WSL2-Linux-Kernel/drivers
Mazin Al Haddad 309aea4b6b tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf()
commit f16c6d2e58 upstream.

A null pointer dereference can happen when attempting to access the
"gsm->receive()" function in gsmld_receive_buf(). Currently, the code
assumes that gsm->receive is only called after MUX activation.
Since the gsmld_receive_buf() function can be accessed without the need to
initialize the MUX, the gsm->receive() function will not be set and a
NULL pointer dereference will occur.

Fix this by avoiding the call to "gsm->receive()" in case the function is
not initialized by adding a sanity check.

Call Trace:
 <TASK>
 gsmld_receive_buf+0x1c2/0x2f0 drivers/tty/n_gsm.c:2861
 tiocsti drivers/tty/tty_io.c:2293 [inline]
 tty_ioctl+0xa75/0x15d0 drivers/tty/tty_io.c:2692
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Link: https://syzkaller.appspot.com/bug?id=bdf035c61447f8c6e0e6920315d577cb5cc35ac5
Fixes: 01aecd9171 ("tty: n_gsm: fix tty registration before control channel open")
Cc: stable <stable@kernel.org>
Reported-and-tested-by: syzbot+e3563f0c94e188366dbb@syzkaller.appspotmail.com
Signed-off-by: Mazin Al Haddad <mazinalhaddad05@gmail.com>
Link: https://lore.kernel.org/r/20220814015211.84180-1-mazinalhaddad05@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-09-08 12:28:08 +02:00
accessibility tty: the rest, stop using tty_schedule_flip() 2022-07-29 17:25:32 +02:00
acpi ACPI: thermal: drop an always true check 2022-09-05 10:30:03 +02:00
amba
android binder: fix alloc->vma_vm_mm null-ptr dereference 2022-09-08 12:28:04 +02:00
ata ata: libata-eh: Add missing command name 2022-08-25 11:39:55 +02:00
atm atm: idt77252: fix use-after-free bugs caused by tst_timer 2022-08-25 11:40:15 +02:00
auxdisplay
base driver core: Don't probe devices after bus_type.match() probe deferral 2022-09-08 12:28:07 +02:00
bcma
block xen-blkfront: Cache feature_persistent value before advertisement 2022-09-08 12:28:05 +02:00
bluetooth Bluetooth: hci_intel: Add check for platform_driver_register 2022-08-17 14:23:34 +02:00
bus bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() 2022-08-17 14:23:10 +02:00
cdrom
char random: update comment from copy_to_user() -> copy_to_iter() 2022-06-29 09:03:31 +02:00
clk clk: bcm: rpi: Add missing newline 2022-09-08 12:28:05 +02:00
clocksource clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup() 2022-07-07 17:53:32 +02:00
comedi comedi: vmk80xx: fix expression for tx buffer size 2022-06-22 14:22:03 +02:00
connector
counter
cpufreq cpufreq: pmac32-cpufreq: Fix refcount leak bug 2022-07-21 21:24:34 +02:00
cpuidle cpuidle: PSCI: Improve support for suspend-to-RAM for PSCI OSI mode 2022-06-09 10:22:33 +02:00
crypto crypto: hisilicon/sec - fix auth key size error 2022-08-17 14:23:35 +02:00
cxl cxl/port: Hold port reference until decoder release 2022-07-12 16:34:58 +02:00
dax dax: make sure inodes are flushed before destroy cache 2022-04-08 14:23:31 +02:00
dca
devfreq PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events 2022-07-07 17:53:27 +02:00
dio
dma dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync() failed 2022-08-25 11:40:38 +02:00
dma-buf udmabuf: Set the DMA mask for the udmabuf device (v2) 2022-09-05 10:30:06 +02:00
edac EDAC/ghes: Set the DIMM label unconditionally 2022-08-03 12:03:55 +02:00
eisa
extcon extcon: Modify extcon device to be created after driver data is set 2022-06-14 18:36:22 +02:00
firewire firewire: core: extend card->lock in fw_core_handle_bus_reset 2022-05-12 12:30:05 +02:00
firmware firmware: tegra: bpmp: Do only aligned access to IPC memory area 2022-09-05 10:30:03 +02:00
fpga fpga: altera-pr-ip: fix unsigned comparison with less than zero 2022-08-17 14:23:41 +02:00
fsi fsi: occ: Force sequence numbering per OCC 2022-07-07 17:53:32 +02:00
gnss
gpio gpio: pca953x: Add mutex_lock for regcache sync in PM 2022-09-08 12:28:05 +02:00
gpu drm/i915: Skip wm/ddb readout for disabled pipes 2022-09-08 12:28:08 +02:00
greybus
hid HID: thrustmaster: Add sparco wheel and fix array length 2022-09-05 10:30:08 +02:00
hsi
hv Drivers: hv: balloon: Support status report for larger page sizes 2022-09-05 10:30:04 +02:00
hwmon hwmon: (gpio-fan) Fix array out of bounds access 2022-09-08 12:28:05 +02:00
hwspinlock
hwtracing coresight: etm4x: avoid build failure with unrolled loops 2022-08-25 11:40:35 +02:00
i2c i2c: imx: Make sure to unregister adapter on remove() 2022-08-25 11:40:26 +02:00
i3c
idle intel_idle: Disable IBRS during long idle 2022-07-23 12:54:04 +02:00
iio iio: adc: mcp3911: use correct formula for AD conversion 2022-09-08 12:28:04 +02:00
infiniband RDMA/rxe: Limit the number of calls to each tasklet 2022-08-25 11:40:37 +02:00
input Input: rk805-pwrkey - fix module autoloading 2022-09-08 12:28:05 +02:00
interconnect interconnect: imx: fix max_node_id 2022-08-17 14:23:53 +02:00
iommu iommu/io-pgtable-arm-v7s: Add a quirk to allow pgtable PA up to 35bit 2022-08-25 11:40:41 +02:00
ipack
irqchip irqchip/tegra: Fix overflow implicit truncation warnings 2022-08-25 11:40:32 +02:00
isdn
leds
macintosh macintosh/adb: fix oob read in do_adb_query() function 2022-08-11 13:07:54 +02:00
mailbox mailbox: forward the hrtimer if not queued and under a lock 2022-06-09 10:23:12 +02:00
mcb
md md: call __md_stop_writes in md_stop 2022-08-31 17:16:50 +02:00
media media: mceusb: Use new usb_control_msg_*() routines 2022-09-08 12:28:06 +02:00
memory memory: renesas-rpc-if: Avoid unaligned bus access for HyperFlash 2022-07-12 16:34:52 +02:00
memstick memstick/ms_block: Fix a memory leak 2022-08-17 14:23:50 +02:00
message
mfd mfd: max77620: Fix refcount leak in max77620_initialise_fps 2022-08-17 14:24:09 +02:00
misc misc: fastrpc: fix memory corruption on open 2022-09-08 12:28:04 +02:00
mmc mmc: core: Fix inconsistent sd3_bus_mode at UHS-I SD voltage switch failure 2022-09-08 12:28:04 +02:00
most
mtd mtd: spi-nor: fix spi_nor_spimem_setup_op() call in spi_nor_erase_{sector,chip}() 2022-08-17 14:23:58 +02:00
mux
net net: Use u64_stats_fetch_begin_irq() for stats fetch. 2022-09-08 12:28:07 +02:00
nfc nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout 2022-08-31 17:16:38 +02:00
ntb NTB: ntb_tool: uninitialized heap data in tool_fn_write() 2022-08-25 11:40:14 +02:00
nubus
nvdimm nvdimm: Fix badblocks clear off-by-one error 2022-07-07 17:53:24 +02:00
nvme block: add a bdev_max_zone_append_sectors helper 2022-08-31 17:16:34 +02:00
nvmem
of of/fdt: declared return type does not match actual return type 2022-08-17 14:23:59 +02:00
opp opp: Fix error check in dev_pm_opp_attach_genpd() 2022-08-17 14:24:01 +02:00
parisc parisc: Check the return value of ioremap() in lba_driver_probe() 2022-08-17 14:22:51 +02:00
parport
pci Revert "PCI/portdrv: Don't disable AER reporting in get_port_device_capability()" 2022-09-05 10:30:06 +02:00
pcmcia pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards 2022-06-14 18:36:02 +02:00
perf drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX 2022-08-17 14:23:14 +02:00
phy phy: samsung: phy-exynos-pcie: sanitize init/power_on callbacks 2022-08-25 11:40:39 +02:00
pinctrl pinctrl: intel: Check against matching data instead of ACPI companion 2022-08-25 11:40:36 +02:00
platform platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask 2022-09-08 12:28:01 +02:00
pnp
power power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe 2022-07-29 17:25:10 +02:00
powercap
pps pps: clients: gpio: Propagate return value from pps_gpio_probe 2022-04-08 14:23:44 +02:00
ps3
ptp ptp: replace snprintf with sysfs_emit 2022-04-13 20:59:01 +02:00
pwm pwm: lpc18xx: Fix period handling 2022-08-17 14:23:16 +02:00
rapidio
ras
regulator regulator: of: Fix refcount leak bug in of_get_regulation_constraints() 2022-08-17 14:23:14 +02:00
remoteproc remoteproc: sysmon: Wait for SSCTL service to come up 2022-08-17 14:24:09 +02:00
reset reset: tegra-bpmp: Restore Handle errors in BPMP response 2022-04-27 14:38:55 +02:00
rpmsg rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge 2022-08-17 14:24:08 +02:00
rtc rtc: rx8025: fix 12/24 hour mode detection on RX-8035 2022-08-17 14:22:53 +02:00
s390 scsi: zfcp: Fix missing auto port scan and thus missing target ports 2022-08-17 14:24:16 +02:00
sbus
scsi scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq 2022-08-31 17:16:51 +02:00
sh
siox
slimbus slimbus: qcom: Fix IRQ check in qcom_slim_probe 2022-05-18 10:26:55 +02:00
soc soc: qcom: Make QCOM_RPMPD depend on PM 2022-08-17 14:23:14 +02:00
soundwire soundwire: qcom: fix device status array range 2022-09-08 12:28:03 +02:00
spi spi: meson-spicc: add local pow2 clock ops to preserve rate between messages 2022-08-25 11:40:23 +02:00
spmi
ssb
staging staging: r8188eu: add firmware dependency 2022-09-08 12:28:03 +02:00
target target: remove an incorrect unmap zeroes data deduction 2022-06-09 10:22:47 +02:00
tc
tee tee: add overflow check in register_shm_helper() 2022-08-21 15:17:47 +02:00
thermal thermal: sysfs: Fix cooling_device_stats_setup() error code path 2022-08-17 14:22:50 +02:00
thunderbolt thunderbolt: Use the actual buffer in tb_async_error() 2022-09-08 12:28:05 +02:00
tty tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf() 2022-09-08 12:28:08 +02:00
uio
usb usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS 2022-09-08 12:28:07 +02:00
vdpa vduse: Tie vduse mgmtdev and its device 2022-07-21 21:24:33 +02:00
vfio vfio: Clear the caps->buf to NULL after free 2022-08-25 11:40:41 +02:00
vhost vringh: Fix loop descriptors check in the indirect cases 2022-06-14 18:36:24 +02:00
video fbdev: fb_pm2fb: Avoid potential divide by zero error 2022-09-05 10:30:07 +02:00
virt vboxguest: Do not use devm for irq 2022-08-25 11:40:33 +02:00
virtio virtio_mmio: Restore guest page size on resume 2022-07-21 21:24:33 +02:00
visorbus
vlynq
vme
w1 w1: w1_therm: fixes w1_seq for ds28ea00 sensors 2022-04-13 20:59:11 +02:00
watchdog watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() 2022-08-17 14:24:11 +02:00
xen xen/grants: prevent integer overflow in gnttab_dma_alloc_pages() 2022-09-08 12:28:05 +02:00
zorro
Kconfig
Makefile