From 0ef4714dbb2cc38fcf026a2ed04d4d689c6aa191 Mon Sep 17 00:00:00 2001
From: Ali Abdallah
Date: Jan 20 2023 14:56:23 +0000
Subject: Merge branch 'cve/linux-5.3' into SLE15-SP3-LTSS
---
diff --git a/patches.suse/HID-betop-check-shape-of-output-reports.patch b/patches.suse/HID-betop-check-shape-of-output-reports.patch
new file mode 100644
index 0000000..b9cff34
--- /dev/null
+++ b/patches.suse/HID-betop-check-shape-of-output-reports.patch
@@ -0,0 +1,68 @@
+From 3782c0d6edf658b71354a64d60aa7a296188fc90 Mon Sep 17 00:00:00 2001
+From: Pietro Borrello
+Date: Wed, 11 Jan 2023 18:12:16 +0000
+Subject: [PATCH] HID: betop: check shape of output reports
+Git-commit: 3782c0d6edf658b71354a64d60aa7a296188fc90
+Patch-mainline: v6.2-rc5
+References: git-fixes, bsc#1207186
+
+betopff_init() only checks the total sum of the report counts for each
+report field to be at least 4, but hid_betopff_play() expects 4 report
+fields.
+A device advertising an output report with one field and 4 report counts
+would pass the check but crash the kernel with a NULL pointer dereference
+in hid_betopff_play().
+
+Fixes: 52cd7785f3cd ("HID: betop: add drivers/hid/hid-betopff.c")
+Signed-off-by: Pietro Borrello
+Signed-off-by: Jiri Kosina
+Acked-by: Takashi Iwai
+
+---
+ drivers/hid/hid-betopff.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c
+index 467d789f9bc2..25ed7b9a917e 100644
+--- a/drivers/hid/hid-betopff.c
++++ b/drivers/hid/hid-betopff.c
+@@ -60,7 +60,6 @@ static int betopff_init(struct hid_device *hid)
+ struct list_head *report_list =
+ &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev;
+- int field_count = 0;
+ int error;
+ int i, j;
+
+@@ -86,19 +85,21 @@ static int betopff_init(struct hid_device *hid)
+ * -----------------------------------------
+ * Do init them with default value.
+ */
++ if (report->maxfield < 4) {
++ hid_err(hid, "not enough fields in the report: %d\n",
++ report->maxfield);
++ return -ENODEV;
++ }
+ for (i = 0; i < report->maxfield; i++) {
++ if (report->field[i]->report_count < 1) {
++ hid_err(hid, "no values in the field\n");
++ return -ENODEV;
++ }
+ for (j = 0; j < report->field[i]->report_count; j++) {
+ report->field[i]->value[j] = 0x00;
+- field_count++;
+ }
+ }
+
+- if (field_count < 4) {
+- hid_err(hid, "not enough fields in the report: %d\n",
+- field_count);
+- return -ENODEV;
+- }
+-
+ betopff = kzalloc(sizeof(*betopff), GFP_KERNEL);
+ if (!betopff)
+ return -ENOMEM;
+--
+2.35.3
+
diff --git a/patches.suse/HID-check-empty-report_list-in-bigben_probe.patch b/patches.suse/HID-check-empty-report_list-in-bigben_probe.patch
new file mode 100644
index 0000000..644d78f
--- /dev/null
+++ b/patches.suse/HID-check-empty-report_list-in-bigben_probe.patch
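Review bot: The added `hid_err(hid, "no values in the field\n")` inside the per-field loop does not say which field was empty, so a device rejected at probe time is hard to diagnose from the log; `hid_err(hid, "no values in field %d\n", i);` would carry the index. The loop also runs up to `report->maxfield`, so a report with more than four fields is refused when any later field is empty, although the commit message says hid_betopff_play() expects only four fields. If that extra strictness is intended, a one-line comment above the loop should say so. betopff_init() starts and ends outside the hunk.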
@@ -0,0 +1,43 @@
+From c7bf714f875531f227f2ef1fdcc8f4d44e7c7d9d Mon Sep 17 00:00:00 2001
+From: Pietro Borrello
+Date: Mon, 16 Jan 2023 11:11:25 +0000
+Subject: [PATCH] HID: check empty report_list in bigben_probe()
+Git-commit: c7bf714f875531f227f2ef1fdcc8f4d44e7c7d9d
+Patch-mainline: v6.2-rc5
+References: git-fixes, bsc#1206784
+
+Add a check for empty report_list in bigben_probe().
+The missing check causes a type confusion when issuing a list_entry()
+on an empty report_list.
+The problem is caused by the assumption that the device must
+have valid report_list. While this will be true for all normal HID
+devices, a suitably malicious device can violate the assumption.
+
+Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad")
+Signed-off-by: Pietro Borrello
+Signed-off-by: Jiri Kosina
+Acked-by: Takashi Iwai
+
+---
+ drivers/hid/hid-bigbenff.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c
+index e8c5e3ac9fff..e8b16665860d 100644
+--- a/drivers/hid/hid-bigbenff.c
++++ b/drivers/hid/hid-bigbenff.c
+@@ -344,6 +344,11 @@ static int bigben_probe(struct hid_device *hid,
+ }
+
+ report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
++ if (list_empty(report_list)) {
++ hid_err(hid, "no output report found\n");
++ error = -ENODEV;
++ goto error_hw_stop;
++ }
+ bigben->report = list_entry(report_list->next,
+ struct hid_report, list);
+
+--
+2.35.3
+
diff --git a/patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch b/patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch
new file mode 100644
index 0000000..bf9d299
--- /dev/null
+++ b/patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch
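Review bot: The added `list_empty(report_list)` guard only proves that an output report exists; nothing in this hunk checks the shape of the report that `bigben->report` ends up pointing to. If code outside the hunk indexes `bigben->report->field[0]` and its `value[]` array (not visible here), a device-supplied descriptor with no fields or too few values would still need to be rejected at probe time. The betop patch in this same merge does that with `report->maxfield` and `report_count`. A guard such as `if (bigben->report->maxfield < 1)` taking the same `error_hw_stop` path, or a lookup through hid_validate_values(), would cover it. bigben_probe() starts and ends outside the hunk.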
@@ -0,0 +1,42 @@
+From b12fece4c64857e5fab4290bf01b2e0317a88456 Mon Sep 17 00:00:00 2001
+From: Pietro Borrello
+Date: Mon, 16 Jan 2023 11:11:24 +0000
+Subject: [PATCH] HID: check empty report_list in hid_validate_values()
+Git-commit: b12fece4c64857e5fab4290bf01b2e0317a88456
+Patch-mainline: v6.2-rc5
+References: git-fixes, bsc#1206784
+
+Add a check for empty report_list in hid_validate_values().
+The missing check causes a type confusion when issuing a list_entry()
+on an empty report_list.
+The problem is caused by the assumption that the device must
+have valid report_list. While this will be true for all normal HID
+devices, a suitably malicious device can violate the assumption.
+
+Fixes: 1b15d2e5b807 ("HID: core: fix validation of report id 0")
+Signed-off-by: Pietro Borrello
+Signed-off-by: Jiri Kosina
+Acked-by: Takashi Iwai
+
+---
+ drivers/hid/hid-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index bd47628da6be..3e1803592bd4 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -993,8 +993,8 @@ struct hid_report *hid_validate_values(struct hid_device *hid,
+ * Validating on id 0 means we should examine the first
+ * report in the list.
+ */
+- report = list_entry(
+- hid->report_enum[type].report_list.next,
++ report = list_first_entry_or_null(
++ &hid->report_enum[type].report_list,
+ struct hid_report, list);
+ } else {
+ report = hid->report_enum[type].report_id_hash[id];
+--
+2.35.3
+
diff --git a/rpm/check-for-config-changes b/rpm/check-for-config-changes
index fb31586..c0754d3 100755
--- a/rpm/check-for-config-changes
+++ b/rpm/check-for-config-changes
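Review bot: With `list_first_entry_or_null()` the id-0 branch can now leave `report` NULL, and the check that turns that into an error return is not part of this hunk. The fix is complete only if a `!report` test follows the if/else, which presumably exists because the `report_id_hash[id]` branch can also yield NULL. Extending the existing comment would make that dependency explicit, for example `* An empty list yields NULL, which the !report check below rejects.` hid_validate_values() starts and ends outside the hunk.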
@@ -5,20 +5,21 @@ # # please keep them sorted alphabetically declare -a IGNORED_CONFIGS_RE=( - 'AS_HAS_[A-Z_]*' + 'AS_HAS_[A-Z0-9_]*' 'AS_VERSION' 'CC_CAN_[A-Z_]*' 'CC_HAS_[A-Z_]*' 'CC_HAVE_[A-Z_]*' 'CC_VERSION_TEXT' - 'FTRACE_MCOUNT_USE_CC' - 'FTRACE_MCOUNT_USE_RECORDMCOUNT' + 'FTRACE_MCOUNT_USE_[A-Z_]*' 'GCC_VERSION' 'G*CC[0-9]*_NO_[A-Z_]*' 'HAVE_[A-Z]*_COMPILER' 'LD_VERSION' 'PAHOLE_VERSION' + 'TOOLCHAIN_HAS_[A-Z_]*' 'TOOLS_SUPPORT_[A-Z_]*' + 'OBJTOOL' ) declare -a SED_ARGS=() diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in index 33eb21a..545aa8a 100644 --- a/rpm/kernel-binary.spec.in +++ b/rpm/kernel-binary.spec.in @@ -24,6 +24,7 @@ %define compress_modules @COMPRESS_MODULES@ %define compress_vmlinux @COMPRESS_VMLINUX@ %define livepatch @LIVEPATCH@%{nil} +%define livepatch_rt @LIVEPATCH_RT@%{nil} %include %_sourcedir/kernel-spec-macros @@ -1373,7 +1374,7 @@ relink ../../linux-%{kernelrelease}%{variant}-obj/"%cpu_arch_flavor" /usr/src/li /usr/src/linux-obj/%kmp_target_cpu %endif -%if "%livepatch" != "" && "%CONFIG_SUSE_KERNEL_SUPPORTED" == "y" && "%variant" == "" && %build_default +%if "%livepatch" != "" && "%CONFIG_SUSE_KERNEL_SUPPORTED" == "y" && (("%variant" == "" && %build_default) || ("%variant" == "-rt" && 0%livepatch_rt)) %if "%livepatch" == "kgraft" %define patch_package %{livepatch}-patch %else 
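Review bot: `'OBJTOOL'` is appended after `'TOOLS_SUPPORT_[A-Z_]*'`, which breaks the ordering that the comment above the array asks for ("please keep them sorted alphabetically"); it belongs between `'LD_VERSION'` and `'PAHOLE_VERSION'`. The digit class added in `'AS_HAS_[A-Z0-9_]*'` was also not carried over to the sibling `CC_CAN_`, `CC_HAS_` and new `TOOLCHAIN_HAS_` patterns. A toolchain-probe symbol with a digit in its name would presumably still be reported as a config change; if the narrower class is deliberate there, a short comment would help.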
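Review bot: The new `0%livepatch_rt` term in the `%if` at -1373 only evaluates as a number when LIVEPATCH_RT is empty or numeric. The mkspec hunk in this commit normalises only the false spellings (`0`, `no`, `none`) to empty and passes every other value through unchanged, so a setting such as `yes` would expand to `0yes` here, which is unlikely to be accepted by the expression parser. Either test it as a string like the first term, `"%livepatch_rt" != ""`, or have mkspec map every enabled value to `1`. The `%if` block opened here closes outside the hunk.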
@@ -1383,13 +1384,15 @@ relink ../../linux-%{kernelrelease}%{variant}-obj/"%cpu_arch_flavor" /usr/src/li Summary: Metapackage to pull in matching %patch_package package Group: System/Kernel Requires: %{patch_package}-%(echo %{version}-%{source_rel} | sed 'y/\./_/')-%{build_flavor} +Provides: multiversion(kernel) +%if "%variant" != "-rt" Provides: kernel-default-kgraft = %version Provides: kernel-xen-kgraft = %version -Provides: multiversion(kernel) %if "%livepatch" != "kgraft" Obsoletes: kernel-default-kgraft < %version Obsoletes: kernel-xen-kgraft < %version %endif +%endif %description %{livepatch} This is a metapackage that pulls in the matching %patch_package package for a @@ -1428,6 +1431,8 @@ Provides: multiversion(kernel) # tell weak-modules2 to ignore this package Provides: kmp_in_kernel Requires(post): suse-module-tools >= 12.4 +Enhances: %name +Supplements: packageand(%name:%@KMP_NAME@-%build_flavor) @KMP_DEPS@ %description -n @KMP_NAME@-%build_flavor diff --git a/rpm/kernel-source.rpmlintrc b/rpm/kernel-source.rpmlintrc index a63f94e..fa0fc43 100644 --- a/rpm/kernel-source.rpmlintrc +++ b/rpm/kernel-source.rpmlintrc @@ -10,7 +10,3 @@ addFilter("dangling-symlink .*/lib/modules/[1-9].*/source") addFilter("hidden-file-or-dir /usr/src/linux-.*-obj/.*/.config") addFilter("hidden-file-or-dir /usr/src/linux-.*-obj/.*/.kernel-binary.spec.buildenv") addFilter("hidden-file-or-dir /boot/\..*\.hmac") -# This check ensures that KMPs are built using the %kernel_module_package -# macro, but we are deliberately not doing this for KMPs built from the -# kernel spec file (fate#319339) -addFilter("suse-policy-kmp-missing-supplements") diff --git a/rpm/macros.kernel-source b/rpm/macros.kernel-source index 3097b62..78b4126 100644 --- a/rpm/macros.kernel-source +++ b/rpm/macros.kernel-source 
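Review bot: In the added `Supplements: packageand(%name:%@KMP_NAME@-%build_flavor)` at -1428, the `%` directly before `@KMP_NAME@` looks unintended. The `%description -n @KMP_NAME@-%build_flavor` line in the same hunk uses the placeholder without it, so after template substitution the Supplements would appear to name `%<kmp-name>-<flavor>` rather than the KMP package. Unless the template expander treats `%@...@` specially, this should read `Supplements: packageand(%name:@KMP_NAME@-%build_flavor)`. The rpmlintrc hunk in this commit drops the `suse-policy-kmp-missing-supplements` filter, so a Supplements that never matches would defeat the purpose of that change.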
@@ -7,7 +7,7 @@ else \ end } %kernel_module_package_release 1 -%kernel_module_package_buildreqs modutils kernel-syms kmod-compat %kernel_build_shell_package +%kernel_module_package_buildreqs modutils kernel-syms kmod-compat suse-kernel-rpm-scriptlets %kernel_build_shell_package %cpu_arch %(case %_target_cpu in \ # from rpm --eval '%ix86' \ diff --git a/rpm/mkspec b/rpm/mkspec index 4fe1124..c415073 100755 --- a/rpm/mkspec +++ b/rpm/mkspec @@ -41,6 +41,7 @@ my $compress_modules = 'none'; my $compress_vmlinux = 'gz'; my $build_dtbs = (); my $livepatch = ""; +my $livepatch_rt = ""; if (defined($vars{'COMPRESS_MODULES'})) { $compress_modules = $vars{'COMPRESS_MODULES'}; } @@ -55,6 +56,10 @@ if (defined($vars{'LIVEPATCH'})) { $livepatch = $vars{'LIVEPATCH'}; $livepatch = "" if $livepatch =~ /^(0+|no|none)$/i; } +if (defined($vars{'LIVEPATCH_RT'})) { + $livepatch_rt = $vars{'LIVEPATCH_RT'}; + $livepatch_rt = "" if $livepatch_rt =~ /^(0+|no|none)$/i; +} $vanilla_only ||= "0"; if (!defined ($rpmrelease)) { $rpmrelease = $vars{'RELEASE'} || 0; @@ -121,6 +126,7 @@ my %macros = ( UNPACK_PATCHES => $unpack_patches, SCRIPTS => $scripts, LIVEPATCH => $livepatch, + LIVEPATCH_RT => $livepatch_rt, YEAR => (localtime time)[5] + 1900, COMPRESS_MODULES => $compress_modules, COMPRESS_VMLINUX => $compress_vmlinux, diff --git a/rpm/mkspec-dtb b/rpm/mkspec-dtb index a46416f..4d9ff96 100755 --- a/rpm/mkspec-dtb +++ b/rpm/mkspec-dtb @@ -87,6 +87,7 @@ my @aarch64_package_list = ( # DTB packages names my @riscv64_package_list = ( ['dtb-microchip', 'microchip/*.dts', "Microchip based riscv64 systems"], + ['dtb-renesas', 'renesas/*.dts', "Renesas based riscv64 systems"], ['dtb-sifive', 'sifive/*.dts', "SiFive based riscv64 systems"], ['dtb-starfive', 'starfive/*.dts', "StarFive based riscv64 systems"], ); diff --git a/series.conf b/series.conf index 5912623..fd03da6 100644 --- a/series.conf +++ b/series.conf 
@@ -58222,6 +58222,9 @@ patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch patches.suse/net-sched-disallow-noqueue-for-qdisc-classes.patch patches.suse/ALSA-pcm-Move-rwsem-lock-inside-snd_ctl_elem_read-to.patch + patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch + patches.suse/HID-check-empty-report_list-in-bigben_probe.patch + patches.suse/HID-betop-check-shape-of-output-reports.patch ######################################################## # end of sorted patches