64d8d22... by Dan Carpenter <email address hidden>
cdrom: information leak in cdrom_ioctl_media_changed()
CVE-2018-10940
This cast is wrong. "cdi->capacity" is an int and "arg" is an unsigned
long. The way the check is written now, if one of the high 32 bits is
set then we could read outside the info->slots[] array.
This bug is pretty old and it predates git.
Reviewed-by: Christoph Hellwig <email address hidden>
Cc: <email address hidden>
Signed-off-by: Dan Carpenter <email address hidden>
Signed-off-by: Jens Axboe <email address hidden>
(cherry-picked from 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707)
Signed-off-by: Khalid Elmously <email address hidden>
Acked-by: Po-Hsu Lin <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
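As an added illustration of the truncation the commit message describes (this is constructed example code, not the driver's own): a bounds check that casts a 64-bit argument down to 32 bits accepts any value whose low 32 bits are below capacity, while a full-width comparison rejects it. Function names and the slot count are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the check described in the commit message:
 * "capacity" is an int and the ioctl argument is an unsigned long, which is
 * 64 bits wide on LP64 kernels. uint64_t is used here so the example behaves
 * the same on 32-bit builds. Names are hypothetical, not the driver's. */

/* Buggy shape: the argument is cast to a 32-bit type before the compare, so
 * only the low 32 bits take part in the bounds check. Returns the index the
 * caller would go on to use (think info->slots[arg]) or -1 for EINVAL. */
static int64_t slot_index_truncated(int capacity, uint64_t arg)
{
    if ((unsigned int)arg >= (unsigned int)capacity)
        return -1;
    return (int64_t)arg;
}

/* Fixed shape: compare at full width. capacity is non-negative, so
 * promoting it to 64-bit unsigned keeps the comparison meaningful. */
static int64_t slot_index_fixed(int capacity, uint64_t arg)
{
    if (arg >= (uint64_t)capacity)
        return -1;
    return (int64_t)arg;
}

/* True when the truncated check accepts an argument that the full-width
 * check rejects, i.e. when the index would land outside capacity entries. */
static bool truncation_escapes_check(int capacity, uint64_t arg)
{
    return slot_index_truncated(capacity, arg) >= 0 &&
           slot_index_fixed(capacity, arg) < 0;
}

int main(void)
{
    const int capacity = 4;                               /* constructed */
    const uint64_t high_bit = ((uint64_t)1 << 32) | 2;    /* low 32 bits == 2 */
    printf("arg=0x%llx truncated=%lld fixed=%lld escapes=%d\n",
           (unsigned long long)high_bit,
           (long long)slot_index_truncated(capacity, high_bit),
           (long long)slot_index_fixed(capacity, high_bit),
           truncation_escapes_check(capacity, high_bit));
    return 0;
}
```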
xfs_attr3_leaf_create may have errored out before instantiating a buffer,
for example if the blkno is out of range. In that case there is no work
to do to remove it, and in fact xfs_da_shrink_inode will lead to an oops
if we try.
This also seems to fix a flaw where the original error from
xfs_attr3_leaf_create gets overwritten in the cleanup case, and it
removes a pointless assignment to bp which isn't used after this.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199969
Reported-by: Xu, Wen <email address hidden>
Tested-by: Xu, Wen <email address hidden>
Signed-off-by: Eric Sandeen <email address hidden>
Reviewed-by: Darrick J. Wong <email address hidden>
Signed-off-by: Darrick J. Wong <email address hidden>
(backported from commit bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a)
Signed-off-by: Po-Hsu Lin <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Acked-by: Aaron Ma <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>
196c443... by Linus Torvalds <email address hidden>
sgid directories have special semantics, making newly created files in
the directory belong to the group of the directory, and newly created
subdirectories will also become sgid. This is historically used for
group-shared directories.
But group directories writable by non-group members should not imply
that such non-group members can magically join the group, so make sure
to clear the sgid bit on non-directories for non-members (but remember
that sgid without group execute means "mandatory locking", just to
confuse things even more).
ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
CVE-2017-16529
When a USB-audio device receives a maliciously adjusted or corrupted
buffer descriptor, the USB-audio driver may access an out-of-bounds
value at its parser. This was detected by syzkaller, something like:
->disconnect() is not called with socket lock held.
Fix this by acquiring ping rwlock earlier.
Thanks to Daniel, Alexander and Andrey for letting us know this problem.
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Signed-off-by: Eric Dumazet <email address hidden>
Reported-by: Daniel Jiang <email address hidden>
Reported-by: Solar Designer <email address hidden>
Reported-by: Andrey Konovalov <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from commit 43a6684519ab0a6c52024b5e25322476cabad893)
Signed-off-by: Paolo Pisati <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Juerg Haefliger <email address hidden>
cac9532... by Willem de Bruijn <email address hidden>
packet: in packet_do_bind, test fanout with bind_lock held
CVE-2017-15649
Once a socket has po->fanout set, it remains a member of the group
until it is destroyed. The prot_hook must be constant and identical
across sockets in the group.
If fanout_add races with packet_do_bind between the test of po->fanout
and taking the lock, the bind call may make type or dev inconsistent
with that of the fanout group.
Hold po->bind_lock when testing po->fanout to avoid this race.
I had to introduce artificial delay (local_bh_enable) to actually
observe the race.
Fixes: dc99f600698d ("packet: Add fanout support.")
Signed-off-by: Willem de Bruijn <email address hidden>
Reviewed-by: Eric Dumazet <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(backported from commit 4971613c1639d8e5f102c4e797c3bf8f83a5a69e)
Signed-off-by: Paolo Pisati <email address hidden>
Acked-by: Stefan Bader <email address hidden>
[juergh: Unlock the spinlock and release the socket before erroring out
rather than jumping to out_unlock (which returns with 0).]
Signed-off-by: Juerg Haefliger <email address hidden>
92b858d... by Willem de Bruijn <email address hidden>
packet: hold bind lock when rebinding to fanout hook
CVE-2017-15649
Packet socket bind operations must hold the po->bind_lock. This keeps
po->running consistent with whether the socket is actually on a ptype
list to receive packets.
fanout_add unbinds a socket and its packet_rcv/tpacket_rcv call, then
binds the fanout object to receive through packet_rcv_fanout.
Make it hold the po->bind_lock when testing po->running and rebinding.
Else, it can race with other rebind operations, such as that in
packet_set_ring from packet_rcv to tpacket_rcv. Concurrent updates
can result in a socket being added to a fanout group twice, causing
use-after-free KASAN bug reports, among others.
Reported independently by both trinity and syzkaller.
Verified that the syzkaller reproducer passes after this patch.
Fixes: dc99f600698d ("packet: Add fanout support.")
Reported-by: nixioaming <email address hidden>
Signed-off-by: Willem de Bruijn <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(backported from commit 008ba2a13f2d04c947adc536d19debb8fe66f110)
Signed-off-by: Paolo Pisati <email address hidden>
Acked-by: Stefan Bader <email address hidden>
[juergh: Use atomic_read() instead of refcount_read().]
Signed-off-by: Juerg Haefliger <email address hidden>
USB-audio driver may leave a stray URB for the mixer interrupt when it
exits by some error during probe. This leads to a use-after-free
error as spotted by syzkaller like:
==================================================================
BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x395 lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351
kasan_report+0x23d/0x350 mm/kasan/report.c:409
__asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
__usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
....
Actually such a URB is killed properly at disconnection when the
device gets probed successfully, and what we need is to apply it for
the error-path, too.
In this patch, we apply snd_usb_mixer_disconnect() at releasing.
Also introduce a new flag, disconnected, to struct usb_mixer_interface
for not performing the disconnection procedure twice.
ca6e217... by Andrey Konovalov <email address hidden>
uwb: properly check kthread_run return value
CVE-2017-16526
uwbd_start() calls kthread_run() and checks that the return value is
not NULL. But the return value is not NULL in case kthread_run() fails;
it takes the form of ERR_PTR(-EINTR).
Use IS_ERR() instead.
Also add a check to uwbd_stop().
Signed-off-by: Andrey Konovalov <email address hidden>
Cc: stable <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
(cherry picked from commit bbf26183b7a6236ba602f4d6a2f7cade35bba043)
Signed-off-by: Paolo Pisati <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Juerg Haefliger <email address hidden>