From 206ff7fd1400a2c1764aeac4895dbce5d382077a Mon Sep 17 00:00:00 2001
From: Justin M. Forbes
Date: Aug 29 2019 12:11:04 +0000
Subject: Linux v5.2.11
---
diff --git a/HID-input-fix-a4tech-horizontal-wheel-custom-usage.patch b/HID-input-fix-a4tech-horizontal-wheel-custom-usage.patch
deleted file mode 100644
index df6a459..0000000
--- a/HID-input-fix-a4tech-horizontal-wheel-custom-usage.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From mboxrd@z Thu Jan 1 00:00:00 1970
-Return-Path:
-X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
- aws-us-west-2-korg-lkml-1.web.codeaurora.org
-X-Spam-Level:
-X-Spam-Status: No, score=-8.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
- INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,
- USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0
-Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
- by smtp.lore.kernel.org (Postfix) with ESMTP id 25464C4321A
- for ; Tue, 11 Jun 2019 12:13:29 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
- by mail.kernel.org (Postfix) with ESMTP id 0217A206E0
- for ; Tue, 11 Jun 2019 12:13:29 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S2387819AbfFKMN1 (ORCPT
- );
- Tue, 11 Jun 2019 08:13:27 -0400
-Received: from mx2.suse.de ([195.135.220.15]:44798 "EHLO mx1.suse.de"
- rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
- id S2387538AbfFKMN1 (ORCPT );
- Tue, 11 Jun 2019 08:13:27 -0400
-X-Virus-Scanned: by amavisd-new at test-mx.suse.de
-Received: from relay2.suse.de (unknown [195.135.220.254])
- by mx1.suse.de (Postfix) with ESMTP id 5E5D7B00C;
- Tue, 11 Jun 2019 12:13:25 +0000 (UTC)
-From: Nicolas Saenz Julienne
-To: Jiri Kosina ,
- Benjamin Tissoires
-Cc: dmitry.torokhov@gmail.com, wbauer@tmo.at,
- Nicolas Saenz Julienne ,
- linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
-Subject: [PATCH v2] HID: input: fix a4tech horizontal wheel custom usage
-Date: Tue, 11 Jun 2019 14:13:20 +0200
-Message-Id: <20190611121320.30267-1-nsaenzjulienne@suse.de>
-X-Mailer: git-send-email 2.21.0
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Sender: linux-kernel-owner@vger.kernel.org
-Precedence: bulk
-List-ID:
-X-Mailing-List: linux-kernel@vger.kernel.org
-Archived-At:
-List-Archive:
-List-Post:
-
-Some a4tech mice use the 'GenericDesktop.00b8' usage to inform whether
-the previous wheel report was horizontal or vertical. Before
-c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key") this
-usage was being mapped to 'Relative.Misc'. After the patch it's simply
-ignored (usage->type == 0 & usage->code == 0). Which ultimately makes
-hid-a4tech ignore the WHEEL/HWHEEL selection event, as it has no
-usage->type.
-
-We shouldn't rely on a mapping for that usage as it's nonstandard and
-doesn't really map to an input event. So we bypass the mapping and make
-sure the custom event handling properly handles both reports.
-
-Fixes: c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key")
-Signed-off-by: Nicolas Saenz Julienne
----
-
-NOTE: I CC'd Wolfgang as he's the one who can test this.
-
-Changes since v1:
- - new approach, moved fix into hid-a4tech
-
- drivers/hid/hid-a4tech.c | 30 +++++++++++++++++++++++++++---
- 1 file changed, 27 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/hid/hid-a4tech.c b/drivers/hid/hid-a4tech.c
-index 98bf694626f7..3a8c4a5971f7 100644
----- a/drivers/hid/hid-a4tech.c
-+++ b/drivers/hid/hid-a4tech.c
-@@ -23,12 +23,36 @@
- #define A4_2WHEEL_MOUSE_HACK_7 0x01
- #define A4_2WHEEL_MOUSE_HACK_B8 0x02
-
-+#define A4_WHEEL_ORIENTATION (HID_UP_GENDESK | 0x000000b8)
-+
- struct a4tech_sc {
- unsigned long quirks;
- unsigned int hw_wheel;
- __s32 delayed_value;
- };
-
-+static int a4_input_mapping(struct hid_device *hdev, struct hid_input *hi,
-+ struct hid_field *field, struct hid_usage *usage,
-+ unsigned long **bit, int *max)
-+{
-+ struct a4tech_sc *a4 = hid_get_drvdata(hdev);
-+
-+ if (a4->quirks & A4_2WHEEL_MOUSE_HACK_B8 &&
-+ usage->hid == A4_WHEEL_ORIENTATION) {
-+ /*
-+ * We do not want to have this usage mapped to anything as it's
-+ * nonstandard and doesn't really behave like an HID report.
-+ * It's only selecting the orientation (vertical/horizontal) of
-+ * the previous mouse wheel report. The input_events will be
-+ * generated once both reports are recorded in a4_event().
-+ */
-+ return -1;
-+ }
-+
-+ return 0;
-+
-+}
-+
- static int a4_input_mapped(struct hid_device *hdev, struct hid_input *hi,
- struct hid_field *field, struct hid_usage *usage,
- unsigned long **bit, int *max)
-@@ -52,8 +76,7 @@ static int a4_event(struct hid_device *hdev, struct hid_field *field,
- struct a4tech_sc *a4 = hid_get_drvdata(hdev);
- struct input_dev *input;
-
-- if (!(hdev->claimed & HID_CLAIMED_INPUT) || !field->hidinput ||
-- !usage->type)
-+ if (!(hdev->claimed & HID_CLAIMED_INPUT) || !field->hidinput)
- return 0;
-
- input = field->hidinput->input;
-@@ -64,7 +87,7 @@ static int a4_event(struct hid_device *hdev, struct hid_field *field,
- return 1;
- }
-
-- if (usage->hid == 0x000100b8) {
-+ if (usage->hid == A4_WHEEL_ORIENTATION) {
- input_event(input, EV_REL, value ? REL_HWHEEL :
- REL_WHEEL, a4->delayed_value);
- input_event(input, EV_REL, value ? REL_HWHEEL_HI_RES :
-@@ -131,6 +154,7 @@ MODULE_DEVICE_TABLE(hid, a4_devices);
- static struct hid_driver a4_driver = {
- .name = "a4tech",
- .id_table = a4_devices,
-+ .input_mapping = a4_input_mapping,
- .input_mapped = a4_input_mapped,
- .event = a4_event,
- .probe = a4_probe,
---
-2.21.0
-
-
diff --git a/fix-a-double-free-bug-in-rsi_91x_deinit.patch b/fix-a-double-free-bug-in-rsi_91x_deinit.patch
new file mode 100644
index 0000000..331817b
--- /dev/null
+++ b/fix-a-double-free-bug-in-rsi_91x_deinit.patch
@@ -0,0 +1,121 @@
+From mboxrd@z Thu Jan 1 00:00:00 1970
+Return-Path:
+X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
+ aws-us-west-2-korg-lkml-1.web.codeaurora.org
+X-Spam-Level:
+X-Spam-Status: No, score=-9.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
+ DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
+ HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,
+ SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no
+ version=3.4.0
+Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
+ by smtp.lore.kernel.org (Postfix) with ESMTP id EBD3AC3A5A0
+ for ; Mon, 19 Aug 2019 22:02:45 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+ by mail.kernel.org (Postfix) with ESMTP id BCC05214DA
+ for ; Mon, 19 Aug 2019 22:02:45 +0000 (UTC)
+Authentication-Results: mail.kernel.org;
+ dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="IRgzkkQ0"
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1728637AbfHSWCp (ORCPT
+ );
+ Mon, 19 Aug 2019 18:02:45 -0400
+Received: from mail-io1-f67.google.com ([209.85.166.67]:33900 "EHLO
+ mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+ with ESMTP id S1728494AbfHSWCo (ORCPT
+ );
+ Mon, 19 Aug 2019 18:02:44 -0400
+Received: by mail-io1-f67.google.com with SMTP id s21so7791675ioa.1;
+ Mon, 19 Aug 2019 15:02:44 -0700 (PDT)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=gmail.com; s=20161025;
+ h=from:to:cc:subject:date:message-id:mime-version
+ :content-transfer-encoding;
+ bh=nkPsYIq5p1Usn95zadxgW7erLbA98guz1UFddB9orFo=;
+ b=IRgzkkQ0QlYiIqgU9DslAGaSx9oz5wU5adcfTZWc60ibm3DHynGVVixJrWxAut0Pae
+ ARzqaY1/pxrAMSpTdcKfCBtRoFPMFS8+WZsScW495O7Pf7bJTCDAo3OOueleEgGs9Osv
+ 59921BouToXc5Ovc92CQFjNHP3+/kGBqZvxV+QK34IvNWzoIEU93UHsUIxSn6eVvrsFU
+ g5treQ50nJkKHPa8rwc0Oh9s6WWKODy8zKxExTJhdznLdHOm5T7muHcEccqX8YZQ5L7d
+ ADPOmA+sRvWN3t/z9HxtD4g/Lgj4kzEYFnWJ9k7ClZwbnzn02QUlkT8waxriC/Wpe9nP
+ q53A==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20161025;
+ h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
+ :content-transfer-encoding;
+ bh=nkPsYIq5p1Usn95zadxgW7erLbA98guz1UFddB9orFo=;
+ b=oYozfHj6p7SMaYdxmSXvkqz3omwdyg+ftHjVBaHiAqBlnLj6x9531et8jUk50jueoT
+ y2cU/oVuoVQsCwOEu43hu26qlol2JSmB1xXJj0Za8nKZa3h3GF5CKG8/dexHz8TzCJX1
+ vo/TNPdY3AlW7Sn9JLnWCqFK+QgbPhjdBs+6Hbh+5nkCxIG5dVn0FfYbLYATeh/888YB
+ pTCJ8dkbLQiWXEJam6b9NoOpcIzbpcb7rL3A355C/1AGZsCy/NlKmneuw0Va10AnswkK
+ KBYv+EisB1L8oCP9l6r5fp4PUqyMH3TjrBdJddx8EQ9cq8SORiLtmmRuF8e3kdImDEK4
+ 6Gcw==
+X-Gm-Message-State: APjAAAXB6U8H/6BuBUmOb6K7bk/qaEOOS1bw9RIpAgXyrExtL8rl/B99
+ 17LNTRGgJKvcUB6qlr4ZRbY=
+X-Google-Smtp-Source: APXvYqzjT1oN5/e8keSQCjVxoTzLRGG1vuf4kTYM+hq51sy7QzOV0GLDOYYsYVB78xsRtsZrFijh0Q==
+X-Received: by 2002:a6b:f30b:: with SMTP id m11mr21952710ioh.214.1566252163559;
+ Mon, 19 Aug 2019 15:02:43 -0700 (PDT)
+Received: from peng.science.purdue.edu (cos-128-210-107-27.science.purdue.edu. [128.210.107.27])
+ by smtp.googlemail.com with ESMTPSA id z9sm2850133ior.79.2019.08.19.15.02.42
+ (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
+ Mon, 19 Aug 2019 15:02:43 -0700 (PDT)
+From: Hui Peng
+To: security@kernel.org
+Cc: Hui Peng ,
+ Mathias Payer ,
+ Kalle Valo ,
+ "David S. Miller" ,
+ linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
+ linux-kernel@vger.kernel.org
+Subject: [PATCH] Fix a double free bug in rsi_91x_deinit
+Date: Mon, 19 Aug 2019 18:02:29 -0400
+Message-Id: <20190819220230.10597-1-benquike@gmail.com>
+X-Mailer: git-send-email 2.22.1
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID:
+X-Mailing-List: linux-kernel@vger.kernel.org
+Archived-At:
+List-Archive:
+List-Post:
+
+`dev` (struct rsi_91x_usbdev *) field of adapter
+(struct rsi_91x_usbdev *) is allocated and initialized in
+`rsi_init_usb_interface`. If any error is detected in information
+read from the device side, `rsi_init_usb_interface` will be
+freed. However, in the higher level error handling code in
+`rsi_probe`, if error is detected, `rsi_91x_deinit` is called
+again, in which `dev` will be freed again, resulting double free.
+
+This patch fixes the double free by removing the free operation on
+`dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also
+used in `rsi_disconnect`, in that code path, the `dev` field is not
+ (and thus needs to be) freed.
+
+This bug was found in v4.19, but is also present in the latest version
+of kernel.
+
+Reported-by: Hui Peng
+Reported-by: Mathias Payer
+Signed-off-by: Hui Peng
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c
+index c0a163e40402..ac917227f708 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -640,7 +640,6 @@ static int rsi_init_usb_interface(struct rsi_hw *adapter,
+ kfree(rsi_dev->tx_buffer);
+
+ fail_eps:
+- kfree(rsi_dev);
+
+ return status;
+ }
+--
+2.22.1
+
+
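Review bot: After this change the `kfree(rsi_dev->tx_buffer);` context line still runs on the failure path, while `rsi_dev` itself now stays allocated until `rsi_91x_deinit`, so the struct outlives a dangling `tx_buffer` pointer. Nothing visible in the hunk shows whether later teardown touches that field; if it does, the same double-free class reappears one level down. Clearing it right after the free, `rsi_dev->tx_buffer = NULL;`, makes any later `kfree` of it a no-op. A one-line comment at `fail_eps:` such as `/* rsi_dev is freed by rsi_91x_deinit() on the caller's error path */` would also record the ownership rule the fix depends on. The body of `rsi_init_usb_interface` starts outside the hunk.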
diff --git a/for-v5.2-iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch b/for-v5.2-iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch
deleted file mode 100644
index a28e017..0000000
--- a/for-v5.2-iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From patchwork Wed Jul 3 08:10:49 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Luca Coelho
-X-Patchwork-Id: 11029027
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path:
-Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
- [172.30.200.125])
- by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A4F061398
- for ;
- Wed, 3 Jul 2019 08:11:03 +0000 (UTC)
-Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
- by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 93D7228807
- for ;
- Wed, 3 Jul 2019 08:11:03 +0000 (UTC)
-Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
- id 82C5C28786; Wed, 3 Jul 2019 08:11:03 +0000 (UTC)
-X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
- pdx-wl-mail.web.codeaurora.org
-X-Spam-Level:
-X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
- RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
- by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0A56D28786
- for ;
- Wed, 3 Jul 2019 08:11:03 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S1727179AbfGCILC (ORCPT
- );
- Wed, 3 Jul 2019 04:11:02 -0400
-Received: from paleale.coelho.fi ([176.9.41.70]:54844 "EHLO
- farmhouse.coelho.fi" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
- with ESMTP id S1727052AbfGCILC (ORCPT
- );
- Wed, 3 Jul 2019 04:11:02 -0400
-Received: from 91-156-6-193.elisa-laajakaista.fi ([91.156.6.193]
- helo=redipa.ger.corp.intel.com)
- by farmhouse.coelho.fi with esmtpsa
- (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
- (Exim 4.92)
- (envelope-from )
- id 1hiaLv-0004w3-Ei; Wed, 03 Jul 2019 11:10:55 +0300
-From: Luca Coelho
-To: davem@davemloft.net
-Cc: kvalo@codeaurora.org, linux-wireless@vger.kernel.org,
- emmanuel.grumbach@intel.com, johannes.hirte@datenkhaos.de,
- steven@uplinklabs.net, Johannes Berg ,
- Luca Coelho
-Subject: [PATCH for v5.2] iwlwifi: mvm: disable TX-AMSDU on older NICs
-Date: Wed, 3 Jul 2019 11:10:49 +0300
-Message-Id: <20190703081049.28831-1-luca@coelho.fi>
-X-Mailer: git-send-email 2.20.1
-MIME-Version: 1.0
-Sender: linux-wireless-owner@vger.kernel.org
-Precedence: bulk
-List-ID:
-X-Mailing-List: linux-wireless@vger.kernel.org
-X-Virus-Scanned: ClamAV using ClamSMTP
-
-From: Johannes Berg
-
-On older NICs, we occasionally see issues with A-MSDU support,
-where the commands in the FIFO get confused and then we see an
-assert EDC because the next command in the FIFO isn't TX.
-
-We've tried to isolate this issue and understand where it comes
-from, but haven't found any errors in building the A-MSDU in
-software.
-
-At least for now, disable A-MSDU support on older hardware so
-that users can use it again without fearing the assert.
-
-This fixes https://bugzilla.kernel.org/show_bug.cgi?id=203315.
-
-Signed-off-by: Johannes Berg
-Signed-off-by: Luca Coelho
-Acked-by: Kalle Valo
----
- drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
-index fdbabca0280e..3a076e5e319f 100644
----- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
-+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
-@@ -468,7 +468,19 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm)
- ieee80211_hw_set(hw, SUPPORTS_VHT_EXT_NSS_BW);
- ieee80211_hw_set(hw, BUFF_MMPDU_TXQ);
- ieee80211_hw_set(hw, STA_MMPDU_TXQ);
-- ieee80211_hw_set(hw, TX_AMSDU);
-+ /*
-+ * On older devices, enabling TX A-MSDU occasionally leads to
-+ * something getting messed up, the command read from the FIFO
-+ * gets out of sync and isn't a TX command, so that we have an
-+ * assert EDC.
-+ *
-+ * It's not clear where the bug is, but since we didn't used to
-+ * support A-MSDU until moving the mac80211 iTXQs, just leave it
-+ * for older devices. We also don't see this issue on any newer
-+ * devices.
-+ */
-+ if (mvm->cfg->device_family >= IWL_DEVICE_FAMILY_9000)
-+ ieee80211_hw_set(hw, TX_AMSDU);
- ieee80211_hw_set(hw, TX_FRAG_LIST);
-
- if (iwl_mvm_has_tlc_offload(mvm)) {
diff --git a/kernel.spec b/kernel.spec
index 8181687..7ab744a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -56,7 +56,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 10 +%define stable_update 11 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update}
@@ -588,16 +588,16 @@ Patch510: drm-panel-orientation-quirks.patch # rhbz 1732045 Patch511: 0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch -# rhbz 1730762 -Patch512: HID-input-fix-a4tech-horizontal-wheel-custom-usage.patch - -# These should make stable soon -Patch513: for-v5.2-iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch - # CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 # rhbz 1744130 1744137 1744149 1746566 1746567 Patch514: mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch +# CVE-2019-15504 rhbz 1746725 1746726 +Patch515: fix-a-double-free-bug-in-rsi_91x_deinit.patch + +# CVE-2019-15505 rhbz 1746732 1746734 +Patch516: technisat-usb2-break-out-of-loop-at-end-of-buffer.patch + # END OF PATCH DEFINITIONS %endif
@@ -1835,6 +1835,12 @@ fi # # %changelog +* Thu Aug 29 2019 Justin M. Forbes - 5.2.11-200 +- Linux v5.2.11 +- Fix CVE-2019-15504 (rhbz 1746725 1746726) +- Fix CVE-2019-15505 (rhbz 1746732 1746734) +- Fix CVE-2019-15538 (rhbz 1746777 1746779) + * Wed Aug 28 2019 Justin M. Forbes - Fix mwifiex CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 - (rhbz 1744130 1744137 1744149 1746566 1746567)
diff --git a/sources b/sources
index 778e4b8..0ec49ec 100644
--- a/sources
+++ b/sources
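Review bot: In kernel.spec, the patch-list hunk adds `Patch515` and `Patch516` for CVE-2019-15504 and CVE-2019-15505 but nothing for CVE-2019-15538, which the `%changelog` hunk also lists as fixed. Presumably that fix arrives with the 5.2.11 stable update rather than a carried patch; once confirmed, the entry should say so, e.g. `- Fix CVE-2019-15538 (rhbz 1746777 1746779), included in v5.2.11`, so the CVE can be traced to a source change. The same hunk drops `Patch512` and `Patch513` without a changelog line; a short note that they are now upstream would explain the removal.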
@@ -1,2 +1,2 @@
 SHA512 (linux-5.2.tar.xz) = 5a28f8a34c4e0470617f5638b7112e6252109b78f23b1eed484a228530970c7ef5c130d6e5a09cf25ea2f6a0329602dcc1ec66ce893182e15b27d99bd228789c
-SHA512 (patch-5.2.10.xz) = 1e90d4ed7e3e4ba67b8f2f6369b0038fb6a7c78040a86994ff09ff7cb9635dc621fff500b4f0c28c7f2c6d9136781637339fbc0d3363109d628ff686c2928c53
+SHA512 (patch-5.2.11.xz) = 585c5f2578201f302c8017c2b406bc863418b6ffca90d641c035a56b750aea8b837a8ae5401d1070bf63983861574f1bced4a16f1b5e385f81f0a286f46f52e5
diff --git a/technisat-usb2-break-out-of-loop-at-end-of-buffer.patch b/technisat-usb2-break-out-of-loop-at-end-of-buffer.patch
new file mode 100644
index 0000000..0330080
--- /dev/null
+++ b/technisat-usb2-break-out-of-loop-at-end-of-buffer.patch
@@ -0,0 +1,68 @@
+From 0c4df39e504bf925ab666132ac3c98d6cbbe380b Mon Sep 17 00:00:00 2001
+From: Sean Young
+Date: Wed, 3 Jul 2019 10:52:39 -0400
+Subject: media: technisat-usb2: break out of loop at end of buffer
+
+Ensure we do not access the buffer beyond the end if no 0xff byte
+is encountered.
+
+Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
+Signed-off-by: Sean Young
+Reviewed-by: Kees Cook
+Signed-off-by: Mauro Carvalho Chehab
+
+diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
+index c659e18..676d233 100644
+--- a/drivers/media/usb/dvb-usb/technisat-usb2.c
++++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
+@@ -608,10 +608,9 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a)
+ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
+ {
+ struct technisat_usb2_state *state = d->priv;
+- u8 *buf = state->buf;
+- u8 *b;
+- int ret;
+ struct ir_raw_event ev;
++ u8 *buf = state->buf;
++ int i, ret;
+
+ buf[0] = GET_IR_DATA_VENDOR_REQUEST;
+ buf[1] = 0x08;
+@@ -647,26 +646,25 @@ unlock:
+ return 0; /* no key pressed */
+
+ /* decoding */
+- b = buf+1;
+
+ #if 0
+ deb_rc("RC: %d ", ret);
+- debug_dump(b, ret, deb_rc);
++ debug_dump(buf + 1, ret, deb_rc);
+ #endif
+
+ ev.pulse = 0;
+- while (1) {
+- ev.pulse = !ev.pulse;
+- ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
+- ir_raw_event_store(d->rc_dev, &ev);
+-
+- b++;
+- if (*b == 0xff) {
++ for (i = 1; i < ARRAY_SIZE(state->buf); i++) {
++ if (buf[i] == 0xff) {
+ ev.pulse = 0;
+ ev.duration = 888888*2;
+ ir_raw_event_store(d->rc_dev, &ev);
+ break;
+ }
++
++ ev.pulse = !ev.pulse;
++ ev.duration = (buf[i] * FIRMWARE_CLOCK_DIVISOR *
++ FIRMWARE_CLOCK_TICK) / 1000;
++ ir_raw_event_store(d->rc_dev, &ev);
+ }
+
+ ir_raw_event_handle(d->rc_dev);
+--
+cgit v0.10.2
+
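Review bot: The new loop in `technisat_usb2_get_ir` is bounded by `ARRAY_SIZE(state->buf)` rather than by `ret`, which the `debug_dump(buf + 1, ret, deb_rc)` line suggests is the number of bytes actually received. If a device sends a short reply with no 0xff terminator, the loop stays inside the buffer but decodes bytes left over from earlier transfers as IR pulses. Bounding on both, `for (i = 1; i < ret && i < ARRAY_SIZE(state->buf); i++) {`, keeps decoding to data from this transfer; the transfer call is outside the hunk, so confirm what `ret` holds there. `i` is a signed `int` compared against a `size_t`, harmless here but it will warn under `-Wsign-compare`.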