- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS v5] can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
by Yipeng Zou 29 May '24

29 May '24

From: Marc Kleine-Budde <mkl(a)pengutronix.de> mainline inclusion from mainline-v6.7-rc1 commit 6411959c10fe917288cbb1038886999148560057 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9REA2 CVE: CVE-2023-52878 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- If the "struct can_priv::echoo_skb" is accessed out of bounds, this would cause a kernel crash. Instead, issue a meaningful warning message and return with an error. Fixes: a6e4bc530403 ("can: make the number of echo skb's configurable") Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-5-91b5c1fd9… Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Conflicts: drivers/net/can/dev/skb.c drivers/net/can/dev/dev.c [Since 18f2dbfd2232 ("can: dev: move skb related into seperate file") can_put_echo_skb has been moved to skb.c without any functional change. So we can fix this cve directly in dev.c.] Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> --- drivers/net/can/dev/dev.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index 40e2e1bbb8a6..5667f1ebd8e7 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -447,7 +447,11 @@ void can_put_echo_skb(struct sk_buff *skb, struct net_device *dev, { struct can_priv *priv = netdev_priv(dev); - BUG_ON(idx >= priv->echo_skb_max); + if (idx >= priv->echo_skb_max) { + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", + __func__, idx, priv->echo_skb_max); + return; + } /* check flag whether this packet has to be looped back */ if (!(dev->flags & IFF_ECHO) || skb->pkt_type != PACKET_LOOPBACK || -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] powerpc/mm: Fix lockup on kernel exec fault
by Liu Shixin 29 May '24

29 May '24

From: Christophe Leroy <christophe.leroy(a)csgroup.eu> stable inclusion from stable-v5.4.133 commit a82471a14aad90f79d1608d2bcbb019f0ffb53f0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4CI CVE: CVE-2021-47350 -------------------------------- commit cd5d5e602f502895e47e18cd46804d6d7014e65c upstream. The powerpc kernel is not prepared to handle exec faults from kernel. Especially, the function is_exec_fault() will return 'false' when an exec fault is taken by kernel, because the check is based on reading current->thread.regs->trap which contains the trap from user. For instance, when provoking a LKDTM EXEC_USERSPACE test, current->thread.regs->trap is set to SYSCALL trap (0xc00), and the fault taken by the kernel is not seen as an exec fault by set_access_flags_filter(). Commit d7df2443cd5f ("powerpc/mm: Fix spurious segfaults on radix with autonuma") made it clear and handled it properly. But later on commit d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") removed that handling, introducing test based on error_code. And here is the problem, because on the 603 all upper bits of SRR1 get cleared when the TLB instruction miss handler bails out to ISI. Until commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy search_exception_tables() verification"), an exec fault from kernel at a userspace address was indirectly caught by the lack of entry for that address in the exception tables. But after that commit the kernel mainly relies on KUAP or on core mm handling to catch wrong user accesses. Here the access is not wrong, so mm handles it. It is a minor fault because PAGE_EXEC is not set, set_access_flags_filter() should set PAGE_EXEC and voila. But as is_exec_fault() returns false as explained in the beginning, set_access_flags_filter() bails out without setting PAGE_EXEC flag, which leads to a forever minor exec fault. As the kernel is not prepared to handle such exec faults, the thing to do is to fire in bad_kernel_fault() for any exec fault taken by the kernel, as it was prior to commit d3ca587404b3. Fixes: d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") Cc: stable(a)vger.kernel.org # v4.14+ Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Acked-by: Nicholas Piggin <npiggin(a)gmail.com> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://lore.kernel.org/r/024bb05105050f704743a0083fe3548702be5706.16251382… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: arch/powerpc/mm/fault.c [ Context conflicts due to lack of commit de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection"). ] Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- arch/powerpc/mm/fault.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c index 5b04d029f824..41f1de87edb6 100644 --- a/arch/powerpc/mm/fault.c +++ b/arch/powerpc/mm/fault.c @@ -221,9 +221,7 @@ static int mm_fault_error(struct pt_regs *regs, unsigned long addr, static bool bad_kernel_fault(bool is_exec, unsigned long error_code, unsigned long address) { - /* NX faults set DSISR_PROTFAULT on the 8xx, DSISR_NOEXEC_OR_G on others */ - if (is_exec && (error_code & (DSISR_NOEXEC_OR_G | DSISR_KEYFAULT | - DSISR_PROTFAULT))) { + if (is_exec) { printk_ratelimited(KERN_CRIT "kernel tried to execute" " exec-protected page (%lx) -" "exploit attempt? (uid: %d)\n", -- 2.25.1

2 1

[PATCH OLK-5.10] IMA: Introduce a config for fix on IMA with Overlayfs issue
by Xiang Yang 29 May '24

29 May '24

From: GUO Zihua <guozihua(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9T6ZD CVE: NA -------------------------------- IMA detect the backing inode changes through i_version of the backing inode would introduce a performance degrade, so introduce a config to allow users to turn the i_version detection on and off. Signed-off-by: GUO Zihua <guozihua(a)huawei.com> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- security/integrity/ima/Kconfig | 8 ++++++++ security/integrity/ima/ima_main.c | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 213dc7079f84..9e254c5cb117 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -368,3 +368,11 @@ config IMA_PARSER_BINARY_PATH default "/usr/bin/upload_digest_lists" help This option defines the path of the parser binary. + +config IMA_FIX_OVERLAYFS_DETECTION + bool + default y + help + This option enables the fix for overlayfs backing inode change + detection. With this config enabled, IMA would be detecting + backing inode changes through i_version of the backing inode. diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 389d6e957357..0a202a4f07c1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -267,7 +267,11 @@ static int process_measurement(struct file *file, const struct cred *cred, u32 secid, char *buf, loff_t size, int mask, enum ima_hooks func) { +#ifdef IMA_FIX_OVERLAYFS_DETECTION struct inode *backing_inode, *inode = file_inode(file); +#else + struct inode *inode = file_inode(file); +#endif struct integrity_iint_cache *iint = NULL; struct ima_template_desc *template_desc = NULL; char *pathbuf = NULL; @@ -344,6 +348,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; } +#ifdef IMA_FIX_OVERLAYFS_DETECTION /* Detect and re-evaluate changes made to the backing file. */ backing_inode = d_real_inode(file_dentry(file)); if (backing_inode != inode && @@ -356,6 +361,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; } } +#endif /* Determine if already appraised/measured based on bitmask * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, -- 2.34.1

2 1

[PATCH OLK-5.10] sysv: don't call sb_bread() with pointers_lock held
by Yifan Qiao 29 May '24

29 May '24

From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> stable inclusion from stable-v6.6.27 commit 89e8524135a3902e7563a5a59b7b5ec1bf4904ac category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIO CVE: CVE-2023-52699 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- syzbot is reporting sleep in atomic context in SysV filesystem [1], for sb_bread() is called with rw_spinlock held. A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bug and a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by "Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12. Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed the former bug by moving pointers_lock lock to the callers, but instead introduced a "sb_bread() with read_lock(&pointers_lock)" bug (which made this problem easier to hit). Al Viro suggested that why not to do like get_branch()/get_block()/ find_shared() in Minix filesystem does. And doing like that is almost a revert of "[PATCH] err1-40: sysvfs locking fix" except that get_branch() from with find_shared() is called without write_lock(&pointers_lock). Reported-by: syzbot <syzbot+69b40dc5fd40f32c199f(a)syzkaller.appspotmail.com> Link: https://syzkaller.appspot.com/bug?extid=69b40dc5fd40f32c199f Suggested-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Link: https://lore.kernel.org/r/0d195f93-a22a-49a2-0020-103534d6f7f6@I-love.SAKUR… Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/sysv/itree.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c index e3d1673b8ec9..ef9bcfeec21a 100644 --- a/fs/sysv/itree.c +++ b/fs/sysv/itree.c @@ -82,9 +82,6 @@ static inline sysv_zone_t *block_end(struct buffer_head *bh) return (sysv_zone_t*)((char*)bh->b_data + bh->b_size); } -/* - * Requires read_lock(&pointers_lock) or write_lock(&pointers_lock) - */ static Indirect *get_branch(struct inode *inode, int depth, int offsets[], @@ -104,15 +101,18 @@ static Indirect *get_branch(struct inode *inode, bh = sb_bread(sb, block); if (!bh) goto failure; + read_lock(&pointers_lock); if (!verify_chain(chain, p)) goto changed; add_chain(++p, bh, (sysv_zone_t*)bh->b_data + *++offsets); + read_unlock(&pointers_lock); if (!p->key) goto no_block; } return NULL; changed: + read_unlock(&pointers_lock); brelse(bh); *err = -EAGAIN; goto no_block; @@ -218,9 +218,7 @@ static int get_block(struct inode *inode, sector_t iblock, struct buffer_head *b goto out; reread: - read_lock(&pointers_lock); partial = get_branch(inode, depth, offsets, chain, &err); - read_unlock(&pointers_lock); /* Simplest case - block found, no allocation needed */ if (!partial) { @@ -290,9 +288,9 @@ static Indirect *find_shared(struct inode *inode, *top = 0; for (k = depth; k > 1 && !offsets[k-1]; k--) ; + partial = get_branch(inode, k, offsets, chain, &err); write_lock(&pointers_lock); - partial = get_branch(inode, k, offsets, chain, &err); if (!partial) partial = chain + k-1; /* -- 2.39.2

2 1

[PATCH openEuler-22.03-LTS-SP2 v2 0/2] CVE-2024-35956
by iceleaf 29 May '24

29 May '24

Boris Burkov (1): btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Omar Sandoval (1): btrfs: fix anon_dev leak in create_subvol() fs/btrfs/ctree.h | 2 -- fs/btrfs/inode.c | 13 ++++++- fs/btrfs/ioctl.c | 81 +++++++++++++++++++++++++++----------------- fs/btrfs/root-tree.c | 10 ------ 4 files changed, 61 insertions(+), 45 deletions(-) -- 2.31.1

2 3

[PATCH openEuler-1.0-LTS] sysv: don't call sb_bread() with pointers_lock held
by Yifan Qiao 29 May '24

29 May '24

From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> stable inclusion from stable-v6.6.27 commit 89e8524135a3902e7563a5a59b7b5ec1bf4904ac category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIO CVE: CVE-2023-52699 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- syzbot is reporting sleep in atomic context in SysV filesystem [1], for sb_bread() is called with rw_spinlock held. A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bug and a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by "Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12. Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed the former bug by moving pointers_lock lock to the callers, but instead introduced a "sb_bread() with read_lock(&pointers_lock)" bug (which made this problem easier to hit). Al Viro suggested that why not to do like get_branch()/get_block()/ find_shared() in Minix filesystem does. And doing like that is almost a revert of "[PATCH] err1-40: sysvfs locking fix" except that get_branch() from with find_shared() is called without write_lock(&pointers_lock). Reported-by: syzbot <syzbot+69b40dc5fd40f32c199f(a)syzkaller.appspotmail.com> Link: https://syzkaller.appspot.com/bug?extid=69b40dc5fd40f32c199f Suggested-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Link: https://lore.kernel.org/r/0d195f93-a22a-49a2-0020-103534d6f7f6@I-love.SAKUR… Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/sysv/itree.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c index bcb67b0cabe7..1714ff9a9b0e 100644 --- a/fs/sysv/itree.c +++ b/fs/sysv/itree.c @@ -82,9 +82,6 @@ static inline sysv_zone_t *block_end(struct buffer_head *bh) return (sysv_zone_t*)((char*)bh->b_data + bh->b_size); } -/* - * Requires read_lock(&pointers_lock) or write_lock(&pointers_lock) - */ static Indirect *get_branch(struct inode *inode, int depth, int offsets[], @@ -104,15 +101,18 @@ static Indirect *get_branch(struct inode *inode, bh = sb_bread(sb, block); if (!bh) goto failure; + read_lock(&pointers_lock); if (!verify_chain(chain, p)) goto changed; add_chain(++p, bh, (sysv_zone_t*)bh->b_data + *++offsets); + read_unlock(&pointers_lock); if (!p->key) goto no_block; } return NULL; changed: + read_unlock(&pointers_lock); brelse(bh); *err = -EAGAIN; goto no_block; @@ -214,9 +214,7 @@ static int get_block(struct inode *inode, sector_t iblock, struct buffer_head *b goto out; reread: - read_lock(&pointers_lock); partial = get_branch(inode, depth, offsets, chain, &err); - read_unlock(&pointers_lock); /* Simplest case - block found, no allocation needed */ if (!partial) { @@ -286,9 +284,9 @@ static Indirect *find_shared(struct inode *inode, *top = 0; for (k = depth; k > 1 && !offsets[k-1]; k--) ; + partial = get_branch(inode, k, offsets, chain, &err); write_lock(&pointers_lock); - partial = get_branch(inode, k, offsets, chain, &err); if (!partial) partial = chain + k-1; /* -- 2.39.2

2 1

[PATCH openEuler-22.03-LTS-SP1 v2 0/2] CVE-2024-35956
by iceleaf 29 May '24

29 May '24

Boris Burkov (1): btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Omar Sandoval (1): btrfs: fix anon_dev leak in create_subvol() fs/btrfs/ctree.h | 2 -- fs/btrfs/inode.c | 13 ++++++- fs/btrfs/ioctl.c | 81 +++++++++++++++++++++++++++----------------- fs/btrfs/root-tree.c | 10 ------ 4 files changed, 61 insertions(+), 45 deletions(-) -- 2.31.1

2 3

[PATCH OLK-5.10] Control KABI reservation codes with config
by Xiang Yang 29 May '24

29 May '24

From: GUO Zihua <guozihua(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9T6ZD CVE: NA -------------------------------- Control KABI reservation codes with CONFIG_KABI_RESERVE. Minimizing risk. Signed-off-by: GUO Zihua <guozihua(a)huawei.com> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- include/linux/proc_ns.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h index 81e99aa97cd7..737c98ebb7b3 100644 --- a/include/linux/proc_ns.h +++ b/include/linux/proc_ns.h @@ -16,7 +16,11 @@ struct inode; struct proc_ns_operations { const char *name; const char *real_ns_name; +#ifdef CONFIG_KABI_RESERVE u64 type; +#else + int type; +#endif struct ns_common *(*get)(struct task_struct *task); void (*put)(struct ns_common *ns); int (*install)(struct nsset *nsset, struct ns_common *ns); -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS v2 0/2] CVE-2024-35956
by iceleaf 29 May '24

29 May '24

Boris Burkov (1): btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Omar Sandoval (1): btrfs: fix anon_dev leak in create_subvol() fs/btrfs/ctree.h | 2 -- fs/btrfs/inode.c | 13 ++++++- fs/btrfs/ioctl.c | 81 +++++++++++++++++++++++++++----------------- fs/btrfs/root-tree.c | 10 ------ 4 files changed, 61 insertions(+), 45 deletions(-) -- 2.31.1

2 3

[PATCH openEuler-1.0-LTS] gfs2: ignore negated quota changes
by Yifan Qiao 29 May '24

29 May '24

From: Bob Peterson <rpeterso(a)redhat.com> stable inclusion from stable-v5.10.202 commit 2a054b87a1b799b391e578597a42ee6e57a987ae category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4LN CVE: CVE-2023-52759 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4c6a08125f2249531ec01783a5f4317d7342add5 ] When lots of quota changes are made, there may be cases in which an inode's quota information is increased and then decreased, such as when blocks are added to a file, then deleted from it. If the timing is right, function do_qc can add pending quota changes to a transaction, then later, another call to do_qc can negate those changes, resulting in a net gain of 0. The quota_change information is recorded in the qc buffer (and qd element of the inode as well). The buffer is added to the transaction by the first call to do_qc, but a subsequent call changes the value from non-zero back to zero. At that point it's too late to remove the buffer_head from the transaction. Later, when the quota sync code is called, the zero-change qd element is discovered and flagged as an assert warning. If the fs is mounted with errors=panic, the kernel will panic. This is usually seen when files are truncated and the quota changes are negated by punch_hole/truncate which uses gfs2_quota_hold and gfs2_quota_unhold rather than block allocations that use gfs2_quota_lock and gfs2_quota_unlock which automatically do quota sync. This patch solves the problem by adding a check to qd_check_sync such that net-zero quota changes already added to the transaction are no longer deemed necessary to be synced, and skipped. In this case references are taken for the qd and the slot from do_qc so those need to be put. The normal sequence of events for a normal non-zero quota change is as follows: gfs2_quota_change do_qc qd_hold slot_hold Later, when the changes are to be synced: gfs2_quota_sync qd_fish qd_check_sync gets qd ref via lockref_get_not_dead do_sync do_qc(QC_SYNC) qd_put lockref_put_or_lock qd_unlock qd_put lockref_put_or_lock In the net-zero change case, we add a check to qd_check_sync so it puts the qd and slot references acquired in gfs2_quota_change and skip the unneeded sync. Signed-off-by: Bob Peterson <rpeterso(a)redhat.com> Signed-off-by: Andreas Gruenbacher <agruenba(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/gfs2/quota.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c index 0efae7a0ee80..3f7dd85af851 100644 --- a/fs/gfs2/quota.c +++ b/fs/gfs2/quota.c @@ -434,6 +434,17 @@ static int qd_check_sync(struct gfs2_sbd *sdp, struct gfs2_quota_data *qd, (sync_gen && (qd->qd_sync_gen >= *sync_gen))) return 0; + /* + * If qd_change is 0 it means a pending quota change was negated. + * We should not sync it, but we still have a qd reference and slot + * reference taken by gfs2_quota_change -> do_qc that need to be put. + */ + if (!qd->qd_change && test_and_clear_bit(QDF_CHANGE, &qd->qd_flags)) { + slot_put(qd); + qd_put(qd); + return 0; + } + if (!lockref_get_not_dead(&qd->qd_lockref)) return 0; -- 2.39.2

2 1