From: Greg Kroah-Hartman Date: Fri, 7 Aug 2020 14:02:27 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.19.139~34 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=51ae1d2afef8216246d7c368cde86250f4d5d697;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-seq-oss-serialize-ioctls.patch bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch mtd-properly-check-all-write-ioctls-for-permissions.patch vgacon-fix-for-missing-check-in-scrollback-handling.patch --- diff --git a/queue-4.4/alsa-seq-oss-serialize-ioctls.patch b/queue-4.4/alsa-seq-oss-serialize-ioctls.patch new file mode 100644 index 00000000000..ff65c66ca4d --- /dev/null +++ b/queue-4.4/alsa-seq-oss-serialize-ioctls.patch 
@@ -0,0 +1,51 @@ +From 80982c7e834e5d4e325b6ce33757012ecafdf0bb Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 4 Aug 2020 20:58:15 +0200 +Subject: ALSA: seq: oss: Serialize ioctls + +From: Takashi Iwai + +commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream. + +Some ioctls via OSS sequencer API may race and lead to UAF when the +port create and delete are performed concurrently, as spotted by a +couple of syzkaller cases. This patch is an attempt to address it by +serializing the ioctls with the existing register_mutex. + +Basically OSS sequencer API is an obsoleted interface and was designed +without much consideration of the concurrency. There are very few +applications with it, and the concurrent performance isn't asked, +hence this "big hammer" approach should be good enough. + +Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com +Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com +Suggested-by: Hillf Danton +Cc: +Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/oss/seq_oss.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/core/seq/oss/seq_oss.c ++++ b/sound/core/seq/oss/seq_oss.c +@@ -180,10 +180,16 @@ static long + odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { + struct seq_oss_devinfo *dp; ++ long rc; ++ + dp = file->private_data; + if (snd_BUG_ON(!dp)) + return -ENXIO; +- return snd_seq_oss_ioctl(dp, cmd, arg); ++ ++ mutex_lock(®ister_mutex); ++ rc = snd_seq_oss_ioctl(dp, cmd, arg); ++ mutex_unlock(®ister_mutex); ++ return rc; + } + + #ifdef CONFIG_COMPAT diff --git a/queue-4.4/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch b/queue-4.4/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch new file mode 100644 index 00000000000..b22dd8cc5be --- /dev/null 
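Review bot: The serialization covers only the ioctl entry point; `odev_read`, `odev_write` and `odev_poll` (outside this hunk) still run without `register_mutex`, so if they dereference the same port objects that a raced create/delete ioctl frees, the UAF window is narrowed rather than closed — worth confirming against the syzkaller reproducers before treating this as the complete fix. The `#ifdef CONFIG_COMPAT` path that begins at the end of the hunk must route through `odev_ioctl` (as it does in mainline) so 32-bit callers are serialized too; if the 4.4 compat handler calls `snd_seq_oss_ioctl` directly it needs the same lock. A why-comment would help, since `register_mutex` otherwise reads as an open/release lock: `/* Serialize ioctls: concurrent port create/delete can free a port still in use (syzkaller UAF) */`. Holding the mutex across `snd_seq_oss_ioctl` is fine for a sleeping context, but it now forbids calling this path from atomic context.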
+++ b/queue-4.4/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch @@ -0,0 +1,39 @@ +From 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Fri, 10 Jul 2020 12:09:15 -0400 +Subject: Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() + +From: Peilin Ye + +commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream. + +Check upon `num_rsp` is insufficient. A malformed event packet with a +large `num_rsp` number makes hci_extended_inquiry_result_evt() go out +of bounds. Fix it. + +This patch fixes the following syzbot bug: + + https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2 + +Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Peilin Ye +Acked-by: Greg Kroah-Hartman +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3812,7 +3812,7 @@ static void hci_extended_inquiry_result_ + + BT_DBG("%s num_rsp %d", hdev->name, num_rsp); + +- if (!num_rsp) ++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) + return; + + if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) diff --git a/queue-4.4/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch b/queue-4.4/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch new file mode 100644 index 00000000000..c052648f35c --- /dev/null +++ b/queue-4.4/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch 
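Review bot: The new bound `skb->len < num_rsp * sizeof(*info) + 1` matches an `info` array that starts at `skb->data + 1` (the assignment is above the hunk), but the bare `+ 1` and the multiplication deserve a comment, especially as the same expression is now repeated in three handlers of this series; suggested above the check: `/* num_rsp is controller-supplied: verify the payload really holds num_rsp records after the count byte */`. If `num_rsp` is the `u8` read from the first payload byte, as in mainline (its declaration is outside the hunk), the product cannot overflow and no wider type is needed. Other handlers in hci_event.c that walk `skb->data` by a count taken from the packet are outside this patch set and would be worth auditing for the same missing length check. The remainder of hci_extended_inquiry_result_evt() lies outside the hunk.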
@@ -0,0 +1,31 @@ +From 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Fri, 10 Jul 2020 17:39:18 -0400 +Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt() + +From: Peilin Ye + +commit 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a upstream. + +Check `num_rsp` before using it as for-loop counter. + +Cc: stable@vger.kernel.org +Signed-off-by: Peilin Ye +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2094,7 +2094,7 @@ static void hci_inquiry_result_evt(struc + + BT_DBG("%s num_rsp %d", hdev->name, num_rsp); + +- if (!num_rsp) ++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) + return; + + if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) diff --git a/queue-4.4/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch b/queue-4.4/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch new file mode 100644 index 00000000000..8976ec8785e --- /dev/null +++ b/queue-4.4/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch 
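Review bot: The check correctly sits before `hci_dev_lock()`, so the early `return` cannot leave the lock held, unlike the rssi variant in this series which has to `goto unlock`; that asymmetry is easy to break in a later backport, so a one-line comment would help: `/* Bail before taking hdev->lock: the controller may claim more records than the packet carries */`. The bound also covers a truncated packet with `skb->len` of 0 or 1, where any non-zero `num_rsp` now fails the length test, which the old `!num_rsp` check alone did not catch. The loop that consumes `info` is outside the hunk.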
@@ -0,0 +1,50 @@ +From 629b49c848ee71244203934347bd7730b0ddee8d Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Fri, 10 Jul 2020 17:45:26 -0400 +Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt() + +From: Peilin Ye + +commit 629b49c848ee71244203934347bd7730b0ddee8d upstream. + +Check `num_rsp` before using it as for-loop counter. Add `unlock` label. + +Cc: stable@vger.kernel.org +Signed-off-by: Peilin Ye +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3609,6 +3609,9 @@ static void hci_inquiry_result_with_rssi + struct inquiry_info_with_rssi_and_pscan_mode *info; + info = (void *) (skb->data + 1); + ++ if (skb->len < num_rsp * sizeof(*info) + 1) ++ goto unlock; ++ + for (; num_rsp; num_rsp--, info++) { + u32 flags; + +@@ -3630,6 +3633,9 @@ static void hci_inquiry_result_with_rssi + } else { + struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); + ++ if (skb->len < num_rsp * sizeof(*info) + 1) ++ goto unlock; ++ + for (; num_rsp; num_rsp--, info++) { + u32 flags; + +@@ -3650,6 +3656,7 @@ static void hci_inquiry_result_with_rssi + } + } + ++unlock: + hci_dev_unlock(hdev); + } + diff --git a/queue-4.4/mtd-properly-check-all-write-ioctls-for-permissions.patch b/queue-4.4/mtd-properly-check-all-write-ioctls-for-permissions.patch new file mode 100644 index 00000000000..611bbbb8cc4 --- /dev/null +++ b/queue-4.4/mtd-properly-check-all-write-ioctls-for-permissions.patch 
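Review bot: Both branches now duplicate the same bound with different `info` types, and the branch selection above the hunk (in mainline it divides `skb->len - 1` by `num_rsp`) relies on the `!num_rsp` early return that precedes `hci_dev_lock()`; please confirm 4.4 still has that return, otherwise a zero count reaches the division before these checks. The `goto unlock` is correct because `unlock:` is placed ahead of `hci_dev_unlock()`, but a comment at the first check would make the lock requirement explicit: `/* Controller-supplied num_rsp: verify the payload holds that many records before walking it; hdev->lock is held, so leave via unlock */`. An alternative is to compute the record size from the same branch condition and do the length check before `hci_dev_lock()`, which would let this handler use a plain `return` like the other two in this series. The function's head and the branch condition are outside the hunk.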
@@ -0,0 +1,120 @@ +From f7e6b19bc76471ba03725fe58e0c218a3d6266c3 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 16 Jul 2020 13:53:46 +0200 +Subject: mtd: properly check all write ioctls for permissions + +From: Greg Kroah-Hartman + +commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream. + +When doing a "write" ioctl call, properly check that we have permissions +to do so before copying anything from userspace or anything else so we +can "fail fast". This includes also covering the MEMWRITE ioctl which +previously missed checking for this. + +Cc: Miquel Raynal +Cc: Richard Weinberger +Cc: Vignesh Raghavendra +Cc: stable +Signed-off-by: Greg Kroah-Hartman +[rw: Fixed locking issue] +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/mtdchar.c | 56 +++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 47 insertions(+), 9 deletions(-) + +--- a/drivers/mtd/mtdchar.c ++++ b/drivers/mtd/mtdchar.c +@@ -372,9 +372,6 @@ static int mtdchar_writeoob(struct file + uint32_t retlen; + int ret = 0; + +- if (!(file->f_mode & FMODE_WRITE)) +- return -EPERM; +- + if (length > 4096) + return -EINVAL; + +@@ -608,6 +605,48 @@ static int mtdchar_ioctl(struct file *fi + return -EFAULT; + } + ++ /* ++ * Check the file mode to require "dangerous" commands to have write ++ * permissions. 
++ */ ++ switch (cmd) { ++ /* "safe" commands */ ++ case MEMGETREGIONCOUNT: ++ case MEMGETREGIONINFO: ++ case MEMGETINFO: ++ case MEMREADOOB: ++ case MEMREADOOB64: ++ case MEMLOCK: ++ case MEMUNLOCK: ++ case MEMISLOCKED: ++ case MEMGETOOBSEL: ++ case MEMGETBADBLOCK: ++ case MEMSETBADBLOCK: ++ case OTPSELECT: ++ case OTPGETREGIONCOUNT: ++ case OTPGETREGIONINFO: ++ case OTPLOCK: ++ case ECCGETLAYOUT: ++ case ECCGETSTATS: ++ case MTDFILEMODE: ++ case BLKPG: ++ case BLKRRPART: ++ break; ++ ++ /* "dangerous" commands */ ++ case MEMERASE: ++ case MEMERASE64: ++ case MEMWRITEOOB: ++ case MEMWRITEOOB64: ++ case MEMWRITE: ++ if (!(file->f_mode & FMODE_WRITE)) ++ return -EPERM; ++ break; ++ ++ default: ++ return -ENOTTY; ++ } ++ + switch (cmd) { + case MEMGETREGIONCOUNT: + if (copy_to_user(argp, &(mtd->numeraseregions), sizeof(int))) +@@ -655,9 +694,6 @@ static int mtdchar_ioctl(struct file *fi + { + struct erase_info *erase; + +- if(!(file->f_mode & FMODE_WRITE)) +- return -EPERM; +- + erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL); + if (!erase) + ret = -ENOMEM; +@@ -982,9 +1018,6 @@ static int mtdchar_ioctl(struct file *fi + ret = 0; + break; + } +- +- default: +- ret = -ENOTTY; + } + + return ret; +@@ -1028,6 +1061,11 @@ static long mtdchar_compat_ioctl(struct + struct mtd_oob_buf32 buf; + struct mtd_oob_buf32 __user *buf_user = argp; + ++ if (!(file->f_mode & FMODE_WRITE)) { ++ ret = -EPERM; ++ break; ++ } ++ + if (copy_from_user(&buf, argp, sizeof(buf))) + ret = -EFAULT; + else diff --git a/queue-4.4/series b/queue-4.4/series index 26f047165a0..b94f6666960 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
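Review bot: The "safe" list at the top of the new switch still lets a read-only descriptor change device state: `MEMLOCK`, `MEMUNLOCK`, `MEMSETBADBLOCK` and `OTPLOCK` alter the flash protection bits, the bad-block marking or the OTP region (the last irreversibly), yet they `break` past the `FMODE_WRITE` test that `MEMERASE`/`MEMWRITE*` now get; they belong in the "dangerous" group, as shown below. Separately, because the first switch returns `-ENOTTY` for anything not enumerated, every `case` label of the second switch (mostly outside this hunk) must also appear in the first list or a previously working ioctl silently stops working on 4.4, so the two lists should be diffed against each other when backporting. The compat `MEMWRITEOOB32` case at the end of the hunk gets its own check, which is consistent with the new layout. mtdchar_ioctl() and mtdchar_compat_ioctl() both continue outside the hunk.
```c
	switch (cmd) {
	/* "safe" commands: read-only queries and per-fd mode selection */
	case MEMGETREGIONCOUNT:
	/* … unchanged: MEMGETREGIONINFO … BLKRRPART, minus the four labels moved below … */
		break;

	/* "dangerous" commands: anything that alters the device or its protection state */
	case MEMERASE:
	case MEMERASE64:
	case MEMLOCK:
	case MEMUNLOCK:
	case MEMSETBADBLOCK:
	case OTPLOCK:
	case MEMWRITEOOB:
	case MEMWRITEOOB64:
	case MEMWRITE:
		if (!(file->f_mode & FMODE_WRITE))
			return -EPERM;
		break;
	/* … unchanged: default: return -ENOTTY … */
```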
@@ -31,3 +31,9 @@ random32-remove-net_rand_state-from-the-latent-entropy-gcc-plugin.patch
 random32-move-the-pseudo-random-32-bit-definitions-to-prandom.h.patch
 ext4-fix-direct-i-o-read-error-for-kernel-stable-rc4.4.patch
 usb-serial-qcserial-add-em7305-qdl-product-id.patch
+alsa-seq-oss-serialize-ioctls.patch
+bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch
+vgacon-fix-for-missing-check-in-scrollback-handling.patch
+mtd-properly-check-all-write-ioctls-for-permissions.patch
diff --git a/queue-4.4/vgacon-fix-for-missing-check-in-scrollback-handling.patch b/queue-4.4/vgacon-fix-for-missing-check-in-scrollback-handling.patch
new file mode 100644
index 00000000000..6a0d384ee78
--- /dev/null
+++ b/queue-4.4/vgacon-fix-for-missing-check-in-scrollback-handling.patch
@@ -0,0 +1,89 @@ +From ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d Mon Sep 17 00:00:00 2001 +From: Yunhai Zhang +Date: Tue, 28 Jul 2020 09:58:03 +0800 +Subject: vgacon: Fix for missing check in scrollback handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yunhai Zhang + +commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream. + +vgacon_scrollback_update() always leaves enbough room in the scrollback +buffer for the next call, but if the console size changed that room +might not actually be enough, and so we need to re-check. + +The check should be in the loop since vgacon_scrollback_cur->tail is +updated in the loop and count may be more than 1 when triggered by CSI M, +as Jiri's PoC: +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char** argv) +{ + int fd = open("/dev/tty1", O_RDWR); + unsigned short size[3] = {25, 200, 0}; + ioctl(fd, 0x5609, size); // VT_RESIZE + + write(fd, "\e[1;1H", 6); + for (int i = 0; i < 30; i++) + write(fd, "\e[10M", 5); +} + +It leads to various crashes as vgacon_scrollback_update writes out of +the buffer: + BUG: unable to handle page fault for address: ffffc900001752a0 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + RIP: 0010:mutex_unlock+0x13/0x30 +... + Call Trace: + n_tty_write+0x1a0/0x4d0 + tty_write+0x1a0/0x2e0 + +Or to KASAN reports: +BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed + +This fixes CVE-2020-14331. + +Reported-by: 张云海 +Reported-by: Yang Yingliang +Reported-by: Kyungtae Kim +Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback) +Cc: stable@vger.kernel.org +Cc: linux-fbdev@vger.kernel.org +Cc: Linus Torvalds +Cc: Solar Designer +Cc: "Srivatsa S. 
Bhat" +Cc: Anthony Liguori +Cc: Yang Yingliang +Cc: Bartlomiej Zolnierkiewicz +Cc: Jiri Slaby +Signed-off-by: Yunhai Zhang +Link: https://lore.kernel.org/r/9fb43895-ca91-9b07-ebfd-808cf854ca95@nsfocus.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/console/vgacon.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -220,6 +220,10 @@ static void vgacon_scrollback_update(str + p = (void *) (c->vc_origin + t * c->vc_size_row); + + while (count--) { ++ if ((vgacon_scrollback_tail + c->vc_size_row) > ++ vgacon_scrollback_size) ++ vgacon_scrollback_tail = 0; ++ + scr_memcpyw(vgacon_scrollback + vgacon_scrollback_tail, + p, c->vc_size_row); + vgacon_scrollback_cnt++;
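Review bot: The new in-loop check wraps `vgacon_scrollback_tail` to 0 when a row no longer fits, but it does not help when a single row is larger than the whole buffer: with `tail == 0` and `c->vc_size_row > vgacon_scrollback_size` the test is true, tail stays 0 and the following `scr_memcpyw` still writes `vc_size_row` bytes past the end. Whether that is reachable depends on the column cap in the VT resize path and on the configured scrollback size (both outside this hunk), so it is worth closing explicitly with a guard ahead of the wrap test: `if (c->vc_size_row > vgacon_scrollback_size) break;`. A why-comment on the wrap would also help 4.4 readers, because the commit message refers to mainline's per-console `vgacon_scrollback_cur->tail` while this backport uses the global `vgacon_scrollback_tail`: `/* A VT_RESIZE can grow vc_size_row after the previous call reserved space; re-check per row (CVE-2020-14331) */`. vgacon_scrollback_update() continues outside the hunk.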