[PATCH AUTOSEL 3.18 1/6] selftests/efivarfs: add required kernel configs

List overview All Threads
Download

newer

older

[PATCH 4.4 000/113] 4.4.160-stable...

[PATCH 2/2] xen: make...

Sasha Levin

5 Oct 2018 5 Oct '18

4:17 p.m.

From: Lei Yang Lei.Yang@windriver.com

[ Upstream commit 53cf59d6c0ad3edc4f4449098706a8f8986258b6 ]

add config file

Signed-off-by: Lei Yang Lei.Yang@windriver.com Signed-off-by: Shuah Khan (Samsung OSG) shuah@kernel.org Signed-off-by: Sasha Levin alexander.levin@microsoft.com --- tools/testing/selftests/efivarfs/config | 1 + 1 file changed, 1 insertion(+) create mode 100644 tools/testing/selftests/efivarfs/config

diff --git a/tools/testing/selftests/efivarfs/config b/tools/testing/selftests/efivarfs/config new file mode 100644 index 000000000000..4e151f1005b2 --- /dev/null +++ b/tools/testing/selftests/efivarfs/config @@ -0,0 +1 @@ +CONFIG_EFIVAR_FS=y

-- 2.17.1

Show replies by date

Sasha Levin

5 Oct 5 Oct

4:17 p.m.

New subject: [PATCH AUTOSEL 3.18 2/6] mfd: omap-usb-host: Fix dts probe of children

From: Tony Lindgren tony@atomide.com

[ Upstream commit 10492ee8ed9188d6d420e1f79b2b9bdbc0624e65 ]

It currently only works if the parent bus uses "simple-bus". We currently try to probe children with non-existing compatible values. And we're missing .probe.

I noticed this while testing devices configured to probe using ti-sysc interconnect target module driver. For that we also may want to rebind the driver, so let's remove __init and __exit.

Signed-off-by: Tony Lindgren tony@atomide.com Acked-by: Roger Quadros rogerq@ti.com Signed-off-by: Lee Jones lee.jones@linaro.org Signed-off-by: Sasha Levin alexander.levin@microsoft.com --- drivers/mfd/omap-usb-host.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/mfd/omap-usb-host.c b/drivers/mfd/omap-usb-host.c index 83dab2f0a50e..c59dc55de803 100644 --- a/drivers/mfd/omap-usb-host.c +++ b/drivers/mfd/omap-usb-host.c @@ -558,8 +558,8 @@ static int usbhs_omap_get_dt_pdata(struct device *dev, }

static const struct of_device_id usbhs_child_match_table[] = { - { .compatible = "ti,omap-ehci", }, - { .compatible = "ti,omap-ohci", }, + { .compatible = "ti,ehci-omap", }, + { .compatible = "ti,ohci-omap3", }, { } };

@@ -886,6 +886,7 @@ static struct platform_driver usbhs_omap_driver = { .pm = &usbhsomap_dev_pm_ops, .of_match_table = usbhs_omap_dt_ids, }, + .probe = usbhs_omap_probe, .remove = usbhs_omap_remove, };

@@ -895,9 +896,9 @@ MODULE_ALIAS("platform:" USBHS_DRIVER_NAME); MODULE_LICENSE("GPL v2"); MODULE_DESCRIPTION("usb host common core driver for omap EHCI and OHCI");

-static int __init omap_usbhs_drvinit(void) +static int omap_usbhs_drvinit(void) { - return platform_driver_probe(&usbhs_omap_driver, usbhs_omap_probe); + return platform_driver_register(&usbhs_omap_driver); }

/* @@ -909,7 +910,7 @@ static int __init omap_usbhs_drvinit(void) */ fs_initcall_sync(omap_usbhs_drvinit);

-static void __exit omap_usbhs_drvexit(void) +static void omap_usbhs_drvexit(void) { platform_driver_unregister(&usbhs_omap_driver); }

-- 2.17.1

Sasha Levin

4:17 p.m.

New subject: [PATCH AUTOSEL 3.18 3/6] stmmac: fix valid numbers of unicast filter entries

From: Jongsung Kim neidhard.kim@lge.com

[ Upstream commit edf2ef7242805e53ec2e0841db26e06d8bc7da70 ]

Synopsys DWC Ethernet MAC can be configured to have 1..32, 64, or 128 unicast filter entries. (Table 7-8 MAC Address Registers from databook) Fix dwmac1000_validate_ucast_entries() to accept values between 1 and 32 in addition.

Signed-off-by: Jongsung Kim neidhard.kim@lge.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin alexander.levin@microsoft.com --- drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c index 58a1a0a423d4..4d718e738522 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c @@ -85,7 +85,7 @@ static int dwmac1000_validate_mcast_bins(int mcast_bins)

/* This function validates the number of Unicast address entries supported * by a particular Synopsys 10/100/1000 controller. The Synopsys controller - * supports 1, 32, 64, or 128 Unicast filter entries for it's Unicast filter + * supports 1..32, 64, or 128 Unicast filter entries for it's Unicast filter * logic. This function validates a valid, supported configuration is * selected, and defaults to 1 Unicast address if an unsupported * configuration is selected. @@ -95,8 +95,7 @@ static int dwmac1000_validate_ucast_entries(int ucast_entries) int x = ucast_entries;

switch (x) { - case 1: - case 32: + case 1 ... 32: case 64: case 128: break;

-- 2.17.1

Sasha Levin

4:17 p.m.

New subject: [PATCH AUTOSEL 3.18 4/6] net: hp100: fix always-true check for link up state

From: Colin Ian King colin.king@canonical.com

[ Upstream commit a7f38002fb69b44f8fc622ecb838665d0b8666af ]

The operation ~(p100_inb(VG_LAN_CFG_1) & HP100_LINK_UP) returns a value that is always non-zero and hence the wait for the link to drop always terminates prematurely. Fix this by using a logical not operator instead of a bitwise complement. This issue has been in the driver since pre-2.6.12-rc2.

Detected by CoverityScan, CID#114157 ("Logical vs. bitwise operator")

Signed-off-by: Colin Ian King colin.king@canonical.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin alexander.levin@microsoft.com --- drivers/net/ethernet/hp/hp100.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/hp/hp100.c b/drivers/net/ethernet/hp/hp100.c index 76a6e0c77d69..034471003249 100644 --- a/drivers/net/ethernet/hp/hp100.c +++ b/drivers/net/ethernet/hp/hp100.c @@ -2637,7 +2637,7 @@ static int hp100_login_to_vg_hub(struct net_device *dev, u_short force_relogin) /* Wait for link to drop */ time = jiffies + (HZ / 10); do { - if (~(hp100_inb(VG_LAN_CFG_1) & HP100_LINK_UP_ST)) + if (!(hp100_inb(VG_LAN_CFG_1) & HP100_LINK_UP_ST)) break; if (!in_interrupt()) schedule_timeout_interruptible(1);

-- 2.17.1

Sasha Levin

4:17 p.m.

New subject: [PATCH AUTOSEL 3.18 5/6] floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

From: Andy Whitcroft apw@canonical.com

[ Upstream commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e ]

The final field of a floppy_struct is the field "name", which is a pointer to a string in kernel memory. The kernel pointer should not be copied to user memory. The FDGETPRM ioctl copies a floppy_struct to user memory, including this "name" field. This pointer cannot be used by the user and it will leak a kernel address to user-space, which will reveal the location of kernel code and data and undermine KASLR protection.

Model this code after the compat ioctl which copies the returned data to a previously cleared temporary structure on the stack (excluding the name pointer) and copy out to userspace from there. As we already have an inparam union with an appropriate member and that memory is already cleared even for read only calls make use of that as a temporary store.

Based on an initial patch by Brian Belleville.

CVE-2018-7755 Signed-off-by: Andy Whitcroft apw@canonical.com

Broke up long line.

Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Sasha Levin alexander.levin@microsoft.com --- drivers/block/floppy.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index 56d46ffb08e1..f824836d2e7a 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -3459,6 +3459,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int (struct floppy_struct **)&outparam); if (ret) return ret; + memcpy(&inparam.g, outparam, + offsetof(struct floppy_struct, name)); + outparam = &inparam.g; break; case FDMSGON: UDP->flags |= FTD_MSG;

-- 2.17.1

Sasha Levin

4:17 p.m.

New subject: [PATCH AUTOSEL 3.18 6/6] ubifs: Check for name being NULL while mounting

From: Richard Weinberger richard@nod.at

[ Upstream commit 37f31b6ca4311b94d985fb398a72e5399ad57925 ]

The requested device name can be NULL or an empty string. Check for that and refuse to continue. UBIFS has to do this manually since we cannot use mount_bdev(), which checks for this condition.

Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Sasha Levin alexander.levin@microsoft.com --- fs/ubifs/super.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c index 2f7a74e73b7d..a6a2108bf620 100644 --- a/fs/ubifs/super.c +++ b/fs/ubifs/super.c @@ -1917,6 +1917,9 @@ static struct ubi_volume_desc *open_ubi(const char *name, int mode) int dev, vol; char *endptr;

+ if (!name || !*name) + return ERR_PTR(-EINVAL); + /* First, try to open using the device node path method */ ubi = ubi_open_volume_path(name, mode); if (!IS_ERR(ubi))

-- 2.17.1

Richard Weinberger

4:24 p.m.

New subject: [PATCH AUTOSEL 3.18 6/6] ubifs: Check for name being NULL while mounting

Sasha,

Am Freitag, 5. Oktober 2018, 18:17:50 CEST schrieb Sasha Levin:

...

From: Richard Weinberger richard@nod.at

[ Upstream commit 37f31b6ca4311b94d985fb398a72e5399ad57925 ]

The requested device name can be NULL or an empty string. Check for that and refuse to continue. UBIFS has to do this manually since we cannot use mount_bdev(), which checks for this condition.

Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Sasha Levin alexander.levin@microsoft.com

I'm not sure whether it makes sense to apply this patch to stable. 1. You need to be the real root to hit this code path. 2. Access is read-only, for an attacker it is useless.

If we look at the code: if (name[0] != 'u' || name[1] != 'b' || name[2] != 'i') return ERR_PTR(-EINVAL);

/* ubi:NAME method */ if ((name[3] == ':' || name[3] == '!') && name[4] != '\0')

name can be NULL, so we access just a few bytes.

Thanks, //richard

Sasha Levin

10 Oct 10 Oct

3 p.m.

New subject: [PATCH AUTOSEL 3.18 6/6] ubifs: Check for name being NULL while mounting

On Fri, Oct 05, 2018 at 06:24:42PM +0200, Richard Weinberger wrote:

...

Sasha,

Am Freitag, 5. Oktober 2018, 18:17:50 CEST schrieb Sasha Levin:

...
From: Richard Weinberger richard@nod.at

[ Upstream commit 37f31b6ca4311b94d985fb398a72e5399ad57925 ]

The requested device name can be NULL or an empty string. Check for that and refuse to continue. UBIFS has to do this manually since we cannot use mount_bdev(), which checks for this condition.

Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Sasha Levin alexander.levin@microsoft.com

I'm not sure whether it makes sense to apply this patch to stable.

You need to be the real root to hit this code path.

Access is read-only, for an attacker it is useless.

If we look at the code: if (name[0] != 'u' || name[1] != 'b' || name[2] != 'i') return ERR_PTR(-EINVAL);
   /* ubi:NAME method */
   if ((name[3] == ':' || name[3] == '!') && name[4] != '\0')
name can be NULL, so we access just a few bytes.

Thanks, //richard

Hi Richard,

I wasn't really looking at it from a security perspective. My thought process was that if a user (root or not) is doing action A, expecting result B but instead unexpectedly sees result C then it's a bug worth fixing in stable.

If you think it's a risky change for stable I'd be happy to drop it.

-- Thanks, Sasha

2255

days inactive

2260

days old

linux-stable-mirror@lists.linaro.org

7 comments

participants

tags (0)

participants (2)

Richard Weinberger
Sasha Levin