Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.4.26 2020-01-23T07:22:35+00:00 2020-01-23T07:22:35+00:00 Dan Carpenter dan.carpenter@oracle.com 2020-01-14T12:34:14+00:00 urn:sha1:b307a5e97483d72c4a18cc8755d362d88b50c6d1 commit 28d76df18f0ad5bcf5fa48510b225f0ed262a99b upstream. Tom Hatskevich reported that we look up "iocp" then, in the called functions we do a second copy_from_user() and look it up again. The problem that could cause is: drivers/message/fusion/mptctl.c 674 /* All of these commands require an interrupt or 675 * are unknown/illegal. 676 */ 677 if ((ret = mptctl_syscall_down(iocp, nonblock)) != 0) ^^^^ We take this lock. 678 return ret; 679 680 if (cmd == MPTFWDOWNLOAD) 681 ret = mptctl_fw_download(arg); ^^^ Then the user memory changes and we look up "iocp" again but a different one so now we are holding the incorrect lock and have a race condition. 682 else if (cmd == MPTCOMMAND) 683 ret = mptctl_mpt_command(arg); The security impact of this bug is not as bad as it could have been because these operations are all privileged and root already has enormous destructive power. But it's still worth fixing. This patch passes the "iocp" pointer to the functions to avoid the second lookup. That deletes 100 lines of code from the driver so it's a nice clean up as well. Link: https://lore.kernel.org/r/20200114123414.GA7957@kadam Reported-by: Tom Hatskevich <tom2001tom.23@gmail.com> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-03-19T21:17:08+00:00 Colin Ian King colin.king@canonical.com 2019-02-07T12:44:07+00:00 urn:sha1:244830a0dcca133f452cdf8926b93ace912f83f4 There are several statements and code blocks there are incorrectly indented. Fix these. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2018-07-31T03:17:53+00:00 Dominique Martinet asmadeus@codewreck.org 2018-07-13T01:25:37+00:00 urn:sha1:7bd1d615a57f3356f41b0079a3fb9ee77ae00a82 Generated by scripts/coccinelle/misc/strncpy_truncation.cocci Signed-off-by: Dominique Martinet <asmadeus@codewreck.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2018-01-31T02:32:06+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-01-25T14:27:27+00:00 urn:sha1:a7043e9529f3c367cc4d82997e00be034cbe57ca My static checker complains about an out of bounds read: drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo() error: buffer overflow 'hd->sel_timeout' 255 <= u32max. It's true that we probably should have a bounds check here. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2018-01-17T06:12:20+00:00 Andy Shevchenko andriy.shevchenko@linux.intel.com 2018-01-15T17:05:58+00:00 urn:sha1:332b4b2a6f380e07ccdd72da7f42f11f6b333784 Numbers up to 100 snprintf() prints without using a division. Besides that the code looks more readable. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2016-12-24T19:46:01+00:00 Linus Torvalds torvalds@linux-foundation.org 2016-12-24T19:46:01+00:00 urn:sha1:7c0f6ba682b9c7632072ffbedf8d328c8f3c42ba This was entirely automated, using the script by Al: PATT='^[[:blank:]]*#[[:blank:]]*include[[:blank:]]*<asm/uaccess.h>' sed -i -e "s!$PATT!#include <linux/uaccess.h>!" \ $(git grep -l "$PATT"|grep -v ^include/linux/uaccess.h) to do the replacement at the end of the merge window. Requested-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-11-12T01:58:06+00:00 Dan Carpenter dan.carpenter@oracle.com 2015-11-10T22:15:24+00:00 urn:sha1:491212014ec3ab6c477e7368405c5ae028b05ceb There is a static checker warning here because "bytes" is controlled by the user and we cap the upper bound with min() but allow negatives. Negative bytes will result in some nasty warning messages but are not super harmful. Anyway, no one needs negative bytes so let's just check for it and return NULL. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2015-08-26T14:11:45+00:00 Dan Carpenter dan.carpenter@oracle.com 2015-07-03T08:53:03+00:00 urn:sha1:e819cdb198319cccf4af4fc12ac4d796109d8c23 These are signed values the come from the user, we put a cap on the upper bounds but not on the lower bounds. We use "karg.dataSgeOffset" to calculate "sz". We verify "sz" and proceed as if that means that "karg.dataSgeOffset" is correct but this fails to consider that the "sz" calculations can have integer overflows. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: James Bottomley <JBottomley@Odin.com> 2014-09-16T16:09:43+00:00 Rasmus Villemoes linux@rasmusvillemoes.dk 2014-07-01T12:56:20+00:00 urn:sha1:f6e495a2b317fd7f3693d7c9217abfe943cbb3c6 Rounding up to a multiple of 4 should be done using the ALIGN macro. As a bonus, this also makes the generated code smaller. In GetIocFacts(), sz is assigned to a few lines below without being read in the meantime, so it is ok that it doesn't end up with the same value as facts->FWImageSize. Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Reviewed-by: Joe Lawrence <joe.lawrence@stratus.com> Signed-off-by: Christoph Hellwig <hch@lst.de> 2014-07-25T21:16:57+00:00 Joe Lawrence joe.lawrence@stratus.com 2014-06-25T21:06:12+00:00 urn:sha1:3e67c459d0ac945ac09639d85de299e65317aefe Let memdup_user handle the kmalloc, copy_from_user and error checking kfree code. Spotted by the following smatch (false positive) warning: drivers/message/fusion/mptctl.c:1369 mptctl_getiocinfo() warn: possible info leak 'karg' Signed-off-by: Joe Lawrence <joe.lawrence@stratus.com> Acked-by: Sreekanth Reddy <Sreekanth.Reddy@avagotech.com> Signed-off-by: Christoph Hellwig <hch@lst.de>