From: Greg Kroah-Hartman
Date: Wed, 23 Dec 2020 15:01:35 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v5.10.3~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1156aa52302557bfaac0cec90de347b335938f5e;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch
crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch
md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
media-msi2500-assign-spi-bus-number-dynamically.patch
quota-sanity-check-quota-file-headers-on-load.patch
---
diff --git a/queue-5.4/bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch b/queue-5.4/bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch
new file mode 100644
index 00000000000..b4a1fdba8fd
--- /dev/null
+++ b/queue-5.4/bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch
@@ -0,0 +1,54 @@
+From f7e0e8b2f1b0a09b527885babda3e912ba820798 Mon Sep 17 00:00:00 2001
+From: Peilin Ye
+Date: Wed, 9 Sep 2020 03:17:00 -0400
+Subject: Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()
+
+From: Peilin Ye
+
+commit f7e0e8b2f1b0a09b527885babda3e912ba820798 upstream.
+
+`num_reports` is not being properly checked. A malformed event packet with
+a large `num_reports` number makes hci_le_direct_adv_report_evt() read out
+of bounds. Fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 2f010b55884e ("Bluetooth: Add support for handling LE Direct Advertising Report events")
+Reported-and-tested-by: syzbot+24ebd650e20bd263ca01@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=24ebd650e20bd263ca01
+Signed-off-by: Peilin Ye
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/hci_event.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5711,21 +5711,19 @@ static void hci_le_direct_adv_report_evt
+ struct sk_buff *skb)
+ {
+ u8 num_reports = skb->data[0];
+- void *ptr = &skb->data[1];
++ struct hci_ev_le_direct_adv_info *ev = (void *)&skb->data[1];
+
+- hci_dev_lock(hdev);
++ if (!num_reports || skb->len < num_reports * sizeof(*ev) + 1)
++ return;
+
+- while (num_reports--) {
+- struct hci_ev_le_direct_adv_info *ev = ptr;
++ hci_dev_lock(hdev);
+
++ for (; num_reports; num_reports--, ev++)
+ process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
+ ev->bdaddr_type, &ev->direct_addr,
+ ev->direct_addr_type, ev->rssi, NULL, 0,
+ false);
+
+- ptr += sizeof(*ev);
+- }
+-
+ hci_dev_unlock(hdev);
+ }
+
diff --git a/queue-5.4/crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch b/queue-5.4/crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch
new file mode 100644
index 00000000000..e44bf83361f
--- /dev/null
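Review bot: The new length guard `skb->len < num_reports * sizeof(*ev) + 1` in the hci_event.c hunk has no comment explaining the `+ 1`, which is the `num_reports` byte itself read from `skb->data[0]`; a reader checking the bound has to rederive it. Suggest `/* 1-byte num_reports header followed by num_reports fixed-size entries */` above the `if`. The multiplication cannot overflow because `num_reports` is `u8` and `sizeof(*ev)` is `size_t`, which is worth stating in the same comment so nobody later "fixes" it with a wider type. The enclosing function's signature begins before the inner hunk.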
+++ b/queue-5.4/crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch 
@@ -0,0 +1,108 @@
+From 92eb6c3060ebe3adf381fd9899451c5b047bb14d Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Mon, 26 Oct 2020 13:07:15 -0700
+Subject: crypto: af_alg - avoid undefined behavior accessing salg_name
+
+From: Eric Biggers
+
+commit 92eb6c3060ebe3adf381fd9899451c5b047bb14d upstream.
+
+Commit 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm
+names") made the kernel start accepting arbitrarily long algorithm names
+in sockaddr_alg. However, the actual length of the salg_name field
+stayed at the original 64 bytes.
+
+This is broken because the kernel can access indices >= 64 in salg_name,
+which is undefined behavior -- even though the memory that is accessed
+is still located within the sockaddr structure. It would only be
+defined behavior if the array were properly marked as arbitrary-length
+(either by making it a flexible array, which is the recommended way
+these days, or by making it an array of length 0 or 1).
+
+We can't simply change salg_name into a flexible array, since that would
+break source compatibility with userspace programs that embed
+sockaddr_alg into another struct, or (more commonly) declare a
+sockaddr_alg like 'struct sockaddr_alg sa = { .salg_name = "foo" };'.
+
+One solution would be to change salg_name into a flexible array only
+when '#ifdef __KERNEL__'. However, that would keep userspace without an
+easy way to actually use the longer algorithm names.
+
+Instead, add a new structure 'sockaddr_alg_new' that has the flexible
+array field, and expose it to both userspace and the kernel.
+Make the kernel use it correctly in alg_bind().
+
+This addresses the syzbot report
+"UBSAN: array-index-out-of-bounds in alg_bind"
+(https://syzkaller.appspot.com/bug?extid=92ead4eb8e26a26d465e).
+
+Reported-by: syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com
+Fixes: 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm names")
+Cc: # v4.12+
+Signed-off-by: Eric Biggers
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/af_alg.c | 10 +++++++---
+ include/uapi/linux/if_alg.h | 16 ++++++++++++++++
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -147,7 +147,7 @@ static int alg_bind(struct socket *sock,
+ const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY;
+ struct sock *sk = sock->sk;
+ struct alg_sock *ask = alg_sk(sk);
+- struct sockaddr_alg *sa = (void *)uaddr;
++ struct sockaddr_alg_new *sa = (void *)uaddr;
+ const struct af_alg_type *type;
+ void *private;
+ int err;
+@@ -155,7 +155,11 @@ static int alg_bind(struct socket *sock,
+ if (sock->state == SS_CONNECTED)
+ return -EINVAL;
+
+- if (addr_len < sizeof(*sa))
++ BUILD_BUG_ON(offsetof(struct sockaddr_alg_new, salg_name) !=
++ offsetof(struct sockaddr_alg, salg_name));
++ BUILD_BUG_ON(offsetof(struct sockaddr_alg, salg_name) != sizeof(*sa));
++
++ if (addr_len < sizeof(*sa) + 1)
+ return -EINVAL;
+
+ /* If caller uses non-allowed flag, return error. */
+@@ -163,7 +167,7 @@ static int alg_bind(struct socket *sock,
+ return -EINVAL;
+
+ sa->salg_type[sizeof(sa->salg_type) - 1] = 0;
+- sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0;
++ sa->salg_name[addr_len - sizeof(*sa) - 1] = 0;
+
+ type = alg_get_type(sa->salg_type);
+ if (IS_ERR(type) && PTR_ERR(type) == -ENOENT) {
+--- a/include/uapi/linux/if_alg.h
++++ b/include/uapi/linux/if_alg.h
+@@ -24,6 +24,22 @@ struct sockaddr_alg {
+ __u8 salg_name[64];
+ };
+
++/*
++ * Linux v4.12 and later removed the 64-byte limit on salg_name[]; it's now an
++ * arbitrary-length field. We had to keep the original struct above for source
++ * compatibility with existing userspace programs, though.
Use the new struct
++ * below if support for very long algorithm names is needed. To do this,
++ * allocate 'sizeof(struct sockaddr_alg_new) + strlen(algname) + 1' bytes, and
++ * copy algname (including the null terminator) into salg_name.
++ */
++struct sockaddr_alg_new {
++ __u16 salg_family;
++ __u8 salg_type[14];
++ __u32 salg_feat;
++ __u32 salg_mask;
++ __u8 salg_name[];
++};
++
+ struct af_alg_iv {
+ __u32 ivlen;
+ __u8 iv[0];
diff --git a/queue-5.4/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch b/queue-5.4/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
new file mode 100644
index 00000000000..c5647b30e2c
--- /dev/null
+++ b/queue-5.4/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
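Review bot: In the af_alg.c hunk the new guard `if (addr_len < sizeof(*sa) + 1)` and the later NUL write `sa->salg_name[addr_len - sizeof(*sa) - 1] = 0;` are coupled but neither says so; a comment on the guard such as `/* Need at least one byte of salg_name so the forced NUL terminator below is in bounds */` would make the invariant explicit. The second `BUILD_BUG_ON` pins `sizeof(*sa)` to the `salg_name` offset, which is what lets the index arithmetic ignore trailing padding; that too deserves a one-line comment next to it. The upper bound on `addr_len` is not visible in this hunk and is presumably enforced by the caller before alg_bind() runs; if so, the guard's comment should state that the NUL write relies on it. alg_bind() begins and ends outside the hunk.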
@@ -0,0 +1,75 @@
+From c731b84b51bf7fe83448bea8f56a6d55006b0615 Mon Sep 17 00:00:00 2001
+From: "Dae R. Jeong"
+Date: Thu, 22 Oct 2020 10:21:28 +0900
+Subject: md: fix a warning caused by a race between concurrent md_ioctl()s
+
+From: Dae R. Jeong
+
+commit c731b84b51bf7fe83448bea8f56a6d55006b0615 upstream.
+
+Syzkaller reports a warning as belows.
+WARNING: CPU: 0 PID: 9647 at drivers/md/md.c:7169
+...
+Call Trace:
+...
+RIP: 0010:md_ioctl+0x4017/0x5980 drivers/md/md.c:7169
+RSP: 0018:ffff888096027950 EFLAGS: 00010293
+RAX: ffff88809322c380 RBX: 0000000000000932 RCX: ffffffff84e266f2
+RDX: 0000000000000000 RSI: ffffffff84e299f7 RDI: 0000000000000007
+RBP: ffff888096027bc0 R08: ffff88809322c380 R09: ffffed101341a482
+R10: ffff888096027940 R11: ffff88809a0d240f R12: 0000000000000932
+R13: ffff8880a2c14100 R14: ffff88809a0d2268 R15: ffff88809a0d2408
+ __blkdev_driver_ioctl block/ioctl.c:304 [inline]
+ blkdev_ioctl+0xece/0x1c10 block/ioctl.c:606
+ block_ioctl+0xee/0x130 fs/block_dev.c:1930
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
+ ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is caused by a race between two concurrenct md_ioctl()s closing
+the array.
+CPU1 (md_ioctl()) CPU2 (md_ioctl())
+------ ------
+set_bit(MD_CLOSING, &mddev->flags);
+did_set_md_closing = true;
+ WARN_ON_ONCE(test_bit(MD_CLOSING,
+ &mddev->flags));
+if(did_set_md_closing)
+ clear_bit(MD_CLOSING, &mddev->flags);
+
+Fix the warning by returning immediately if the MD_CLOSING bit is set
+in &mddev->flags which indicates that the array is being closed.
+
+Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop")
+Reported-by: syzbot+1e46a0864c1a6e9bd3d8@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dae R. Jeong
+Signed-off-by: Song Liu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/md.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7371,8 +7371,11 @@ static int md_ioctl(struct block_device
+ err = -EBUSY;
+ goto out;
+ }
+- WARN_ON_ONCE(test_bit(MD_CLOSING, &mddev->flags));
+- set_bit(MD_CLOSING, &mddev->flags);
++ if (test_and_set_bit(MD_CLOSING, &mddev->flags)) {
++ mutex_unlock(&mddev->open_mutex);
++ err = -EBUSY;
++ goto out;
++ }
+ did_set_md_closing = true;
+ mutex_unlock(&mddev->open_mutex);
+ sync_blockdev(bdev);
diff --git a/queue-5.4/media-msi2500-assign-spi-bus-number-dynamically.patch b/queue-5.4/media-msi2500-assign-spi-bus-number-dynamically.patch
new file mode 100644
index 00000000000..6fd85394e8c
--- /dev/null
+++ b/queue-5.4/media-msi2500-assign-spi-bus-number-dynamically.patch
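Review bot: The new `test_and_set_bit(MD_CLOSING, &mddev->flags)` branch in the md.c hunk fails with -EBUSY without a comment on why, and it repeats the `mutex_unlock(&mddev->open_mutex); err = -EBUSY; goto out;` sequence of the error path visible just above it in the hunk. A comment such as `/* Another md_ioctl() is already closing this array; do not race it. */` would explain the -EBUSY, and the two paths could share one unlock-and-fail label if the preceding condition allows it, which cannot be judged here because md_ioctl() begins and ends outside the hunk. It is also worth stating in that comment that `did_set_md_closing` stays false on this path, so the cleanup described in the commit message will not clear a bit owned by the other caller — that is the property the fix depends on.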
@@ -0,0 +1,34 @@
+From 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 Mon Sep 17 00:00:00 2001
+From: Antti Palosaari
+Date: Sat, 17 Aug 2019 03:12:10 +0200
+Subject: media: msi2500: assign SPI bus number dynamically
+
+From: Antti Palosaari
+
+commit 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 upstream.
+
+SPI bus number must be assigned dynamically for each device, otherwise it
+will crash when multiple devices are plugged to system.
+
+Reported-and-tested-by: syzbot+c60ddb60b685777d9d59@syzkaller.appspotmail.com
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Antti Palosaari
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/msi2500/msi2500.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/msi2500/msi2500.c
++++ b/drivers/media/usb/msi2500/msi2500.c
+@@ -1230,7 +1230,7 @@ static int msi2500_probe(struct usb_inte
+ }
+
+ dev->master = master;
+- master->bus_num = 0;
++ master->bus_num = -1;
+ master->num_chipselect = 1;
+ master->transfer_one_message = msi2500_transfer_one_message;
+ spi_master_set_devdata(master, dev);
diff --git a/queue-5.4/quota-sanity-check-quota-file-headers-on-load.patch b/queue-5.4/quota-sanity-check-quota-file-headers-on-load.patch
new file mode 100644
index 00000000000..b69803952fc
--- /dev/null
+++ b/queue-5.4/quota-sanity-check-quota-file-headers-on-load.patch
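Review bot: The changed line `master->bus_num = -1;` in msi2500_probe() carries no comment, and a bare -1 reads like an error value rather than a request; `master->bus_num = -1; /* let the SPI core allocate a free bus number per device */` would tie the code to the dynamic-assignment intent stated in the commit message. The surrounding probe function begins and ends outside the hunk.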
@@ -0,0 +1,50 @@
+From 11c514a99bb960941535134f0587102855e8ddee Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Mon, 2 Nov 2020 16:16:29 +0100
+Subject: quota: Sanity-check quota file headers on load
+
+From: Jan Kara
+
+commit 11c514a99bb960941535134f0587102855e8ddee upstream.
+
+Perform basic sanity checks of quota headers to avoid kernel crashes on
+corrupted quota files.
+
+CC: stable@vger.kernel.org
+Reported-by: syzbot+f816042a7ae2225f25ba@syzkaller.appspotmail.com
+Reviewed-by: Andreas Dilger
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/quota/quota_v2.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/fs/quota/quota_v2.c
++++ b/fs/quota/quota_v2.c
+@@ -159,6 +159,25 @@ static int v2_read_file_info(struct supe
+ qinfo->dqi_entry_size = sizeof(struct v2r1_disk_dqblk);
+ qinfo->dqi_ops = &v2r1_qtree_ops;
+ }
++ ret = -EUCLEAN;
++ /* Some sanity checks of the read headers... */
++ if ((loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits >
++ i_size_read(sb_dqopt(sb)->files[type])) {
++ quota_error(sb, "Number of blocks too big for quota file size (%llu > %llu).",
++ (loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits,
++ i_size_read(sb_dqopt(sb)->files[type]));
++ goto out;
++ }
++ if (qinfo->dqi_free_blk >= qinfo->dqi_blocks) {
++ quota_error(sb, "Free block number too big (%u >= %u).",
++ qinfo->dqi_free_blk, qinfo->dqi_blocks);
++ goto out;
++ }
++ if (qinfo->dqi_free_entry >= qinfo->dqi_blocks) {
++ quota_error(sb, "Block with free entry too big (%u >= %u).",
++ qinfo->dqi_free_entry, qinfo->dqi_blocks);
++ goto out;
++ }
+ ret = 0;
+ out:
+ up_read(&dqopt->dqio_sem);
diff --git a/queue-5.4/series b/queue-5.4/series
index a3a3c983118..2a7ceffd5f1 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
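Review bot: In the quota_v2.c hunk the first `quota_error()` call passes two `loff_t` values (`(loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits` and `i_size_read(...)`) to `%llu`, a signed/unsigned mismatch that `-Wformat-signedness` reports; casting both arguments to `unsigned long long`, or printing them with `%lld`, would make the format match the types. The shift is only well-defined if `dqi_blocksize_bits` is small and set by the kernel rather than taken from the on-disk header; that is not visible in the hunk, and if it holds the `/* Some sanity checks of the read headers... */` comment should say so, along with why -EUCLEAN was chosen as the error for a malformed header. v2_read_file_info() begins and ends outside the hunk.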
@@ -64,3 +64,8 @@ coresight-etb10-fix-possible-null-ptr-dereference-in-etb_enable_perf.patch
 scsi-megaraid_sas-check-user-provided-offsets.patch
 hid-i2c-hid-add-vero-k147-to-descriptor-override.patch
 serial_core-check-for-port-state-when-tty-is-in-error-state.patch
+bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch
+quota-sanity-check-quota-file-headers-on-load.patch
+media-msi2500-assign-spi-bus-number-dynamically.patch
+crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch
+md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch