From ac48bdfa4c6336191297bcb5d6b45a0b2df6f3ce Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 6 Mar 2018 10:25:34 -0800
Subject: [PATCH] 4.15-stable patches
added patches:
ixgbe-fix-crash-in-build_skb-rx-code-path.patch
tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
---
...-fix-crash-in-build_skb-rx-code-path.patch | 44 +++++++++++++++
queue-4.15/series | 6 ++
...ns-caused-by-bit-glitches-on-the-bus.patch | 55 +++++++++++++++++++
...ns-caused-by-bit-glitches-on-the-bus.patch | 49 +++++++++++++++++
...ns-caused-by-bit-glitches-on-the-bus.patch | 50 +++++++++++++++++
...ns-caused-by-bit-glitches-on-the-bus.patch | 53 ++++++++++++++++++
...ns-caused-by-bit-glitches-on-the-bus.patch | 51 +++++++++++++++++
7 files changed, 308 insertions(+)
create mode 100644 queue-4.15/ixgbe-fix-crash-in-build_skb-rx-code-path.patch
create mode 100644 queue-4.15/tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
create mode 100644 queue-4.15/tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
create mode 100644 queue-4.15/tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
create mode 100644 queue-4.15/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
create mode 100644 queue-4.15/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
diff --git a/queue-4.15/ixgbe-fix-crash-in-build_skb-rx-code-path.patch b/queue-4.15/ixgbe-fix-crash-in-build_skb-rx-code-path.patch
new file mode 100644
index 00000000000..b43627dfc5f
--- /dev/null
+++ b/queue-4.15/ixgbe-fix-crash-in-build_skb-rx-code-path.patch
@@ -0,0 +1,44 @@
+From 0c5661ecc5dd7ce296870a3eb7b62b1b280a5e89 Mon Sep 17 00:00:00 2001
+From: Emil Tantilov
+Date: Fri, 23 Feb 2018 12:39:41 -0800
+Subject: ixgbe: fix crash in build_skb Rx code path
+
+From: Emil Tantilov
+
+commit 0c5661ecc5dd7ce296870a3eb7b62b1b280a5e89 upstream.
+
+Add check for build_skb enabled ring in ixgbe_dma_sync_frag().
+In that case &skb_shinfo(skb)->frags[0] may not always be set which
+can lead to a crash. Instead we derive the page offset from skb->data.
+
+Fixes: 42073d91a214 ("ixgbe: Have the CPU take ownership of the buffers sooner")
+CC: stable
+Reported-by: Ambarish Soman
+Suggested-by: Alexander Duyck
+Signed-off-by: Emil Tantilov
+Tested-by: Andrew Bowers
+Signed-off-by: Jeff Kirsher
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -1878,6 +1878,14 @@ static void ixgbe_dma_sync_frag(struct i
+ ixgbe_rx_pg_size(rx_ring),
+ DMA_FROM_DEVICE,
+ IXGBE_RX_DMA_ATTR);
++ } else if (ring_uses_build_skb(rx_ring)) {
++ unsigned long offset = (unsigned long)(skb->data) & ~PAGE_MASK;
++
++ dma_sync_single_range_for_cpu(rx_ring->dev,
++ IXGBE_CB(skb)->dma,
++ offset,
++ skb_headlen(skb),
++ DMA_FROM_DEVICE);
+ } else {
+ struct skb_frag_struct *frag = &skb_shinfo(skb)->frags[0];
+
diff --git a/queue-4.15/series b/queue-4.15/series
index b52bd70de8d..80b2b2fce85 100644
--- a/queue-4.15/series
+++ b/queue-4.15/series
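Review bot: In the new `ring_uses_build_skb(rx_ring)` branch of ixgbe_dma_sync_frag(), `offset` is computed as `(unsigned long)(skb->data) & ~PAGE_MASK`, which is relative to the PAGE_SIZE-aligned page holding skb->data, while the preceding branch sizes its sync with `ixgbe_rx_pg_size(rx_ring)`. If a ring's receive buffer can span more than one page, that offset is not necessarily relative to the start of the mapping held in `IXGBE_CB(skb)->dma`, and the synced range could miss the header data; this is inferred from the visible lines only and should be confirmed against where the dma cookie is set. A comment recording the assumption would help, for example `/* build_skb: frags[0] may be unset, so sync the linear data; offset is taken within the page holding skb->data */`. The function body starts and ends outside the hunk.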
@@ -4,3 +4,9 @@ ipmi_si-fix-error-handling-of-platform-device.patch
 platform-x86-dell-laptop-allocate-buffer-on-heap-rather-than-globally.patch
 powerpc-pseries-enable-ras-hotplug-events-later.patch
 bluetooth-btusb-use-dmi-matching-for-qca-reset_resume-quirking.patch
+ixgbe-fix-crash-in-build_skb-rx-code-path.patch
+tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
+tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
+tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
+tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
+tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
diff --git a/queue-4.15/tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch b/queue-4.15/tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
new file mode 100644
index 00000000000..1a6d146033b
--- /dev/null
+++ b/queue-4.15/tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
@@ -0,0 +1,55 @@
+From 3be23274755ee85771270a23af7691dc9b3a95db Mon Sep 17 00:00:00 2001
+From: Jeremy Boone
+Date: Thu, 8 Feb 2018 12:28:08 -0800
+Subject: tpm: fix potential buffer overruns caused by bit glitches on the bus
+
+From: Jeremy Boone
+
+commit 3be23274755ee85771270a23af7691dc9b3a95db upstream.
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. If a bit does
+flip it could cause an overrun if it's in one of the size parameters,
+so sanity check that we're not overrunning the provided buffer when
+doing a memcpy().
+
+Signed-off-by: Jeremy Boone
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley
+Reviewed-by: Jarkko Sakkinen
+Tested-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm-interface.c | 4 ++++
+ drivers/char/tpm/tpm2-cmd.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -1228,6 +1228,10 @@ int tpm_get_random(u32 chip_num, u8 *out
+ break;
+
+ recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
++ if (recd > num_bytes) {
++ total = -EFAULT;
++ break;
++ }
+
+ rlength = be32_to_cpu(tpm_cmd.header.out.length);
+ if (rlength < offsetof(struct tpm_getrandom_out, rng_data) +
+--- a/drivers/char/tpm/tpm2-cmd.c
++++ b/drivers/char/tpm/tpm2-cmd.c
+@@ -683,6 +683,10 @@ static int tpm2_unseal_cmd(struct tpm_ch
+ if (!rc) {
+ data_len = be16_to_cpup(
+ (__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
++ if (data_len < MIN_KEY_SIZE || data_len > MAX_KEY_SIZE + 1) {
++ rc = -EFAULT;
++ goto out;
++ }
+
+ rlength = be32_to_cpu(((struct tpm2_cmd *)&buf)
+ ->header.out.length);
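Review bot: The upper bound in the tpm2_unseal_cmd() check, `data_len > MAX_KEY_SIZE + 1`, carries an unexplained `+ 1`; presumably the unsealed payload holds one byte beyond the key itself, but the copy that consumes data_len is outside the hunk, so this should be confirmed and recorded in a comment such as `/* payload is the key plus one trailing byte */`. Both new checks (this one and `recd > num_bytes` in tpm_get_random()) return -EFAULT, whereas the _recv() checks in the st33zp24, tpm_i2c_infineon, tpm_i2c_nuvoton and tpm_tis patches of this series report a corrupted length as -EIO. -EIO would describe a bus glitch more accurately than a bad-address error, unless callers already depend on the existing value. Both function bodies start and end outside the hunks.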
diff --git a/queue-4.15/tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch b/queue-4.15/tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
new file mode 100644
index 00000000000..abace46ccd4
--- /dev/null
+++ b/queue-4.15/tpm-st33zp24-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
@@ -0,0 +1,49 @@
+From 6d24cd186d9fead3722108dec1b1c993354645ff Mon Sep 17 00:00:00 2001
+From: Jeremy Boone
+Date: Thu, 8 Feb 2018 12:29:09 -0800
+Subject: tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus
+
+From: Jeremy Boone
+
+commit 6d24cd186d9fead3722108dec1b1c993354645ff upstream.
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/st33zp24/st33zp24.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/st33zp24/st33zp24.c
++++ b/drivers/char/tpm/st33zp24/st33zp24.c
+@@ -457,7 +457,7 @@ static int st33zp24_recv(struct tpm_chip
+ size_t count)
+ {
+ int size = 0;
+- int expected;
++ u32 expected;
+
+ if (!chip)
+ return -EBUSY;
+@@ -474,7 +474,7 @@ static int st33zp24_recv(struct tpm_chip
+ }
+
+ expected = be32_to_cpu(*(__be32 *)(buf + 2));
+- if (expected > count) {
++ if (expected > count || expected < TPM_HEADER_SIZE) {
+ size = -EIO;
+ goto out;
+ }
diff --git a/queue-4.15/tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch b/queue-4.15/tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
new file mode 100644
index 00000000000..cfb53f35ac4
--- /dev/null
+++ b/queue-4.15/tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
@@ -0,0 +1,50 @@
+From 9b8cb28d7c62568a5916bdd7ea1c9176d7f8f2ed Mon Sep 17 00:00:00 2001
+From: Jeremy Boone
+Date: Thu, 8 Feb 2018 12:30:01 -0800
+Subject: tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus
+
+From: Jeremy Boone
+
+commit 9b8cb28d7c62568a5916bdd7ea1c9176d7f8f2ed upstream.
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm_i2c_infineon.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_i2c_infineon.c
++++ b/drivers/char/tpm/tpm_i2c_infineon.c
+@@ -473,7 +473,8 @@ static int recv_data(struct tpm_chip *ch
+ static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count)
+ {
+ int size = 0;
+- int expected, status;
++ int status;
++ u32 expected;
+
+ if (count < TPM_HEADER_SIZE) {
+ size = -EIO;
+@@ -488,7 +489,7 @@ static int tpm_tis_i2c_recv(struct tpm_c
+ }
+
+ expected = be32_to_cpu(*(__be32 *)(buf + 2));
+- if ((size_t) expected > count) {
++ if (((size_t) expected > count) || (expected < TPM_HEADER_SIZE)) {
+ size = -EIO;
+ goto out;
+ }
diff --git a/queue-4.15/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch b/queue-4.15/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
new file mode 100644
index 00000000000..22596e753b1
--- /dev/null
+++ b/queue-4.15/tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
@@ -0,0 +1,53 @@
+From f9d4d9b5a5ef2f017bc344fb65a58a902517173b Mon Sep 17 00:00:00 2001
+From: Jeremy Boone
+Date: Thu, 8 Feb 2018 12:31:16 -0800
+Subject: tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
+
+From: Jeremy Boone
+
+commit f9d4d9b5a5ef2f017bc344fb65a58a902517173b upstream.
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm_i2c_nuvoton.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
++++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
+@@ -281,7 +281,11 @@ static int i2c_nuvoton_recv(struct tpm_c
+ struct device *dev = chip->dev.parent;
+ struct i2c_client *client = to_i2c_client(dev);
+ s32 rc;
+- int expected, status, burst_count, retries, size = 0;
++ int status;
++ int burst_count;
++ int retries;
++ int size = 0;
++ u32 expected;
+
+ if (count < TPM_HEADER_SIZE) {
+ i2c_nuvoton_ready(chip); /* return to idle */
+@@ -323,7 +327,7 @@ static int i2c_nuvoton_recv(struct tpm_c
+ * to machine native
+ */
+ expected = be32_to_cpu(*(__be32 *) (buf + 2));
+- if (expected > count) {
++ if (expected > count || expected < size) {
+ dev_err(dev, "%s() expected > count\n", __func__);
+ size = -EIO;
+ continue;
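Review bot: The lower-bound check added in i2c_nuvoton_recv() compares against `size` (`expected < size`) instead of TPM_HEADER_SIZE as the st33zp24, tpm_i2c_infineon and tpm_tis patches do, and `size` is a signed int while `expected` is now u32, so the comparison is carried out unsigned. How `size` is set before this point is outside the hunk; if it can hold a negative errno value here, the check would reject every response, so `if (expected > count || expected < TPM_HEADER_SIZE) {` is the safer and more consistent form. The dev_err() text still reads "expected > count" and no longer matches the condition; `dev_err(dev, "%s() expected length out of range\n", __func__);` would keep the log accurate for whoever triages these errors.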
diff --git a/queue-4.15/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch b/queue-4.15/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
new file mode 100644
index 00000000000..a3f984cb733
--- /dev/null
+++ b/queue-4.15/tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
@@ -0,0 +1,51 @@
+From 6bb320ca4a4a7b5b3db8c8d7250cc40002046878 Mon Sep 17 00:00:00 2001
+From: Jeremy Boone
+Date: Thu, 8 Feb 2018 12:32:06 -0800
+Subject: tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
+
+From: Jeremy Boone
+
+commit 6bb320ca4a4a7b5b3db8c8d7250cc40002046878 upstream.
+
+Discrete TPMs are often connected over slow serial buses which, on
+some platforms, can have glitches causing bit flips. In all the
+driver _recv() functions, we need to use a u32 to unmarshal the
+response size, otherwise a bit flip of the 31st bit would cause the
+expected variable to go negative, which would then try to read a huge
+amount of data. Also sanity check that the expected amount of data is
+large enough for the TPM header.
+
+Signed-off-by: Jeremy Boone
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley
+Tested-by: Jarkko Sakkinen
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm_tis_core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -202,7 +202,8 @@ static int tpm_tis_recv(struct tpm_chip
+ {
+ struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev);
+ int size = 0;
+- int expected, status;
++ int status;
++ u32 expected;
+
+ if (count < TPM_HEADER_SIZE) {
+ size = -EIO;
+@@ -217,7 +218,7 @@ static int tpm_tis_recv(struct tpm_chip
+ }
+
+ expected = be32_to_cpu(*(__be32 *) (buf + 2));
+- if (expected > count) {
++ if (expected > count || expected < TPM_HEADER_SIZE) {
+ size = -EIO;
+ goto out;
+ }
--
2.47.3