--- /dev/null
+From 8176cced706b5e5d15887584150764894e94e02f Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tt.rantala@gmail.com>
+Date: Sat, 13 Apr 2013 22:49:14 +0300
+Subject: perf: Treat attr.config as u64 in perf_swevent_init()
+
+From: Tommi Rantala <tt.rantala@gmail.com>
+
+commit 8176cced706b5e5d15887584150764894e94e02f upstream.
+
+Trinity discovered that we fail to check all 64 bits of
+attr.config passed by user space, resulting to out-of-bounds
+access of the perf_swevent_enabled array in
+sw_perf_event_destroy().
+
+Introduced in commit b0a873ebb ("perf: Register PMU
+implementations").
+
+Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: davej@redhat.com
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
+Link: http://lkml.kernel.org/r/1365882554-30259-1-git-send-email-tt.rantala@gmail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5328,7 +5328,7 @@ static void sw_perf_event_destroy(struct
+
+ static int perf_swevent_init(struct perf_event *event)
+ {
+- int event_id = event->attr.config;
++ u64 event_id = event->attr.config;
+
+ if (event->attr.type != PERF_TYPE_SOFTWARE)
+ return -ENOENT;
--- /dev/null
+From f1923820c447e986a9da0fc6bf60c1dccdf0408e Mon Sep 17 00:00:00 2001
+From: Stephane Eranian <eranian@google.com>
+Date: Tue, 16 Apr 2013 13:51:43 +0200
+Subject: perf/x86: Fix offcore_rsp valid mask for SNB/IVB
+
+From: Stephane Eranian <eranian@google.com>
+
+commit f1923820c447e986a9da0fc6bf60c1dccdf0408e upstream.
+
+The valid mask for both offcore_response_0 and
+offcore_response_1 was wrong for SNB/SNB-EP,
+IVB/IVB-EP. It was possible to write to
+reserved bit and cause a GP fault crashing
+the kernel.
+
+This patch fixes the problem by correctly marking the
+reserved bits in the valid mask for all the processors
+mentioned above.
+
+A distinction between desktop and server parts is introduced
+because bits 24-30 are only available on the server parts.
+
+This version of the patch is just a rebase to perf/urgent tree
+and should apply to older kernels as well.
+
+Signed-off-by: Stephane Eranian <eranian@google.com>
+Cc: peterz@infradead.org
+Cc: jolsa@redhat.com
+Cc: ak@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/perf_event_intel.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel.c
++++ b/arch/x86/kernel/cpu/perf_event_intel.c
+@@ -128,8 +128,14 @@ static struct event_constraint intel_gen
+ };
+
+ static struct extra_reg intel_snb_extra_regs[] __read_mostly = {
+- INTEL_EVENT_EXTRA_REG(0xb7, MSR_OFFCORE_RSP_0, 0x3fffffffffull, RSP_0),
+- INTEL_EVENT_EXTRA_REG(0xbb, MSR_OFFCORE_RSP_1, 0x3fffffffffull, RSP_1),
++ INTEL_EVENT_EXTRA_REG(0xb7, MSR_OFFCORE_RSP_0, 0x3f807f8fffull, RSP_0),
++ INTEL_EVENT_EXTRA_REG(0xbb, MSR_OFFCORE_RSP_1, 0x3f807f8fffull, RSP_1),
++ EVENT_EXTRA_END
++};
++
++static struct extra_reg intel_snbep_extra_regs[] __read_mostly = {
++ INTEL_EVENT_EXTRA_REG(0xb7, MSR_OFFCORE_RSP_0, 0x3fffff8fffull, RSP_0),
++ INTEL_EVENT_EXTRA_REG(0xbb, MSR_OFFCORE_RSP_1, 0x3fffff8fffull, RSP_1),
+ EVENT_EXTRA_END
+ };
+
+@@ -2072,7 +2078,10 @@ __init int intel_pmu_init(void)
+ x86_pmu.event_constraints = intel_snb_event_constraints;
+ x86_pmu.pebs_constraints = intel_snb_pebs_event_constraints;
+ x86_pmu.pebs_aliases = intel_pebs_aliases_snb;
+- x86_pmu.extra_regs = intel_snb_extra_regs;
++ if (boot_cpu_data.x86_model == 45)
++ x86_pmu.extra_regs = intel_snbep_extra_regs;
++ else
++ x86_pmu.extra_regs = intel_snb_extra_regs;
+ /* all extra regs are per-cpu when HT is on */
+ x86_pmu.er_flags |= ERF_HAS_RSP_1;
+ x86_pmu.er_flags |= ERF_NO_HT_SHARING;
+@@ -2098,7 +2107,10 @@ __init int intel_pmu_init(void)
+ x86_pmu.event_constraints = intel_snb_event_constraints;
+ x86_pmu.pebs_constraints = intel_ivb_pebs_event_constraints;
+ x86_pmu.pebs_aliases = intel_pebs_aliases_snb;
+- x86_pmu.extra_regs = intel_snb_extra_regs;
++ if (boot_cpu_data.x86_model == 62)
++ x86_pmu.extra_regs = intel_snbep_extra_regs;
++ else
++ x86_pmu.extra_regs = intel_snb_extra_regs;
+ /* all extra regs are per-cpu when HT is on */
+ x86_pmu.er_flags |= ERF_HAS_RSP_1;
+ x86_pmu.er_flags |= ERF_NO_HT_SHARING;
mac80211-fix-cfg80211-interaction-on-auth-assoc-request.patch
ssb-implement-spurious-tone-avoidance.patch
crypto-algif-suppress-sending-source-address-information.patch
+perf-treat-attr.config-as-u64-in-perf_swevent_init.patch
+perf-x86-fix-offcore_rsp-valid-mask-for-snb-ivb.patch
+userns-don-t-let-unprivileged-users-trick-privileged-users-into-setting-the-id_map.patch
+userns-check-uid_map-s-opener-s-fsuid-not-the-current-fsuid.patch
+userns-changing-any-namespace-id-mappings-should-require-privileges.patch
--- /dev/null
+From 41c21e351e79004dbb4efa4bc14a53a7e0af38c5 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Sun, 14 Apr 2013 11:44:04 -0700
+Subject: userns: Changing any namespace id mappings should require privileges
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit 41c21e351e79004dbb4efa4bc14a53a7e0af38c5 upstream.
+
+Changing uid/gid/projid mappings doesn't change your id within the
+namespace; it reconfigures the namespace. Unprivileged programs should
+*not* be able to write these files. (We're also checking the privileges
+on the wrong task.)
+
+Given the write-once nature of these files and the other security
+checks, this is likely impossible to usefully exploit.
+
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/user_namespace.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -576,10 +576,10 @@ static ssize_t map_write(struct file *fi
+ if (map->nr_extents != 0)
+ goto out;
+
+- /* Require the appropriate privilege CAP_SETUID or CAP_SETGID
+- * over the user namespace in order to set the id mapping.
++ /*
++ * Adjusting namespace settings requires capabilities on the target.
+ */
+- if (cap_valid(cap_setid) && !ns_capable(ns, cap_setid))
++ if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
+ goto out;
+
+ /* Get a buffer */
--- /dev/null
+From e3211c120a85b792978bcb4be7b2886df18d27f0 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Sun, 14 Apr 2013 16:28:19 -0700
+Subject: userns: Check uid_map's opener's fsuid, not the current fsuid
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit e3211c120a85b792978bcb4be7b2886df18d27f0 upstream.
+
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/user_namespace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -763,12 +763,12 @@ static bool new_idmap_permitted(const st
+ u32 id = new_map->extent[0].lower_first;
+ if (cap_setid == CAP_SETUID) {
+ kuid_t uid = make_kuid(ns->parent, id);
+- if (uid_eq(uid, current_fsuid()))
++ if (uid_eq(uid, file->f_cred->fsuid))
+ return true;
+ }
+ else if (cap_setid == CAP_SETGID) {
+ kgid_t gid = make_kgid(ns->parent, id);
+- if (gid_eq(gid, current_fsgid()))
++ if (gid_eq(gid, file->f_cred->fsgid))
+ return true;
+ }
+ }
--- /dev/null
+From 6708075f104c3c9b04b23336bb0366ca30c3931b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sun, 14 Apr 2013 13:47:02 -0700
+Subject: userns: Don't let unprivileged users trick privileged users into setting the id_map
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit 6708075f104c3c9b04b23336bb0366ca30c3931b upstream.
+
+When we require privilege for setting /proc/<pid>/uid_map or
+/proc/<pid>/gid_map no longer allow an unprivileged user to
+open the file and pass it to a privileged program to write
+to the file.
+
+Instead when privilege is required require both the opener and the
+writer to have the necessary capabilities.
+
+I have tested this code and verified that setting /proc/<pid>/uid_map
+fails when an unprivileged user opens the file and a privielged user
+attempts to set the mapping, that unprivileged users can still map
+their own id, and that a privileged users can still setup an arbitrary
+mapping.
+
+Reported-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/user_namespace.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -25,7 +25,8 @@
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+
+-static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid,
++static bool new_idmap_permitted(const struct file *file,
++ struct user_namespace *ns, int cap_setid,
+ struct uid_gid_map *map);
+
+ static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
+@@ -666,7 +667,7 @@ static ssize_t map_write(struct file *fi
+
+ ret = -EPERM;
+ /* Validate the user is allowed to use user id's mapped to. */
+- if (!new_idmap_permitted(ns, cap_setid, &new_map))
++ if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
+ goto out;
+
+ /* Map the lower ids from the parent user namespace to the
+@@ -753,7 +754,8 @@ ssize_t proc_projid_map_write(struct fil
+ &ns->projid_map, &ns->parent->projid_map);
+ }
+
+-static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid,
++static bool new_idmap_permitted(const struct file *file,
++ struct user_namespace *ns, int cap_setid,
+ struct uid_gid_map *new_map)
+ {
+ /* Allow mapping to your own filesystem ids */
+@@ -777,8 +779,10 @@ static bool new_idmap_permitted(struct u
+
+ /* Allow the specified ids if we have the appropriate capability
+ * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
++ * And the opener of the id file also had the approprpiate capability.
+ */
+- if (ns_capable(ns->parent, cap_setid))
++ if (ns_capable(ns->parent, cap_setid) &&
++ file_ns_capable(file, ns->parent, cap_setid))
+ return true;
+
+ return false;
projects / thirdparty / kernel / stable-queue.git / commitdiff
