diff options
Diffstat (limited to 'debian/patches/bugfix')
3 files changed, 179 insertions, 71 deletions
diff --git a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch index 7f5da028c5..ef0201ec34 100644 --- a/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch +++ b/debian/patches/bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch @@ -1279,22 +1279,6 @@ upstream submission. at76_dbg(DBG_FW, "got it."); fwh = (struct at76_fw_header *)(fwe->fw->data); ---- a/drivers/net/wireless/atmel/atmel.c -+++ b/drivers/net/wireless/atmel/atmel.c -@@ -3820,12 +3820,8 @@ static int reset_atmel_card(struct net_d - strcpy(priv->firmware_id, "atmel_at76c502.bin"); - } - err = request_firmware(&fw_entry, priv->firmware_id, priv->sys_dev); -- if (err != 0) { -- printk(KERN_ALERT -- "%s: firmware %s is missing, cannot continue.\n", -- dev->name, priv->firmware_id); -+ if (err != 0) - return err; -- } - } else { - int fw_index = 0; - int success = 0; --- a/drivers/net/wireless/broadcom/b43/main.c +++ b/drivers/net/wireless/broadcom/b43/main.c @@ -2245,19 +2245,8 @@ int b43_do_request_fw(struct b43_request @@ -1408,50 +1392,6 @@ upstream submission. if (cfg->ucode_api_min == cfg->ucode_api_max) { IWL_ERR(drv, "%s-%d is required\n", fw_name_pre, cfg->ucode_api_max); ---- a/drivers/net/wireless/intersil/orinoco/fw.c -+++ b/drivers/net/wireless/intersil/orinoco/fw.c -@@ -132,7 +132,6 @@ orinoco_dl_firmware(struct orinoco_priva - err = request_firmware(&fw_entry, firmware, priv->dev); - - if (err) { -- dev_err(dev, "Cannot find firmware %s\n", firmware); - err = -ENOENT; - goto free; - } -@@ -292,10 +291,8 @@ symbol_dl_firmware(struct orinoco_privat - const struct firmware *fw_entry; - - if (!orinoco_cached_fw_get(priv, true)) { -- if (request_firmware(&fw_entry, fw->pri_fw, priv->dev) != 0) { -- dev_err(dev, "Cannot find firmware: %s\n", fw->pri_fw); -+ if (request_firmware(&fw_entry, fw->pri_fw, priv->dev) != 0) - return -ENOENT; -- } - } else - fw_entry = orinoco_cached_fw_get(priv, true); - -@@ -311,10 +308,8 @@ symbol_dl_firmware(struct orinoco_privat - } - - if (!orinoco_cached_fw_get(priv, false)) { -- if (request_firmware(&fw_entry, fw->sta_fw, priv->dev) != 0) { -- dev_err(dev, "Cannot find firmware: %s\n", fw->sta_fw); -+ if (request_firmware(&fw_entry, fw->sta_fw, priv->dev) != 0) - return -ENOENT; -- } - } else - fw_entry = orinoco_cached_fw_get(priv, false); - ---- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c -+++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c -@@ -1708,7 +1708,6 @@ static int ezusb_probe(struct usb_interf - if (ezusb_firmware_download(upriv, &firmware) < 0) - goto error; - } else { -- err("No firmware to download"); - goto error; - } - --- a/drivers/net/wireless/intersil/p54/p54pci.c +++ b/drivers/net/wireless/intersil/p54/p54pci.c @@ -502,7 +502,6 @@ static void p54p_firmware_step2(const st @@ -1637,17 +1577,6 @@ upstream submission. if (fw->size % 4) { wl1271_error("firmware size is not multiple of 32 bits: %zu", ---- a/drivers/net/wireless/zydas/zd1201.c -+++ b/drivers/net/wireless/zydas/zd1201.c -@@ -62,8 +62,6 @@ static int zd1201_fw_upload(struct usb_d - - err = request_firmware(&fw_entry, fwfile, &dev->dev); - if (err) { -- dev_err(&dev->dev, "Failed to load %s firmware file!\n", fwfile); -- dev_err(&dev->dev, "Make sure the hotplug firmware loader is installed.\n"); - dev_err(&dev->dev, "Goto http://linux-lc100020.sourceforge.net for more info.\n"); - return err; - } --- a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c +++ b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c @@ -107,16 +107,9 @@ static void int_urb_complete(struct urb diff --git a/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch b/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch new file mode 100644 index 0000000000..b21318ecce --- /dev/null +++ b/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch @@ -0,0 +1,141 @@ +From: Paolo Abeni <pabeni@redhat.com> +Date: Tue, 30 Apr 2024 15:53:37 +0200 +Subject: tipc: fix UAF in error path +Origin: https://git.kernel.org/linus/080cbb890286cd794f1ee788bbc5463e2deb7c2b + +Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported +a UAF in the tipc_buf_append() error path: + +BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0 +linux/net/core/skbuff.c:1183 +Read of size 8 at addr ffff88804d2a7c80 by task poc/8034 + +CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.16.0-debian-1.16.0-5 04/01/2014 +Call Trace: + <IRQ> + __dump_stack linux/lib/dump_stack.c:88 + dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106 + print_address_description linux/mm/kasan/report.c:377 + print_report+0xc4/0x620 linux/mm/kasan/report.c:488 + kasan_report+0xda/0x110 linux/mm/kasan/report.c:601 + kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183 + skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026 + skb_release_all linux/net/core/skbuff.c:1094 + __kfree_skb linux/net/core/skbuff.c:1108 + kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144 + kfree_skb linux/./include/linux/skbuff.h:1244 + tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186 + tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324 + tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824 + tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159 + tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390 + udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108 + udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186 + udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346 + __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422 + ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233 + NF_HOOK linux/./include/linux/netfilter.h:314 + NF_HOOK linux/./include/linux/netfilter.h:308 + ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254 + dst_input linux/./include/net/dst.h:461 + ip_rcv_finish linux/net/ipv4/ip_input.c:449 + NF_HOOK linux/./include/linux/netfilter.h:314 + NF_HOOK linux/./include/linux/netfilter.h:308 + ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569 + __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534 + __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648 + process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976 + __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576 + napi_poll linux/net/core/dev.c:6645 + net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781 + __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553 + do_softirq linux/kernel/softirq.c:454 + do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441 + </IRQ> + <TASK> + __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381 + local_bh_enable linux/./include/linux/bottom_half.h:33 + rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851 + __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378 + dev_queue_xmit linux/./include/linux/netdevice.h:3169 + neigh_hh_output linux/./include/net/neighbour.h:526 + neigh_output linux/./include/net/neighbour.h:540 + ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235 + __ip_finish_output linux/net/ipv4/ip_output.c:313 + __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295 + ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323 + NF_HOOK_COND linux/./include/linux/netfilter.h:303 + ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433 + dst_output linux/./include/net/dst.h:451 + ip_local_out linux/net/ipv4/ip_output.c:129 + ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492 + udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963 + udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250 + inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850 + sock_sendmsg_nosec linux/net/socket.c:730 + __sock_sendmsg linux/net/socket.c:745 + __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191 + __do_sys_sendto linux/net/socket.c:2203 + __se_sys_sendto linux/net/socket.c:2199 + __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199 + do_syscall_x64 linux/arch/x86/entry/common.c:52 + do_syscall_64+0xd8/0x270 linux/arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 linux/arch/x86/entry/entry_64.S:120 +RIP: 0033:0x7f3434974f29 +Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48 +RSP: 002b:00007fff9154f2b8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3434974f29 +RDX: 00000000000032c8 RSI: 00007fff9154f300 RDI: 0000000000000003 +RBP: 00007fff915532e0 R08: 00007fff91553360 R09: 0000000000000010 +R10: 0000000000000000 R11: 0000000000000212 R12: 000055ed86d261d0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + </TASK> + +In the critical scenario, either the relevant skb is freed or its +ownership is transferred into a frag_lists. In both cases, the cleanup +code must not free it again: we need to clear the skb reference earlier. + +Fixes: 1149557d64c9 ("tipc: eliminate unnecessary linearization of incoming buffers") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23852 +Acked-by: Xin Long <lucien.xin@gmail.com> +Signed-off-by: Paolo Abeni <pabeni@redhat.com> +Reviewed-by: Eric Dumazet <edumazet@google.com> +Link: https://lore.kernel.org/r/752f1ccf762223d109845365d07f55414058e5a3.1714484273.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +--- + net/tipc/msg.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/msg.c b/net/tipc/msg.c +index 5c9fd4791c4b..9a6e9bcbf694 100644 +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -156,6 +156,11 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + if (!head) + goto err; + ++ /* Either the input skb ownership is transferred to headskb ++ * or the input skb is freed, clear the reference to avoid ++ * bad access on error path. ++ */ ++ *buf = NULL; + if (skb_try_coalesce(head, frag, &headstolen, &delta)) { + kfree_skb_partial(frag, headstolen); + } else { +@@ -179,7 +184,6 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + *headbuf = NULL; + return 1; + } +- *buf = NULL; + return 0; + err: + kfree_skb(*buf); +-- +2.43.0 + diff --git a/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch b/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch new file mode 100644 index 0000000000..0b0ac04c6e --- /dev/null +++ b/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch @@ -0,0 +1,38 @@ +From: Xin Long <lucien.xin@gmail.com> +Date: Tue, 30 Apr 2024 10:03:38 -0400 +Subject: tipc: fix a possible memleak in tipc_buf_append +Origin: https://git.kernel.org/linus/97bf6f81b29a8efaf5d0983251a7450e5794370d + +__skb_linearize() doesn't free the skb when it fails, so move +'*buf = NULL' after __skb_linearize(), so that the skb can be +freed on the err path. + +Fixes: b7df21cf1b79 ("tipc: skb_linearize the head skb when reassembling msgs") +Reported-by: Paolo Abeni <pabeni@redhat.com> +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Reviewed-by: Simon Horman <horms@kernel.org> +Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au> +Link: https://lore.kernel.org/r/90710748c29a1521efac4f75ea01b3b7e61414cf.1714485818.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +--- + net/tipc/msg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/msg.c b/net/tipc/msg.c +index 9a6e9bcbf694..76284fc538eb 100644 +--- a/net/tipc/msg.c ++++ b/net/tipc/msg.c +@@ -142,9 +142,9 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf) + if (fragid == FIRST_FRAGMENT) { + if (unlikely(head)) + goto err; +- *buf = NULL; + if (skb_has_frag_list(frag) && __skb_linearize(frag)) + goto err; ++ *buf = NULL; + frag = skb_unshare(frag, GFP_ATOMIC); + if (unlikely(!frag)) + goto err; +-- +2.43.0 + |