3.16-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 12 Sep 2014 23:27:18 +0000 (16:27 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 12 Sep 2014 23:27:18 +0000 (16:27 -0700)
added patches:
capabilities-remove-undefined-caps-from-all-processes.patch
tpm-missing-tpm_chip_put-in-tpm_get_random.patch
tpm-properly-clean-sysfs-entries-in-error-path.patch
tpm-provide-a-generic-means-to-override-the-chip-returned-timeouts.patch

queue-3.16/capabilities-remove-undefined-caps-from-all-processes.patch [new file with mode: 0644]
queue-3.16/series
queue-3.16/tpm-missing-tpm_chip_put-in-tpm_get_random.patch [new file with mode: 0644]
queue-3.16/tpm-properly-clean-sysfs-entries-in-error-path.patch [new file with mode: 0644]
queue-3.16/tpm-provide-a-generic-means-to-override-the-chip-returned-timeouts.patch [new file with mode: 0644]

diff --git a/queue-3.16/capabilities-remove-undefined-caps-from-all-processes.patch b/queue-3.16/capabilities-remove-undefined-caps-from-all-processes.patch
new file mode 100644 (file)
index 0000000..229e3b9
--- /dev/null
@@ -0,0 +1,178 @@
+From 7d8b6c63751cfbbe5eef81a48c22978b3407a3ad Mon Sep 17 00:00:00 2001
+From: Eric Paris <eparis@redhat.com>
+Date: Wed, 23 Jul 2014 15:36:26 -0400
+Subject: CAPABILITIES: remove undefined caps from all processes
+
+From: Eric Paris <eparis@redhat.com>
+
+commit 7d8b6c63751cfbbe5eef81a48c22978b3407a3ad upstream.
+
+This is effectively a revert of 7b9a7ec565505699f503b4fcf61500dceb36e744
+plus fixing it a different way...
+
+We found, when trying to run an application from an application which
+had dropped privs that the kernel does security checks on undefined
+capability bits.  This was ESPECIALLY difficult to debug as those
+undefined bits are hidden from /proc/$PID/status.
+
+Consider a root application which drops all capabilities from ALL 4
+capability sets.  We assume, since the application is going to set
+eff/perm/inh from an array that it will clear not only the defined caps
+less than CAP_LAST_CAP, but also the higher 28ish bits which are
+undefined future capabilities.
+
+The BSET gets cleared differently.  Instead it is cleared one bit at a
+time.  The problem here is that in security/commoncap.c::cap_task_prctl()
+we actually check the validity of a capability being read.  So any task
+which attempts to 'read all things set in bset' followed by 'unset all
+things set in bset' will not even attempt to unset the undefined bits
+higher than CAP_LAST_CAP.
+
+So the 'parent' will look something like:
+CapInh:        0000000000000000
+CapPrm:        0000000000000000
+CapEff:        0000000000000000
+CapBnd:        ffffffc000000000
+
+All of this 'should' be fine.  Given that these are undefined bits that
+aren't supposed to have anything to do with permissions.  But they do...
+
+So lets now consider a task which cleared the eff/perm/inh completely
+and cleared all of the valid caps in the bset (but not the invalid caps
+it couldn't read out of the kernel).  We know that this is exactly what
+the libcap-ng library does and what the go capabilities library does.
+They both leave you in that above situation if you try to clear all of
+you capapabilities from all 4 sets.  If that root task calls execve()
+the child task will pick up all caps not blocked by the bset.  The bset
+however does not block bits higher than CAP_LAST_CAP.  So now the child
+task has bits in eff which are not in the parent.  These are
+'meaningless' undefined bits, but still bits which the parent doesn't
+have.
+
+The problem is now in cred_cap_issubset() (or any operation which does a
+subset test) as the child, while a subset for valid cap bits, is not a
+subset for invalid cap bits!  So now we set durring commit creds that
+the child is not dumpable.  Given it is 'more priv' than its parent.  It
+also means the parent cannot ptrace the child and other stupidity.
+
+The solution here:
+1) stop hiding capability bits in status
+       This makes debugging easier!
+
+2) stop giving any task undefined capability bits.  it's simple, it you
+don't put those invalid bits in CAP_FULL_SET you won't get them in init
+and you won't get them in any other task either.
+       This fixes the cap_issubset() tests and resulting fallout (which
+       made the init task in a docker container untraceable among other
+       things)
+
+3) mask out undefined bits when sys_capset() is called as it might use
+~0, ~0 to denote 'all capabilities' for backward/forward compatibility.
+       This lets 'capsh --caps="all=eip" -- -c /bin/bash' run.
+
+4) mask out undefined bit when we read a file capability off of disk as
+again likely all bits are set in the xattr for forward/backward
+compatibility.
+       This lets 'setcap all+pe /bin/bash; /bin/bash' run
+
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Andrew Vagin <avagin@openvz.org>
+Cc: Andrew G. Morgan <morgan@kernel.org>
+Cc: Serge E. Hallyn <serge.hallyn@canonical.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Steve Grubb <sgrubb@redhat.com>
+Cc: Dan Walsh <dwalsh@redhat.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/array.c            |   11 +----------
+ include/linux/capability.h |    5 ++++-
+ kernel/audit.c             |    2 +-
+ kernel/capability.c        |    4 ++++
+ security/commoncap.c       |    3 +++
+ 5 files changed, 13 insertions(+), 12 deletions(-)
+
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -297,15 +297,11 @@ static void render_cap_t(struct seq_file
+       seq_puts(m, header);
+       CAP_FOR_EACH_U32(__capi) {
+               seq_printf(m, "%08x",
+-                         a->cap[(_KERNEL_CAPABILITY_U32S-1) - __capi]);
++                         a->cap[CAP_LAST_U32 - __capi]);
+       }
+       seq_putc(m, '\n');
+ }
+-/* Remove non-existent capabilities */
+-#define NORM_CAPS(v) (v.cap[CAP_TO_INDEX(CAP_LAST_CAP)] &= \
+-                              CAP_TO_MASK(CAP_LAST_CAP + 1) - 1)
+-
+ static inline void task_cap(struct seq_file *m, struct task_struct *p)
+ {
+       const struct cred *cred;
+@@ -319,11 +315,6 @@ static inline void task_cap(struct seq_f
+       cap_bset        = cred->cap_bset;
+       rcu_read_unlock();
+-      NORM_CAPS(cap_inheritable);
+-      NORM_CAPS(cap_permitted);
+-      NORM_CAPS(cap_effective);
+-      NORM_CAPS(cap_bset);
+-
+       render_cap_t(m, "CapInh:\t", &cap_inheritable);
+       render_cap_t(m, "CapPrm:\t", &cap_permitted);
+       render_cap_t(m, "CapEff:\t", &cap_effective);
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -78,8 +78,11 @@ extern const kernel_cap_t __cap_init_eff
+ # error Fix up hand-coded capability macro initializers
+ #else /* HAND-CODED capability initializers */
++#define CAP_LAST_U32                  ((_KERNEL_CAPABILITY_U32S) - 1)
++#define CAP_LAST_U32_VALID_MASK               (CAP_TO_MASK(CAP_LAST_CAP + 1) -1)
++
+ # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
+-# define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
++# define CAP_FULL_SET     ((kernel_cap_t){{ ~0, CAP_LAST_U32_VALID_MASK }})
+ # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
+                                   | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
+                                   CAP_FS_MASK_B1 } })
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1677,7 +1677,7 @@ void audit_log_cap(struct audit_buffer *
+       audit_log_format(ab, " %s=", prefix);
+       CAP_FOR_EACH_U32(i) {
+               audit_log_format(ab, "%08x",
+-                               cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
++                               cap->cap[CAP_LAST_U32 - i]);
+       }
+ }
+--- a/kernel/capability.c
++++ b/kernel/capability.c
+@@ -258,6 +258,10 @@ SYSCALL_DEFINE2(capset, cap_user_header_
+               i++;
+       }
++      effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
++      permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
++      inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
++
+       new = prepare_creds();
+       if (!new)
+               return -ENOMEM;
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -421,6 +421,9 @@ int get_vfs_caps_from_disk(const struct
+               cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
+       }
++      cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
++      cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
++
+       return 0;
+ }
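Review bot: `CAP_LAST_U32_VALID_MASK` in the `include/linux/capability.h` hunk is built as `CAP_TO_MASK(CAP_LAST_CAP + 1) - 1`, and because `CAP_TO_MASK` reduces its argument modulo 32 the mask collapses to 0 whenever `CAP_LAST_CAP + 1` is a multiple of 32, so a future `CAP_LAST_CAP` of 63 would silently strip every capability in the top word from `CAP_FULL_SET`, from `capset()` and from file caps read off disk. The existing `#error` on the `_KERNEL_CAPABILITY_U32S` check does not cover that case; a guard beside the new define, `#if (CAP_LAST_CAP + 1) % 32 == 0` / `# error CAP_LAST_U32_VALID_MASK cannot express a full last word` / `#endif`, turns it into a build failure instead of a privilege-dropping surprise. The same assumption underlies the unchanged `~0` for word 0 of `CAP_FULL_SET`, which is only correct while every bit 0–31 names a defined capability; a one-line comment stating that on the `CAP_FULL_SET` line would help the next person who adds a capability.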
index ff4ec5465655a2b6e4675af7a663f1c1f7720f96..c0e1475e2e92d25eda0106e9481d7e66f55366ba 100644 (file)
@@ -18,3 +18,7 @@ s390-locking-reenable-optimistic-spinning.patch
 powerpc-cpufreq-add-pr_warn-on-opal-firmware-failures.patch
 drm-radeon-use-packet2-for-nop-on-hawaii-with-old-firmware.patch
 firmware-do-not-use-warn_on-spin_is_locked.patch
+tpm-missing-tpm_chip_put-in-tpm_get_random.patch
+tpm-provide-a-generic-means-to-override-the-chip-returned-timeouts.patch
+tpm-properly-clean-sysfs-entries-in-error-path.patch
+capabilities-remove-undefined-caps-from-all-processes.patch
diff --git a/queue-3.16/tpm-missing-tpm_chip_put-in-tpm_get_random.patch b/queue-3.16/tpm-missing-tpm_chip_put-in-tpm_get_random.patch
new file mode 100644 (file)
index 0000000..229b8b0
--- /dev/null
@@ -0,0 +1,48 @@
+From 3e14d83ef94a5806a865b85b513b4e891923c19b Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Date: Fri, 9 May 2014 14:23:10 +0300
+Subject: tpm: missing tpm_chip_put in tpm_get_random()
+
+From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+
+commit 3e14d83ef94a5806a865b85b513b4e891923c19b upstream.
+
+Regression in 41ab999c. Call to tpm_chip_put is missing. This
+will cause TPM device driver not to unload if tmp_get_random()
+is called.
+
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm-interface.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -991,13 +991,13 @@ int tpm_get_random(u32 chip_num, u8 *out
+       int err, total = 0, retries = 5;
+       u8 *dest = out;
++      if (!out || !num_bytes || max > TPM_MAX_RNG_DATA)
++              return -EINVAL;
++
+       chip = tpm_chip_find_get(chip_num);
+       if (chip == NULL)
+               return -ENODEV;
+-      if (!out || !num_bytes || max > TPM_MAX_RNG_DATA)
+-              return -EINVAL;
+-
+       do {
+               tpm_cmd.header.in = tpm_getrandom_header;
+               tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes);
+@@ -1016,6 +1016,7 @@ int tpm_get_random(u32 chip_num, u8 *out
+               num_bytes -= recd;
+       } while (retries-- && total < max);
++      tpm_chip_put(chip);
+       return total ? total : -EIO;
+ }
+ EXPORT_SYMBOL_GPL(tpm_get_random);
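Review bot: `num_bytes -= recd;` in the second hunk of `tpm_get_random()` subtracts a count that, by its name, comes from the chip's GETRANDOM reply; if the device reports more bytes than were requested the `u32` wraps and the next iteration asks for a huge count, and the copy into `dest` that presumably precedes it (outside the hunk) would already have written past the caller's buffer. Now that every exit after `tpm_chip_find_get()` falls through to the new `tpm_chip_put(chip)`, an over-long reply should take that same exit rather than a direct return: `if (recd > num_bytes) break;` placed before the copy returns whatever was collected so far, or -EIO, with the reference released. The loop body between the two hunks is not visible here, so whether such a bound already exists should be confirmed; `tpm_get_random()` starts outside the first hunk.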
diff --git a/queue-3.16/tpm-properly-clean-sysfs-entries-in-error-path.patch b/queue-3.16/tpm-properly-clean-sysfs-entries-in-error-path.patch
new file mode 100644 (file)
index 0000000..d1b822b
--- /dev/null
@@ -0,0 +1,41 @@
+From b49e1043c48dac23f64fba684d31c4a96c1ffaa0 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Thu, 19 Jun 2014 15:00:19 -0400
+Subject: tpm: Properly clean sysfs entries in error path
+
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+
+commit b49e1043c48dac23f64fba684d31c4a96c1ffaa0 upstream.
+
+Properly clean the sysfs entries in the error path
+
+Reported-by: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
+Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm-interface.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -1116,7 +1116,7 @@ struct tpm_chip *tpm_register_hardware(s
+               goto del_misc;
+       if (tpm_add_ppi(&dev->kobj))
+-              goto del_misc;
++              goto del_sysfs;
+       chip->bios_dir = tpm_bios_log_setup(chip->devname);
+@@ -1127,6 +1127,8 @@ struct tpm_chip *tpm_register_hardware(s
+       return chip;
++del_sysfs:
++      tpm_sysfs_del_device(chip);
+ del_misc:
+       tpm_dev_del_device(chip);
+ put_device:
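Review bot: The unwind labels now run `del_sysfs` → `del_misc` → `put_device`, the reverse of the setup order visible in the first hunk, but nothing in either hunk undoes `tpm_add_ppi()` once it has succeeded; if any step between `tpm_bios_log_setup(...)` and `return chip;` (the lines between the two hunks are not shown) can fail, its `goto` would need a step removing the ppi entries ahead of `del_sysfs`. A one-line comment above the label block, `/* error unwind: labels are in reverse order of the setup above */`, makes that ordering explicit for whoever adds the next setup step. `tpm_register_hardware()` starts and ends outside the hunks.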
diff --git a/queue-3.16/tpm-provide-a-generic-means-to-override-the-chip-returned-timeouts.patch b/queue-3.16/tpm-provide-a-generic-means-to-override-the-chip-returned-timeouts.patch
new file mode 100644 (file)
index 0000000..2d9ca40
--- /dev/null
@@ -0,0 +1,169 @@
+From 8e54caf407b98efa05409e1fee0e5381abd2b088 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Date: Wed, 21 May 2014 18:26:44 -0600
+Subject: tpm: Provide a generic means to override the chip returned timeouts
+
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+
+commit 8e54caf407b98efa05409e1fee0e5381abd2b088 upstream.
+
+Some Atmel TPMs provide completely wrong timeouts from their
+TPM_CAP_PROP_TIS_TIMEOUT query. This patch detects that and returns
+new correct values via a DID/VID table in the TIS driver.
+
+Tested on ARM using an AT97SC3204T FW version 37.16
+
+[PHuewe: without this fix these 'broken' Atmel TPMs won't function on
+older kernels]
+Signed-off-by: "Berg, Christopher" <Christopher.Berg@atmel.com>
+Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
+
+---
+ drivers/char/tpm/tpm-interface.c |   62 +++++++++++++++++++++++++--------------
+ drivers/char/tpm/tpm_tis.c       |   31 +++++++++++++++++++
+ include/linux/tpm.h              |    3 +
+ 3 files changed, 75 insertions(+), 21 deletions(-)
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -491,11 +491,10 @@ static int tpm_startup(struct tpm_chip *
+ int tpm_get_timeouts(struct tpm_chip *chip)
+ {
+       struct tpm_cmd_t tpm_cmd;
+-      struct timeout_t *timeout_cap;
++      unsigned long new_timeout[4];
++      unsigned long old_timeout[4];
+       struct duration_t *duration_cap;
+       ssize_t rc;
+-      u32 timeout;
+-      unsigned int scale = 1;
+       tpm_cmd.header.in = tpm_getcap_header;
+       tpm_cmd.params.getcap_in.cap = TPM_CAP_PROP;
+@@ -529,25 +528,46 @@ int tpm_get_timeouts(struct tpm_chip *ch
+           != sizeof(tpm_cmd.header.out) + sizeof(u32) + 4 * sizeof(u32))
+               return -EINVAL;
+-      timeout_cap = &tpm_cmd.params.getcap_out.cap.timeout;
+-      /* Don't overwrite default if value is 0 */
+-      timeout = be32_to_cpu(timeout_cap->a);
+-      if (timeout && timeout < 1000) {
+-              /* timeouts in msec rather usec */
+-              scale = 1000;
+-              chip->vendor.timeout_adjusted = true;
++      old_timeout[0] = be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.a);
++      old_timeout[1] = be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.b);
++      old_timeout[2] = be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.c);
++      old_timeout[3] = be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.d);
++      memcpy(new_timeout, old_timeout, sizeof(new_timeout));
++
++      /*
++       * Provide ability for vendor overrides of timeout values in case
++       * of misreporting.
++       */
++      if (chip->ops->update_timeouts != NULL)
++              chip->vendor.timeout_adjusted =
++                      chip->ops->update_timeouts(chip, new_timeout);
++
++      if (!chip->vendor.timeout_adjusted) {
++              /* Don't overwrite default if value is 0 */
++              if (new_timeout[0] != 0 && new_timeout[0] < 1000) {
++                      int i;
++
++                      /* timeouts in msec rather usec */
++                      for (i = 0; i != ARRAY_SIZE(new_timeout); i++)
++                              new_timeout[i] *= 1000;
++                      chip->vendor.timeout_adjusted = true;
++              }
+       }
+-      if (timeout)
+-              chip->vendor.timeout_a = usecs_to_jiffies(timeout * scale);
+-      timeout = be32_to_cpu(timeout_cap->b);
+-      if (timeout)
+-              chip->vendor.timeout_b = usecs_to_jiffies(timeout * scale);
+-      timeout = be32_to_cpu(timeout_cap->c);
+-      if (timeout)
+-              chip->vendor.timeout_c = usecs_to_jiffies(timeout * scale);
+-      timeout = be32_to_cpu(timeout_cap->d);
+-      if (timeout)
+-              chip->vendor.timeout_d = usecs_to_jiffies(timeout * scale);
++
++      /* Report adjusted timeouts */
++      if (chip->vendor.timeout_adjusted) {
++              dev_info(chip->dev,
++                       HW_ERR "Adjusting reported timeouts: A %lu->%luus B %lu->%luus C %lu->%luus D %lu->%luus\n",
++                       old_timeout[0], new_timeout[0],
++                       old_timeout[1], new_timeout[1],
++                       old_timeout[2], new_timeout[2],
++                       old_timeout[3], new_timeout[3]);
++      }
++
++      chip->vendor.timeout_a = usecs_to_jiffies(new_timeout[0]);
++      chip->vendor.timeout_b = usecs_to_jiffies(new_timeout[1]);
++      chip->vendor.timeout_c = usecs_to_jiffies(new_timeout[2]);
++      chip->vendor.timeout_d = usecs_to_jiffies(new_timeout[3]);
+ duration:
+       tpm_cmd.header.in = tpm_getcap_header;
+--- a/drivers/char/tpm/tpm_tis.c
++++ b/drivers/char/tpm/tpm_tis.c
+@@ -373,6 +373,36 @@ out_err:
+       return rc;
+ }
++struct tis_vendor_timeout_override {
++      u32 did_vid;
++      unsigned long timeout_us[4];
++};
++
++static const struct tis_vendor_timeout_override vendor_timeout_overrides[] = {
++      /* Atmel 3204 */
++      { 0x32041114, { (TIS_SHORT_TIMEOUT*1000), (TIS_LONG_TIMEOUT*1000),
++                      (TIS_SHORT_TIMEOUT*1000), (TIS_SHORT_TIMEOUT*1000) } },
++};
++
++static bool tpm_tis_update_timeouts(struct tpm_chip *chip,
++                                  unsigned long *timeout_cap)
++{
++      int i;
++      u32 did_vid;
++
++      did_vid = ioread32(chip->vendor.iobase + TPM_DID_VID(0));
++
++      for (i = 0; i != ARRAY_SIZE(vendor_timeout_overrides); i++) {
++              if (vendor_timeout_overrides[i].did_vid != did_vid)
++                      continue;
++              memcpy(timeout_cap, vendor_timeout_overrides[i].timeout_us,
++                     sizeof(vendor_timeout_overrides[i].timeout_us));
++              return true;
++      }
++
++      return false;
++}
++
+ /*
+  * Early probing for iTPM with STS_DATA_EXPECT flaw.
+  * Try sending command without itpm flag set and if that
+@@ -437,6 +467,7 @@ static const struct tpm_class_ops tpm_ti
+       .recv = tpm_tis_recv,
+       .send = tpm_tis_send,
+       .cancel = tpm_tis_ready,
++      .update_timeouts = tpm_tis_update_timeouts,
+       .req_complete_mask = TPM_STS_DATA_AVAIL | TPM_STS_VALID,
+       .req_complete_val = TPM_STS_DATA_AVAIL | TPM_STS_VALID,
+       .req_canceled = tpm_tis_req_canceled,
+--- a/include/linux/tpm.h
++++ b/include/linux/tpm.h
+@@ -39,6 +39,9 @@ struct tpm_class_ops {
+       int (*send) (struct tpm_chip *chip, u8 *buf, size_t len);
+       void (*cancel) (struct tpm_chip *chip);
+       u8 (*status) (struct tpm_chip *chip);
++      bool (*update_timeouts)(struct tpm_chip *chip,
++                              unsigned long *timeout_cap);
++
+ };
+ #if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE)
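Review bot: In the `tpm_get_timeouts()` hunk, `if (!chip->vendor.timeout_adjusted)` reads a flag that this call only assigns when `chip->ops->update_timeouts` is non-NULL, so for a driver without the callback the usec/msec heuristic is keyed off whatever the flag held before; if `tpm_get_timeouts()` can run more than once for a chip (resume paths are not visible here) a stale `true` would skip the ×1000 scaling and leave timeouts a thousand times too short. Resetting it at the top of the function, `chip->vendor.timeout_adjusted = false;` just before the `if (chip->ops->update_timeouts != NULL)` test, makes the result depend only on this call. Separately, the new `update_timeouts` member in `struct tpm_class_ops` takes a bare `unsigned long *timeout_cap` while both sides assume exactly four entries (`new_timeout[4]` in `tpm_get_timeouts()`, `memcpy` of `sizeof(vendor_timeout_overrides[i].timeout_us)` in `tpm_tis_update_timeouts()`); a comment on the member, `/* in/out array of 4 timeouts (A..D) in usec; return true if overridden */`, or declaring the parameter as `unsigned long timeout_cap[4]`, puts that contract where every implementer will see it. `tpm_get_timeouts()` continues past its second hunk.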