- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6 0/6] Fix CVE-2024-47703
by Tengda Wu 26 Oct '24

26 Oct '24

This patchset is going to fix CVE-2024-47703. Andrii Nakryiko (2): bpf: enforce exact retval range on subprog/callback exit bpf: enforce precise retval range on program exit Tengda Wu (1): Fix kabi breakage in struct bpf_func_state Xu Kuohai (3): bpf, lsm: Add disabled BPF LSM hook list bpf, lsm: Add check for BPF LSM return value bpf: Fix compare error in function retval_range_within include/linux/bpf.h | 1 + include/linux/bpf_lsm.h | 8 + include/linux/bpf_verifier.h | 11 +- kernel/bpf/bpf_lsm.c | 63 +++++++- kernel/bpf/btf.c | 5 +- kernel/bpf/verifier.c | 149 ++++++++++++------ .../selftests/bpf/progs/test_global_func15.c | 2 +- .../selftests/bpf/progs/timer_failure.c | 2 +- .../selftests/bpf/progs/user_ringbuf_fail.c | 2 +- .../bpf/progs/verifier_cgroup_inv_retcode.c | 8 +- .../bpf/progs/verifier_netfilter_retcode.c | 2 +- 11 files changed, 196 insertions(+), 57 deletions(-) -- 2.34.1

2 7

[PATCH OLK-5.10 0/2] Fix CVE-2024-47703
by Tengda Wu 26 Oct '24

26 Oct '24

This patchset is going to fix CVE-2024-47703. Tengda Wu (1): bpf, lsm: Add check for BPF LSM return value Xu Kuohai (1): bpf, lsm: Add disabled BPF LSM hook list include/linux/bpf.h | 1 + include/linux/bpf_lsm.h | 8 +++++ include/linux/bpf_verifier.h | 5 +++ kernel/bpf/bpf_lsm.c | 63 ++++++++++++++++++++++++++++++++++-- kernel/bpf/btf.c | 3 ++ kernel/bpf/verifier.c | 62 +++++++++++++++++++++++++++++++++-- 6 files changed, 136 insertions(+), 6 deletions(-) -- 2.34.1

2 3

[openeuler:openEuler-1.0-LTS 17125/23859] kernel/bpf/verifier.o: warning: objtool: do_check()+0x2bc8: can't find switch jump table
by kernel test robot 26 Oct '24

26 Oct '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: d2a40c79ddef4b96b8a7a396bd7273121b1b4a5c commit: b2fdc6d8c190bbe579cbc19c520f3d7c25e9fb44 [17125/23859] bpf: Do not mark insn as seen under speculative path verification config: x86_64-randconfig-073-20241026 (https://download.01.org/0day-ci/archive/20241026/202410261849.E2vRU8kU-lkp@…) compiler: clang version 19.1.2 (https://github.com/llvm/llvm-project 7ba7d8e2f7b6445b60679da826210cdde29eaf8b) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241026/202410261849.E2vRU8kU-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410261849.E2vRU8kU-lkp@intel.com/ All warnings (new ones prefixed by >>): kernel/bpf/verifier.c:6228:16: warning: cast from 'unsigned int (*)(const void *, const struct bpf_insn *)' to 'u64 (*)(u64, u64, u64, u64, u64)' (aka 'unsigned long long (*)(unsigned long long, unsigned long long, unsigned long long, unsigned long long, unsigned long long)') converts to incompatible function type [-Wcast-function-type-strict] 6228 | insn->imm = (u64 (*)(u64, u64, u64, u64, u64)) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 6229 | func[subprog]->bpf_func - | ~~~~~~~~~~~~~~~~~~~~~~~ kernel/bpf/verifier.c:6569:17: warning: cast from 'void *(*)(struct bpf_map *, void *)' to 'u64 (*)(u64, u64, u64, u64, u64)' (aka 'unsigned long long (*)(unsigned long long, unsigned long long, unsigned long long, unsigned long long, unsigned long long)') converts to incompatible function type [-Wcast-function-type-strict] 6569 | insn->imm = BPF_CAST_CALL(ops->map_lookup_elem) - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/filter.h:323:4: note: expanded from macro 'BPF_CAST_CALL' 323 | ((u64 (*)(u64, u64, u64, u64, u64))(x)) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ kernel/bpf/verifier.c:6573:17: warning: cast from 'int (*)(struct bpf_map *, void *, void *, u64)' (aka 'int (*)(struct bpf_map *, void *, void *, unsigned long long)') to 'u64 (*)(u64, u64, u64, u64, u64)' (aka 'unsigned long long (*)(unsigned long long, unsigned long long, unsigned long long, unsigned long long, unsigned long long)') converts to incompatible function type [-Wcast-function-type-strict] 6573 | insn->imm = BPF_CAST_CALL(ops->map_update_elem) - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/filter.h:323:4: note: expanded from macro 'BPF_CAST_CALL' 323 | ((u64 (*)(u64, u64, u64, u64, u64))(x)) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ kernel/bpf/verifier.c:6577:17: warning: cast from 'int (*)(struct bpf_map *, void *)' to 'u64 (*)(u64, u64, u64, u64, u64)' (aka 'unsigned long long (*)(unsigned long long, unsigned long long, unsigned long long, unsigned long long, unsigned long long)') converts to incompatible function type [-Wcast-function-type-strict] 6577 | insn->imm = BPF_CAST_CALL(ops->map_delete_elem) - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/filter.h:323:4: note: expanded from macro 'BPF_CAST_CALL' 323 | ((u64 (*)(u64, u64, u64, u64, u64))(x)) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 4 warnings generated. >> kernel/bpf/verifier.o: warning: objtool: do_check()+0x2bc8: can't find switch jump table -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] [Backport] bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos
by Xiaomeng Zhang 26 Oct '24

26 Oct '24

From: Eduard Zingerman <eddyz87(a)gmail.com> stable inclusion from stable-v6.6.54 commit 2288b54b96dcb55bedebcef3572bb8821fc5e708 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQR6 CVE: CVE-2024-49850 [ Upstream commit 3d2786d65aaa954ebd3fcc033ada433e10da21c4 ] In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL referencing a non-existing BTF type, function bpf_core_calc_relo_insn would cause a null pointer deference. Fix this by adding a proper check upper in call stack, as malformed relocation records could be passed from user space. Simplest reproducer is a program: r0 = 0 exit With a single relocation record: .insn_off = 0, /* patch first instruction */ .type_id = 100500, /* this type id does not exist */ .access_str_off = 6, /* offset of string "0" */ .kind = BPF_CORE_TYPE_ID_LOCAL, See the link for original reproducer or next commit for a test case. Fixes: 74753e1462e7 ("libbpf: Replace btf__type_by_id() with btf_type_by_id().") Reported-by: Liu RuiTong <cnitlrt(a)gmail.com> Closes: https://lore.kernel.org/bpf/CAK55_s6do7C+DVwbwY_7nKfUz0YLDoiA1v6X3Y9+p0sWzi… Acked-by: Andrii Nakryiko <andrii(a)kernel.org> Signed-off-by: Eduard Zingerman <eddyz87(a)gmail.com> Link: https://lore.kernel.org/r/20240822080124.2995724-2-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- kernel/bpf/btf.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index 7ac62793a753..01303bb8ee29 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -8419,6 +8419,7 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo, struct bpf_core_cand_list cands = {}; struct bpf_core_relo_res targ_res; struct bpf_core_spec *specs; + const struct btf_type *type; int err; /* ~4k of temp memory necessary to convert LLVM spec like "0:1:0:5" @@ -8428,6 +8429,13 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo, if (!specs) return -ENOMEM; + type = btf_type_by_id(ctx->btf, relo->type_id); + if (!type) { + bpf_log(ctx->log, "relo #%u: bad type id %u\n", + relo_idx, relo->type_id); + return -EINVAL; + } + if (need_cands) { struct bpf_cand_cache *cc; int i; -- 2.34.1

2 1

[PATCH OLK-5.10] kabi: use CONFIG_KABI_RESERVE to control reservation in ucount_type and user_table
by GONG Ruiqi 26 Oct '24

26 Oct '24

From: "GONG, Ruiqi" <gongruiqi1(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4MYYH CVE: NA ---------------------------------------- Commit 328e64817efe ("kabi: reserve space for cred and user_namespace"), besides reserving space for struct cred and struct user_namespace, adds new members to enum ucount_type and struct ctl_table user_table[] as well. Use CONFIG_KABI_RESERVE to control them. Signed-off-by: GONG, Ruiqi <gongruiqi1(a)huawei.com> --- include/linux/user_namespace.h | 2 ++ kernel/ucount.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h index f79abb16a874..6bdd18062ee0 100644 --- a/include/linux/user_namespace.h +++ b/include/linux/user_namespace.h @@ -51,6 +51,7 @@ enum ucount_type { UCOUNT_INOTIFY_INSTANCES, UCOUNT_INOTIFY_WATCHES, #endif +#ifdef CONFIG_KABI_RESERVE /* These 15 members are reserved (with extra margin) for the future * enlargement of enum ucount_type, as how RH8.1 did it. This number * should be enough, as 6 of them are very likely to be used in the near @@ -71,6 +72,7 @@ enum ucount_type { UCOUNT_KABI_RESERVE13, UCOUNT_KABI_RESERVE14, UCOUNT_KABI_RESERVE15, +#endif UCOUNT_COUNTS, }; diff --git a/kernel/ucount.c b/kernel/ucount.c index 1f5825b674d8..093b2fa76385 100644 --- a/kernel/ucount.c +++ b/kernel/ucount.c @@ -77,6 +77,7 @@ static struct ctl_table user_table[] = { UCOUNT_ENTRY("max_inotify_instances"), UCOUNT_ENTRY("max_inotify_watches"), #endif +#ifdef CONFIG_KABI_RESERVE /* These corresponds to the reservation in enum ucount_type */ { }, // UCOUNT_KABI_RESERVE1 { }, // UCOUNT_KABI_RESERVE2 @@ -93,6 +94,7 @@ static struct ctl_table user_table[] = { { }, // UCOUNT_KABI_RESERVE13 { }, // UCOUNT_KABI_RESERVE14 { }, // UCOUNT_KABI_RESERVE15 +#endif { } }; #endif /* CONFIG_SYSCTL */ -- 2.25.1

2 1

[PATCH OLK-5.10 0/1] fix CVE-2024-49924
by Lin Yujun 26 Oct '24

26 Oct '24

Kaixin Wang (1): fbdev: pxafb: Fix possible use after free in pxafb_task() drivers/video/fbdev/pxafb.c | 1 + 1 file changed, 1 insertion(+) -- 2.34.1

2 2

[PATCH openEuler-22.03-LTS-SP1 0/1] fix CVE-2024-49924
by Lin Yujun 26 Oct '24

26 Oct '24

Kaixin Wang (1): fbdev: pxafb: Fix possible use after free in pxafb_task() drivers/video/fbdev/pxafb.c | 1 + 1 file changed, 1 insertion(+) -- 2.34.1

2 2

[PATCH OLK-6.6] drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer
by Li Huafei 26 Oct '24

26 Oct '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> mainline inclusion from mainline-v6.12-rc1 commit ac2140449184a26eac99585b7f69814bd3ba8f2d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRAX CVE: CVE-2024-49918 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- This commit addresses a potential null pointer dereference issue in the `dcn32_acquire_idle_pipe_for_head_pipe_in_layer` function. The issue could occur when `head_pipe` is null. The fix adds a check to ensure `head_pipe` is not null before asserting it. If `head_pipe` is null, the function returns NULL to prevent a potential null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn32/dcn32_resource.c:2690 dcn32_acquire_idle_pipe_for_head_pipe_in_layer() error: we previously assumed 'head_pipe' could be null (see line 2681) Cc: Tom Chung <chiahsuan.chung(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Alex Hung <alex.hung(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Conflicts: drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c [ Resolve the conflict caused by renaming files in the commit 8b8eed05a1c6 ('drm/amd/display: Refactor resource into component directory'). ] Signed-off-by: Li Huafei <lihuafei1(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c index 4d4ff13a2af8..d96c1d953593 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c @@ -2642,8 +2642,10 @@ static struct pipe_ctx *dcn32_acquire_idle_pipe_for_head_pipe_in_layer( struct resource_context *old_ctx = &stream->ctx->dc->current_state->res_ctx; int head_index; - if (!head_pipe) + if (!head_pipe) { ASSERT(0); + return NULL; + } /* * Modified from dcn20_acquire_idle_pipe_for_layer -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS 0/1] fix CVE-2024-49924
by Lin Yujun 26 Oct '24

26 Oct '24

Kaixin Wang (1): fbdev: pxafb: Fix possible use after free in pxafb_task() drivers/video/fbdev/pxafb.c | 1 + 1 file changed, 1 insertion(+) -- 2.34.1

2 2

[PATCH openEuler-22.03-LTS-SP1 0/1] fix CVE-2024-49924
by Lin Yujun 26 Oct '24

26 Oct '24

Kaixin Wang (1): fbdev: pxafb: Fix possible use after free in pxafb_task() drivers/video/fbdev/pxafb.c | 1 + 1 file changed, 1 insertion(+) -- 2.34.1

2 2

2024

2023

2022

2021

2020

2019

Kernel