3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Jan 2018 17:51:10 +0000 (18:51 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Jan 2018 17:51:10 +0000 (18:51 +0100)
added patches:
af_key-fix-buffer-overread-in-parse_exthdrs.patch
af_key-fix-buffer-overread-in-verify_address_len.patch
alsa-hda-apply-the-existing-quirk-to-imac-14-1.patch
alsa-pcm-remove-yet-superfluous-warn_on.patch
futex-prevent-overflow-by-strengthen-input-validation.patch

queue-3.18/af_key-fix-buffer-overread-in-parse_exthdrs.patch [new file with mode: 0644]
queue-3.18/af_key-fix-buffer-overread-in-verify_address_len.patch [new file with mode: 0644]
queue-3.18/alsa-hda-apply-the-existing-quirk-to-imac-14-1.patch [new file with mode: 0644]
queue-3.18/alsa-pcm-remove-yet-superfluous-warn_on.patch [new file with mode: 0644]
queue-3.18/futex-prevent-overflow-by-strengthen-input-validation.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/af_key-fix-buffer-overread-in-parse_exthdrs.patch b/queue-3.18/af_key-fix-buffer-overread-in-parse_exthdrs.patch
new file mode 100644 (file)
index 0000000..2986b74
--- /dev/null
@@ -0,0 +1,53 @@
+From 4e765b4972af7b07adcb1feb16e7a525ce1f6b28 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 29 Dec 2017 18:15:23 -0600
+Subject: af_key: fix buffer overread in parse_exthdrs()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 4e765b4972af7b07adcb1feb16e7a525ce1f6b28 upstream.
+
+If a message sent to a PF_KEY socket ended with an incomplete extension
+header (fewer than 4 bytes remaining), then parse_exthdrs() read past
+the end of the message, into uninitialized memory.  Fix it by returning
+-EINVAL in this case.
+
+Reproducer:
+
+       #include <linux/pfkeyv2.h>
+       #include <sys/socket.h>
+       #include <unistd.h>
+
+       int main()
+       {
+               int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+               char buf[17] = { 0 };
+               struct sadb_msg *msg = (void *)buf;
+
+               msg->sadb_msg_version = PF_KEY_V2;
+               msg->sadb_msg_type = SADB_DELETE;
+               msg->sadb_msg_len = 2;
+
+               write(sock, buf, 17);
+       }
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/key/af_key.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -516,6 +516,9 @@ static int parse_exthdrs(struct sk_buff
+               uint16_t ext_type;
+               int ext_len;
++              if (len < sizeof(*ehdr))
++                      return -EINVAL;
++
+               ext_len  = ehdr->sadb_ext_len;
+               ext_len *= sizeof(uint64_t);
+               ext_type = ehdr->sadb_ext_type;
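Review bot: The new guard `if (len < sizeof(*ehdr))` compares `len` against a size_t, so if `len` is a signed int (its declaration is outside the hunk) a negative value would convert to unsigned and slip past the check; this is presumably excluded by the enclosing loop's condition, but the hunk does not show it. A one-line comment would make the invariant explicit, e.g. `/* len > 0 here (loop condition); require a full sadb_ext header before reading it */`. parse_exthdrs() starts and continues outside this hunk, so the existing ext_len-vs-len checks that this guard complements are presumably below it and should be confirmed to still apply after the early return.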
diff --git a/queue-3.18/af_key-fix-buffer-overread-in-verify_address_len.patch b/queue-3.18/af_key-fix-buffer-overread-in-verify_address_len.patch
new file mode 100644 (file)
index 0000000..39f49c3
--- /dev/null
@@ -0,0 +1,63 @@
+From 06b335cb51af018d5feeff5dd4fd53847ddb675a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 29 Dec 2017 18:13:05 -0600
+Subject: af_key: fix buffer overread in verify_address_len()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 06b335cb51af018d5feeff5dd4fd53847ddb675a upstream.
+
+If a message sent to a PF_KEY socket ended with one of the extensions
+that takes a 'struct sadb_address' but there were not enough bytes
+remaining in the message for the ->sa_family member of the 'struct
+sockaddr' which is supposed to follow, then verify_address_len() read
+past the end of the message, into uninitialized memory.  Fix it by
+returning -EINVAL in this case.
+
+This bug was found using syzkaller with KMSAN.
+
+Reproducer:
+
+       #include <linux/pfkeyv2.h>
+       #include <sys/socket.h>
+       #include <unistd.h>
+
+       int main()
+       {
+               int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+               char buf[24] = { 0 };
+               struct sadb_msg *msg = (void *)buf;
+               struct sadb_address *addr = (void *)(msg + 1);
+
+               msg->sadb_msg_version = PF_KEY_V2;
+               msg->sadb_msg_type = SADB_DELETE;
+               msg->sadb_msg_len = 3;
+               addr->sadb_address_len = 1;
+               addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+
+               write(sock, buf, 24);
+       }
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/key/af_key.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -401,6 +401,11 @@ static int verify_address_len(const void
+ #endif
+       int len;
++      if (sp->sadb_address_len <
++          DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family),
++                       sizeof(uint64_t)))
++              return -EINVAL;
++
+       switch (addr->sa_family) {
+       case AF_INET:
+               len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t));
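Review bot: The backport depends on `offsetofend()` being available to net/key/af_key.c in the 3.18 tree, which this hunk cannot show; I believe older trees defined that helper only in a driver-specific header rather than a generic one, so the build of this backport should be confirmed before it is queued. The check itself is sound in intent: `sadb_address_len` is counted in 8-byte units (hence the DIV_ROUND_UP by sizeof(uint64_t)) and must cover the sadb_address header plus the `sa_family` field that `switch (addr->sa_family)` reads on the next line. A brief comment would help future readers, e.g. `/* sadb_address_len is in 8-byte units; make sure sa_family is inside the message before reading it */`. verify_address_len() starts and continues outside this hunk.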
diff --git a/queue-3.18/alsa-hda-apply-the-existing-quirk-to-imac-14-1.patch b/queue-3.18/alsa-hda-apply-the-existing-quirk-to-imac-14-1.patch
new file mode 100644 (file)
index 0000000..4f131f3
--- /dev/null
@@ -0,0 +1,32 @@
+From 031f335cda879450095873003abb03ae8ed3b74a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Jan 2018 10:53:18 +0100
+Subject: ALSA: hda - Apply the existing quirk to iMac 14,1
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 031f335cda879450095873003abb03ae8ed3b74a upstream.
+
+iMac 14,1 requires the same quirk as iMac 12,2, using GPIO 2 and 3 for
+headphone and speaker output amps.  Add the codec SSID quirk entry
+(106b:0600) accordingly.
+
+BugLink: http://lkml.kernel.org/r/CAEw6Zyteav09VGHRfD5QwsfuWv5a43r0tFBNbfcHXoNrxVz7ew@mail.gmail.com
+Reported-by: Freaky <freaky2000@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_cirrus.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -394,6 +394,7 @@ static const struct snd_pci_quirk cs420x
+       /*SND_PCI_QUIRK(0x8086, 0x7270, "IMac 27 Inch", CS420X_IMAC27),*/
+       /* codec SSID */
++      SND_PCI_QUIRK(0x106b, 0x0600, "iMac 14,1", CS420X_IMAC27_122),
+       SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81),
+       SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122),
+       SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101),
diff --git a/queue-3.18/alsa-pcm-remove-yet-superfluous-warn_on.patch b/queue-3.18/alsa-pcm-remove-yet-superfluous-warn_on.patch
new file mode 100644 (file)
index 0000000..954f937
--- /dev/null
@@ -0,0 +1,38 @@
+From 23b19b7b50fe1867da8d431eea9cd3e4b6328c2c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Jan 2018 23:48:05 +0100
+Subject: ALSA: pcm: Remove yet superfluous WARN_ON()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 23b19b7b50fe1867da8d431eea9cd3e4b6328c2c upstream.
+
+muldiv32() contains a snd_BUG_ON() (which is morphed as WARN_ON() with
+debug option) for checking the case of 0 / 0.  This would be helpful
+if this happens only as a logical error; however, since the hw refine
+is performed with any data set provided by user, the inconsistent
+values that can trigger such a condition might be passed easily.
+Actually, syzbot caught this by passing some zero'ed old hw_params
+ioctl.
+
+So, having snd_BUG_ON() there is simply superfluous and rather
+harmful to give unnecessary confusions.  Let's get rid of it.
+
+Reported-by: syzbot+7e6ee55011deeebce15d@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_lib.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -644,7 +644,6 @@ static inline unsigned int muldiv32(unsi
+ {
+       u_int64_t n = (u_int64_t) a * b;
+       if (c == 0) {
+-              snd_BUG_ON(!n);
+               *r = 0;
+               return UINT_MAX;
+       }
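Review bot: After dropping `snd_BUG_ON(!n)`, nothing in the `c == 0` branch explains why a zero divisor is silently mapped to `*r = 0; return UINT_MAX;` rather than being treated as a logic error; the commit message gives the reason (the values come from user-supplied hw_params), but the code does not. Suggest a comment on the branch, e.g. `/* c == 0 (including 0/0) can come from user-supplied hw_params; saturate rather than warn */`. muldiv32() continues outside the hunk, so the later use of `n` is not visible here.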
diff --git a/queue-3.18/futex-prevent-overflow-by-strengthen-input-validation.patch b/queue-3.18/futex-prevent-overflow-by-strengthen-input-validation.patch
new file mode 100644 (file)
index 0000000..7efde2b
--- /dev/null
@@ -0,0 +1,40 @@
+From fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a Mon Sep 17 00:00:00 2001
+From: Li Jinyue <lijinyue@huawei.com>
+Date: Thu, 14 Dec 2017 17:04:54 +0800
+Subject: futex: Prevent overflow by strengthen input validation
+
+From: Li Jinyue <lijinyue@huawei.com>
+
+commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a upstream.
+
+UBSAN reports signed integer overflow in kernel/futex.c:
+
+ UBSAN: Undefined behaviour in kernel/futex.c:2041:18
+ signed integer overflow:
+ 0 - -2147483648 cannot be represented in type 'int'
+
+Add a sanity check to catch negative values of nr_wake and nr_requeue.
+
+Signed-off-by: Li Jinyue <lijinyue@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: peterz@infradead.org
+Cc: dvhart@infradead.org
+Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -1514,6 +1514,9 @@ static int futex_requeue(u32 __user *uad
+       struct futex_hash_bucket *hb1, *hb2;
+       struct futex_q *this, *next;
++      if (nr_wake < 0 || nr_requeue < 0)
++              return -EINVAL;
++
+       if (requeue_pi) {
+               /*
+                * Requeue PI only works on two distinct uaddrs. This
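Review bot: The new check `if (nr_wake < 0 || nr_requeue < 0) return -EINVAL;` is only meaningful if both parameters are signed ints, which the truncated hunk header `futex_requeue(u32 __user *uad` does not show; the UBSAN trace in the commit message (`0 - -2147483648 ... in type 'int'`) suggests they are, but the parameter list should be confirmed. A short comment would record where these values come from: `/* nr_wake and nr_requeue are user-supplied; negative values overflow the requeue arithmetic below */`. Whether other entry points that accept nr_wake need the same validation is not visible in this hunk and is presumably handled elsewhere, but worth confirming. futex_requeue() starts and continues outside this hunk.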
index 1337632e7ed618ea6b078261b70b0d727ef0844d..e01a11dc1beb742e12cd98ee56c6cb2080d18a91 100644 (file)
@@ -1,2 +1,7 @@
 gcov-disable-for-compile_test.patch
 scsi-sg-disable-set_force_low_dma.patch
+futex-prevent-overflow-by-strengthen-input-validation.patch
+alsa-pcm-remove-yet-superfluous-warn_on.patch
+alsa-hda-apply-the-existing-quirk-to-imac-14-1.patch
+af_key-fix-buffer-overread-in-verify_address_len.patch
+af_key-fix-buffer-overread-in-parse_exthdrs.patch