authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-07-31 12:10:31 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-07-31 12:10:31 +0200
commitc3ceb3e9ce0b424c96e2b3c265c1083368b32099 (patch)
tree2a41afd104fa32cce032605f4a83eac338c0d1a2
parentd6709a24fb0cc99d063b14f145b0def39ed5ddff (diff)
downloadqueue-3.18-c3ceb3e9ce0b424c96e2b3c265c1083368b32099.tar.gz
more patches
-rw-r--r--binder-fix-possible-uaf-when-freeing-buffer.patch57
-rw-r--r--net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch23
-rw-r--r--scsi-mvsas-fix-command_active-typo.patch42
-rw-r--r--series2
4 files changed, 121 insertions, 3 deletions
diff --git a/binder-fix-possible-uaf-when-freeing-buffer.patch b/binder-fix-possible-uaf-when-freeing-buffer.patch
new file mode 100644
index 0000000..bff03c0
--- /dev/null
+++ b/binder-fix-possible-uaf-when-freeing-buffer.patch
@@ -0,0 +1,57 @@
+From 544bb27aa37e1a58352e659dc4811ae5ab8fa5e0 Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Wed, 12 Jun 2019 13:29:27 -0700
+Subject: binder: fix possible UAF when freeing buffer
+
+commit a370003cc301d4361bae20c9ef615f89bf8d1e8a upstream
+
+There is a race between the binder driver cleaning
+up a completed transaction via binder_free_transaction()
+and a user calling binder_ioctl(BC_FREE_BUFFER) to
+release a buffer. It doesn't matter which is first but
+they need to be protected against running concurrently
+which can result in a UAF.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org> # 4.14 4.19
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/android/binder.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/android/binder.c
++++ b/drivers/staging/android/binder.c
+@@ -2117,8 +2117,18 @@ static struct binder_thread *binder_get_
+
+ static void binder_free_transaction(struct binder_transaction *t)
+ {
+- if (t->buffer)
+- t->buffer->transaction = NULL;
++ struct binder_proc *target_proc = t->to_proc;
++
++ if (target_proc) {
++ binder_inner_proc_lock(target_proc);
++ if (t->buffer)
++ t->buffer->transaction = NULL;
++ binder_inner_proc_unlock(target_proc);
++ }
++ /*
++ * If the transaction has no target_proc, then
++ * t->buffer->transaction has already been cleared.
++ */
+ kfree(t);
+ binder_stats_deleted(BINDER_STAT_TRANSACTION);
+ }
+@@ -3693,10 +3703,12 @@ static int binder_thread_write(struct bi
+ buffer->debug_id,
+ buffer->transaction ? "active" : "finished");
+
++ binder_inner_proc_lock(proc);
+ if (buffer->transaction) {
+ buffer->transaction->buffer = NULL;
+ buffer->transaction = NULL;
+ }
++ binder_inner_proc_unlock(proc);
+ if (buffer->async_transaction && buffer->target_node) {
+ struct binder_node *buf_node;
+ struct binder_work *w;
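Review bot: The added `binder_inner_proc_lock()`/`binder_inner_proc_unlock()` calls in `binder_free_transaction` and in the BC_FREE_BUFFER path assume this tree has the per-proc inner spinlock, but those helpers arrived with the 4.14 locking rework and the upstream trailer `Cc: stable # 4.14 4.19` targets only those trees; if 3.18's staging binder.c still serialises everything under the single global `binder_lock`, this patch either fails to build or adds a lock the global mutex already makes redundant, so it needs a build and a check of what actually protects `buffer->transaction` in this tree before queueing. If the global lock is indeed held on both paths, the right backport is a sentence in the patch description recording that the race is already closed here rather than these calls. The closing comment in `binder_free_transaction` (`If the transaction has no target_proc, then t->buffer->transaction has already been cleared`) states an invariant established by callers that are not in the hunk, so it should be verified against this tree's callers as well. Both modified functions begin and end outside the hunk.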
diff --git a/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch b/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
index 1998317..18c8391 100644
--- a/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
+++ b/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
@@ -17,8 +17,8 @@ Tested-by: Martin Weinelt <martin@linuxlounge.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- net/bridge/br_multicast.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
+ net/bridge/br_multicast.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -30,7 +30,24 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
struct mld_msg *mld;
struct net_bridge_mdb_entry *mp;
struct mld2_query *mld2q;
-@@ -1366,7 +1365,7 @@ static int br_ip6_multicast_query(struct
+@@ -1328,7 +1327,7 @@ static int br_ip6_multicast_query(struct
+ goto out;
+
+ /* RFC2710+RFC3810 (MLDv1+MLDv2) require link-local source addresses */
+- if (!(ipv6_addr_type(&ip6h->saddr) & IPV6_ADDR_LINKLOCAL)) {
++ if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
+ err = -EINVAL;
+ goto out;
+ }
+@@ -1359,14 +1358,14 @@ static int br_ip6_multicast_query(struct
+ /* RFC2710+RFC3810 (MLDv1+MLDv2) require the multicast link layer
+ * all-nodes destination address (ff02::1) for general queries
+ */
+- if (is_general_query && !ipv6_addr_is_ll_all_nodes(&ip6h->daddr)) {
++ if (is_general_query && !ipv6_addr_is_ll_all_nodes(&ipv6_hdr(skb)->daddr)) {
+ err = -EINVAL;
+ goto out;
+ }
if (is_general_query) {
saddr.proto = htons(ETH_P_IPV6);
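Review bot: The two added `ipv6_hdr(skb)` call sites re-read the header after the point where `pskb_may_pull()` can have reallocated the skb, which is the right direction, but `br_ip6_multicast_query` begins and ends outside the hunk, so any other `ip6h->` dereference that survives in the 3.18 body would still go through the stale pointer (and, if the part of this patch above the hunk drops the `ip6h` declaration, would fail to build). I would grep the patched function for remaining `ip6h` uses before queueing and add a line to the patch description saying the backport touches three sites where upstream touched one. The embedded hunk offsets moved from `-1366,7 +1365,7` to `-1328,7 +1327,7`, so the patch was regenerated against a different base; the `Tested-by` in the header covers the original revision, not this one.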
diff --git a/scsi-mvsas-fix-command_active-typo.patch b/scsi-mvsas-fix-command_active-typo.patch
new file mode 100644
index 0000000..03f139e
--- /dev/null
+++ b/scsi-mvsas-fix-command_active-typo.patch
@@ -0,0 +1,42 @@
+From af15769ffab13d777e55fdef09d0762bf0c249c4 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 16 Nov 2016 16:08:34 +0100
+Subject: scsi: mvsas: fix command_active typo
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit af15769ffab13d777e55fdef09d0762bf0c249c4 upstream.
+
+gcc-7 notices that the condition in mvs_94xx_command_active looks
+suspicious:
+
+drivers/scsi/mvsas/mv_94xx.c: In function 'mvs_94xx_command_active':
+drivers/scsi/mvsas/mv_94xx.c:671:15: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context]
+
+This was introduced when the mv_printk() statement got added, and leads
+to the condition being ignored. This is probably harmless.
+
+Changing '&&' to '&' makes the code look reasonable, as we check the
+command bit before setting and printing it.
+
+Fixes: a4632aae8b66 ("[SCSI] mvsas: Add new macros and functions")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mvsas/mv_94xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/mvsas/mv_94xx.c
++++ b/drivers/scsi/mvsas/mv_94xx.c
+@@ -621,7 +621,7 @@ static void mvs_94xx_command_active(stru
+ {
+ u32 tmp;
+ tmp = mvs_cr32(mvi, MVS_COMMAND_ACTIVE+(slot_idx >> 3));
+- if (tmp && 1 << (slot_idx % 32)) {
++ if (tmp & 1 << (slot_idx % 32)) {
+ mv_printk("command active %08X, slot [%x].\n", tmp, slot_idx);
+ mvs_cw32(mvi, MVS_COMMAND_ACTIVE + (slot_idx >> 3),
+ 1 << (slot_idx % 32));
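Review bot: `if (tmp & 1 << (slot_idx % 32))` relies on `<<` binding tighter than `&`, which is correct but is exactly the shape that hid the original `&&` typo; I would spell the mask out as `if (tmp & (1U << (slot_idx % 32)))` and use the same `1U` form on the `mvs_cw32()` write two lines below so neither read is ambiguous. The behaviour change is also larger than the description's "probably harmless" suggests: before the fix the clear-write ran whenever any bit of the register was set, after it only when this slot's bit is set, which is worth one sentence in the description for anyone bisecting mvsas slot-release behaviour. The register offset `slot_idx >> 3` beside a `% 32` bit index looks inconsistent at a glance (slot_idx/8 only lands on a 32-bit word boundary for multiples of 32); if that is intended it deserves a comment, though I cannot confirm the offset units of `mvs_cr32()` from here.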
diff --git a/series b/series
index d84a875..a59bccd 100644
--- a/series
+++ b/series
@@ -34,3 +34,5 @@ usb-pci-quirks-correct-amd-pll-quirk-detection.patch
x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch
hpet-fix-division-by-zero-in-hpet_time_div.patch
powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch
+scsi-mvsas-fix-command_active-typo.patch
+binder-fix-possible-uaf-when-freeing-buffer.patch