From: Sergey Shtylyov <s.shtylyov(a)omp.ru>
mainline inclusion
from mainline-v6.10-rc1
commit cf7385cb26ac4f0ee6c7385960525ad534323252
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SDQ
CVE: CVE-2024-38541
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
---------------------------
In of_modalias(), if the buffer happens to be too small even for the 1st
snprintf() call, the len parameter will become negative and str parameter
(if not NULL initially) will point beyond the buffer's end. Add the buffer
overflow check after the 1st snprintf() call and fix such check after the
strlen() call (accounting for the terminating NUL char).
Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings")
Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru>
Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru
Signed-off-by: Rob Herring <robh(a)kernel.org>
Conflicts:
drivers/of/module.c
[of_modalias() was in drivers/of/device.c before commit bd7a7ed774af
("of: Move of_modalias() to module.c") and was named as
of_device_get_modalias() before commit 5c3d15e127eb ("of: Update
of_device_get_modalias()"). Both commits are in v6.4.]
Signed-off-by: GONG, Ruiqi <gongruiqi1(a)huawei.com>
---
drivers/of/device.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/of/device.c b/drivers/of/device.c
index 3a547793135c..93f08f18f6b3 100644
--- a/drivers/of/device.c
+++ b/drivers/of/device.c
@@ -231,14 +231,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len
csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T',
of_node_get_device_type(dev->of_node));
tsize = csize;
+ if (csize >= len)
+ csize = len > 0 ? len - 1 : 0;
len -= csize;
- if (str)
- str += csize;
+ str += csize;
of_property_for_each_string(dev->of_node, "compatible", p, compat) {
csize = strlen(compat) + 1;
tsize += csize;
- if (csize > len)
+ if (csize >= len)
continue;
csize = snprintf(str, len, "C%s", compat);
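Review bot: dropping the "if (str)" guard so that "str += csize" runs unconditionally needs a justification in the code or the commit message. With a NULL str this now does pointer arithmetic on NULL whenever the clamped csize is non-zero, and the commit message only covers the "if not NULL initially" case. Either keep the guard, or add a comment stating that callers pass NULL only together with a zero len, in which case the new clamp leaves csize at 0.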
--
2.25.1
From: Sergey Shtylyov <s.shtylyov(a)omp.ru>
mainline inclusion
from mainline-v6.10-rc1
commit cf7385cb26ac4f0ee6c7385960525ad534323252
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SDQ
CVE: CVE-2024-38541
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
---------------------------
In of_modalias(), if the buffer happens to be too small even for the 1st
snprintf() call, the len parameter will become negative and str parameter
(if not NULL initially) will point beyond the buffer's end. Add the buffer
overflow check after the 1st snprintf() call and fix such check after the
strlen() call (accounting for the terminating NUL char).
Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings")
Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru>
Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru
Signed-off-by: Rob Herring <robh(a)kernel.org>
Conflicts:
drivers/of/device.c
[of_modalias() was in drivers/of/device.c before commit bd7a7ed774af
("of: Move of_modalias() to module.c") and was named as
of_device_get_modalias() before commit 5c3d15e127eb ("of: Update
of_device_get_modalias()"). Both commits are in v6.4.]
Signed-off-by: GONG, Ruiqi <gongruiqi1(a)huawei.com>
---
drivers/of/device.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/of/device.c b/drivers/of/device.c
index 3a547793135c..93f08f18f6b3 100644
--- a/drivers/of/device.c
+++ b/drivers/of/device.c
@@ -231,14 +231,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len
csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T',
of_node_get_device_type(dev->of_node));
tsize = csize;
+ if (csize >= len)
+ csize = len > 0 ? len - 1 : 0;
len -= csize;
- if (str)
- str += csize;
+ str += csize;
of_property_for_each_string(dev->of_node, "compatible", p, compat) {
csize = strlen(compat) + 1;
tsize += csize;
- if (csize > len)
+ if (csize >= len)
continue;
csize = snprintf(str, len, "C%s", compat);
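Review bot: the changed test "if (csize >= len)" in the compatible loop is correct but unexplained in the code. csize is strlen(compat) + 1, which counts the "C" prefix but not the NUL that the following snprintf(str, len, "C%s", compat) also writes. A one-line comment above the test saying that len must exceed csize to leave room for the terminator would keep the off-by-one from being reintroduced as ">".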
--
2.25.1
From: Junhao He <hejunhao3(a)huawei.com>
mainline inclusion
from mainline-v6.10-rc1
commit 77fce82678ea5fd51442e62febec2004f79e041b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S7E
CVE: CVE-2024-38569
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The perf tool allows users to create event groups through the following
cmd [1], but the driver does not check whether the array index is out of
bounds when writing data to the event_group array. If the number of events
in an event_group is greater than HISI_PCIE_MAX_COUNTERS, a memory write
overflow of the event_group array occurs.
Add an array index check to fix the possible array out of bounds violation,
and return directly when new events are written to array bounds.
There are 9 different events in an event_group.
[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}'
Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU")
Signed-off-by: Junhao He <hejunhao3(a)huawei.com>
Reviewed-by: Jijie Shao <shaojijie(a)huawei.com>
Acked-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com>
Link: https://lore.kernel.org/r/20240425124627.13764-2-hejunhao3@huawei.com
Signed-off-by: Will Deacon <will(a)kernel.org>
Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com>
---
drivers/perf/hisilicon/hisi_pcie_pmu.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c
index 26a63e7539c0..4018bdca0a36 100644
--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c
+++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c
@@ -356,15 +356,27 @@ static bool hisi_pcie_pmu_validate_event_group(struct perf_event *event)
return false;
for (num = 0; num < counters; num++) {
+ /*
+ * If we find a related event, then it's a valid group
+ * since we don't need to allocate a new counter for it.
+ */
if (hisi_pcie_pmu_cmp_event(event_group[num], sibling))
break;
}
+ /*
+ * Otherwise it's a new event but if there's no available counter,
+ * fail the check since we cannot schedule all the events in
+ * the group simultaneously.
+ */
+ if (num == HISI_PCIE_MAX_COUNTERS)
+ return false;
+
if (num == counters)
event_group[counters++] = sibling;
}
- return counters <= HISI_PCIE_MAX_COUNTERS;
+ return true;
}
static int hisi_pcie_pmu_event_init(struct perf_event *event)
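Review bot: the added "if (num == HISI_PCIE_MAX_COUNTERS)" test identifies a full array only because the loop above stops at num == counters; it never looks at counters itself, so the no-match case is implicit. Folding the bound into the branch that performs the store reads more directly, for example "if (num == counters) { if (counters == HISI_PCIE_MAX_COUNTERS) return false; event_group[counters++] = sibling; }", and keeps the check next to the write it protects.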
--
2.34.1
From: Sergey Shtylyov <s.shtylyov(a)omp.ru>
mainline inclusion
from mainline-v6.10-rc1
commit cf7385cb26ac4f0ee6c7385960525ad534323252
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SDQ
CVE: CVE-2024-38541
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
---------------------------
In of_modalias(), if the buffer happens to be too small even for the 1st
snprintf() call, the len parameter will become negative and str parameter
(if not NULL initially) will point beyond the buffer's end. Add the buffer
overflow check after the 1st snprintf() call and fix such check after the
strlen() call (accounting for the terminating NUL char).
Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings")
Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru>
Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru
Signed-off-by: Rob Herring <robh(a)kernel.org>
Conflicts:
drivers/of/device.c
[of_modalias() was in drivers/of/device.c before commit bd7a7ed774af
("of: Move of_modalias() to module.c") and was named as
of_device_get_modalias() before commit 5c3d15e127eb ("of: Update
of_device_get_modalias()"). Both commits are in v6.4.]
Signed-off-by: GONG, Ruiqi <gongruiqi1(a)huawei.com>
---
drivers/of/device.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/of/device.c b/drivers/of/device.c
index 566d8af05157..65235ff63c5d 100644
--- a/drivers/of/device.c
+++ b/drivers/of/device.c
@@ -225,14 +225,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len
csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T',
dev->of_node->type);
tsize = csize;
+ if (csize >= len)
+ csize = len > 0 ? len - 1 : 0;
len -= csize;
- if (str)
- str += csize;
+ str += csize;
of_property_for_each_string(dev->of_node, "compatible", p, compat) {
csize = strlen(compat) + 1;
tsize += csize;
- if (csize > len)
+ if (csize >= len)
continue;
csize = snprintf(str, len, "C%s", compat);
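Review bot: the new "csize >= len" clamp runs only after the first snprintf(str, len, ...) has already been handed len, and the signature in the hunk header declares len as a signed ssize_t. A negative len from a caller therefore still reaches snprintf() as a size before any check. Consider rejecting len < 0 at the top of of_device_get_modalias() so the clamp only has to deal with a short buffer.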
--
2.25.1
From: Junhao He <hejunhao3(a)huawei.com>
mainline inclusion
from mainline-v6.10-rc1
commit 77fce82678ea5fd51442e62febec2004f79e041b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S7E
CVE: CVE-2024-38569
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The perf tool allows users to create event groups through the following
cmd [1], but the driver does not check whether the array index is out of
bounds when writing data to the event_group array. If the number of events
in an event_group is greater than HISI_PCIE_MAX_COUNTERS, a memory write
overflow of the event_group array occurs.
Add an array index check to fix the possible array out of bounds violation,
and return directly when new events are written to array bounds.
There are 9 different events in an event_group.
[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}'
Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU")
Signed-off-by: Junhao He <hejunhao3(a)huawei.com>
Reviewed-by: Jijie Shao <shaojijie(a)huawei.com>
Acked-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com>
Link: https://lore.kernel.org/r/20240425124627.13764-2-hejunhao3@huawei.com
Signed-off-by: Will Deacon <will(a)kernel.org>
Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com>
---
drivers/perf/hisilicon/hisi_pcie_pmu.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c
index 26a63e7539c0..4018bdca0a36 100644
--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c
+++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c
@@ -356,15 +356,27 @@ static bool hisi_pcie_pmu_validate_event_group(struct perf_event *event)
return false;
for (num = 0; num < counters; num++) {
+ /*
+ * If we find a related event, then it's a valid group
+ * since we don't need to allocate a new counter for it.
+ */
if (hisi_pcie_pmu_cmp_event(event_group[num], sibling))
break;
}
+ /*
+ * Otherwise it's a new event but if there's no available counter,
+ * fail the check since we cannot schedule all the events in
+ * the group simultaneously.
+ */
+ if (num == HISI_PCIE_MAX_COUNTERS)
+ return false;
+
if (num == counters)
event_group[counters++] = sibling;
}
- return counters <= HISI_PCIE_MAX_COUNTERS;
+ return true;
}
static int hisi_pcie_pmu_event_init(struct perf_event *event)
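Review bot: the bound in "if (num == HISI_PCIE_MAX_COUNTERS)" is tied to the macro rather than to the event_group array it protects, and the array's declaration is outside this hunk. If the declaration is in scope, ARRAY_SIZE(event_group) would keep the check correct should the array size and the macro ever diverge; otherwise please say in the new comment that the array is sized by HISI_PCIE_MAX_COUNTERS.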
--
2.34.1
From: Junhao He <hejunhao3(a)huawei.com>
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The perf tool allows users to create event groups through the following
cmd [1], but the driver does not check whether the array index is out of
bounds when writing data to the event_group array. If the number of events
in an event_group is greater than HISI_PCIE_MAX_COUNTERS, a memory write
overflow of the event_group array occurs.
Add an array index check to fix the possible array out of bounds violation,
and return directly when new events are written to array bounds.
There are 9 different events in an event_group.
[1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}'
Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU")
Signed-off-by: Junhao He <hejunhao3(a)huawei.com>
Reviewed-by: Jijie Shao <shaojijie(a)huawei.com>
Acked-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com>
Link: https://lore.kernel.org/r/20240425124627.13764-2-hejunhao3@huawei.com
Signed-off-by: Will Deacon <will(a)kernel.org>
Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com>
---
drivers/perf/hisilicon/hisi_pcie_pmu.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c
index 26a63e7539c0..4018bdca0a36 100644
--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c
+++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c
@@ -356,15 +356,27 @@ static bool hisi_pcie_pmu_validate_event_group(struct perf_event *event)
return false;
for (num = 0; num < counters; num++) {
+ /*
+ * If we find a related event, then it's a valid group
+ * since we don't need to allocate a new counter for it.
+ */
if (hisi_pcie_pmu_cmp_event(event_group[num], sibling))
break;
}
+ /*
+ * Otherwise it's a new event but if there's no available counter,
+ * fail the check since we cannot schedule all the events in
+ * the group simultaneously.
+ */
+ if (num == HISI_PCIE_MAX_COUNTERS)
+ return false;
+
if (num == counters)
event_group[counters++] = sibling;
}
- return counters <= HISI_PCIE_MAX_COUNTERS;
+ return true;
}
static int hisi_pcie_pmu_event_init(struct perf_event *event)
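Review bot: the first added comment, inside the for loop, says that finding a related event makes it "a valid group", but at that point only the current sibling has been matched and a later sibling can still fail the check. Please reword it to say that this sibling shares an already-counted event and needs no new slot, so that the final "return true;" is the only place that declares the whole group valid.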
--
2.34.1
From: Justin Green <greenjustin(a)chromium.org>
mainline inclusion
from mainline-v6.10-rc1
commit 1e4350095e8ab2577ee05f8c3b044e661b5af9a0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S8E
CVE: CVE-2024-38549
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object
of 0 bytes. Currently, no such check exists and the kernel will panic if
a userspace application attempts to allocate a 0x0 GBM buffer.
Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and
verifying that we now return EINVAL.
Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Signed-off-by: Justin Green <greenjustin(a)chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com>
Reviewed-by: CK Hu <ck.hu(a)mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20240307180051.4104425…
Signed-off-by: Chun-Kuang Hu <chunkuang.hu(a)kernel.org>
Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com>
---
drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
index 4f2e3feabc0f..1bf229615b01 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
@@ -38,6 +38,9 @@ static struct mtk_drm_gem_obj *mtk_drm_gem_init(struct drm_device *dev,
size = round_up(size, PAGE_SIZE);
+ if (size == 0)
+ return ERR_PTR(-EINVAL);
+
mtk_gem_obj = kzalloc(sizeof(*mtk_gem_obj), GFP_KERNEL);
if (!mtk_gem_obj)
return ERR_PTR(-ENOMEM);
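Review bot: the "if (size == 0)" test sits after "size = round_up(size, PAGE_SIZE);", and that ordering matters but is not documented. Placed here it rejects a literal zero request and, if size is an unsigned type, also a request large enough that rounding up wraps to 0. A short comment saying so would keep someone from moving the check above the round_up() later.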
--
2.34.1
From: Justin Green <greenjustin(a)chromium.org>
mainline inclusion
from mainline-v6.10-rc1
commit 1e4350095e8ab2577ee05f8c3b044e661b5af9a0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S8E
CVE: CVE-2024-38549
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object
of 0 bytes. Currently, no such check exists and the kernel will panic if
a userspace application attempts to allocate a 0x0 GBM buffer.
Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and
verifying that we now return EINVAL.
Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Signed-off-by: Justin Green <greenjustin(a)chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com>
Reviewed-by: CK Hu <ck.hu(a)mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20240307180051.4104425…
Signed-off-by: Chun-Kuang Hu <chunkuang.hu(a)kernel.org>
Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com>
---
drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
index 4f2e3feabc0f..1bf229615b01 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
@@ -38,6 +38,9 @@ static struct mtk_drm_gem_obj *mtk_drm_gem_init(struct drm_device *dev,
size = round_up(size, PAGE_SIZE);
+ if (size == 0)
+ return ERR_PTR(-EINVAL);
+
mtk_gem_obj = kzalloc(sizeof(*mtk_gem_obj), GFP_KERNEL);
if (!mtk_gem_obj)
return ERR_PTR(-ENOMEM);
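Review bot: the new "if (size == 0)" return carries no comment, and nothing in the hunk says which failure it prevents. The commit message explains that a 0x0 GBM buffer request from userspace panics the kernel; a one-line comment above the check naming that case would keep it from being dropped as redundant in a later cleanup. Returning before the kzalloc() is the right place, since nothing needs freeing on this path.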
--
2.34.1