author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-08 08:06:55 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-08 08:06:55 +0200 |
commit | d34d1cf1269b9e1336343fc52c838a0c67d67705 (patch) | |
tree | cdc6aac8d86252f9f499100d3dd3d7296c0e0ce0 | |
parent | 84a3676fa518b629712f632a429abeb972397292 (diff) | |
download | queue-3.18-d34d1cf1269b9e1336343fc52c838a0c67d67705.tar.gz |
all patches now merged
-rw-r--r-- | hso-fix-null-deref-on-tty-open.patch | 54 | ||||
-rw-r--r-- | ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch | 67 | ||||
-rw-r--r-- | net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch | 62 | ||||
-rw-r--r-- | net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch | 30 | ||||
-rw-r--r-- | net-rds-fix-error-handling-in-rds_ib_add_one.patch | 47 | ||||
-rw-r--r-- | nfc-fix-attrs-checks-in-netlink-interface.patch | 49 | ||||
-rw-r--r-- | nfc-fix-memory-leak-in-llcp_sock_bind.patch | 62 | ||||
-rw-r--r-- | ovl-filter-of-trusted-xattr-results-in-audit.patch | 42 | ||||
-rw-r--r-- | sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch | 112 | ||||
-rw-r--r-- | sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch | 73 | ||||
-rw-r--r-- | series | 11 | ||||
-rw-r--r-- | smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch | 50 |
12 files changed, 0 insertions, 659 deletions
diff --git a/hso-fix-null-deref-on-tty-open.patch b/hso-fix-null-deref-on-tty-open.patch
deleted file mode 100644
index 2a23c67..0000000
--- a/hso-fix-null-deref-on-tty-open.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Johan Hovold <johan@kernel.org>
-Date: Mon, 30 Sep 2019 17:12:41 +0200
-Subject: hso: fix NULL-deref on tty open
-
-From: Johan Hovold <johan@kernel.org>
-
-[ Upstream commit 8353da9fa69722b54cba82b2ec740afd3d438748 ]
-
-Fix NULL-pointer dereference on tty open due to a failure to handle a
-missing interrupt-in endpoint when probing modem ports:
-
- BUG: kernel NULL pointer dereference, address: 0000000000000006
- ...
- RIP: 0010:tiocmget_submit_urb+0x1c/0xe0 [hso]
- ...
- Call Trace:
- hso_start_serial_device+0xdc/0x140 [hso]
- hso_serial_open+0x118/0x1b0 [hso]
- tty_open+0xf1/0x490
-
-Fixes: 542f54823614 ("tty: Modem functions for the HSO driver")
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/usb/hso.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
---- a/drivers/net/usb/hso.c
-+++ b/drivers/net/usb/hso.c
-@@ -2639,14 +2639,18 @@ static struct hso_device *hso_create_bul
- */
- if (serial->tiocmget) {
- tiocmget = serial->tiocmget;
-+ tiocmget->endp = hso_get_ep(interface,
-+ USB_ENDPOINT_XFER_INT,
-+ USB_DIR_IN);
-+ if (!tiocmget->endp) {
-+ dev_err(&interface->dev, "Failed to find INT IN ep\n");
-+ goto exit;
-+ }
-+
- tiocmget->urb = usb_alloc_urb(0, GFP_KERNEL);
- if (tiocmget->urb) {
- mutex_init(&tiocmget->mutex);
- init_waitqueue_head(&tiocmget->waitq);
-- tiocmget->endp = hso_get_ep(
-- interface,
-- USB_ENDPOINT_XFER_INT,
-- USB_DIR_IN);
- } else
- hso_free_tiomget(serial);
- }
diff --git a/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch b/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch
deleted file mode 100644
index 63ac554..0000000
--- a/ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Eric Dumazet <edumazet@google.com>
-Date: Wed, 2 Oct 2019 09:38:55 -0700
-Subject: ipv6: drop incoming packets having a v4mapped source address
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3 ]
-
-This began with a syzbot report. syzkaller was injecting
-IPv6 TCP SYN packets having a v4mapped source address.
-
-After an unsuccessful 4-tuple lookup, TCP creates a request
-socket (SYN_RECV) and calls reqsk_queue_hash_req()
-
-reqsk_queue_hash_req() calls sk_ehashfn(sk)
-
-At this point we have AF_INET6 sockets, and the heuristic
-used by sk_ehashfn() to either hash the IPv4 or IPv6 addresses
-is to use ipv6_addr_v4mapped(&sk->sk_v6_daddr)
-
-For the particular spoofed packet, we end up hashing V4 addresses
-which were not initialized by the TCP IPv6 stack, so KMSAN fired
-a warning.
-
-I first fixed sk_ehashfn() to test both source and destination addresses,
-but then faced various problems, including user-space programs
-like packetdrill that had similar assumptions.
-
-Instead of trying to fix the whole ecosystem, it is better
-to admit that we have a dual stack behavior, and that we
-can not build linux kernels without V4 stack anyway.
-
-The dual stack API automatically forces the traffic to be IPv4
-if v4mapped addresses are used at bind() or connect(), so it makes
-no sense to allow IPv6 traffic to use the same v4mapped class.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Cc: Florian Westphal <fw@strlen.de>
-Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv6/ip6_input.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/net/ipv6/ip6_input.c
-+++ b/net/ipv6/ip6_input.c
-@@ -151,6 +151,16 @@ int ipv6_rcv(struct sk_buff *skb, struct
- if (ipv6_addr_is_multicast(&hdr->saddr))
- goto err;
-
-+ /* While RFC4291 is not explicit about v4mapped addresses
-+ * in IPv6 headers, it seems clear linux dual-stack
-+ * model can not deal properly with these.
-+ * Security models could be fooled by ::ffff:127.0.0.1 for example.
-+ *
-+ * https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
-+ */
-+ if (ipv6_addr_v4mapped(&hdr->saddr))
-+ goto err;
-+
- skb->transport_header = skb->network_header + sizeof(*hdr);
- IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
-
diff --git a/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch b/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch
deleted file mode 100644
index d8476b7..0000000
--- a/net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Paolo Abeni <pabeni@redhat.com>
-Date: Fri, 4 Oct 2019 15:11:17 +0200
-Subject: net: ipv4: avoid mixed n_redirects and rate_tokens usage
-
-From: Paolo Abeni <pabeni@redhat.com>
-
-[ Upstream commit b406472b5ad79ede8d10077f0c8f05505ace8b6d ]
-
-Since commit c09551c6ff7f ("net: ipv4: use a dedicated counter
-for icmp_v4 redirect packets") we use 'n_redirects' to account
-for redirect packets, but we still use 'rate_tokens' to compute
-the redirect packets exponential backoff.
-
-If the device sent to the relevant peer any ICMP error packet
-after sending a redirect, it will also update 'rate_token' according
-to the leaking bucket schema; typically 'rate_token' will raise
-above BITS_PER_LONG and the redirect packets backoff algorithm
-will produce undefined behavior.
-
-Fix the issue using 'n_redirects' to compute the exponential backoff
-in ip_rt_send_redirect().
-
-Note that we still clear rate_tokens after a redirect silence period,
-to avoid changing an established behaviour.
-
-The root cause predates git history; before the mentioned commit in
-the critical scenario, the kernel stopped sending redirects, after
-the mentioned commit the behavior more randomic.
-
-Reported-by: Xiumei Mu <xmu@redhat.com>
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Fixes: c09551c6ff7f ("net: ipv4: use a dedicated counter for icmp_v4 redirect packets")
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/ipv4/route.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
---- a/net/ipv4/route.c
-+++ b/net/ipv4/route.c
-@@ -889,16 +889,15 @@ void ip_rt_send_redirect(struct sk_buff
- if (peer->rate_tokens == 0 ||
- time_after(jiffies,
- (peer->rate_last +
-- (ip_rt_redirect_load << peer->rate_tokens)))) {
-+ (ip_rt_redirect_load << peer->n_redirects)))) {
- __be32 gw = rt_nexthop(rt, ip_hdr(skb)->daddr);
-
- icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, gw);
- peer->rate_last = jiffies;
-- ++peer->rate_tokens;
- ++peer->n_redirects;
- #ifdef CONFIG_IP_ROUTE_VERBOSE
- if (log_martians &&
-- peer->rate_tokens == ip_rt_redirect_number)
-+ peer->n_redirects == ip_rt_redirect_number)
- net_warn_ratelimited("host %pI4/if%d ignores redirects for %pI4 to %pI4\n",
- &ip_hdr(skb)->saddr, inet_iif(skb),
- &ip_hdr(skb)->daddr, &gw);
diff --git a/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch b/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch
deleted file mode 100644
index a5b0311..0000000
--- a/net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Navid Emamdoost <navid.emamdoost@gmail.com>
-Date: Fri, 4 Oct 2019 15:24:39 -0500
-Subject: net: qlogic: Fix memory leak in ql_alloc_large_buffers
-
-From: Navid Emamdoost <navid.emamdoost@gmail.com>
-
-[ Upstream commit 1acb8f2a7a9f10543868ddd737e37424d5c36cf4 ]
-
-In ql_alloc_large_buffers, a new skb is allocated via netdev_alloc_skb.
-This skb should be released if pci_dma_mapping_error fails.
-
-Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() in ql_release_to_lrg_buf_free_list(), ql_populate_free_queue(), ql_alloc_large_buffers(), and ql3xxx_send()")
-Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/qlogic/qla3xxx.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/net/ethernet/qlogic/qla3xxx.c
-+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
-@@ -2787,6 +2787,7 @@ static int ql_alloc_large_buffers(struct
- netdev_err(qdev->ndev,
- "PCI mapping failed with error: %d\n",
- err);
-+ dev_kfree_skb_irq(skb);
- ql_free_large_buffers(qdev);
- return -ENOMEM;
- }
diff --git a/net-rds-fix-error-handling-in-rds_ib_add_one.patch b/net-rds-fix-error-handling-in-rds_ib_add_one.patch
deleted file mode 100644
index 53a416c..0000000
--- a/net-rds-fix-error-handling-in-rds_ib_add_one.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From foo@baz Sun 06 Oct 2019 11:10:46 AM CEST
-From: Dotan Barak <dotanb@dev.mellanox.co.il>
-Date: Tue, 1 Oct 2019 10:21:02 -0700
-Subject: net/rds: Fix error handling in rds_ib_add_one()
-
-From: Dotan Barak <dotanb@dev.mellanox.co.il>
-
-[ Upstream commit d64bf89a75b65f83f06be9fb8f978e60d53752db ]
-
-rds_ibdev:ipaddr_list and rds_ibdev:conn_list are initialized
-after allocation some resources such as protection domain.
-If allocation of such resources fail, then these uninitialized
-variables are accessed in rds_ib_dev_free() in failure path. This
-can potentially crash the system. The code has been updated to
-initialize these variables very early in the function.
-
-Signed-off-by: Dotan Barak <dotanb@dev.mellanox.co.il>
-Signed-off-by: Sudhakar Dindukurti <sudhakar.dindukurti@oracle.com>
-Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/rds/ib.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/net/rds/ib.c
-+++ b/net/rds/ib.c
-@@ -146,6 +146,9 @@ static void rds_ib_add_one(struct ib_dev
- atomic_set(&rds_ibdev->refcount, 1);
- INIT_WORK(&rds_ibdev->free_work, rds_ib_dev_free);
-
-+ INIT_LIST_HEAD(&rds_ibdev->ipaddr_list);
-+ INIT_LIST_HEAD(&rds_ibdev->conn_list);
-+
- rds_ibdev->max_wrs = dev_attr->max_qp_wr;
- rds_ibdev->max_sge = min(dev_attr->max_sge, RDS_IB_MAX_SGE);
-
-@@ -176,9 +179,6 @@ static void rds_ib_add_one(struct ib_dev
- goto put_dev;
- }
-
-- INIT_LIST_HEAD(&rds_ibdev->ipaddr_list);
-- INIT_LIST_HEAD(&rds_ibdev->conn_list);
--
- down_write(&rds_ib_devices_lock);
- list_add_tail_rcu(&rds_ibdev->list, &rds_ib_devices);
- up_write(&rds_ib_devices_lock);
diff --git a/nfc-fix-attrs-checks-in-netlink-interface.patch b/nfc-fix-attrs-checks-in-netlink-interface.patch
deleted file mode 100644
index 920a4da..0000000
--- a/nfc-fix-attrs-checks-in-netlink-interface.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 18917d51472fe3b126a3a8f756c6b18085eb8130 Mon Sep 17 00:00:00 2001
-From: Andrey Konovalov <andreyknvl@google.com>
-Date: Mon, 29 Jul 2019 16:35:01 +0300
-Subject: NFC: fix attrs checks in netlink interface
-
-From: Andrey Konovalov <andreyknvl@google.com>
-
-commit 18917d51472fe3b126a3a8f756c6b18085eb8130 upstream.
-
-nfc_genl_deactivate_target() relies on the NFC_ATTR_TARGET_INDEX
-attribute being present, but doesn't check whether it is actually
-provided by the user. Same goes for nfc_genl_fw_download() and
-NFC_ATTR_FIRMWARE_NAME.
-
-This patch adds appropriate checks.
-
-Found with syzkaller.
-
-Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
-Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/nfc/netlink.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/net/nfc/netlink.c
-+++ b/net/nfc/netlink.c
-@@ -852,7 +852,8 @@ static int nfc_genl_dep_link_down(struct
- int rc;
- u32 idx;
-
-- if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
-+ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
-+ !info->attrs[NFC_ATTR_TARGET_INDEX])
- return -EINVAL;
-
- idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
-@@ -1106,7 +1107,8 @@ static int nfc_genl_fw_download(struct s
- u32 idx;
- char firmware_name[NFC_FIRMWARE_NAME_MAXSIZE + 1];
-
-- if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
-+ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
-+ !info->attrs[NFC_ATTR_FIRMWARE_NAME])
- return -EINVAL;
-
- idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
diff --git a/nfc-fix-memory-leak-in-llcp_sock_bind.patch b/nfc-fix-memory-leak-in-llcp_sock_bind.patch
deleted file mode 100644
index 0ed1b68..0000000
--- a/nfc-fix-memory-leak-in-llcp_sock_bind.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Eric Dumazet <edumazet@google.com>
-Date: Fri, 4 Oct 2019 11:08:34 -0700
-Subject: nfc: fix memory leak in llcp_sock_bind()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d ]
-
-sysbot reported a memory leak after a bind() has failed.
-
-While we are at it, abort the operation if kmemdup() has failed.
-
-BUG: memory leak
-unreferenced object 0xffff888105d83ec0 (size 32):
- comm "syz-executor067", pid 7207, jiffies 4294956228 (age 19.430s)
- hex dump (first 32 bytes):
- 00 69 6c 65 20 72 65 61 64 00 6e 65 74 3a 5b 34 .ile read.net:[4
- 30 32 36 35 33 33 30 39 37 5d 00 00 00 00 00 00 026533097]......
- backtrace:
- [<0000000036bac473>] kmemleak_alloc_recursive /./include/linux/kmemleak.h:43 [inline]
- [<0000000036bac473>] slab_post_alloc_hook /mm/slab.h:522 [inline]
- [<0000000036bac473>] slab_alloc /mm/slab.c:3319 [inline]
- [<0000000036bac473>] __do_kmalloc /mm/slab.c:3653 [inline]
- [<0000000036bac473>] __kmalloc_track_caller+0x169/0x2d0 /mm/slab.c:3670
- [<000000000cd39d07>] kmemdup+0x27/0x60 /mm/util.c:120
- [<000000008e57e5fc>] kmemdup /./include/linux/string.h:432 [inline]
- [<000000008e57e5fc>] llcp_sock_bind+0x1b3/0x230 /net/nfc/llcp_sock.c:107
- [<000000009cb0b5d3>] __sys_bind+0x11c/0x140 /net/socket.c:1647
- [<00000000492c3bbc>] __do_sys_bind /net/socket.c:1658 [inline]
- [<00000000492c3bbc>] __se_sys_bind /net/socket.c:1656 [inline]
- [<00000000492c3bbc>] __x64_sys_bind+0x1e/0x30 /net/socket.c:1656
- [<0000000008704b2a>] do_syscall_64+0x76/0x1a0 /arch/x86/entry/common.c:296
- [<000000009f4c57a4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-Fixes: 30cc4587659e ("NFC: Move LLCP code to the NFC top level diirectory")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/nfc/llcp_sock.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/net/nfc/llcp_sock.c
-+++ b/net/nfc/llcp_sock.c
-@@ -118,9 +118,14 @@ static int llcp_sock_bind(struct socket
- llcp_sock->service_name = kmemdup(llcp_addr.service_name,
- llcp_sock->service_name_len,
- GFP_KERNEL);
--
-+ if (!llcp_sock->service_name) {
-+ ret = -ENOMEM;
-+ goto put_dev;
-+ }
- llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
- if (llcp_sock->ssap == LLCP_SAP_MAX) {
-+ kfree(llcp_sock->service_name);
-+ llcp_sock->service_name = NULL;
- ret = -EADDRINUSE;
- goto put_dev;
- }
diff --git a/ovl-filter-of-trusted-xattr-results-in-audit.patch b/ovl-filter-of-trusted-xattr-results-in-audit.patch
deleted file mode 100644
index 27af2ba..0000000
--- a/ovl-filter-of-trusted-xattr-results-in-audit.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 5c2e9f346b815841f9bed6029ebcb06415caf640 Mon Sep 17 00:00:00 2001
-From: Mark Salyzyn <salyzyn@android.com>
-Date: Thu, 29 Aug 2019 11:30:14 -0700
-Subject: ovl: filter of trusted xattr results in audit
-
-From: Mark Salyzyn <salyzyn@android.com>
-
-commit 5c2e9f346b815841f9bed6029ebcb06415caf640 upstream.
-
-When filtering xattr list for reading, presence of trusted xattr
-results in a security audit log. However, if there is other content
-no errno will be set, and if there isn't, the errno will be -ENODATA
-and not -EPERM as is usually associated with a lack of capability.
-The check does not block the request to list the xattrs present.
-
-Switch to ns_capable_noaudit to reflect a more appropriate check.
-
-Signed-off-by: Mark Salyzyn <salyzyn@android.com>
-Cc: linux-security-module@vger.kernel.org
-Cc: kernel-team@android.com
-Cc: stable@vger.kernel.org # v3.18+
-Fixes: a082c6f680da ("ovl: filter trusted xattr for non-admin")
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-[added export to get this to build - gregkh]
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/overlayfs/inode.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/fs/overlayfs/inode.c
-+++ b/fs/overlayfs/inode.c
-@@ -265,7 +265,8 @@ static bool ovl_can_list(const char *s)
- return true;
-
- /* Never list trusted.overlay, list other trusted for superuser only */
-- return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN);
-+ return !ovl_is_private_xattr(s) &&
-+ has_capability_noaudit(current, CAP_SYS_ADMIN);
- }
-
- ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
diff --git a/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch b/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch
deleted file mode 100644
index 3f40283..0000000
--- a/sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From foo@baz Sun 06 Oct 2019 10:01:35 AM CEST
-From: Eric Dumazet <edumazet@google.com>
-Date: Thu, 26 Sep 2019 18:24:43 -0700
-Subject: sch_cbq: validate TCA_CBQ_WRROPT to avoid crash
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit e9789c7cc182484fc031fd88097eb14cb26c4596 ]
-
-syzbot reported a crash in cbq_normalize_quanta() caused
-by an out of range cl->priority.
-
-iproute2 enforces this check, but malicious users do not.
-
-kasan: CONFIG_KASAN_INLINE enabled
-kasan: GPF could be caused by NULL-ptr deref or user memory access
-general protection fault: 0000 [#1] SMP KASAN PTI
-Modules linked in:
-CPU: 1 PID: 26447 Comm: syz-executor.1 Not tainted 5.3+ #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-RIP: 0010:cbq_normalize_quanta.part.0+0x1fd/0x430 net/sched/sch_cbq.c:902
-RSP: 0018:ffff8801a5c333b0 EFLAGS: 00010206
-RAX: 0000000020000003 RBX: 00000000fffffff8 RCX: ffffc9000712f000
-RDX: 00000000000043bf RSI: ffffffff83be8962 RDI: 0000000100000018
-RBP: ffff8801a5c33420 R08: 000000000000003a R09: 0000000000000000
-R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000002ef
-R13: ffff88018da95188 R14: dffffc0000000000 R15: 0000000000000015
-FS: 00007f37d26b1700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 00000000004c7cec CR3: 00000001bcd0a006 CR4: 00000000001626f0
-DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
-DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
-Call Trace:
- [<ffffffff83be9d57>] cbq_normalize_quanta include/net/pkt_sched.h:27 [inline]
- [<ffffffff83be9d57>] cbq_addprio net/sched/sch_cbq.c:1097 [inline]
- [<ffffffff83be9d57>] cbq_set_wrr+0x2d7/0x450 net/sched/sch_cbq.c:1115
- [<ffffffff83bee8a7>] cbq_change_class+0x987/0x225b net/sched/sch_cbq.c:1537
- [<ffffffff83b96985>] tc_ctl_tclass+0x555/0xcd0 net/sched/sch_api.c:2329
- [<ffffffff83a84655>] rtnetlink_rcv_msg+0x485/0xc10 net/core/rtnetlink.c:5248
- [<ffffffff83cadf0a>] netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2510
- [<ffffffff83a7db6d>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5266
- [<ffffffff83cac2c6>] netlink_unicast_kernel net/netlink/af_netlink.c:1324 [inline]
- [<ffffffff83cac2c6>] netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1350
- [<ffffffff83cacd4a>] netlink_sendmsg+0x89a/0xd50 net/netlink/af_netlink.c:1939
- [<ffffffff8399d46e>] sock_sendmsg_nosec net/socket.c:673 [inline]
- [<ffffffff8399d46e>] sock_sendmsg+0x12e/0x170 net/socket.c:684
- [<ffffffff8399f1fd>] ___sys_sendmsg+0x81d/0x960 net/socket.c:2359
- [<ffffffff839a2d05>] __sys_sendmsg+0x105/0x1d0 net/socket.c:2397
- [<ffffffff839a2df9>] SYSC_sendmsg net/socket.c:2406 [inline]
- [<ffffffff839a2df9>] SyS_sendmsg+0x29/0x30 net/socket.c:2404
- [<ffffffff8101ccc8>] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305
- [<ffffffff84400091>] entry_SYSCALL_64_after_hwframe+0x42/0xb7
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/sched/sch_cbq.c | 27 ++++++++++++++++++++++-----
- 1 file changed, 22 insertions(+), 5 deletions(-)
-
---- a/net/sched/sch_cbq.c
-+++ b/net/sched/sch_cbq.c
-@@ -1340,6 +1340,26 @@ static const struct nla_policy cbq_polic
- [TCA_CBQ_POLICE] = { .len = sizeof(struct tc_cbq_police) },
- };
-
-+static int cbq_opt_parse(struct nlattr *tb[TCA_CBQ_MAX + 1], struct nlattr *opt)
-+{
-+ int err;
-+
-+ if (!opt)
-+ return -EINVAL;
-+
-+ err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy);
-+ if (err < 0)
-+ return err;
-+
-+ if (tb[TCA_CBQ_WRROPT]) {
-+ const struct tc_cbq_wrropt *wrr = nla_data(tb[TCA_CBQ_WRROPT]);
-+
-+ if (wrr->priority > TC_CBQ_MAXPRIO)
-+ err = -EINVAL;
-+ }
-+ return err;
-+}
-+
- static int cbq_init(struct Qdisc *sch, struct nlattr *opt)
- {
- struct cbq_sched_data *q = qdisc_priv(sch);
-@@ -1347,7 +1367,7 @@ static int cbq_init(struct Qdisc *sch, s
- struct tc_ratespec *r;
- int err;
-
-- err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy);
-+ err = cbq_opt_parse(tb, opt);
- if (err < 0)
- return err;
-
-@@ -1728,10 +1748,7 @@ cbq_change_class(struct Qdisc *sch, u32
- struct cbq_class *parent;
- struct qdisc_rate_table *rtab = NULL;
-
-- if (opt == NULL)
-- return -EINVAL;
--
-- err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy);
-+ err = cbq_opt_parse(tb, opt);
- if (err < 0)
- return err;
-
diff --git a/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch b/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch
deleted file mode 100644
index 174a8ee..0000000
--- a/sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From foo@baz Sun 06 Oct 2019 01:23:14 PM CEST
-From: Eric Dumazet <edumazet@google.com>
-Date: Fri, 4 Oct 2019 10:34:45 -0700
-Subject: sch_dsmark: fix potential NULL deref in dsmark_init()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 474f0813a3002cb299bb73a5a93aa1f537a80ca8 ]
-
-Make sure TCA_DSMARK_INDICES was provided by the user.
-
-syzbot reported :
-
-kasan: CONFIG_KASAN_INLINE enabled
-kasan: GPF could be caused by NULL-ptr deref or user memory access
-general protection fault: 0000 [#1] PREEMPT SMP KASAN
-CPU: 1 PID: 8799 Comm: syz-executor235 Not tainted 5.3.0+ #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-RIP: 0010:nla_get_u16 include/net/netlink.h:1501 [inline]
-RIP: 0010:dsmark_init net/sched/sch_dsmark.c:364 [inline]
-RIP: 0010:dsmark_init+0x193/0x640 net/sched/sch_dsmark.c:339
-Code: 85 db 58 0f 88 7d 03 00 00 e8 e9 1a ac fb 48 8b 9d 70 ff ff ff 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ca
-RSP: 0018:ffff88809426f3b8 EFLAGS: 00010247
-RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff85c6eb09
-RDX: 0000000000000000 RSI: ffffffff85c6eb17 RDI: 0000000000000004
-RBP: ffff88809426f4b0 R08: ffff88808c4085c0 R09: ffffed1015d26159
-R10: ffffed1015d26158 R11: ffff8880ae930ac7 R12: ffff8880a7e96940
-R13: dffffc0000000000 R14: ffff88809426f8c0 R15: 0000000000000000
-FS: 0000000001292880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 0000000020000080 CR3: 000000008ca1b000 CR4: 00000000001406e0
-DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
-DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
-Call Trace:
- qdisc_create+0x4ee/0x1210 net/sched/sch_api.c:1237
- tc_modify_qdisc+0x524/0x1c50 net/sched/sch_api.c:1653
- rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5223
- netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
- rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5241
- netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
- netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328
- netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917
- sock_sendmsg_nosec net/socket.c:637 [inline]
- sock_sendmsg+0xd7/0x130 net/socket.c:657
- ___sys_sendmsg+0x803/0x920 net/socket.c:2311
- __sys_sendmsg+0x105/0x1d0 net/socket.c:2356
- __do_sys_sendmsg net/socket.c:2365 [inline]
- __se_sys_sendmsg net/socket.c:2363 [inline]
- __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363
- do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-RIP: 0033:0x440369
-
-Fixes: 758cc43c6d73 ("[PKT_SCHED]: Fix dsmark to apply changes consistent")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/sched/sch_dsmark.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/sched/sch_dsmark.c
-+++ b/net/sched/sch_dsmark.c
-@@ -354,6 +354,8 @@ static int dsmark_init(struct Qdisc *sch
- goto errout;
-
- err = -EINVAL;
-+ if (!tb[TCA_DSMARK_INDICES])
-+ goto errout;
- indices = nla_get_u16(tb[TCA_DSMARK_INDICES]);
-
- if (hweight32(indices) != 1)
@@ -1,11 +0,0 @@
-hso-fix-null-deref-on-tty-open.patch
-ipv6-drop-incoming-packets-having-a-v4mapped-source-address.patch
-net-ipv4-avoid-mixed-n_redirects-and-rate_tokens-usage.patch
-net-qlogic-fix-memory-leak-in-ql_alloc_large_buffers.patch
-nfc-fix-memory-leak-in-llcp_sock_bind.patch
-sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch
-net-rds-fix-error-handling-in-rds_ib_add_one.patch
-sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch
-smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
-nfc-fix-attrs-checks-in-netlink-interface.patch
-ovl-filter-of-trusted-xattr-results-in-audit.patch
diff --git a/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch b/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
deleted file mode 100644
index 675bf38..0000000
--- a/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 3675f052b43ba51b99b85b073c7070e083f3e6fb Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Thu, 4 Jul 2019 20:44:44 +0200
-Subject: Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
-
-From: Jann Horn <jannh@google.com>
-
-commit 3675f052b43ba51b99b85b073c7070e083f3e6fb upstream.
-
-There is a logic bug in the current smack_bprm_set_creds():
-If LSM_UNSAFE_PTRACE is set, but the ptrace state is deemed to be
-acceptable (e.g. because the ptracer detached in the meantime), the other
-->unsafe flags aren't checked. As far as I can tell, this means that
-something like the following could work (but I haven't tested it):
-
- - task A: create task B with fork()
- - task B: set NO_NEW_PRIVS
- - task B: install a seccomp filter that makes open() return 0 under some
- conditions
- - task B: replace fd 0 with a malicious library
- - task A: attach to task B with PTRACE_ATTACH
- - task B: execve() a file with an SMACK64EXEC extended attribute
- - task A: while task B is still in the middle of execve(), exit (which
- destroys the ptrace relationship)
-
-Make sure that if any flags other than LSM_UNSAFE_PTRACE are set in
-bprm->unsafe, we reject the execve().
-
-Cc: stable@vger.kernel.org
-Fixes: 5663884caab1 ("Smack: unify all ptrace accesses in the smack")
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- security/smack/smack_lsm.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -699,7 +699,8 @@ static int smack_bprm_set_creds(struct l
-
- if (rc != 0)
- return rc;
-- } else if (bprm->unsafe)
-+ }
-+ if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)
- return -EPERM;
-
- bsp->smk_task = isp->smk_task;
|