From f6a073e260d132e5adb2da2a271576043556986c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 23 Jun 2019 18:03:10 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
 apparmor-enforce-nullbyte-at-end-of-tag-string.patch
 input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
---
 ...nforce-nullbyte-at-end-of-tag-string.patch | 38 ++++++++++++
 ...umber-translation-for-ui_-_ff_upload.patch | 61 +++++++++++++++++++
 queue-4.4/series | 2 +
 3 files changed, 101 insertions(+)
 create mode 100644 queue-4.4/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
 create mode 100644 queue-4.4/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch

diff --git a/queue-4.4/apparmor-enforce-nullbyte-at-end-of-tag-string.patch b/queue-4.4/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
new file mode 100644
index 00000000000..2f047c60dc8
--- /dev/null
+++ b/queue-4.4/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
@@ -0,0 +1,38 @@
+From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Tue, 28 May 2019 17:32:26 +0200
+Subject: apparmor: enforce nullbyte at end of tag string
+
+From: Jann Horn
+
+commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
+
+A packed AppArmor policy contains null-terminated tag strings that are read
+by unpack_nameX(). However, unpack_nameX() uses string functions on them
+without ensuring that they are actually null-terminated, potentially
+leading to out-of-bounds accesses.
+
+Make sure that the tag string is null-terminated before passing it to
+strcmp().
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Jann Horn
+Signed-off-by: John Johansen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/apparmor/policy_unpack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -177,7 +177,7 @@ static bool unpack_nameX(struct aa_ext *
+ char *tag = NULL;
+ size_t size = unpack_u16_chunk(e, &tag);
+ /* if a name is specified it must match. otherwise skip tag */
+- if (name && (!size || strcmp(name, tag)))
++ if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
+ goto fail;
+ } else if (name) {
+ /* if a name is specified and there is no name tag fail */
diff --git a/queue-4.4/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch b/queue-4.4/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
new file mode 100644
index 00000000000..baee4dd43e8
--- /dev/null
+++ b/queue-4.4/input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
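Review bot: The new terminator check in the `unpack_nameX` hunk is correct but undocumented: a reader sees `tag[size-1] != '\0'` and has to work out that it is only safe because `!size` short-circuits first, and nothing says the chunk is untrusted packed-policy data. I would extend the existing comment to `/* if a name is specified it must match and the chunk must be NUL-terminated (policy data is untrusted); otherwise skip tag */`. unpack_nameX starts and ends outside the hunk, so whether `tag` is also consumed after a successful match could not be checked here.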
@@ -0,0 +1,61 @@
+From 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 Mon Sep 17 00:00:00 2001
+From: Andrey Smirnov
+Date: Thu, 23 May 2019 12:55:26 -0700
+Subject: Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
+
+From: Andrey Smirnov
+
+commit 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 upstream.
+
+In the case of compat syscall ioctl numbers for UI_BEGIN_FF_UPLOAD and
+UI_END_FF_UPLOAD need to be adjusted before being passed on
+uinput_ioctl_handler() since code built with -m32 will be passing
+slightly different values. Extend the code already covering
+UI_SET_PHYS to cover UI_BEGIN_FF_UPLOAD and UI_END_FF_UPLOAD as well.
+
+Reported-by: Pierre-Loup A. Griffais
+Signed-off-by: Andrey Smirnov
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/misc/uinput.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -894,13 +894,31 @@ static long uinput_ioctl(struct file *fi
+
+ #ifdef CONFIG_COMPAT
+
+-#define UI_SET_PHYS_COMPAT _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++/*
++ * These IOCTLs change their size and thus their numbers between
++ * 32 and 64 bits.
++ */
++#define UI_SET_PHYS_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++#define UI_BEGIN_FF_UPLOAD_COMPAT \
++ _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
++#define UI_END_FF_UPLOAD_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
+
+ static long uinput_compat_ioctl(struct file *file,
+ unsigned int cmd, unsigned long arg)
+ {
+- if (cmd == UI_SET_PHYS_COMPAT)
++ switch (cmd) {
++ case UI_SET_PHYS_COMPAT:
+ cmd = UI_SET_PHYS;
++ break;
++ case UI_BEGIN_FF_UPLOAD_COMPAT:
++ cmd = UI_BEGIN_FF_UPLOAD;
++ break;
++ case UI_END_FF_UPLOAD_COMPAT:
++ cmd = UI_END_FF_UPLOAD;
++ break;
++ }
+
+ return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
+ }
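Review bot: The `switch (cmd)` introduced in `uinput_compat_ioctl` has no `default:` arm, so a reader cannot tell whether every other command is meant to pass through untranslated or was simply not considered; I would add `default: break; /* same number on both ABIs */` to make the pass-through explicit. The new header comment would also be more useful if it said why the numbers differ — `_IOW()`/`_IOWR()` encode the size of the argument type, and the compat layouts of `compat_uptr_t` and `struct uinput_ff_upload_compat` are smaller — since that is the rule a maintainer needs to decide whether a future pointer-carrying ioctl needs an entry here. The backport presumes `struct uinput_ff_upload_compat` and the `UI_*_FF_UPLOAD` numbers already exist in the 4.4 tree; that is not visible in this hunk and is worth confirming at build time.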
diff --git a/queue-4.4/series b/queue-4.4/series
index 806c840575c..cea4d04f73e 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1,3 +1,5 @@
 tracing-silence-gcc-9-array-bounds-warning.patch
 gcc-9-silence-address-of-packed-member-warning.patch
 usb-chipidea-udc-workaround-for-endpoint-conflict-issue.patch
+input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
+apparmor-enforce-nullbyte-at-end-of-tag-string.patch
-- 
2.47.3