From: Greg Kroah-Hartman Date: Mon, 5 Apr 2021 08:21:50 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.265~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0bc07a087005ffd7da64b17f09d3fab7d526eeec;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch staging-rtl8192e-change-state-information-from-u16-to-u8.patch staging-rtl8192e-fix-incorrect-source-in-memcpy.patch --- diff --git a/queue-4.19/drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch b/queue-4.19/drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch new file mode 100644 index 00000000000..00ab1572493 --- /dev/null +++ b/queue-4.19/drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch @@ -0,0 +1,32 @@ +From 01faae5193d6190b7b3aa93dae43f514e866d652 Mon Sep 17 00:00:00 2001 +From: Du Cheng +Date: Fri, 12 Mar 2021 16:14:21 +0800 +Subject: drivers: video: fbcon: fix NULL dereference in fbcon_cursor() + +From: Du Cheng + +commit 01faae5193d6190b7b3aa93dae43f514e866d652 upstream. + +add null-check on function pointer before dereference on ops->cursor + +Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com +Cc: stable +Signed-off-by: Du Cheng +Link: https://lore.kernel.org/r/20210312081421.452405-1-ducheng2@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -1306,6 +1306,9 @@ static void fbcon_cursor(struct vc_data + + ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1; + ++ if (!ops->cursor) ++ return; ++ + ops->cursor(vc, info, mode, get_color(vc, info, c, 1), + get_color(vc, info, c, 0)); + } diff --git a/queue-4.19/series b/queue-4.19/series index f8a760447be..d3620dca7b7 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -51,3 +51,6 @@ usb-cdc-acm-fix-double-free-on-probe-failure.patch usb-cdc-acm-fix-use-after-free-after-probe-failure.patch usb-gadget-udc-amd5536udc_pci-fix-null-ptr-dereference.patch usb-dwc2-fix-hprt0.prtsusp-bit-setting-for-hikey-960-board.patch +staging-rtl8192e-fix-incorrect-source-in-memcpy.patch +staging-rtl8192e-change-state-information-from-u16-to-u8.patch +drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch diff --git a/queue-4.19/staging-rtl8192e-change-state-information-from-u16-to-u8.patch b/queue-4.19/staging-rtl8192e-change-state-information-from-u16-to-u8.patch new file mode 100644 index 00000000000..78dad5375f3 --- /dev/null +++ b/queue-4.19/staging-rtl8192e-change-state-information-from-u16-to-u8.patch 
@@ -0,0 +1,74 @@ +From e78836ae76d20f38eed8c8c67f21db97529949da Mon Sep 17 00:00:00 2001 +From: Atul Gopinathan +Date: Tue, 23 Mar 2021 17:04:14 +0530 +Subject: staging: rtl8192e: Change state information from u16 to u8 + +From: Atul Gopinathan + +commit e78836ae76d20f38eed8c8c67f21db97529949da upstream. + +The "u16 CcxRmState[2];" array field in struct "rtllib_network" has 4 +bytes in total while the operations performed on this array through-out +the code base are only 2 bytes. + +The "CcxRmState" field is fed only 2 bytes of data using memcpy(): + +(In rtllib_rx.c:1972) + memcpy(network->CcxRmState, &info_element->data[4], 2) + +With "info_element->data[]" being a u8 array, if 2 bytes are written +into "CcxRmState" (whose one element is u16 size), then the 2 u8 +elements from "data[]" gets squashed and written into the first element +("CcxRmState[0]") while the second element ("CcxRmState[1]") is never +fed with any data. + +Same in file rtllib_rx.c:2522: + memcpy(dst->CcxRmState, src->CcxRmState, 2); + +The above line duplicates "src" data to "dst" but only writes 2 bytes +(and not 4, which is the actual size). Again, only 1st element gets the +value while the 2nd element remains uninitialized. + +This later makes operations done with CcxRmState unpredictable in the +following lines as the 1st element is having a squashed number while the +2nd element is having an uninitialized random number. + +rtllib_rx.c:1973: if (network->CcxRmState[0] != 0) +rtllib_rx.c:1977: network->MBssidMask = network->CcxRmState[1] & 0x07; + +network->MBssidMask is also of type u8 and not u16. + +Fix this by changing the type of "CcxRmState" from u16 to u8 so that the +data written into this array and read from it make sense and are not +random values. 
+ +NOTE: The wrong initialization of "CcxRmState" can be seen in the +following commit: + +commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver") + +The above commit created a file `rtl8192e/ieee80211.h` which used to +have the faulty line. The file has been deleted (or possibly renamed) +with the contents copied in to a new file `rtl8192e/rtllib.h` along with +additional code in the commit 94a799425eee (tagged in Fixes). + +Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") +Cc: stable@vger.kernel.org +Signed-off-by: Atul Gopinathan +Link: https://lore.kernel.org/r/20210323113413.29179-2-atulgopinathan@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8192e/rtllib.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8192e/rtllib.h ++++ b/drivers/staging/rtl8192e/rtllib.h +@@ -1110,7 +1110,7 @@ struct rtllib_network { + bool bWithAironetIE; + bool bCkipSupported; + bool bCcxRmEnable; +- u16 CcxRmState[2]; ++ u8 CcxRmState[2]; + bool bMBssidValid; + u8 MBssidMask; + u8 MBssid[ETH_ALEN]; diff --git a/queue-4.19/staging-rtl8192e-fix-incorrect-source-in-memcpy.patch b/queue-4.19/staging-rtl8192e-fix-incorrect-source-in-memcpy.patch new file mode 100644 index 00000000000..408f2441d44 --- /dev/null +++ b/queue-4.19/staging-rtl8192e-fix-incorrect-source-in-memcpy.patch 
@@ -0,0 +1,67 @@ +From 72ad25fbbb78930f892b191637359ab5b94b3190 Mon Sep 17 00:00:00 2001 +From: Atul Gopinathan +Date: Tue, 23 Mar 2021 17:04:12 +0530 +Subject: staging: rtl8192e: Fix incorrect source in memcpy() + +From: Atul Gopinathan + +commit 72ad25fbbb78930f892b191637359ab5b94b3190 upstream. + +The variable "info_element" is of the following type: + + struct rtllib_info_element *info_element + +defined in drivers/staging/rtl8192e/rtllib.h: + + struct rtllib_info_element { + u8 id; + u8 len; + u8 data[]; + } __packed; + +The "len" field defines the size of the "data[]" array. The code is +supposed to check if "info_element->len" is greater than 4 and later +equal to 6. If this is satisfied then, the last two bytes (the 4th and +5th element of u8 "data[]" array) are copied into "network->CcxRmState". + +Right now the code uses "memcpy()" with the source as "&info_element[4]" +which would copy in wrong and unintended information. The struct +"rtllib_info_element" has a size of 2 bytes for "id" and "len", +therefore indexing will be done in interval of 2 bytes. So, +"info_element[4]" would point to data which is beyond the memory +allocated for this pointer (that is, at x+8, while "info_element" has +been allocated only from x to x+7 (2 + 6 => 8 bytes)). + +This patch rectifies this error by using "&info_element->data[4]" which +correctly copies the last two bytes of "data[]". + +NOTE: The faulty line of code came from the following commit: + +commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver") + +The above commit created the file `rtl8192e/ieee80211/ieee80211_rx.c` +which had the faulty line of code. This file has been deleted (or +possibly renamed) with the contents copied in to a new file +`rtl8192e/rtllib_rx.c` along with additional code in the commit +94a799425eee (tagged in Fixes). 
+ +Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") +Cc: stable@vger.kernel.org +Signed-off-by: Atul Gopinathan +Link: https://lore.kernel.org/r/20210323113413.29179-1-atulgopinathan@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8192e/rtllib_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8192e/rtllib_rx.c ++++ b/drivers/staging/rtl8192e/rtllib_rx.c +@@ -1978,7 +1978,7 @@ static void rtllib_parse_mife_generic(st + info_element->data[2] == 0x96 && + info_element->data[3] == 0x01) { + if (info_element->len == 6) { +- memcpy(network->CcxRmState, &info_element[4], 2); ++ memcpy(network->CcxRmState, &info_element->data[4], 2); + if (network->CcxRmState[0] != 0) + network->bCcxRmEnable = true; + else
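Review bot: In the fbcon.c hunk of drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch, the new `if (!ops->cursor) return;` is placed after `ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;`, so the flash state is still updated for a backend that provides no cursor operation; if that is intended it deserves a one-line comment, otherwise the early return should precede the assignment. The commit message ("add null-check on function pointer before dereference on ops->cursor") also never says which path leaves `ops->cursor` NULL; the syzbot report tag is the only pointer to the root cause, and a sentence naming the fbcon ops setup that skips `cursor` would let a stable reviewer judge whether this guard is the complete fix or a symptom fix.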
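Review bot: In the rtllib.h hunk of staging-rtl8192e-change-state-information-from-u16-to-u8.patch, `u8 CcxRmState[2];` now has a layout the message describes only in prose (byte 0 tested as `CcxRmState[0] != 0`, byte 1 masked with `& 0x07` into the u8 `MBssidMask`); a short comment on the field, e.g. `/* byte 0: CCX RM state, byte 1: bits 0-2 = MBSSID mask */`, would stop the next reader from reintroducing a wider type. The message also cites a second copy site, `memcpy(dst->CcxRmState, src->CcxRmState, 2)` at rtllib_rx.c:2522, that still uses a literal length; since the array is now exactly 2 bytes that is correct, but `sizeof(dst->CcxRmState)` would keep it correct if the type changes again.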
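Review bot: In the rtllib_rx.c hunk of staging-rtl8192e-fix-incorrect-source-in-memcpy.patch, the replacement `memcpy(network->CcxRmState, &info_element->data[4], 2);` is bounded by the visible `if (info_element->len == 6)` check, so `data[4]` and `data[5]` lie inside the element and the out-of-bounds read described in the message (old source at x+8 for an element occupying x..x+7) is gone. The length `2` remains hard-coded while the destination is an array; `sizeof(network->CcxRmState)` would tie the copy to the type that the companion u16-to-u8 patch in this same queue is changing, and the series order (memcpy fix first, then the type change) is consistent with that dependency.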