author | Ben Hutchings <ben@decadent.org.uk> | 2019-06-06 21:40:18 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-06-06 21:40:18 +0100 |
commit | 67ccdddf1a73dc878130b6c4477af0dad13e9781 (patch) | |
tree | b91a926f438a050f0e952251fabca613e90baa2b | |
parent | a44fe45dcd6971deacbd9fc47c7febd8390581d2 (diff) | |
Add various security fixes
7 files changed, 386 insertions, 0 deletions
diff --git a/queue-3.16/bluetooth-hidp-fix-buffer-overflow.patch b/queue-3.16/bluetooth-hidp-fix-buffer-overflow.patch
new file mode 100644
index 00000000..e1fb3792
--- /dev/null
+++ b/queue-3.16/bluetooth-hidp-fix-buffer-overflow.patch
@@ -0,0 +1,29 @@
+From: Young Xiao <YangX92@hotmail.com>
+Date: Fri, 12 Apr 2019 15:24:30 +0800
+Subject: Bluetooth: hidp: fix buffer overflow
+
+commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.
+
+Struct ca is copied from userspace. It is not checked whether the "name"
+field is NULL terminated, which allows local users to obtain potentially
+sensitive information from kernel stack memory, via a HIDPCONNADD command.
+
+This vulnerability is similar to CVE-2011-1079.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/bluetooth/hidp/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/hidp/sock.c
++++ b/net/bluetooth/hidp/sock.c
+@@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket
+ sockfd_put(csock);
+ return err;
+ }
++ ca.name[sizeof(ca.name)-1] = 0;
+
+ err = hidp_connection_add(&ca, csock, isock);
+ if (!err && copy_to_user(argp, &ca, sizeof(ca)))
diff --git a/queue-3.16/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch b/queue-3.16/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
new file mode 100644
index 00000000..e844b6ea
--- /dev/null
+++ b/queue-3.16/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
@@ -0,0 +1,41 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 May 2019 15:47:03 -0700
+Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
+
+commit 6a024330650e24556b8a18cc654ad00cfecf6c6c upstream.
+
+The "param.count" value is a u64 thatcomes from the user. The code
+later in the function assumes that param.count is at least one and if
+it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.
+
+Also the addition can have an integer overflow which would lead us to
+allocate a smaller "pages" array than required. I can't immediately
+tell what the possible run times implications are, but it's safest to
+prevent the overflow.
+
+Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Timur Tabi <timur@freescale.com>
+Cc: Mihai Caraman <mihai.caraman@freescale.com>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/virt/fsl_hypervisor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i
+ * hypervisor.
+ */
+ lb_offset = param.local_vaddr & (PAGE_SIZE - 1);
++ if (param.count == 0 ||
++ param.count > U64_MAX - lb_offset - PAGE_SIZE + 1)
++ return -EINVAL;
+ num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
+
+ /* Allocate the buffers we need */
diff --git a/queue-3.16/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch b/queue-3.16/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
new file mode 100644
index 00000000..0c0e0cdd
--- /dev/null
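Review bot: The new guard in ioctl_memcpy is correct but uncommented, and the bound `U64_MAX - lb_offset - PAGE_SIZE + 1` is only obvious once you rederive it from the `num_pages` sum on the following line. A short comment above the `if` would save the next reader that derivation, e.g. `/* count == 0 would make num_pages 0 (ZERO_SIZE_PTR); the bound keeps count + lb_offset + PAGE_SIZE - 1 from wrapping */`. The commit message carries exactly this reasoning, so the comment only moves it next to the code. ioctl_memcpy's body begins and ends outside the hunk.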
+++ b/queue-3.16/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch 
@@ -0,0 +1,77 @@
+From: Sriram Rajagopalan <sriramr@arista.com>
+Date: Fri, 10 May 2019 19:28:06 -0400
+Subject: ext4: zero out the unused memory region in the extent tree block
+
+commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream.
+
+This commit zeroes out the unused memory region in the buffer_head
+corresponding to the extent metablock after writing the extent header
+and the corresponding extent node entries.
+
+This is done to prevent random uninitialized data from getting into
+the filesystem when the extent block is synced.
+
+This fixes CVE-2019-11833.
+
+Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext4/extents.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1016,6 +1016,7 @@ static int ext4_ext_split(handle_t *hand
+ __le32 border;
+ ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* make decision: where to split? */
+ /* FIXME: now decision is simplest: at current extent */
+@@ -1107,6 +1108,10 @@ static int ext4_ext_split(handle_t *hand
+ le16_add_cpu(&neh->eh_entries, m);
+ }
+
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1186,6 +1191,11 @@ static int ext4_ext_split(handle_t *hand
+ sizeof(struct ext4_extent_idx) * m);
+ le16_add_cpu(&neh->eh_entries, m);
+ }
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));
++ memset(bh->b_data + ext_size, 0,
++ inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1251,6 +1261,7 @@ static int ext4_ext_grow_indepth(handle_
+ struct buffer_head *bh;
+ ext4_fsblk_t newblock;
+ int err = 0;
++ size_t ext_size = 0;
+
+ newblock = ext4_ext_new_meta_block(handle, inode, NULL,
+ newext, &err, flags);
+@@ -1268,9 +1279,11 @@ static int ext4_ext_grow_indepth(handle_
+ goto out;
+ }
+
++ ext_size = sizeof(EXT4_I(inode)->i_data);
+ /* move top-level index/leaf into new block */
+- memmove(bh->b_data, EXT4_I(inode)->i_data,
+- sizeof(EXT4_I(inode)->i_data));
++ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);
++ /* zero out unused area in the extent block */
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+
+ /* set size of new block */
+ neh = ext_block_hdr(bh);
diff --git a/queue-3.16/mm-introduce-vma_is_anonymous-vma-helper.patch b/queue-3.16/mm-introduce-vma_is_anonymous-vma-helper.patch
new file mode 100644
index 00000000..048a4b4f
--- /dev/null
+++ b/queue-3.16/mm-introduce-vma_is_anonymous-vma-helper.patch
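Review bot: In the second ext4_ext_split hunk (the one at line 1186) the zeroed region is sized with `sizeof(struct ext4_extent)` although the surrounding code is the index-block path, as the preceding context line `sizeof(struct ext4_extent_idx) * m` shows. Both on-disk structures are 12 bytes, so the memset length is right and no uninitialized bytes are left behind, but the mismatch reads like a copy of the leaf-path hunk and a future size change to either struct would silently break it; `ext_size = sizeof(struct ext4_extent_header) + (sizeof(struct ext4_extent_idx) * le16_to_cpu(neh->eh_entries));` says what is meant. This appears to be carried verbatim from the upstream commit, so if the backport keeps it for diff-minimality a one-line comment noting the equal sizes would do. ext4_ext_split and ext4_ext_grow_indepth both begin and end outside the hunks.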
@@ -0,0 +1,74 @@
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Tue, 8 Sep 2015 14:58:28 -0700
+Subject: mm: introduce vma_is_anonymous(vma) helper
+
+commit b5330628546616af14ff23075fbf8d4ad91f6e25 upstream.
+
+special_mapping_fault() is absolutely broken. It seems it was always
+wrong, but this didn't matter until vdso/vvar started to use more than
+one page.
+
+And after this change vma_is_anonymous() becomes really trivial, it
+simply checks vm_ops == NULL. However, I do think the helper makes
+sense. There are a lot of ->vm_ops != NULL checks, the helper makes the
+caller's code more understandable (self-documented) and this is more
+grep-friendly.
+
+This patch (of 3):
+
+Preparation. Add the new simple helper, vma_is_anonymous(vma), and change
+handle_pte_fault() to use it. It will have more users.
+
+The name is not accurate, say a hpet_mmap()'ed vma is not anonymous.
+Perhaps it should be named vma_has_fault() instead. But it matches the
+logic in mmap.c/memory.c (see next changes). "True" just means that a
+page fault will use do_anonymous_page().
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16 as dependency of "mm/mincore.c: make mincore() more
+ conservative"; adjusted context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/mm.h | 5 +++++
+ mm/memory.c | 8 ++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1241,6 +1241,11 @@ int get_cmdline(struct task_struct *task
+
+ int vma_is_stack_for_task(struct vm_area_struct *vma, struct task_struct *t);
+
++static inline bool vma_is_anonymous(struct vm_area_struct *vma)
++{
++ return !vma->vm_ops;
++}
++
+ extern unsigned long move_page_tables(struct vm_area_struct *vma,
+ unsigned long old_addr, struct vm_area_struct *new_vma,
+ unsigned long new_addr, unsigned long len,
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -3105,12 +3105,12 @@ static int handle_pte_fault(struct mm_st
+ entry = *pte;
+ if (!pte_present(entry)) {
+ if (pte_none(entry)) {
+- if (vma->vm_ops)
++ if (vma_is_anonymous(vma))
++ return do_anonymous_page(mm, vma, address,
++ pte, pmd, flags);
++ else
+ return do_fault(mm, vma, address, pte,
+ pmd, flags, entry);
+-
+- return do_anonymous_page(mm, vma, address,
+- pte, pmd, flags);
+ }
+ return do_swap_page(mm, vma, address,
+ pte, pmd, flags, entry);
diff --git a/queue-3.16/mm-mincore.c-make-mincore-more-conservative.patch b/queue-3.16/mm-mincore.c-make-mincore-more-conservative.patch
new file mode 100644
index 00000000..f82b85d8
--- /dev/null
+++ b/queue-3.16/mm-mincore.c-make-mincore-more-conservative.patch
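Review bot: The new vma_is_anonymous() inline in include/linux/mm.h has no comment, and the commit message itself admits the name is inaccurate (a hpet_mmap()'ed vma passes the test) and that "true" really means a fault will be handled by do_anonymous_page(). Since this backport exists so that the mincore() change can use the helper as a privacy gate, that caveat belongs on the declaration rather than only in the log: `/* True when a fault on @vma is handled by do_anonymous_page(), i.e. it has no vm_ops; not a strict "anonymous memory" test. */`. The handle_pte_fault() hunk is a straight substitution and needs no further note; that function begins and ends outside the hunk.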
@@ -0,0 +1,86 @@
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Tue, 14 May 2019 15:41:38 -0700
+Subject: mm/mincore.c: make mincore() more conservative
+
+commit 134fca9063ad4851de767d1768180e5dede9a881 upstream.
+
+The semantics of what mincore() considers to be resident is not
+completely clear, but Linux has always (since 2.3.52, which is when
+mincore() was initially done) treated it as "page is available in page
+cache".
+
+That's potentially a problem, as that [in]directly exposes
+meta-information about pagecache / memory mapping state even about
+memory not strictly belonging to the process executing the syscall,
+opening possibilities for sidechannel attacks.
+
+Change the semantics of mincore() so that it only reveals pagecache
+information for non-anonymous mappings that belog to files that the
+calling process could (if it tried to) successfully open for writing;
+otherwise we'd be including shared non-exclusive mappings, which
+
+ - is the sidechannel
+
+ - is not the usecase for mincore(), as that's primarily used for data,
+ not (shared) text
+
+[jkosina@suse.cz: v2]
+ Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz
+[mhocko@suse.com: restructure can_do_mincore() conditions]
+Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Josh Snyder <joshs@netflix.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
+Originally-by: Dominique Martinet <asmadeus@codewreck.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Dave Chinner <david@fromorbit.com>
+Cc: Kevin Easton <kevin@guarana.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Cyril Hrubis <chrubis@suse.cz>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Daniel Gruss <daniel@gruss.cc>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/mm/mincore.c
++++ b/mm/mincore.c
+@@ -212,6 +212,22 @@ static void mincore_page_range(struct vm
+ } while (pgd++, addr = next, addr != end);
+ }
+
++static inline bool can_do_mincore(struct vm_area_struct *vma)
++{
++ if (vma_is_anonymous(vma))
++ return true;
++ if (!vma->vm_file)
++ return false;
++ /*
++ * Reveal pagecache information only for non-anonymous mappings that
++ * correspond to the files the calling process could (if tried) open
++ * for writing; otherwise we'd be including shared non-exclusive
++ * mappings, which opens a side channel.
++ */
++ return inode_owner_or_capable(file_inode(vma->vm_file)) ||
++ inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0;
++}
++
+ /*
+ * Do a chunk of "sys_mincore()". We've already checked
+ * all the arguments, we hold the mmap semaphore: we should
+@@ -227,6 +243,11 @@ static long do_mincore(unsigned long add
+ return -ENOMEM;
+
+ end = min(vma->vm_end, addr + (pages << PAGE_SHIFT));
++ if (!can_do_mincore(vma)) {
++ unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE);
++ memset(vec, 1, pages);
++ return pages;
++ }
+
+ if (is_vm_hugetlb_page(vma))
+ mincore_hugetlb_page_range(vma, addr, end, vec);
diff --git a/queue-3.16/scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch b/queue-3.16/scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch
new file mode 100644
index 00000000..bd5e0b24
--- /dev/null
+++ b/queue-3.16/scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch
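Review bot: In the do_mincore hunk the new block declares a local `unsigned long pages` that shadows the `pages` used on the preceding context line `addr + (pages << PAGE_SHIFT)` (presumably the function parameter). The arithmetic is still right, because `end` was already clamped from the outer value before the shadow begins, but the reuse trips `-Wshadow` and makes it easy to misread which count is returned; `unsigned long nr = DIV_ROUND_UP(end - addr, PAGE_SIZE);` / `memset(vec, 1, nr);` / `return nr;` avoids that. This looks carried verbatim from upstream, so if it is kept for diff-minimality a brief comment that the denied range is deliberately reported as resident (rather than as an error) would help the next reader of the privacy check. do_mincore's body begins and ends outside the hunk.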
@@ -0,0 +1,73 @@
+From: Jason Yan <yanaijie@huawei.com>
+Date: Fri, 15 Feb 2019 19:50:27 +0800
+Subject: scsi: megaraid_sas: return error when create DMA pool failed
+
+commit bcf3b67d16a4c8ffae0aa79de5853435e683945c upstream.
+
+when create DMA pool for cmd frames failed, we should return -ENOMEM,
+instead of 0.
+In some case in:
+
+ megasas_init_adapter_fusion()
+
+ -->megasas_alloc_cmds()
+ -->megasas_create_frame_pool
+ create DMA pool failed,
+ --> megasas_free_cmds() [1]
+
+ -->megasas_alloc_cmds_fusion()
+ failed, then goto fail_alloc_cmds.
+ -->megasas_free_cmds() [2]
+
+we will call megasas_free_cmds twice, [1] will kfree cmd_list,
+[2] will use cmd_list.it will cause a problem:
+
+Unable to handle kernel NULL pointer dereference at virtual address
+00000000
+pgd = ffffffc000f70000
+[00000000] *pgd=0000001fbf893003, *pud=0000001fbf893003,
+*pmd=0000001fbf894003, *pte=006000006d000707
+Internal error: Oops: 96000005 [#1] SMP
+ Modules linked in:
+ CPU: 18 PID: 1 Comm: swapper/0 Not tainted
+ task: ffffffdfb9290000 ti: ffffffdfb923c000 task.ti: ffffffdfb923c000
+ PC is at megasas_free_cmds+0x30/0x70
+ LR is at megasas_free_cmds+0x24/0x70
+ ...
+ Call trace:
+ [<ffffffc0005b779c>] megasas_free_cmds+0x30/0x70
+ [<ffffffc0005bca74>] megasas_init_adapter_fusion+0x2f4/0x4d8
+ [<ffffffc0005b926c>] megasas_init_fw+0x2dc/0x760
+ [<ffffffc0005b9ab0>] megasas_probe_one+0x3c0/0xcd8
+ [<ffffffc0004a5abc>] local_pci_probe+0x4c/0xb4
+ [<ffffffc0004a5c40>] pci_device_probe+0x11c/0x14c
+ [<ffffffc00053a5e4>] driver_probe_device+0x1ec/0x430
+ [<ffffffc00053a92c>] __driver_attach+0xa8/0xb0
+ [<ffffffc000538178>] bus_for_each_dev+0x74/0xc8
+ [<ffffffc000539e88>] driver_attach+0x28/0x34
+ [<ffffffc000539a18>] bus_add_driver+0x16c/0x248
+ [<ffffffc00053b234>] driver_register+0x6c/0x138
+ [<ffffffc0004a5350>] __pci_register_driver+0x5c/0x6c
+ [<ffffffc000ce3868>] megasas_init+0xc0/0x1a8
+ [<ffffffc000082a58>] do_one_initcall+0xe8/0x1ec
+ [<ffffffc000ca7be8>] kernel_init_freeable+0x1c8/0x284
+ [<ffffffc0008d90b8>] kernel_init+0x1c/0xe4
+
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -3489,6 +3489,7 @@ int megasas_alloc_cmds(struct megasas_in
+ if (megasas_create_frame_pool(instance)) {
+ printk(KERN_DEBUG "megasas: Error creating frame DMA pool\n");
+ megasas_free_cmds(instance);
++ return -ENOMEM;
+ }
+
+ return 0;
diff --git a/queue-3.16/series b/queue-3.16/series
new file mode 100644
index 00000000..a651d2fc
--- /dev/null
+++ b/queue-3.16/series
@@ -0,0 +1,6 @@
+mm-introduce-vma_is_anonymous-vma-helper.patch
+mm-mincore.c-make-mincore-more-conservative.patch
+drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
+scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch
+ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
+bluetooth-hidp-fix-buffer-overflow.patch |