From: Greg Kroah-Hartman Date: Fri, 20 Oct 2023 16:52:11 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.14.328~106 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=31cf0a87ef545058292e32d1b3232541426ddee8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: bluetooth-avoid-memcmp-out-of-bounds-warning.patch bluetooth-hci_event-fix-coding-style.patch
---
diff --git a/queue-4.14/bluetooth-avoid-memcmp-out-of-bounds-warning.patch b/queue-4.14/bluetooth-avoid-memcmp-out-of-bounds-warning.patch
new file mode 100644
index 00000000000..5c6240c4a22
--- /dev/null
+++ b/queue-4.14/bluetooth-avoid-memcmp-out-of-bounds-warning.patch
@@ -0,0 +1,52 @@
+From 9d1a3c74746428102d55371fbf74b484733937d9 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 9 Oct 2023 22:31:31 +0200
+Subject: Bluetooth: avoid memcmp() out of bounds warning
+
+From: Arnd Bergmann
+
+commit 9d1a3c74746428102d55371fbf74b484733937d9 upstream.
+
+bacmp() is a wrapper around memcpy(), which contain compile-time
+checks for buffer overflow. Since the hci_conn_request_evt() also calls
+bt_dev_dbg() with an implicit NULL pointer check, the compiler is now
+aware of a case where 'hdev' is NULL and treats this as meaning that
+zero bytes are available:
+
+In file included from net/bluetooth/hci_event.c:32:
+In function 'bacmp',
+ inlined from 'hci_conn_request_evt' at net/bluetooth/hci_event.c:3276:7:
+include/net/bluetooth/bluetooth.h:364:16: error: 'memcmp' specified bound 6 exceeds source size 0 [-Werror=stringop-overread]
+ 364 | return memcmp(ba1, ba2, sizeof(bdaddr_t));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add another NULL pointer check before the bacmp() to ensure the compiler
+understands the code flow enough to not warn about it. Since the patch
+that introduced the warning is marked for stable backports, this one
+should also go that way to avoid introducing build regressions.
+
+Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
+Cc: Kees Cook
+Cc: "Lee, Chun-Yi"
+Cc: Luiz Augusto von Dentz
+Cc: Marcel Holtmann
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Kees Cook
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2250,7 +2250,7 @@ static void hci_conn_request_evt(struct
+ /* Reject incoming connection from device with same BD ADDR against
+ * CVE-2020-26555
+ */
+- if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
++ if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ &ev->bdaddr);
+ hci_reject_conn(hdev, &ev->bdaddr);
diff --git a/queue-4.14/bluetooth-hci_event-fix-coding-style.patch b/queue-4.14/bluetooth-hci_event-fix-coding-style.patch
new file mode 100644
index 00000000000..6eef5a13196
--- /dev/null
+++ b/queue-4.14/bluetooth-hci_event-fix-coding-style.patch
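Review bot: The `hdev &&` added to the same-BD_ADDR test in hci_conn_request_evt() reads as a real NULL guard, yet the commit message says it exists only so the compiler stops reporting -Wstringop-overread on bacmp(); nothing in the code itself records that. Taken at face value the guard is also fail-open: with hdev NULL the CVE-2020-26555 rejection would be skipped rather than enforced, so a later reader should not be left wondering whether that path is reachable. I would add a comment above the condition, e.g. `/* hdev is not expected to be NULL here; the test only quiets -Wstringop-overread */`. The rest of hci_conn_request_evt() lies outside the hunk, so whether hdev is dereferenced unconditionally afterwards cannot be confirmed from this page.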
@@ -0,0 +1,34 @@
+From 35d91d95a0cd61ebb90e0246dc917fd25e519b8c Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Thu, 5 Oct 2023 14:12:19 -0700
+Subject: Bluetooth: hci_event: Fix coding style
+
+From: Luiz Augusto von Dentz
+
+commit 35d91d95a0cd61ebb90e0246dc917fd25e519b8c upstream.
+
+This fixes the following code style problem:
+
+ERROR: that open brace { should be on the previous line
++ if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
++ {
+
+Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_event.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2250,8 +2250,7 @@ static void hci_conn_request_evt(struct
+ /* Reject incoming connection from device with same BD ADDR against
+ * CVE-2020-26555
+ */
+- if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
+- {
++ if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ &ev->bdaddr);
+ hci_reject_conn(hdev, &ev->bdaddr);
diff --git a/queue-4.14/series b/queue-4.14/series
index 85fc03b9372..25828194bfa 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -27,3 +27,5 @@ bluetooth-hci_event-ignore-null-link-key.patch
 bluetooth-reject-connection-with-the-device-which-has-same-bd_addr.patch
 bluetooth-fix-a-refcnt-underflow-problem-for-hci_conn.patch
 bluetooth-vhci-fix-race-when-opening-vhci-device.patch
+bluetooth-hci_event-fix-coding-style.patch
+bluetooth-avoid-memcmp-out-of-bounds-warning.patch