From: Greg Kroah-Hartman
Date: Sun, 24 Oct 2021 12:10:54 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.290~50
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7cab733b7ce16ef6e2ff16a2af9c46a8ecdf7815;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch
nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
---
diff --git a/queue-4.4/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch b/queue-4.4/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
new file mode 100644
index 00000000000..cf0839bfe58
--- /dev/null
+++ b/queue-4.4/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
@@ -0,0 +1,64 @@
+From 1f3e2e97c003f80c4b087092b225c8787ff91e4d Mon Sep 17 00:00:00 2001
+From: Xiaolong Huang
+Date: Fri, 8 Oct 2021 14:58:30 +0800
+Subject: isdn: cpai: check ctr->cnr to avoid array index out of bound
+
+From: Xiaolong Huang
+
+commit 1f3e2e97c003f80c4b087092b225c8787ff91e4d upstream.
+
+The cmtp_add_connection() would add a cmtp session to a controller
+and run a kernel thread to process cmtp.
+
+ __module_get(THIS_MODULE);
+ session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
+ session->num);
+
+During this process, the kernel thread would call detach_capi_ctr()
+to detach a register controller. if the controller
+was not attached yet, detach_capi_ctr() would
+trigger an array-index-out-bounds bug.
+
+[ 46.866069][ T6479] UBSAN: array-index-out-of-bounds in
+drivers/isdn/capi/kcapi.c:483:21
+[ 46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]'
+[ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted
+5.15.0-rc2+ #8
+[ 46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX,
+1996), BIOS 1.14.0-2 04/01/2014
+[ 46.870107][ T6479] Call Trace:
+[ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d
+[ 46.870974][ T6479] ubsan_epilogue+0x5/0x40
+[ 46.871458][ T6479] __ubsan_handle_out_of_bounds.cold+0x43/0x48
+[ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0
+[ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0
+[ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60
+[ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120
+[ 46.874256][ T6479] kthread+0x147/0x170
+[ 46.874709][ T6479] ? set_kthread_struct+0x40/0x40
+[ 46.875248][ T6479] ret_from_fork+0x1f/0x30
+[ 46.875773][ T6479]
+
+Signed-off-by: Xiaolong Huang
+Acked-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20211008065830.305057-1-butterflyhuangxx@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/capi/kcapi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/isdn/capi/kcapi.c
++++ b/drivers/isdn/capi/kcapi.c
+@@ -564,6 +564,11 @@ int detach_capi_ctr(struct capi_ctr *ctr
+ 
+ ctr_down(ctr, CAPI_CTR_DETACHED);
+ 
++ if (ctr->cnr < 1 || ctr->cnr - 1 >= CAPI_MAXCONTR) {
++ err = -EINVAL;
++ goto unlock_out;
++ }
++
+ if (capi_controller[ctr->cnr - 1] != ctr) {
+ err = -EINVAL;
+ goto unlock_out;
diff --git a/queue-4.4/netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch b/queue-4.4/netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch
new file mode 100644
index 00000000000..db91a92cb2a
--- /dev/null
+++ b/queue-4.4/netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch
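Review bot: The new range check in the detach_capi_ctr() hunk runs only after `ctr_down(ctr, CAPI_CTR_DETACHED)` has already been applied to a controller that may never have been attached, so the fix relies on ctr_down() being a no-op for such a controller rather than rejecting it up front; I would either confirm that holds in the 4.4 tree or move the `if (ctr->cnr < 1 || ctr->cnr - 1 >= CAPI_MAXCONTR)` block above the ctr_down() call so an unregistered controller is rejected before any teardown touches it. The encoding the check depends on, that cnr is 1-based and 0 means attach_capi_ctr() never ran, is stated nowhere in the hunk, so a one-line comment above the new `if`, `/* cnr is 1-based; 0 means this controller was never attached */`, would keep a later backporter from "simplifying" the `< 1` test into `< 0`. detach_capi_ctr() begins and ends outside the hunk.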
@@ -0,0 +1,30 @@
+From 77076934afdcd46516caf18ed88b2f88025c9ddb Mon Sep 17 00:00:00 2001
+From: Vegard Nossum
+Date: Tue, 5 Oct 2021 22:54:54 +0200
+Subject: netfilter: Kconfig: use 'default y' instead of 'm' for bool config option
+
+From: Vegard Nossum
+
+commit 77076934afdcd46516caf18ed88b2f88025c9ddb upstream.
+
+This option, NF_CONNTRACK_SECMARK, is a bool, so it can never be 'm'.
+
+Fixes: 33b8e77605620 ("[NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option")
+Signed-off-by: Vegard Nossum
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -71,7 +71,7 @@ config NF_CONNTRACK_MARK
+ config NF_CONNTRACK_SECMARK
+ bool 'Connection tracking security mark support'
+ depends on NETWORK_SECMARK
+- default m if NETFILTER_ADVANCED=n
++ default y if NETFILTER_ADVANCED=n
+ help
+ This option enables security markings to be applied to
+ connections. Typically they are copied to connections from
diff --git a/queue-4.4/nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch b/queue-4.4/nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
new file mode 100644
index 00000000000..f2c377c8cf0
--- /dev/null
+++ b/queue-4.4/nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
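Review bot: Neither the commit message nor the stable-queue note says whether the new `default y if NETFILTER_ADVANCED=n` changes the value a 4.4 user ends up with, which is the one question that matters when a security-mark option's default is touched in a stable tree. As far as I know kconfig already promotes 'm' to 'y' for a bool symbol, so this should be behaviour-neutral for existing .config files, but that is inferred rather than shown by the hunk; a sentence in the backport note such as "cleanup only, no change to generated configs" would make the intent explicit and give reviewers something concrete to check if the 4.4-era kconfig tooling behaves differently.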
@@ -0,0 +1,34 @@
+From 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Thu, 7 Oct 2021 19:44:30 +0200
+Subject: nfc: nci: fix the UAF of rf_conn_info object
+
+From: Lin Ma
+
+commit 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 upstream.
+
+The nci_core_conn_close_rsp_packet() function will release the conn_info
+with given conn_id. However, it needs to set the rf_conn_info to NULL to
+prevent other routines like nci_rf_intf_activated_ntf_packet() to trigger
+the UAF.
+
+Reviewed-by: Krzysztof Kozlowski
+Signed-off-by: Lin Ma
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/nci/rsp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/nci/rsp.c
++++ b/net/nfc/nci/rsp.c
+@@ -274,6 +274,8 @@ static void nci_core_conn_close_rsp_pack
+ conn_info = nci_get_conn_info_by_conn_id(ndev, ndev->cur_id);
+ if (conn_info) {
+ list_del(&conn_info->list);
++ if (conn_info == ndev->rf_conn_info)
++ ndev->rf_conn_info = NULL;
+ devm_kfree(&ndev->nfc_dev->dev, conn_info);
+ }
+ }
diff --git a/queue-4.4/series b/queue-4.4/series
index b006af416a1..af9b2064fc6 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -31,3 +31,6 @@ elfcore-correct-reference-to-config_uml.patch
 alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch
 asoc-dapm-fix-missing-kctl-change-notifications.patch
 ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch
+nfc-nci-fix-the-uaf-of-rf_conn_info-object.patch
+isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
+netfilter-kconfig-use-default-y-instead-of-m-for-bool-config-option.patch
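Review bot: Resetting `ndev->rf_conn_info` to NULL in nci_core_conn_close_rsp_packet() only removes the use-after-free if every reader of that pointer tolerates NULL; the commit message names nci_rf_intf_activated_ntf_packet(), but the other readers in net/nfc/nci are outside this hunk and should be checked for a NULL test in the 4.4 tree, otherwise the freed-pointer read becomes a NULL dereference in the same paths. The same dangling-pointer hazard presumably applies to any other cached copy of a conn_info pointer (later trees keep one on the HCI subdevice, I believe), so it is worth confirming whether 4.4 has such a field and whether it can name the entry freed here. nci_core_conn_close_rsp_packet() starts outside the hunk.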