Merge remote-tracking branch 'origin/f30' into f30-user-thl-vanilla-fedora

3 files changed, 73 insertions, 0 deletions

diff --git a/clk-sunxi-fix-a-missing-check-bug-in-sunxi_divs_clk_setup.patch b/clk-sunxi-fix-a-missing-check-bug-in-sunxi_divs_clk_setup.patch
new file mode 100644
index 000000000..3f877a8cf
--- /dev/null
+++ b/clk-sunxi-fix-a-missing-check-bug-in-sunxi_divs_clk_setup.patch
@@ -0,0 +1,30 @@
+From fcdf445ff42f036d22178b49cf64e92d527c1330 Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Tue, 28 May 2019 10:18:51 +0800
+Subject: clk-sunxi: fix a missing-check bug in sunxi_divs_clk_setup()
+
+In sunxi_divs_clk_setup(), 'derived_name' is allocated by kstrndup().
+It returns NULL when fails. 'derived_name' should be checked.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+---
+ drivers/clk/sunxi/clk-sunxi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/sunxi/clk-sunxi.c b/drivers/clk/sunxi/clk-sunxi.c
+index f5b1c0067365..830bfb7f5e6b 100644
+--- a/drivers/clk/sunxi/clk-sunxi.c
++++ b/drivers/clk/sunxi/clk-sunxi.c
+@@ -989,6 +989,8 @@ static struct clk ** __init sunxi_divs_clk_setup(struct device_node *node,
+ 		if (endp) {
+ 			derived_name = kstrndup(clk_name, endp - clk_name,
+ 						GFP_KERNEL);
++			if (!derived_name)
++				return NULL;
+ 			factors.name = derived_name;
+ 		} else {
+ 			factors.name = clk_name;
+-- 
+cgit 1.2-0.3.lf.el7
+
diff --git a/kernel.spec b/kernel.spec
index 96141bb98..5fe887fee 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -626,6 +626,12 @@ Patch532: drm-edid-fix-missing-check-bug-in-drm_load_edid_firmware.patch
 # CVE-2019-12379 rhbz 1715491 1715706
 Patch533: consolemap-fix-memory-leaking-bug.patch
 
+# CVE-2019-12455 rhbz 1716990 1717003
+Patch534: clk-sunxi-fix-a-missing-check-bug-in-sunxi_divs_clk_setup.patch
+
+# CVE-2019-12454 rhbz 1716996 1717003
+Patch535: wcd9335-fix-a-incorrect-use-of-kstrndup.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1867,6 +1873,11 @@ fi
 #
 #
 %changelog
+* Tue Jun 04 2019 Jeremy Cline <jcline@redhat.com> - 5.1.7-300
+- Linux v5.1.7
+- Fix CVE-2019-12455 (rhbz 1716990 1717003)
+- Fix CVE-2019-12454 (rhbz 1716996 1717003)
+
 * Mon Jun 03 2019 Justin M. Forbes <jforbes@fedoraproject.org>
 - Fix CVE-2019-12378 (rhbz 1715459 1715460)
 - Fix CVE-2019-3846 (rhbz 1713059 1715475)
diff --git a/wcd9335-fix-a-incorrect-use-of-kstrndup.patch b/wcd9335-fix-a-incorrect-use-of-kstrndup.patch
new file mode 100644
index 000000000..2b35e913e
--- /dev/null
+++ b/wcd9335-fix-a-incorrect-use-of-kstrndup.patch
@@ -0,0 +1,32 @@
+From a54988113985ca22e414e132054f234fc8a92604 Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Wed, 29 May 2019 09:53:05 +0800
+Subject: wcd9335: fix a incorrect use of kstrndup()
+
+In wcd9335_codec_enable_dec(), 'widget_name' is allocated by kstrndup().
+However, according to doc: "Note: Use kmemdup_nul() instead if the size
+is known exactly." So we should use kmemdup_nul() here instead of
+kstrndup().
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+---
+ sound/soc/codecs/wcd9335.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
+index a04a7cedd99d..85737fe54474 100644
+--- a/sound/soc/codecs/wcd9335.c
++++ b/sound/soc/codecs/wcd9335.c
+@@ -2734,7 +2734,7 @@ static int wcd9335_codec_enable_dec(struct snd_soc_dapm_widget *w,
+ 	char *dec;
+ 	u8 hpf_coff_freq;
+ 
+-	widget_name = kstrndup(w->name, 15, GFP_KERNEL);
++	widget_name = kmemdup_nul(w->name, 15, GFP_KERNEL);
+ 	if (!widget_name)
+ 		return -ENOMEM;
+ 
+-- 
+cgit 1.2-0.3.lf.el7
+