author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-23 14:11:20 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-04-23 14:11:20 +0200 |
commit | 87e6ef12a4195a4ed08169adc96486ab26e258f3 (patch) | |
tree | dc5d571410caefb229c38bcc516d0ec0e0581c07 | |
parent | 9e7c44d8cc47a45cca718bf6add5acefea9d546b (diff) | |
5.4-stable patches
added patches:
binder-check-offset-alignment-in-binder_get_object.patch
comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
-rw-r--r-- | queue-5.4/binder-check-offset-alignment-in-binder_get_object.patch | 46 | ||||
-rw-r--r-- | queue-5.4/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch | 98 | ||||
-rw-r--r-- | queue-5.4/series | 2 |
3 files changed, 146 insertions, 0 deletions
diff --git a/queue-5.4/binder-check-offset-alignment-in-binder_get_object.patch b/queue-5.4/binder-check-offset-alignment-in-binder_get_object.patch
new file mode 100644
index 0000000000..5816a2eecf
--- /dev/null
+++ b/queue-5.4/binder-check-offset-alignment-in-binder_get_object.patch
@@ -0,0 +1,46 @@
+From aaef73821a3b0194a01bd23ca77774f704a04d40 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Sat, 30 Mar 2024 19:01:14 +0000
+Subject: binder: check offset alignment in binder_get_object()
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit aaef73821a3b0194a01bd23ca77774f704a04d40 upstream.
+
+Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
+txn") introduced changes to how binder objects are copied. In doing so,
+it unintentionally removed an offset alignment check done through calls
+to binder_alloc_copy_from_buffer() -> check_buffer().
+
+These calls were replaced in binder_get_object() with copy_from_user(),
+so now an explicit offset alignment check is needed here. This avoids
+later complications when unwinding the objects gets harder.
+
+It is worth noting this check existed prior to commit 7a67a39320df
+("binder: add function to copy binder object from buffer"), likely
+removed due to redundancy at the time.
+
+Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn")
+Cc: stable@vger.kernel.org
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Acked-by: Todd Kjos <tkjos@google.com>
+Link: https://lore.kernel.org/r/20240330190115.1877819-1-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2047,8 +2047,10 @@ static size_t binder_get_object(struct b
+ size_t object_size = 0;
+ 
+ read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
+- if (offset > buffer->data_size || read_size < sizeof(*hdr))
++ if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
++ !IS_ALIGNED(offset, sizeof(u32)))
+ return 0;
++
+ if (u) {
+ if (copy_from_user(object, u + offset, read_size))
+ return 0;
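Review bot: The added `!IS_ALIGNED(offset, sizeof(u32))` term is the one line in this hunk that carries no explanation, and since it restores an invariant the commit message says was lost in 6d98eb95b450, a short comment above the condition would stop the next cleanup from dropping it again: `/* Offsets must be u32-aligned, as check_buffer() enforced before 6d98eb95b450. */`. The placement is right: the alignment test runs before the copy_from_user() below it, so a misaligned offset is rejected before any bytes are read. Note that `buffer->data_size - offset` on the read_size line is still evaluated before the `offset > buffer->data_size` test; as size_t arithmetic it wraps rather than traps and min_t() then clamps it to sizeof(*object), so the current order is safe, but the condition must keep rejecting that case first if it is ever reordered. binder_get_object() starts and ends outside the hunk.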
diff --git a/queue-5.4/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch b/queue-5.4/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
new file mode 100644
index 0000000000..b6d74efedc
--- /dev/null
+++ b/queue-5.4/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
@@ -0,0 +1,98 @@
+From d1718530e3f640b7d5f0050e725216eab57a85d8 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Mon, 8 Apr 2024 10:16:33 -0700
+Subject: comedi: vmk80xx: fix incomplete endpoint checking
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit d1718530e3f640b7d5f0050e725216eab57a85d8 upstream.
+
+While vmk80xx does have endpoint checking implemented, some things
+can fall through the cracks. Depending on the hardware model,
+URBs can have either bulk or interrupt type, and current version
+of vmk80xx_find_usb_endpoints() function does not take that fully
+into account. While this warning does not seem to be too harmful,
+at the very least it will crash systems with 'panic_on_warn' set on
+them.
+
+Fix the issue found by Syzkaller [1] by somewhat simplifying the
+endpoint checking process with usb_find_common_endpoints() and
+ensuring that only expected endpoint types are present.
+
+This patch has not been tested on real hardware.
+
+[1] Syzkaller report:
+usb 1-1: BOGUS urb xfer, pipe 1 != type 3
+WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
+...
+Call Trace:
+ <TASK>
+ usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59
+ vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]
+ vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818
+ comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067
+ usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399
+...
+
+Similar issue also found by Syzkaller:
+Link: https://syzkaller.appspot.com/bug?extid=5205eb2f17de3e01946e
+
+Reported-and-tested-by: syzbot+5f29dc6a889fc42bd896@syzkaller.appspotmail.com
+Cc: stable <stable@kernel.org>
+Fixes: 49253d542cc0 ("staging: comedi: vmk80xx: factor out usb endpoint detection")
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://lore.kernel.org/r/20240408171633.31649-1-n.zhandarovich@fintech.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/vmk80xx.c | 35 ++++++++++---------------------
+ 1 file changed, 12 insertions(+), 23 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/vmk80xx.c
++++ b/drivers/staging/comedi/drivers/vmk80xx.c
+@@ -642,33 +642,22 @@ static int vmk80xx_find_usb_endpoints(st
+ struct vmk80xx_private *devpriv = dev->private;
+ struct usb_interface *intf = comedi_to_usb_interface(dev);
+ struct usb_host_interface *iface_desc = intf->cur_altsetting;
+- struct usb_endpoint_descriptor *ep_desc;
+- int i;
++ struct usb_endpoint_descriptor *ep_rx_desc, *ep_tx_desc;
++ int ret;
+ 
+- if (iface_desc->desc.bNumEndpoints != 2)
+- return -ENODEV;
+-
+- for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
+- ep_desc = &iface_desc->endpoint[i].desc;
+-
+- if (usb_endpoint_is_int_in(ep_desc) ||
+- usb_endpoint_is_bulk_in(ep_desc)) {
+- if (!devpriv->ep_rx)
+- devpriv->ep_rx = ep_desc;
+- continue;
+- }
++ if (devpriv->model == VMK8061_MODEL)
++ ret = usb_find_common_endpoints(iface_desc, &ep_rx_desc,
++ &ep_tx_desc, NULL, NULL);
++ else
++ ret = usb_find_common_endpoints(iface_desc, NULL, NULL,
++ &ep_rx_desc, &ep_tx_desc);
+ 
+- if (usb_endpoint_is_int_out(ep_desc) ||
+- usb_endpoint_is_bulk_out(ep_desc)) {
+- if (!devpriv->ep_tx)
+- devpriv->ep_tx = ep_desc;
+- continue;
+- }
+- }
+-
+- if (!devpriv->ep_rx || !devpriv->ep_tx)
++ if (ret)
+ return -ENODEV;
+ 
++ devpriv->ep_rx = ep_rx_desc;
++ devpriv->ep_tx = ep_tx_desc;
++
+ if (!usb_endpoint_maxp(devpriv->ep_rx) || !usb_endpoint_maxp(devpriv->ep_tx))
+ return -EINVAL;
+ 
diff --git a/queue-5.4/series b/queue-5.4/series
index 8596d3d13c..9e9fc83f12 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -33,3 +33,5 @@ clk-print-an-info-line-before-disabling-unused-clock.patch
 clk-initialize-struct-clk_core-kref-earlier.patch
 clk-get-runtime-pm-before-walking-tree-during-disabl.patch
 x86-cpufeatures-fix-dependencies-for-gfni-vaes-and-v.patch
+binder-check-offset-alignment-in-binder_get_object.patch
+comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
|
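Review bot: The model-to-endpoint-type split is the essential new logic in this hunk, yet the two usb_find_common_endpoints() calls are written as mirror images with no comment, so a reader has to infer from argument position that the VMK8061 branch asks for bulk in/out and every other model for interrupt in/out. I would add above `if (devpriv->model == VMK8061_MODEL)`: `/* VMK8061 transfers over bulk endpoints, the other models over interrupt endpoints; only accept the type this model's URBs will be submitted on. */` — worded as an inference, since the helper's parameter order and the URB-submission code are not in view here. Dropping the old `bNumEndpoints != 2` test also means an interface carrying additional endpoints of some other type is now accepted rather than rejected, which the commit message's "ensuring that only expected endpoint types are present" slightly overstates; that is harmless for the WARN being fixed, but it is a behaviour change worth one line in the description if it was intentional. vmk80xx_find_usb_endpoints() starts and ends outside the hunk.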