From: Greg Kroah-Hartman
Date: Thu, 9 Apr 2020 14:06:58 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.219~32
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fabc9b8dfa81833d7b347877528f216bf2e9443d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
 net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch
 slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch
---
diff --git a/queue-4.4/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch b/queue-4.4/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch
new file mode 100644
index 00000000000..1bcffe5c40b
--- /dev/null
+++ b/queue-4.4/net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch
@@ -0,0 +1,35 @@
+From foo@baz Thu 09 Apr 2020 04:06:49 PM CEST
+From: Jisheng Zhang
+Date: Fri, 3 Apr 2020 10:23:29 +0800
+Subject: net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting
+
+From: Jisheng Zhang
+
+[ Upstream commit 3e1221acf6a8f8595b5ce354bab4327a69d54d18 ]
+
+Commit 9463c4455900 ("net: stmmac: dwmac1000: Clear unused address
+entries") cleared the unused mac address entries, but introduced an
+out-of bounds mac address register programming bug -- After setting
+the secondary unicast mac addresses, the "reg" value has reached
+netdev_uc_count() + 1, thus we should only clear address entries
+if (addr < perfect_addr_number)
+
+Fixes: 9463c4455900 ("net: stmmac: dwmac1000: Clear unused address entries")
+Signed-off-by: Jisheng Zhang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -188,7 +188,7 @@ static void dwmac1000_set_filter(struct
+ reg++;
+ }
+
+- while (reg <= perfect_addr_number) {
++ while (reg < perfect_addr_number) {
+ writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
+ writel(0, ioaddr + GMAC_ADDR_LOW(reg));
+ reg++;
diff --git a/queue-4.4/series b/queue-4.4/series
index 1fa9ce99a9d..429fe2219c4 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -14,3 +14,5 @@ usb-gadget-uac2-drop-unused-device-qualifier-descriptor.patch
 usb-gadget-printer-drop-unused-device-qualifier-descriptor.patch
 padata-always-acquire-cpu_hotplug_lock-before-pinst-lock.patch
 mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
+net-stmmac-dwmac1000-fix-out-of-bounds-mac-address-reg-setting.patch
+slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch
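Review bot: The loop that precedes the changed `while` in dwmac1000_set_filter() is visible only by its tail (`reg++; }`), so the hunk does not show whether `reg` can already equal `perfect_addr_number` when a unicast address is programmed there. If the guard ahead of that loop admits as many addresses as there are filter entries, the same register index that this fix stops clearing would still be written from the fill path, so that guard is worth confirming against the register layout. Independently of that, a comment above the loop such as `/* clear only unused entries; valid indices stop below perfect_addr_number */` would record the invariant that the earlier cleanup broke. The function starts and ends outside the hunk.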
diff --git a/queue-4.4/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch b/queue-4.4/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch
new file mode 100644
index 00000000000..50405dbb77a
--- /dev/null
+++ b/queue-4.4/slcan-don-t-transmit-uninitialized-stack-data-in-padding.patch
@@ -0,0 +1,51 @@
+From foo@baz Thu 09 Apr 2020 04:06:49 PM CEST
+From: Richard Palethorpe
+Date: Wed, 1 Apr 2020 12:06:39 +0200
+Subject: slcan: Don't transmit uninitialized stack data in padding
+
+From: Richard Palethorpe
+
+[ Upstream commit b9258a2cece4ec1f020715fe3554bc2e360f6264 ]
+
+struct can_frame contains some padding which is not explicitly zeroed in
+slc_bump. This uninitialized data will then be transmitted if the stack
+initialization hardening feature is not enabled (CONFIG_INIT_STACK_ALL).
+
+This commit just zeroes the whole struct including the padding.
+
+Signed-off-by: Richard Palethorpe
+Fixes: a1044e36e457 ("can: add slcan driver for serial/USB-serial CAN adapters")
+Reviewed-by: Kees Cook
+Cc: linux-can@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Cc: security@kernel.org
+Cc: wg@grandegger.com
+Cc: mkl@pengutronix.de
+Cc: davem@davemloft.net
+Acked-by: Marc Kleine-Budde
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/slcan.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -147,7 +147,7 @@ static void slc_bump(struct slcan *sl)
+ u32 tmpid;
+ char *cmd = sl->rbuff;
+
+- cf.can_id = 0;
++ memset(&cf, 0, sizeof(cf));
+
+ switch (*cmd) {
+ case 'r':
+@@ -186,8 +186,6 @@ static void slc_bump(struct slcan *sl)
+ else
+ return;
+
+- *(u64 *) (&cf.data) = 0; /* clear payload */
+-
+ /* RTR frames may have a dlc > 0 but they never have any data bytes */
+ if (!(cf.can_id & CAN_RTR_FLAG)) {
+ for (i = 0; i < cf.can_dlc; i++) {
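Review bot: The new `memset(&cf, 0, sizeof(cf));` at the top of slc_bump() carries no comment saying that it exists to clear the struct's padding, so a later cleanup could swap it for per-field assignments or a `= {0}` initializer, neither of which is guaranteed to zero padding bytes. I would add `/* zero the whole frame, padding included, so no stack bytes are sent out */` directly above it. The payload no longer needs its own clearing store because the memset covers it, which is worth stating in the same comment. slc_bump() starts and ends outside both inner hunks.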