From: Tony Nguyen <anthony.l.nguyen(a)intel.com>
stable inclusion
from stable-v4.19.270
commit ef1d739dd1f362aec081278ff92f943c31eb177a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRIW
CVE: CVE-2022-48949
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit de5dc44370fbd6b46bd7f1a1e00369be54a041c8 upstream.
When a MAC address is not assigned to the VF, that portion of the message
sent to the VF is not set. The memory, however, is allocated from the
stack meaning that information may be leaked to the VM. Initialize the
message buffer to 0 so that no information is passed to the VM in this
case.
Fixes: 6ddbc4cf1f4d ("igb: Indicate failure on vf reset for empty mac address")
Reported-by: Akihiko Odaki <akihiko.odaki(a)daynix.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki(a)daynix.com>
Reviewed-by: Leon Romanovsky <leonro(a)nvidia.com>
Link: https://lore.kernel.org/r/20221212190031.3983342-1-anthony.l.nguyen@intel.c…
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Wang Liang <wangliang74(a)huawei.com>
---
drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 6b7e4a718630..ef5d11723d56 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -7151,7 +7151,7 @@ static void igb_vf_reset_msg(struct igb_adapter *adapter, u32 vf)
{
struct e1000_hw *hw = &adapter->hw;
unsigned char *vf_mac = adapter->vf_data[vf].vf_mac_addresses;
- u32 reg, msgbuf[3];
+ u32 reg, msgbuf[3] = {};
u8 *addr = (u8 *)(&msgbuf[1]);
/* process all the same items cleared in a function level reset */
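Review bot: The new `= {}` initializer on `msgbuf` has no comment, so the reason it matters lives only in the commit message and a later cleanup could drop it as a redundant initialization. Per the description, the MAC portion of the message is left unwritten when the VF has no MAC address and the stack buffer is still sent to the VF, so I would add above the declaration `/* zero msgbuf: the MAC words stay unwritten for a VF without a MAC, and the buffer is sent to the VF */`. The code that fills and sends the buffer is in the part of igb_vf_reset_msg() below this hunk, so the comment should be checked against the full function before it is merged.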
--
2.34.1
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: 4cd9ac5bb21892408b1fd5332f7fbea44a16b61e
commit: 3ad98583441f7c8a2553e1e8d6340ed4397033e2 [1344/1344] crypto: tdm: Support dynamic protection for SCT and IDT by HYGON TDM
config: x86_64-buildonly-randconfig-003-20241102 (https://download.01.org/0day-ci/archive/20241102/202411020918.At8pfay4-lkp@…)
compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241102/202411020918.At8pfay4-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202411020918.At8pfay4-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from drivers/crypto/ccp/hygon/tdm-kernel-guard.c:15:
In file included from include/linux/kallsyms.h:13:
In file included from include/linux/mm.h:2242:
include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
drivers/crypto/ccp/hygon/tdm-kernel-guard.c:151:5: warning: no previous prototype for function 'tdm_service_run' [-Wmissing-prototypes]
151 | int tdm_service_run(struct tdm_security_enhance *data)
| ^
drivers/crypto/ccp/hygon/tdm-kernel-guard.c:151:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
151 | int tdm_service_run(struct tdm_security_enhance *data)
| ^
| static
drivers/crypto/ccp/hygon/tdm-kernel-guard.c:212:5: warning: no previous prototype for function 'tdm_service_exit' [-Wmissing-prototypes]
212 | int tdm_service_exit(struct tdm_security_enhance *data)
| ^
drivers/crypto/ccp/hygon/tdm-kernel-guard.c:212:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
212 | int tdm_service_exit(struct tdm_security_enhance *data)
| ^
| static
>> drivers/crypto/ccp/hygon/tdm-kernel-guard.c:243:15: warning: no previous prototype for function 'kprobe_symbol_address_byname' [-Wmissing-prototypes]
243 | unsigned long kprobe_symbol_address_byname(const char *name)
| ^
drivers/crypto/ccp/hygon/tdm-kernel-guard.c:243:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
243 | unsigned long kprobe_symbol_address_byname(const char *name)
| ^
| static
4 warnings generated.
vim +/kprobe_symbol_address_byname +243 drivers/crypto/ccp/hygon/tdm-kernel-guard.c
211
/*
 * Stop and destroy the measurement task described by @data, then free the
 * authcode and mem_range buffers that @data points to.
 *
 * Returns 0 on success, or the negative value returned by
 * psp_startstop_measure_task() when the stop request fails.
 */
> 212 int tdm_service_exit(struct tdm_security_enhance *data)
213 {
214 int ret = 0;
215 int task_status = 0;
216
217 task_status = psp_startstop_measure_task(data->task_id, data->authcode, false);
218 if (task_status < 0) {
219 ret = task_status;
220 pr_err("task_id %d stop failed with 0x%x\n", data->task_id, ret);
/* NOTE(review): this exit skips the kfree() calls below, so authcode and mem_range stay allocated; confirm the caller retries or releases them. */
221 goto end;
222 }
223
224 // Waiting for the task to end
/* NOTE(review): fixed 40 ms delay; nothing here verifies that the task has actually stopped before it is destroyed. */
225 msleep(40);
226
/* Any result of psp_destroy_measure_task() is not used here. */
227 psp_destroy_measure_task(data->task_id, data->authcode);
228
/* Each pointer is cleared right after kfree() so @data holds no dangling pointer. */
229 kfree(data->authcode);
230 data->authcode = NULL;
231 kfree(data->mem_range);
232 data->mem_range = NULL;
233 end:
234 return ret;
235 }
236
237 #if !IS_BUILTIN(CONFIG_TDM_KERNEL_GUARD)
/* Pre-handler that does nothing and returns 0; both arguments are unused. */
238 static int p_tmp_kprobe_handler(struct kprobe *p_ri, struct pt_regs *p_regs)
239 {
240 return 0;
241 }
242
/*
 * Look up the address of the kernel symbol @name by registering a
 * temporary kprobe on it, reading back the address the kprobe resolved,
 * and unregistering the probe again.
 *
 * Returns the address, or 0 if register_kprobe() fails.
 *
 * NOTE(review): compiled only when the driver is not built in, so this is
 * presumably a way for the module to reach symbols that are not exported
 * to modules. Callers and the use made of the address are not shown here;
 * confirm the set of names is fixed and the result never leaves the kernel.
 */
> 243 unsigned long kprobe_symbol_address_byname(const char *name)
244 {
245 int p_ret;
246 struct kprobe p_kprobe;
247 unsigned long addr = 0;
248
/* Zero the on-stack probe so every field other than the two set below starts cleared. */
249 memset(&p_kprobe, 0, sizeof(p_kprobe));
250
251 p_kprobe.pre_handler = p_tmp_kprobe_handler;
252 p_kprobe.symbol_name = name;
253
254 p_ret = register_kprobe(&p_kprobe);
255 if (p_ret < 0) {
256 pr_err("register_kprobe error [%d] :(\n", p_ret);
/* 0 is the failure value; callers have to test for it before using the result. */
257 return 0;
258 }
259
/* The probe is needed only long enough to read the resolved address. */
260 addr = (unsigned long)p_kprobe.addr;
261 unregister_kprobe(&p_kprobe);
262
263 return addr;
264 }
265 #endif
266
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Steven,
FYI, the error/warning still remains.
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: fc269dcb986088196619510639266c08d10fc8b7
commit: a6a7981cbf66d4951425d33cdce6ef39206eba83 [1231/1231] Net: ethernet: Support 3snic 3s9xx network card
config: arm64-randconfig-004-20241029 (https://download.01.org/0day-ci/archive/20241101/202411012342.ooJtSVFz-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241101/202411012342.ooJtSVFz-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202411012342.ooJtSVFz-lkp@intel.com/
All error/warnings (new ones prefixed by >>):
>> drivers/net/ethernet/3snic/sssnic/hw/sss_pci_sriov.c:40:13: warning: 'sss_deinit_vf_hw' defined but not used [-Wunused-function]
40 | static void sss_deinit_vf_hw(void *hwdev, u16 vf_num)
| ^~~~~~~~~~~~~~~~
>> drivers/net/ethernet/3snic/sssnic/hw/sss_pci_sriov.c:18:12: warning: 'sss_init_vf_hw' defined but not used [-Wunused-function]
18 | static int sss_init_vf_hw(void *hwdev, u16 vf_num)
| ^~~~~~~~~~~~~~
--
drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c: In function 'sss_nic_get_vlan_depth':
>> drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:165:28: error: implicit declaration of function 'vlan_dev_priv'; did you mean 'netdev_priv'? [-Werror=implicit-function-declaration]
165 | vlan_dev = vlan_dev_priv(vlan_dev)->real_dev;
| ^~~~~~~~~~~~~
| netdev_priv
>> drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:165:51: error: invalid type argument of '->' (have 'int')
165 | vlan_dev = vlan_dev_priv(vlan_dev)->real_dev;
| ^~
drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c: At top level:
drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:878:6: warning: no previous prototype for 'sss_nic_port_module_cable_plug' [-Wmissing-prototypes]
878 | void sss_nic_port_module_cable_plug(struct sss_nic_dev *nic_dev, void *event_data)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:884:6: warning: no previous prototype for 'sss_nic_port_module_cable_unplug' [-Wmissing-prototypes]
884 | void sss_nic_port_module_cable_unplug(struct sss_nic_dev *nic_dev, void *event_data)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:890:6: warning: no previous prototype for 'sss_nic_port_module_link_err' [-Wmissing-prototypes]
890 | void sss_nic_port_module_link_err(struct sss_nic_dev *nic_dev, void *event_data)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:1029:22: warning: no previous prototype for 'get_nic_uld_info' [-Wmissing-prototypes]
1029 | struct sss_uld_info *get_nic_uld_info(void)
| ^~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +165 drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c
157
/*
 * Count how many VLAN devices are stacked on @dev by following real_dev
 * links until is_vlan_dev() reports a non-VLAN device.
 *
 * NOTE(review): the do/while body runs before the first is_vlan_dev()
 * check, so @dev is presumably expected to be a VLAN device already;
 * confirm against the caller.
 */
158 static u16 sss_nic_get_vlan_depth(struct net_device *dev)
159 {
160 u16 vlan_depth = 0;
161 struct net_device *vlan_dev = dev;
162
163 do {
164 vlan_depth++;
/* NOTE(review): the build report flags vlan_dev_priv() as undeclared in this config; presumably it is declared only when 802.1Q VLAN support is enabled. Confirm and guard or select accordingly. */
> 165 vlan_dev = vlan_dev_priv(vlan_dev)->real_dev;
166 } while (is_vlan_dev(vlan_dev));
167
168 return vlan_depth;
169 }
170
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
From: Simon Horman <horms(a)kernel.org>
stable inclusion
from stable-v5.10.227
commit e2b2558971e02ca33eb637a8350d68a48b3e8e46
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA6
CVE: CVE-2024-49995
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ]
Smatch reports that copying media_name and if_name to name_parts may
overwrite the destination.
.../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
.../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)
This does seem to be the case so guard against this possibility by using
strscpy() and failing if truncation occurs.
Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge")
Compile tested only.
Reviewed-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Simon Horman <horms(a)kernel.org>
Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: dinglongwei <dinglongwei1(a)huawei.com>
---
net/tipc/bearer.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 72c31ef985eb..fe2a71971dd7 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -161,8 +161,12 @@ static int bearer_name_validate(const char *name,
/* return bearer name components, if necessary */
if (name_parts) {
- strcpy(name_parts->media_name, media_name);
- strcpy(name_parts->if_name, if_name);
+ if (strscpy(name_parts->media_name, media_name,
+ TIPC_MAX_MEDIA_NAME) < 0)
+ return 0;
+ if (strscpy(name_parts->if_name, if_name,
+ TIPC_MAX_IF_NAME) < 0)
+ return 0;
}
return 1;
}
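Review bot: Both strscpy() calls bound the copy with `TIPC_MAX_MEDIA_NAME` and `TIPC_MAX_IF_NAME` rather than with the size of the destination fields, so the bound is only right while the struct members are declared with exactly those constants; the struct definition is not in this hunk. Tying the bound to the destination, `strscpy(name_parts->media_name, media_name, sizeof(name_parts->media_name))` and likewise for `if_name`, keeps the check correct if either declaration changes. When the second copy fails, the function returns 0 with `name_parts->media_name` already written, so a short comment on the `if (name_parts)` block stating that `name_parts` is undefined after a failed validation would help callers. bearer_name_validate() begins above the hunk.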
--
2.17.1