- Kernel - mailweb.openeuler.org

[PATCH v2 OLK-5.10] selinux: avoid dereference of garbage after mount failure
by felix 22 May '24

22 May '24

From: Christian Göttsche <cgzones(a)googlemail.com> stable inclusion from stable-v6.6.26 commit 477ed6789eb9f3f4d3568bb977f90c863c12724e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG73 CVE: CVE-2024-35904 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 37801a36b4d68892ce807264f784d818f8d0d39b upstream. In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer. While on it drop the never read static variable selinuxfs_mount. Cc: stable(a)vger.kernel.org Fixes: 0619f0f5e36f ("selinux: wrap selinuxfs state") Signed-off-by: Christian Göttsche <cgzones(a)googlemail.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: security/selinux/selinuxfs.c [selinuxfs_mount still in use because of SECURITY_SELINUX_DISABLE, so we reserve it, only deal with kern_mount failure issue] Signed-off-by: Felix Fu <fuzhen5(a)huawei.com> --- security/selinux/selinuxfs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index d893c2280f59..97d169679265 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -2232,13 +2232,17 @@ static int __init init_sel_fs(void) pr_err("selinuxfs: could not mount!\n"); err = PTR_ERR(selinuxfs_mount); selinuxfs_mount = NULL; + selinux_null.mnt = NULL; + return err; } + selinux_null.dentry = d_hash_and_lookup(selinux_null.mnt->mnt_root, &null_name); if (IS_ERR(selinux_null.dentry)) { pr_err("selinuxfs: could not lookup null!\n"); err = PTR_ERR(selinux_null.dentry); selinux_null.dentry = NULL; + return err; } return err; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS 0/1] net-memcg: Fix scope of sockmem pressure indicators
by Chen Ridong 22 May '24

22 May '24

*** BLURB HERE *** Abel Wu (1): net-memcg: Fix scope of sockmem pressure indicators include/linux/memcontrol.h | 9 +++++++-- mm/vmpressure.c | 13 ++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) -- 2.34.1

2 2

[PATCH OLK-5.10] netfilter: nft_flow_offload: reset dst in route object after setting up flow
by Liu Jian 22 May '24

22 May '24

From: Pablo Neira Ayuso <pablo(a)netfilter.org> mainline inclusion from mainline-v6.8-rc6 commit 9e0f0430389be7696396c62f037be4bf72cf93e3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8LQ CVE: CVE-2024-27403 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- dst is transferred to the flow object, route object does not own it anymore. Reset dst in route object, otherwise if flow_offload_add() fails, error path releases dst twice, leading to a refcount underflow. Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression") Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Conflicts: include/net/netfilter/nf_flow_table.h net/netfilter/nf_flow_table_core.c [This is because we did not backport fa502c865666, 8b9229d15877, 7a27f6ab4135] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- include/net/netfilter/nf_flow_table.h | 2 +- net/netfilter/nf_flow_table_core.c | 16 +++++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index b338638f2279..b49dfb415bad 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -207,7 +207,7 @@ nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table, } int flow_offload_route_init(struct flow_offload *flow, - const struct nf_flow_route *route); + struct nf_flow_route *route); int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow); void flow_offload_refresh(struct nf_flowtable *flow_table, diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index d091d51b5e19..5a5faefb181d 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -74,13 +74,23 @@ struct flow_offload *flow_offload_alloc(struct nf_conn *ct) } EXPORT_SYMBOL_GPL(flow_offload_alloc); +static struct dst_entry *nft_route_dst_fetch(struct nf_flow_route *route, + enum flow_offload_tuple_dir dir) +{ + struct dst_entry *dst = route->tuple[dir].dst; + + route->tuple[dir].dst = NULL; + + return dst; +} + static int flow_offload_fill_route(struct flow_offload *flow, - const struct nf_flow_route *route, + struct nf_flow_route *route, enum flow_offload_tuple_dir dir) { struct flow_offload_tuple *flow_tuple = &flow->tuplehash[dir].tuple; struct dst_entry *other_dst = route->tuple[!dir].dst; - struct dst_entry *dst = route->tuple[dir].dst; + struct dst_entry *dst = nft_route_dst_fetch(route, dir); if (!dst_hold_safe(route->tuple[dir].dst)) return -1; @@ -101,7 +111,7 @@ static int flow_offload_fill_route(struct flow_offload *flow, } int flow_offload_route_init(struct flow_offload *flow, - const struct nf_flow_route *route) + struct nf_flow_route *route) { int err; -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP2 0/1] net-memcg: Fix scope of sockmem pressure indicators
by Chen Ridong 22 May '24

22 May '24

*** BLURB HERE *** Abel Wu (1): net-memcg: Fix scope of sockmem pressure indicators include/linux/memcontrol.h | 9 +++++++-- mm/vmpressure.c | 12 +++++++++++- 2 files changed, 18 insertions(+), 3 deletions(-) -- 2.34.1

2 2

[PATCH openEuler-22.03-LTS-SP1 0/1] net-memcg: Fix scope of sockmem pressure indicators
by Chen Ridong 22 May '24

22 May '24

*** BLURB HERE *** Abel Wu (1): net-memcg: Fix scope of sockmem pressure indicators include/linux/memcontrol.h | 9 +++++++-- mm/vmpressure.c | 12 +++++++++++- 2 files changed, 18 insertions(+), 3 deletions(-) -- 2.34.1

2 2

[PATCH openEuler-22.03-LTS 0/1] net-memcg: Fix scope of sockmem pressure indicators
by Chen Ridong 22 May '24

22 May '24

*** BLURB HERE *** Abel Wu (1): net-memcg: Fix scope of sockmem pressure indicators include/linux/memcontrol.h | 9 +++++++-- mm/vmpressure.c | 12 +++++++++++- 2 files changed, 18 insertions(+), 3 deletions(-) -- 2.34.1

2 2

[PATCH OLK5.10 0/1] net-memcg: Fix scope of sockmem pressure indicators
by Chen Ridong 22 May '24

22 May '24

*** BLURB HERE *** Abel Wu (1): net-memcg: Fix scope of sockmem pressure indicators include/linux/memcontrol.h | 9 +++++++-- mm/vmpressure.c | 12 +++++++++++- 2 files changed, 18 insertions(+), 3 deletions(-) -- 2.34.1

1 0

[PATCH openEuler-1.0-LTS V2 0/2] Fix CVE-2023-52656
by Zizhi Wo 22 May '24

22 May '24

V2: fix an undeclared error with io_uring_fops V1: fix main error Jens Axboe (2): io_uring/unix: drop usage of io_uring socket io_uring: drop any code related to SCM_RIGHTS fs/io_uring.c | 212 +-------------------------------------------- include/linux/fs.h | 6 +- net/core/scm.c | 2 +- net/unix/scm.c | 4 +- 4 files changed, 8 insertions(+), 216 deletions(-) -- 2.39.2

2 3

[PATCH OLK-5.10 0/1] net-memcg: Fix scope of sockmem pressure indicators
by Chen Ridong 22 May '24

22 May '24

*** BLURB HERE *** Abel Wu (1): net-memcg: Fix scope of sockmem pressure indicators include/linux/memcontrol.h | 9 +++++++-- mm/vmpressure.c | 13 ++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) -- 2.34.1

2 2

[PATCH openEuler-22.03-LTS-SP2 0/1] net-memcg: Fix scope of sockmem pressure indicators
by Chen Ridong 22 May '24

22 May '24

*** BLURB HERE *** Abel Wu (1): net-memcg: Fix scope of sockmem pressure indicators include/linux/memcontrol.h | 9 +++++++-- mm/vmpressure.c | 13 ++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) -- 2.34.1

2 2