From c24042ffed8b6927283ae7b5845d5bccafaf8b16 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 23 Dec 2020 16:01:48 +0100 Subject: [PATCH] 5.10-stable patches added patches: bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch fs-quota-fix-array-index-out-of-bounds-bug-by-passing-correct-argument-to-vfs_cleanup_quota_inode.patch md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch media-msi2500-assign-spi-bus-number-dynamically.patch nl80211-validate-key-indexes-for-cfg80211_registered_device.patch quota-sanity-check-quota-file-headers-on-load.patch --- ...read-in-hci_le_direct_adv_report_evt.patch | 54 +++++++ ...defined-behavior-accessing-salg_name.patch | 108 ++++++++++++++ ...-argument-to-vfs_cleanup_quota_inode.patch | 42 ++++++ ...a-race-between-concurrent-md_ioctl-s.patch | 75 ++++++++++ ...00-assign-spi-bus-number-dynamically.patch | 34 +++++ ...dexes-for-cfg80211_registered_device.patch | 136 ++++++++++++++++++ ...ity-check-quota-file-headers-on-load.patch | 50 +++++++ queue-5.10/series | 7 + 8 files changed, 506 insertions(+) create mode 100644 queue-5.10/bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch create mode 100644 queue-5.10/crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch create mode 100644 queue-5.10/fs-quota-fix-array-index-out-of-bounds-bug-by-passing-correct-argument-to-vfs_cleanup_quota_inode.patch create mode 100644 queue-5.10/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch create mode 100644 queue-5.10/media-msi2500-assign-spi-bus-number-dynamically.patch create mode 100644 queue-5.10/nl80211-validate-key-indexes-for-cfg80211_registered_device.patch create mode 100644 queue-5.10/quota-sanity-check-quota-file-headers-on-load.patch 
diff --git a/queue-5.10/bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch b/queue-5.10/bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch new file mode 100644
index 00000000000..930f8c389bf
--- /dev/null
+++ b/queue-5.10/bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch
@@ -0,0 +1,54 @@ +From f7e0e8b2f1b0a09b527885babda3e912ba820798 Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Wed, 9 Sep 2020 03:17:00 -0400 +Subject: Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt() + +From: Peilin Ye + +commit f7e0e8b2f1b0a09b527885babda3e912ba820798 upstream. + +`num_reports` is not being properly checked. A malformed event packet with +a large `num_reports` number makes hci_le_direct_adv_report_evt() read out +of bounds. Fix it. + +Cc: stable@vger.kernel.org +Fixes: 2f010b55884e ("Bluetooth: Add support for handling LE Direct Advertising Report events") +Reported-and-tested-by: syzbot+24ebd650e20bd263ca01@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=24ebd650e20bd263ca01 +Signed-off-by: Peilin Ye +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5868,21 +5868,19 @@ static void hci_le_direct_adv_report_evt + struct sk_buff *skb) + { + u8 num_reports = skb->data[0]; +- void *ptr = &skb->data[1]; ++ struct hci_ev_le_direct_adv_info *ev = (void *)&skb->data[1]; + +- hci_dev_lock(hdev); ++ if (!num_reports || skb->len < num_reports * sizeof(*ev) + 1) ++ return; + +- while (num_reports--) { +- struct hci_ev_le_direct_adv_info *ev = ptr; ++ hci_dev_lock(hdev); + ++ for (; num_reports; num_reports--, ev++) + process_adv_report(hdev, ev->evt_type, &ev->bdaddr, + ev->bdaddr_type, &ev->direct_addr, + ev->direct_addr_type, ev->rssi, NULL, 0, + false); + +- ptr += sizeof(*ev); +- } +- + hci_dev_unlock(hdev); + } + diff --git a/queue-5.10/crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch b/queue-5.10/crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch new file mode 100644 index 00000000000..991477d46b5 --- /dev/null 
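Review bot: In hci_le_direct_adv_report_evt() the new length check comes one statement too late: `u8 num_reports = skb->data[0];` is still evaluated before `skb->len` is compared, so a zero-length payload reads one byte past the valid data, unless the LE meta-event dispatcher already guarantees at least one byte, which is not visible here. Reordering to `if (skb->len < 1) return;` followed by `num_reports = skb->data[0];` ahead of the existing `skb->len < num_reports * sizeof(*ev) + 1` test closes that gap at no cost. The check also relies on `struct hci_ev_le_direct_adv_info` being packed so that `sizeof(*ev)` equals the on-air report size; a one-line comment at the check, `/* one count byte followed by num_reports packed reports */`, would make that assumption explicit. The function is fully contained in the hunk.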
+++ b/queue-5.10/crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch 
@@ -0,0 +1,108 @@ +From 92eb6c3060ebe3adf381fd9899451c5b047bb14d Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 26 Oct 2020 13:07:15 -0700 +Subject: crypto: af_alg - avoid undefined behavior accessing salg_name + +From: Eric Biggers + +commit 92eb6c3060ebe3adf381fd9899451c5b047bb14d upstream. + +Commit 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm +names") made the kernel start accepting arbitrarily long algorithm names +in sockaddr_alg. However, the actual length of the salg_name field +stayed at the original 64 bytes. + +This is broken because the kernel can access indices >= 64 in salg_name, +which is undefined behavior -- even though the memory that is accessed +is still located within the sockaddr structure. It would only be +defined behavior if the array were properly marked as arbitrary-length +(either by making it a flexible array, which is the recommended way +these days, or by making it an array of length 0 or 1). + +We can't simply change salg_name into a flexible array, since that would +break source compatibility with userspace programs that embed +sockaddr_alg into another struct, or (more commonly) declare a +sockaddr_alg like 'struct sockaddr_alg sa = { .salg_name = "foo" };'. + +One solution would be to change salg_name into a flexible array only +when '#ifdef __KERNEL__'. However, that would keep userspace without an +easy way to actually use the longer algorithm names. + +Instead, add a new structure 'sockaddr_alg_new' that has the flexible +array field, and expose it to both userspace and the kernel. +Make the kernel use it correctly in alg_bind(). + +This addresses the syzbot report +"UBSAN: array-index-out-of-bounds in alg_bind" +(https://syzkaller.appspot.com/bug?extid=92ead4eb8e26a26d465e). 
+ +Reported-by: syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com +Fixes: 3f69cc60768b ("crypto: af_alg - Allow arbitrarily long algorithm names") +Cc: # v4.12+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/af_alg.c | 10 +++++++--- + include/uapi/linux/if_alg.h | 16 ++++++++++++++++ + 2 files changed, 23 insertions(+), 3 deletions(-) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -147,7 +147,7 @@ static int alg_bind(struct socket *sock, + const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY; + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); +- struct sockaddr_alg *sa = (void *)uaddr; ++ struct sockaddr_alg_new *sa = (void *)uaddr; + const struct af_alg_type *type; + void *private; + int err; +@@ -155,7 +155,11 @@ static int alg_bind(struct socket *sock, + if (sock->state == SS_CONNECTED) + return -EINVAL; + +- if (addr_len < sizeof(*sa)) ++ BUILD_BUG_ON(offsetof(struct sockaddr_alg_new, salg_name) != ++ offsetof(struct sockaddr_alg, salg_name)); ++ BUILD_BUG_ON(offsetof(struct sockaddr_alg, salg_name) != sizeof(*sa)); ++ ++ if (addr_len < sizeof(*sa) + 1) + return -EINVAL; + + /* If caller uses non-allowed flag, return error. */ +@@ -163,7 +167,7 @@ static int alg_bind(struct socket *sock, + return -EINVAL; + + sa->salg_type[sizeof(sa->salg_type) - 1] = 0; +- sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0; ++ sa->salg_name[addr_len - sizeof(*sa) - 1] = 0; + + type = alg_get_type(sa->salg_type); + if (PTR_ERR(type) == -ENOENT) { +--- a/include/uapi/linux/if_alg.h ++++ b/include/uapi/linux/if_alg.h +@@ -24,6 +24,22 @@ struct sockaddr_alg { + __u8 salg_name[64]; + }; + ++/* ++ * Linux v4.12 and later removed the 64-byte limit on salg_name[]; it's now an ++ * arbitrary-length field. We had to keep the original struct above for source ++ * compatibility with existing userspace programs, though. 
Use the new struct ++ * below if support for very long algorithm names is needed. To do this, ++ * allocate 'sizeof(struct sockaddr_alg_new) + strlen(algname) + 1' bytes, and ++ * copy algname (including the null terminator) into salg_name. ++ */ ++struct sockaddr_alg_new { ++ __u16 salg_family; ++ __u8 salg_type[14]; ++ __u32 salg_feat; ++ __u32 salg_mask; ++ __u8 salg_name[]; ++}; ++ + struct af_alg_iv { + __u32 ivlen; + __u8 iv[0]; diff --git a/queue-5.10/fs-quota-fix-array-index-out-of-bounds-bug-by-passing-correct-argument-to-vfs_cleanup_quota_inode.patch b/queue-5.10/fs-quota-fix-array-index-out-of-bounds-bug-by-passing-correct-argument-to-vfs_cleanup_quota_inode.patch new file mode 100644 index 00000000000..4905a1f3845 --- /dev/null +++ b/queue-5.10/fs-quota-fix-array-index-out-of-bounds-bug-by-passing-correct-argument-to-vfs_cleanup_quota_inode.patch 
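Review bot: In alg_bind() the terminating write `sa->salg_name[addr_len - sizeof(*sa) - 1] = 0;` has no local upper bound on `addr_len`; it is safe only if the socket layer has already copied the address into a fixed-size kernel buffer and rejected longer lengths before the protocol bind runs, which this hunk cannot show. A comment at the new `if (addr_len < sizeof(*sa) + 1)` check, such as `/* addr_len was bounded by the caller's kernel copy of the address; only the lower bound is checked here */`, would record that reliance so the check is not weakened if the entry path changes. The uapi comment tells userspace to allocate `sizeof(struct sockaddr_alg_new) + strlen(algname) + 1` bytes; adding that the `addr_len` passed to bind() must be that same value, because the kernel writes the terminator at `addr_len - 1`, would save a round of -EINVAL. alg_bind() begins and ends outside the hunk.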
@@ -0,0 +1,42 @@ +From e51d68e76d604c6d5d1eb13ae1d6da7f6c8c0dfc Mon Sep 17 00:00:00 2001 +From: Anant Thazhemadam +Date: Wed, 9 Dec 2020 01:13:38 +0530 +Subject: fs: quota: fix array-index-out-of-bounds bug by passing correct argument to vfs_cleanup_quota_inode() + +From: Anant Thazhemadam + +commit e51d68e76d604c6d5d1eb13ae1d6da7f6c8c0dfc upstream. + +When dquot_resume() was last updated, the argument that got passed +to vfs_cleanup_quota_inode was incorrectly set. + +If type = -1 and dquot_load_quota_sb() returns a negative value, +then vfs_cleanup_quota_inode() gets called with -1 passed as an +argument, and this leads to an array-index-out-of-bounds bug. + +Fix this issue by correctly passing the arguments. + +Fixes: ae45f07d47cc ("quota: Simplify dquot_resume()") +Link: https://lore.kernel.org/r/20201208194338.7064-1-anant.thazhemadam@gmail.com +Reported-by: syzbot+2643e825238d7aabb37f@syzkaller.appspotmail.com +Tested-by: syzbot+2643e825238d7aabb37f@syzkaller.appspotmail.com +CC: stable@vger.kernel.org +Signed-off-by: Anant Thazhemadam +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/quota/dquot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -2455,7 +2455,7 @@ int dquot_resume(struct super_block *sb, + ret = dquot_load_quota_sb(sb, cnt, dqopt->info[cnt].dqi_fmt_id, + flags); + if (ret < 0) +- vfs_cleanup_quota_inode(sb, type); ++ vfs_cleanup_quota_inode(sb, cnt); + } + + return ret; diff --git a/queue-5.10/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch b/queue-5.10/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch new file mode 100644 index 00000000000..c2648895155 --- /dev/null +++ b/queue-5.10/md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch 
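Review bot: Nothing at the corrected call `vfs_cleanup_quota_inode(sb, cnt);` records why the function's `type` parameter must not be used there, so a later cleanup could reintroduce the -1 index; a short comment, `/* type may be -1 (all types); cnt is the type that was actually loaded */`, would pin it. Separately, `ret` is reassigned by each `dquot_load_quota_sb()` call before the `return ret;` that follows the closing brace, so if this is a loop over `cnt` as the name suggests, a failure for one quota type is masked when a later type loads successfully; worth confirming that is intended. dquot_resume() begins outside the hunk.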
@@ -0,0 +1,75 @@ +From c731b84b51bf7fe83448bea8f56a6d55006b0615 Mon Sep 17 00:00:00 2001 +From: "Dae R. Jeong" +Date: Thu, 22 Oct 2020 10:21:28 +0900 +Subject: md: fix a warning caused by a race between concurrent md_ioctl()s + +From: Dae R. Jeong + +commit c731b84b51bf7fe83448bea8f56a6d55006b0615 upstream. + +Syzkaller reports a warning as belows. +WARNING: CPU: 0 PID: 9647 at drivers/md/md.c:7169 +... +Call Trace: +... +RIP: 0010:md_ioctl+0x4017/0x5980 drivers/md/md.c:7169 +RSP: 0018:ffff888096027950 EFLAGS: 00010293 +RAX: ffff88809322c380 RBX: 0000000000000932 RCX: ffffffff84e266f2 +RDX: 0000000000000000 RSI: ffffffff84e299f7 RDI: 0000000000000007 +RBP: ffff888096027bc0 R08: ffff88809322c380 R09: ffffed101341a482 +R10: ffff888096027940 R11: ffff88809a0d240f R12: 0000000000000932 +R13: ffff8880a2c14100 R14: ffff88809a0d2268 R15: ffff88809a0d2408 + __blkdev_driver_ioctl block/ioctl.c:304 [inline] + blkdev_ioctl+0xece/0x1c10 block/ioctl.c:606 + block_ioctl+0xee/0x130 fs/block_dev.c:1930 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:509 [inline] + do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696 + ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 + __do_sys_ioctl fs/ioctl.c:720 [inline] + __se_sys_ioctl fs/ioctl.c:718 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 + do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +This is caused by a race between two concurrenct md_ioctl()s closing +the array. +CPU1 (md_ioctl()) CPU2 (md_ioctl()) +------ ------ +set_bit(MD_CLOSING, &mddev->flags); +did_set_md_closing = true; + WARN_ON_ONCE(test_bit(MD_CLOSING, + &mddev->flags)); +if(did_set_md_closing) + clear_bit(MD_CLOSING, &mddev->flags); + +Fix the warning by returning immediately if the MD_CLOSING bit is set +in &mddev->flags which indicates that the array is being closed. 
+ +Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop") +Reported-by: syzbot+1e46a0864c1a6e9bd3d8@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dae R. Jeong +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7590,8 +7590,11 @@ static int md_ioctl(struct block_device + err = -EBUSY; + goto out; + } +- WARN_ON_ONCE(test_bit(MD_CLOSING, &mddev->flags)); +- set_bit(MD_CLOSING, &mddev->flags); ++ if (test_and_set_bit(MD_CLOSING, &mddev->flags)) { ++ mutex_unlock(&mddev->open_mutex); ++ err = -EBUSY; ++ goto out; ++ } + did_set_md_closing = true; + mutex_unlock(&mddev->open_mutex); + sync_blockdev(bdev); diff --git a/queue-5.10/media-msi2500-assign-spi-bus-number-dynamically.patch b/queue-5.10/media-msi2500-assign-spi-bus-number-dynamically.patch new file mode 100644 index 00000000000..6fd85394e8c --- /dev/null +++ b/queue-5.10/media-msi2500-assign-spi-bus-number-dynamically.patch 
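Review bot: In the new `test_and_set_bit(MD_CLOSING, &mddev->flags)` branch of md_ioctl(), `did_set_md_closing` is deliberately left false so the -EBUSY exit does not clear a bit the other ioctl owns, but nothing in the code says so, and the `goto out` makes it read like an ordinary error path. A comment ahead of the `mutex_unlock()`, `/* another md_ioctl() is already closing the array and will clear MD_CLOSING; do not clear it on its behalf */`, would keep a future cleanup from "fixing" it. The clear at the `out:` label and the rest of md_ioctl() lie outside the hunk, so that pairing is inferred from the commit message rather than visible here.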
@@ -0,0 +1,34 @@ +From 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 Mon Sep 17 00:00:00 2001 +From: Antti Palosaari +Date: Sat, 17 Aug 2019 03:12:10 +0200 +Subject: media: msi2500: assign SPI bus number dynamically + +From: Antti Palosaari + +commit 9c60cc797cf72e95bb39f32316e9f0e5f85435f9 upstream. + +SPI bus number must be assigned dynamically for each device, otherwise it +will crash when multiple devices are plugged to system. + +Reported-and-tested-by: syzbot+c60ddb60b685777d9d59@syzkaller.appspotmail.com + +Cc: stable@vger.kernel.org +Signed-off-by: Antti Palosaari +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/msi2500/msi2500.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/msi2500/msi2500.c ++++ b/drivers/media/usb/msi2500/msi2500.c +@@ -1230,7 +1230,7 @@ static int msi2500_probe(struct usb_inte + } + + dev->master = master; +- master->bus_num = 0; ++ master->bus_num = -1; + master->num_chipselect = 1; + master->transfer_one_message = msi2500_transfer_one_message; + spi_master_set_devdata(master, dev); diff --git a/queue-5.10/nl80211-validate-key-indexes-for-cfg80211_registered_device.patch b/queue-5.10/nl80211-validate-key-indexes-for-cfg80211_registered_device.patch new file mode 100644 index 00000000000..3d96381f5e8 --- /dev/null +++ b/queue-5.10/nl80211-validate-key-indexes-for-cfg80211_registered_device.patch 
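Review bot: `master->bus_num = -1;` in msi2500_probe() carries no explanation, and -1 reads like an error value rather than a request for dynamic bus-number allocation, so the fixed 0 could easily be restored by someone chasing a naming change. A comment on that line, `/* -1: let the SPI core pick a free bus number; a fixed 0 collides when a second device is plugged in */`, captures the reason given in the commit message. msi2500_probe() begins and ends outside the hunk.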
@@ -0,0 +1,136 @@ +From 2d9463083ce92636a1bdd3e30d1236e3e95d859e Mon Sep 17 00:00:00 2001 +From: Anant Thazhemadam +Date: Sat, 5 Dec 2020 03:28:25 +0530 +Subject: nl80211: validate key indexes for cfg80211_registered_device + +From: Anant Thazhemadam + +commit 2d9463083ce92636a1bdd3e30d1236e3e95d859e upstream. + +syzbot discovered a bug in which an OOB access was being made because +an unsuitable key_idx value was wrongly considered to be acceptable +while deleting a key in nl80211_del_key(). + +Since we don't know the cipher at the time of deletion, if +cfg80211_validate_key_settings() were to be called directly in +nl80211_del_key(), even valid keys would be wrongly determined invalid, +and deletion wouldn't occur correctly. +For this reason, a new function - cfg80211_valid_key_idx(), has been +created, to determine if the key_idx value provided is valid or not. +cfg80211_valid_key_idx() is directly called in 2 places - +nl80211_del_key(), and cfg80211_validate_key_settings(). + +Reported-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com +Tested-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com +Suggested-by: Johannes Berg +Signed-off-by: Anant Thazhemadam +Link: https://lore.kernel.org/r/20201204215825.129879-1-anant.thazhemadam@gmail.com +Cc: stable@vger.kernel.org +[also disallow IGTK key IDs if no IGTK cipher is supported] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/core.h | 2 + + net/wireless/nl80211.c | 7 +++--- + net/wireless/util.c | 51 +++++++++++++++++++++++++++++++++++++++++-------- + 3 files changed, 49 insertions(+), 11 deletions(-) + +--- a/net/wireless/core.h ++++ b/net/wireless/core.h +@@ -433,6 +433,8 @@ void cfg80211_sme_abandon_assoc(struct w + + /* internal helpers */ + bool cfg80211_supported_cipher_suite(struct wiphy *wiphy, u32 cipher); ++bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev, ++ int key_idx, bool pairwise); + int cfg80211_validate_key_settings(struct 
cfg80211_registered_device *rdev, + struct key_params *params, int key_idx, + bool pairwise, const u8 *mac_addr); +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -4260,9 +4260,6 @@ static int nl80211_del_key(struct sk_buf + if (err) + return err; + +- if (key.idx < 0) +- return -EINVAL; +- + if (info->attrs[NL80211_ATTR_MAC]) + mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]); + +@@ -4278,6 +4275,10 @@ static int nl80211_del_key(struct sk_buf + key.type != NL80211_KEYTYPE_GROUP) + return -EINVAL; + ++ if (!cfg80211_valid_key_idx(rdev, key.idx, ++ key.type == NL80211_KEYTYPE_PAIRWISE)) ++ return -EINVAL; ++ + if (!rdev->ops->del_key) + return -EOPNOTSUPP; + +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -272,18 +272,53 @@ bool cfg80211_supported_cipher_suite(str + return false; + } + +-int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev, +- struct key_params *params, int key_idx, +- bool pairwise, const u8 *mac_addr) ++static bool ++cfg80211_igtk_cipher_supported(struct cfg80211_registered_device *rdev) ++{ ++ struct wiphy *wiphy = &rdev->wiphy; ++ int i; ++ ++ for (i = 0; i < wiphy->n_cipher_suites; i++) { ++ switch (wiphy->cipher_suites[i]) { ++ case WLAN_CIPHER_SUITE_AES_CMAC: ++ case WLAN_CIPHER_SUITE_BIP_CMAC_256: ++ case WLAN_CIPHER_SUITE_BIP_GMAC_128: ++ case WLAN_CIPHER_SUITE_BIP_GMAC_256: ++ return true; ++ } ++ } ++ ++ return false; ++} ++ ++bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev, ++ int key_idx, bool pairwise) + { +- int max_key_idx = 5; ++ int max_key_idx; + +- if (wiphy_ext_feature_isset(&rdev->wiphy, +- NL80211_EXT_FEATURE_BEACON_PROTECTION) || +- wiphy_ext_feature_isset(&rdev->wiphy, +- NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT)) ++ if (pairwise) ++ max_key_idx = 3; ++ else if (wiphy_ext_feature_isset(&rdev->wiphy, ++ NL80211_EXT_FEATURE_BEACON_PROTECTION) || ++ wiphy_ext_feature_isset(&rdev->wiphy, ++ NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT)) + max_key_idx = 7; 
++ else if (cfg80211_igtk_cipher_supported(rdev)) ++ max_key_idx = 5; ++ else ++ max_key_idx = 3; ++ + if (key_idx < 0 || key_idx > max_key_idx) ++ return false; ++ ++ return true; ++} ++ ++int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev, ++ struct key_params *params, int key_idx, ++ bool pairwise, const u8 *mac_addr) ++{ ++ if (!cfg80211_valid_key_idx(rdev, key_idx, pairwise)) + return -EINVAL; + + if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN)) diff --git a/queue-5.10/quota-sanity-check-quota-file-headers-on-load.patch b/queue-5.10/quota-sanity-check-quota-file-headers-on-load.patch new file mode 100644 index 00000000000..96cd827eff0 --- /dev/null +++ b/queue-5.10/quota-sanity-check-quota-file-headers-on-load.patch 
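Review bot: The limits 3, 5 and 7 in cfg80211_valid_key_idx() are bare numbers with nothing tying them to the key-ID ranges they gate, which matters now that this function is the single index check for both the add and delete paths. Annotating each assignment makes the table self-explaining: `max_key_idx = 3; /* WEP/GTK/PTK key IDs 0-3 */`, `max_key_idx = 5; /* plus IGTK key IDs 4-5 */`, `max_key_idx = 7; /* plus BIGTK key IDs 6-7 */`. A one-line kernel-doc saying the function validates only the index and that callers such as cfg80211_validate_key_settings() still check the cipher would also help, since nl80211_del_key() deliberately has no cipher to check. The tail of cfg80211_validate_key_settings() runs past the end of the hunk.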
@@ -0,0 +1,50 @@ +From 11c514a99bb960941535134f0587102855e8ddee Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 2 Nov 2020 16:16:29 +0100 +Subject: quota: Sanity-check quota file headers on load + +From: Jan Kara + +commit 11c514a99bb960941535134f0587102855e8ddee upstream. + +Perform basic sanity checks of quota headers to avoid kernel crashes on +corrupted quota files. + +CC: stable@vger.kernel.org +Reported-by: syzbot+f816042a7ae2225f25ba@syzkaller.appspotmail.com +Reviewed-by: Andreas Dilger +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/quota/quota_v2.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/fs/quota/quota_v2.c ++++ b/fs/quota/quota_v2.c +@@ -157,6 +157,25 @@ static int v2_read_file_info(struct supe + qinfo->dqi_entry_size = sizeof(struct v2r1_disk_dqblk); + qinfo->dqi_ops = &v2r1_qtree_ops; + } ++ ret = -EUCLEAN; ++ /* Some sanity checks of the read headers... */ ++ if ((loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits > ++ i_size_read(sb_dqopt(sb)->files[type])) { ++ quota_error(sb, "Number of blocks too big for quota file size (%llu > %llu).", ++ (loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits, ++ i_size_read(sb_dqopt(sb)->files[type])); ++ goto out; ++ } ++ if (qinfo->dqi_free_blk >= qinfo->dqi_blocks) { ++ quota_error(sb, "Free block number too big (%u >= %u).", ++ qinfo->dqi_free_blk, qinfo->dqi_blocks); ++ goto out; ++ } ++ if (qinfo->dqi_free_entry >= qinfo->dqi_blocks) { ++ quota_error(sb, "Block with free entry too big (%u >= %u).", ++ qinfo->dqi_free_entry, qinfo->dqi_blocks); ++ goto out; ++ } + ret = 0; + out: + up_read(&dqopt->dqio_sem); diff --git a/queue-5.10/series b/queue-5.10/series index be64b356bcd..08526b4210a 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
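Review bot: The new checks in v2_read_file_info() reach the quota inode through `sb_dqopt(sb)->files[type]` twice although the function already holds it as `dqopt` (visible in the `up_read(&dqopt->dqio_sem)` below), and `(loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits` is computed twice. A local such as `loff_t blocks_bytes = (loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits;` with `if (blocks_bytes > i_size_read(dqopt->files[type]))` keeps the check and its error message in sync and matches the function's style. These checks are a consistency floor rather than full validation: `dqi_free_blk` and `dqi_free_entry` are only bounded against `dqi_blocks`, so the tree walkers must still treat on-disk block numbers as untrusted; a comment saying so above `/* Some sanity checks of the read headers... */` would set expectations. v2_read_file_info() begins outside the hunk.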
@@ -31,3 +31,10 @@ fscrypt-add-fscrypt_is_nokey_name.patch
 ubifs-prevent-creating-duplicate-encrypted-filenames.patch
 ext4-prevent-creating-duplicate-encrypted-filenames.patch
 f2fs-prevent-creating-duplicate-encrypted-filenames.patch
+bluetooth-fix-slab-out-of-bounds-read-in-hci_le_direct_adv_report_evt.patch
+quota-sanity-check-quota-file-headers-on-load.patch
+fs-quota-fix-array-index-out-of-bounds-bug-by-passing-correct-argument-to-vfs_cleanup_quota_inode.patch
+media-msi2500-assign-spi-bus-number-dynamically.patch
+crypto-af_alg-avoid-undefined-behavior-accessing-salg_name.patch
+nl80211-validate-key-indexes-for-cfg80211_registered_device.patch
+md-fix-a-warning-caused-by-a-race-between-concurrent-md_ioctl-s.patch
-- 2.47.3