- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] NFSD: Prevent a potential integer overflow
by Li Lingfeng 31 Dec '24

31 Dec '24

From: Chuck Lever <chuck.lever(a)oracle.com> stable inclusion from stable-v5.10.231 commit 3c5f545c9a1f8a1869246f6f3ae8c17289d6a841 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHG9 CVE: CVE-2024-53146 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream. If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfsd/nfs4callback.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index bd79fc4934f0..9b692bcacd4b 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -286,17 +286,17 @@ static int decode_cb_compound4res(struct xdr_stream *xdr, u32 length; __be32 *p; - p = xdr_inline_decode(xdr, 4 + 4); + p = xdr_inline_decode(xdr, XDR_UNIT); if (unlikely(p == NULL)) goto out_overflow; - hdr->status = be32_to_cpup(p++); + hdr->status = be32_to_cpup(p); /* Ignore the tag */ - length = be32_to_cpup(p++); - p = xdr_inline_decode(xdr, length + 4); - if (unlikely(p == NULL)) + if (xdr_stream_decode_u32(xdr, &length) < 0) + goto out_overflow; + if (xdr_inline_decode(xdr, length) == NULL) + goto out_overflow; + if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0) goto out_overflow; - p += XDR_QUADLEN(length); - hdr->nops = be32_to_cpup(p); return 0; out_overflow: return -EIO; -- 2.31.1

2 1

[PATCH openEuler-22.03-LTS-SP1] EDAC/bluefield: Fix potential integer overflow
by liukai 31 Dec '24

31 Dec '24

From: David Thompson <davthompson(a)nvidia.com> stable inclusion from stable-v5.10.231 commit e0269ea7a628fdeddd65b92fe29c09655dbb80b9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGU CVE: CVE-2024-53161 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 1fe774a93b46bb029b8f6fa9d1f25affa53f06c6 ] The 64-bit argument for the "get DIMM info" SMC call consists of mem_ctrl_idx left-shifted 16 bits and OR-ed with DIMM index. With mem_ctrl_idx defined as 32-bits wide the left-shift operation truncates the upper 16 bits of information during the calculation of the SMC argument. The mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any potential integer overflow, i.e. loss of data from upper 16 bits. Fixes: 82413e562ea6 ("EDAC, mellanox: Add ECC support for BlueField DDR4") Signed-off-by: David Thompson <davthompson(a)nvidia.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Shravan Kumar Ramani <shravankr(a)nvidia.com> Link: https://lore.kernel.org/r/20240930151056.10158-1-davthompson@nvidia.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Kai <liukai284(a)huawei.com> --- drivers/edac/bluefield_edac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/edac/bluefield_edac.c b/drivers/edac/bluefield_edac.c index e4736eb37bfb..0ef048982768 100644 --- a/drivers/edac/bluefield_edac.c +++ b/drivers/edac/bluefield_edac.c @@ -180,7 +180,7 @@ static void bluefield_edac_check(struct mem_ctl_info *mci) static void bluefield_edac_init_dimms(struct mem_ctl_info *mci) { struct bluefield_edac_priv *priv = mci->pvt_info; - int mem_ctrl_idx = mci->mc_idx; + u64 mem_ctrl_idx = mci->mc_idx; struct dimm_info *dimm; u64 smc_info, smc_arg; int is_empty = 1, i; -- 2.34.1

2 1

[PATCH OLK-6.6] NFSD: Prevent a potential integer overflow
by Li Lingfeng 31 Dec '24

31 Dec '24

From: Chuck Lever <chuck.lever(a)oracle.com> stable inclusion from stable-v6.6.64 commit dde654cad08fdaac370febb161ec41eb58e9d2a2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHG9 CVE: CVE-2024-53146 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream. If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfsd/nfs4callback.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index 49a88dde9631..a8671c7c3e22 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -297,17 +297,17 @@ static int decode_cb_compound4res(struct xdr_stream *xdr, u32 length; __be32 *p; - p = xdr_inline_decode(xdr, 4 + 4); + p = xdr_inline_decode(xdr, XDR_UNIT); if (unlikely(p == NULL)) goto out_overflow; - hdr->status = be32_to_cpup(p++); + hdr->status = be32_to_cpup(p); /* Ignore the tag */ - length = be32_to_cpup(p++); - p = xdr_inline_decode(xdr, length + 4); - if (unlikely(p == NULL)) + if (xdr_stream_decode_u32(xdr, &length) < 0) + goto out_overflow; + if (xdr_inline_decode(xdr, length) == NULL) + goto out_overflow; + if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0) goto out_overflow; - p += XDR_QUADLEN(length); - hdr->nops = be32_to_cpup(p); return 0; out_overflow: return -EIO; -- 2.31.1

2 1

[PATCH openEuler-1.0-LTS] NFSD: Prevent a potential integer overflow
by Li Lingfeng 31 Dec '24

31 Dec '24

From: Chuck Lever <chuck.lever(a)oracle.com> stable inclusion from stable-v4.19.325 commit 745f7ce5a95e783ba62fe774325829466aec2aa8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHG9 CVE: CVE-2024-53146 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream. If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: fs/nfsd/nfs4callback.c [Commit eb72f484a5eb ("NFS: Remove print_overflow_msg()") remove print_overflow_msg.] Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfsd/nfs4callback.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index b601e5915e6f..282bb8163cd1 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -294,17 +294,17 @@ static int decode_cb_compound4res(struct xdr_stream *xdr, u32 length; __be32 *p; - p = xdr_inline_decode(xdr, 4 + 4); + p = xdr_inline_decode(xdr, XDR_UNIT); if (unlikely(p == NULL)) goto out_overflow; - hdr->status = be32_to_cpup(p++); + hdr->status = be32_to_cpup(p); /* Ignore the tag */ - length = be32_to_cpup(p++); - p = xdr_inline_decode(xdr, length + 4); - if (unlikely(p == NULL)) + if (xdr_stream_decode_u32(xdr, &length) < 0) + goto out_overflow; + if (xdr_inline_decode(xdr, length) == NULL) + goto out_overflow; + if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0) goto out_overflow; - p += XDR_QUADLEN(length); - hdr->nops = be32_to_cpup(p); return 0; out_overflow: print_overflow_msg(__func__, xdr); -- 2.31.1

2 1

[PATCH openEuler-22.03-LTS-SP1] gpio: grgpio: Add NULL check in grgpio_probe
by Pu Lehui 31 Dec '24

31 Dec '24

From: Charles Han <hanchunchao(a)inspur.com> stable inclusion from stable-v5.10.231 commit 4733f68e59bb7b9e3d395699abb18366954b9ba7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANT CVE: CVE-2024-56634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 050b23d081da0f29474de043e9538c1f7a351b3b ] devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error. Cc: stable(a)vger.kernel.org Fixes: 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of full_name") Signed-off-by: Charles Han <hanchunchao(a)inspur.com> Link: https://lore.kernel.org/r/20241114091822.78199-1-hanchunchao@inspur.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpio/gpio-grgpio.c [The conflicts were due to some minor issues.] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/gpio/gpio-grgpio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c index f954359c9544..e8e059ae5476 100644 --- a/drivers/gpio/gpio-grgpio.c +++ b/drivers/gpio/gpio-grgpio.c @@ -362,6 +362,9 @@ static int grgpio_probe(struct platform_device *ofdev) gc->owner = THIS_MODULE; gc->to_irq = grgpio_to_irq; gc->label = devm_kasprintf(&ofdev->dev, GFP_KERNEL, "%pOF", np); + if (!gc->label) + return -ENOMEM; + gc->base = -1; err = of_property_read_u32(np, "nbits", &prop); -- 2.34.1

2 1

[PATCH OLK-5.10] gpio: grgpio: Add NULL check in grgpio_probe
by Pu Lehui 31 Dec '24

31 Dec '24

From: Charles Han <hanchunchao(a)inspur.com> stable inclusion from stable-v5.10.231 commit 4733f68e59bb7b9e3d395699abb18366954b9ba7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANT CVE: CVE-2024-56634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 050b23d081da0f29474de043e9538c1f7a351b3b ] devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error. Cc: stable(a)vger.kernel.org Fixes: 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of full_name") Signed-off-by: Charles Han <hanchunchao(a)inspur.com> Link: https://lore.kernel.org/r/20241114091822.78199-1-hanchunchao@inspur.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpio/gpio-grgpio.c [The conflicts were due to some minor issues.] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/gpio/gpio-grgpio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c index f954359c9544..e8e059ae5476 100644 --- a/drivers/gpio/gpio-grgpio.c +++ b/drivers/gpio/gpio-grgpio.c @@ -362,6 +362,9 @@ static int grgpio_probe(struct platform_device *ofdev) gc->owner = THIS_MODULE; gc->to_irq = grgpio_to_irq; gc->label = devm_kasprintf(&ofdev->dev, GFP_KERNEL, "%pOF", np); + if (!gc->label) + return -ENOMEM; + gc->base = -1; err = of_property_read_u32(np, "nbits", &prop); -- 2.34.1

2 1

[PATCH OLK-6.6] gpio: grgpio: Add NULL check in grgpio_probe
by Pu Lehui 31 Dec '24

31 Dec '24

From: Charles Han <hanchunchao(a)inspur.com> stable inclusion from stable-v6.6.66 commit 8d2ca6ac3711a4f4015d26b7cc84f325ac608edb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANT CVE: CVE-2024-56634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 050b23d081da0f29474de043e9538c1f7a351b3b ] devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error. Cc: stable(a)vger.kernel.org Fixes: 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of full_name") Signed-off-by: Charles Han <hanchunchao(a)inspur.com> Link: https://lore.kernel.org/r/20241114091822.78199-1-hanchunchao@inspur.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpio/gpio-grgpio.c [The conflicts were due to some minor issues.] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/gpio/gpio-grgpio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c index 0163c95f6dd7..b8b9f55e1bc0 100644 --- a/drivers/gpio/gpio-grgpio.c +++ b/drivers/gpio/gpio-grgpio.c @@ -361,6 +361,9 @@ static int grgpio_probe(struct platform_device *ofdev) gc->owner = THIS_MODULE; gc->to_irq = grgpio_to_irq; gc->label = devm_kasprintf(&ofdev->dev, GFP_KERNEL, "%pOF", np); + if (!gc->label) + return -ENOMEM; + gc->base = -1; err = of_property_read_u32(np, "nbits", &prop); -- 2.34.1

2 1

[PATCH OLK-6.6] bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
by Pu Lehui 31 Dec '24

31 Dec '24

From: Jann Horn <jannh(a)google.com> stable inclusion from stable-v6.6.67 commit f9f85df30118f3f4112761e6682fc60ebcce23e5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAKR CVE: CVE-2024-56675 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit ef1b808e3b7c98612feceedf985c2fbbeb28f956 upstream. Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU protection. But it is possible to attach a non-sleepable BPF program to a uprobe, and non-sleepable BPF programs are freed via normal RCU (see __bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal RCU grace period does not imply a tasks-trace-RCU grace period. Fix it by explicitly waiting for a tasks-trace-RCU grace period after removing the attachment of a bpf_prog to a perf_event. Fixes: 8c7dcb84e3b7 ("bpf: implement sleepable uprobes by chaining gps") Suggested-by: Andrii Nakryiko <andrii(a)kernel.org> Suggested-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/bpf/20241210-bpf-fix-actual-uprobe-uaf-v1-1-1943984… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/trace/bpf_trace.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 93e06d370395..b084fe1dbe12 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -2224,6 +2224,13 @@ void perf_event_detach_bpf_prog(struct perf_event *event) bpf_prog_array_free_sleepable(old_array); } + /* + * It could be that the bpf_prog is not sleepable (and will be freed + * via normal RCU), but is called from a point that supports sleepable + * programs and uses tasks-trace-RCU. + */ + synchronize_rcu_tasks_trace(); + bpf_prog_put(event->prog); event->prog = NULL; -- 2.34.1

2 1

[PATCH OLK-6.6] bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
by Pu Lehui 31 Dec '24

31 Dec '24

From: Jann Horn <jannh(a)google.com> stable inclusion from stable-v6.6.67 commit f9f85df30118f3f4112761e6682fc60ebcce23e5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAKR CVE: CVE-2024-56675 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit ef1b808e3b7c98612feceedf985c2fbbeb28f956 upstream. Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU protection. But it is possible to attach a non-sleepable BPF program to a uprobe, and non-sleepable BPF programs are freed via normal RCU (see __bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal RCU grace period does not imply a tasks-trace-RCU grace period. Fix it by explicitly waiting for a tasks-trace-RCU grace period after removing the attachment of a bpf_prog to a perf_event. Fixes: 8c7dcb84e3b7 ("bpf: implement sleepable uprobes by chaining gps") Suggested-by: Andrii Nakryiko <andrii(a)kernel.org> Suggested-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/bpf/20241210-bpf-fix-actual-uprobe-uaf-v1-1-1943984… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/trace/bpf_trace.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 93e06d370395..b084fe1dbe12 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -2224,6 +2224,13 @@ void perf_event_detach_bpf_prog(struct perf_event *event) bpf_prog_array_free_sleepable(old_array); } + /* + * It could be that the bpf_prog is not sleepable (and will be freed + * via normal RCU), but is called from a point that supports sleepable + * programs and uses tasks-trace-RCU. + */ + synchronize_rcu_tasks_trace(); + bpf_prog_put(event->prog); event->prog = NULL; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] printk: Skip log flush in NMI context when logbuf_lock is held
by Xiaomeng Zhang 31 Dec '24

31 Dec '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB963V CVE: NA -------------------------------- In nmi_trigger_cpumask_backtrace(), printk_safe_flush() is called after sending NMI to flush the logs. When logbuf_lock is already held and the current CPU is in printk-safe context (e.g., NMI context), attempting to acquire the lock again can lead to deadlock. Modify the function to return early when detecting logbuf_lock is held and current CPU is in printk-safe context. This prevents deadlock scenarios where CPU0 holds the lock while other CPUs try to acquire it in NMI context. Fixes: 099f1c84c005 ("printk: introduce per-cpu safe_print seq buffer") Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- kernel/printk/printk_safe.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/printk/printk_safe.c b/kernel/printk/printk_safe.c index 809f92492ec7..c97845688fe1 100644 --- a/kernel/printk/printk_safe.c +++ b/kernel/printk/printk_safe.c @@ -256,6 +256,10 @@ void printk_safe_flush(void) { int cpu; + if (raw_spin_is_locked(&logbuf_lock) && + (this_cpu_read(printk_context) & PRINTK_SAFE_CONTEXT_MASK)) + return; + for_each_possible_cpu(cpu) { #ifdef CONFIG_PRINTK_NMI __printk_safe_flush(&per_cpu(nmi_print_seq, cpu).work); -- 2.34.1

2 1