--- /dev/null
+From 0aa171e9b267ce7c52d3a3df7bc9c1fc0203dec5 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Sat, 2 Jan 2021 14:59:09 +0100
+Subject: crypto: ecdh - avoid buffer overflow in ecdh_set_secret()
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 0aa171e9b267ce7c52d3a3df7bc9c1fc0203dec5 upstream.
+
+Pavel reports that commit 17858b140bf4 ("crypto: ecdh - avoid unaligned
+accesses in ecdh_set_secret()") fixes one problem but introduces another:
+the unconditional memcpy() introduced by that commit may overflow the
+target buffer if the source data is invalid, which could be the result of
+intentional tampering.
+
+So check params.key_size explicitly against the size of the target buffer
+before validating the key further.
+
+Fixes: 17858b140bf4 ("crypto: ecdh - avoid unaligned accesses in ecdh_set_secret()")
+Reported-by: Pavel Machek <pavel@denx.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/ecdh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/ecdh.c
++++ b/crypto/ecdh.c
+@@ -43,7 +43,8 @@ static int ecdh_set_secret(struct crypto
+ struct ecdh params;
+ unsigned int ndigits;
+
+- if (crypto_ecdh_decode_key(buf, len, ¶ms) < 0)
++ if (crypto_ecdh_decode_key(buf, len, ¶ms) < 0 ||
++ params.key_size > sizeof(ctx->private_key))
+ return -EINVAL;
+
+ ndigits = ecdh_supported_curve(params.curve_id);
net-mvpp2-fix-gop-port-3-networking-complex-control-configurations.patch
net-systemport-set-dev-max_mtu-to-umac_max_mtu_size.patch
video-hyperv_fb-fix-the-mmap-regression-for-v5.4.y-a.patch
+crypto-ecdh-avoid-buffer-overflow-in-ecdh_set_secret.patch
+usb-gadget-enable-super-speed-plus.patch
+usb-cdc-acm-blacklist-another-ir-droid-device.patch
--- /dev/null
+From 0ffc76539e6e8d28114f95ac25c167c37b5191b3 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 27 Dec 2020 13:45:02 +0000
+Subject: USB: cdc-acm: blacklist another IR Droid device
+
+From: Sean Young <sean@mess.org>
+
+commit 0ffc76539e6e8d28114f95ac25c167c37b5191b3 upstream.
+
+This device is supported by the IR Toy driver.
+
+Reported-by: Georgi Bakalski <georgi.bakalski@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201227134502.4548-2-sean@mess.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1952,6 +1952,10 @@ static const struct usb_device_id acm_id
+ { USB_DEVICE(0x04d8, 0x0083), /* Bootloader mode */
+ .driver_info = IGNORE_DEVICE,
+ },
++
++ { USB_DEVICE(0x04d8, 0xf58b),
++ .driver_info = IGNORE_DEVICE,
++ },
+ #endif
+
+ /*Samsung phone in firmware update mode */
--- /dev/null
+From e2459108b5a0604c4b472cae2b3cb8d3444c77fb Mon Sep 17 00:00:00 2001
+From: "taehyun.cho" <taehyun.cho@samsung.com>
+Date: Thu, 7 Jan 2021 00:46:25 +0900
+Subject: usb: gadget: enable super speed plus
+
+From: taehyun.cho <taehyun.cho@samsung.com>
+
+commit e2459108b5a0604c4b472cae2b3cb8d3444c77fb upstream.
+
+Enable Super speed plus in configfs to support USB3.1 Gen2.
+This ensures that when a USB gadget is plugged in, it is
+enumerated as Gen 2 and connected at 10 Gbps if the host and
+cable are capable of it.
+
+Many in-tree gadget functions (fs, midi, acm, ncm, mass_storage,
+etc.) already have SuperSpeed Plus support.
+
+Tested: plugged gadget into Linux host and saw:
+[284907.385986] usb 8-2: new SuperSpeedPlus Gen 2 USB device number 3 using xhci_hcd
+
+Tested-by: Lorenzo Colitti <lorenzo@google.com>
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: taehyun.cho <taehyun.cho@samsung.com>
+Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
+Link: https://lore.kernel.org/r/20210106154625.2801030-1-lorenzo@google.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/configfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1504,7 +1504,7 @@ static const struct usb_gadget_driver co
+ .suspend = configfs_composite_suspend,
+ .resume = configfs_composite_resume,
+
+- .max_speed = USB_SPEED_SUPER,
++ .max_speed = USB_SPEED_SUPER_PLUS,
+ .driver = {
+ .owner = THIS_MODULE,
+ .name = "configfs-gadget",
+@@ -1544,7 +1544,7 @@ static struct config_group *gadgets_make
+ gi->composite.unbind = configfs_do_nothing;
+ gi->composite.suspend = NULL;
+ gi->composite.resume = NULL;
+- gi->composite.max_speed = USB_SPEED_SUPER;
++ gi->composite.max_speed = USB_SPEED_SUPER_PLUS;
+
+ spin_lock_init(&gi->spinlock);
+ mutex_init(&gi->lock);
projects / thirdparty / kernel / stable-queue.git / commitdiff
