August 2024 - Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS v2] orangefs: fix out-of-bounds fsid access
by Liu Shixin 13 Aug '24

13 Aug '24

From: Mike Marshall <hubcap(a)omnibond.com> stable inclusion from stable-v4.19.318 commit b90176a9553775e23966650e445b1866e62e4924 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGPSE CVE: CVE-2024-42143 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ] Arnd Bergmann sent a patch to fsdevel, he says: "orangefs_statfs() copies two consecutive fields of the superblock into the statfs structure, which triggers a warning from the string fortification helpers" Jan Kara suggested an alternate way to do the patch to make it more readable. I ran both ideas through xfstests and both seem fine. This patch is based on Jan Kara's suggestion. Signed-off-by: Mike Marshall <hubcap(a)omnibond.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- fs/orangefs/super.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c index dfaee90d30bd..3f01a1d80558 100644 --- a/fs/orangefs/super.c +++ b/fs/orangefs/super.c @@ -186,7 +186,8 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf) (long)new_op->downcall.resp.statfs.files_avail); buf->f_type = sb->s_magic; - memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid)); + buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id; + buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id; buf->f_bsize = new_op->downcall.resp.statfs.block_size; buf->f_namelen = ORANGEFS_NAME_MAX; -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] orangefs: fix out-of-bounds fsid access
by Liu Shixin 13 Aug '24

13 Aug '24

From: Mike Marshall <hubcap(a)omnibond.com> stable inclusion from stable-v4.19.318 commit b90176a9553775e23966650e445b1866e62e4924 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGPSE CVE: CVE-2024-42143 -------------------------------- [ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ] Arnd Bergmann sent a patch to fsdevel, he says: "orangefs_statfs() copies two consecutive fields of the superblock into the statfs structure, which triggers a warning from the string fortification helpers" Jan Kara suggested an alternate way to do the patch to make it more readable. I ran both ideas through xfstests and both seem fine. This patch is based on Jan Kara's suggestion. Signed-off-by: Mike Marshall <hubcap(a)omnibond.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- fs/orangefs/super.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c index dfaee90d30bd..3f01a1d80558 100644 --- a/fs/orangefs/super.c +++ b/fs/orangefs/super.c @@ -186,7 +186,8 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf) (long)new_op->downcall.resp.statfs.files_avail); buf->f_type = sb->s_magic; - memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid)); + buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id; + buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id; buf->f_bsize = new_op->downcall.resp.statfs.block_size; buf->f_namelen = ORANGEFS_NAME_MAX; -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep
by Liu Shixin 13 Aug '24

13 Aug '24

From: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> stable inclusion from stable-v4.19.317 commit b71348be1236398be2d04c5e145fd6eaae86a91b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEP0 CVE: CVE-2024-42087 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ee7860cd8b5763017f8dc785c2851fecb7a0c565 ] The ilitek-ili9881c controls the reset GPIO using the non-sleeping gpiod_set_value() function. This complains loudly when the GPIO controller needs to sleep. As the caller can sleep, use gpiod_set_value_cansleep() to fix the issue. Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Reviewed-by: Neil Armstrong <neil.armstrong(a)linaro.org> Link: https://lore.kernel.org/r/20240317154839.21260-1-laurent.pinchart@ideasonbo… Signed-off-by: Neil Armstrong <neil.armstrong(a)linaro.org> Link: https://patchwork.freedesktop.org/patch/msgid/20240317154839.21260-1-lauren… Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c index 3ad4a46c4e94..cc11cf41d392 100644 --- a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c +++ b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c @@ -307,10 +307,10 @@ static int ili9881c_prepare(struct drm_panel *panel) msleep(5); /* And reset it */ - gpiod_set_value(ctx->reset, 1); + gpiod_set_value_cansleep(ctx->reset, 1); msleep(20); - gpiod_set_value(ctx->reset, 0); + gpiod_set_value_cansleep(ctx->reset, 0); msleep(20); for (i = 0; i < ARRAY_SIZE(ili9881c_init); i++) { @@ -367,7 +367,7 @@ static int ili9881c_unprepare(struct drm_panel *panel) mipi_dsi_dcs_enter_sleep_mode(ctx->dsi); regulator_disable(ctx->power); - gpiod_set_value(ctx->reset, 1); + gpiod_set_value_cansleep(ctx->reset, 1); return 0; } -- 2.25.1

2 1

[PATCH v2 openEuler-1.0-LTS] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
by Wang Hai 13 Aug '24

13 Aug '24

From: Pablo Neira Ayuso <pablo(a)netfilter.org> stable inclusion from stable-v4.19.317 commit 40188a25a9847dbeb7ec67517174a835a677752f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEO4 CVE: CVE-2024-42070 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 7931d32955e09d0a11b1fe0b6aac1bfa061c005c ] register store validation for NFT_DATA_VALUE is conditional, however, the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This only requires a new helper function to infer the register type from the set datatype so this conditional check can be removed. Otherwise, pointer to chain object can be leaked through the registers. Fixes: 96518518cc41 ("netfilter: add nftables") Reported-by: Linus Torvalds <torvalds(a)linuxfoundation.org> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: include/net/netfilter/nf_tables.h net/netfilter/nft_lookup.c [nf_tables.h conflicts due to context, nft_lookup.c conflicts because e1c59f90e1a6 ("netfilter: nftables: add nft_parse_register_store() and use it") is not merged.] Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- v1->v2: change bugzilla include/net/netfilter/nf_tables.h | 5 +++++ net/netfilter/nf_tables_api.c | 8 ++++---- net/netfilter/nft_lookup.c | 2 +- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index ecc301ee1556..247e4637b458 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -438,6 +438,11 @@ static inline void *nft_set_priv(const struct nft_set *set) return (void *)set->data; } +static inline enum nft_data_types nft_set_datatype(const struct nft_set *set) +{ + return set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE; +} + static inline struct nft_set *nft_set_container_of(const void *priv) { return (void *)priv - offsetof(struct nft_set, data); diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 97e56cadb4bf..133cff3a3f77 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3961,8 +3961,7 @@ static int nf_tables_fill_setelem(struct sk_buff *skb, if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), - set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, - set->dlen) < 0) + nft_set_datatype(set), set->dlen) < 0) goto nla_put_failure; if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) && @@ -7174,6 +7173,9 @@ int nft_validate_register_store(const struct nft_ctx *ctx, return 0; default: + if (type != NFT_DATA_VALUE) + return -EINVAL; + if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) return -EINVAL; if (len == 0) @@ -7182,8 +7184,6 @@ int nft_validate_register_store(const struct nft_ctx *ctx, FIELD_SIZEOF(struct nft_regs, data)) return -ERANGE; - if (data != NULL && type != NFT_DATA_VALUE) - return -EINVAL; return 0; } } diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c index cb9e937a5ce0..0d7a21ec9b11 100644 --- a/net/netfilter/nft_lookup.c +++ b/net/netfilter/nft_lookup.c @@ -102,7 +102,7 @@ static int nft_lookup_init(const struct nft_ctx *ctx, priv->dreg = nft_parse_register(tb[NFTA_LOOKUP_DREG]); err = nft_validate_register_store(ctx, priv->dreg, NULL, - set->dtype, set->dlen); + nft_set_datatype(set), set->dlen); if (err < 0) return err; } else if (set->flags & NFT_SET_MAP) -- 2.17.1

2 1

[openeuler:openEuler-1.0-LTS] BUILD SUCCESS 146a244b7e1e972d9df692a65f5319a673798896
by kernel test robot 13 Aug '24

13 Aug '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: 146a244b7e1e972d9df692a65f5319a673798896 !10871 USB: serial: mos7840: fix crash on resume Warning ids grouped by kconfigs: recent_errors |-- arm64-randconfig-004-20240812 | |-- drivers-net-ethernet-cisco-enic-vnic_dev.c:warning:a0-may-be-used-uninitialized | `-- drivers-net-ethernet-cisco-enic-vnic_dev.c:warning:a1-may-be-used-uninitialized `-- x86_64-buildonly-randconfig-001-20240812 `-- mm-slab_common.o:warning:objtool:kmem_cache_create_usercopy:unreachable-instruction elapsed time: 725m configs tested: 35 configs skipped: 137 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig gcc-14.1.0 arm64 allnoconfig gcc-14.1.0 arm64 defconfig gcc-14.1.0 arm64 randconfig-001-20240812 gcc-14.1.0 arm64 randconfig-002-20240812 gcc-14.1.0 arm64 randconfig-003-20240812 gcc-14.1.0 arm64 randconfig-004-20240812 gcc-14.1.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240812 clang-18 x86_64 buildonly-randconfig-002-20240812 clang-18 x86_64 buildonly-randconfig-003-20240812 gcc-12 x86_64 buildonly-randconfig-004-20240812 clang-18 x86_64 buildonly-randconfig-005-20240812 clang-18 x86_64 buildonly-randconfig-006-20240812 clang-18 x86_64 defconfig gcc-11 x86_64 randconfig-001-20240812 clang-18 x86_64 randconfig-002-20240812 clang-18 x86_64 randconfig-003-20240812 gcc-12 x86_64 randconfig-004-20240812 gcc-12 x86_64 randconfig-005-20240812 gcc-11 x86_64 randconfig-006-20240812 clang-18 x86_64 randconfig-011-20240812 clang-18 x86_64 randconfig-012-20240812 gcc-12 x86_64 randconfig-013-20240812 clang-18 x86_64 randconfig-014-20240812 clang-18 x86_64 randconfig-015-20240812 gcc-12 x86_64 randconfig-016-20240812 gcc-12 x86_64 randconfig-071-20240812 gcc-12 x86_64 randconfig-072-20240812 gcc-12 x86_64 randconfig-073-20240812 gcc-12 x86_64 randconfig-074-20240812 clang-18 x86_64 randconfig-075-20240812 gcc-12 x86_64 randconfig-076-20240812 gcc-12 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6] BUILD REGRESSION a151658a1b2d88ae86a8611249c930100194e4d2
by kernel test robot 13 Aug '24

13 Aug '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6 branch HEAD: a151658a1b2d88ae86a8611249c930100194e4d2 !10823 mm/userfaultfd: reset ptes when close() for wr-protected ones Error/Warning ids grouped by kconfigs: recent_errors |-- arm64-allmodconfig | |-- arch-arm64-kvm-arm.c:warning:variable-r-is-used-uninitialized-whenever-if-condition-is-false | |-- arch-arm64-kvm-tmi.c:warning:no-previous-prototype-for-function-tmi_tmm_inf_test | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_create_ttt_levels | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_get_num_brps | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_get_num_wrps | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_ipa_limit | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_populate_par_region | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_supports_pmu | `-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_supports_sve |-- x86_64-buildonly-randconfig-001-20240812 | `-- kernel-sched-isolation.c:error:use-of-undeclared-identifier-setup_max_cpus |-- x86_64-buildonly-randconfig-002-20240812 | `-- kernel-sched-isolation.c:error:use-of-undeclared-identifier-setup_max_cpus `-- x86_64-buildonly-randconfig-003-20240812 `-- kernel-sched-isolation.c:error:setup_max_cpus-undeclared-(first-use-in-this-function) elapsed time: 725m configs tested: 40 configs skipped: 134 tested configs: arm64 allmodconfig clang-20 arm64 allnoconfig gcc-14.1.0 arm64 defconfig gcc-14.1.0 arm64 randconfig-001-20240812 gcc-14.1.0 arm64 randconfig-002-20240812 clang-20 arm64 randconfig-003-20240812 gcc-14.1.0 arm64 randconfig-004-20240812 clang-20 loongarch allmodconfig gcc-14.1.0 loongarch allnoconfig gcc-14.1.0 loongarch defconfig gcc-14.1.0 loongarch randconfig-001-20240812 gcc-14.1.0 loongarch randconfig-002-20240812 gcc-14.1.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240812 clang-18 x86_64 buildonly-randconfig-002-20240812 clang-18 x86_64 buildonly-randconfig-003-20240812 gcc-12 x86_64 buildonly-randconfig-004-20240812 clang-18 x86_64 buildonly-randconfig-005-20240812 clang-18 x86_64 buildonly-randconfig-006-20240812 clang-18 x86_64 defconfig gcc-11 x86_64 randconfig-001-20240812 clang-18 x86_64 randconfig-002-20240812 clang-18 x86_64 randconfig-003-20240812 gcc-12 x86_64 randconfig-004-20240812 gcc-12 x86_64 randconfig-005-20240812 gcc-11 x86_64 randconfig-006-20240812 clang-18 x86_64 randconfig-011-20240812 clang-18 x86_64 randconfig-012-20240812 gcc-12 x86_64 randconfig-013-20240812 clang-18 x86_64 randconfig-014-20240812 clang-18 x86_64 randconfig-015-20240812 gcc-12 x86_64 randconfig-016-20240812 gcc-12 x86_64 randconfig-071-20240812 gcc-12 x86_64 randconfig-072-20240812 gcc-12 x86_64 randconfig-073-20240812 gcc-12 x86_64 randconfig-074-20240812 clang-18 x86_64 randconfig-075-20240812 gcc-12 x86_64 randconfig-076-20240812 gcc-12 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] crypto: aead,cipher - zeroize key buffer after use
by Yi Yang 12 Aug '24

12 Aug '24

From: Hailey Mothershead <hailmo(a)amazon.com> mainline inclusion from mainline-v6.10-rc1 commit 23e4099bdc3c8381992f9eb975c79196d6755210 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAHJG9 CVE: CVE-2024-42229 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key. Signed-off-by: Hailey Mothershead <hailmo(a)amazon.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Conflicts: crypto/aead.c crypto/cipher.c [Use kzfree instead of kfree_sensitive because commit 453431a54934 ("mm, treewide: rename kzfree() to kfree_sensitive()") not merged] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- crypto/aead.c | 3 +-- crypto/cipher.c | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/crypto/aead.c b/crypto/aead.c index 9688ada13981..f8b2cd0567f1 100644 --- a/crypto/aead.c +++ b/crypto/aead.c @@ -45,8 +45,7 @@ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key, alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); memcpy(alignbuffer, key, keylen); ret = crypto_aead_alg(tfm)->setkey(tfm, alignbuffer, keylen); - memset(alignbuffer, 0, keylen); - kfree(buffer); + kzfree(buffer); return ret; } diff --git a/crypto/cipher.c b/crypto/cipher.c index 57836c30a49a..3d3fa8d0d533 100644 --- a/crypto/cipher.c +++ b/crypto/cipher.c @@ -38,8 +38,7 @@ static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key, alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); memcpy(alignbuffer, key, keylen); ret = cia->cia_setkey(tfm, alignbuffer, keylen); - memset(alignbuffer, 0, keylen); - kfree(buffer); + kzfree(buffer); return ret; } -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS 0/1] CVE-2024-42105
by Chen Ridong 12 Aug '24

12 Aug '24

*** BLURB HERE *** Ryusuke Konishi (1): nilfs2: fix inode number range checks fs/nilfs2/nilfs.h | 5 +++-- fs/nilfs2/the_nilfs.c | 6 ++++++ fs/nilfs2/the_nilfs.h | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) -- 2.34.1

2 2

[PATCH openEuler-1.0-LTS] crypto: aead,cipher - zeroize key buffer after use
by Yi Yang 12 Aug '24

12 Aug '24

From: Hailey Mothershead <hailmo(a)amazon.com> mainline inclusion from mainline-v6.10-rc1 commit 23e4099bdc3c8381992f9eb975c79196d6755210 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAHJG9 CVE: CVE-2024-42229 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key. Signed-off-by: Hailey Mothershead <hailmo(a)amazon.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Conflicts: crypto/cipher.c [Use kzfree instead of kfree_sensitive because commit 453431a54934 ("mm, treewide: rename kzfree() to kfree_sensitive()") not merged] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- crypto/aead.c | 3 +-- crypto/cipher.c | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/crypto/aead.c b/crypto/aead.c index 9688ada13981..f8b2cd0567f1 100644 --- a/crypto/aead.c +++ b/crypto/aead.c @@ -45,8 +45,7 @@ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key, alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); memcpy(alignbuffer, key, keylen); ret = crypto_aead_alg(tfm)->setkey(tfm, alignbuffer, keylen); - memset(alignbuffer, 0, keylen); - kfree(buffer); + kzfree(buffer); return ret; } diff --git a/crypto/cipher.c b/crypto/cipher.c index 57836c30a49a..3d3fa8d0d533 100644 --- a/crypto/cipher.c +++ b/crypto/cipher.c @@ -38,8 +38,7 @@ static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key, alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); memcpy(alignbuffer, key, keylen); ret = cia->cia_setkey(tfm, alignbuffer, keylen); - memset(alignbuffer, 0, keylen); - kfree(buffer); + kzfree(buffer); return ret; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] s390/pkey: Wipe copies of clear-key structures on failure
by Li Huafei 12 Aug '24

12 Aug '24

From: Holger Dengler <dengler(a)linux.ibm.com> mainline inclusion from mainline-v6.10-rc1 commit d65d76a44ffe74c73298ada25b0f578680576073 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAH6LY CVE: CVE-2024-42156 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key. Reviewed-by: Harald Freudenberger <freude(a)linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki(a)linux.ibm.com> Acked-by: Heiko Carstens <hca(a)linux.ibm.com> Signed-off-by: Holger Dengler <dengler(a)linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Conflicts: drivers/s390/crypto/pkey_api.c [ Resolved context conflict due to commit 6d749b4e0208 ("s390/pkey: introduce dynamic debugging for pkey") not backport. ] Signed-off-by: Li Huafei <lihuafei1(a)huawei.com> --- drivers/s390/crypto/pkey_api.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c index eccee7cabf18..2cdfc83a1f82 100644 --- a/drivers/s390/crypto/pkey_api.c +++ b/drivers/s390/crypto/pkey_api.c @@ -1151,10 +1151,8 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, rc = cca_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype, kcs.clrkey.clrkey, kcs.seckey.seckey); DEBUG_DBG("%s cca_clr2seckey()=%d\n", __func__, rc); - if (rc) - break; - if (copy_to_user(ucs, &kcs, sizeof(kcs))) - rc = -EFAULT; + if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs))) + return -EFAULT; memzero_explicit(&kcs, sizeof(kcs)); break; } @@ -1182,10 +1180,8 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, rc = pkey_clr2protkey(kcp.keytype, &kcp.clrkey, &kcp.protkey); DEBUG_DBG("%s pkey_clr2protkey()=%d\n", __func__, rc); - if (rc) - break; - if (copy_to_user(ucp, &kcp, sizeof(kcp))) - rc = -EFAULT; + if (!rc && copy_to_user(ucp, &kcp, sizeof(kcp))) + return -EFAULT; memzero_explicit(&kcp, sizeof(kcp)); break; } @@ -1325,11 +1321,14 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, if (copy_from_user(&kcs, ucs, sizeof(kcs))) return -EFAULT; apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries); - if (IS_ERR(apqns)) + if (IS_ERR(apqns)) { + memzero_explicit(&kcs, sizeof(kcs)); return PTR_ERR(apqns); + } kkey = kmalloc(klen, GFP_KERNEL); if (!kkey) { kfree(apqns); + memzero_explicit(&kcs, sizeof(kcs)); return -ENOMEM; } rc = pkey_clr2seckey2(apqns, kcs.apqn_entries, @@ -1339,15 +1338,18 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, kfree(apqns); if (rc) { kfree_sensitive(kkey); + memzero_explicit(&kcs, sizeof(kcs)); break; } if (kcs.key) { if (kcs.keylen < klen) { kfree_sensitive(kkey); + memzero_explicit(&kcs, sizeof(kcs)); return -EINVAL; } if (copy_to_user(kcs.key, kkey, klen)) { kfree_sensitive(kkey); + memzero_explicit(&kcs, sizeof(kcs)); return -EFAULT; } } -- 2.25.1

2 1

2024

2023

2022

2021

2020

2019

Kernel August 2024