linux-samsung-espresso3g: backport fixes for CVE-2021-39685 (MR 2763)

[ci:skip-build] Already built on CI in MR
2021-12-17 12:40:33 +05:30 · 2021-12-17 12:40:33 +05:30 · 8c3abf9a1d
commit 8c3abf9a1d
parent 83d8199ee8
3 changed files with 162 additions and 1 deletions
--- a/device/community/linux-samsung-espresso3g/02-CVE-2021-39685-USB-gadget-detect-too-big-endpoint-0-requests.patch
+++ b/device/community/linux-samsung-espresso3g/02-CVE-2021-39685-USB-gadget-detect-too-big-endpoint-0-requests.patch
@ -0,0 +1,47 @@
+From 6eea4ace62fa6414432692ee44f0c0a3d541d97a Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 9 Dec 2021 19:02:15 +0100
+Subject: USB: gadget: zero allocate endpoint 0 buffers
+
+commit 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 upstream.
+
+Under some conditions, USB gadget devices can show allocated buffer
+contents to a host.  Fix this up by zero-allocating them so that any
+extra data will all just be zeros.
+
+Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Tested-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c   | 2 +-
+ drivers/usb/gadget/legacy/dbgp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index 1ef7922b57b62..284eea9f6e4d8 100644
+--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
+@@ -2221,7 +2221,7 @@ int composite_dev_prepare(struct usb_composite_driver *composite,
+ 	if (!cdev->req)
+ 		return -ENOMEM;
+
+-	cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
+	cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
+ 	if (!cdev->req->buf)
+ 		goto fail;
+
+diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
+index e567afcb2794c..355bc7dab9d5f 100644
+--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -137,7 +137,7 @@ static int dbgp_enable_ep_req(struct usb_ep *ep)
+ 		goto fail_1;
+ 	}
+
+-	req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL);
+	req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL);
+ 	if (!req->buf) {
+ 		err = -ENOMEM;
+ 		stp = 2;
+--
+cgit 1.2.3-1.el7
--- a/device/community/linux-samsung-espresso3g/03-CVE-2021-39685-USB-gadget-zero-allocate-endpoint-0-buffers.patch
+++ b/device/community/linux-samsung-espresso3g/03-CVE-2021-39685-USB-gadget-zero-allocate-endpoint-0-buffers.patch
@ -0,0 +1,110 @@
+From 36dfdf11af49d3c009c711fb16f5c6e7a274505d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 9 Dec 2021 18:59:27 +0100
+Subject: USB: gadget: detect too-big endpoint 0 requests
+
+commit 153a2d7e3350cc89d406ba2d35be8793a64c2038 upstream.
+
+Sometimes USB hosts can ask for buffers that are too large from endpoint
+0, which should not be allowed.  If this happens for OUT requests, stall
+the endpoint, but for IN requests, trim the request size to the endpoint
+buffer size.
+
+Co-developed-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c    | 12 ++++++++++++
+ drivers/usb/gadget/legacy/dbgp.c  | 13 +++++++++++++
+ drivers/usb/gadget/legacy/inode.c | 16 +++++++++++++++-
+ 3 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index 504c1cbc255d1..1ef7922b57b62 100644
+--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
+@@ -1679,6 +1679,18 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+ 	struct usb_function		*f = NULL;
+ 	u8				endp;
+
+	if (w_length > USB_COMP_EP0_BUFSIZ) {
+		if (ctrl->bRequestType == USB_DIR_OUT) {
+			goto done;
+		} else {
+			/* Cast away the const, we are going to overwrite on purpose. */
+			__le16 *temp = (__le16 *)&ctrl->wLength;
+
+			*temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
+			w_length = USB_COMP_EP0_BUFSIZ;
+		}
+	}
+
+ 	/* partial re-init of the response message; the function or the
+ 	 * gadget might need to intercept e.g. a control-OUT completion
+ 	 * when we delegate to it.
+diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
+index e1d566c9918ae..e567afcb2794c 100644
+--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -345,6 +345,19 @@ static int dbgp_setup(struct usb_gadget *gadget,
+ 	void *data = NULL;
+ 	u16 len = 0;
+
+	if (length > DBGP_REQ_LEN) {
+		if (ctrl->bRequestType == USB_DIR_OUT) {
+			return err;
+		} else {
+			/* Cast away the const, we are going to overwrite on purpose. */
+			__le16 *temp = (__le16 *)&ctrl->wLength;
+
+			*temp = cpu_to_le16(DBGP_REQ_LEN);
+			length = DBGP_REQ_LEN;
+		}
+	}
+
+
+ 	if (request == USB_REQ_GET_DESCRIPTOR) {
+ 		switch (value>>8) {
+ 		case USB_DT_DEVICE:
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index 539220d7f5b62..0a4041552ed19 100644
+--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
+@@ -110,6 +110,8 @@ enum ep0_state {
+ /* enough for the whole queue: most events invalidate others */
+ #define	N_EVENT			5
+
+#define RBUF_SIZE		256
+
+ struct dev_data {
+ 	spinlock_t			lock;
+ 	refcount_t			count;
+@@ -144,7 +146,7 @@ struct dev_data {
+ 	struct dentry			*dentry;
+
+ 	/* except this scratch i/o buffer for ep0 */
+-	u8				rbuf [256];
+	u8				rbuf[RBUF_SIZE];
+ };
+
+ static inline void get_dev (struct dev_data *data)
+@@ -1334,6 +1336,18 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+ 	u16				w_value = le16_to_cpu(ctrl->wValue);
+ 	u16				w_length = le16_to_cpu(ctrl->wLength);
+
+	if (w_length > RBUF_SIZE) {
+		if (ctrl->bRequestType == USB_DIR_OUT) {
+			return value;
+		} else {
+			/* Cast away the const, we are going to overwrite on purpose. */
+			__le16 *temp = (__le16 *)&ctrl->wLength;
+
+			*temp = cpu_to_le16(RBUF_SIZE);
+			w_length = RBUF_SIZE;
+		}
+	}
+
+ 	spin_lock (&dev->lock);
+ 	dev->setup_abort = 0;
+ 	if (dev->state == STATE_DEV_UNCONNECTED) {
+--
+cgit 1.2.3-1.el7
--- a/device/community/linux-samsung-espresso3g/APKBUILD
+++ b/device/community/linux-samsung-espresso3g/APKBUILD
@ -2,7 +2,7 @@
 # Co-Maintainer: Antoni Aloy <aaloytorrens@gmail.com>
 pkgname=linux-samsung-espresso3g
 pkgver=5.15.2
-pkgrel=0
+pkgrel=1
 pkgdesc="Samsung Galaxy Tab 2 (7.0 inch) mainline kernel"
 arch="armv7"
 _carch="arm"
@ -21,6 +21,8 @@ _config="config-$_flavor.$arch"
 source="
 	$pkgname-$_commit.tar.gz::https://github.com/tmlind/linux_openpvrsgx/archive/$_commit.tar.gz
 	00-add-espresso-dts.patch
+	02-CVE-2021-39685-USB-gadget-detect-too-big-endpoint-0-requests.patch
+	03-CVE-2021-39685-USB-gadget-zero-allocate-endpoint-0-buffers.patch
 	$_config
 "
 builddir="$srcdir/linux_openpvrsgx-$_commit"
@ -52,5 +54,7 @@ package() {
 sha512sums="
 c1f1372afc303cabb55210c7c46a694eff3bc0d7871efee7a690488b782b0c2cb48dbccc43b454a7cf96cfea796397f621d338e791172a8d1f62b26b2e1d54cb  linux-samsung-espresso3g-6ba3430a6fad45bf35f2634809e4f3a12f85cb89.tar.gz
 c914516703fdb42f3b33ee3f449222a81c06b3c9a3dd4f9a24ad55a9b32cf0828bf557897157296a9e5edbe92a898cdd42d147b196162750010e1d087f80ab39  00-add-espresso-dts.patch
+c83480686caa35c51bce654104082e51d2569850bbbdcdb8479fb756ffb7907aefce685b2cfa748bbed0da7b585be83a08d194d0ff315a070a5b5a07c8dbc1d2  02-CVE-2021-39685-USB-gadget-detect-too-big-endpoint-0-requests.patch
+7b76e82bca21c9746bb37df2e840b43a0628a8a00b45ee43dd38ce742d7b99e30faf4bd11c99f1a20299b486885cbb9f62502400544a6a7e319292b97331581d  03-CVE-2021-39685-USB-gadget-zero-allocate-endpoint-0-buffers.patch
 4afcca55621a626cfc37fc571af916e794b201417897ba19d5d9394e7b843b14f6095033a4a4b4f9c2e15bce27e687930d5dfed27253e64bf2a4c78ebbe637c8  config-samsung-espresso3g.armv7
 "