From: Greg Kroah-Hartman Date: Wed, 30 Nov 2022 17:13:56 +0000 (+0100) Subject: 6.0-stable patches X-Git-Tag: v5.10.157~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6bc2d29af6cfb499772a932229c76c1473af4d98;p=thirdparty%2Fkernel%2Fstable-queue.git 6.0-stable patches added patches: fuse-lock-inode-unconditionally-in-fuse_fallocate.patch wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_channel_list-attribute.patch wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_oper_channel-attribute.patch wifi-wilc1000-validate-number-of-channels.patch wifi-wilc1000-validate-pairwise-and-authentication-suite-offsets.patch --- diff --git a/queue-6.0/fuse-lock-inode-unconditionally-in-fuse_fallocate.patch b/queue-6.0/fuse-lock-inode-unconditionally-in-fuse_fallocate.patch new file mode 100644 index 00000000000..b8dd3d92b56 --- /dev/null +++ b/queue-6.0/fuse-lock-inode-unconditionally-in-fuse_fallocate.patch @@ -0,0 +1,89 @@ +From 44361e8cf9ddb23f17bdcc40ca944abf32e83e79 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 23 Nov 2022 09:10:42 +0100 +Subject: fuse: lock inode unconditionally in fuse_fallocate() + +From: Miklos Szeredi + +commit 44361e8cf9ddb23f17bdcc40ca944abf32e83e79 upstream. + +file_modified() must be called with inode lock held. fuse_fallocate() +didn't lock the inode in case of just FALLOC_KEEP_SIZE flags value, which +resulted in a kernel Warning in notify_change(). + +Lock the inode unconditionally, like all other fallocate implementations +do. + +Reported-by: Pengfei Xu +Reported-and-tested-by: syzbot+462da39f0667b357c4b6@syzkaller.appspotmail.com +Fixes: 4a6f278d4827 ("fuse: add file_modified() to fallocate") +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/file.c | 41 ++++++++++++++++++----------------------- + 1 file changed, 18 insertions(+), 23 deletions(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -2963,11 +2963,9 @@ static long fuse_file_fallocate(struct f + .mode = mode + }; + int err; +- bool lock_inode = !(mode & FALLOC_FL_KEEP_SIZE) || +- (mode & (FALLOC_FL_PUNCH_HOLE | +- FALLOC_FL_ZERO_RANGE)); +- +- bool block_faults = FUSE_IS_DAX(inode) && lock_inode; ++ bool block_faults = FUSE_IS_DAX(inode) && ++ (!(mode & FALLOC_FL_KEEP_SIZE) || ++ (mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE))); + + if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE | + FALLOC_FL_ZERO_RANGE)) +@@ -2976,22 +2974,20 @@ static long fuse_file_fallocate(struct f + if (fm->fc->no_fallocate) + return -EOPNOTSUPP; + +- if (lock_inode) { +- inode_lock(inode); +- if (block_faults) { +- filemap_invalidate_lock(inode->i_mapping); +- err = fuse_dax_break_layouts(inode, 0, 0); +- if (err) +- goto out; +- } +- +- if (mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE)) { +- loff_t endbyte = offset + length - 1; +- +- err = fuse_writeback_range(inode, offset, endbyte); +- if (err) +- goto out; +- } ++ inode_lock(inode); ++ if (block_faults) { ++ filemap_invalidate_lock(inode->i_mapping); ++ err = fuse_dax_break_layouts(inode, 0, 0); ++ if (err) ++ goto out; ++ } ++ ++ if (mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE)) { ++ loff_t endbyte = offset + length - 1; ++ ++ err = fuse_writeback_range(inode, offset, endbyte); ++ if (err) ++ goto out; + } + + if (!(mode & FALLOC_FL_KEEP_SIZE) && +@@ -3039,8 +3035,7 @@ out: + if (block_faults) + filemap_invalidate_unlock(inode->i_mapping); + +- if (lock_inode) +- inode_unlock(inode); ++ inode_unlock(inode); + + fuse_flush_time_update(inode); + diff --git a/queue-6.0/series b/queue-6.0/series index 9878dc65773..56d705307b5 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -263,3 +263,8 @@ scsi-iscsi-fix-possible-memory-leak-when-device_regi.patch gpu-host1x-avoid-trying-to-use-gart-on-tegra20.patch dm-integrity-flush-the-journal-on-suspend.patch dm-integrity-clear-the-journal-on-suspend.patch +fuse-lock-inode-unconditionally-in-fuse_fallocate.patch +wifi-wilc1000-validate-pairwise-and-authentication-suite-offsets.patch +wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_oper_channel-attribute.patch +wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_channel_list-attribute.patch +wifi-wilc1000-validate-number-of-channels.patch diff --git a/queue-6.0/wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_channel_list-attribute.patch b/queue-6.0/wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_channel_list-attribute.patch new file mode 100644 index 00000000000..214a07568fa --- /dev/null +++ b/queue-6.0/wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_channel_list-attribute.patch @@ -0,0 +1,38 @@ +From f9b62f9843c7b0afdaecabbcebf1dbba18599408 Mon Sep 17 00:00:00 2001 +From: Phil Turnbull +Date: Wed, 23 Nov 2022 10:35:42 -0500 +Subject: wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute + +From: Phil Turnbull + +commit f9b62f9843c7b0afdaecabbcebf1dbba18599408 upstream. + +Validate that the IEEE80211_P2P_ATTR_CHANNEL_LIST attribute contains +enough space for a 'struct wilc_attr_oper_ch'. If the attribute is too +small then it can trigger an out-of-bounds write later in the function. + +'struct wilc_attr_oper_ch' is variable sized so also check 'attr_len' +does not extend beyond the end of 'buf'. + +Signed-off-by: Phil Turnbull +Tested-by: Ajay Kathat +Acked-by: Ajay Kathat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221123153543.8568-4-philipturnbull@github.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/microchip/wilc1000/cfg80211.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c ++++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c +@@ -964,7 +964,8 @@ static inline void wilc_wfi_cfg_parse_ch + if (index + sizeof(*e) + attr_size > len) + return; + +- if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST) ++ if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST && ++ attr_size >= (sizeof(struct wilc_attr_ch_list) - sizeof(*e))) + ch_list_idx = index; + else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL && + attr_size == (sizeof(struct wilc_attr_oper_ch) - sizeof(*e))) diff --git a/queue-6.0/wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_oper_channel-attribute.patch b/queue-6.0/wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_oper_channel-attribute.patch new file mode 100644 index 00000000000..d554095395e --- /dev/null +++ b/queue-6.0/wifi-wilc1000-validate-length-of-ieee80211_p2p_attr_oper_channel-attribute.patch @@ -0,0 +1,52 @@ +From 051ae669e4505abbe05165bebf6be7922de11f41 Mon Sep 17 00:00:00 2001 +From: Phil Turnbull +Date: Wed, 23 Nov 2022 10:35:41 -0500 +Subject: wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute + +From: Phil Turnbull + +commit 051ae669e4505abbe05165bebf6be7922de11f41 upstream. + +Validate that the IEEE80211_P2P_ATTR_OPER_CHANNEL attribute contains +enough space for a 'struct struct wilc_attr_oper_ch'. If the attribute is +too small then it triggers an out-of-bounds write later in the function. + +Signed-off-by: Phil Turnbull +Tested-by: Ajay Kathat +Acked-by: Ajay Kathat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221123153543.8568-3-philipturnbull@github.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/microchip/wilc1000/cfg80211.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c ++++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c +@@ -956,14 +956,24 @@ static inline void wilc_wfi_cfg_parse_ch + return; + + while (index + sizeof(*e) <= len) { ++ u16 attr_size; ++ + e = (struct wilc_attr_entry *)&buf[index]; ++ attr_size = le16_to_cpu(e->attr_len); ++ ++ if (index + sizeof(*e) + attr_size > len) ++ return; ++ + if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST) + ch_list_idx = index; +- else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL) ++ else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL && ++ attr_size == (sizeof(struct wilc_attr_oper_ch) - sizeof(*e))) + op_ch_idx = index; ++ + if (ch_list_idx && op_ch_idx) + break; +- index += le16_to_cpu(e->attr_len) + sizeof(*e); ++ ++ index += sizeof(*e) + attr_size; + } + + if (ch_list_idx) { diff --git a/queue-6.0/wifi-wilc1000-validate-number-of-channels.patch b/queue-6.0/wifi-wilc1000-validate-number-of-channels.patch new file mode 100644 index 00000000000..6e58acb06b3 --- /dev/null +++ b/queue-6.0/wifi-wilc1000-validate-number-of-channels.patch @@ -0,0 +1,62 @@ +From 0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0 Mon Sep 17 00:00:00 2001 +From: Phil Turnbull +Date: Wed, 23 Nov 2022 10:35:43 -0500 +Subject: wifi: wilc1000: validate number of channels + +From: Phil Turnbull + +commit 0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0 upstream. + +There is no validation of 'e->no_of_channels' which can trigger an +out-of-bounds write in the following 'memset' call. Validate that the +number of channels does not extends beyond the size of the channel list +element. + +Signed-off-by: Phil Turnbull +Tested-by: Ajay Kathat +Acked-by: Ajay Kathat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221123153543.8568-5-philipturnbull@github.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/microchip/wilc1000/cfg80211.c | 22 +++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c ++++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c +@@ -978,19 +978,29 @@ static inline void wilc_wfi_cfg_parse_ch + } + + if (ch_list_idx) { +- u16 attr_size; +- struct wilc_ch_list_elem *e; +- int i; ++ u16 elem_size; + + ch_list = (struct wilc_attr_ch_list *)&buf[ch_list_idx]; +- attr_size = le16_to_cpu(ch_list->attr_len); +- for (i = 0; i < attr_size;) { ++ /* the number of bytes following the final 'elem' member */ ++ elem_size = le16_to_cpu(ch_list->attr_len) - ++ (sizeof(*ch_list) - sizeof(struct wilc_attr_entry)); ++ for (unsigned int i = 0; i < elem_size;) { ++ struct wilc_ch_list_elem *e; ++ + e = (struct wilc_ch_list_elem *)(ch_list->elem + i); ++ ++ i += sizeof(*e); ++ if (i > elem_size) ++ break; ++ ++ i += e->no_of_channels; ++ if (i > elem_size) ++ break; ++ + if (e->op_class == WILC_WLAN_OPERATING_CLASS_2_4GHZ) { + memset(e->ch_list, sta_ch, e->no_of_channels); + break; + } +- i += e->no_of_channels; + } + } + diff --git a/queue-6.0/wifi-wilc1000-validate-pairwise-and-authentication-suite-offsets.patch b/queue-6.0/wifi-wilc1000-validate-pairwise-and-authentication-suite-offsets.patch new file mode 100644 index 00000000000..4f4c2fc6e2c --- /dev/null +++ b/queue-6.0/wifi-wilc1000-validate-pairwise-and-authentication-suite-offsets.patch @@ -0,0 +1,55 @@ +From cd21d99e595ec1d8721e1058dcdd4f1f7de1d793 Mon Sep 17 00:00:00 2001 +From: Phil Turnbull +Date: Wed, 23 Nov 2022 10:35:40 -0500 +Subject: wifi: wilc1000: validate pairwise and authentication suite offsets + +From: Phil Turnbull + +commit cd21d99e595ec1d8721e1058dcdd4f1f7de1d793 upstream. + +There is no validation of 'offset' which can trigger an out-of-bounds +read when extracting RSN capabilities. + +Signed-off-by: Phil Turnbull +Tested-by: Ajay Kathat +Acked-by: Ajay Kathat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/microchip/wilc1000/hif.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/microchip/wilc1000/hif.c ++++ b/drivers/net/wireless/microchip/wilc1000/hif.c +@@ -482,14 +482,25 @@ void *wilc_parse_join_bss_param(struct c + + rsn_ie = cfg80211_find_ie(WLAN_EID_RSN, ies->data, ies->len); + if (rsn_ie) { ++ int rsn_ie_len = sizeof(struct element) + rsn_ie[1]; + int offset = 8; + +- param->mode_802_11i = 2; +- param->rsn_found = true; + /* extract RSN capabilities */ +- offset += (rsn_ie[offset] * 4) + 2; +- offset += (rsn_ie[offset] * 4) + 2; +- memcpy(param->rsn_cap, &rsn_ie[offset], 2); ++ if (offset < rsn_ie_len) { ++ /* skip over pairwise suites */ ++ offset += (rsn_ie[offset] * 4) + 2; ++ ++ if (offset < rsn_ie_len) { ++ /* skip over authentication suites */ ++ offset += (rsn_ie[offset] * 4) + 2; ++ ++ if (offset + 1 < rsn_ie_len) { ++ param->mode_802_11i = 2; ++ param->rsn_found = true; ++ memcpy(param->rsn_cap, &rsn_ie[offset], 2); ++ } ++ } ++ } + } + + if (param->rsn_found) {