authorKernel Build Daemon <kbuild@suse.de>2019-08-23 07:01:16 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-08-23 07:01:16 +0200
commit10ade493f3d59a5fe90c15ce6806130e8dbe1917 (patch)
tree10961fee96556416643df30e24bad84b15de9c67
parent698ef197439e8220f2d8e6fca317e959200218e1 (diff)
parent26c322aa55754416536d0732fbf4988e021b5704 (diff)
Merge branch 'SLE15' into SLE12-SP4SLE12-SP4
-rw-r--r--patches.drivers/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch2
-rw-r--r--patches.drivers/USB-rio500-refuse-more-than-one-device-at-a-time.patch2
-rw-r--r--patches.drivers/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch107
-rw-r--r--patches.drivers/media-usb-zr364xx-Fix-KASAN-null-ptr-deref-Read-in-z.patch78
-rw-r--r--patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch2
-rw-r--r--series.conf2
6 files changed, 190 insertions, 3 deletions
diff --git a/patches.drivers/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch b/patches.drivers/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch
index d3744d4d86..11aabab622 100644
--- a/patches.drivers/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch
+++ b/patches.drivers/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch
@@ -4,7 +4,7 @@ Date: Thu, 9 May 2019 11:30:59 +0200
Subject: [PATCH] USB: rio500: fix memory leak in close after disconnect
Git-commit: e0feb73428b69322dd5caae90b0207de369b5575
Patch-mainline: v5.2-rc3
-References: bsc#1051510
+References: bsc#1051510 bsc#1146391 CVE-2019-15212
If a disconnected device is closed, rio_close() must free
the buffers.
diff --git a/patches.drivers/USB-rio500-refuse-more-than-one-device-at-a-time.patch b/patches.drivers/USB-rio500-refuse-more-than-one-device-at-a-time.patch
index ba7264c1a6..5c684a2d5d 100644
--- a/patches.drivers/USB-rio500-refuse-more-than-one-device-at-a-time.patch
+++ b/patches.drivers/USB-rio500-refuse-more-than-one-device-at-a-time.patch
@@ -4,7 +4,7 @@ Date: Thu, 9 May 2019 11:30:58 +0200
Subject: [PATCH] USB: rio500: refuse more than one device at a time
Git-commit: 3864d33943b4a76c6e64616280e98d2410b1190f
Patch-mainline: v5.2-rc3
-References: bsc#1051510
+References: bsc#1051510 bsc#1146391 CVE-2019-15212
This driver is using a global variable. It cannot handle more than
one device at a time. The issue has been existing since the dawn
diff --git a/patches.drivers/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch b/patches.drivers/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
new file mode 100644
index 0000000000..9ac0fb44be
--- /dev/null
+++ b/patches.drivers/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
@@ -0,0 +1,107 @@
+From c666355e60ddb4748ead3bdd983e3f7f2224aaf0 Mon Sep 17 00:00:00 2001
+From: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+Date: Fri, 21 Jun 2019 21:04:38 -0400
+Subject: [PATCH] media: radio-raremono: change devm_k*alloc to k*alloc
+Git-commit: c666355e60ddb4748ead3bdd983e3f7f2224aaf0
+Patch-mainline: v5.3-rc1
+References: CVE-2019-15211,bsc#1146519
+
+Change devm_k*alloc to k*alloc to manually allocate memory
+
+The manual allocation and freeing of memory is necessary because when
+the USB radio is disconnected, the memory associated with devm_k*alloc
+is freed. Meaning if we still have unresolved references to the radio
+device, then we get use-after-free errors.
+
+This patch fixes this by manually allocating memory, and freeing it in
+the v4l2.release callback that gets called when the last radio device
+exits.
+
+Reported-and-tested-by: syzbot+a4387f5b6b799f6becbf@syzkaller.appspotmail.com
+
+Signed-off-by: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: cleaned up two small checkpatch.pl warnings]
+[hverkuil-cisco@xs4all.nl: prefix subject with driver name]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/radio/radio-raremono.c | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/radio/radio-raremono.c
++++ b/drivers/media/radio/radio-raremono.c
+@@ -283,6 +283,14 @@ static int vidioc_g_frequency(struct fil
+ return 0;
+ }
+
++static void raremono_device_release(struct v4l2_device *v4l2_dev)
++{
++ struct raremono_device *radio = to_raremono_dev(v4l2_dev);
++
++ kfree(radio->buffer);
++ kfree(radio);
++}
++
+ /* File system interface */
+ static const struct v4l2_file_operations usb_raremono_fops = {
+ .owner = THIS_MODULE,
+@@ -307,12 +315,14 @@ static int usb_raremono_probe(struct usb
+ struct raremono_device *radio;
+ int retval = 0;
+
+- radio = devm_kzalloc(&intf->dev, sizeof(struct raremono_device), GFP_KERNEL);
+- if (radio)
+- radio->buffer = devm_kmalloc(&intf->dev, BUFFER_LENGTH, GFP_KERNEL);
+-
+- if (!radio || !radio->buffer)
++ radio = kzalloc(sizeof(*radio), GFP_KERNEL);
++ if (!radio)
++ return -ENOMEM;
++ radio->buffer = kmalloc(BUFFER_LENGTH, GFP_KERNEL);
++ if (!radio->buffer) {
++ kfree(radio);
+ return -ENOMEM;
++ }
+
+ radio->usbdev = interface_to_usbdev(intf);
+ radio->intf = intf;
+@@ -336,7 +346,8 @@ static int usb_raremono_probe(struct usb
+ if (retval != 3 ||
+ (get_unaligned_be16(&radio->buffer[1]) & 0xfff) == 0x0242) {
+ dev_info(&intf->dev, "this is not Thanko's Raremono.\n");
+- return -ENODEV;
++ retval = -ENODEV;
++ goto free_mem;
+ }
+
+ dev_info(&intf->dev, "Thanko's Raremono connected: (%04X:%04X)\n",
+@@ -345,7 +356,7 @@ static int usb_raremono_probe(struct usb
+ retval = v4l2_device_register(&intf->dev, &radio->v4l2_dev);
+ if (retval < 0) {
+ dev_err(&intf->dev, "couldn't register v4l2_device\n");
+- return retval;
++ goto free_mem;
+ }
+
+ mutex_init(&radio->lock);
+@@ -357,6 +368,7 @@ static int usb_raremono_probe(struct usb
+ radio->vdev.ioctl_ops = &usb_raremono_ioctl_ops;
+ radio->vdev.lock = &radio->lock;
+ radio->vdev.release = video_device_release_empty;
++ radio->v4l2_dev.release = raremono_device_release;
+
+ usb_set_intfdata(intf, &radio->v4l2_dev);
+
+@@ -372,6 +384,10 @@ static int usb_raremono_probe(struct usb
+ }
+ dev_err(&intf->dev, "could not register video device\n");
+ v4l2_device_unregister(&radio->v4l2_dev);
++
++free_mem:
++ kfree(radio->buffer);
++ kfree(radio);
+ return retval;
+ }
+
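Review bot: The `free_mem:` label added at the end of usb_raremono_probe() frees `radio->buffer` and `radio` directly, while the same patch installs `radio->v4l2_dev.release = raremono_device_release`, which frees the same two allocations. The error path is therefore only safe as long as nothing on it drops the last v4l2_device reference. A comment at the label would record that, e.g. `/* release callback has not run here: no v4l2_device_put() on the probe error path */`. With the devm allocations gone, normal teardown presumably depends on the disconnect handler dropping the final reference so that raremono_device_release() runs. That handler is not part of this patch, so it is worth confirming in the SLE12-SP4 tree that it does, otherwise both allocations would leak on unplug. Only part of usb_raremono_probe() is visible in these hunks.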
diff --git a/patches.drivers/media-usb-zr364xx-Fix-KASAN-null-ptr-deref-Read-in-z.patch b/patches.drivers/media-usb-zr364xx-Fix-KASAN-null-ptr-deref-Read-in-z.patch
new file mode 100644
index 0000000000..f435bc5f82
--- /dev/null
+++ b/patches.drivers/media-usb-zr364xx-Fix-KASAN-null-ptr-deref-Read-in-z.patch
@@ -0,0 +1,78 @@
+From 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e Mon Sep 17 00:00:00 2001
+From: Vandana BN <bnvandana@gmail.com>
+Date: Wed, 22 May 2019 04:34:15 -0400
+Subject: [PATCH] media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap
+Git-commit: 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e
+Patch-mainline: v5.3-rc1
+References: CVE-2019-15217,bsc#1146547
+
+SyzKaller hit the null pointer deref while reading from uninitialized
+udev->product in zr364xx_vidioc_querycap().
+
+==================================================================
+Bug: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20
+include/linux/compiler.h:274
+Read of size 1 at addr 0000000000000000 by task v4l_id/5287
+
+Cpu: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xe8/0x16e lib/dump_stack.c:113
+ kasan_report.cold+0x5/0x3c mm/kasan/report.c:321
+ read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274
+ strscpy+0x8a/0x280 lib/string.c:207
+ zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706
+ v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062
+ __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874
+ video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056
+ v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
+ ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+Rip: 0033:0x7f3b56d8b347
+Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
+ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
+ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
+Rsp: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+Rax: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347
+Rdx: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003
+Rbp: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884
+R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000
+==================================================================
+
+For this device udev->product is not initialized and accessing it causes a NULL pointer deref.
+
+The fix is to check for NULL before strscpy() and copy empty string, if
+product is NULL
+
+Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com
+Signed-off-by: Vandana BN <bnvandana@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/usb/zr364xx/zr364xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -706,7 +706,8 @@ static int zr364xx_vidioc_querycap(struc
+ struct zr364xx_camera *cam = video_drvdata(file);
+
+ strlcpy(cap->driver, DRIVER_DESC, sizeof(cap->driver));
+- strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
++ if (cam->udev->product)
++ strscpy(cap->card, cam->udev->product, sizeof(cap->card));
+ strlcpy(cap->bus_info, dev_name(&cam->udev->dev),
+ sizeof(cap->bus_info));
+ cap->device_caps = V4L2_CAP_VIDEO_CAPTURE |
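Review bot: The commit message says an empty string is copied when `product` is NULL, but the new `if (cam->udev->product)` in zr364xx_vidioc_querycap() has no else branch, so `cap->card` is simply left untouched. That is correct only if the caller hands in a zeroed `struct v4l2_capability`, which is not visible in this hunk; if it were not zeroed, stale bytes in `cap->card` would be returned to user space. Making the intent explicit costs one line, `else cap->card[0] = '\0';`, or a comment stating that the V4L2 core clears `cap` before the handler runs. The neighbouring `strlcpy()` calls are left as they are, so the function now mixes two copy helpers. The function body continues outside the hunk.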
diff --git a/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch b/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch
index 8bb642942b..6bb8df989d 100644
--- a/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch
+++ b/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch
@@ -4,7 +4,7 @@ Date: Fri, 1 Mar 2019 10:57:57 +0800
Subject: [PATCH] appletalk: Fix use-after-free in atalk_proc_exit
Git-commit: 6377f787aeb945cae7abbb6474798de129e1f3ac
Patch-mainline: v5.1-rc1
-References: bsc#1051510
+References: bsc#1051510,CVE-2019-15292,bsc#1146678
KASAN report this:
diff --git a/series.conf b/series.conf
index f15683ee64..0f4bf91bf7 100644
--- a/series.conf
+++ b/series.conf
@@ -23378,6 +23378,7 @@
patches.drivers/0017-media-pvrusb2-use-a-different-format-for-warnings.patch
patches.drivers/media-coda-Remove-unbalanced-and-unneeded-mutex-unlo.patch
patches.fixes/0001-media-cpia2_usb-first-wake-up-then-free-in-disconnec.patch
+ patches.drivers/media-usb-zr364xx-Fix-KASAN-null-ptr-deref-Read-in-z.patch
patches.drivers/media-staging-media-davinci_vpfe-Fix-for-memory-leak.patch
patches.drivers/media-wl128x-Fix-some-error-handling-in-fm_v4l2_init.patch
patches.drivers/media-vivid-fix-incorrect-assignment-operation-when-.patch
@@ -23387,6 +23388,7 @@
patches.drivers/media-coda-increment-sequence-offset-for-the-last-re.patch
patches.drivers/media-v4l2-Test-type-instead-of-cfg-type-in-v4l2_ctr.patch
patches.drivers/media-hdpvr-fix-locking-and-a-missing-msleep.patch
+ patches.drivers/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
patches.drivers/ALSA-usb-audio-Enable-.product_name-override-for-Ema.patch
patches.drivers/ALSA-usb-audio-Sanity-checks-for-each-pipe-and-EP-ty.patch
patches.drivers/ALSA-hda-realtek-Headphone-Mic-can-t-record-after-S3.patch