From 6f9babcb28ce9b8ecfc1afb612361d26c9ec34a7 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 6 May 2019 16:48:38 +0000 Subject: Initial v5.1 rebase --- CVE-2019-3459-and-CVE-2019-3460.patch | 167 ---------------------------------- 1 file changed, 167 deletions(-) delete mode 100644 CVE-2019-3459-and-CVE-2019-3460.patch (limited to 'CVE-2019-3459-and-CVE-2019-3460.patch') diff --git a/CVE-2019-3459-and-CVE-2019-3460.patch b/CVE-2019-3459-and-CVE-2019-3460.patch deleted file mode 100644 index c7fa62736..000000000 --- a/CVE-2019-3459-and-CVE-2019-3460.patch +++ /dev/null @@ -1,167 +0,0 @@ -From 20614b74e481f0c9f94032ae99f110d4647b65a6 Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman -Date: Thu, 10 Jan 2019 07:28:33 +0100 -Subject: [PATCH 1/2] Bluetooth: check message types in l2cap_get_conf_opt - -l2cap_get_conf_opt can handle a "default" message type, but it needs to -be verified that it really is the correct type (CONF_EFS or CONF_RFC) -before passing it back to the caller. To do this we need to check the -return value of this call now and handle the error correctly up the -stack. - -Based on a patch from Ran Menscher. - -Reported-by: Ran Menscher -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Jeremy Cline ---- - net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++------ - 1 file changed, 19 insertions(+), 6 deletions(-) - -diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index d17a4736e47c..a0ce6e8e5ef7 100644 ---- a/net/bluetooth/l2cap_core.c -+++ b/net/bluetooth/l2cap_core.c -@@ -2979,6 +2979,10 @@ static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, - break; - - default: -+ /* Only CONF_EFS and CONF_RFC are allowed here */ -+ if ((opt->type != L2CAP_CONF_EFS) && -+ (opt->type != L2CAP_CONF_RFC)) -+ return -EPROTO; - *val = (unsigned long) opt->val; - break; - } -@@ -3323,7 +3327,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data - void *endptr = data + data_size; - void *req = chan->conf_req; - int len = chan->conf_len; -- int type, hint, olen; -+ int type, hint, olen, err; - unsigned long val; - struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; - struct l2cap_conf_efs efs; -@@ -3335,7 +3339,10 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data - BT_DBG("chan %p", chan); - - while (len >= L2CAP_CONF_OPT_SIZE) { -- len -= l2cap_get_conf_opt(&req, &type, &olen, &val); -+ err = l2cap_get_conf_opt(&req, &type, &olen, &val); -+ if (err < 0) -+ return err; -+ len -= err; - - hint = type & L2CAP_CONF_HINT; - type &= L2CAP_CONF_MASK; -@@ -3538,7 +3545,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, - struct l2cap_conf_req *req = data; - void *ptr = req->data; - void *endptr = data + size; -- int type, olen; -+ int type, olen, err; - unsigned long val; - struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC }; - struct l2cap_conf_efs efs; -@@ -3546,7 +3553,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, - BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data); - - while (len >= L2CAP_CONF_OPT_SIZE) { -- len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); -+ err = l2cap_get_conf_opt(&rsp, &type, &olen, &val); -+ if (err < 0) -+ return err; -+ len -= err; - - switch (type) { - case L2CAP_CONF_MTU: -@@ -3706,7 +3716,7 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan) - - static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) - { -- int type, olen; -+ int type, olen, err; - unsigned long val; - /* Use sane default values in case a misbehaving remote device - * did not send an RFC or extended window size option. -@@ -3726,7 +3736,10 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) - return; - - while (len >= L2CAP_CONF_OPT_SIZE) { -- len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); -+ err = l2cap_get_conf_opt(&rsp, &type, &olen, &val); -+ if (err < 0) -+ return; -+ len -= err; - - switch (type) { - case L2CAP_CONF_RFC: --- -2.20.1 - -From 50cd5314f5ffa264906f4986f414750d648c4ece Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman -Date: Thu, 10 Jan 2019 07:29:17 +0100 -Subject: [PATCH 2/2] Bluetooth: check the buffer size for some messages before - parsing - -The L2CAP_CONF_EFS and L2CAP_CONF_RFC messages can be sent from -userspace so their structure sizes need to be checked before parsing -them. - -Based on a patch from Ran Menscher. - -Reported-by: Ran Menscher -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Jeremy Cline ---- - net/bluetooth/l2cap_core.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index a0ce6e8e5ef7..d8d3cbdc0d29 100644 ---- a/net/bluetooth/l2cap_core.c -+++ b/net/bluetooth/l2cap_core.c -@@ -3360,7 +3360,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data - break; - - case L2CAP_CONF_RFC: -- if (olen == sizeof(rfc)) -+ if ((olen == sizeof(rfc)) && -+ (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(rfc))) - memcpy(&rfc, (void *) val, olen); - break; - -@@ -3370,7 +3371,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data - break; - - case L2CAP_CONF_EFS: -- if (olen == sizeof(efs)) { -+ if ((olen == sizeof(efs)) && -+ (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(efs))) { - remote_efs = 1; - memcpy(&efs, (void *) val, olen); - } -@@ -3575,7 +3577,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, - break; - - case L2CAP_CONF_RFC: -- if (olen == sizeof(rfc)) -+ if ((olen == sizeof(rfc)) && -+ (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(rfc))) - memcpy(&rfc, (void *)val, olen); - - if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && -@@ -3595,7 +3598,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, - break; - - case L2CAP_CONF_EFS: -- if (olen == sizeof(efs)) { -+ if ((olen == sizeof(efs)) && -+ (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(efs))) { - memcpy(&efs, (void *)val, olen); - - if (chan->local_stype != L2CAP_SERV_NOTRAFIC && --- -2.20.1 - -- cgit