From 739dd1faf1032b28f0896291f481ecee139aa52f Mon Sep 17 00:00:00 2001 From: Justin M. Forbes Date: Sep 23 2019 13:04:23 +0000 Subject: Linux v5.2.17 --- diff --git a/kernel.spec b/kernel.spec index 3520009..e860a47 100644 --- a/kernel.spec +++ b/kernel.spec @@ -56,7 +56,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 16 +%define stable_update 17 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -583,16 +583,6 @@ Patch508: KEYS-Make-use-of-platform-keyring-for-module-signature.patch # rhbz 1732045 Patch511: 0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch -# CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 -# rhbz 1744130 1744137 1744149 1746566 1746567 -Patch514: mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch - -# CVE-2019-15505 rhbz 1746732 1746734 -Patch516: technisat-usb2-break-out-of-loop-at-end-of-buffer.patch - -# CVE-2019-14821 rhbz 1746708 1753596 -Patch517: kvm-coalesced_mmio-add-bounds-checking.patch - # rhbz 1753099 Patch518: dwc3-fix.patch @@ -1833,6 +1823,9 @@ fi # # %changelog +* Mon Sep 23 2019 Justin M. Forbes - 5.2.17-200 +- Linux v5.2.17 + * Thu Sep 19 2019 Laura Abbott - Fix for dwc3 (rhbz 1753099) diff --git a/kvm-coalesced_mmio-add-bounds-checking.patch b/kvm-coalesced_mmio-add-bounds-checking.patch deleted file mode 100644 index ddd2568..0000000 --- a/kvm-coalesced_mmio-add-bounds-checking.patch +++ /dev/null @@ -1,83 +0,0 @@ -From b60fe990c6b07ef6d4df67bc0530c7c90a62623a Mon Sep 17 00:00:00 2001 -From: Matt Delco -Date: Mon, 16 Sep 2019 14:16:54 -0700 -Subject: KVM: coalesced_mmio: add bounds checking - -The first/last indexes are typically shared with a user app. -The app can change the 'last' index that the kernel uses -to store the next result. This change sanity checks the index -before using it for writing to a potentially arbitrary address. - -This fixes CVE-2019-14821. - -Cc: stable@vger.kernel.org -Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)") -Signed-off-by: Matt Delco -Signed-off-by: Jim Mattson -Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com -[Use READ_ONCE. - Paolo] -Signed-off-by: Paolo Bonzini ---- - virt/kvm/coalesced_mmio.c | 19 +++++++++++-------- - 1 file changed, 11 insertions(+), 8 deletions(-) - -diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c -index 5294abb3f178..8ffd07e2a160 100644 ---- a/virt/kvm/coalesced_mmio.c -+++ b/virt/kvm/coalesced_mmio.c -@@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev, - return 1; - } - --static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev) -+static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last) - { - struct kvm_coalesced_mmio_ring *ring; - unsigned avail; -@@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev) - * there is always one unused entry in the buffer - */ - ring = dev->kvm->coalesced_mmio_ring; -- avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX; -+ avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX; - if (avail == 0) { - /* full */ - return 0; -@@ -67,25 +67,28 @@ static int coalesced_mmio_write(struct kvm_vcpu *vcpu, - { - struct kvm_coalesced_mmio_dev *dev = to_mmio(this); - struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring; -+ __u32 insert; - - if (!coalesced_mmio_in_range(dev, addr, len)) - return -EOPNOTSUPP; - - spin_lock(&dev->kvm->ring_lock); - -- if (!coalesced_mmio_has_room(dev)) { -+ insert = READ_ONCE(ring->last); -+ if (!coalesced_mmio_has_room(dev, insert) || -+ insert >= KVM_COALESCED_MMIO_MAX) { - spin_unlock(&dev->kvm->ring_lock); - return -EOPNOTSUPP; - } - - /* copy data in first free entry of the ring */ - -- ring->coalesced_mmio[ring->last].phys_addr = addr; -- ring->coalesced_mmio[ring->last].len = len; -- memcpy(ring->coalesced_mmio[ring->last].data, val, len); -- ring->coalesced_mmio[ring->last].pio = dev->zone.pio; -+ ring->coalesced_mmio[insert].phys_addr = addr; -+ ring->coalesced_mmio[insert].len = len; -+ memcpy(ring->coalesced_mmio[insert].data, val, len); -+ ring->coalesced_mmio[insert].pio = dev->zone.pio; - smp_wmb(); -- ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX; -+ ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX; - spin_unlock(&dev->kvm->ring_lock); - return 0; - } --- -cgit 1.2-0.3.lf.el7 - diff --git a/mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch b/mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch deleted file mode 100644 index 6d0bef3..0000000 --- a/mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch +++ /dev/null @@ -1,144 +0,0 @@ -From patchwork Wed Aug 28 02:07:51 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: huangwenabc@gmail.com -X-Patchwork-Id: 11117681 -X-Patchwork-Delegate: kvalo@adurom.com -Return-Path: -Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org - [172.30.200.123]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9686413B1 - for ; - Wed, 28 Aug 2019 02:08:25 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id 70EC820679 - for ; - Wed, 28 Aug 2019 02:08:25 +0000 (UTC) -Authentication-Results: mail.kernel.org; - dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com - header.b="IA7BwRJC" -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1726178AbfH1CIY (ORCPT - ); - Tue, 27 Aug 2019 22:08:24 -0400 -Received: from mail-pg1-f195.google.com ([209.85.215.195]:41425 "EHLO - mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1726096AbfH1CIY (ORCPT - ); - Tue, 27 Aug 2019 22:08:24 -0400 -Received: by mail-pg1-f195.google.com with SMTP id x15so498545pgg.8 - for ; - Tue, 27 Aug 2019 19:08:23 -0700 (PDT) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=gmail.com; s=20161025; - h=from:to:cc:subject:date:message-id; - bh=zF/rdCcsl+Dpf6pR2o3pkaHSiAFxtHTEr8wwdACI24s=; - b=IA7BwRJCgc0gGOw5C7lZohfbL4xQenMqPwKog/a6322QW1ZCJo9+YA44hqHGeXCCET - NzgcdXikIEmDh9azkSiFIxncYWnKwJsXdUBhCP5nDp2GciRXS2NQ65JtbqagrheD4lVf - +Pb00xgDSgKWQYTcqwSA2yYT9narnQxKODABGmtA6gwCWCG+SvqcZk1ekpnyXQocS6vh - L4PoCWF3BnZkp235hrtOyzso68sDkVNJz6ZDJG47SIGi//SqblL8+W5L0VdodxWNIeOu - V0anGG8f/Doy0MOpkTorfiducAsLMgfQi1lDZvmLLVd/YWR2IdlSkGuUlYYSPRh3iRQj - YnnA== -X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=1e100.net; s=20161025; - h=x-gm-message-state:from:to:cc:subject:date:message-id; - bh=zF/rdCcsl+Dpf6pR2o3pkaHSiAFxtHTEr8wwdACI24s=; - b=ceinhwS780P1iDieuukVIn2k6b1mW5L9RUW5Cf1wgXUoym0eeHIjHVxJDyte535qY3 - CmHO4Q8viRG4ycIifiJTtKzn7mp0QMeWcG7RpgoAXfZb1XBaj3FXDJjBXyNqvfB23VVm - Zb+siWZHFloiDp+3ZXmTCt24f0/gTWglkCVEa3ZfuE+YCjsiIvct8Srqi+lNeoam6Le7 - w3SlkLkHqr9G3GSN1Rt9Yf0hCymRFlkBbZvnVSLdOTveygH1WdYVD2huLvriEbKL8i6k - SMCb8fXq8mXURblOh+3S7/gmLpaBK7zUi3JpGLnVo5jEH8uIhhxLrJXjoHC9eXTHpO+2 - MpOQ== -X-Gm-Message-State: APjAAAXQVDCD0oVuK0PpIHqp2Jm0L7G6KsvCQ6CgnO4uaNG9QmRxWN+8 - M58+vc7TzkG1sr6shISyFwdcfGBkfjM= -X-Google-Smtp-Source: - APXvYqyECYmkfkZ/6i0IjVBxhjaFZfVQ8xU9tke4CVSodxqtntgjXHLzr6BDXwVULEb6EBySirWb5w== -X-Received: by 2002:a62:cec4:: with SMTP id y187mr1893773pfg.84.1566958103164; - Tue, 27 Aug 2019 19:08:23 -0700 (PDT) -Received: from localhost ([67.218.142.97]) - by smtp.gmail.com with ESMTPSA id m34sm467149pje.5.2019.08.27.19.08.21 - (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); - Tue, 27 Aug 2019 19:08:22 -0700 (PDT) -From: huangwenabc@gmail.com -To: linux-wireless@vger.kernel.org -Cc: amitkarwar@gmail.com, nishants@marvell.com, gbhat@marvell.com, - huxinming820@gmail.com, solar@openwall.com, greg@kroah.com, - kvalo@codeaurora.org, sashal@kernel.org, mrehak@redhat.com -Subject: [PATCH] mwifiex: Fix three heap overflow at parsing element in - cfg80211_ap_settings -Date: Wed, 28 Aug 2019 10:07:51 +0800 -Message-Id: <20190828020751.13625-1-huangwenabc@gmail.com> -X-Mailer: git-send-email 2.17.1 -Sender: linux-wireless-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-wireless@vger.kernel.org - -From: Wen Huang - -mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and -mwifiex_set_wmm_params() call memcpy() without checking -the destination size.Since the source is given from -user-space, this may trigger a heap buffer overflow. - -Fix them by putting the length check before performing memcpy(). - -This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816. - -Signed-off-by: Wen Huang -Acked-by: Ganapathi Bhat ---- - drivers/net/wireless/marvell/mwifiex/ie.c | 3 +++ - drivers/net/wireless/marvell/mwifiex/uap_cmd.c | 9 ++++++++- - 2 files changed, 11 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c -index 653d347a9..580387f9f 100644 ---- a/drivers/net/wireless/marvell/mwifiex/ie.c -+++ b/drivers/net/wireless/marvell/mwifiex/ie.c -@@ -241,6 +241,9 @@ static int mwifiex_update_vs_ie(const u8 *ies, int ies_len, - } - - vs_ie = (struct ieee_types_header *)vendor_ie; -+ if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 > -+ IEEE_MAX_IE_SIZE) -+ return -EINVAL; - memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length), - vs_ie, vs_ie->len + 2); - le16_unaligned_add_cpu(&ie->ie_length, vs_ie->len + 2); -diff --git a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c -index 18f7d9bf3..0939a8c8f 100644 ---- a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c -+++ b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c -@@ -265,6 +265,8 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg, - - rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len); - if (rate_ie) { -+ if (rate_ie->len > MWIFIEX_SUPPORTED_RATES) -+ return; - memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len); - rate_len = rate_ie->len; - } -@@ -272,8 +274,11 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg, - rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, - params->beacon.tail, - params->beacon.tail_len); -- if (rate_ie) -+ if (rate_ie) { -+ if (rate_ie->len > MWIFIEX_SUPPORTED_RATES - rate_len) -+ return; - memcpy(bss_cfg->rates + rate_len, rate_ie + 1, rate_ie->len); -+ } - - return; - } -@@ -391,6 +396,8 @@ mwifiex_set_wmm_params(struct mwifiex_private *priv, - params->beacon.tail_len); - if (vendor_ie) { - wmm_ie = vendor_ie; -+ if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info)) -+ return; - memcpy(&bss_cfg->wmm_info, wmm_ie + - sizeof(struct ieee_types_header), *(wmm_ie + 1)); - priv->wmm_enabled = 1; diff --git a/sources b/sources index 05e75be..27a399c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-5.2.tar.xz) = 5a28f8a34c4e0470617f5638b7112e6252109b78f23b1eed484a228530970c7ef5c130d6e5a09cf25ea2f6a0329602dcc1ec66ce893182e15b27d99bd228789c -SHA512 (patch-5.2.16.xz) = e9f1157b46c953256883b3deeb5377bcf51ec0ee73e353b843353dfa178e913d0bea7c1dc94d3096612361bed47103d3665951439845c5d9934dbe9224512f54 +SHA512 (patch-5.2.17.xz) = 1bfc7d89fffcbae7c60feacdcebfa28470f766667bdfb0f1e580abe493b71943ed3adc4d738883d52f872debe28ae544e91db3a93ae27740452e3af13f206bec diff --git a/technisat-usb2-break-out-of-loop-at-end-of-buffer.patch b/technisat-usb2-break-out-of-loop-at-end-of-buffer.patch deleted file mode 100644 index 0330080..0000000 --- a/technisat-usb2-break-out-of-loop-at-end-of-buffer.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 0c4df39e504bf925ab666132ac3c98d6cbbe380b Mon Sep 17 00:00:00 2001 -From: Sean Young -Date: Wed, 3 Jul 2019 10:52:39 -0400 -Subject: media: technisat-usb2: break out of loop at end of buffer - -Ensure we do not access the buffer beyond the end if no 0xff byte -is encountered. - -Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com -Signed-off-by: Sean Young -Reviewed-by: Kees Cook -Signed-off-by: Mauro Carvalho Chehab - -diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c -index c659e18..676d233 100644 ---- a/drivers/media/usb/dvb-usb/technisat-usb2.c -+++ b/drivers/media/usb/dvb-usb/technisat-usb2.c -@@ -608,10 +608,9 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a) - static int technisat_usb2_get_ir(struct dvb_usb_device *d) - { - struct technisat_usb2_state *state = d->priv; -- u8 *buf = state->buf; -- u8 *b; -- int ret; - struct ir_raw_event ev; -+ u8 *buf = state->buf; -+ int i, ret; - - buf[0] = GET_IR_DATA_VENDOR_REQUEST; - buf[1] = 0x08; -@@ -647,26 +646,25 @@ unlock: - return 0; /* no key pressed */ - - /* decoding */ -- b = buf+1; - - #if 0 - deb_rc("RC: %d ", ret); -- debug_dump(b, ret, deb_rc); -+ debug_dump(buf + 1, ret, deb_rc); - #endif - - ev.pulse = 0; -- while (1) { -- ev.pulse = !ev.pulse; -- ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000; -- ir_raw_event_store(d->rc_dev, &ev); -- -- b++; -- if (*b == 0xff) { -+ for (i = 1; i < ARRAY_SIZE(state->buf); i++) { -+ if (buf[i] == 0xff) { - ev.pulse = 0; - ev.duration = 888888*2; - ir_raw_event_store(d->rc_dev, &ev); - break; - } -+ -+ ev.pulse = !ev.pulse; -+ ev.duration = (buf[i] * FIRMWARE_CLOCK_DIVISOR * -+ FIRMWARE_CLOCK_TICK) / 1000; -+ ir_raw_event_store(d->rc_dev, &ev); - } - - ir_raw_event_handle(d->rc_dev); --- -cgit v0.10.2 -