forked from coolsnowwolf/lede
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[bot] AutoMerging: merge all upstream's changes:
* https://github.com/coolsnowwolf/lede:
  x86: switch kernel to 6.1 by default
  kernel: bump 6.1 to 6.1.5
  ksmbd: Fix ZDI-CAN-18259
  octeontx: add squashfs and ramdisk to features
  base-files: add protocol qmi/mbim support for ucidef_set_interface()
  base-files: add helper functions for adding wlan device entries to board.json
  generic: fix silicon labs spidev bindings
  mt76: add stand-alone MT7622 firmware package
  mt76: add stand-alone MT7915 firmware package
  mt76: remove unnecessary dependency from mt7915e
  iwinfo: backport IPQ8074 and QCNxxxx devices support (coolsnowwolf#10743)
  kernel: bump 6.1 to 6.1.4
  kernel: fix ethernet regression on mt7986
  kernel: mediatek: fix WED offload regression on MT7622
  kernel: mediatek: improve ethernet fix for dealing with small fragments
  generic: 5.10: backport Treat IPv4 segment's lowest address as unicast
Showing 32 changed files with 531 additions and 155 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,2 @@ | ||
LINUX_VERSION-6.1 = .3 | ||
LINUX_KERNEL_HASH-6.1.3 = 6dc89ae7a7513e433c597c7346ed7ff4bfd115ea43a3b5e27a6bdb38c5580317 | ||
LINUX_VERSION-6.1 = .5 | ||
LINUX_KERNEL_HASH-6.1.5 = bc7f6d9a8a8bbe9a723e82346bba94b58d926f78bfba106b21e041e0290076fc |
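Review bot: the new `LINUX_KERNEL_HASH-6.1.5` value arrives through an automated upstream merge, and nothing in this hunk shows it was checked independently. Before merging, compare it with the SHA-256 listed for linux-6.1.5.tar.xz in the signed sha256sums.asc on kernel.org, because the build trusts this value when it verifies the downloaded tarball. The commit list mentions both a 6.1.4 and a 6.1.5 bump, so it is also worth confirming that no leftover `LINUX_KERNEL_HASH-6.1.4` line remains in the file.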
File renamed without changes.
36 changes: 36 additions & 0 deletions
package/kernel/ksmbd/patches/10-ksmbd-check-nt_len-to-be-at-least-CIFS_ENCPWD_SIZE-i.patch
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
From 8824b7af409f51f1316e92e9887c2fd48c0b26d6 Mon Sep 17 00:00:00 2001 | ||
From: William Liu <will@willsroot.io> | ||
Date: Fri, 30 Dec 2022 09:13:35 +0900 | ||
Subject: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in | ||
ksmbd_decode_ntlmssp_auth_blob | ||
MIME-Version: 1.0 | ||
Content-Type: text/plain; charset=UTF-8 | ||
Content-Transfer-Encoding: 8bit | ||
|
||
"nt_len - CIFS_ENCPWD_SIZE" is passed directly from | ||
ksmbd_decode_ntlmssp_auth_blob to ksmbd_auth_ntlmv2. Malicious requests | ||
can set nt_len to less than CIFS_ENCPWD_SIZE, which results in a negative | ||
number (or large unsigned value) used for a subsequent memcpy in | ||
ksmbd_auth_ntlvm2 and can cause a panic. | ||
|
||
Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3") | ||
Cc: stable@vger.kernel.org | ||
Signed-off-by: William Liu <will@willsroot.io> | ||
Signed-off-by: Hrvoje Mišetić <misetichrvoje@gmail.com> | ||
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> | ||
--- | ||
auth.c | 3 ++- | ||
1 file changed, 2 insertions(+), 1 deletion(-) | ||
|
||
--- a/auth.c | ||
+++ b/auth.c | ||
@@ -583,7 +583,8 @@ int ksmbd_decode_ntlmssp_auth_blob(struc | ||
dn_off = le32_to_cpu(authblob->DomainName.BufferOffset); | ||
dn_len = le16_to_cpu(authblob->DomainName.Length); | ||
|
||
- if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len) | ||
+ if (blob_len < (u64)dn_off + dn_len || blob_len < (u64)nt_off + nt_len || | ||
+ nt_len < CIFS_ENCPWD_SIZE) | ||
return -EINVAL; | ||
|
||
#ifdef CONFIG_SMB_INSECURE_SERVER |
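Review bot: the added `nt_len < CIFS_ENCPWD_SIZE` test in ksmbd_decode_ntlmssp_auth_blob protects only this call site; the subtraction `nt_len - CIFS_ENCPWD_SIZE` described in the message is still handed to ksmbd_auth_ntlmv2 as a bare length, so a matching lower-bound check (or an unsigned, validated length parameter) inside ksmbd_auth_ntlmv2 would keep the memcpy safe if another caller exists or is added later. The guard sits above the `#ifdef CONFIG_SMB_INSECURE_SERVER` block, so please confirm the code under that option accepts the same minimum length. Two housekeeping points: the message spells the callee both `ksmbd_auth_ntlmv2` and `ksmbd_auth_ntlvm2`, which hampers grep, and since this is carried as local patch 10 it should be dropped once the packaged ksmbd source already contains upstream commit 8824b7af409f.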
63 changes: 63 additions & 0 deletions
package/kernel/ksmbd/patches/11-ksmbd-fix-infinite-loop-in-ksmbd_conn_handler_loop.patch
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
From cc4f3b5a6ab4693aba94a45cc073188df4d67175 Mon Sep 17 00:00:00 2001 | ||
From: Namjae Jeon <linkinjeon@kernel.org> | ||
Date: Mon, 26 Dec 2022 01:28:52 +0900 | ||
Subject: ksmbd: fix infinite loop in ksmbd_conn_handler_loop() | ||
|
||
If kernel_recvmsg() return -EAGAIN in ksmbd_tcp_readv() and go round | ||
again, It will cause infinite loop issue. And all threads from next | ||
connections would be doing that. This patch add max retry count(2) to | ||
avoid it. kernel_recvmsg() will wait during 7sec timeout and try to | ||
retry two time if -EAGAIN is returned. And add flags of kvmalloc to | ||
__GFP_NOWARN and __GFP_NORETRY to disconnect immediately without | ||
retrying on memory alloation failure. | ||
|
||
Fixes: 0626e66 ("cifsd: add server handler for central processing and tranport layers") | ||
Cc: stable@vger.kernel.org | ||
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18259 | ||
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> | ||
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> | ||
--- | ||
connection.c | 7 +++++-- | ||
transport_tcp.c | 5 ++++- | ||
2 files changed, 9 insertions(+), 3 deletions(-) | ||
|
||
--- a/connection.c | ||
+++ b/connection.c | ||
@@ -337,9 +337,12 @@ int ksmbd_conn_handler_loop(void *p) | ||
|
||
/* 4 for rfc1002 length field */ | ||
size = pdu_size + 4; | ||
- conn->request_buf = kvmalloc(size, GFP_KERNEL); | ||
+ conn->request_buf = kvmalloc(size, | ||
+ GFP_KERNEL | | ||
+ __GFP_NOWARN | | ||
+ __GFP_NORETRY); | ||
if (!conn->request_buf) | ||
- continue; | ||
+ break; | ||
|
||
memcpy(conn->request_buf, hdr_buf, sizeof(hdr_buf)); | ||
if (!ksmbd_smb_request(conn)) | ||
--- a/transport_tcp.c | ||
+++ b/transport_tcp.c | ||
@@ -323,6 +323,7 @@ static int ksmbd_tcp_readv(struct tcp_tr | ||
struct msghdr ksmbd_msg; | ||
struct kvec *iov; | ||
struct ksmbd_conn *conn = KSMBD_TRANS(t)->conn; | ||
+ int max_retry = 2; | ||
|
||
iov = get_conn_iovec(t, nr_segs); | ||
if (!iov) | ||
@@ -349,9 +350,11 @@ static int ksmbd_tcp_readv(struct tcp_tr | ||
} else if (conn->status == KSMBD_SESS_NEED_RECONNECT) { | ||
total_read = -EAGAIN; | ||
break; | ||
- } else if (length == -ERESTARTSYS || length == -EAGAIN) { | ||
+ } else if ((length == -ERESTARTSYS || length == -EAGAIN) && | ||
+ max_retry) { | ||
usleep_range(1000, 2000); | ||
length = 0; | ||
+ max_retry--; | ||
continue; | ||
} else if (length <= 0) { | ||
total_read = -EAGAIN; |
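Review bot: in the second transport_tcp.c hunk, `max_retry` is set to 2 once per ksmbd_tcp_readv call and only ever decremented, so the budget is shared across the whole read rather than per stall; a client that makes progress between timeouts is still cut off after the third -EAGAIN or -ERESTARTSYS. If that is intended, a comment next to `int max_retry = 2;` should say so; otherwise reset the counter after a successful partial read. Once the budget is spent, the code falls through to the `length <= 0` branch and reports -EAGAIN even when the original error was -ERESTARTSYS, which loses the distinction for the caller. In the connection.c hunk, `continue` becomes `break` on a failed `kvmalloc(size, ...)` with `__GFP_NORETRY`, so an allocation failure now ends the connection; since `size` is `pdu_size + 4`, please confirm that `pdu_size` is bounded against the negotiated maximum before this point, because that check is not visible in the hunk.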