Kernel
kernel@openeuler.org

  • 46 participants
  • 18689 discussions
[PATCH openEuler-22.03-LTS-SP1] drm/stm: Avoid use-after-free issues with crtc and plane
by Zhang Kunbo 01 Nov '24

01 Nov '24
From: Katya Orlova <e.orlova(a)ispras.ru> stable inclusion from stable-v6.6.55 commit 0a1741d10da29aa84955ef89ae9a03c4b6038657 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRAF CVE: CVE-2024-49992 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 19dd9780b7ac673be95bf6fd6892a184c9db611f ] ltdc_load() calls functions drm_crtc_init_with_planes(), drm_universal_plane_init() and drm_encoder_init(). These functions should not be called with parameters allocated with devm_kzalloc() to avoid use-after-free issues [1]. Use allocations managed by the DRM framework. Found by Linux Verification Center (linuxtesting.org) [1] https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhu… Signed-off-by: Katya Orlova <e.orlova(a)ispras.ru> Acked-by: Raphaël Gallais-Pou <raphael.gallais-pou(a)foss.st.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240216125040.8968-1-e.orlov… Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou(a)foss.st.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpu/drm/stm/drv.c drivers/gpu/drm/stm/ltdc.c [ context conflicts in drv.c, keep operations after allocation of struct drm_encoder, drm_plane unchanged, only replace `devm_kzalloc`] Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/gpu/drm/stm/drv.c | 3 ++- drivers/gpu/drm/stm/ltdc.c | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c index 411103f013e2..76dbc5eeb7f7 100644 --- a/drivers/gpu/drm/stm/drv.c +++ b/drivers/gpu/drm/stm/drv.c @@ -23,6 +23,7 @@ #include <drm/drm_gem_framebuffer_helper.h> #include <drm/drm_probe_helper.h> #include <drm/drm_vblank.h> +#include <drm/drm_managed.h> #include "ltdc.h" 
@@ -73,7 +74,7 @@ static int drv_load(struct drm_device *ddev) DRM_DEBUG("%s\n", __func__); - ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL); + ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL); if (!ldev) return -ENOMEM; diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c index 089c00a8e7d4..3a4e51857a6c 100644 --- a/drivers/gpu/drm/stm/ltdc.c +++ b/drivers/gpu/drm/stm/ltdc.c @@ -32,6 +32,7 @@ #include <drm/drm_plane_helper.h> #include <drm/drm_probe_helper.h> #include <drm/drm_vblank.h> +#include <drm/drm_managed.h> #include <video/videomode.h> @@ -956,7 +957,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev, { unsigned long possible_crtcs = CRTC_MASK; struct ltdc_device *ldev = ddev->dev_private; - struct device *dev = ddev->dev; struct drm_plane *plane; unsigned int i, nb_fmt = 0; u32 formats[NB_PF * 2]; @@ -984,7 +984,7 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev, formats[nb_fmt++] = drm_fmt_no_alpha; } - plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL); + plane = drmm_kzalloc(ddev, sizeof(*plane), GFP_KERNEL); if (!plane) return NULL; @@ -1115,7 +1115,7 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge) struct drm_encoder *encoder; int ret; - encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL); + encoder = drmm_kzalloc(ddev, sizeof(*encoder), GFP_KERNEL); if (!encoder) return -ENOMEM; @@ -1327,7 +1327,7 @@ int ltdc_load(struct drm_device *ddev) } - crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL); + crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL); if (!crtc) { DRM_ERROR("Failed to allocate crtc\n"); ret = -ENOMEM; -- 2.34.1
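Review bot: in the ltdc_plane_create() hunk at -956 the local `struct device *dev = ddev->dev;` is deleted, which is only correct if the plane allocation was the last user of `dev` in that function on this branch. The Conflicts note says the context differs from upstream here, so please confirm that drivers/gpu/drm/stm builds without an undeclared-identifier or unused-variable warning on openEuler-22.03-LTS-SP1 and record that in the changelog. The same question applies to ltdc_load(), where the crtc allocation stops using `dev` but no declaration is removed.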
[PATCH OLK-5.10] drm/stm: Avoid use-after-free issues with crtc and plane
by Zhang Kunbo 01 Nov '24

01 Nov '24
From: Katya Orlova <e.orlova(a)ispras.ru> stable inclusion from stable-v6.6.55 commit 0a1741d10da29aa84955ef89ae9a03c4b6038657 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRAF CVE: CVE-2024-49992 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 19dd9780b7ac673be95bf6fd6892a184c9db611f ] ltdc_load() calls functions drm_crtc_init_with_planes(), drm_universal_plane_init() and drm_encoder_init(). These functions should not be called with parameters allocated with devm_kzalloc() to avoid use-after-free issues [1]. Use allocations managed by the DRM framework. Found by Linux Verification Center (linuxtesting.org) [1] https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhu… Signed-off-by: Katya Orlova <e.orlova(a)ispras.ru> Acked-by: Raphaël Gallais-Pou <raphael.gallais-pou(a)foss.st.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240216125040.8968-1-e.orlov… Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou(a)foss.st.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpu/drm/stm/drv.c drivers/gpu/drm/stm/ltdc.c [ context conflicts in drv.c, keep operations after allocation of struct drm_encoder, drm_plane unchanged, only replace `devm_kzalloc`] Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/gpu/drm/stm/drv.c | 3 ++- drivers/gpu/drm/stm/ltdc.c | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c index 411103f013e2..76dbc5eeb7f7 100644 --- a/drivers/gpu/drm/stm/drv.c +++ b/drivers/gpu/drm/stm/drv.c @@ -23,6 +23,7 @@ #include <drm/drm_gem_framebuffer_helper.h> #include <drm/drm_probe_helper.h> #include <drm/drm_vblank.h> +#include <drm/drm_managed.h> #include "ltdc.h" 
@@ -73,7 +74,7 @@ static int drv_load(struct drm_device *ddev) DRM_DEBUG("%s\n", __func__); - ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL); + ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL); if (!ldev) return -ENOMEM; diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c index 089c00a8e7d4..3a4e51857a6c 100644 --- a/drivers/gpu/drm/stm/ltdc.c +++ b/drivers/gpu/drm/stm/ltdc.c @@ -32,6 +32,7 @@ #include <drm/drm_plane_helper.h> #include <drm/drm_probe_helper.h> #include <drm/drm_vblank.h> +#include <drm/drm_managed.h> #include <video/videomode.h> @@ -956,7 +957,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev, { unsigned long possible_crtcs = CRTC_MASK; struct ltdc_device *ldev = ddev->dev_private; - struct device *dev = ddev->dev; struct drm_plane *plane; unsigned int i, nb_fmt = 0; u32 formats[NB_PF * 2]; @@ -984,7 +984,7 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev, formats[nb_fmt++] = drm_fmt_no_alpha; } - plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL); + plane = drmm_kzalloc(ddev, sizeof(*plane), GFP_KERNEL); if (!plane) return NULL; @@ -1115,7 +1115,7 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge) struct drm_encoder *encoder; int ret; - encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL); + encoder = drmm_kzalloc(ddev, sizeof(*encoder), GFP_KERNEL); if (!encoder) return -ENOMEM; @@ -1327,7 +1327,7 @@ int ltdc_load(struct drm_device *ddev) } - crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL); + crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL); if (!crtc) { DRM_ERROR("Failed to allocate crtc\n"); ret = -ENOMEM; -- 2.34.1
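Review bot: the Conflicts note says only `devm_kzalloc` is replaced and the operations after the allocation of the encoder and plane are left unchanged, but the changelog does not explain why swapping the allocator alone is sufficient on this branch. The four `drmm_kzalloc(ddev, ...)` calls tie `ldev`, `plane`, `encoder` and `crtc` to the drm_device instead of the parent struct device. Please add a sentence stating that these objects are still registered through drm_crtc_init_with_planes(), drm_universal_plane_init() and drm_encoder_init(), and confirm that their cleanup runs before the DRM-managed memory is released, so a later reader can check the teardown order.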
[openeuler:OLK-5.10 2341/2341] kernel/trace/trace_uprobe.o: warning: objtool: __uprobe_perf_func()+0x1e6: unreachable instruction
by kernel test robot 01 Nov '24

01 Nov '24
tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: cc5e1415473b95a8a68887dbb9c459ed50de9f1e
commit: c59687cc7631aea65c88ec0f1162492b8470adf3 [2341/2341] uprobe: avoid out-of-bounds memory access of fetching args
config: x86_64-kexec (https://download.01.org/0day-ci/archive/20241101/202411012238.VsICkiep-lkp@…)
compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241101/202411012238.VsICkiep-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202411012238.VsICkiep-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> kernel/trace/trace_uprobe.o: warning: objtool: __uprobe_perf_func()+0x1e6: unreachable instruction

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] Revert "LoongArch: Add workaround for 3C6000 about io wr/rd"
by Hongchen Zhang 01 Nov '24

01 Nov '24
LoongArch inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/IB1JDN -------------------------------- This reverts commit fcf5d35be96ef2ca2cc76bff6623ca58c3ecd1eb. Signed-off-by: Hongchen Zhang <zhanghongchen(a)loongson.cn> --- arch/loongarch/include/asm/io.h | 149 -------------------------------- arch/loongarch/kernel/smp.c | 20 +---- 2 files changed, 1 insertion(+), 168 deletions(-) diff --git a/arch/loongarch/include/asm/io.h b/arch/loongarch/include/asm/io.h index d5d5b55cdc50..838db690b723 100644 --- a/arch/loongarch/include/asm/io.h +++ b/arch/loongarch/include/asm/io.h 
@@ -79,155 +79,6 @@ extern void __memcpy_fromio(void *to, const volatile void __iomem *from, size_t #define __io_aw() mmiowb() -#include <linux/spinlock.h> -extern spinlock_t lcl_node_lock[16]; -#define __raw_readb __raw_readb -static inline u8 __raw_readb(const volatile void __iomem *addr) -{ - unsigned long dst_node, node; - unsigned long irq_flag; - u8 val; - - dst_node = ((unsigned long)addr >> 44) & 0xf; - node = get_csr_cpuid() / 32; - if (node != dst_node) - spin_lock_irqsave(&lcl_node_lock[node + 8], irq_flag); - val = *(const volatile u8 __force *)addr; - if (node != dst_node) - spin_unlock_irqrestore(&lcl_node_lock[node + 8], irq_flag); - /* read barrier */ - rmb(); - return val; -} - -#define __raw_readw __raw_readw -static inline u16 __raw_readw(const volatile void __iomem *addr) -{ - unsigned long dst_node, node; - unsigned long irq_flag; - u16 val; - - dst_node = ((unsigned long)addr >> 44) & 0xf; - node = get_csr_cpuid() / 32; - if (node != dst_node) - spin_lock_irqsave(&lcl_node_lock[node + 8], irq_flag); - val = *(const volatile u16 __force *)addr; - if (node != dst_node) - spin_unlock_irqrestore(&lcl_node_lock[node + 8], irq_flag); - /* read barrier */ - rmb(); - return val; -} - -#define __raw_readl __raw_readl -static inline u32 __raw_readl(const volatile void __iomem *addr) -{ - unsigned long dst_node, node; - unsigned long irq_flag; - u32 val; - - dst_node = ((unsigned long)addr >> 44) & 0xf; - node = get_csr_cpuid() / 32; - if (node != dst_node) - spin_lock_irqsave(&lcl_node_lock[node + 8], irq_flag); - val = *(const volatile u32 __force *)addr; - if (node != dst_node) - spin_unlock_irqrestore(&lcl_node_lock[node + 8], irq_flag); - /* read barrier */ - rmb(); - return val; -} - -#ifdef CONFIG_64BIT -#define __raw_readq __raw_readq -static inline u64 __raw_readq(const volatile void __iomem *addr) -{ - unsigned long dst_node, node; - unsigned long irq_flag; - u64 val; - - dst_node = ((unsigned long)addr >> 44) & 0xf; - node = get_csr_cpuid() / 
32; - if (node != dst_node) - spin_lock_irqsave(&lcl_node_lock[node + 8], irq_flag); - val = *(const volatile u64 __force *)addr; - if (node != dst_node) - spin_unlock_irqrestore(&lcl_node_lock[node + 8], irq_flag); - /* read barrier */ - rmb(); - return val; -} -#endif /* CONFIG_64BIT */ - -#define __raw_writeb __raw_writeb -static inline void __raw_writeb(u8 value, volatile void __iomem *addr) -{ - unsigned long dst_node, node; - unsigned long irq_flag; - - /* write barrier */ - wmb(); - dst_node = ((unsigned long)addr >> 44) & 0xf; - node = get_csr_cpuid() / 32; - if (node != dst_node) - spin_lock_irqsave(&lcl_node_lock[node], irq_flag); - *(volatile u8 __force *)addr = value; - if (node != dst_node) - spin_unlock_irqrestore(&lcl_node_lock[node], irq_flag); -} - -#define __raw_writew __raw_writew -static inline void __raw_writew(u16 value, volatile void __iomem *addr) -{ - unsigned long dst_node, node; - unsigned long irq_flag; - - /* write barrier */ - wmb(); - dst_node = ((unsigned long)addr >> 44) & 0xf; - node = get_csr_cpuid() / 32; - if (node != dst_node) - spin_lock_irqsave(&lcl_node_lock[node], irq_flag); - *(volatile u16 __force *)addr = value; - if (node != dst_node) - spin_unlock_irqrestore(&lcl_node_lock[node], irq_flag); -} - -#define __raw_writel __raw_writel -static inline void __raw_writel(u32 value, volatile void __iomem *addr) -{ - unsigned long dst_node, node; - unsigned long irq_flag; - - /* write barrier */ - wmb(); - dst_node = ((unsigned long)addr >> 44) & 0xf; - node = get_csr_cpuid() / 32; - if (node != dst_node) - spin_lock_irqsave(&lcl_node_lock[node], irq_flag); - *(volatile u32 __force *)addr = value; - if (node != dst_node) - spin_unlock_irqrestore(&lcl_node_lock[node], irq_flag); -} - -#ifdef CONFIG_64BIT -#define __raw_writeq __raw_writeq -static inline void __raw_writeq(u64 value, volatile void __iomem *addr) -{ - unsigned long dst_node, node; - unsigned long irq_flag; - - /* write barrier */ - wmb(); - dst_node = ((unsigned 
long)addr >> 44) & 0xf; - node = get_csr_cpuid() / 32; - if (node != dst_node) - spin_lock_irqsave(&lcl_node_lock[node], irq_flag); - *(volatile u64 __force *)addr = value; - if (node != dst_node) - spin_unlock_irqrestore(&lcl_node_lock[node], irq_flag); -} -#endif /* CONFIG_64BIT */ #include <asm-generic/io.h> #define ARCH_HAS_VALID_PHYS_ADDR_RANGE diff --git a/arch/loongarch/kernel/smp.c b/arch/loongarch/kernel/smp.c index 619e28117af2..bd0bd3decd32 100644 --- a/arch/loongarch/kernel/smp.c +++ b/arch/loongarch/kernel/smp.c @@ -35,8 +35,6 @@ #include <asm/time.h> #include "legacy_boot.h" -spinlock_t lcl_node_lock[16]; -EXPORT_SYMBOL(lcl_node_lock); int __cpu_number_map[NR_CPUS]; /* Map physical to logical */ EXPORT_SYMBOL(__cpu_number_map); @@ -199,19 +197,7 @@ static void ipi_write_action(int cpu, u32 action) static void loongson_send_ipi_single(int cpu, unsigned int action) { - unsigned int curr_cpu = cpu_logical_map(smp_processor_id()); - unsigned int t_cpu = cpu_logical_map(cpu); - int flag = -1; - unsigned long irq_flag; - - if ((curr_cpu / 32) != (t_cpu / 32)) { - flag = curr_cpu / 32; - spin_lock_irqsave(&lcl_node_lock[flag], irq_flag); - asm ("dbar 0x0"); - } ipi_write_action(cpu_logical_map(cpu), (u32)action); - if (flag >= 0) - spin_unlock_irqrestore(&lcl_node_lock[flag], irq_flag); } static void loongson_send_ipi_mask(const struct cpumask *mask, unsigned int action) @@ -219,7 +205,7 @@ static void loongson_send_ipi_mask(const struct cpumask *mask, unsigned int acti unsigned int i; for_each_cpu(i, mask) - loongson_send_ipi_single(i, (u32)action); + ipi_write_action(cpu_logical_map(i), (u32)action); } void arch_send_call_function_single_ipi(int cpu) @@ -325,10 +311,6 @@ static void __init fdt_smp_setup(void) void __init loongson_smp_setup(void) { - int i; - - for (i = 0; i < 16; i++) - spin_lock_init(&lcl_node_lock[i]); fdt_smp_setup(); cpu_data[0].core = cpu_logical_map(0) % loongson_sysconf.cores_per_package; -- 2.33.0
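Review bot: the changelog says only "This reverts commit fcf5d35be96ef2ca2cc76bff6623ca58c3ecd1eb" and gives no reason, while the diff removes every piece of the 3C6000 I/O workaround: the `lcl_node_lock` array and its init loop in loongson_smp_setup(), the locked `__raw_read*`/`__raw_write*` overrides in io.h, and the cross-node lock plus `dbar 0x0` in loongson_send_ipi_single(). Please state why the workaround is no longer needed, or what replaces it, and on which hardware the revert was tested. The `category: feature` tag is also worth double-checking for a pure revert.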
[PATCH openEuler-22.03-LTS-SP1] tipc: guard against string buffer overrun
by dinglongwei 01 Nov '24

01 Nov '24
From: Simon Horman <horms(a)kernel.org> stable inclusion from stable-v5.10.227 commit e2b2558971e02ca33eb637a8350d68a48b3e8e46 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA6 CVE: CVE-2024-49995 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ] Smatch reports that copying media_name and if_name to name_parts may overwrite the destination. .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) This does seem to be the case so guard against this possibility by using strscpy() and failing if truncation occurs. Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge") Compile tested only. Reviewed-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: dinglongwei <dinglongwei1(a)huawei.com> --- net/tipc/bearer.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c index 72c31ef985eb..fe2a71971dd7 100644 --- a/net/tipc/bearer.c +++ b/net/tipc/bearer.c @@ -161,8 +161,12 @@ static int bearer_name_validate(const char *name, /* return bearer name components, if necessary */ if (name_parts) { - strcpy(name_parts->media_name, media_name); - strcpy(name_parts->if_name, if_name); + if (strscpy(name_parts->media_name, media_name, + TIPC_MAX_MEDIA_NAME) < 0) + return 0; + if (strscpy(name_parts->if_name, if_name, + TIPC_MAX_IF_NAME) < 0) + return 0; } return 1; } -- 2.17.1
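Review bot: both strscpy() calls in bearer_name_validate() take their bound from `TIPC_MAX_MEDIA_NAME` and `TIPC_MAX_IF_NAME` rather than from the destination, so the fix is only as good as the match between those macros and the declared sizes of `name_parts->media_name` and `name_parts->if_name` (the Smatch output quoted in the changelog gives 16 for both). Using `sizeof(name_parts->media_name)` and `sizeof(name_parts->if_name)` would keep the bound tied to the buffer if the struct ever changes; if the backport must stay identical to upstream, a line in the changelog confirming the field sizes on this branch is enough.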
[PATCH OLK-5.10] tipc: guard against string buffer overrun
by dinglongwei 01 Nov '24

01 Nov '24
From: Simon Horman <horms(a)kernel.org> stable inclusion from stable-v5.10.227 commit e2b2558971e02ca33eb637a8350d68a48b3e8e46 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA6 CVE: CVE-2024-49995 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ] Smatch reports that copying media_name and if_name to name_parts may overwrite the destination. .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) This does seem to be the case so guard against this possibility by using strscpy() and failing if truncation occurs. Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge") Compile tested only. Reviewed-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: dinglongwei <dinglongwei1(a)huawei.com> --- net/tipc/bearer.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c index 2511718b8f3f..69dfb0431008 100644 --- a/net/tipc/bearer.c +++ b/net/tipc/bearer.c @@ -161,8 +161,12 @@ static int bearer_name_validate(const char *name, /* return bearer name components, if necessary */ if (name_parts) { - strcpy(name_parts->media_name, media_name); - strcpy(name_parts->if_name, if_name); + if (strscpy(name_parts->media_name, media_name, + TIPC_MAX_MEDIA_NAME) < 0) + return 0; + if (strscpy(name_parts->if_name, if_name, + TIPC_MAX_IF_NAME) < 0) + return 0; } return 1; } -- 2.17.1
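Review bot: when the second strscpy() fails, bearer_name_validate() returns 0 after `name_parts->media_name` has already been written, and a failing strscpy() itself leaves a truncated, NUL-terminated string in its destination. Callers that pass `name_parts` must therefore treat its contents as undefined whenever the return value is 0. Please check the callers on this branch for that, or say so in the comment above the block (`/* return bearer name components, if necessary */`).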
[PATCH OLK-6.6] tipc: guard against string buffer overrun
by dinglongwei 01 Nov '24

01 Nov '24
From: Simon Horman <horms(a)kernel.org> stable inclusion from stable-v6.6.55 commit 12d26aa7fd3cbdbc5149b6e516563478d575026e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA6 CVE: CVE-2024-49995 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ] Smatch reports that copying media_name and if_name to name_parts may overwrite the destination. .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) This does seem to be the case so guard against this possibility by using strscpy() and failing if truncation occurs. Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge") Compile tested only. Reviewed-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: dinglongwei <dinglongwei1(a)huawei.com> --- net/tipc/bearer.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c index 878415c43527..fec638e494c9 100644 --- a/net/tipc/bearer.c +++ b/net/tipc/bearer.c @@ -163,8 +163,12 @@ static int bearer_name_validate(const char *name, /* return bearer name components, if necessary */ if (name_parts) { - strcpy(name_parts->media_name, media_name); - strcpy(name_parts->if_name, if_name); + if (strscpy(name_parts->media_name, media_name, + TIPC_MAX_MEDIA_NAME) < 0) + return 0; + if (strscpy(name_parts->if_name, if_name, + TIPC_MAX_IF_NAME) < 0) + return 0; } return 1; } -- 2.17.1
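Review bot: the changelog carries the upstream remark "Compile tested only" and adds no test result for OLK-6.6. The new `return 0` paths change bearer_name_validate() from always succeeding at this point to rejecting names whose media or interface part does not fit, so please add a short note on a runtime check for this branch, for example that a bearer with a normal-length name still enables and an over-long one is refused with the expected error.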
[openeuler:OLK-5.10 2332/2332] fs/buffer.o: warning: objtool: __breadahead_gfp()+0x9b: unreachable instruction
by kernel test robot 01 Nov '24

01 Nov '24
tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: cc5e1415473b95a8a68887dbb9c459ed50de9f1e
commit: 1ee722823d036ae6478e6bdb1afb12abff10a907 [2332/2332] fs/buffer: replace ll_rw_block()
config: x86_64-randconfig-005-20241101 (https://download.01.org/0day-ci/archive/20241101/202411011918.G4zrdL90-lkp@…)
compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241101/202411011918.G4zrdL90-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202411011918.G4zrdL90-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> fs/buffer.o: warning: objtool: __breadahead_gfp()+0x9b: unreachable instruction

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] tipc: guard against string buffer overrun
by dinglongwei 01 Nov '24

01 Nov '24
From: Simon Horman <horms(a)kernel.org> stable inclusion from stable-v5.10.227 commit e2b2558971e02ca33eb637a8350d68a48b3e8e46 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA6 CVE: CVE-2024-49995 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ] Smatch reports that copying media_name and if_name to name_parts may overwrite the destination. .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16) .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16) This does seem to be the case so guard against this possibility by using strscpy() and failing if truncation occurs. Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge") Compile tested only. Reviewed-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: dinglongwei <dinglongwei1(a)huawei.com> --- net/tipc/bearer.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c index 8879f7923ef5..6187fe37e668 100644 --- a/net/tipc/bearer.c +++ b/net/tipc/bearer.c @@ -158,8 +158,12 @@ static int bearer_name_validate(const char *name, /* return bearer name components, if necessary */ if (name_parts) { - strcpy(name_parts->media_name, media_name); - strcpy(name_parts->if_name, if_name); + if (strscpy(name_parts->media_name, media_name, + TIPC_MAX_MEDIA_NAME) < 0) + return 0; + if (strscpy(name_parts->if_name, if_name, + TIPC_MAX_IF_NAME) < 0) + return 0; } return 1; } -- 2.17.1
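Review bot: the header cites `stable inclusion from stable-v5.10.227` and commit e2b2558971e02ca33eb637a8350d68a48b3e8e46, the same source as the openEuler-22.03-LTS-SP1 and OLK-5.10 postings, although this patch targets openEuler-1.0-LTS and its hunk sits at a different offset (`@@ -158,8 +158,12 @@`). Please confirm that this is the intended source for the branch and that `strscpy()` in this tree returns a negative value on truncation, since both `< 0` checks depend on it.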
[PATCH openEuler-22.03-LTS-SP1 0/2] Fix CVE-2024-47703
by Tengda Wu 01 Nov '24

01 Nov '24
This patchset is going to fix CVE-2024-47703, which may result in a kernel panic.

Tengda Wu (1):
  bpf, lsm: Add check for BPF LSM return value

Xu Kuohai (1):
  bpf, lsm: Add disabled BPF LSM hook list

 include/linux/bpf.h          |  1 +
 include/linux/bpf_lsm.h      |  8 ++++
 include/linux/bpf_verifier.h |  5 +++
 kernel/bpf/bpf_lsm.c         | 63 ++++++++++++++++++++++++++++--
 kernel/bpf/btf.c             |  3 ++
 kernel/bpf/verifier.c        | 74 ++++++++++++++++++++++++++++++++++--
 6 files changed, 147 insertions(+), 7 deletions(-)

--
2.34.1