From: Eduard Zingerman <eddyz87(a)gmail.com>
stable inclusion
from stable-v6.6.54
commit 2288b54b96dcb55bedebcef3572bb8821fc5e708
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQR6
CVE: CVE-2024-49850
[ Upstream commit 3d2786d65aaa954ebd3fcc033ada433e10da21c4 ]
In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL
referencing a non-existing BTF type, function bpf_core_calc_relo_insn
would cause a null pointer dereference.
Fix this by adding a proper check higher up in the call stack, as malformed
relocation records could be passed from user space.
Simplest reproducer is a program:
r0 = 0
exit
With a single relocation record:
.insn_off = 0, /* patch first instruction */
.type_id = 100500, /* this type id does not exist */
.access_str_off = 6, /* offset of string "0" */
.kind = BPF_CORE_TYPE_ID_LOCAL,
See the link for original reproducer or next commit for a test case.
Fixes: 74753e1462e7 ("libbpf: Replace btf__type_by_id() with btf_type_by_id().")
Reported-by: Liu RuiTong <cnitlrt(a)gmail.com>
Closes: https://lore.kernel.org/bpf/CAK55_s6do7C+DVwbwY_7nKfUz0YLDoiA1v6X3Y9+p0sWzi…
Acked-by: Andrii Nakryiko <andrii(a)kernel.org>
Signed-off-by: Eduard Zingerman <eddyz87(a)gmail.com>
Link: https://lore.kernel.org/r/20240822080124.2995724-2-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com>
---
kernel/bpf/btf.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 7ac62793a753..01303bb8ee29 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -8419,6 +8419,7 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo,
struct bpf_core_cand_list cands = {};
struct bpf_core_relo_res targ_res;
struct bpf_core_spec *specs;
+ const struct btf_type *type;
int err;
/* ~4k of temp memory necessary to convert LLVM spec like "0:1:0:5"
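Review bot: the new local `type` is, as far as the second hunk shows, only ever tested for NULL and never read, so the declaration here is surplus to the fix; `if (!btf_type_by_id(ctx->btf, relo->type_id))` in the check would do without it. Style point only; keep the local if a follow-up change is going to use the type.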
@@ -8428,6 +8429,13 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo,
if (!specs)
return -ENOMEM;
+ type = btf_type_by_id(ctx->btf, relo->type_id);
+ if (!type) {
+ bpf_log(ctx->log, "relo #%u: bad type id %u\n",
+ relo_idx, relo->type_id);
+ return -EINVAL;
+ }
+
if (need_cands) {
struct bpf_cand_cache *cc;
int i;
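Review bot: the early `return -EINVAL` leaks `specs`. The buffer whose allocation is checked just above (`if (!specs) return -ENOMEM;`) is owned by this function and released on its normal exit path, and the new bad-id return skips that release. Either move the `btf_type_by_id()` check above the allocation, so the malformed-record path returns before anything is allocated, or `kfree(specs)` before `return -EINVAL`. The check itself is in the right place: relocation records arrive from user space, so the entry point of bpf_core_apply() is where they must be validated rather than deep in bpf_core_calc_relo_insn().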
--
2.34.1
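The ordering the patch above establishes, validating a user-supplied BTF type id at the entry point before any deeper code dereferences the lookup result, as an added example that is not kernel code and not part of this patch. The `struct btf`, `btf_type_by_id()`, `calc_relo_insn()` and `core_apply_*()` below are simplified stand-ins for the kernel's `struct btf`, `btf_type_by_id()`, `bpf_core_calc_relo_insn()` and `bpf_core_apply()`; the sample type table and the two relocation records are constructed here (the bad one reuses the `type_id = 100500` from the reproducer). `BPF_CORE_TYPE_ID_LOCAL` and the BTF kind encoding match the uapi definitions.

```c
#include <errno.h>
#include <stdio.h>
#include <stddef.h>

/* Constants match the uapi BTF / bpf_core_relo_kind definitions. */
#define BTF_KIND_UNKN   0
#define BTF_KIND_INT    1
#define BTF_KIND_STRUCT 4
#define BTF_INFO_KIND(info) (((info) >> 24) & 0x1f)
#define BPF_CORE_TYPE_ID_LOCAL 6

struct btf_type { unsigned int name_off; unsigned int info; unsigned int size; };

/* Simplified stand-in for the kernel's struct btf: an array of types
 * indexed by id, with id 0 being void. */
struct btf { const struct btf_type *types; unsigned int nr_types; };

struct bpf_core_relo { unsigned int insn_off, type_id, access_str_off, kind; };

/* Same contract as the kernel helper: NULL for an id outside the table. */
static const struct btf_type *btf_type_by_id(const struct btf *btf, unsigned int id)
{
    return id < btf->nr_types ? &btf->types[id] : NULL;
}

/* Stand-in for bpf_core_calc_relo_insn(): it trusts relo->type_id and reads
 * the root type's kind unconditionally, so a NULL lookup is dereferenced. */
static int calc_relo_insn(const struct btf *btf, const struct bpf_core_relo *relo,
                          unsigned int *patched_imm)
{
    const struct btf_type *t = btf_type_by_id(btf, relo->type_id);

    if (BTF_INFO_KIND(t->info) == BTF_KIND_UNKN)   /* crash site for a bad id */
        return -EINVAL;                            /* cannot relocate against void */
    if (relo->kind != BPF_CORE_TYPE_ID_LOCAL)
        return -EOPNOTSUPP;                        /* other kinds not modelled */
    *patched_imm = relo->type_id;                  /* TYPE_ID_LOCAL patches imm with the id */
    return 0;
}

/* Pre-fix shape of bpf_core_apply(): user data is passed straight down. */
static int core_apply_unchecked(const struct btf *btf, const struct bpf_core_relo *relo,
                                unsigned int *patched_imm)
{
    return calc_relo_insn(btf, relo, patched_imm);
}

/* Post-fix shape: reject the id where user input enters, before any
 * deeper code can dereference the lookup result. */
static int core_apply_checked(const struct btf *btf, const struct bpf_core_relo *relo,
                              unsigned int relo_idx, unsigned int *patched_imm)
{
    if (!btf_type_by_id(btf, relo->type_id)) {
        fprintf(stderr, "relo #%u: bad type id %u\n", relo_idx, relo->type_id);
        return -EINVAL;
    }
    return calc_relo_insn(btf, relo, patched_imm);
}

/* Constructed sample BTF: void, a 4-byte int and an 8-byte struct (ids 0-2). */
static const struct btf_type sample_types[] = {
    { 0, BTF_KIND_UNKN << 24,   0 },
    { 1, BTF_KIND_INT << 24,    4 },
    { 5, BTF_KIND_STRUCT << 24, 8 },
};
static const struct btf sample_btf = { sample_types, 3 };

/* The record from the commit message: id 100500 does not exist. */
static const struct bpf_core_relo bad_relo  = { 0, 100500, 6, BPF_CORE_TYPE_ID_LOCAL };
static const struct bpf_core_relo good_relo = { 0, 2,      6, BPF_CORE_TYPE_ID_LOCAL };

int main(void)
{
    unsigned int imm = 0;
    int err;

    err = core_apply_checked(&sample_btf, &bad_relo, 0, &imm);
    printf("checked, bad id  -> %d (-EINVAL, nothing dereferenced)\n", err);
    err = core_apply_checked(&sample_btf, &good_relo, 0, &imm);
    printf("checked, good id -> %d, imm=%u\n", err, imm);
    /* core_apply_unchecked(&sample_btf, &bad_relo, &imm) would fault on NULL. */
    return 0;
}
```

The point to take from the model is where the check lives: `calc_relo_insn()` keeps its "caller validated the id" contract, as the kernel's bpf_core_calc_relo_insn() does, and the single check at the entry point is what makes that contract true for records that came from user space.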
From: "GONG, Ruiqi" <gongruiqi1(a)huawei.com>
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4MYYH
CVE: NA
----------------------------------------
Commit 328e64817efe ("kabi: reserve space for cred and user_namespace"),
besides reserving space for struct cred and struct user_namespace, adds
new members to enum ucount_type and struct ctl_table user_table[] as
well. Use CONFIG_KABI_RESERVE to control them.
Signed-off-by: GONG, Ruiqi <gongruiqi1(a)huawei.com>
---
include/linux/user_namespace.h | 2 ++
kernel/ucount.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index f79abb16a874..6bdd18062ee0 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -51,6 +51,7 @@ enum ucount_type {
UCOUNT_INOTIFY_INSTANCES,
UCOUNT_INOTIFY_WATCHES,
#endif
+#ifdef CONFIG_KABI_RESERVE
/* These 15 members are reserved (with extra margin) for the future
* enlargement of enum ucount_type, as how RH8.1 did it. This number
* should be enough, as 6 of them are very likely to be used in the near
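Review bot: putting the reserved enumerators under CONFIG_KABI_RESERVE makes the value of UCOUNT_COUNTS config-dependent, and the sysctl table in kernel/ucount.c must then carry exactly the same number of placeholder entries under the same guard. Since the table has one entry per ucount_type value plus the terminator, a compile-time check such as BUILD_BUG_ON(ARRAY_SIZE(user_table) != UCOUNT_COUNTS + 1) next to the table would turn a future mismatch into a build failure instead of sysctl entries silently indexing the wrong counter.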
@@ -71,6 +72,7 @@ enum ucount_type {
UCOUNT_KABI_RESERVE13,
UCOUNT_KABI_RESERVE14,
UCOUNT_KABI_RESERVE15,
+#endif
UCOUNT_COUNTS,
};
diff --git a/kernel/ucount.c b/kernel/ucount.c
index 1f5825b674d8..093b2fa76385 100644
--- a/kernel/ucount.c
+++ b/kernel/ucount.c
@@ -77,6 +77,7 @@ static struct ctl_table user_table[] = {
UCOUNT_ENTRY("max_inotify_instances"),
UCOUNT_ENTRY("max_inotify_watches"),
#endif
+#ifdef CONFIG_KABI_RESERVE
/* These corresponds to the reservation in enum ucount_type */
{ }, // UCOUNT_KABI_RESERVE1
{ }, // UCOUNT_KABI_RESERVE2
@@ -93,6 +94,7 @@ static struct ctl_table user_table[] = {
{ }, // UCOUNT_KABI_RESERVE13
{ }, // UCOUNT_KABI_RESERVE14
{ }, // UCOUNT_KABI_RESERVE15
+#endif
{ }
};
#endif /* CONFIG_SYSCTL */
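Review bot: the 15 placeholder `{ }` entries are all-zero entries, and in this tree an entry with a NULL procname ends the ctl_table walk at registration, so the table is effectively terminated at `UCOUNT_KABI_RESERVE1` whether or not CONFIG_KABI_RESERVE is set. That is harmless today because nothing follows them but the real terminator, yet any real sysctl added inside the #ifdef after them would never be registered. Worth a comment on that next to the placeholders (and the existing comment should read "These correspond", not "These corresponds").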
--
2.25.1
From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com>
mainline inclusion
from mainline-v6.12-rc1
commit ac2140449184a26eac99585b7f69814bd3ba8f2d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRAX
CVE: CVE-2024-49918
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
This commit addresses a potential null pointer dereference issue in the
`dcn32_acquire_idle_pipe_for_head_pipe_in_layer` function. The issue
could occur when `head_pipe` is null.
The fix adds a check to ensure `head_pipe` is not null before asserting
it. If `head_pipe` is null, the function returns NULL to prevent a
potential null pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn32/dcn32_resource.c:2690 dcn32_acquire_idle_pipe_for_head_pipe_in_layer() error: we previously assumed 'head_pipe' could be null (see line 2681)
Cc: Tom Chung <chiahsuan.chung(a)amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com>
Cc: Roman Li <roman.li(a)amd.com>
Cc: Alex Hung <alex.hung(a)amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com>
Cc: Harry Wentland <harry.wentland(a)amd.com>
Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com>
Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
Conflicts:
drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c
drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c
[ Resolve the conflict caused by renaming files in the commit
8b8eed05a1c6 ('drm/amd/display: Refactor resource into component
directory'). ]
Signed-off-by: Li Huafei <lihuafei1(a)huawei.com>
---
drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c
index 4d4ff13a2af8..d96c1d953593 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c
@@ -2642,8 +2642,10 @@ static struct pipe_ctx *dcn32_acquire_idle_pipe_for_head_pipe_in_layer(
struct resource_context *old_ctx = &stream->ctx->dc->current_state->res_ctx;
int head_index;
- if (!head_pipe)
+ if (!head_pipe) {
ASSERT(0);
+ return NULL;
+ }
/*
* Modified from dcn20_acquire_idle_pipe_for_layer
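Review bot: `ASSERT(0)` plus `return NULL` is the right shape, since ASSERT does not stop execution and the previous code carried on to dereference `head_pipe`; `ASSERT(head_pipe)` on its own would not have closed the report. The remaining question for the reviewer is whether every caller handles a NULL return: an acquire-idle-pipe helper already returns NULL when no pipe is free, so callers should cope, but the smatch report only covers the dereference at line 2690, not the call sites. Worth confirming before merge.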
--
2.25.1