linux-samsung-espresso3g: backport fixes for CVE-2021-39685 (MR 2763)

[ci:skip-build] Already built on CI in MR
This commit is contained in:
Mighty 2021-12-17 12:40:33 +05:30 committed by Alexey Min
parent 83d8199ee8
commit 8c3abf9a1d
No known key found for this signature in database
GPG key ID: 0B19D2A65870B448
3 changed files with 162 additions and 1 deletions

View file

@ -0,0 +1,47 @@
From 6eea4ace62fa6414432692ee44f0c0a3d541d97a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 9 Dec 2021 19:02:15 +0100
Subject: USB: gadget: zero allocate endpoint 0 buffers
commit 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 upstream.
Under some conditions, USB gadget devices can show allocated buffer
contents to a host. Fix this up by zero-allocating them so that any
extra data will all just be zeros.
Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Tested-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/composite.c | 2 +-
drivers/usb/gadget/legacy/dbgp.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 1ef7922b57b62..284eea9f6e4d8 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -2221,7 +2221,7 @@ int composite_dev_prepare(struct usb_composite_driver *composite,
if (!cdev->req)
return -ENOMEM;
- cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
+ cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
if (!cdev->req->buf)
goto fail;
diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
index e567afcb2794c..355bc7dab9d5f 100644
--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
@@ -137,7 +137,7 @@ static int dbgp_enable_ep_req(struct usb_ep *ep)
goto fail_1;
}
- req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL);
+ req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL);
if (!req->buf) {
err = -ENOMEM;
stp = 2;
--
cgit 1.2.3-1.el7

View file

@ -0,0 +1,110 @@
From 36dfdf11af49d3c009c711fb16f5c6e7a274505d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 9 Dec 2021 18:59:27 +0100
Subject: USB: gadget: detect too-big endpoint 0 requests
commit 153a2d7e3350cc89d406ba2d35be8793a64c2038 upstream.
Sometimes USB hosts can ask for buffers that are too large from endpoint
0, which should not be allowed. If this happens for OUT requests, stall
the endpoint, but for IN requests, trim the request size to the endpoint
buffer size.
Co-developed-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/composite.c | 12 ++++++++++++
drivers/usb/gadget/legacy/dbgp.c | 13 +++++++++++++
drivers/usb/gadget/legacy/inode.c | 16 +++++++++++++++-
3 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 504c1cbc255d1..1ef7922b57b62 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1679,6 +1679,18 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
struct usb_function *f = NULL;
u8 endp;
+ if (w_length > USB_COMP_EP0_BUFSIZ) {
+ if (ctrl->bRequestType == USB_DIR_OUT) {
+ goto done;
+ } else {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
+ w_length = USB_COMP_EP0_BUFSIZ;
+ }
+ }
+
/* partial re-init of the response message; the function or the
* gadget might need to intercept e.g. a control-OUT completion
* when we delegate to it.
diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
index e1d566c9918ae..e567afcb2794c 100644
--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
@@ -345,6 +345,19 @@ static int dbgp_setup(struct usb_gadget *gadget,
void *data = NULL;
u16 len = 0;
+ if (length > DBGP_REQ_LEN) {
+ if (ctrl->bRequestType == USB_DIR_OUT) {
+ return err;
+ } else {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(DBGP_REQ_LEN);
+ length = DBGP_REQ_LEN;
+ }
+ }
+
+
if (request == USB_REQ_GET_DESCRIPTOR) {
switch (value>>8) {
case USB_DT_DEVICE:
diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index 539220d7f5b62..0a4041552ed19 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -110,6 +110,8 @@ enum ep0_state {
/* enough for the whole queue: most events invalidate others */
#define N_EVENT 5
+#define RBUF_SIZE 256
+
struct dev_data {
spinlock_t lock;
refcount_t count;
@@ -144,7 +146,7 @@ struct dev_data {
struct dentry *dentry;
/* except this scratch i/o buffer for ep0 */
- u8 rbuf [256];
+ u8 rbuf[RBUF_SIZE];
};
static inline void get_dev (struct dev_data *data)
@@ -1334,6 +1336,18 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
u16 w_value = le16_to_cpu(ctrl->wValue);
u16 w_length = le16_to_cpu(ctrl->wLength);
+ if (w_length > RBUF_SIZE) {
+ if (ctrl->bRequestType == USB_DIR_OUT) {
+ return value;
+ } else {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(RBUF_SIZE);
+ w_length = RBUF_SIZE;
+ }
+ }
+
spin_lock (&dev->lock);
dev->setup_abort = 0;
if (dev->state == STATE_DEV_UNCONNECTED) {
--
cgit 1.2.3-1.el7

View file

@ -2,7 +2,7 @@
# Co-Maintainer: Antoni Aloy <aaloytorrens@gmail.com> # Co-Maintainer: Antoni Aloy <aaloytorrens@gmail.com>
pkgname=linux-samsung-espresso3g pkgname=linux-samsung-espresso3g
pkgver=5.15.2 pkgver=5.15.2
pkgrel=0 pkgrel=1
pkgdesc="Samsung Galaxy Tab 2 (7.0 inch) mainline kernel" pkgdesc="Samsung Galaxy Tab 2 (7.0 inch) mainline kernel"
arch="armv7" arch="armv7"
_carch="arm" _carch="arm"
@ -21,6 +21,8 @@ _config="config-$_flavor.$arch"
source=" source="
$pkgname-$_commit.tar.gz::https://github.com/tmlind/linux_openpvrsgx/archive/$_commit.tar.gz $pkgname-$_commit.tar.gz::https://github.com/tmlind/linux_openpvrsgx/archive/$_commit.tar.gz
00-add-espresso-dts.patch 00-add-espresso-dts.patch
02-CVE-2021-39685-USB-gadget-detect-too-big-endpoint-0-requests.patch
03-CVE-2021-39685-USB-gadget-zero-allocate-endpoint-0-buffers.patch
$_config $_config
" "
builddir="$srcdir/linux_openpvrsgx-$_commit" builddir="$srcdir/linux_openpvrsgx-$_commit"
@ -52,5 +54,7 @@ package() {
sha512sums=" sha512sums="
c1f1372afc303cabb55210c7c46a694eff3bc0d7871efee7a690488b782b0c2cb48dbccc43b454a7cf96cfea796397f621d338e791172a8d1f62b26b2e1d54cb linux-samsung-espresso3g-6ba3430a6fad45bf35f2634809e4f3a12f85cb89.tar.gz c1f1372afc303cabb55210c7c46a694eff3bc0d7871efee7a690488b782b0c2cb48dbccc43b454a7cf96cfea796397f621d338e791172a8d1f62b26b2e1d54cb linux-samsung-espresso3g-6ba3430a6fad45bf35f2634809e4f3a12f85cb89.tar.gz
c914516703fdb42f3b33ee3f449222a81c06b3c9a3dd4f9a24ad55a9b32cf0828bf557897157296a9e5edbe92a898cdd42d147b196162750010e1d087f80ab39 00-add-espresso-dts.patch c914516703fdb42f3b33ee3f449222a81c06b3c9a3dd4f9a24ad55a9b32cf0828bf557897157296a9e5edbe92a898cdd42d147b196162750010e1d087f80ab39 00-add-espresso-dts.patch
c83480686caa35c51bce654104082e51d2569850bbbdcdb8479fb756ffb7907aefce685b2cfa748bbed0da7b585be83a08d194d0ff315a070a5b5a07c8dbc1d2 02-CVE-2021-39685-USB-gadget-detect-too-big-endpoint-0-requests.patch
7b76e82bca21c9746bb37df2e840b43a0628a8a00b45ee43dd38ce742d7b99e30faf4bd11c99f1a20299b486885cbb9f62502400544a6a7e319292b97331581d 03-CVE-2021-39685-USB-gadget-zero-allocate-endpoint-0-buffers.patch
4afcca55621a626cfc37fc571af916e794b201417897ba19d5d9394e7b843b14f6095033a4a4b4f9c2e15bce27e687930d5dfed27253e64bf2a4c78ebbe637c8 config-samsung-espresso3g.armv7 4afcca55621a626cfc37fc571af916e794b201417897ba19d5d9394e7b843b14f6095033a4a4b4f9c2e15bce27e687930d5dfed27253e64bf2a4c78ebbe637c8 config-samsung-espresso3g.armv7
" "