From 9c99e69b593c46872bd1d9592b7b03b7f4c2bc3e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 31 Mar 2020 10:19:23 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
ahci-add-intel-comet-lake-h-raid-pci-id.patch
libfs-fix-infoleak-in-simple_attr_read.patch
media-dib0700-fix-rc-endpoint-lookup.patch
media-ov519-add-missing-endpoint-sanity-checks.patch
media-stv06xx-add-missing-descriptor-sanity-checks.patch
media-xirlink_cit-add-missing-descriptor-sanity-checks.patch
---
 ...i-add-intel-comet-lake-h-raid-pci-id.patch | 30 ++++++
 ...bfs-fix-infoleak-in-simple_attr_read.patch | 79 ++++++++++++++++
 ...media-dib0700-fix-rc-endpoint-lookup.patch | 46 +++++++++
 ...9-add-missing-endpoint-sanity-checks.patch | 55 +++++++++++
 ...add-missing-descriptor-sanity-checks.patch | 93 +++++++++++++++++++
 ...add-missing-descriptor-sanity-checks.patch | 82 ++++++++++++++++
 queue-4.19/series | 6 ++
 7 files changed, 391 insertions(+)
 create mode 100644 queue-4.19/ahci-add-intel-comet-lake-h-raid-pci-id.patch
 create mode 100644 queue-4.19/libfs-fix-infoleak-in-simple_attr_read.patch
 create mode 100644 queue-4.19/media-dib0700-fix-rc-endpoint-lookup.patch
 create mode 100644 queue-4.19/media-ov519-add-missing-endpoint-sanity-checks.patch
 create mode 100644 queue-4.19/media-stv06xx-add-missing-descriptor-sanity-checks.patch
 create mode 100644 queue-4.19/media-xirlink_cit-add-missing-descriptor-sanity-checks.patch
diff --git a/queue-4.19/ahci-add-intel-comet-lake-h-raid-pci-id.patch b/queue-4.19/ahci-add-intel-comet-lake-h-raid-pci-id.patch
new file mode 100644
index 00000000000..d8ae3f67152
--- /dev/null
+++ b/queue-4.19/ahci-add-intel-comet-lake-h-raid-pci-id.patch
@@ -0,0 +1,30 @@
+From 32d2545462c6cede998267b86e57cda5d1dc2225 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Thu, 27 Feb 2020 20:28:22 +0800
+Subject: ahci: Add Intel Comet Lake H RAID PCI ID
+
+From: Kai-Heng Feng
+
+commit 32d2545462c6cede998267b86e57cda5d1dc2225 upstream.
+
+Add the PCI ID to the driver list to support this new device.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/ahci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -409,6 +409,7 @@ static const struct pci_device_id ahci_p
+ { PCI_VDEVICE(INTEL, 0xa252), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0xa256), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0xa356), board_ahci }, /* Cannon Lake PCH-H RAID */
++ { PCI_VDEVICE(INTEL, 0x06d7), board_ahci }, /* Comet Lake-H RAID */
+ { PCI_VDEVICE(INTEL, 0x0f22), board_ahci_mobile }, /* Bay Trail AHCI */
+ { PCI_VDEVICE(INTEL, 0x0f23), board_ahci_mobile }, /* Bay Trail AHCI */
+ { PCI_VDEVICE(INTEL, 0x22a3), board_ahci_mobile }, /* Cherry Tr. AHCI */
diff --git a/queue-4.19/libfs-fix-infoleak-in-simple_attr_read.patch b/queue-4.19/libfs-fix-infoleak-in-simple_attr_read.patch
new file mode 100644
index 00000000000..de0a0531a95
--- /dev/null
+++ b/queue-4.19/libfs-fix-infoleak-in-simple_attr_read.patch
@@ -0,0 +1,79 @@
+From a65cab7d7f05c2061a3e2490257d3086ff3202c6 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Sat, 7 Mar 2020 18:38:49 -0800
+Subject: libfs: fix infoleak in simple_attr_read()
+
+From: Eric Biggers
+
+commit a65cab7d7f05c2061a3e2490257d3086ff3202c6 upstream.
+
+Reading from a debugfs file at a nonzero position, without first reading
+at position 0, leaks uninitialized memory to userspace.
+
+It's a bit tricky to do this, since lseek() and pread() aren't allowed
+on these files, and write() doesn't update the position on them. But
+writing to them with splice() *does* update the position:
+
+ #define _GNU_SOURCE 1
+ #include
+ #include
+ #include
+ int main()
+ {
+ int pipes[2], fd, n, i;
+ char buf[32];
+
+ pipe(pipes);
+ write(pipes[1], "0", 1);
+ fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
+ splice(pipes[0], NULL, fd, NULL, 1, 0);
+ n = read(fd, buf, sizeof(buf));
+ for (i = 0; i < n; i++)
+ printf("%02x", buf[i]);
+ printf("\n");
+ }
+
+Output:
+ 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30
+
+Fix the infoleak by making simple_attr_read() always fill
+simple_attr::get_buf if it hasn't been filled yet.
+
+Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
+Reported-by: Alexander Potapenko
+Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Acked-by: Kees Cook
+Link: https://lore.kernel.org/r/20200308023849.988264-1-ebiggers@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/libfs.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/libfs.c
++++ b/fs/libfs.c
+@@ -802,7 +802,7 @@ int simple_attr_open(struct inode *inode
+ {
+ struct simple_attr *attr;
+
+- attr = kmalloc(sizeof(*attr), GFP_KERNEL);
++ attr = kzalloc(sizeof(*attr), GFP_KERNEL);
+ if (!attr)
+ return -ENOMEM;
+
+@@ -842,9 +842,11 @@ ssize_t simple_attr_read(struct file *fi
+ if (ret)
+ return ret;
+
+- if (*ppos) { /* continued read */
++ if (*ppos && attr->get_buf[0]) {
++ /* continued read */
+ size = strlen(attr->get_buf);
+- } else { /* first read */
++ } else {
++ /* first read */
+ u64 val;
+ ret = attr->get(attr->data, &val);
+ if (ret)
diff --git a/queue-4.19/media-dib0700-fix-rc-endpoint-lookup.patch b/queue-4.19/media-dib0700-fix-rc-endpoint-lookup.patch
new file mode 100644
index 00000000000..a9426d992d7
--- /dev/null
+++ b/queue-4.19/media-dib0700-fix-rc-endpoint-lookup.patch
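Review bot: In `simple_attr_read` the new `attr->get_buf[0]` test silently doubles as the "buffer has been filled" flag, and it is only sound because `simple_attr_open` was switched to `kzalloc` in the other hunk; nothing in the code ties the two together, so a later revert to `kmalloc` (or, should any caller supply a format that can emit an empty string) would reopen the leak without a compile-time hint. I would state the invariant at both sites: at the check `/* get_buf[0] is '\0' only while the buffer is unfilled (zeroed in simple_attr_open) */`, and at the allocation `/* zeroed on purpose: simple_attr_read() treats get_buf[0] == '\0' as "not yet filled" */`. Both `simple_attr_open` and `simple_attr_read` begin and end outside the hunk, so the scnprintf that fills get_buf and the read-side mutex handling are not visible here.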
@@ -0,0 +1,46 @@
+From f52981019ad8d6718de79b425a574c6bddf81f7c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 3 Jan 2020 17:35:12 +0100
+Subject: media: dib0700: fix rc endpoint lookup
+
+From: Johan Hovold
+
+commit f52981019ad8d6718de79b425a574c6bddf81f7c upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid submitting an URB to an invalid endpoint.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge Nova-TD")
+Cc: stable # 3.16
+Signed-off-by: Johan Hovold
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/dib0700_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dib0700_core.c
++++ b/drivers/media/usb/dvb-usb/dib0700_core.c
+@@ -821,7 +821,7 @@ int dib0700_rc_setup(struct dvb_usb_devi
+
+ /* Starting in firmware 1.20, the RC info is provided on a bulk pipe */
+
+- if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1)
++ if (intf->cur_altsetting->desc.bNumEndpoints < rc_ep + 1)
+ return -ENODEV;
+
+ purb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -841,7 +841,7 @@ int dib0700_rc_setup(struct dvb_usb_devi
+ * Some devices like the Hauppauge NovaTD model 52009 use an interrupt
+ * endpoint, while others use a bulk one.
+ */
+- e = &intf->altsetting[0].endpoint[rc_ep].desc;
++ e = &intf->cur_altsetting->endpoint[rc_ep].desc;
+ if (usb_endpoint_dir_in(e)) {
+ if (usb_endpoint_xfer_bulk(e)) {
+ pipe = usb_rcvbulkpipe(d->udev, rc_ep);
diff --git a/queue-4.19/media-ov519-add-missing-endpoint-sanity-checks.patch b/queue-4.19/media-ov519-add-missing-endpoint-sanity-checks.patch
new file mode 100644
index 00000000000..e37b0bc0eb1
--- /dev/null
+++ b/queue-4.19/media-ov519-add-missing-endpoint-sanity-checks.patch
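Review bot: `rc_ep` is used both as an index into `intf->cur_altsetting->endpoint[]` (`e = &intf->cur_altsetting->endpoint[rc_ep].desc;`) and as the endpoint number handed to `usb_rcvbulkpipe(d->udev, rc_ep)` on the hunk's last line; the two agree only if the descriptor at array index `rc_ep` actually carries endpoint address `rc_ep`, and the new `bNumEndpoints` check validates the index, not the address. Deriving the pipe from the descriptor that was just validated, `pipe = usb_rcvbulkpipe(d->udev, usb_endpoint_num(e));`, would keep the URB on an endpoint that is known to exist in the current altsetting, which is the WARN the commit message sets out to avoid. The interrupt-endpoint branch and the place `rc_ep` is assigned are outside the hunk, so whether a fixed `rc_ep` happens to match the address on all supported devices cannot be judged from here.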
@@ -0,0 +1,55 @@
+From 998912346c0da53a6dbb71fab3a138586b596b30 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 3 Jan 2020 17:35:09 +0100
+Subject: media: ov519: add missing endpoint sanity checks
+
+From: Johan Hovold
+
+commit 998912346c0da53a6dbb71fab3a138586b596b30 upstream.
+
+Make sure to check that we have at least one endpoint before accessing
+the endpoint array to avoid dereferencing a NULL-pointer on stream
+start.
+
+Note that these sanity checks are not redundant as the driver is mixing
+looking up altsettings by index and by number, which need not coincide.
+
+Fixes: 1876bb923c98 ("V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge")
+Fixes: b282d87332f5 ("V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)")
+Cc: stable # 2.6.31
+Cc: Hans de Goede
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/gspca/ov519.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/media/usb/gspca/ov519.c
++++ b/drivers/media/usb/gspca/ov519.c
+@@ -3487,6 +3487,11 @@ static void ov511_mode_init_regs(struct
+ return;
+ }
+
++ if (alt->desc.bNumEndpoints < 1) {
++ sd->gspca_dev.usb_err = -ENODEV;
++ return;
++ }
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ reg_w(sd, R51x_FIFO_PSIZE, packet_size >> 5);
+
+@@ -3613,6 +3618,11 @@ static void ov518_mode_init_regs(struct
+ return;
+ }
+
++ if (alt->desc.bNumEndpoints < 1) {
++ sd->gspca_dev.usb_err = -ENODEV;
++ return;
++ }
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ ov518_reg_w32(sd, R51x_FIFO_PSIZE, packet_size & ~7, 2);
+
diff --git a/queue-4.19/media-stv06xx-add-missing-descriptor-sanity-checks.patch b/queue-4.19/media-stv06xx-add-missing-descriptor-sanity-checks.patch
new file mode 100644
index 00000000000..834534c799f
--- /dev/null
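Review bot: The new `bNumEndpoints < 1` guards in `ov511_mode_init_regs` and `ov518_mode_init_regs` make the `endpoint[0]` access safe, but the value read right after them is still the raw `le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize)`, which for a high-speed descriptor carries the additional-transaction bits 11–12 and can therefore exceed the real packet size before it is shifted into `R51x_FIFO_PSIZE`. `usb_endpoint_maxp(&alt->endpoint[0].desc)` returns the masked 11-bit size and is the idiom elsewhere in the USB stack, so I would use it in both places (one line each). Whether these bridges can present such a descriptor I cannot tell from the hunk, so this is hardening of untrusted descriptor input rather than a known fault; both functions, and the lookup of `alt` (by altsetting number, per the commit message), begin outside the hunk.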
+++ b/queue-4.19/media-stv06xx-add-missing-descriptor-sanity-checks.patch 
@@ -0,0 +1,93 @@
+From 485b06aadb933190f4bc44e006076bc27a23f205 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 3 Jan 2020 17:35:10 +0100
+Subject: media: stv06xx: add missing descriptor sanity checks
+
+From: Johan Hovold
+
+commit 485b06aadb933190f4bc44e006076bc27a23f205 upstream.
+
+Make sure to check that we have two alternate settings and at least one
+endpoint before accessing the second altsetting structure and
+dereferencing the endpoint arrays.
+
+This specifically avoids dereferencing NULL-pointers or corrupting
+memory when a device does not have the expected descriptors.
+
+Note that the sanity checks in stv06xx_start() and pb0100_start() are
+not redundant as the driver is mixing looking up altsettings by index
+and by number, which may not coincide.
+
+Fixes: 8668d504d72c ("V4L/DVB (12082): gspca_stv06xx: Add support for st6422 bridge and sensor")
+Fixes: c0b33bdc5b8d ("[media] gspca-stv06xx: support bandwidth changing")
+Cc: stable # 2.6.31
+Cc: Hans de Goede
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/gspca/stv06xx/stv06xx.c | 19 ++++++++++++++++++-
+ drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c | 4 ++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+@@ -291,6 +291,9 @@ static int stv06xx_start(struct gspca_de
+ return -EIO;
+ }
+
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ err = stv06xx_write_bridge(sd, STV_ISO_SIZE_L, packet_size);
+ if (err < 0)
+@@ -315,11 +318,21 @@ out:
+
+ static int stv06xx_isoc_init(struct gspca_dev *gspca_dev)
+ {
++ struct usb_interface_cache *intfc;
+ struct usb_host_interface *alt;
+ struct sd *sd = (struct sd *) gspca_dev;
+
++ intfc = gspca_dev->dev->actconfig->intf_cache[0];
++
++ if (intfc->num_altsetting < 2)
++ return -ENODEV;
++
++ alt = &intfc->altsetting[1];
++
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ /* Start isoc bandwidth "negotiation" at max isoc bandwidth */
+- alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ alt->endpoint[0].desc.wMaxPacketSize =
+ cpu_to_le16(sd->sensor->max_packet_size[gspca_dev->curr_mode]);
+
+@@ -332,6 +345,10 @@ static int stv06xx_isoc_nego(struct gspc
+ struct usb_host_interface *alt;
+ struct sd *sd = (struct sd *) gspca_dev;
+
++ /*
++ * Existence of altsetting and endpoint was verified in
++ * stv06xx_isoc_init()
++ */
+ alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ min_packet_size = sd->sensor->min_packet_size[gspca_dev->curr_mode];
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
+@@ -194,6 +194,10 @@ static int pb0100_start(struct sd *sd)
+ alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);
+ if (!alt)
+ return -ENODEV;
++
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+
+ /* If we don't have enough bandwidth use a lower framerate */
diff --git a/queue-4.19/media-xirlink_cit-add-missing-descriptor-sanity-checks.patch b/queue-4.19/media-xirlink_cit-add-missing-descriptor-sanity-checks.patch
new file mode 100644
index 00000000000..0e088b56660
--- /dev/null
+++ b/queue-4.19/media-xirlink_cit-add-missing-descriptor-sanity-checks.patch
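Review bot: `stv06xx_isoc_nego` still dereferences `intf_cache[0]->altsetting[1]->endpoint[0]` with no check of its own; the added comment makes its safety depend on `stv06xx_isoc_init` having run and returned success first, an ordering enforced by the gspca core outside this file that I cannot confirm from the hunk. Caching the validated pointer in `struct sd` during `stv06xx_isoc_init` and reading it back in `stv06xx_isoc_nego`, or simply repeating the two `num_altsetting`/`bNumEndpoints` tests there, would make the guarantee local to the function instead of documentary. The write `alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(...)` in `stv06xx_isoc_init` also deserves a one-line comment that it intentionally patches the device's cached descriptor, since a reader will otherwise take it for a bug. `stv06xx_start`, `stv06xx_isoc_nego` and `pb0100_start` each begin or end outside their hunks.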
@@ -0,0 +1,82 @@
+From a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 3 Jan 2020 17:35:11 +0100
+Subject: media: xirlink_cit: add missing descriptor sanity checks
+
+From: Johan Hovold
+
+commit a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 upstream.
+
+Make sure to check that we have two alternate settings and at least one
+endpoint before accessing the second altsetting structure and
+dereferencing the endpoint arrays.
+
+This specifically avoids dereferencing NULL-pointers or corrupting
+memory when a device does not have the expected descriptors.
+
+Note that the sanity check in cit_get_packet_size() is not redundant as
+the driver is mixing looking up altsettings by index and by number,
+which may not coincide.
+
+Fixes: 659fefa0eb17 ("V4L/DVB: gspca_xirlink_cit: Add support for camera with a bcd version of 0.01")
+Fixes: 59f8b0bf3c12 ("V4L/DVB: gspca_xirlink_cit: support bandwidth changing for devices with 1 alt setting")
+Cc: stable # 2.6.37
+Cc: Hans de Goede
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/gspca/xirlink_cit.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/xirlink_cit.c
++++ b/drivers/media/usb/gspca/xirlink_cit.c
+@@ -1452,6 +1452,9 @@ static int cit_get_packet_size(struct gs
+ return -EIO;
+ }
+
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ return le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ }
+
+@@ -2636,6 +2639,7 @@ static int sd_start(struct gspca_dev *gs
+
+ static int sd_isoc_init(struct gspca_dev *gspca_dev)
+ {
++ struct usb_interface_cache *intfc;
+ struct usb_host_interface *alt;
+ int max_packet_size;
+
+@@ -2651,8 +2655,17 @@ static int sd_isoc_init(struct gspca_dev
+ break;
+ }
+
++ intfc = gspca_dev->dev->actconfig->intf_cache[0];
++
++ if (intfc->num_altsetting < 2)
++ return -ENODEV;
++
++ alt = &intfc->altsetting[1];
++
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ /* Start isoc bandwidth "negotiation" at max isoc bandwidth */
+- alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(max_packet_size);
+
+ return 0;
+@@ -2675,6 +2688,9 @@ static int sd_isoc_nego(struct gspca_dev
+ break;
+ }
+
++ /*
++ * Existence of altsetting and endpoint was verified in sd_isoc_init()
++ */
+ alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ if (packet_size <= min_packet_size)
diff --git a/queue-4.19/series b/queue-4.19/series
index 7cfe352df83..9ababa7111a 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -89,3 +89,9 @@ media-usbtv-fix-control-message-timeouts.patch
 staging-rtl8188eu-add-asus-usb-n10-nano-b1-to-device-table.patch
 staging-wlan-ng-fix-odebug-bug-in-prism2sta_disconnect_usb.patch
 staging-wlan-ng-fix-use-after-free-read-in-hfa384x_usbin_callback.patch
+ahci-add-intel-comet-lake-h-raid-pci-id.patch
+libfs-fix-infoleak-in-simple_attr_read.patch
+media-ov519-add-missing-endpoint-sanity-checks.patch
+media-dib0700-fix-rc-endpoint-lookup.patch
+media-stv06xx-add-missing-descriptor-sanity-checks.patch
+media-xirlink_cit-add-missing-descriptor-sanity-checks.patch
--
2.47.3
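Review bot: The reason the new `num_altsetting < 2` and `bNumEndpoints < 1` checks in `sd_isoc_init` can ever fail lives only in the commit message; in the code a reader sees a probe-style validation of `altsetting[1]` inside a stream-start hook with no hint why the probe-time checks do not already cover it. I would put the rationale above `intfc = gspca_dev->dev->actconfig->intf_cache[0];`: `/* altsetting[1] is addressed by index here, while cit_get_packet_size() resolves the altsetting by number; a device need not have a second altsetting, or an endpoint in it. */`. The `sd_isoc_nego` comment defers to `sd_isoc_init` for the same access, so it should also name the assumption it rests on, e.g. `/* ... verified in sd_isoc_init(), which the gspca core runs before any nego call */`, hedged because that ordering is not visible in this file. `cit_get_packet_size`, `sd_isoc_init` and `sd_isoc_nego` each begin outside their hunks (the switch assigning `max_packet_size` is cut).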