4.14-stable patches

added patches:
	smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
	smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch

diff --git a/queue-4.14/series b/queue-4.14/series
index 0a044b7be597ebb0b500455296a957a2a1e16f1f..fb6b418c6a218eb8857834a2030dc1a490c626bc 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -62,3 +62,5 @@ xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch
 tipc-fix-unlimited-bundling-of-small-messages.patch
 sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch
 ipv6-handle-missing-host-route-in-__ipv6_ifa_notify.patch
+smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
+smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch

diff --git a/queue-4.14/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch b/queue-4.14/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
new file mode 100644 (file)
index 0000000..a32a156
--- /dev/null
+++ b/queue-4.14/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
@@ -0,0 +1,50 @@
+From 3675f052b43ba51b99b85b073c7070e083f3e6fb Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Thu, 4 Jul 2019 20:44:44 +0200
+Subject: Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
+
+From: Jann Horn <jannh@google.com>
+
+commit 3675f052b43ba51b99b85b073c7070e083f3e6fb upstream.
+
+There is a logic bug in the current smack_bprm_set_creds():
+If LSM_UNSAFE_PTRACE is set, but the ptrace state is deemed to be
+acceptable (e.g. because the ptracer detached in the meantime), the other
+->unsafe flags aren't checked. As far as I can tell, this means that
+something like the following could work (but I haven't tested it):
+
+ - task A: create task B with fork()
+ - task B: set NO_NEW_PRIVS
+ - task B: install a seccomp filter that makes open() return 0 under some
+   conditions
+ - task B: replace fd 0 with a malicious library
+ - task A: attach to task B with PTRACE_ATTACH
+ - task B: execve() a file with an SMACK64EXEC extended attribute
+ - task A: while task B is still in the middle of execve(), exit (which
+   destroys the ptrace relationship)
+
+Make sure that if any flags other than LSM_UNSAFE_PTRACE are set in
+bprm->unsafe, we reject the execve().
+
+Cc: stable@vger.kernel.org
+Fixes: 5663884caab1 ("Smack: unify all ptrace accesses in the smack")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/smack/smack_lsm.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -944,7 +944,8 @@ static int smack_bprm_set_creds(struct l
+ 
+               if (rc != 0)
+                       return rc;
+-      } else if (bprm->unsafe)
++      }
++      if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)
+               return -EPERM;
+ 
+       bsp->smk_task = isp->smk_task;

diff --git a/queue-4.14/smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch b/queue-4.14/smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
new file mode 100644 (file)
index 0000000..4b99d91
--- /dev/null
+++ b/queue-4.14/smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
@@ -0,0 +1,66 @@
+From e5bfad3d7acc5702f32aafeb388362994f4d7bd0 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 21 Aug 2019 22:54:41 -0700
+Subject: smack: use GFP_NOFS while holding inode_smack::smk_lock
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit e5bfad3d7acc5702f32aafeb388362994f4d7bd0 upstream.
+
+inode_smack::smk_lock is taken during smack_d_instantiate(), which is
+called during a filesystem transaction when creating a file on ext4.
+Therefore to avoid a deadlock, all code that takes this lock must use
+GFP_NOFS, to prevent memory reclaim from waiting for the filesystem
+transaction to complete.
+
+Reported-by: syzbot+0eefc1e06a77d327a056@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/smack/smack_access.c |    6 +++---
+ security/smack/smack_lsm.c    |    2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -469,7 +469,7 @@ char *smk_parse_smack(const char *string
+       if (i == 0 || i >= SMK_LONGLABEL)
+               return ERR_PTR(-EINVAL);
+ 
+-      smack = kzalloc(i + 1, GFP_KERNEL);
++      smack = kzalloc(i + 1, GFP_NOFS);
+       if (smack == NULL)
+               return ERR_PTR(-ENOMEM);
+ 
+@@ -504,7 +504,7 @@ int smk_netlbl_mls(int level, char *cats
+                       if ((m & *cp) == 0)
+                               continue;
+                       rc = netlbl_catmap_setbit(&sap->attr.mls.cat,
+-                                                cat, GFP_KERNEL);
++                                                cat, GFP_NOFS);
+                       if (rc < 0) {
+                               netlbl_catmap_free(sap->attr.mls.cat);
+                               return rc;
+@@ -540,7 +540,7 @@ struct smack_known *smk_import_entry(con
+       if (skp != NULL)
+               goto freeout;
+ 
+-      skp = kzalloc(sizeof(*skp), GFP_KERNEL);
++      skp = kzalloc(sizeof(*skp), GFP_NOFS);
+       if (skp == NULL) {
+               skp = ERR_PTR(-ENOMEM);
+               goto freeout;
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -269,7 +269,7 @@ static struct smack_known *smk_fetch(con
+       if (!(ip->i_opflags & IOP_XATTR))
+               return ERR_PTR(-EOPNOTSUPP);
+ 
+-      buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL);
++      buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS);
+       if (buffer == NULL)
+               return ERR_PTR(-ENOMEM);
+