Signed-off-by: Wang Xiayang <xywang.sjtu(a)alumni.sjtu.edu.cn>
---
README | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index 2129d19c4024..5eb80adf47ad 100644
--- a/README
+++ b/README
@@ -14,7 +14,7 @@ Steps of submitting patches
---------------------------
1. Compile and test your patches successfully.
- You should test your patch in OpenHamrony supported boards, hi3516dv300,
+ You should test your patch in OpenHarmony supported boards, hi3516dv300,
etc.
2. Generate patches
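Review bot: In step 1 the corrected line still reads "test your patch in OpenHarmony supported boards"; since the line is being touched anyway, "on OpenHarmony-supported boards" would read better, and "your patch" could be made to agree with "your patches" on the line above it.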
--
2.30.2
From: Wang Yufen <wangyufen(a)huawei.com>
stable inclusion
from stable-5.10.111
commit d745512d54fd79d58e227f6f583b84e6111204a8
category: bugfix
issue: I54NFQ
Signed-off-by: gaochao <gaochao49(a)huawei.com>
---------------------------------------
netlabel: fix out-of-bounds memory accesses

[ Upstream commit f22881de730ebd472e15bcc2c0d1d46e36a87b9c ]

In calipso_map_cat_ntoh(), in the for loop, if the return value of
netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when
netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses
of bitmap[byte_offset] occur.

The bug was found during fuzzing. The following is the fuzzing report:

BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0
Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252
CPU: 7 PID: 252 Comm: err_OH Not tainted 5.17.0-rc7+ #17
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x21c/0x230
show_stack+0x1c/0x60
dump_stack_lvl+0x64/0x7c
print_address_description.constprop.0+0x70/0x2d0
__kasan_report+0x158/0x16c
kasan_report+0x74/0x120
__asan_load1+0x80/0xa0
netlbl_bitmap_walk+0x3c/0xd0
calipso_opt_getattr+0x1a8/0x230
calipso_sock_getattr+0x218/0x340
calipso_sock_getattr+0x44/0x60
netlbl_sock_getattr+0x44/0x80
selinux_netlbl_socket_setsockopt+0x138/0x170
selinux_socket_setsockopt+0x4c/0x60
security_socket_setsockopt+0x4c/0x90
__sys_setsockopt+0xbc/0x2b0
__arm64_sys_setsockopt+0x6c/0x84
invoke_syscall+0x64/0x190
el0_svc_common.constprop.0+0x88/0x200
do_el0_svc+0x88/0xa0
el0_svc+0x128/0x1b0
el0t_64_sync_handler+0x9c/0x120
el0t_64_sync+0x16c/0x170
Reported-by: Hulk Robot <hulkci(a)huawei.com>
Signed-off-by: Wang Yufen <wangyufen(a)huawei.com>
Acked-by: Paul Moore <paul(a)paul-moore.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
net/netlabel/netlabel_kapi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 5e1239cef000..91b35b7c80d8 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -885,6 +885,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
unsigned char bitmask;
unsigned char byte;
+ if (offset >= bitmap_len)
+ return -1;
byte_offset = offset / 8;
byte = bitmap[byte_offset];
bit_spot = offset;
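Review bot: The new check "if (offset >= bitmap_len)" compares offset with bitmap_len directly, while the next line derives byte_offset = offset / 8, so the guard is only correct when bitmap_len is a length in bits. A short comment above the check stating that unit would keep a later caller from passing a byte count. The early "return -1" also deserves a word in that comment saying whether -1 here means "nothing left to walk" or an invalid argument, since callers that resume at the previous result plus one, as the commit message describes for calipso_map_cat_ntoh(), depend on which it is.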
--
2.25.1
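
The boundary case from the commit message above, as an added userspace example that is not part of the patch or the kernel source: a caller resumes the walk at the last hit plus one, and when the last hit is the final bit the next start offset equals the bitmap length in bits. The names bitmap_walk_model, first_load_is_oob and count_set_bits are hypothetical, and the two-byte bitmap is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model (hypothetical name) of a walk over a bitmap whose length is
 * in BITS: index of the next bit equal to `state` at/after `offset`, or -1. */
static int bitmap_walk_model(const unsigned char *bitmap, uint32_t bitmap_len,
                             uint32_t offset, uint8_t state)
{
    if (offset >= bitmap_len)   /* the guard: nothing left to scan */
        return -1;
    uint32_t byte_offset = offset / 8, bit_spot = offset;
    unsigned char byte = bitmap[byte_offset]; /* unguarded, this load can be OOB */
    unsigned char bitmask = 0x80 >> (offset % 8);
    for (;;) {
        if (((byte & bitmask) != 0) == (state != 0))
            return (int)bit_spot;
        if (++bit_spot >= bitmap_len)
            return -1;
        bitmask >>= 1;
        if (bitmask == 0) {
            byte = bitmap[++byte_offset];
            bitmask = 0x80;
        }
    }
}

/* 1 if a walk starting at `offset` would first load a byte past the buffer. */
static int first_load_is_oob(uint32_t bitmap_len, uint32_t offset)
{
    return offset / 8 >= (bitmap_len + 7) / 8;
}

/* Caller pattern from the commit message: resume at last hit + 1. */
static int count_set_bits(const unsigned char *bitmap, uint32_t bitmap_len)
{
    int spot = -1, n = 0;
    while ((spot = bitmap_walk_model(bitmap, bitmap_len, (uint32_t)(spot + 1), 1)) >= 0)
        n++;
    return n;
}

int main(void)
{
    const unsigned char bm[2] = { 0x80, 0x01 }; /* constructed: bits 0 and 15 set */
    printf("set bits %d, unguarded resume at 16 OOB: %d\n", count_set_bits(bm, 16), first_load_is_oob(16, 16));
    return 0;
}
```
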
From: Yu Changchun <yuchangchun1(a)huawei.com>
These patches are related to the following CVEs:
CVE-2021-39685
CVE-2021-4083
CVE-2021-4155
CVE-2021-4197
CVE-2021-4202
CVE-2021-44733
CVE-2021-45095
CVE-2021-45469
CVE-2021-45480
---------------------------------------------------
Bongsu Jeon (1):
  net: nfc: nci: Change the NCI close sequence

Chao Yu (1):
  f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()

Darrick J. Wong (1):
  xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate

Greg Kroah-Hartman (2):
  USB: gadget: detect too-big endpoint 0 requests
  USB: gadget: bRequestType is a bitfield, not a enum

Hangyu Hua (2):
  phonet: refcount leak in pep_sock_accep
  rds: memory leak in __rds_conn_create()

Hui Su (1):
  cgroup/cgroup.c: replace 'of->kn->priv' with of_cft()

Jens Wiklander (1):
  tee: handle lookup of shm with reference count 0

Lin Ma (4):
  NFC: reorganize the functions in nci_request
  NFC: reorder the logic in nfc_{un,}register_device
  NFC: add NCI_UNREG flag to eliminate the race
  NFC: add necessary privilege flags in netlink layer

Linus Torvalds (1):
  fget: check that the fd still exists after getting a ref to it

Michal Koutný (1):
  cgroup: cgroup.{procs,threads} factor out common parts

Tejun Heo (3):
  cgroup: Use open-time credentials for process migraton perm checks
  cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv
  cgroup: Use open-time cgroup namespace for process migration perm checks

 drivers/tee/tee_shm.c             | 171 ++++++++++++------------------
 drivers/usb/gadget/composite.c    |  12 +++
 drivers/usb/gadget/legacy/dbgp.c  |  13 +++
 drivers/usb/gadget/legacy/inode.c |  16 ++-
 fs/f2fs/xattr.c                   |  11 +-
 fs/file.c                         |   4 +
 fs/xfs/xfs_ioctl.c                |   3 +-
 include/linux/tee_drv.h           |   4 +-
 include/net/nfc/nci_core.h        |   1 +
 kernel/cgroup/cgroup-internal.h   |  19 ++++
 kernel/cgroup/cgroup-v1.c         |  33 +++---
 kernel/cgroup/cgroup.c            | 147 ++++++++++++-------------
 net/nfc/core.c                    |  32 +++---
 net/nfc/nci/core.c                |  34 ++++--
 net/nfc/netlink.c                 |  15 +++
 net/phonet/pep.c                  |   1 +
 net/rds/connection.c              |   1 +
 17 files changed, 299 insertions(+), 218 deletions(-)
--
2.25.1