCalcSize+0x32/0x40 [cifs] + Read of size 2 at addr ffff88801c024ec5 by task cifsd/1328 + + CPU: 1 PID: 1328 Comm: cifsd Not tainted 6.7.0-rc5 #9 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS + rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 + Call Trace: + + dump_stack_lvl+0x4a/0x80 + print_report+0xcf/0x650 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __phys_addr+0x46/0x90 + kasan_report+0xd8/0x110 + ? smbCalcSize+0x32/0x40 [cifs] + ? smbCalcSize+0x32/0x40 [cifs] + kasan_check_range+0x105/0x1b0 + smbCalcSize+0x32/0x40 [cifs] + checkSMB+0x162/0x370 [cifs] + ? __pfx_checkSMB+0x10/0x10 [cifs] + cifs_handle_standard+0xbc/0x2f0 [cifs] + ? srso_alias_return_thunk+0x5/0xfbef5 + cifs_demultiplex_thread+0xed1/0x1360 [cifs] + ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] + ? srso_alias_return_thunk+0x5/0xfbef5 + ? lockdep_hardirqs_on_prepare+0x136/0x210 + ? __pfx_lock_release+0x10/0x10 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? mark_held_locks+0x1a/0x90 + ? lockdep_hardirqs_on_prepare+0x136/0x210 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __kthread_parkme+0xce/0xf0 + ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] + kthread+0x18d/0x1d0 + ? kthread+0xdb/0x1d0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x34/0x60 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 + + +This fixes CVE-2023-6606. + +Reported-by: j51569436@gmail.com +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218218 +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/misc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c +index dd67f56ea61e5..c9ebfff5190a8 100644 +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -338,6 +338,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) + cifs_dbg(VFS, "Length less than smb header size\n"); + } + return -EIO; ++ } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) { ++ cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n", ++ __func__, smb->WordCount); ++ return -EIO; + } + + /* otherwise, there is enough to get to the BCC */ +-- +2.43.0 + diff --git a/queue-4.19/usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch b/queue-4.19/usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch new file mode 100644 index 00000000000..8769ea3765b --- /dev/null +++ b/queue-4.19/usb-fotg210-hcd-delete-an-incorrect-bounds-test.patch @@ -0,0 +1,63 @@ +From 819aa1d773adbe0d7c2949c5f77b9eb84f10e20a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 16:22:43 +0300 +Subject: usb: fotg210-hcd: delete an incorrect bounds test + +From: Dan Carpenter + +[ Upstream commit 7fbcd195e2b8cc952e4aeaeb50867b798040314c ] + +Here "temp" is the number of characters that we have written and "size" +is the size of the buffer. The intent was clearly to say that if we have +written to the end of the buffer then stop. + +However, for that to work the comparison should have been done on the +original "size" value instead of the "size -= temp" value. Not only +will that not trigger when we want to, but there is a small chance that +it will trigger incorrectly before we want it to and we break from the +loop slightly earlier than intended. + +This code was recently changed from using snprintf() to scnprintf(). With +snprintf() we likely would have continued looping and passed a negative +size parameter to snprintf(). This would have triggered an annoying +WARN(). Now that we have converted to scnprintf() "size" will never +drop below 1 and there is no real need for this test. We could change +the condition to "if (temp <= 1) goto done;" but just deleting the test +is cleanest. + +Fixes: 7d50195f6c50 ("usb: host: Faraday fotg210-hcd driver") +Cc: stable +Signed-off-by: Dan Carpenter +Reviewed-by: Linus Walleij +Reviewed-by: Lee Jones +Link: https://lore.kernel.org/r/ZXmwIwHe35wGfgzu@suswa +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/fotg210-hcd.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c +index 1577424319613..d87b4fb0d9af6 100644 +--- a/drivers/usb/host/fotg210-hcd.c ++++ b/drivers/usb/host/fotg210-hcd.c +@@ -426,8 +426,6 @@ static void qh_lines(struct fotg210_hcd *fotg210, struct fotg210_qh *qh, + temp = size; + size -= temp; + next += temp; +- if (temp == size) +- goto done; + } + + temp = snprintf(next, size, "\n"); +@@ -437,7 +435,6 @@ static void qh_lines(struct fotg210_hcd *fotg210, struct fotg210_qh *qh, + size -= temp; + next += temp; + +-done: + *sizep = size; + *nextp = next; + } +-- +2.43.0 + -- 2.47.3