Fix CVE-2019-18808 CVE-2019-18809 CVE-2019-18811 CVE-2019-18812 CVE-2019-16232

2019-12-02 09:14:44 -06:00 · 2019-12-02 09:14:44 -06:00 · fbd3f73ad4
commit fbd3f73ad4
parent bf6e2e5c45
6 changed files with 209 additions and 0 deletions
--- a/0001-ASoC-SOF-Fix-memory-leak-in-sof_dfsentry_write.patch
+++ b/0001-ASoC-SOF-Fix-memory-leak-in-sof_dfsentry_write.patch
@ -0,0 +1,37 @@
+From c0a333d842ef67ac04adc72ff79dc1ccc3dca4ed Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Sun, 27 Oct 2019 14:48:47 -0500
+Subject: [PATCH] ASoC: SOF: Fix memory leak in sof_dfsentry_write
+
+In the implementation of sof_dfsentry_write() memory allocated for
+string is leaked in case of an error. Go to error handling path if the
+d_name.name is not valid.
+
+Fixes: 091c12e1f50c ("ASoC: SOF: debug: add new debugfs entries for IPC flood test")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Link: https://lore.kernel.org/r/20191027194856.4056-1-navid.emamdoost@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+---
+ sound/soc/sof/debug.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/sof/debug.c b/sound/soc/sof/debug.c
+index 54cd431faab7..5529e8eeca46 100644
+--- a/sound/soc/sof/debug.c
+++ b/sound/soc/sof/debug.c
+@@ -152,8 +152,10 @@ static ssize_t sof_dfsentry_write(struct file *file, const char __user *buffer,
+ 	 * in the debugfs entry.
+ 	 */
+ 	if (strcmp(dfse->dfsentry->d_name.name, "ipc_flood_count") &&
+-	    strcmp(dfse->dfsentry->d_name.name, "ipc_flood_duration_ms"))
+-		return -EINVAL;
+	    strcmp(dfse->dfsentry->d_name.name, "ipc_flood_duration_ms")) {
+		ret = -EINVAL;
+		goto out;
+	}
+
+ 	if (!strcmp(dfse->dfsentry->d_name.name, "ipc_flood_duration_ms"))
+ 		flood_duration_test = true;
+-- 
+2.23.0
+
--- a/0001-ASoC-SOF-ipc-Fix-memory-leak-in-sof_set_get_large_ct.patch
+++ b/0001-ASoC-SOF-ipc-Fix-memory-leak-in-sof_set_get_large_ct.patch
@ -0,0 +1,37 @@
+From 45c1380358b12bf2d1db20a5874e9544f56b34ab Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Sun, 27 Oct 2019 16:53:24 -0500
+Subject: [PATCH] ASoC: SOF: ipc: Fix memory leak in
+ sof_set_get_large_ctrl_data
+
+In the implementation of sof_set_get_large_ctrl_data() there is a memory
+leak in case an error. Release partdata if sof_get_ctrl_copy_params()
+fails.
+
+Fixes: 54d198d5019d ("ASoC: SOF: Propagate sof_get_ctrl_copy_params() error properly")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Link: https://lore.kernel.org/r/20191027215330.12729-1-navid.emamdoost@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+---
+ sound/soc/sof/ipc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/ipc.c b/sound/soc/sof/ipc.c
+index b2f359d2f7e5..086eeeab8679 100644
+--- a/sound/soc/sof/ipc.c
+++ b/sound/soc/sof/ipc.c
+@@ -572,8 +572,10 @@ static int sof_set_get_large_ctrl_data(struct snd_sof_dev *sdev,
+ 	else
+ 		err = sof_get_ctrl_copy_params(cdata->type, partdata, cdata,
+ 					       sparams);
+-	if (err < 0)
+	if (err < 0) {
+		kfree(partdata);
+ 		return err;
+	}
+
+ 	msg_bytes = sparams->msg_bytes;
+ 	pl_size = sparams->pl_size;
+-- 
+2.23.0
+
--- a/0001-crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch
+++ b/0001-crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch
@ -0,0 +1,37 @@
+From 128c66429247add5128c03dc1e144ca56f05a4e2 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Thu, 19 Sep 2019 11:04:48 -0500
+Subject: [PATCH] crypto: ccp - Release all allocated memory if sha type is
+ invalid
+
+Release all allocated memory if sha type is invalid:
+In ccp_run_sha_cmd, if the type of sha is invalid, the allocated
+hmac_buf should be released.
+
+v2: fix the goto.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Acked-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+---
+ drivers/crypto/ccp/ccp-ops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
+index c8da8eb160da..422193690fd4 100644
+--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -1777,8 +1777,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
+ 			       LSB_ITEM_SIZE);
+ 			break;
+ 		default:
+			kfree(hmac_buf);
+ 			ret = -EINVAL;
+-			goto e_ctx;
+			goto e_data;
+ 		}
+
+ 		memset(&hmac_cmd, 0, sizeof(hmac_cmd));
+-- 
+2.23.0
+
--- a/0001-libertas-fix-a-potential-NULL-pointer-dereference.patch
+++ b/0001-libertas-fix-a-potential-NULL-pointer-dereference.patch
@ -0,0 +1,40 @@
+From 7da413a18583baaf35dd4a8eb414fa410367d7f2 Mon Sep 17 00:00:00 2001
+From: Allen Pais <allen.pais@oracle.com>
+Date: Wed, 18 Sep 2019 22:05:00 +0530
+Subject: [PATCH] libertas: fix a potential NULL pointer dereference
+
+alloc_workqueue is not checked for errors and as a result,
+a potential NULL dereference could occur.
+
+Signed-off-by: Allen Pais <allen.pais@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/marvell/libertas/if_sdio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas/if_sdio.c b/drivers/net/wireless/marvell/libertas/if_sdio.c
+index 242d8845da3f..30f1025ecb9b 100644
+--- a/drivers/net/wireless/marvell/libertas/if_sdio.c
+++ b/drivers/net/wireless/marvell/libertas/if_sdio.c
+@@ -1179,6 +1179,10 @@ static int if_sdio_probe(struct sdio_func *func,
+
+ 	spin_lock_init(&card->lock);
+ 	card->workqueue = alloc_workqueue("libertas_sdio", WQ_MEM_RECLAIM, 0);
+	if (unlikely(!card->workqueue)) {
+		ret = -ENOMEM;
+		goto err_queue;
+	}
+ 	INIT_WORK(&card->packet_worker, if_sdio_host_to_card_worker);
+ 	init_waitqueue_head(&card->pwron_waitq);
+
+@@ -1230,6 +1234,7 @@ static int if_sdio_probe(struct sdio_func *func,
+ 	lbs_remove_card(priv);
+ free:
+ 	destroy_workqueue(card->workqueue);
+err_queue:
+ 	while (card->packets) {
+ 		packet = card->packets;
+ 		card->packets = card->packets->next;
+-- 
+2.23.0
+
--- a/0001-media-usb-fix-memory-leak-in-af9005_identify_state.patch
+++ b/0001-media-usb-fix-memory-leak-in-af9005_identify_state.patch
@ -0,0 +1,36 @@
+From 2289adbfa559050d2a38bcd9caac1c18b800e928 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Wed, 9 Oct 2019 12:01:47 -0300
+Subject: [PATCH] media: usb: fix memory leak in af9005_identify_state
+
+In af9005_identify_state when returning -EIO the allocated buffer should
+be released. Replace the "return -EIO" with assignment into ret and move
+deb_info() under a check.
+
+Fixes: af4e067e1dcf ("V4L/DVB (5625): Add support for the AF9005 demodulator from Afatech")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+---
+ drivers/media/usb/dvb-usb/af9005.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/af9005.c b/drivers/media/usb/dvb-usb/af9005.c
+index 02697d86e8c1..ac93e88d7038 100644
+--- a/drivers/media/usb/dvb-usb/af9005.c
+++ b/drivers/media/usb/dvb-usb/af9005.c
+@@ -976,8 +976,9 @@ static int af9005_identify_state(struct usb_device *udev,
+ 	else if (reply == 0x02)
+ 		*cold = 0;
+ 	else
+-		return -EIO;
+-	deb_info("Identify state cold = %d\n", *cold);
+		ret = -EIO;
+	if (!ret)
+		deb_info("Identify state cold = %d\n", *cold);
+
+ err:
+ 	kfree(buf);
+-- 
+2.23.0
+
--- a/kernel.spec
+++ b/kernel.spec
@ -670,6 +670,21 @@ Patch529: ath10k-fix-memory-leak.patch
 # CVE-2019-19082 rhbz 1776832 1776833
 Patch530: 0001-drm-amd-display-prevent-memory-leak.patch

+# CVE-2019-18808 rhbz 1777418 1777421
+Patch531: 0001-crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch
+
+# CVE-2019-18809 rhbz 1777449 1777451
+Patch532: 0001-media-usb-fix-memory-leak-in-af9005_identify_state.patch
+
+# CVE-2019-18811 rhbz 1777455 1777456
+Patch533: 0001-ASoC-SOF-ipc-Fix-memory-leak-in-sof_set_get_large_ct.patch
+
+# CVE-2019-18812 rhbz 1777458 1777459
+Patch534: 0001-ASoC-SOF-Fix-memory-leak-in-sof_dfsentry_write.patch
+
+# CVE-2019-16232 rhbz 1760351 1760352
+Patch535: 0001-libertas-fix-a-potential-NULL-pointer-dereference.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1871,6 +1886,13 @@ fi
 #
 #
 %changelog
+* Mon Dec 02 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-18808 (rhbz 1777418 1777421)
+- Fix CVE-2019-18809 (rhbz 1777449 1777451)
+- Fix CVE-2019-18811 (rhbz 1777455 1777456)
+- Fix CVE-2019-18812 (rhbz 1777458 1777459)
+- Fix CVE-2019-16232 (rhbz 1760351 1760352)
+
 * Tue Nov 26 2019 Justin M. Forbes <jforbes@fedoraproject.org> 
 - Fix CVE-2019-19082 (rhbz 1776832 1776833)