Kernel

kernel@openeuler.org

[PATCH OLK-5.10 v5] can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
by Yipeng Zou 29 May '24

From: Marc Kleine-Budde <mkl(a)pengutronix.de> mainline inclusion from mainline-v6.7-rc1 commit 6411959c10fe917288cbb1038886999148560057 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9REA2 CVE: CVE-2023-52878 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- If the "struct can_priv::echoo_skb" is accessed out of bounds, this would cause a kernel crash. Instead, issue a meaningful warning message and return with an error. Fixes: a6e4bc530403 ("can: make the number of echo skb's configurable") Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-5-91b5c1fd9… Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Conflicts: drivers/net/can/dev/skb.c drivers/net/can/dev/dev.c [Since 18f2dbfd2232 ("can: dev: move skb related into seperate file") can_put_echo_skb has been moved to skb.c without any functional change. So we can fix this cve directly in dev.c.] Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> --- drivers/net/can/dev/dev.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index b5e79d63d59b..535bf277ba90 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -462,7 +462,11 @@ int can_put_echo_skb(struct sk_buff *skb, struct net_device *dev, { struct can_priv *priv = netdev_priv(dev); - BUG_ON(idx >= priv->echo_skb_max); + if (idx >= priv->echo_skb_max) { + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", + __func__, idx, priv->echo_skb_max); + return -EINVAL; + } /* check flag whether this packet has to be looped back */ if (!(dev->flags & IFF_ECHO) || skb->pkt_type != PACKET_LOOPBACK || -- 2.34.1
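Review bot: the new early return in can_put_echo_skb() hands the skb back to the caller without freeing it, so every caller in OLK-5.10 has to check the -EINVAL result and drop the skb itself, otherwise an out-of-bounds idx now turns a crash into an skb leak; either confirm the drivers calling this function were audited for that, or free the skb here before returning (`kfree_skb(skb); return -EINVAL;`) if the function is meant to always consume it. The netdev_err() is also not rate limited, so a driver that keeps passing a bad idx on its TX path will emit one line per packet; netdev_err_once() or a ratelimited variant is safer for a path the message itself labels a BUG.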
[PATCH openEuler-1.0-LTS v5] can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
by Yipeng Zou 29 May '24

From: Marc Kleine-Budde <mkl(a)pengutronix.de> mainline inclusion from mainline-v6.7-rc1 commit 6411959c10fe917288cbb1038886999148560057 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9REA2 CVE: CVE-2023-52878 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- If the "struct can_priv::echoo_skb" is accessed out of bounds, this would cause a kernel crash. Instead, issue a meaningful warning message and return with an error. Fixes: a6e4bc530403 ("can: make the number of echo skb's configurable") Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-5-91b5c1fd9… Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Conflicts: drivers/net/can/dev/skb.c drivers/net/can/dev/dev.c [Since 18f2dbfd2232 ("can: dev: move skb related into seperate file") can_put_echo_skb has been moved to skb.c without any functional change. So we can fix this cve directly in dev.c.] Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> --- drivers/net/can/dev/dev.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index 40e2e1bbb8a6..5667f1ebd8e7 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -447,7 +447,11 @@ void can_put_echo_skb(struct sk_buff *skb, struct net_device *dev, { struct can_priv *priv = netdev_priv(dev); - BUG_ON(idx >= priv->echo_skb_max); + if (idx >= priv->echo_skb_max) { + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", + __func__, idx, priv->echo_skb_max); + return; + } /* check flag whether this packet has to be looped back */ if (!(dev->flags & IFF_ECHO) || skb->pkt_type != PACKET_LOOPBACK || -- 2.34.1
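Review bot: in this void variant of can_put_echo_skb() the caller cannot observe the failure at all, and on the new early-return path the skb is neither stored in priv->echo_skb nor freed, so an out-of-bounds idx now leaks the skb silently instead of crashing; if the other paths of this function consume the skb (as the looped-back check that follows is expected to), the error path should do the same, i.e. `kfree_skb(skb);` before `return;`. As in the OLK-5.10 version, netdev_err() here is unratelimited and sits on a per-packet path, so netdev_err_once() or a ratelimited print would be preferable.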
[PATCH openEuler-1.0-LTS] powerpc/mm: Fix lockup on kernel exec fault
by Liu Shixin 29 May '24

From: Christophe Leroy <christophe.leroy(a)csgroup.eu> stable inclusion from stable-v5.4.133 commit a82471a14aad90f79d1608d2bcbb019f0ffb53f0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4CI CVE: CVE-2021-47350 -------------------------------- commit cd5d5e602f502895e47e18cd46804d6d7014e65c upstream. The powerpc kernel is not prepared to handle exec faults from kernel. Especially, the function is_exec_fault() will return 'false' when an exec fault is taken by kernel, because the check is based on reading current->thread.regs->trap which contains the trap from user. For instance, when provoking a LKDTM EXEC_USERSPACE test, current->thread.regs->trap is set to SYSCALL trap (0xc00), and the fault taken by the kernel is not seen as an exec fault by set_access_flags_filter(). Commit d7df2443cd5f ("powerpc/mm: Fix spurious segfaults on radix with autonuma") made it clear and handled it properly. But later on commit d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") removed that handling, introducing test based on error_code. And here is the problem, because on the 603 all upper bits of SRR1 get cleared when the TLB instruction miss handler bails out to ISI. Until commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy search_exception_tables() verification"), an exec fault from kernel at a userspace address was indirectly caught by the lack of entry for that address in the exception tables. But after that commit the kernel mainly relies on KUAP or on core mm handling to catch wrong user accesses. Here the access is not wrong, so mm handles it. It is a minor fault because PAGE_EXEC is not set, set_access_flags_filter() should set PAGE_EXEC and voila. But as is_exec_fault() returns false as explained in the beginning, set_access_flags_filter() bails out without setting PAGE_EXEC flag, which leads to a forever minor exec fault. 
As the kernel is not prepared to handle such exec faults, the thing to do is to fire in bad_kernel_fault() for any exec fault taken by the kernel, as it was prior to commit d3ca587404b3. Fixes: d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") Cc: stable(a)vger.kernel.org # v4.14+ Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Acked-by: Nicholas Piggin <npiggin(a)gmail.com> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://lore.kernel.org/r/024bb05105050f704743a0083fe3548702be5706.16251382… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: arch/powerpc/mm/fault.c [ Context conflicts due to lack of commit de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection"). ] Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- arch/powerpc/mm/fault.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c index 5b04d029f824..41f1de87edb6 100644 --- a/arch/powerpc/mm/fault.c +++ b/arch/powerpc/mm/fault.c @@ -221,9 +221,7 @@ static int mm_fault_error(struct pt_regs *regs, unsigned long addr, static bool bad_kernel_fault(bool is_exec, unsigned long error_code, unsigned long address) { - /* NX faults set DSISR_PROTFAULT on the 8xx, DSISR_NOEXEC_OR_G on others */ - if (is_exec && (error_code & (DSISR_NOEXEC_OR_G | DSISR_KEYFAULT | - DSISR_PROTFAULT))) { + if (is_exec) { printk_ratelimited(KERN_CRIT "kernel tried to execute" " exec-protected page (%lx) -" "exploit attempt? (uid: %d)\n", -- 2.25.1
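Review bot: the comment this hunk deletes was the only place explaining why specific DSISR bits were tested, and the replacement `if (is_exec) {` now relies entirely on how the caller classifies the fault; a one-line comment saying that the kernel never legitimately takes an exec fault, so any kernel-mode is_exec fault is treated as bad regardless of error_code (because, per the commit message, the 603 clears the upper SRR1 bits before ISI), would keep that reasoning next to the code. It is also worth confirming in this openEuler-1.0-LTS tree that is_exec passed into bad_kernel_fault() is derived from the trap being handled and not from current->thread.regs->trap, since that misattribution is exactly what the commit message identifies as the root cause.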
[PATCH OLK-5.10] IMA: Introduce a config for fix on IMA with Overlayfs issue
by Xiang Yang 29 May '24

From: GUO Zihua <guozihua(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9T6ZD CVE: NA -------------------------------- IMA detect the backing inode changes through i_version of the backing inode would introduce a performance degrade, so introduce a config to allow users to turn the i_version detection on and off. Signed-off-by: GUO Zihua <guozihua(a)huawei.com> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- security/integrity/ima/Kconfig | 8 ++++++++ security/integrity/ima/ima_main.c | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 213dc7079f84..9e254c5cb117 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -368,3 +368,11 @@ config IMA_PARSER_BINARY_PATH default "/usr/bin/upload_digest_lists" help This option defines the path of the parser binary. + +config IMA_FIX_OVERLAYFS_DETECTION + bool + default y + help + This option enables the fix for overlayfs backing inode change + detection. With this config enabled, IMA would be detecting + backing inode changes through i_version of the backing inode. diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 389d6e957357..0a202a4f07c1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -267,7 +267,11 @@ static int process_measurement(struct file *file, const struct cred *cred, u32 secid, char *buf, loff_t size, int mask, enum ima_hooks func) { +#ifdef IMA_FIX_OVERLAYFS_DETECTION struct inode *backing_inode, *inode = file_inode(file); +#else + struct inode *inode = file_inode(file); +#endif struct integrity_iint_cache *iint = NULL; struct ima_template_desc *template_desc = NULL; char *pathbuf = NULL; 
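Review bot: the `#ifdef IMA_FIX_OVERLAYFS_DETECTION` guarding the `backing_inode` declaration in process_measurement() tests the bare Kconfig symbol, but Kconfig exports options to C as CONFIG_<name>, so this macro is never defined and the `#else` branch is compiled unconditionally regardless of the `default y`; it should read `#ifdef CONFIG_IMA_FIX_OVERLAYFS_DETECTION`, or better `if (IS_ENABLED(CONFIG_IMA_FIX_OVERLAYFS_DETECTION))` so both variants keep getting compile-tested. Separately, the Kconfig entry is a bare `bool` with no prompt string, so it cannot be toggled from menuconfig or a defconfig, which contradicts the commit message's stated purpose of letting users turn the i_version detection on and off; give it a prompt, e.g. `bool "Detect overlayfs backing inode changes in IMA"`, and consider describing the performance trade-off in the help text.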
@@ -344,6 +348,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; } +#ifdef IMA_FIX_OVERLAYFS_DETECTION /* Detect and re-evaluate changes made to the backing file. */ backing_inode = d_real_inode(file_dentry(file)); if (backing_inode != inode && @@ -356,6 +361,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; } } +#endif /* Determine if already appraised/measured based on bitmask * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, -- 2.34.1
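Review bot: the second hunk has the same macro-name problem: `#ifdef IMA_FIX_OVERLAYFS_DETECTION` around the d_real_inode()/i_version re-evaluation block must be `#ifdef CONFIG_IMA_FIX_OVERLAYFS_DETECTION`, otherwise this block is always excluded and IMA stops noticing when the file backing an overlayfs mount changes, which is a lost re-measurement/re-appraisal rather than a lost optimisation. Because the variable declaration in the first hunk is guarded by the identical misspelt macro, the build will not catch this; a build with the corrected name plus a quick functional check (modify a lower-layer file, confirm the next open is re-measured) should accompany the patch.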
[PATCH OLK-5.10] sysv: don't call sb_bread() with pointers_lock held
by Yifan Qiao 29 May '24

From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> stable inclusion from stable-v6.6.27 commit 89e8524135a3902e7563a5a59b7b5ec1bf4904ac category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIO CVE: CVE-2023-52699 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- syzbot is reporting sleep in atomic context in SysV filesystem [1], for sb_bread() is called with rw_spinlock held. A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bug and a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by "Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12. Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed the former bug by moving pointers_lock lock to the callers, but instead introduced a "sb_bread() with read_lock(&pointers_lock)" bug (which made this problem easier to hit). Al Viro suggested that why not to do like get_branch()/get_block()/ find_shared() in Minix filesystem does. And doing like that is almost a revert of "[PATCH] err1-40: sysvfs locking fix" except that get_branch() from with find_shared() is called without write_lock(&pointers_lock). Reported-by: syzbot <syzbot+69b40dc5fd40f32c199f(a)syzkaller.appspotmail.com> Link: https://syzkaller.appspot.com/bug?extid=69b40dc5fd40f32c199f Suggested-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Link: https://lore.kernel.org/r/0d195f93-a22a-49a2-0020-103534d6f7f6@I-love.SAKUR… Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/sysv/itree.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c index e3d1673b8ec9..ef9bcfeec21a 100644 --- a/fs/sysv/itree.c +++ b/fs/sysv/itree.c 
@@ -82,9 +82,6 @@ static inline sysv_zone_t *block_end(struct buffer_head *bh) return (sysv_zone_t*)((char*)bh->b_data + bh->b_size); } -/* - * Requires read_lock(&pointers_lock) or write_lock(&pointers_lock) - */ static Indirect *get_branch(struct inode *inode, int depth, int offsets[], @@ -104,15 +101,18 @@ static Indirect *get_branch(struct inode *inode, bh = sb_bread(sb, block); if (!bh) goto failure; + read_lock(&pointers_lock); if (!verify_chain(chain, p)) goto changed; add_chain(++p, bh, (sysv_zone_t*)bh->b_data + *++offsets); + read_unlock(&pointers_lock); if (!p->key) goto no_block; } return NULL; changed: + read_unlock(&pointers_lock); brelse(bh); *err = -EAGAIN; goto no_block; @@ -218,9 +218,7 @@ static int get_block(struct inode *inode, sector_t iblock, struct buffer_head *b goto out; reread: - read_lock(&pointers_lock); partial = get_branch(inode, depth, offsets, chain, &err); - read_unlock(&pointers_lock); /* Simplest case - block found, no allocation needed */ if (!partial) { @@ -290,9 +288,9 @@ static Indirect *find_shared(struct inode *inode, *top = 0; for (k = depth; k > 1 && !offsets[k-1]; k--) ; + partial = get_branch(inode, k, offsets, chain, &err); write_lock(&pointers_lock); - partial = get_branch(inode, k, offsets, chain, &err); if (!partial) partial = chain + k-1; /* -- 2.39.2
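Review bot: the locking contract of get_branch() changes here (it now takes pointers_lock itself around verify_chain()/add_chain(), and get_block()/find_shared() no longer hold the lock across the call), but the only statement of the old contract is the "Requires read_lock(&pointers_lock) or write_lock(&pointers_lock)" comment this hunk deletes; replace it with a comment saying get_branch() must be called without pointers_lock held, since a future caller that still takes read_lock() first would reintroduce the nested locking and the sleep-in-atomic sb_bread() the commit message describes. In find_shared(), get_branch() now runs before write_lock(&pointers_lock), so the chain it returns can be invalidated before the lock is taken; the code that follows under the write lock must not assume the chain is still fresh (this matches the Minix pattern the commit message cites, but is worth a note in the comment as well).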
[PATCH openEuler-22.03-LTS-SP2 v2 0/2] CVE-2024-35956
by iceleaf 29 May '24

Boris Burkov (1): btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Omar Sandoval (1): btrfs: fix anon_dev leak in create_subvol() fs/btrfs/ctree.h | 2 -- fs/btrfs/inode.c | 13 ++++++- fs/btrfs/ioctl.c | 81 +++++++++++++++++++++++++++----------------- fs/btrfs/root-tree.c | 10 ------ 4 files changed, 61 insertions(+), 45 deletions(-) -- 2.31.1
[PATCH openEuler-1.0-LTS] sysv: don't call sb_bread() with pointers_lock held
by Yifan Qiao 29 May '24

From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> stable inclusion from stable-v6.6.27 commit 89e8524135a3902e7563a5a59b7b5ec1bf4904ac category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIO CVE: CVE-2023-52699 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- syzbot is reporting sleep in atomic context in SysV filesystem [1], for sb_bread() is called with rw_spinlock held. A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bug and a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by "Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12. Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed the former bug by moving pointers_lock lock to the callers, but instead introduced a "sb_bread() with read_lock(&pointers_lock)" bug (which made this problem easier to hit). Al Viro suggested that why not to do like get_branch()/get_block()/ find_shared() in Minix filesystem does. And doing like that is almost a revert of "[PATCH] err1-40: sysvfs locking fix" except that get_branch() from with find_shared() is called without write_lock(&pointers_lock). Reported-by: syzbot <syzbot+69b40dc5fd40f32c199f(a)syzkaller.appspotmail.com> Link: https://syzkaller.appspot.com/bug?extid=69b40dc5fd40f32c199f Suggested-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Link: https://lore.kernel.org/r/0d195f93-a22a-49a2-0020-103534d6f7f6@I-love.SAKUR… Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/sysv/itree.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c index bcb67b0cabe7..1714ff9a9b0e 100644 --- a/fs/sysv/itree.c +++ b/fs/sysv/itree.c 
@@ -82,9 +82,6 @@ static inline sysv_zone_t *block_end(struct buffer_head *bh) return (sysv_zone_t*)((char*)bh->b_data + bh->b_size); } -/* - * Requires read_lock(&pointers_lock) or write_lock(&pointers_lock) - */ static Indirect *get_branch(struct inode *inode, int depth, int offsets[], @@ -104,15 +101,18 @@ static Indirect *get_branch(struct inode *inode, bh = sb_bread(sb, block); if (!bh) goto failure; + read_lock(&pointers_lock); if (!verify_chain(chain, p)) goto changed; add_chain(++p, bh, (sysv_zone_t*)bh->b_data + *++offsets); + read_unlock(&pointers_lock); if (!p->key) goto no_block; } return NULL; changed: + read_unlock(&pointers_lock); brelse(bh); *err = -EAGAIN; goto no_block; @@ -214,9 +214,7 @@ static int get_block(struct inode *inode, sector_t iblock, struct buffer_head *b goto out; reread: - read_lock(&pointers_lock); partial = get_branch(inode, depth, offsets, chain, &err); - read_unlock(&pointers_lock); /* Simplest case - block found, no allocation needed */ if (!partial) { @@ -286,9 +284,9 @@ static Indirect *find_shared(struct inode *inode, *top = 0; for (k = depth; k > 1 && !offsets[k-1]; k--) ; + partial = get_branch(inode, k, offsets, chain, &err); write_lock(&pointers_lock); - partial = get_branch(inode, k, offsets, chain, &err); if (!partial) partial = chain + k-1; /* -- 2.39.2
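Review bot: the deleted "Requires read_lock(&pointers_lock) or write_lock(&pointers_lock)" comment was the only documentation of how get_branch() is meant to be called, and the new rule (get_branch() acquires and releases the read lock itself; callers must not hold pointers_lock when calling it) should be written back as a comment so nobody re-adds the outer read_lock() in get_block() and recreates the sb_bread()-under-rwlock bug. The code change is identical to the OLK-5.10 backport of the same upstream commit; only the hunk offsets differ (-214/-286 here versus -218/-290 there), so both backports should be reviewed and tested together, ideally with the syzkaller reproducer linked in the message.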
[PATCH openEuler-22.03-LTS-SP1 v2 0/2] CVE-2024-35956
by iceleaf 29 May '24

Boris Burkov (1): btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Omar Sandoval (1): btrfs: fix anon_dev leak in create_subvol() fs/btrfs/ctree.h | 2 -- fs/btrfs/inode.c | 13 ++++++- fs/btrfs/ioctl.c | 81 +++++++++++++++++++++++++++----------------- fs/btrfs/root-tree.c | 10 ------ 4 files changed, 61 insertions(+), 45 deletions(-) -- 2.31.1
[PATCH OLK-5.10] Control KABI reservation codes with config
by Xiang Yang 29 May '24

From: GUO Zihua <guozihua(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9T6ZD CVE: NA -------------------------------- Control KABI reservation codes with CONFIG_KABI_RESERVE. Minimizing risk. Signed-off-by: GUO Zihua <guozihua(a)huawei.com> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- include/linux/proc_ns.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h index 81e99aa97cd7..737c98ebb7b3 100644 --- a/include/linux/proc_ns.h +++ b/include/linux/proc_ns.h @@ -16,7 +16,11 @@ struct inode; struct proc_ns_operations { const char *name; const char *real_ns_name; +#ifdef CONFIG_KABI_RESERVE u64 type; +#else + int type; +#endif struct ns_common *(*get)(struct task_struct *task); void (*put)(struct ns_common *ns); int (*install)(struct nsset *nsset, struct ns_common *ns); -- 2.34.1
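Review bot: this hunk makes the layout of struct proc_ns_operations depend on CONFIG_KABI_RESERVE (u64 versus int for `type`), which is the stated intent, but the Kconfig symbol is neither introduced nor referenced anywhere else in the patch; confirm CONFIG_KABI_RESERVE already exists in OLK-5.10 and is set in the shipped defconfigs, otherwise the `#else` branch becomes the effective default and the reserved width is silently lost. The commit message ("Minimizing risk.") should also state which users of `type` were checked: any code that stores `type` in an int, compares it with int constants or prints it with an int format specifier needs a matching cast or format change when the u64 variant is active, and the KABI checker should be told this struct's layout is config-dependent.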
[PATCH openEuler-22.03-LTS v2 0/2] CVE-2024-35956
by iceleaf 29 May '24

Boris Burkov (1): btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Omar Sandoval (1): btrfs: fix anon_dev leak in create_subvol() fs/btrfs/ctree.h | 2 -- fs/btrfs/inode.c | 13 ++++++- fs/btrfs/ioctl.c | 81 +++++++++++++++++++++++++++----------------- fs/btrfs/root-tree.c | 10 ------ 4 files changed, 61 insertions(+), 45 deletions(-) -- 2.31.1