--- /dev/null
+From a65cab7d7f05c2061a3e2490257d3086ff3202c6 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sat, 7 Mar 2020 18:38:49 -0800
+Subject: libfs: fix infoleak in simple_attr_read()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit a65cab7d7f05c2061a3e2490257d3086ff3202c6 upstream.
+
+Reading from a debugfs file at a nonzero position, without first reading
+at position 0, leaks uninitialized memory to userspace.
+
+It's a bit tricky to do this, since lseek() and pread() aren't allowed
+on these files, and write() doesn't update the position on them. But
+writing to them with splice() *does* update the position:
+
+ #define _GNU_SOURCE 1
+ #include <fcntl.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ int main()
+ {
+ int pipes[2], fd, n, i;
+ char buf[32];
+
+ pipe(pipes);
+ write(pipes[1], "0", 1);
+ fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
+ splice(pipes[0], NULL, fd, NULL, 1, 0);
+ n = read(fd, buf, sizeof(buf));
+ for (i = 0; i < n; i++)
+ printf("%02x", buf[i]);
+ printf("\n");
+ }
+
+Output:
+ 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30
+
+Fix the infoleak by making simple_attr_read() always fill
+simple_attr::get_buf if it hasn't been filled yet.
+
+Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
+Reported-by: Alexander Potapenko <glider@google.com>
+Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20200308023849.988264-1-ebiggers@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/libfs.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/libfs.c
++++ b/fs/libfs.c
+@@ -761,7 +761,7 @@ int simple_attr_open(struct inode *inode
+ {
+ struct simple_attr *attr;
+
+- attr = kmalloc(sizeof(*attr), GFP_KERNEL);
++ attr = kzalloc(sizeof(*attr), GFP_KERNEL);
+ if (!attr)
+ return -ENOMEM;
+
+@@ -801,9 +801,11 @@ ssize_t simple_attr_read(struct file *fi
+ if (ret)
+ return ret;
+
+- if (*ppos) { /* continued read */
++ if (*ppos && attr->get_buf[0]) {
++ /* continued read */
+ size = strlen(attr->get_buf);
+- } else { /* first read */
++ } else {
++ /* first read */
+ u64 val;
+ ret = attr->get(attr->data, &val);
+ if (ret)
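Review bot: The new `*ppos && attr->get_buf[0]` test in simple_attr_read() only works because the first hunk switches simple_attr_open() to kzalloc(), and nothing in the code records that dependency. A later change back to kmalloc(), or a new allocation path for struct simple_attr, would silently reintroduce the leak of uninitialized get_buf bytes to userspace. I would add a comment above the condition, for example `/* get_buf is zeroed at open (kzalloc); an empty buffer means it has not been filled yet, whatever *ppos says */`. The body of simple_attr_read() continues past the end of this hunk.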
--- /dev/null
+From f52981019ad8d6718de79b425a574c6bddf81f7c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 3 Jan 2020 17:35:12 +0100
+Subject: media: dib0700: fix rc endpoint lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit f52981019ad8d6718de79b425a574c6bddf81f7c upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid submitting an URB to an invalid endpoint.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge Nova-TD")
+Cc: stable <stable@vger.kernel.org> # 3.16
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dib0700_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dib0700_core.c
++++ b/drivers/media/usb/dvb-usb/dib0700_core.c
+@@ -783,7 +783,7 @@ int dib0700_rc_setup(struct dvb_usb_devi
+
+ /* Starting in firmware 1.20, the RC info is provided on a bulk pipe */
+
+- if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1)
++ if (intf->cur_altsetting->desc.bNumEndpoints < rc_ep + 1)
+ return -ENODEV;
+
+ purb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -805,7 +805,7 @@ int dib0700_rc_setup(struct dvb_usb_devi
+ * Some devices like the Hauppauge NovaTD model 52009 use an interrupt
+ * endpoint, while others use a bulk one.
+ */
+- e = &intf->altsetting[0].endpoint[rc_ep].desc;
++ e = &intf->cur_altsetting->endpoint[rc_ep].desc;
+ if (usb_endpoint_dir_in(e)) {
+ if (usb_endpoint_xfer_bulk(e)) {
+ pipe = usb_rcvbulkpipe(d->udev, rc_ep);
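Review bot: `rc_ep` is used as an index into `cur_altsetting->endpoint[]` for the bounds check and the descriptor lookup, but as an endpoint number in `usb_rcvbulkpipe(d->udev, rc_ep)`, and the two need not coincide on a device with unexpected descriptors. The type and direction tests are then applied to one endpoint while the URB may be built for another, which looks like the same invalid-endpoint submission the commit sets out to prevent. Building the pipe from the descriptor that was checked would close the gap, e.g. `pipe = usb_rcvbulkpipe(d->udev, usb_endpoint_num(e));`, and likewise for any interrupt-pipe branch that follows. dib0700_rc_setup() starts and ends outside the hunk, so the definition of rc_ep is inferred from its use here.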
--- /dev/null
+From 998912346c0da53a6dbb71fab3a138586b596b30 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 3 Jan 2020 17:35:09 +0100
+Subject: media: ov519: add missing endpoint sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 998912346c0da53a6dbb71fab3a138586b596b30 upstream.
+
+Make sure to check that we have at least one endpoint before accessing
+the endpoint array to avoid dereferencing a NULL-pointer on stream
+start.
+
+Note that these sanity checks are not redundant as the driver is mixing
+looking up altsettings by index and by number, which need not coincide.
+
+Fixes: 1876bb923c98 ("V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge")
+Fixes: b282d87332f5 ("V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)")
+Cc: stable <stable@vger.kernel.org> # 2.6.31
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/gspca/ov519.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/media/usb/gspca/ov519.c
++++ b/drivers/media/usb/gspca/ov519.c
+@@ -3507,6 +3507,11 @@ static void ov511_mode_init_regs(struct
+ return;
+ }
+
++ if (alt->desc.bNumEndpoints < 1) {
++ sd->gspca_dev.usb_err = -ENODEV;
++ return;
++ }
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ reg_w(sd, R51x_FIFO_PSIZE, packet_size >> 5);
+
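Review bot: The reason this `bNumEndpoints < 1` check is not redundant is recorded only in the commit message, so the added block in ov511_mode_init_regs() reads as duplicated validation and is a candidate for removal in a later cleanup. A one-line comment above it would keep the rationale with the code, for example `/* alt may have been looked up by number rather than by index, so its endpoint count is unchecked here */`. The same applies to the identical block added in ov518_mode_init_regs(). Both functions begin outside their hunks, so how `alt` is obtained is taken from the commit description rather than from visible lines.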
+@@ -3632,6 +3637,11 @@ static void ov518_mode_init_regs(struct
+ return;
+ }
+
++ if (alt->desc.bNumEndpoints < 1) {
++ sd->gspca_dev.usb_err = -ENODEV;
++ return;
++ }
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ ov518_reg_w32(sd, R51x_FIFO_PSIZE, packet_size & ~7, 2);
+
--- /dev/null
+From 485b06aadb933190f4bc44e006076bc27a23f205 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 3 Jan 2020 17:35:10 +0100
+Subject: media: stv06xx: add missing descriptor sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 485b06aadb933190f4bc44e006076bc27a23f205 upstream.
+
+Make sure to check that we have two alternate settings and at least one
+endpoint before accessing the second altsetting structure and
+dereferencing the endpoint arrays.
+
+This specifically avoids dereferencing NULL-pointers or corrupting
+memory when a device does not have the expected descriptors.
+
+Note that the sanity checks in stv06xx_start() and pb0100_start() are
+not redundant as the driver is mixing looking up altsettings by index
+and by number, which may not coincide.
+
+Fixes: 8668d504d72c ("V4L/DVB (12082): gspca_stv06xx: Add support for st6422 bridge and sensor")
+Fixes: c0b33bdc5b8d ("[media] gspca-stv06xx: support bandwidth changing")
+Cc: stable <stable@vger.kernel.org> # 2.6.31
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/gspca/stv06xx/stv06xx.c | 19 ++++++++++++++++++-
+ drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c | 4 ++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+@@ -293,6 +293,9 @@ static int stv06xx_start(struct gspca_de
+ return -EIO;
+ }
+
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ err = stv06xx_write_bridge(sd, STV_ISO_SIZE_L, packet_size);
+ if (err < 0)
+@@ -317,11 +320,21 @@ out:
+
+ static int stv06xx_isoc_init(struct gspca_dev *gspca_dev)
+ {
++ struct usb_interface_cache *intfc;
+ struct usb_host_interface *alt;
+ struct sd *sd = (struct sd *) gspca_dev;
+
++ intfc = gspca_dev->dev->actconfig->intf_cache[0];
++
++ if (intfc->num_altsetting < 2)
++ return -ENODEV;
++
++ alt = &intfc->altsetting[1];
++
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ /* Start isoc bandwidth "negotiation" at max isoc bandwidth */
+- alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ alt->endpoint[0].desc.wMaxPacketSize =
+ cpu_to_le16(sd->sensor->max_packet_size[gspca_dev->curr_mode]);
+
+@@ -334,6 +347,10 @@ static int stv06xx_isoc_nego(struct gspc
+ struct usb_host_interface *alt;
+ struct sd *sd = (struct sd *) gspca_dev;
+
++ /*
++ * Existence of altsetting and endpoint was verified in
++ * stv06xx_isoc_init()
++ */
+ alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ min_packet_size = sd->sensor->min_packet_size[gspca_dev->curr_mode];
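Review bot: The added comment in stv06xx_isoc_nego() states an invariant that the function itself cannot see: `altsetting[1]` and `endpoint[0]` are safe only if stv06xx_isoc_init() ran and returned 0 earlier on the same device. That ordering is presumably enforced by the gspca core, which is not visible here, so the comment should name it, for example `/* gspca core calls isoc_nego only after isoc_init succeeded, which verified altsetting[1] and its endpoint[0] */`. If that ordering is not guaranteed, the two checks from stv06xx_isoc_init() need repeating here, since the read of wMaxPacketSize would otherwise go through an unverified array. The same point applies to the comment added in sd_isoc_nego() in xirlink_cit.c.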
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
+@@ -198,6 +198,10 @@ static int pb0100_start(struct sd *sd)
+ alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);
+ if (!alt)
+ return -ENODEV;
++
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+
+ /* If we don't have enough bandwidth use a lower framerate */
--- /dev/null
+From a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 3 Jan 2020 17:35:11 +0100
+Subject: media: xirlink_cit: add missing descriptor sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 upstream.
+
+Make sure to check that we have two alternate settings and at least one
+endpoint before accessing the second altsetting structure and
+dereferencing the endpoint arrays.
+
+This specifically avoids dereferencing NULL-pointers or corrupting
+memory when a device does not have the expected descriptors.
+
+Note that the sanity check in cit_get_packet_size() is not redundant as
+the driver is mixing looking up altsettings by index and by number,
+which may not coincide.
+
+Fixes: 659fefa0eb17 ("V4L/DVB: gspca_xirlink_cit: Add support for camera with a bcd version of 0.01")
+Fixes: 59f8b0bf3c12 ("V4L/DVB: gspca_xirlink_cit: support bandwidth changing for devices with 1 alt setting")
+Cc: stable <stable@vger.kernel.org> # 2.6.37
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/gspca/xirlink_cit.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/xirlink_cit.c
++++ b/drivers/media/usb/gspca/xirlink_cit.c
+@@ -1455,6 +1455,9 @@ static int cit_get_packet_size(struct gs
+ return -EIO;
+ }
+
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ return le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ }
+
+@@ -2638,6 +2641,7 @@ static int sd_start(struct gspca_dev *gs
+
+ static int sd_isoc_init(struct gspca_dev *gspca_dev)
+ {
++ struct usb_interface_cache *intfc;
+ struct usb_host_interface *alt;
+ int max_packet_size;
+
+@@ -2653,8 +2657,17 @@ static int sd_isoc_init(struct gspca_dev
+ break;
+ }
+
++ intfc = gspca_dev->dev->actconfig->intf_cache[0];
++
++ if (intfc->num_altsetting < 2)
++ return -ENODEV;
++
++ alt = &intfc->altsetting[1];
++
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ /* Start isoc bandwidth "negotiation" at max isoc bandwidth */
+- alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(max_packet_size);
+
+ return 0;
+@@ -2677,6 +2690,9 @@ static int sd_isoc_nego(struct gspca_dev
+ break;
+ }
+
++ /*
++ * Existence of altsetting and endpoint was verified in sd_isoc_init()
++ */
+ alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ if (packet_size <= min_packet_size)
media-usbtv-fix-control-message-timeouts.patch
staging-rtl8188eu-add-asus-usb-n10-nano-b1-to-device-table.patch
staging-wlan-ng-fix-use-after-free-read-in-hfa384x_usbin_callback.patch
+libfs-fix-infoleak-in-simple_attr_read.patch
+media-ov519-add-missing-endpoint-sanity-checks.patch
+media-dib0700-fix-rc-endpoint-lookup.patch
+media-stv06xx-add-missing-descriptor-sanity-checks.patch
+media-xirlink_cit-add-missing-descriptor-sanity-checks.patch