From: Eric Biggers <ebiggers(a)google.com>
ext4 isn't validating the sizes of xattrs. This is problematic
because ->e_value_size is a u32, but ext4_xattr_get() returns an int.
A very large size is misinterpreted as an error code, which
ext4_get_acl() translates into a bogus ERR_PTR() for which IS_ERR()
returns false, causing a crash.
Fix this by validating that all xattrs are <= INT_MAX bytes. Also add
explicit checks in ext4_xattr_block_get() and ext4_xattr_ibody_get()
just in case the xattr block is corrupted in memory.
This issue has been assigned CVE-2018-1095.
https://bugzilla.kernel.org/show_bug.cgi?id=199185https://bugzilla.redhat.com/show_bug.cgi?id=1560793
Reported-by: Wen Xu <wen.xu(a)gatech.edu>
Signed-off-by: Eric Biggers <ebiggers(a)google.com>
Signed-off-by: Theodore Ts'o <tytso(a)mit.edu>
Cc: stable(a)vger.kernel.org
---
fs/ext4/xattr.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 63656dbafdc4..fea1108c3bea 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -201,6 +201,9 @@ ext4_xattr_check_entries(struct ext4_xattr_entry *entry, void *end,
u32 size = le32_to_cpu(entry->e_value_size);
void *value;
+ if (size > INT_MAX)
+ return -EFSCORRUPTED;
+
/*
* The value cannot overlap the names, and the value
* with padding cannot extend beyond 'end'. Check both
@@ -523,8 +526,10 @@ ext4_xattr_block_get(struct inode *inode, int name_index, const char *name,
if (error)
goto cleanup;
size = le32_to_cpu(entry->e_value_size);
+ error = -ERANGE;
+ if (unlikely(size > INT_MAX))
+ goto cleanup;
if (buffer) {
- error = -ERANGE;
if (size > buffer_size)
goto cleanup;
if (entry->e_value_inum) {
@@ -572,8 +577,10 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
if (error)
goto cleanup;
size = le32_to_cpu(entry->e_value_size);
+ error = -ERANGE;
+ if (unlikely(size > INT_MAX))
+ goto cleanup;
if (buffer) {
- error = -ERANGE;
if (size > buffer_size)
goto cleanup;
if (entry->e_value_inum) {
--
2.16.1.72.g5be1f00a9a
This is a note to let you know that I've just added the patch titled
Revert "USB: serial: ftdi_sio: add Id for Physik Instrumente E-870"
to my usb git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
in the usb-next branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will also be merged in the next major kernel release
during the merge window.
If you have any questions about this process, please let me know.
>From 5267c5e09c25e2ee6242b37833a9bdf9d97f54a2 Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan(a)kernel.org>
Date: Thu, 29 Mar 2018 14:35:40 +0200
Subject: Revert "USB: serial: ftdi_sio: add Id for Physik Instrumente E-870"
This reverts commit 79a0b33165d8d8ec0840fcfc74fd0a8f219abeee.
Turns out this is not an FTDI device after all.
Fixes: 79a0b33165d8 ("USB: serial: ftdi_sio: add Id for Physik Instrumente E-870")
Reported-by: Martin Teichmann <martin.teichmann(a)xfel.eu>
Cc: stable <stable(a)vger.kernel.org>
Signed-off-by: Johan Hovold <johan(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 1 -
drivers/usb/serial/ftdi_sio_ids.h | 1 -
2 files changed, 2 deletions(-)
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index 566f25781ea0..87202ad5a50d 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -894,7 +894,6 @@ static const struct usb_device_id id_table_combined[] = {
{ USB_DEVICE(PI_VID, PI_1014_PID) },
{ USB_DEVICE(PI_VID, PI_1015_PID) },
{ USB_DEVICE(PI_VID, PI_1016_PID) },
- { USB_DEVICE(PI_VID, PI_E870_PID) },
{ USB_DEVICE(KONDO_VID, KONDO_USB_SERIAL_PID) },
{ USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) },
{ USB_DEVICE(FTDI_VID, MARVELL_OPENRD_PID),
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
index f7790758de7c..975d02666c5a 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -981,7 +981,6 @@
#define PI_1014_PID 0x1014 /* PI Device */
#define PI_1015_PID 0x1015 /* PI Device */
#define PI_1016_PID 0x1016 /* PI Digital Servo Module */
-#define PI_E870_PID 0x1019 /* PI E-870 Piezomotor Controller */
/*
* Kondo Kagaku Co.Ltd.
--
2.16.3
This is a note to let you know that I've just added the patch titled
usb: musb: gadget: misplaced out of bounds check
to my usb git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
in the usb-next branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will also be merged in the next major kernel release
during the merge window.
If you have any questions about this process, please let me know.
>From af6f8529098aeb0e56a68671b450cf74e7a64fcd Mon Sep 17 00:00:00 2001
From: Heinrich Schuchardt <xypron.glpk(a)gmx.de>
Date: Thu, 29 Mar 2018 10:48:28 -0500
Subject: usb: musb: gadget: misplaced out of bounds check
musb->endpoints[] has array size MUSB_C_NUM_EPS.
We must check array bounds before accessing the array and not afterwards.
Signed-off-by: Heinrich Schuchardt <xypron.glpk(a)gmx.de>
Signed-off-by: Bin Liu <b-liu(a)ti.com>
Cc: stable <stable(a)vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/usb/musb/musb_gadget_ep0.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c
index 18da4873e52e..91a5027b5c1f 100644
--- a/drivers/usb/musb/musb_gadget_ep0.c
+++ b/drivers/usb/musb/musb_gadget_ep0.c
@@ -89,15 +89,19 @@ static int service_tx_status_request(
}
is_in = epnum & USB_DIR_IN;
- if (is_in) {
- epnum &= 0x0f;
+ epnum &= 0x0f;
+ if (epnum >= MUSB_C_NUM_EPS) {
+ handled = -EINVAL;
+ break;
+ }
+
+ if (is_in)
ep = &musb->endpoints[epnum].ep_in;
- } else {
+ else
ep = &musb->endpoints[epnum].ep_out;
- }
regs = musb->endpoints[epnum].regs;
- if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
+ if (!ep->desc) {
handled = -EINVAL;
break;
}
--
2.16.3
This is a note to let you know that I've just added the patch titled
Revert "USB: serial: ftdi_sio: add Id for Physik Instrumente E-870"
to my usb git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
in the usb-testing branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will be merged to the usb-next branch sometime soon,
after it passes testing, and the merge window is open.
If you have any questions about this process, please let me know.
>From 5267c5e09c25e2ee6242b37833a9bdf9d97f54a2 Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan(a)kernel.org>
Date: Thu, 29 Mar 2018 14:35:40 +0200
Subject: Revert "USB: serial: ftdi_sio: add Id for Physik Instrumente E-870"
This reverts commit 79a0b33165d8d8ec0840fcfc74fd0a8f219abeee.
Turns out this is not an FTDI device after all.
Fixes: 79a0b33165d8 ("USB: serial: ftdi_sio: add Id for Physik Instrumente E-870")
Reported-by: Martin Teichmann <martin.teichmann(a)xfel.eu>
Cc: stable <stable(a)vger.kernel.org>
Signed-off-by: Johan Hovold <johan(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 1 -
drivers/usb/serial/ftdi_sio_ids.h | 1 -
2 files changed, 2 deletions(-)
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index 566f25781ea0..87202ad5a50d 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -894,7 +894,6 @@ static const struct usb_device_id id_table_combined[] = {
{ USB_DEVICE(PI_VID, PI_1014_PID) },
{ USB_DEVICE(PI_VID, PI_1015_PID) },
{ USB_DEVICE(PI_VID, PI_1016_PID) },
- { USB_DEVICE(PI_VID, PI_E870_PID) },
{ USB_DEVICE(KONDO_VID, KONDO_USB_SERIAL_PID) },
{ USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) },
{ USB_DEVICE(FTDI_VID, MARVELL_OPENRD_PID),
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
index f7790758de7c..975d02666c5a 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -981,7 +981,6 @@
#define PI_1014_PID 0x1014 /* PI Device */
#define PI_1015_PID 0x1015 /* PI Device */
#define PI_1016_PID 0x1016 /* PI Digital Servo Module */
-#define PI_E870_PID 0x1019 /* PI E-870 Piezomotor Controller */
/*
* Kondo Kagaku Co.Ltd.
--
2.16.3
This is a note to let you know that I've just added the patch titled
usb: musb: gadget: misplaced out of bounds check
to my usb git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
in the usb-testing branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will be merged to the usb-next branch sometime soon,
after it passes testing, and the merge window is open.
If you have any questions about this process, please let me know.
>From af6f8529098aeb0e56a68671b450cf74e7a64fcd Mon Sep 17 00:00:00 2001
From: Heinrich Schuchardt <xypron.glpk(a)gmx.de>
Date: Thu, 29 Mar 2018 10:48:28 -0500
Subject: usb: musb: gadget: misplaced out of bounds check
musb->endpoints[] has array size MUSB_C_NUM_EPS.
We must check array bounds before accessing the array and not afterwards.
Signed-off-by: Heinrich Schuchardt <xypron.glpk(a)gmx.de>
Signed-off-by: Bin Liu <b-liu(a)ti.com>
Cc: stable <stable(a)vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/usb/musb/musb_gadget_ep0.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c
index 18da4873e52e..91a5027b5c1f 100644
--- a/drivers/usb/musb/musb_gadget_ep0.c
+++ b/drivers/usb/musb/musb_gadget_ep0.c
@@ -89,15 +89,19 @@ static int service_tx_status_request(
}
is_in = epnum & USB_DIR_IN;
- if (is_in) {
- epnum &= 0x0f;
+ epnum &= 0x0f;
+ if (epnum >= MUSB_C_NUM_EPS) {
+ handled = -EINVAL;
+ break;
+ }
+
+ if (is_in)
ep = &musb->endpoints[epnum].ep_in;
- } else {
+ else
ep = &musb->endpoints[epnum].ep_out;
- }
regs = musb->endpoints[epnum].regs;
- if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
+ if (!ep->desc) {
handled = -EINVAL;
break;
}
--
2.16.3
This is a fix for a regression in 32 bit kernels caused by an
invalid check for pgoff overflow in hugetlbfs mmap setup. The
check incorrectly specified that the size of a loff_t was the
same as the size of a long. The regression prevents mapping
hugetlbfs files at offset greater than 4GB on 32 bit kernels.
Fix the check by using sizeof(loff_t) to get size. In addition,
make sure pgoff + length can be represented by a signed long
huge page offset. This check is only necessary on 32 bit kernels.
Fixes: 63489f8e8211 ("hugetlbfs: check for pgoff value overflow")
Cc: <stable(a)vger.kernel.org>
Reported-by: Dan Rue <dan.rue(a)linaro.org>
Signed-off-by: Mike Kravetz <mike.kravetz(a)oracle.com>
---
fs/hugetlbfs/inode.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index b9a254dcc0e7..8450a1d75dfa 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -116,7 +116,8 @@ static void huge_pagevec_release(struct pagevec *pvec)
* bit into account.
*/
#define PGOFF_LOFFT_MAX \
- (((1UL << (PAGE_SHIFT + 1)) - 1) << (BITS_PER_LONG - (PAGE_SHIFT + 1)))
+ (((1UL << (PAGE_SHIFT + 1)) - 1) << \
+ ((sizeof(loff_t) * BITS_PER_BYTE) - (PAGE_SHIFT + 1)))
static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
{
@@ -138,21 +139,32 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
/*
* page based offset in vm_pgoff could be sufficiently large to
- * overflow a (l)off_t when converted to byte offset.
+ * overflow a loff_t when converted to byte offset.
*/
- if (vma->vm_pgoff & PGOFF_LOFFT_MAX)
+ if ((loff_t)vma->vm_pgoff & (loff_t)PGOFF_LOFFT_MAX)
return -EINVAL;
- /* must be huge page aligned */
+ /* vm_pgoff must be huge page aligned */
if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
return -EINVAL;
+ /*
+ * Compute file offset of the end of this mapping
+ */
vma_len = (loff_t)(vma->vm_end - vma->vm_start);
len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
- /* check for overflow */
+
+ /* Check to ensure this did not overflow loff_t */
if (len < vma_len)
return -EINVAL;
+ /*
+ * On 32 bit systems, this check is necessary to ensure the last page
+ * of mapping can be represented as a signed long huge page index.
+ */
+ if ((len >> huge_page_shift(h)) > LONG_MAX)
+ return -EINVAL;
+
inode_lock(inode);
file_accessed(file);
--
2.13.6
From: Victor Gu <xigu(a)marvell.com>
The PCI configuration space read/write functions were special casing
the situation where PCI_SLOT(devfn) != 0, and returned
PCIBIOS_DEVICE_NOT_FOUND in this case.
However, while this is what is intended for the root bus, it is not
intended for the child busses, as it prevents discovering devices with
PCI_SLOT(x) != 0. Therefore, we return PCIBIOS_DEVICE_NOT_FOUND only
if we're on the root bus.
Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Victor Gu <xigu(a)marvell.com>
Reviewed-by: Wilson Ding <dingwei(a)marvell.com>
Reviewed-by: Nadav Haklai <nadavh(a)marvell.com>
[Thomas: tweak commit log.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni(a)bootlin.com>
---
Changes since v2:
- The logic has been factorized into a advk_pcie_valid_device()
helper in a previous patch, so this patch was adjusted accordingly.
---
drivers/pci/host/pci-aardvark.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/host/pci-aardvark.c b/drivers/pci/host/pci-aardvark.c
index 82bff709a4b3..9d7f9f1c6837 100644
--- a/drivers/pci/host/pci-aardvark.c
+++ b/drivers/pci/host/pci-aardvark.c
@@ -433,7 +433,7 @@ static int advk_pcie_wait_pio(struct advk_pcie *pcie)
static bool advk_pcie_valid_device(struct advk_pcie *pcie, struct pci_bus *bus,
int devfn)
{
- if (PCI_SLOT(devfn) != 0)
+ if ((bus->number == pcie->root_bus_nr) && PCI_SLOT(devfn) != 0)
return false;
return true;
--
2.14.3