5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Sep 2024 07:54:33 +0000 (09:54 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Sep 2024 07:54:33 +0000 (09:54 +0200)
added patches:
gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch
netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch
netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch

queue-5.10/gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch [new file with mode: 0644]
queue-5.10/netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch [new file with mode: 0644]
queue-5.10/netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch b/queue-5.10/gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch
new file mode 100644 (file)
index 0000000..29485ea
--- /dev/null
@@ -0,0 +1,50 @@
+From d795848ecce24a75dfd46481aee066ae6fe39775 Mon Sep 17 00:00:00 2001
+From: Hagar Hemdan <hagarhem@amazon.com>
+Date: Thu, 23 May 2024 08:53:32 +0000
+Subject: gpio: prevent potential speculation leaks in gpio_device_get_desc()
+
+From: Hagar Hemdan <hagarhem@amazon.com>
+
+commit d795848ecce24a75dfd46481aee066ae6fe39775 upstream.
+
+Userspace may trigger a speculative read of an address outside the gpio
+descriptor array.
+Users can do that by calling gpio_ioctl() with an offset out of range.
+Offset is copied from user and then used as an array index to get
+the gpio descriptor without sanitization in gpio_device_get_desc().
+
+This change ensures that the offset is sanitized by using
+array_index_nospec() to mitigate any possibility of speculative
+information leaks.
+
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.
+
+Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
+Link: https://lore.kernel.org/r/20240523085332.1801-1-hagarhem@amazon.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -4,6 +4,7 @@
+ #include <linux/module.h>
+ #include <linux/interrupt.h>
+ #include <linux/irq.h>
++#include <linux/nospec.h>
+ #include <linux/spinlock.h>
+ #include <linux/list.h>
+ #include <linux/device.h>
+@@ -143,7 +144,7 @@ struct gpio_desc *gpiochip_get_desc(stru
+       if (hwnum >= gdev->ngpio)
+               return ERR_PTR(-EINVAL);
+-      return &gdev->descs[hwnum];
++      return &gdev->descs[array_index_nospec(hwnum, gdev->ngpio)];
+ }
+ EXPORT_SYMBOL_GPL(gpiochip_get_desc);
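Review bot: The patch subject and changelog name gpio_device_get_desc(), but the code hunk at the end of this backport changes gpiochip_get_desc() in drivers/gpio/gpiolib.c. A one-line backport note in the changelog naming the 5.10 function would help anyone auditing the stable tree for this fix. In the code, a short comment above the new return would explain why the index is clamped immediately after an explicit range check, for example `/* hwnum is range-checked above; also clamp it under speculation (Spectre v1) */`. gpiochip_get_desc() starts outside the hunk, so the declared type of hwnum and how gdev is obtained are not visible here.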
diff --git a/queue-5.10/netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch b/queue-5.10/netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch
new file mode 100644 (file)
index 0000000..29b1f3e
--- /dev/null
@@ -0,0 +1,45 @@
+From stable+bounces-76616-greg=kroah.com@vger.kernel.org Tue Sep 17 22:26:07 2024
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 17 Sep 2024 22:25:50 +0200
+Subject: netfilter: nf_tables: missing iterator type in lookup walk
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Message-ID: <20240917202550.188220-3-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit efefd4f00c967d00ad7abe092554ffbb70c1a793 upstream.
+
+Add missing decorator type to lookup expression and tighten WARN_ON_ONCE
+check in pipapo to spot earlier that this is unset.
+
+Fixes: 29b359cf6d95 ("netfilter: nft_set_pipapo: walk over current view on netlink dump")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_lookup.c     |    1 +
+ net/netfilter/nft_set_pipapo.c |    3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_lookup.c
++++ b/net/netfilter/nft_lookup.c
+@@ -207,6 +207,7 @@ static int nft_lookup_validate(const str
+               return 0;
+       iter.genmask    = nft_genmask_next(ctx->net);
++      iter.type       = NFT_ITER_UPDATE;
+       iter.skip       = 0;
+       iter.count      = 0;
+       iter.err        = 0;
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2030,7 +2030,8 @@ static void nft_pipapo_walk(const struct
+       struct nft_pipapo_field *f;
+       int i, r;
+-      WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
++      WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
++                   iter->type != NFT_ITER_UPDATE);
+       rcu_read_lock();
+       if (iter->type == NFT_ITER_READ)
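Review bot: The tightened `WARN_ON_ONCE()` in nft_pipapo_walk() only logs. For any type other than NFT_ITER_READ the function still continues to `rcu_read_lock()`, and the unchanged `if (iter->type == NFT_ITER_READ)` test then sends an unset or invalid type down the non-read branch. If an unexpected type is a caller bug, it may be safer to stop the walk, for example `if (WARN_ON_ONCE(iter->type != NFT_ITER_READ && iter->type != NFT_ITER_UPDATE)) {` followed by `iter->err = -EINVAL; return; }`. Whether every caller checks `iter->err` is not visible here, and such a change would have to land upstream first, because this is a stable backport. The body of nft_pipapo_walk() continues outside the hunk.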
diff --git a/queue-5.10/netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch b/queue-5.10/netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch
new file mode 100644 (file)
index 0000000..4091bd0
--- /dev/null
@@ -0,0 +1,114 @@
+From stable+bounces-76617-greg=kroah.com@vger.kernel.org Tue Sep 17 22:26:07 2024
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 17 Sep 2024 22:25:49 +0200
+Subject: netfilter: nft_set_pipapo: walk over current view on netlink dump
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Message-ID: <20240917202550.188220-2-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 29b359cf6d95fd60730533f7f10464e95bd17c73 upstream.
+
+The generation mask can be updated while netlink dump is in progress.
+The pipapo set backend walk iterator cannot rely on it to infer what
+view of the datastructure is to be used. Add notation to specify if user
+wants to read/update the set.
+
+Based on patch from Florian Westphal.
+
+Fixes: 2b84e215f874 ("netfilter: nft_set_pipapo: .walk does not deal with generations")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netfilter/nf_tables.h |   13 +++++++++++++
+ net/netfilter/nf_tables_api.c     |    5 +++++
+ net/netfilter/nft_set_pipapo.c    |    5 +++--
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -262,9 +262,22 @@ struct nft_set_elem {
+       void                    *priv;
+ };
++/**
++ * enum nft_iter_type - nftables set iterator type
++ *
++ * @NFT_ITER_READ: read-only iteration over set elements
++ * @NFT_ITER_UPDATE: iteration under mutex to update set element state
++ */
++enum nft_iter_type {
++      NFT_ITER_UNSPEC,
++      NFT_ITER_READ,
++      NFT_ITER_UPDATE,
++};
++
+ struct nft_set;
+ struct nft_set_iter {
+       u8              genmask;
++      enum nft_iter_type type:8;
+       unsigned int    count;
+       unsigned int    skip;
+       int             err;
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -594,6 +594,7 @@ static void nft_map_deactivate(const str
+ {
+       struct nft_set_iter iter = {
+               .genmask        = nft_genmask_next(ctx->net),
++              .type           = NFT_ITER_UPDATE,
+               .fn             = nft_mapelem_deactivate,
+       };
+@@ -4777,6 +4778,7 @@ int nf_tables_bind_set(const struct nft_
+               }
+               iter.genmask    = nft_genmask_next(ctx->net);
++              iter.type       = NFT_ITER_UPDATE;
+               iter.skip       = 0;
+               iter.count      = 0;
+               iter.err        = 0;
+@@ -4830,6 +4832,7 @@ static void nft_map_activate(const struc
+ {
+       struct nft_set_iter iter = {
+               .genmask        = nft_genmask_next(ctx->net),
++              .type           = NFT_ITER_UPDATE,
+               .fn             = nft_mapelem_activate,
+       };
+@@ -5142,6 +5145,7 @@ static int nf_tables_dump_set(struct sk_
+       args.cb                 = cb;
+       args.skb                = skb;
+       args.iter.genmask       = nft_genmask_cur(net);
++      args.iter.type          = NFT_ITER_READ;
+       args.iter.skip          = cb->args[0];
+       args.iter.count         = 0;
+       args.iter.err           = 0;
+@@ -6065,6 +6069,7 @@ static int nf_tables_delsetelem(struct n
+       if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
+               struct nft_set_iter iter = {
+                       .genmask        = genmask,
++                      .type           = NFT_ITER_UPDATE,
+                       .fn             = nft_flush_set,
+               };
+               set->ops->walk(&ctx, set, &iter);
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2026,13 +2026,14 @@ static void nft_pipapo_walk(const struct
+                           struct nft_set_iter *iter)
+ {
+       struct nft_pipapo *priv = nft_set_priv(set);
+-      struct net *net = read_pnet(&set->net);
+       struct nft_pipapo_match *m;
+       struct nft_pipapo_field *f;
+       int i, r;
++      WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);
++
+       rcu_read_lock();
+-      if (iter->genmask == nft_genmask_cur(net))
++      if (iter->type == NFT_ITER_READ)
+               m = rcu_dereference(priv->match);
+       else
+               m = priv->clone;
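Review bot: The kernel-doc block added for `enum nft_iter_type` in include/net/netfilter/nf_tables.h describes NFT_ITER_READ and NFT_ITER_UPDATE but not NFT_ITER_UNSPEC. That is the value a designated-initialiser `struct nft_set_iter` gets whenever `.type` is omitted. Adding `* @NFT_ITER_UNSPEC: type not set by the caller; nft_pipapo_walk() warns on it` would document that every walk caller must set the field. This patch sets it at five sites in nf_tables_api.c, and the companion patch in this queue adds the one that was missed in nft_lookup_validate(), so it is worth checking whether 5.10 has any other `->walk()` callers that still leave it unset. Several of the touched functions start or end outside their hunks.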
index e287deae1fd11d0bc5b82b6a02c9d5657bd603ba..5f5f24645804d1020004b4c42564306cbed354be 100644 (file)
@@ -42,3 +42,6 @@ x86-hyperv-set-x86_feature_tsc_known_freq-when-hyper.patch
 ocfs2-add-bounds-checking-to-ocfs2_xattr_find_entry.patch
 ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xatt.patch
 cgroup-make-operations-on-the-cgroup-root_list-rcu-s.patch
+netfilter-nft_set_pipapo-walk-over-current-view-on-netlink-dump.patch
+netfilter-nf_tables-missing-iterator-type-in-lookup-walk.patch
+gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch