Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.19.16 2019-01-09T16:38:31+00:00 2019-01-09T16:38:31+00:00 Eric Dumazet edumazet@google.com 2019-01-02T17:20:27+00:00 urn:sha1:ec820972c5436e45f398904af1bc715b969c3d5d [ Upstream commit d63967e475ae10f286dbd35e189cb241e0b1f284 ] Since capi_ioctl() copies 64 bytes after calling capi20_get_manufacturer() we need to ensure to not leak information to user. BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 CPU: 0 PID: 11245 Comm: syz-executor633 Not tainted 4.20.0-rc7+ #2 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x173/0x1d0 lib/dump_stack.c:113 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613 kmsan_internal_check_memory+0x9d4/0xb00 mm/kmsan/kmsan.c:704 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 capi_ioctl include/linux/uaccess.h:177 [inline] capi_unlocked_ioctl+0x1a0b/0x1bf0 drivers/isdn/capi/capi.c:939 do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46 ksys_ioctl fs/ioctl.c:713 [inline] __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:718 __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:718 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 RIP: 0033:0x440019 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffdd4659fb8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019 RDX: 0000000020000080 RSI: 00000000c0044306 RDI: 0000000000000003 RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004018a0 R13: 0000000000401930 R14: 0000000000000000 R15: 0000000000000000 Local variable description: ----data.i@capi_unlocked_ioctl Variable was created at: capi_ioctl drivers/isdn/capi/capi.c:747 [inline] capi_unlocked_ioctl+0x82/0x1bf0 drivers/isdn/capi/capi.c:939 do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46 Bytes 12-63 of 64 are uninitialized Memory access of size 64 starts at ffff88807ac5fce8 Data copied to user address 0000000020000080 Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Cc: Karsten Keil <isdn@linux-pingi.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-08-16T19:26:24+00:00 Kees Cook keescook@chromium.org 2018-08-15T19:14:05+00:00 urn:sha1:5e22002aa8809e2efab2da95855f73f63e14a36c It was possible to directly leak the kernel address where the isdn_dev structure pointer was stored. This is a kernel ASLR bypass for anyone with access to the ioctl. The code had been present since the beginning of git history, though this shouldn't ever be needed for normal operation, therefore remove it. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Cc: Karsten Keil <isdn@linux-pingi.de> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-07-27T04:23:47+00:00 Jia-Ju Bai baijiaju1990@gmail.com 2018-07-27T02:48:28+00:00 urn:sha1:055d624facda577d3168951a1d6e2519e4fc30f7 hisax_cs_new() and hisax_cs_setup() are never called in atomic context. They call kmalloc() and kzalloc() with GFP_ATOMIC, which is not necessary. GFP_ATOMIC can be replaced with GFP_KERNEL. This is found by a static analysis tool named DCNS written by myself. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-07-27T04:23:16+00:00 Jia-Ju Bai baijiaju1990@gmail.com 2018-07-27T02:45:30+00:00 urn:sha1:87935aa776caae9c8346797271d19fa710b65a6a init_PStack() is never called in atomic context. It calls kmalloc() with GFP_ATOMIC, which is not necessary. GFP_ATOMIC can be replaced with GFP_KERNEL. This is found by a static analysis tool named DCNS written by myself. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-07-27T04:21:23+00:00 Jia-Ju Bai baijiaju1990@gmail.com 2018-07-27T02:41:09+00:00 urn:sha1:9d8009dee92cc97f866403da1b306e6e29fc12cc nj_probe() is never called in atomic context. It calls kzalloc() with GFP_ATOMIC, which is not necessary. GFP_ATOMIC can be replaced with GFP_KERNEL. This is found by a static analysis tool named DCNS written by myself. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-07-27T04:20:52+00:00 Jia-Ju Bai baijiaju1990@gmail.com 2018-07-27T02:39:06+00:00 urn:sha1:8c957d66d2edb3293ff6a45d660bdaec45f7a5d0 hfc_probe() is never called in atomic context. It calls kzalloc() with GFP_ATOMIC, which is not necessary. GFP_ATOMIC can be replaced with GFP_KERNEL. This is found by a static analysis tool named DCNS written by myself. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-07-08T02:00:50+00:00 Randy Dunlap rdunlap@infradead.org 2018-07-07T15:31:15+00:00 urn:sha1:20fbdc35723f0b3e1a0d2948960244f9721d1646 Fix build warnings in drivers/isdn/capi/ when CONFIG_PROC_FS is not enabled by marking the unused functions as __maybe_unused. ../drivers/isdn/capi/capi.c:1324:12: warning: 'capi20_proc_show' defined but not used [-Wunused-function] ../drivers/isdn/capi/capi.c:1347:12: warning: 'capi20ncci_proc_show' defined but not used [-Wunused-function] ../drivers/isdn/capi/capidrv.c:2454:12: warning: 'capidrv_proc_show' defined but not used [-Wunused-function] Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Cc: Karsten Keil <isdn@linux-pingi.de> Cc: isdn4linux@listserv.isdn4linux.de (subscribers-only) Cc: netdev@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net> 2018-07-04T13:17:32+00:00 Gustavo A. R. Silva gustavo@embeddedor.com 2018-07-03T21:17:31+00:00 urn:sha1:d287c5024361554d746e918b20d69a37f1b6bd79 In preparation to enabling -Wimplicit-fallthrough, mark switch cases where we are expecting to fall through. Warning level 2 was used: -Wimplicit-fallthrough=2 Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-07-03T01:29:26+00:00 David S. Miller davem@davemloft.net 2018-07-03T01:26:50+00:00 urn:sha1:5cd3da4ba2397ef07226ca2aa5094ed21ff8198f Simple overlapping changes in stmmac driver. Adjust skb_gro_flush_final_remcsum function signature to make GRO list changes in net-next, as per Stephen Rothwell's example merge resolution. Signed-off-by: David S. Miller <davem@davemloft.net> 2018-07-02T13:41:58+00:00 Guenter Roeck linux@roeck-us.net 2018-07-01T20:57:38+00:00 urn:sha1:414372f633e378b3ef7443ce0f0370a6a4e5808b gcc 8.1.0 complains: drivers/isdn/i4l/isdn_tty.c: In function 'isdn_tty_suspend.isra.1': drivers/isdn/i4l/isdn_tty.c:790:3: warning: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length drivers/isdn/i4l/isdn_tty.c:778:6: note: length computed here drivers/isdn/i4l/isdn_tty.c: In function 'isdn_tty_resume': drivers/isdn/i4l/isdn_tty.c:880:3: warning: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length drivers/isdn/i4l/isdn_tty.c:817:6: note: length computed here Using strncpy() is indeed less than perfect since the length of data to be copied has already been determined with strlen(). Replace strncpy() with memcpy() to address the warning and optimize the code a little. Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: David S. Miller <davem@davemloft.net>