linux.git/drivers/usb, branch v4.2-rc3 Linux kernel source tree configfs: fix kernel infoleak through user-controlled format string 2015-07-17T23:39:53+00:00 Nicolas Iooss nicolas.iooss_linux@m4x.org 2015-07-17T23:23:45+00:00 3958b79266b14729edd61daf9dfb84de45f4ec6d Some modules call config_item_init_type_name() and config_group_init_type_name() with parameter "name" directly controlled by userspace. These two functions call config_item_set_name() with this name used as a format string, which can be used to leak information such as content of the stack to userspace. For example, make_netconsole_target() in netconsole module calls config_item_init_type_name() with the name of a newly-created directory. This means that the following commands give some unexpected output, with configfs mounted in /sys/kernel/config/ and on a system with a configured eth0 ethernet interface: # modprobe netconsole # mkdir /sys/kernel/config/netconsole/target_%lx # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name # echo 1 > /sys/kernel/config/netconsole/target_%lx/enabled # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name # dmesg |tail -n1 [ 142.697668] netconsole: target (target_ffffffffc0ae8080) is enabled, disable to update parameters The directory name is correct but %lx has been interpreted in the internal item name, displayed here in the error message used by store_dev_name() in drivers/net/netconsole.c. To fix this, update every caller of config_item_set_name to use "%s" when operating on untrusted input. This issue was found using -Wformat-security gcc flag, once a __printf attribute has been added to config_item_set_name(). Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Felipe Balbi <balbi@ti.com> Acked-by: Joel Becker <jlbec@evilplan.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Some modules call config_item_init_type_name() and config_group_init_type_name()
with parameter "name" directly controlled by userspace.  These two
functions call config_item_set_name() with this name used as a format
string, which can be used to leak information such as content of the
stack to userspace.

For example, make_netconsole_target() in netconsole module calls
config_item_init_type_name() with the name of a newly-created directory.
This means that the following commands give some unexpected output, with
configfs mounted in /sys/kernel/config/ and on a system with a
configured eth0 ethernet interface:

    # modprobe netconsole
    # mkdir /sys/kernel/config/netconsole/target_%lx
    # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
    # echo 1 > /sys/kernel/config/netconsole/target_%lx/enabled
    # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
    # dmesg |tail -n1
    [  142.697668] netconsole: target (target_ffffffffc0ae8080) is
    enabled, disable to update parameters

The directory name is correct but %lx has been interpreted in the
internal item name, displayed here in the error message used by
store_dev_name() in drivers/net/netconsole.c.

To fix this, update every caller of config_item_set_name to use "%s"
when operating on untrusted input.

This issue was found using -Wformat-security gcc flag, once a __printf
attribute has been added to config_item_set_name().

Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Felipe Balbi <balbi@ti.com>
Acked-by: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge tag 'usb-serial-4.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus 2015-07-10T19:35:14+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2015-07-10T19:35:14+00:00 51f007e1a1f11d5aaa189c1a5cfbae0e8793fe50 Johan writes: USB-serial fixes for v4.2-rc2 Here's an idr memory-leak fix and a couple of new device ids. Included is also a build fix for mos7720 on the mn10300 architecture, which has a register with the same name as one of the driver defines. Signed-off-by: Johan Hovold <johan@kernel.org> 
Johan writes:

USB-serial fixes for v4.2-rc2

Here's an idr memory-leak fix and a couple of new device ids.

Included is also a build fix for mos7720 on the mn10300 architecture,
which has a register with the same name as one of the driver defines.

Signed-off-by: Johan Hovold <johan@kernel.org>
USB: serial: Destroy serial_minors IDR on module exit 2015-07-09T08:41:23+00:00 Johannes Thumshirn jthumshirn@suse.de 2015-07-08T15:26:37+00:00 d23f47d4927fd2f61b3a754d83c7bcec215b5cfe Destroy serial_minors IDR on module exit, reclaiming the allocated memory. This was detected by the following semantic patch (written by Luis Rodriguez <mcgrof@suse.com>) <SmPL> @ defines_module_init @ declarer name module_init, module_exit; declarer name DEFINE_IDR; identifier init; @@ module_init(init); @ defines_module_exit @ identifier exit; @@ module_exit(exit); @ declares_idr depends on defines_module_init && defines_module_exit @ identifier idr; @@ DEFINE_IDR(idr); @ on_exit_calls_destroy depends on declares_idr && defines_module_exit @ identifier declares_idr.idr, defines_module_exit.exit; @@ exit(void) { ... idr_destroy(&idr); ... } @ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @ identifier declares_idr.idr, defines_module_exit.exit; @@ exit(void) { ... +idr_destroy(&idr); } </SmPL> Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de> Cc: stable <stable@vger.kernel.org> # v3.11 Signed-off-by: Johan Hovold <johan@kernel.org> 
Destroy serial_minors IDR on module exit, reclaiming the allocated memory.

This was detected by the following semantic patch (written by Luis
Rodriguez <mcgrof@suse.com>)

<SmPL>
@ defines_module_init @
declarer name module_init, module_exit;
declarer name DEFINE_IDR;
identifier init;
@@

module_init(init);

@ defines_module_exit @
identifier exit;
@@

module_exit(exit);

@ declares_idr depends on defines_module_init && defines_module_exit @
identifier idr;
@@

DEFINE_IDR(idr);

@ on_exit_calls_destroy depends on declares_idr && defines_module_exit @
identifier declares_idr.idr, defines_module_exit.exit;
@@

exit(void)
{
 ...
 idr_destroy(&idr);
 ...
}

@ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @
identifier declares_idr.idr, defines_module_exit.exit;
@@

exit(void)
{
 ...
 +idr_destroy(&idr);
}
</SmPL>

Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Cc: stable <stable@vger.kernel.org>	# v3.11
Signed-off-by: Johan Hovold <johan@kernel.org>
usb: gadget: f_midi: fix error recovery path 2015-07-06T17:34:08+00:00 Andrzej Pietrasiewicz andrzej.p@samsung.com 2015-07-03T12:02:29+00:00 b2e2c94b878be2500d4d42c1f52a2fa1fe7648b4 In case kstrdup() fails the resources to release are midi->in_port[] and midi. No cards have been registered, so no need to unregister any. Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: Felipe Balbi <balbi@ti.com> 
In case kstrdup() fails the resources to release are
midi->in_port[] and midi. No cards have been registered,
so no need to unregister any.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: phy: mxs: suspend to RAM causes NULL pointer dereference 2015-07-06T17:34:08+00:00 Stefan Wahren stefan.wahren@i2se.com 2015-06-15T04:37:00+00:00 543aa4867d4a2dff5fc11e1b688197ee3bad7f89 Triggering suspend to RAM via sysfs on a i.MX28 causes a NULL pointer dereference. This patch avoids the oops in mxs_phy_get_vbus_status() by aborting since there is no syscon available. Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com> Fixes: efdbd3a5d6e ("usb: phy: mxs: do not set PWD.RXPWD1PT1 for low speed connection") CC: <stable@vger.kernel.org> # 4.0 Acked-by: Peter Chen <peter.chen@freescale.com> Signed-off-by: Felipe Balbi <balbi@ti.com> 
Triggering suspend to RAM via sysfs on a i.MX28 causes a NULL pointer
dereference. This patch avoids the oops in mxs_phy_get_vbus_status()
by aborting since there is no syscon available.

Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Fixes: efdbd3a5d6e ("usb: phy: mxs: do not set PWD.RXPWD1PT1 for low speed connection")
CC: <stable@vger.kernel.org> # 4.0
Acked-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: gadget: udc: fix free_irq() after request_irq() failed 2015-07-06T17:34:08+00:00 Takeshi Yoshimura yos@sslab.ics.keio.ac.jp 2015-06-14T07:09:23+00:00 2184fe636b4e310cba52251971cee82cb2407a68 My static checker detected the mistake. I fix this by changing "goto err_irq" to "goto err_req". The label err_irq is not used now so this patch also removes it. Signed-off-by: Takeshi Yoshimura <yos@sslab.ics.keio.ac.jp> Signed-off-by: Felipe Balbi <balbi@ti.com> 
My static checker detected the mistake. I fix this by changing "goto
err_irq" to "goto err_req". The label err_irq is not used now
so this patch also removes it.

Signed-off-by: Takeshi Yoshimura <yos@sslab.ics.keio.ac.jp>
Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: gadget: composite: Fix NULL pointer dereference 2015-07-06T17:34:08+00:00 Kishon Vijay Abraham I kishon@ti.com 2015-06-11T16:42:11+00:00 b4c21f0bdd2c0cd5d5be1bb56f0a28dae5041eed commit f563d230903210acc ("usb: gadget: composite: add req_match method to usb_function") accesses cdev->config even before set config is invoked causing a NULL pointer dereferencing error while running Lecroy Mass Storage Compliance test. Fix it here by accessing cdev->config only if it is non NULL. Fixes: commit f563d230903210acc ("usb: gadget: composite: add req_match method to usb_function"). Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com> Signed-off-by: Felipe Balbi <balbi@ti.com> 
commit f563d230903210acc ("usb: gadget: composite: add req_match method
to usb_function") accesses cdev->config even before set config
is invoked causing a NULL pointer dereferencing error while running
Lecroy Mass Storage Compliance test.

Fix it here by accessing cdev->config only if it is non NULL.

Fixes: commit f563d230903210acc ("usb: gadget: composite: add req_match
method to usb_function").

Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: gadget: f_fs: do not set cancel function on synchronous {read,write} 2015-07-06T17:34:08+00:00 Rui Miguel Silva rui.silva@linaro.org 2015-05-18T15:02:07+00:00 4088acf1e845aba35f30fb91dee10649edbd0e84 do not try to set cancel function in synchronous operations in ffs_epfile_{read,write}_iter. Cc: <stable@vger.kernel.org> # v4.0+ Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Signed-off-by: Felipe Balbi <balbi@ti.com> 
do not try to set cancel function in synchronous operations in
ffs_epfile_{read,write}_iter.

Cc: <stable@vger.kernel.org> # v4.0+
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: f_mass_storage: limit number of reported LUNs 2015-07-06T17:34:08+00:00 Michal Nazarewicz mina86@mina86.com 2015-06-19T21:56:34+00:00 8515bac01a983d277148e4fcc5f235bf603de577 Mass storage function created via configfs always reports eight LUNs to the hosts even if only one LUN has been configured. Adjust the number when the USB function is allocated based on LUNs that user has created. Cc: <stable@vger.kernel.org> Tested-by: Gregory CLEMENT <gregory.clement@free-electrons.com> Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Felipe Balbi <balbi@ti.com> 
Mass storage function created via configfs always reports eight LUNs
to the hosts even if only one LUN has been configured.  Adjust the
number when the USB function is allocated based on LUNs that user
has created.

Cc: <stable@vger.kernel.org>
Tested-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: dwc3: core: avoid NULL pointer dereference 2015-07-06T17:34:08+00:00 Felipe Balbi balbi@ti.com 2015-07-02T03:03:09+00:00 43cacb03aabe62158d8e5da876054c7d48fc9963 commit 3e10a2ce98d1 ("usb: dwc3: add hsphy_interface property") introduced a possible NULL pointer dereference because dwc->hsphy_interface can be NULL. In order to fix it, all we have to do is guard strncmp() against a NULL argument. Fixes: 3e10a2ce98d1 ("usb: dwc3: add hsphy_interface property") Tested-by: Murali Karicheri <m-karicheri2@ti.com> Signed-off-by: Felipe Balbi <balbi@ti.com> 
commit 3e10a2ce98d1 ("usb: dwc3: add hsphy_interface
property") introduced a possible NULL pointer
dereference because dwc->hsphy_interface can be
NULL.

In order to fix it, all we have to do is guard
strncmp() against a NULL argument.

Fixes: 3e10a2ce98d1 ("usb: dwc3: add hsphy_interface property")
Tested-by: Murali Karicheri <m-karicheri2@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>