authorBen Hutchings <ben@decadent.org.uk>2019-06-06 21:40:18 +0100
committerBen Hutchings <ben@decadent.org.uk>2019-06-06 21:40:18 +0100
commit67ccdddf1a73dc878130b6c4477af0dad13e9781 (patch)
treeb91a926f438a050f0e952251fabca613e90baa2b
parenta44fe45dcd6971deacbd9fc47c7febd8390581d2 (diff)
Add various security fixes
-rw-r--r--queue-3.16/bluetooth-hidp-fix-buffer-overflow.patch29
-rw-r--r--queue-3.16/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch41
-rw-r--r--queue-3.16/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch77
-rw-r--r--queue-3.16/mm-introduce-vma_is_anonymous-vma-helper.patch74
-rw-r--r--queue-3.16/mm-mincore.c-make-mincore-more-conservative.patch86
-rw-r--r--queue-3.16/scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch73
-rw-r--r--queue-3.16/series6
7 files changed, 386 insertions, 0 deletions
diff --git a/queue-3.16/bluetooth-hidp-fix-buffer-overflow.patch b/queue-3.16/bluetooth-hidp-fix-buffer-overflow.patch
new file mode 100644
index 00000000..e1fb3792
--- /dev/null
+++ b/queue-3.16/bluetooth-hidp-fix-buffer-overflow.patch
@@ -0,0 +1,29 @@
+From: Young Xiao <YangX92@hotmail.com>
+Date: Fri, 12 Apr 2019 15:24:30 +0800
+Subject: Bluetooth: hidp: fix buffer overflow
+
+commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.
+
+Struct ca is copied from userspace. It is not checked whether the "name"
+field is NULL terminated, which allows local users to obtain potentially
+sensitive information from kernel stack memory, via a HIDPCONNADD command.
+
+This vulnerability is similar to CVE-2011-1079.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/bluetooth/hidp/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/hidp/sock.c
++++ b/net/bluetooth/hidp/sock.c
+@@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket
+ sockfd_put(csock);
+ return err;
+ }
++ ca.name[sizeof(ca.name)-1] = 0;
+
+ err = hidp_connection_add(&ca, csock, isock);
+ if (!err && copy_to_user(argp, &ca, sizeof(ca)))
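Review bot: The subject line says "buffer overflow", but what the added `ca.name[sizeof(ca.name)-1] = 0;` actually prevents is an over-read: an unterminated `name` copied in from userspace is later treated as a C string, so kernel stack bytes past the array leak, exactly as the description says. A comment at the new line would stop the next reader from hunting for a write overflow: `/* name is user-supplied; force NUL termination so it is never read past the array */`. The copy_from_user that fills `ca` and the rest of hidp_sock_ioctl are outside the hunk, so I cannot confirm from here that no other string field of the request needs the same treatment; worth checking the struct definition. Silently dropping the last byte is acceptable since the name is only a label.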
diff --git a/queue-3.16/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch b/queue-3.16/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
new file mode 100644
index 00000000..e844b6ea
--- /dev/null
+++ b/queue-3.16/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
@@ -0,0 +1,41 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 May 2019 15:47:03 -0700
+Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
+
+commit 6a024330650e24556b8a18cc654ad00cfecf6c6c upstream.
+
+The "param.count" value is a u64 thatcomes from the user. The code
+later in the function assumes that param.count is at least one and if
+it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.
+
+Also the addition can have an integer overflow which would lead us to
+allocate a smaller "pages" array than required. I can't immediately
+tell what the possible run times implications are, but it's safest to
+prevent the overflow.
+
+Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Timur Tabi <timur@freescale.com>
+Cc: Mihai Caraman <mihai.caraman@freescale.com>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/virt/fsl_hypervisor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i
+ * hypervisor.
+ */
+ lb_offset = param.local_vaddr & (PAGE_SIZE - 1);
++ if (param.count == 0 ||
++ param.count > U64_MAX - lb_offset - PAGE_SIZE + 1)
++ return -EINVAL;
+ num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
+
+ /* Allocate the buffers we need */
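Review bot: The new bound stops `param.count + lb_offset + PAGE_SIZE - 1` from wrapping in 64 bits, but the shifted result is then assigned to `num_pages`, whose declaration is outside the hunk; if that variable is narrower than u64 (for example `unsigned int`), a count such as 2^44 passes the check and is truncated to a small or zero page count, so the `pages` array allocated below would again be too small for the copy loop. Expressing the limit in the destination type would close that, e.g. `if (param.count == 0 || param.count > ((u64)UINT_MAX << PAGE_SHIFT) - lb_offset) return -EINVAL;`, or better, reject anything beyond a sane maximum transfer size. The remainder of ioctl_memcpy, including the allocation that consumes num_pages, is outside the hunk, so this is inferred from the visible shift alone.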
diff --git a/queue-3.16/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch b/queue-3.16/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
new file mode 100644
index 00000000..0c0e0cdd
--- /dev/null
+++ b/queue-3.16/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
@@ -0,0 +1,77 @@
+From: Sriram Rajagopalan <sriramr@arista.com>
+Date: Fri, 10 May 2019 19:28:06 -0400
+Subject: ext4: zero out the unused memory region in the extent tree block
+
+commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream.
+
+This commit zeroes out the unused memory region in the buffer_head
+corresponding to the extent metablock after writing the extent header
+and the corresponding extent node entries.
+
+This is done to prevent random uninitialized data from getting into
+the filesystem when the extent block is synced.
+
+This fixes CVE-2019-11833.
+
+Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext4/extents.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1016,6 +1016,7 @@ static int ext4_ext_split(handle_t *hand
+ __le32 border;
+ ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* make decision: where to split? */
+ /* FIXME: now decision is simplest: at current extent */
+@@ -1107,6 +1108,10 @@ static int ext4_ext_split(handle_t *hand
+ le16_add_cpu(&neh->eh_entries, m);
+ }
+
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1186,6 +1191,11 @@ static int ext4_ext_split(handle_t *hand
+ sizeof(struct ext4_extent_idx) * m);
+ le16_add_cpu(&neh->eh_entries, m);
+ }
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));
++ memset(bh->b_data + ext_size, 0,
++ inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1251,6 +1261,7 @@ static int ext4_ext_grow_indepth(handle_
+ struct buffer_head *bh;
+ ext4_fsblk_t newblock;
+ int err = 0;
++ size_t ext_size = 0;
+
+ newblock = ext4_ext_new_meta_block(handle, inode, NULL,
+ newext, &err, flags);
+@@ -1268,9 +1279,11 @@ static int ext4_ext_grow_indepth(handle_
+ goto out;
+ }
+
++ ext_size = sizeof(EXT4_I(inode)->i_data);
+ /* move top-level index/leaf into new block */
+- memmove(bh->b_data, EXT4_I(inode)->i_data,
+- sizeof(EXT4_I(inode)->i_data));
++ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);
++ /* zero out unused area in the extent block */
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+
+ /* set size of new block */
+ neh = ext_block_hdr(bh);
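Review bot: In the index-level hunk the used size is computed with `sizeof(struct ext4_extent)` while the entries moved in two lines earlier are `struct ext4_extent_idx`; if the two types have the same size the memset is correct, but the mismatch reads as a bug, and the same four zeroing lines now appear twice in ext4_ext_split. A small helper that takes the entry size would remove the duplication and make the required ordering before `ext4_extent_block_csum_set` (the checksum has to cover the zeroed tail) explicit. Both ext4_ext_split and ext4_ext_grow_indepth start and end outside the hunks.

```c
/* Zero the unused tail of a freshly built extent block before it is
 * checksummed and written, so stale kernel memory never reaches disk.
 * entry_size is the size of the entry type that follows the header. */
static void ext4_ext_zero_unused(struct inode *inode, struct buffer_head *bh,
				 struct ext4_extent_header *neh, size_t entry_size)
{
	size_t used = sizeof(struct ext4_extent_header) +
		      entry_size * le16_to_cpu(neh->eh_entries);

	memset(bh->b_data + used, 0, inode->i_sb->s_blocksize - used);
}

/* … unchanged: leaf-level split … */
	ext4_ext_zero_unused(inode, bh, neh, sizeof(struct ext4_extent));
	ext4_extent_block_csum_set(inode, neh);
/* … unchanged: index-level split … */
	ext4_ext_zero_unused(inode, bh, neh, sizeof(struct ext4_extent_idx));
	ext4_extent_block_csum_set(inode, neh);
```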
diff --git a/queue-3.16/mm-introduce-vma_is_anonymous-vma-helper.patch b/queue-3.16/mm-introduce-vma_is_anonymous-vma-helper.patch
new file mode 100644
index 00000000..048a4b4f
--- /dev/null
+++ b/queue-3.16/mm-introduce-vma_is_anonymous-vma-helper.patch
@@ -0,0 +1,74 @@
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Tue, 8 Sep 2015 14:58:28 -0700
+Subject: mm: introduce vma_is_anonymous(vma) helper
+
+commit b5330628546616af14ff23075fbf8d4ad91f6e25 upstream.
+
+special_mapping_fault() is absolutely broken. It seems it was always
+wrong, but this didn't matter until vdso/vvar started to use more than
+one page.
+
+And after this change vma_is_anonymous() becomes really trivial, it
+simply checks vm_ops == NULL. However, I do think the helper makes
+sense. There are a lot of ->vm_ops != NULL checks, the helper makes the
+caller's code more understandable (self-documented) and this is more
+grep-friendly.
+
+This patch (of 3):
+
+Preparation. Add the new simple helper, vma_is_anonymous(vma), and change
+handle_pte_fault() to use it. It will have more users.
+
+The name is not accurate, say a hpet_mmap()'ed vma is not anonymous.
+Perhaps it should be named vma_has_fault() instead. But it matches the
+logic in mmap.c/memory.c (see next changes). "True" just means that a
+page fault will use do_anonymous_page().
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16 as dependency of "mm/mincore.c: make mincore() more
+ conservative"; adjusted context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/mm.h | 5 +++++
+ mm/memory.c | 8 ++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1241,6 +1241,11 @@ int get_cmdline(struct task_struct *task
+
+ int vma_is_stack_for_task(struct vm_area_struct *vma, struct task_struct *t);
+
++static inline bool vma_is_anonymous(struct vm_area_struct *vma)
++{
++ return !vma->vm_ops;
++}
++
+ extern unsigned long move_page_tables(struct vm_area_struct *vma,
+ unsigned long old_addr, struct vm_area_struct *new_vma,
+ unsigned long new_addr, unsigned long len,
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -3105,12 +3105,12 @@ static int handle_pte_fault(struct mm_st
+ entry = *pte;
+ if (!pte_present(entry)) {
+ if (pte_none(entry)) {
+- if (vma->vm_ops)
++ if (vma_is_anonymous(vma))
++ return do_anonymous_page(mm, vma, address,
++ pte, pmd, flags);
++ else
+ return do_fault(mm, vma, address, pte,
+ pmd, flags, entry);
+-
+- return do_anonymous_page(mm, vma, address,
+- pte, pmd, flags);
+ }
+ return do_swap_page(mm, vma, address,
+ pte, pmd, flags, entry);
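Review bot: The new `vma_is_anonymous()` in mm.h lands without a comment, and the commit message itself admits the name is inaccurate: it is true for any vma with no `vm_ops`, including driver mappings such as the hpet_mmap() example given, not only anonymous memory. Because the follow-up mincore change in this same series uses it as a security decision (which vmas may reveal pagecache state), the helper should state its real contract: `/* True when a fault on @vma is handled by do_anonymous_page(), i.e. vm_ops is NULL; this covers some driver mappings too, not only anonymous memory. */`. The handle_pte_fault rewrite in memory.c is an equivalent branch swap and needs no change.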
diff --git a/queue-3.16/mm-mincore.c-make-mincore-more-conservative.patch b/queue-3.16/mm-mincore.c-make-mincore-more-conservative.patch
new file mode 100644
index 00000000..f82b85d8
--- /dev/null
+++ b/queue-3.16/mm-mincore.c-make-mincore-more-conservative.patch
@@ -0,0 +1,86 @@
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Tue, 14 May 2019 15:41:38 -0700
+Subject: mm/mincore.c: make mincore() more conservative
+
+commit 134fca9063ad4851de767d1768180e5dede9a881 upstream.
+
+The semantics of what mincore() considers to be resident is not
+completely clear, but Linux has always (since 2.3.52, which is when
+mincore() was initially done) treated it as "page is available in page
+cache".
+
+That's potentially a problem, as that [in]directly exposes
+meta-information about pagecache / memory mapping state even about
+memory not strictly belonging to the process executing the syscall,
+opening possibilities for sidechannel attacks.
+
+Change the semantics of mincore() so that it only reveals pagecache
+information for non-anonymous mappings that belog to files that the
+calling process could (if it tried to) successfully open for writing;
+otherwise we'd be including shared non-exclusive mappings, which
+
+ - is the sidechannel
+
+ - is not the usecase for mincore(), as that's primarily used for data,
+ not (shared) text
+
+[jkosina@suse.cz: v2]
+ Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz
+[mhocko@suse.com: restructure can_do_mincore() conditions]
+Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Josh Snyder <joshs@netflix.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
+Originally-by: Dominique Martinet <asmadeus@codewreck.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Dave Chinner <david@fromorbit.com>
+Cc: Kevin Easton <kevin@guarana.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Cyril Hrubis <chrubis@suse.cz>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Daniel Gruss <daniel@gruss.cc>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/mm/mincore.c
++++ b/mm/mincore.c
+@@ -212,6 +212,22 @@ static void mincore_page_range(struct vm
+ } while (pgd++, addr = next, addr != end);
+ }
+
++static inline bool can_do_mincore(struct vm_area_struct *vma)
++{
++ if (vma_is_anonymous(vma))
++ return true;
++ if (!vma->vm_file)
++ return false;
++ /*
++ * Reveal pagecache information only for non-anonymous mappings that
++ * correspond to the files the calling process could (if tried) open
++ * for writing; otherwise we'd be including shared non-exclusive
++ * mappings, which opens a side channel.
++ */
++ return inode_owner_or_capable(file_inode(vma->vm_file)) ||
++ inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0;
++}
++
+ /*
+ * Do a chunk of "sys_mincore()". We've already checked
+ * all the arguments, we hold the mmap semaphore: we should
+@@ -227,6 +243,11 @@ static long do_mincore(unsigned long add
+ return -ENOMEM;
+
+ end = min(vma->vm_end, addr + (pages << PAGE_SHIFT));
++ if (!can_do_mincore(vma)) {
++ unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE);
++ memset(vec, 1, pages);
++ return pages;
++ }
+
+ if (is_vm_hugetlb_page(vma))
+ mincore_hugetlb_page_range(vma, addr, end, vec);
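Review bot: The fallback block added to do_mincore declares a local `unsigned long pages` that shadows the outer `pages` already used on the line `end = min(vma->vm_end, addr + (pages << PAGE_SHIFT));`, so the value returned is the chunk's page count rather than the caller's argument; that is the intent, but it reads as a mistake under -Wshadow. Renaming it and saying why "all resident" is the safe answer would make that clear: `unsigned long nr = DIV_ROUND_UP(end - addr, PAGE_SIZE); /* no permission to see pagecache state: report everything resident so nothing leaks */ memset(vec, 1, nr); return nr;`. The rest of do_mincore, including where `vec` comes from, is outside the hunk, so like the original I am assuming it is a kernel-side buffer. Also, this backport dropped the diffstat between `---` and the first file header, which is harmless but inconsistent with the other patches in this commit.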
diff --git a/queue-3.16/scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch b/queue-3.16/scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch
new file mode 100644
index 00000000..bd5e0b24
--- /dev/null
+++ b/queue-3.16/scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch
@@ -0,0 +1,73 @@
+From: Jason Yan <yanaijie@huawei.com>
+Date: Fri, 15 Feb 2019 19:50:27 +0800
+Subject: scsi: megaraid_sas: return error when create DMA pool failed
+
+commit bcf3b67d16a4c8ffae0aa79de5853435e683945c upstream.
+
+when create DMA pool for cmd frames failed, we should return -ENOMEM,
+instead of 0.
+In some case in:
+
+ megasas_init_adapter_fusion()
+
+ -->megasas_alloc_cmds()
+ -->megasas_create_frame_pool
+ create DMA pool failed,
+ --> megasas_free_cmds() [1]
+
+ -->megasas_alloc_cmds_fusion()
+ failed, then goto fail_alloc_cmds.
+ -->megasas_free_cmds() [2]
+
+we will call megasas_free_cmds twice, [1] will kfree cmd_list,
+[2] will use cmd_list.it will cause a problem:
+
+Unable to handle kernel NULL pointer dereference at virtual address
+00000000
+pgd = ffffffc000f70000
+[00000000] *pgd=0000001fbf893003, *pud=0000001fbf893003,
+*pmd=0000001fbf894003, *pte=006000006d000707
+Internal error: Oops: 96000005 [#1] SMP
+ Modules linked in:
+ CPU: 18 PID: 1 Comm: swapper/0 Not tainted
+ task: ffffffdfb9290000 ti: ffffffdfb923c000 task.ti: ffffffdfb923c000
+ PC is at megasas_free_cmds+0x30/0x70
+ LR is at megasas_free_cmds+0x24/0x70
+ ...
+ Call trace:
+ [<ffffffc0005b779c>] megasas_free_cmds+0x30/0x70
+ [<ffffffc0005bca74>] megasas_init_adapter_fusion+0x2f4/0x4d8
+ [<ffffffc0005b926c>] megasas_init_fw+0x2dc/0x760
+ [<ffffffc0005b9ab0>] megasas_probe_one+0x3c0/0xcd8
+ [<ffffffc0004a5abc>] local_pci_probe+0x4c/0xb4
+ [<ffffffc0004a5c40>] pci_device_probe+0x11c/0x14c
+ [<ffffffc00053a5e4>] driver_probe_device+0x1ec/0x430
+ [<ffffffc00053a92c>] __driver_attach+0xa8/0xb0
+ [<ffffffc000538178>] bus_for_each_dev+0x74/0xc8
+ [<ffffffc000539e88>] driver_attach+0x28/0x34
+ [<ffffffc000539a18>] bus_add_driver+0x16c/0x248
+ [<ffffffc00053b234>] driver_register+0x6c/0x138
+ [<ffffffc0004a5350>] __pci_register_driver+0x5c/0x6c
+ [<ffffffc000ce3868>] megasas_init+0xc0/0x1a8
+ [<ffffffc000082a58>] do_one_initcall+0xe8/0x1ec
+ [<ffffffc000ca7be8>] kernel_init_freeable+0x1c8/0x284
+ [<ffffffc0008d90b8>] kernel_init+0x1c/0xe4
+
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -3489,6 +3489,7 @@ int megasas_alloc_cmds(struct megasas_in
+ if (megasas_create_frame_pool(instance)) {
+ printk(KERN_DEBUG "megasas: Error creating frame DMA pool\n");
+ megasas_free_cmds(instance);
++ return -ENOMEM;
+ }
+
+ return 0;
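Review bot: Returning -ENOMEM here is correct, but the double free described in the message only disappears if the caller's error path no longer calls megasas_free_cmds after this function has already done so; that path (the fail_alloc_cmds label in megasas_init_adapter_fusion) is outside the hunk, so I cannot confirm it from here. A more robust fix would make megasas_free_cmds safe to call twice, by clearing `instance->cmd_list` after the kfree and returning early when it is NULL, so any future caller that frees on failure cannot reach the same NULL dereference. Either way a short comment on the new return would help: `/* frame pool failed: cmds were freed above, caller must not free them again */`.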
diff --git a/queue-3.16/series b/queue-3.16/series
new file mode 100644
index 00000000..a651d2fc
--- /dev/null
+++ b/queue-3.16/series
@@ -0,0 +1,6 @@
+mm-introduce-vma_is_anonymous-vma-helper.patch
+mm-mincore.c-make-mincore-more-conservative.patch
+drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
+scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch
+ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
+bluetooth-hidp-fix-buffer-overflow.patch