- Kernel - mailweb.openeuler.org

[PATCH openEuler-22.03-LTS-SP1 0/4] Fix CVE-2023-52441 and integrate the pre-patch
by ZhaoLong Wang 10 Apr '24

10 Apr '24

All patches are from 5.15.y. Namjae Jeon (4): ksmbd: return STATUS_NOT_SUPPORTED on unsupported smb2.0 dialect ksmbd: return unsupported error on smb1 mount ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr ksmbd: fix out of bounds in init_smb2_rsp_hdr() fs/ksmbd/connection.c | 7 +-- fs/ksmbd/server.c | 6 +- fs/ksmbd/smb2pdu.c | 3 - fs/ksmbd/smb_common.c | 142 +++++++++++++++++++++++++++++++++++------- fs/ksmbd/smb_common.h | 30 +++------ 5 files changed, 135 insertions(+), 53 deletions(-) -- 2.34.3

2 5

[PATCH openEuler-22.03-LTS 0/4] Fix CVE-2023-52441 and integrate the pre-patch
by ZhaoLong Wang 10 Apr '24

10 Apr '24

All patches are from 5.15.y. Namjae Jeon (4): ksmbd: return STATUS_NOT_SUPPORTED on unsupported smb2.0 dialect ksmbd: return unsupported error on smb1 mount ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr ksmbd: fix out of bounds in init_smb2_rsp_hdr() fs/ksmbd/connection.c | 7 +-- fs/ksmbd/server.c | 6 +- fs/ksmbd/smb2pdu.c | 3 - fs/ksmbd/smb_common.c | 142 +++++++++++++++++++++++++++++++++++------- fs/ksmbd/smb_common.h | 30 +++------ 5 files changed, 135 insertions(+), 53 deletions(-) -- 2.34.3

2 5

[PATCH OLK-5.10 0/4] Fix CVE-2023-52441 and integrate the pre-patch
by ZhaoLong Wang 10 Apr '24

10 Apr '24

All patches are from 5.15.y. Namjae Jeon (4): ksmbd: return STATUS_NOT_SUPPORTED on unsupported smb2.0 dialect ksmbd: return unsupported error on smb1 mount ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr ksmbd: fix out of bounds in init_smb2_rsp_hdr() fs/ksmbd/connection.c | 7 +-- fs/ksmbd/server.c | 6 +- fs/ksmbd/smb2pdu.c | 3 - fs/ksmbd/smb_common.c | 142 +++++++++++++++++++++++++++++++++++------- fs/ksmbd/smb_common.h | 30 +++------ 5 files changed, 135 insertions(+), 53 deletions(-) -- 2.34.3

2 5

[PATCH OLK-5.10 0/1] fixup CVE-2024-26751
by Yuntao Liu 10 Apr '24

10 Apr '24

fixup CVE-2024-26751 Nikita Shubin (1): ARM: ep93xx: Add terminator to gpiod_lookup_table arch/arm/mach-ep93xx/core.c | 1 + 1 file changed, 1 insertion(+) -- 2.34.1

1 1

[PATCH openEuler-1.0-LTS] btrfs: dev-replace: properly validate device names
by Long Li 10 Apr '24

10 Apr '24

From: David Sterba <dsterba(a)suse.com> stable inclusion from stable-v4.19.273 commit 11d7a2e429c02d51e2dc90713823ea8b8d3d3a84 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E469 CVE: CVE-2024-26791 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- commit 9845664b9ee47ce7ee7ea93caf47d39a9d4552c4 upstream. There's a syzbot report that device name buffers passed to device replace are not properly checked for string termination which could lead to a read out of bounds in getname_kernel(). Add a helper that validates both source and target device name buffers. For devid as the source initialize the buffer to empty string in case something tries to read it later. This was originally analyzed and fixed in a different way by Edward Adam Davis (see links). Link: https://lore.kernel.org/linux-btrfs/000000000000d1a1d1060cc9c5e7@google.com/ Link: https://lore.kernel.org/linux-btrfs/tencent_44CA0665C9836EF9EEC80CB9E7E206D… CC: stable(a)vger.kernel.org # 4.19+ CC: Edward Adam Davis <eadavis(a)qq.com> Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8(a)syzkaller.appspotmail.com Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/btrfs/dev-replace.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c index 1b9c8ffb038f..c50c0251fd90 100644 --- a/fs/btrfs/dev-replace.c +++ b/fs/btrfs/dev-replace.c @@ -513,6 +513,23 @@ int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, return ret; } +static int btrfs_check_replace_dev_names(struct btrfs_ioctl_dev_replace_args *args) +{ + if (args->start.srcdevid == 0) { + if (memchr(args->start.srcdev_name, 0, + sizeof(args->start.srcdev_name)) == NULL) + return -ENAMETOOLONG; + } else { + args->start.srcdev_name[0] = 0; + } + + if (memchr(args->start.tgtdev_name, 0, + sizeof(args->start.tgtdev_name)) == NULL) + return -ENAMETOOLONG; + + return 0; +} + int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, struct btrfs_ioctl_dev_replace_args *args) { @@ -525,10 +542,9 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, default: return -EINVAL; } - - if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || - args->start.tgtdev_name[0] == '\0') - return -EINVAL; + ret = btrfs_check_replace_dev_names(args); + if (ret < 0) + return ret; ret = btrfs_dev_replace_start(fs_info, args->start.tgtdev_name, args->start.srcdevid, -- 2.31.1

2 1

[PATCH OLK-5.10 0/1] fixup CVE-2024-26751
by Yuntao Liu 10 Apr '24

10 Apr '24

fixup CVE-2024-26751 Nikita Shubin (1): ARM: ep93xx: Add terminator to gpiod_lookup_table arch/arm/mach-ep93xx/core.c | 1 + 1 file changed, 1 insertion(+) -- 2.34.1

1 1

[PATCH openEuler-1.0-LTS] fbdev: savage: Error out if pixclock equals zero
by Cai Xinchen 10 Apr '24

10 Apr '24

From: Fullway Wang <fullwaywang(a)outlook.com> stable inclusion from stable-v4.19.308 commit 224453de8505aede1890f007be973925a3edf6a1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2Y8 CVE: CVE-2024-26778 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288 ] The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of pixclock, it may cause divide-by-zero error. Although pixclock is checked in savagefb_decode_var(), but it is not checked properly in savagefb_probe(). Fix this by checking whether pixclock is zero in the function savagefb_check_var() before info->var.pixclock is used as the divisor. This is similar to CVE-2022-3061 in i740fb which was fixed by commit 15cf0b8. Signed-off-by: Fullway Wang <fullwaywang(a)outlook.com> Signed-off-by: Helge Deller <deller(a)gmx.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/video/fbdev/savage/savagefb_driver.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/savage/savagefb_driver.c b/drivers/video/fbdev/savage/savagefb_driver.c index c09d7426cd92..d9eafdb89cea 100644 --- a/drivers/video/fbdev/savage/savagefb_driver.c +++ b/drivers/video/fbdev/savage/savagefb_driver.c @@ -869,6 +869,9 @@ static int savagefb_check_var(struct fb_var_screeninfo *var, DBG("savagefb_check_var"); + if (!var->pixclock) + return -EINVAL; + var->transp.offset = 0; var->transp.length = 0; switch (var->bits_per_pixel) { -- 2.34.1

2 1

[PATCH] fbdev: savage: Error out if pixclock equals zero
by Cai Xinchen 10 Apr '24

10 Apr '24

From: Fullway Wang <fullwaywang(a)outlook.com> stable inclusion from stable-v4.19.308 commit 224453de8505aede1890f007be973925a3edf6a1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2Y8 CVE: CVE-2024-26778 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288 ] The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of pixclock, it may cause divide-by-zero error. Although pixclock is checked in savagefb_decode_var(), but it is not checked properly in savagefb_probe(). Fix this by checking whether pixclock is zero in the function savagefb_check_var() before info->var.pixclock is used as the divisor. This is similar to CVE-2022-3061 in i740fb which was fixed by commit 15cf0b8. Signed-off-by: Fullway Wang <fullwaywang(a)outlook.com> Signed-off-by: Helge Deller <deller(a)gmx.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/video/fbdev/savage/savagefb_driver.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/savage/savagefb_driver.c b/drivers/video/fbdev/savage/savagefb_driver.c index c09d7426cd92..d9eafdb89cea 100644 --- a/drivers/video/fbdev/savage/savagefb_driver.c +++ b/drivers/video/fbdev/savage/savagefb_driver.c @@ -869,6 +869,9 @@ static int savagefb_check_var(struct fb_var_screeninfo *var, DBG("savagefb_check_var"); + if (!var->pixclock) + return -EINVAL; + var->transp.offset = 0; var->transp.length = 0; switch (var->bits_per_pixel) { -- 2.34.1

1 0

[PATCH OLK-5.10 0/5] cvm feature patches
by hejingxian 10 Apr '24

10 Apr '24

From: Jingxian He <hejingxian(a)huawei.com> Add cvm feature patches: 1. add cvm host feature 2. enable pmu phys irq inject for cvm 3. add bounce buffer feature for cvm guest 4. add lpi support for cvm guest 5. fix kabi for cvm host arch/arm64/configs/defconfig | 2 + arch/arm64/configs/openeuler_defconfig | 2 + arch/arm64/include/asm/cvm_guest.h | 21 + arch/arm64/include/asm/kvm_emulate.h | 18 + arch/arm64/include/asm/kvm_host.h | 28 +- arch/arm64/include/asm/kvm_tmi.h | 377 +++++++++++ arch/arm64/include/asm/kvm_tmm.h | 73 +++ arch/arm64/kvm/Kconfig | 16 + arch/arm64/kvm/Makefile | 5 + arch/arm64/kvm/arch_timer.c | 104 ++- arch/arm64/kvm/arm.c | 157 ++++- arch/arm64/kvm/cvm.c | 869 +++++++++++++++++++++++++ arch/arm64/kvm/cvm_exit.c | 240 +++++++ arch/arm64/kvm/cvm_guest.c | 91 +++ arch/arm64/kvm/guest.c | 8 + arch/arm64/kvm/hisilicon/hisi_virt.c | 7 + arch/arm64/kvm/hyp/vgic-v3-sr.c | 19 + arch/arm64/kvm/mmio.c | 19 + arch/arm64/kvm/mmu.c | 7 + arch/arm64/kvm/pmu-emul.c | 10 + arch/arm64/kvm/psci.c | 12 +- arch/arm64/kvm/reset.c | 10 + arch/arm64/kvm/tmi.c | 168 +++++ arch/arm64/kvm/vgic/vgic-v3.c | 18 +- arch/arm64/kvm/vgic/vgic.c | 59 +- arch/arm64/mm/mmu.c | 11 + arch/arm64/mm/pageattr.c | 9 +- drivers/irqchip/irq-gic-v3-its.c | 229 ++++++- drivers/perf/arm_pmu.c | 17 + include/kvm/arm_arch_timer.h | 4 + include/linux/kvm_host.h | 23 + include/linux/perf/arm_pmu.h | 3 + include/linux/swiotlb.h | 13 + include/uapi/linux/kvm.h | 27 + kernel/dma/direct.c | 39 ++ kernel/dma/swiotlb.c | 86 ++- virt/kvm/kvm_main.c | 7 +- 37 files changed, 2765 insertions(+), 43 deletions(-) create mode 100644 arch/arm64/include/asm/cvm_guest.h create mode 100644 arch/arm64/include/asm/kvm_tmi.h create mode 100644 arch/arm64/include/asm/kvm_tmm.h create mode 100644 arch/arm64/kvm/cvm.c create mode 100644 arch/arm64/kvm/cvm_exit.c create mode 100644 arch/arm64/kvm/cvm_guest.c create mode 100644 arch/arm64/kvm/tmi.c -- 2.33.0

2 6

[PATCH openEuler-22.03-LTS-SP2] EDAC/thunderx: Fix possible out-of-bounds string access
by Guo Mengqi 10 Apr '24

10 Apr '24

From: Arnd Bergmann <arnd(a)arndb.de> stable inclusion from stable-v5.10.209 commit 6aa7865ba7ff7f0ede0035180fb3b9400ceb405a category: bugfix bugzilla: 189268 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 475c58e1a471e9b873e3e39958c64a2d278275c8 ] Enabling -Wstringop-overflow globally exposes a warning for a common bug in the usage of strncat(): drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr': drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=] 1136 | strncat(msg, other, OCX_MESSAGE_SIZE); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ... 1145 | strncat(msg, other, OCX_MESSAGE_SIZE); ... 1150 | strncat(msg, other, OCX_MESSAGE_SIZE); ... Apparently the author of this driver expected strncat() to behave the way that strlcat() does, which uses the size of the destination buffer as its third argument rather than the length of the source buffer. The result is that there is no check on the size of the allocated buffer. Change it to strlcat(). [ bp: Trim compiler output, fixup commit message. ] Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Gustavo A. R. Silva <gustavoars(a)kernel.org> Link: https://lore.kernel.org/r/20231122222007.3199885-1-arnd@kernel.org Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- drivers/edac/thunderx_edac.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c index 0eb5eb97fd74..3b0e1fe27d93 100644 --- a/drivers/edac/thunderx_edac.c +++ b/drivers/edac/thunderx_edac.c @@ -1133,7 +1133,7 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id) decode_register(other, OCX_OTHER_SIZE, ocx_com_errors, ctx->reg_com_int); - strncat(msg, other, OCX_MESSAGE_SIZE); + strlcat(msg, other, OCX_MESSAGE_SIZE); for (lane = 0; lane < OCX_RX_LANES; lane++) if (ctx->reg_com_int & BIT(lane)) { @@ -1142,12 +1142,12 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id) lane, ctx->reg_lane_int[lane], lane, ctx->reg_lane_stat11[lane]); - strncat(msg, other, OCX_MESSAGE_SIZE); + strlcat(msg, other, OCX_MESSAGE_SIZE); decode_register(other, OCX_OTHER_SIZE, ocx_lane_errors, ctx->reg_lane_int[lane]); - strncat(msg, other, OCX_MESSAGE_SIZE); + strlcat(msg, other, OCX_MESSAGE_SIZE); } if (ctx->reg_com_int & OCX_COM_INT_CE) @@ -1217,7 +1217,7 @@ static irqreturn_t thunderx_ocx_lnk_threaded_isr(int irq, void *irq_id) decode_register(other, OCX_OTHER_SIZE, ocx_com_link_errors, ctx->reg_com_link_int); - strncat(msg, other, OCX_MESSAGE_SIZE); + strlcat(msg, other, OCX_MESSAGE_SIZE); if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE) edac_device_handle_ue(ocx->edac_dev, 0, 0, msg); @@ -1896,7 +1896,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id) decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int); - strncat(msg, other, L2C_MESSAGE_SIZE); + strlcat(msg, other, L2C_MESSAGE_SIZE); if (ctx->reg_int & mask_ue) edac_device_handle_ue(l2c->edac_dev, 0, 0, msg); -- 2.17.1

2 1