From: "Luis Henriques (SUSE)" <luis.henriques(a)linux.dev>
mainline inclusion
from mainline-v6.11-rc1
commit 907c3fe532253a6ef4eb9c4d67efb71fab58c706
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ7X
CVE: CVE-2024-43828
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
When doing fast_commit replay an infinite loop may occur due to an
uninitialized extent_status struct. ext4_ext_determine_insert_hole() does
not detect the replay and calls ext4_es_find_extent_range(), which will
return immediately without initializing the 'es' variable.
Because 'es' contains garbage, an integer overflow may happen causing an
infinite loop in this function, easily reproducible using fstest generic/039.
This commit fixes this issue by unconditionally initializing the structure
in function ext4_es_find_extent_range().
Thanks to Zhang Yi, for figuring out the real problem!
Fixes: 8016e29f4362 ("ext4: fast commit recovery path")
Signed-off-by: Luis Henriques (SUSE) <luis.henriques(a)linux.dev>
Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com>
Link: https://patch.msgid.link/20240515082857.32730-1-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso(a)mit.edu>
Signed-off-by: Zhihao Cheng <chengzhihao(a)huaweicloud.com>
---
fs/ext4/extents_status.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
index dd679014db98..1b4f07949136 100644
--- a/fs/ext4/extents_status.c
+++ b/fs/ext4/extents_status.c
@@ -311,6 +311,8 @@ void ext4_es_find_extent_range(struct inode *inode,
ext4_lblk_t lblk, ext4_lblk_t end,
struct extent_status *es)
{
+ es->es_lblk = es->es_len = es->es_pblk = 0;
+
if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY)
return;
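Review bot: the zeroing sits above the EXT4_FC_REPLAY early return, which is the whole fix: on the replay path 'es' now comes back with es_len == 0 instead of whatever the caller left on its stack, so the overflow in ext4_ext_determine_insert_hole() described in the commit message cannot occur. The initializer only clears es_lblk, es_len and es_pblk, though; if struct extent_status ever gains another member that callers inspect, this line silently becomes incomplete, so either use memset(es, 0, sizeof(*es)) or add a one-line comment stating that es_len == 0 is the "nothing found" value the replay path relies on.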
--
2.31.1
From: "Luis Henriques (SUSE)" <luis.henriques(a)linux.dev>
mainline inclusion
from mainline-v6.11-rc1
commit 907c3fe532253a6ef4eb9c4d67efb71fab58c706
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ7X
CVE: CVE-2024-43828
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
When doing fast_commit replay an infinite loop may occur due to an
uninitialized extent_status struct. ext4_ext_determine_insert_hole() does
not detect the replay and calls ext4_es_find_extent_range(), which will
return immediately without initializing the 'es' variable.
Because 'es' contains garbage, an integer overflow may happen causing an
infinite loop in this function, easily reproducible using fstest generic/039.
This commit fixes this issue by unconditionally initializing the structure
in function ext4_es_find_extent_range().
Thanks to Zhang Yi, for figuring out the real problem!
Fixes: 8016e29f4362 ("ext4: fast commit recovery path")
Signed-off-by: Luis Henriques (SUSE) <luis.henriques(a)linux.dev>
Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com>
Link: https://patch.msgid.link/20240515082857.32730-1-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso(a)mit.edu>
Signed-off-by: Zhihao Cheng <chengzhihao(a)huaweicloud.com>
---
fs/ext4/extents_status.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
index 783f6205cc9f..cf6e1e001ac7 100644
--- a/fs/ext4/extents_status.c
+++ b/fs/ext4/extents_status.c
@@ -311,6 +311,8 @@ void ext4_es_find_extent_range(struct inode *inode,
ext4_lblk_t lblk, ext4_lblk_t end,
struct extent_status *es)
{
+ es->es_lblk = es->es_len = es->es_pblk = 0;
+
if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY)
return;
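Review bot: this is the same hunk as the posting above against a different base (index 783f6205cc9f..cf6e1e001ac7 versus dd679014db98..1b4f07949136) with identical line numbers and context, so the same point applies: the assignment covers only the three named fields and a memset(es, 0, sizeof(*es)) would survive future additions to struct extent_status. Neither mail says which branch it targets; the subject or a cover line should name the tree so the two backports are not applied to the wrong one.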
--
2.31.1
From: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org>
mainline inclusion
from mainline-v6.11-rc1
commit 5a5095a8bd1bd349cce1c879e5e44407a34dda8a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ5P
CVE: CVE-2024-43824
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
Instead of getting the epc_features from pci_epc_get_features() API, use
the cached pci_epf_test::epc_features value to avoid the NULL check. Since
the NULL check is already performed in pci_epf_test_bind(), having one more
check in pci_epf_test_core_init() is redundant and it is not possible to
hit the NULL pointer dereference.
Also with commit a01e7214bef9 ("PCI: endpoint: Remove "core_init_notifier"
flag"), 'epc_features' got dereferenced without the NULL check, leading to
the following false positive Smatch warning:
drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747)
Thus, remove the redundant NULL check and also use the epc_features::
{msix_capable/msi_capable} flags directly to avoid local variables.
[kwilczynski: commit log]
Fixes: 5e50ee27d4a5 ("PCI: pci-epf-test: Add support to defer core initialization")
Closes: https://lore.kernel.org/linux-pci/024b5826-7180-4076-ae08-57d2584cca3f@moro…
Link: https://lore.kernel.org/linux-pci/20240418-pci-epf-test-fix-v2-1-eacd548314…
Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org>
Signed-off-by: Krzysztof Wilczyński <kwilczynski(a)kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com>
Reviewed-by: Frank Li <Frank.Li(a)nxp.com>
Reviewed-by: Niklas Cassel <cassel(a)kernel.org>
Conflicts:
drivers/pci/endpoint/functions/pci-epf-test.c
[context conflicts]
Signed-off-by: liwei <liwei728(a)huawei.com>
---
drivers/pci/endpoint/functions/pci-epf-test.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c
index ef52f5097eb3..219ac744275d 100644
--- a/drivers/pci/endpoint/functions/pci-epf-test.c
+++ b/drivers/pci/endpoint/functions/pci-epf-test.c
@@ -674,19 +674,11 @@ static int pci_epf_test_core_init(struct pci_epf *epf)
{
struct pci_epf_test *epf_test = epf_get_drvdata(epf);
struct pci_epf_header *header = epf->header;
- const struct pci_epc_features *epc_features;
+ const struct pci_epc_features *epc_features = epf_test->epc_features;
struct pci_epc *epc = epf->epc;
struct device *dev = &epf->dev;
- bool msix_capable = false;
- bool msi_capable = true;
int ret;
- epc_features = pci_epc_get_features(epc, epf->func_no);
- if (epc_features) {
- msix_capable = epc_features->msix_capable;
- msi_capable = epc_features->msi_capable;
- }
-
ret = pci_epc_write_header(epc, epf->func_no, header);
if (ret) {
dev_err(dev, "Configuration header write failed\n");
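Review bot: removing the `if (epc_features)` guard together with the `msi_capable = true` / `msix_capable = false` defaults makes `epf_test->epc_features` a hard requirement of pci_epf_test_core_init(). The commit message says pci_epf_test_bind() already rejects a NULL value, but that invariant is not visible at this call site, so a short comment on the new initializer (`const struct pci_epc_features *epc_features = epf_test->epc_features;`) noting that bind() guarantees it is non-NULL would help. Given the "[context conflicts]" note on this backport, it is also worth confirming that this branch's pci_epf_test_bind() really caches the pointer before core_init can run, otherwise the false-positive Smatch warning becomes a real dereference.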
@@ -697,7 +689,7 @@ static int pci_epf_test_core_init(struct pci_epf *epf)
if (ret)
return ret;
- if (msi_capable) {
+ if (epc_features->msi_capable) {
ret = pci_epc_set_msi(epc, epf->func_no, epf->msi_interrupts);
if (ret) {
dev_err(dev, "MSI configuration failed\n");
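Review bot: the old code defaulted msi_capable to true, so MSI was configured whenever no features were reported; after this hunk `epc_features->msi_capable` alone decides it. For a controller that does supply features the result is identical, so this is only a behaviour change in the NULL case the commit message says cannot happen; stating in the commit log that the MSI path is now strictly feature-gated would make that explicit for anyone bisecting a controller that stops getting pci_epc_set_msi().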
@@ -705,7 +697,7 @@ static int pci_epf_test_core_init(struct pci_epf *epf)
}
}
- if (msix_capable) {
+ if (epc_features->msix_capable) {
ret = pci_epc_set_msix(epc, epf->func_no, epf->msix_interrupts,
epf_test->test_reg_bar,
epf_test->msix_table_offset);
--
2.25.1
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: 063fb5b67877d27a0adebef0dd88bab842d8de07
commit: 3ad98583441f7c8a2553e1e8d6340ed4397033e2 [13311/13455] crypto: tdm: Support dynamic protection for SCT and IDT by HYGON TDM
config: x86_64-randconfig-004-20240819 (https://download.01.org/0day-ci/archive/20240820/202408200300.4dy9MKnd-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240820/202408200300.4dy9MKnd-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408200300.4dy9MKnd-lkp@intel.com/
All errors (new ones prefixed by >>):
drivers/crypto/ccp/hygon/tdm-kernel-guard.c:151:5: warning: no previous prototype for 'tdm_service_run' [-Wmissing-prototypes]
151 | int tdm_service_run(struct tdm_security_enhance *data)
| ^~~~~~~~~~~~~~~
drivers/crypto/ccp/hygon/tdm-kernel-guard.c:212:5: warning: no previous prototype for 'tdm_service_exit' [-Wmissing-prototypes]
212 | int tdm_service_exit(struct tdm_security_enhance *data)
| ^~~~~~~~~~~~~~~~
drivers/crypto/ccp/hygon/tdm-kernel-guard.c:243:15: warning: no previous prototype for 'kprobe_symbol_address_byname' [-Wmissing-prototypes]
243 | unsigned long kprobe_symbol_address_byname(const char *name)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/crypto/ccp/hygon/tdm-kernel-guard.c: In function 'kernel_security_enhance_init':
>> drivers/crypto/ccp/hygon/tdm-kernel-guard.c:308:37: error: 'NR_syscalls' undeclared (first use in this function); did you mean 'si_syscall'?
308 | eh_objs[SCT].size = NR_syscalls * sizeof(char *);
| ^~~~~~~~~~~
| si_syscall
drivers/crypto/ccp/hygon/tdm-kernel-guard.c:308:37: note: each undeclared identifier is reported only once for each function it appears in
Kconfig warnings: (for reference only)
WARNING: unmet direct dependencies detected for ACPI_HOTPLUG_IGNORE_OSC
Depends on [n]: ACPI [=y] && ACPI_HOTPLUG_CPU [=n]
Selected by [y]:
- X86 [=y] && ACPI [=y] && HOTPLUG_CPU [=y]
vim +308 drivers/crypto/ccp/hygon/tdm-kernel-guard.c
286
287 sct_addr = (unsigned long *)kallsyms_lookup_name("sys_call_table");
288 #endif
289 if (!sct_addr) {
290 ret = -DYN_ERR_API;
291 pr_err("kallsyms_lookup_name for sys_call_table failed!");
292 goto end;
293 }
294
295 asm("sidt %0":"=m"(idtr));
296
297 if (!psp_check_tdm_support())
298 return 0;
299
300 for (i = 0; i < MAX_OBJ; i++) {
301 memset(&eh_objs[i], 0, sizeof(eh_objs[i]));
302 eh_objs[i].context = CONTEXT_CHECK_MODNAME;
303 eh_objs[i].obj_name = obj_names[i];
304 }
305
306 if ((eh_obj == -1) || (eh_obj & (1 << SCT))) {
307 eh_objs[SCT].vaddr = (uint64_t)sct_addr;
> 308 eh_objs[SCT].size = NR_syscalls * sizeof(char *);
309 }
310 if ((eh_obj == -1) || (eh_obj & (1 << IDT))) {
311 eh_objs[IDT].vaddr = idtr.address;
312 eh_objs[IDT].size = idtr.size;
313 }
314
315 for (i = 0; i < MAX_OBJ; i++) {
316 if (eh_objs[i].vaddr)
317 tdm_service_run(&eh_objs[i]);
318 }
319
320 pr_info("Hygon TDM guard load successfully!\n");
321
322 end:
323 return ret;
324 }
325
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki