From 65d1ee42b8f34e543fbff6c9d6fc6f5196e391a3 Mon Sep 17 00:00:00 2001
From: Kernel Build Daemon
Date: Mar 08 2023 06:53:12 +0000
Subject: Merge branch 'cve/linux-5.3' into SLE15-SP2-LTSS
---
diff --git a/patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch b/patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch
new file mode 100644
index 0000000..47b3951
--- /dev/null
+++ b/patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch
@@ -0,0 +1,83 @@
+From 29b0589a865b6f66d141d79b2dd1373e4e50fe17 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Tue, 24 Jan 2023 08:55:33 +0100
+Subject: [PATCH] media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
+Git-commit: 29b0589a865b6f66d141d79b2dd1373e4e50fe17
+Patch-mainline: v6.3-rc1
+References: CVE-2023-1118 bsc#1208837
+
+When the ene device is detaching, function ene_remove() will
+be called. But there is no function to cancel tx_sim_timer
+in ene_remove(), the timer handler ene_tx_irqsim() could race
+with ene_remove(). As a result, the UAF bugs could happen,
+the process is shown below.
+
+ (cleanup routine) | (timer routine)
+ | mod_timer(&dev->tx_sim_timer, ..)
+ene_remove() | (wait a time)
+ | ene_tx_irqsim()
+ | dev->hw_lock //USE
+ | ene_tx_sample(dev) //USE
+
+Fix by adding del_timer_sync(&dev->tx_sim_timer) in ene_remove(),
+The tx_sim_timer could stop before ene device is deallocated.
+
+What's more, The rc_unregister_device() and del_timer_sync()
+should be called first in ene_remove() and the deallocated
+functions such as free_irq(), release_region() and so on
+should be called behind them. Because the rc_unregister_device()
+is well synchronized. Otherwise, race conditions may happen. The
+situations that may lead to race conditions are shown below.
+
+Firstly, the rx receiver is disabled with ene_rx_disable()
+before rc_unregister_device() in ene_remove(), which means it
+can be enabled again if a process opens /dev/lirc0 between
+ene_rx_disable() and rc_unregister_device().
+
+Secondly, the irqaction descriptor is freed by free_irq()
+before the rc device is unregistered, which means irqaction
+descriptor may be accessed again after it is deallocated.
+
+Thirdly, the timer can call ene_tx_sample() that can write
+to the io ports, which means the io ports could be accessed
+again after they are deallocated by release_region().
+
+Therefore, the rc_unregister_device() and del_timer_sync()
+should be called first in ene_remove().
+
+Suggested by: Sean Young
+
+Fixes: 9ea53b74df9c ("V4L/DVB: STAGING: remove lirc_ene0100 driver")
+Signed-off-by: Duoming Zhou
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Acked-by: Takashi Iwai
+
+---
+ drivers/media/rc/ene_ir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/ene_ir.c b/drivers/media/rc/ene_ir.c
+index e09270916fbc..11ee21a7db8f 100644
+--- a/drivers/media/rc/ene_ir.c
++++ b/drivers/media/rc/ene_ir.c
+@@ -1106,6 +1106,8 @@ static void ene_remove(struct pnp_dev *pnp_dev)
+ struct ene_device *dev = pnp_get_drvdata(pnp_dev);
+ unsigned long flags;
+
++ rc_unregister_device(dev->rdev);
++ del_timer_sync(&dev->tx_sim_timer);
+ spin_lock_irqsave(&dev->hw_lock, flags);
+ ene_rx_disable(dev);
+ ene_rx_restore_hw_buffer(dev);
+@@ -1113,7 +1115,6 @@ static void ene_remove(struct pnp_dev *pnp_dev)
+
+ free_irq(dev->irq, dev);
+ release_region(dev->hw_io, ENE_IO_SIZE);
+- rc_unregister_device(dev->rdev);
+ kfree(dev);
+ }
+
+--
+2.35.3
+
diff --git a/patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch b/patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch
new file mode 100644
index 0000000..27d0f48
--- /dev/null
+++ b/patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch
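Review bot: The reordered teardown in ene_remove() carries no comment saying why rc_unregister_device() and del_timer_sync() now have to run before the hw_lock section, free_irq() and release_region(), so a later cleanup could move them back and silently reintroduce the use-after-free the patch description lays out. I would add, above the new `rc_unregister_device(dev->rdev);` line, `/* Unregister first so userspace can no longer re-enable rx or arm tx_sim_timer, then stop the timer before hw_lock and the io region are torn down. */`, which only restates what the description already establishes. One thing the hunk does not show is whether any path other than the rc device (for instance the interrupt handler, which free_irq() detaches later in the same function) can re-arm tx_sim_timer after del_timer_sync() returns; that should be confirmed against the 5.3 tree's ene_ir.c when taking this backport. The second inner hunk's removal of the trailing rc_unregister_device() is the matching half of the move, and ene_remove()'s body between the two inner hunks is not shown.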
@@ -0,0 +1,38 @@
+From 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Mon, 13 Dec 2021 02:05:07 +0000
+Subject: [PATCH] phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function
+Git-commit: 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f
+Patch-mainline: v5.17-rc1
+References: CVE-2023-23000 bsc#1208816
+
+callers of tegra_xusb_find_port_node() function only do NULL checking for
+the return value. return NULL instead of ERR_PTR(-ENOMEM) to keep
+consistent.
+
+Signed-off-by: Miaoqian Lin
+Acked-by: Thierry Reding
+Link: https://lore.kernel.org/r/20211213020507.1458-1-linmq006@gmail.com
+Signed-off-by: Vinod Koul
+Acked-by: Takashi Iwai
+
+---
+ drivers/phy/tegra/xusb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
+index 963de5913e50..aa5237eacd29 100644
+--- a/drivers/phy/tegra/xusb.c
++++ b/drivers/phy/tegra/xusb.c
+@@ -455,7 +455,7 @@ tegra_xusb_find_port_node(struct tegra_xusb_padctl *padctl, const char *type,
+ name = kasprintf(GFP_KERNEL, "%s-%u", type, index);
+ if (!name) {
+ of_node_put(ports);
+- return ERR_PTR(-ENOMEM);
++ return NULL;
+ }
+ np = of_get_child_by_name(ports, name);
+ kfree(name);
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 338da24..e4af1b5 100644
--- a/series.conf
+++ b/series.conf
@@ -23027,6 +23027,7 @@
 patches.suse/powerpc-watchdog-Fix-wd_smp_last_reset_tb-reporting.patch
 patches.suse/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch
 patches.suse/powerpc-fadump-Fix-inaccurate-CPU-state-info-in-vmco.patch
+ patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch
 patches.suse/drm-amdkfd-Check-for-null-pointer-after-calling-kmem.patch
 patches.suse/msft-hv-2510-PCI-hv-Make-the-code-arch-neutral-by-adding-arch-spe.patch
 patches.suse/msft-hv-2484-PCI-hv-Use-PCI_ERROR_RESPONSE-to-identify-config-rea.patch
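Review bot: The kasprintf() failure path now returns NULL, but nothing in tegra_xusb_find_port_node() records that NULL, never an ERR_PTR, is the failure contract, and that unstated contract is exactly what let the ERR_PTR leak through callers that only NULL-check. I would add above the function, `/* Returns the matching port node, or NULL on any failure; callers NULL-check and never use IS_ERR(). */`. The function's signature and any other early return lie outside this hunk, so when applying the backport to the 5.3 tree they should be checked to follow the same NULL-on-failure rule. The of_node_put(ports) ahead of the return is kept, so this path does not leak the ports reference.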
@@ -23355,6 +23356,7 @@
 patches.suse/net-mana-Fix-accessing-freed-irq-affinity_hint.patch
 patches.suse/vmxnet3-move-rss-code-block-under-eop-descriptor.patch
 patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch
+ patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch
 ########################################################
 # end of sorted patches