Hi! > CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access() > > CVSS v3 score is not provided. > > ION is a memory manager which is used by Android. This CVE may affect > 4.4, 4.19, and 5.10 however according to the cip-kernel-config, no cip > member enabled ION. The ION driver has been removed since 5.11. > > Fixed status > > mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf] Furthermore, CIP members should really not be using code from staging. > * Updated CVEs > > CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in > avc_ca_pmt() > > 4.19 and 5.X kernels have been fixed in this week. However, appliying > patch to 4.4 and 4.9 are failed. > According to the cip-kernel-config repo, no CIP member uses firewire driver. This one looks rather easy to backport. It failed only because reformatting of the printk. > CVE-2021-3640: UAF in sco_send_frame function > > Fixed commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth: > sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches > for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to stable mailing > list on Nov 9. This fix can be applied to 4.4 by git-am without error. > > mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951] Would it make sense to ask why it was not applied? Best regards, Pavel diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c index 280b5ffea592..3a373711f5ad 100644 --- a/drivers/media/firewire/firedtv-avc.c +++ b/drivers/media/firewire/firedtv-avc.c @@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) read_pos += program_info_length; write_pos += program_info_length; } - while (read_pos < length) { + while (read_pos + 4 < length) { + if (write_pos + 4 >= sizeof(c->operand) - 4) { + ret = -EINVAL; + goto out; + } c->operand[write_pos++] = msg[read_pos++]; c->operand[write_pos++] = msg[read_pos++]; c->operand[write_pos++] = msg[read_pos++]; @@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) c->operand[write_pos++] = es_info_length >> 8; c->operand[write_pos++] = es_info_length & 0xff; if (es_info_length > 0) { + if (read_pos >= length) { + ret = -EINVAL; + goto out; + } pmt_cmd_id = msg[read_pos++]; if (pmt_cmd_id != 1 && pmt_cmd_id != 4) dev_err(fdtv->device, "invalid pmt_cmd_id %d " "at stream level\n", pmt_cmd_id); - if (es_info_length > sizeof(c->operand) - 4 - - write_pos) { + if (es_info_length > sizeof(c->operand) - 4 - write_pos || + es_info_length > length - read_pos) { ret = -EINVAL; goto out; } diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c index e63f582378bf..f07482fb8010 100644 --- a/drivers/media/firewire/firedtv-ci.c +++ b/drivers/media/firewire/firedtv-ci.c @@ -138,6 +138,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg) } else { data_length = msg->msg[3]; } + if (data_length > sizeof(msg->msg) - data_pos) + return -EINVAL; return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length); } -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany