Jinjie Ruan (2):
  posix-clock: Fix missing timespec64 check in pc_clock_settime()
  posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()

 kernel/time/posix-clock.c | 3 +++
 1 file changed, 3 insertions(+)
Feedback: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/13305 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/7...
From: Jinjie Ruan ruanjinjie@huawei.com
stable inclusion
from stable-v4.19.323
commit 29f085345cde24566efb751f39e5d367c381c584
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2YU9
CVE: CVE-2024-50195
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit d8794ac20a299b647ba9958f6d657051fc51a540 upstream.
As Andrew pointed out, it makes sense for the PTP core to check the timespec64 struct's tv_sec and tv_nsec range before calling ptp->info->settime64().

As the man page of clock_settime() says, if tp.tv_sec is negative or tp.tv_nsec is outside the range [0..999,999,999], it should return EINVAL, which includes dynamic clocks, which handle the PTP clock, and the condition is consistent with timespec64_valid(). As Thomas suggested, timespec64_valid() only checks that the timespec is valid, but does not ensure that the time is in a valid range, so check it ahead using timespec64_valid_strict() in pc_clock_settime() and return -EINVAL if not valid.

There are some drivers that use tp->tv_sec and tp->tv_nsec directly to write registers without validity checks and assume that the higher layer has checked it, which is dangerous and will benefit from this, such as hclge_ptp_settime(), igb_ptp_settime_i210(), _rcar_gen4_ptp_settime(), and some drivers can remove their own checks.
Cc: stable@vger.kernel.org
Fixes: 0606f422b453 ("posix clocks: Introduce dynamic clocks")
Acked-by: Richard Cochran richardcochran@gmail.com
Suggested-by: Andrew Lunn andrew@lunn.ch
Suggested-by: Thomas Gleixner tglx@linutronix.de
Signed-off-by: Jinjie Ruan ruanjinjie@huawei.com
Link: https://patch.msgid.link/20241009072302.1754567-2-ruanjinjie@huawei.com
Signed-off-by: Jakub Kicinski kuba@kernel.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Gu Bowen gubowen5@huawei.com
---
 kernel/time/posix-clock.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c index c8a8501fae5b..cda319c7529e 100644 --- a/kernel/time/posix-clock.c +++ b/kernel/time/posix-clock.c @@ -312,6 +312,9 @@ static int pc_clock_settime(clockid_t id, const struct timespec64 *ts) goto out; }
+ if (!timespec64_valid_strict(ts)) + return -EINVAL; + if (cd.clk->ops.clock_settime) err = cd.clk->ops.clock_settime(cd.clk, ts); else
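Review bot: the added `return -EINVAL` sits directly after the `goto out; }` branch, so a rejected timespec leaves the function without passing through the `out` label that the preceding error path uses, and whatever cleanup `out` performs is skipped. Either set `err = -EINVAL` and `goto out` here, or move the validation to the top of pc_clock_settime(), before anything is acquired; `ts` is a const input, so checking it first changes nothing else.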
From: Jinjie Ruan ruanjinjie@huawei.com
stable inclusion
from stable-v4.19.323
commit d005400262ddaf1ca1666bbcd1acf42fe81d57ce
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2YU9
CVE: CVE-2024-50195
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 6e62807c7fbb3c758d233018caf94dfea9c65dbd ]
If get_clock_desc() succeeds, it calls fget() for the clockid's fd, and gets the clk->rwsem read lock, so the error path should release the lock to make the lock balance and fput the clockid's fd to make the refcount balance and release the fd related resource.

However, the below commit left the error path locked behind, resulting in unbalanced locking. Check timespec64_valid_strict() before get_clock_desc() to fix it, because the "ts" is not changed after that.
Fixes: d8794ac20a29 ("posix-clock: Fix missing timespec64 check in pc_clock_settime()")
Acked-by: Richard Cochran richardcochran@gmail.com
Signed-off-by: Jinjie Ruan ruanjinjie@huawei.com
Acked-by: Anna-Maria Behnsen anna-maria@linutronix.de
[pabeni@redhat.com: fixed commit message typo]
Signed-off-by: Paolo Abeni pabeni@redhat.com
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Gu Bowen gubowen5@huawei.com
---
 kernel/time/posix-clock.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c index cda319c7529e..c1e5feff8185 100644 --- a/kernel/time/posix-clock.c +++ b/kernel/time/posix-clock.c @@ -303,6 +303,9 @@ static int pc_clock_settime(clockid_t id, const struct timespec64 *ts) struct posix_clock_desc cd; int err;
+ if (!timespec64_valid_strict(ts)) + return -EINVAL; + err = get_clock_desc(id, &cd); if (err) return err; @@ -312,9 +315,6 @@ static int pc_clock_settime(clockid_t id, const struct timespec64 *ts) goto out; }
- if (!timespec64_valid_strict(ts)) - return -EINVAL; - if (cd.clk->ops.clock_settime) err = cd.clk->ops.clock_settime(cd.clk, ts); else
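Review bot: the relocated check at the top of pc_clock_settime() carries no comment saying that it has to stay ahead of `get_clock_desc(id, &cd)`, which is the whole point of the move; a one-line comment there (for example, that no lock or fd reference is held yet, so a plain return is safe) would keep a later refactor from pushing it back below the acquire. Also worth stating in the commit message: with this ordering an invalid `ts` now returns -EINVAL before `get_clock_desc()` runs, so a caller passing both a bad clock id and a bad timespec sees -EINVAL rather than the error from `get_clock_desc()`.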