4.19-stable patches

added patches:
	drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
	net-fix-out-of-bounds-access-in-ops_init.patch

diff --git a/queue-4.19/drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch b/queue-4.19/drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
new file mode 100644 (file)
index 0000000..6ba6303
--- /dev/null
+++ b/queue-4.19/drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
@@ -0,0 +1,46 @@
+From a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c Mon Sep 17 00:00:00 2001
+From: Zack Rusin <zack.rusin@broadcom.com>
+Date: Thu, 25 Apr 2024 15:27:48 -0400
+Subject: drm/vmwgfx: Fix invalid reads in fence signaled events
+
+From: Zack Rusin <zack.rusin@broadcom.com>
+
+commit a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c upstream.
+
+Correctly set the length of the drm_event to the size of the structure
+that's actually used.
+
+The length of the drm_event was set to the parent structure instead of
+to the drm_vmw_event_fence which is supposed to be read. drm_read
+uses the length parameter to copy the event to the user space thus
+resuling in oob reads.
+
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Fixes: 8b7de6aa8468 ("vmwgfx: Rework fence event action")
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23566
+Cc: David Airlie <airlied@gmail.com>
+CC: Daniel Vetter <daniel@ffwll.ch>
+Cc: Zack Rusin <zack.rusin@broadcom.com>
+Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: linux-kernel@vger.kernel.org
+Cc: <stable@vger.kernel.org> # v3.4+
+Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
+Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240425192748.1761522-1-zack.rusin@broadcom.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_fence.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
+@@ -1064,7 +1064,7 @@ static int vmw_event_fence_action_create
+       }
+ 
+       event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED;
+-      event->event.base.length = sizeof(*event);
++      event->event.base.length = sizeof(event->event);
+       event->event.user_data = user_data;
+ 
+       ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base);

diff --git a/queue-4.19/net-fix-out-of-bounds-access-in-ops_init.patch b/queue-4.19/net-fix-out-of-bounds-access-in-ops_init.patch
new file mode 100644 (file)
index 0000000..5415300
--- /dev/null
+++ b/queue-4.19/net-fix-out-of-bounds-access-in-ops_init.patch
@@ -0,0 +1,66 @@
+From a26ff37e624d12e28077e5b24d2b264f62764ad6 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Thu, 2 May 2024 10:20:06 -0300
+Subject: net: fix out-of-bounds access in ops_init
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit a26ff37e624d12e28077e5b24d2b264f62764ad6 upstream.
+
+net_alloc_generic is called by net_alloc, which is called without any
+locking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It
+is read twice, first to allocate an array, then to set s.len, which is
+later used to limit the bounds of the array access.
+
+It is possible that the array is allocated and another thread is
+registering a new pernet ops, increments max_gen_ptrs, which is then used
+to set s.len with a larger than allocated length for the variable array.
+
+Fix it by reading max_gen_ptrs only once in net_alloc_generic. If
+max_gen_ptrs is later incremented, it will be caught in net_assign_generic.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Fixes: 073862ba5d24 ("netns: fix net_alloc_generic()")
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240502132006.3430840-1-cascardo@igalia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/net_namespace.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -63,12 +63,15 @@ static unsigned int max_gen_ptrs = INITI
+ 
+ static struct net_generic *net_alloc_generic(void)
+ {
++      unsigned int gen_ptrs = READ_ONCE(max_gen_ptrs);
++      unsigned int generic_size;
+       struct net_generic *ng;
+-      unsigned int generic_size = offsetof(struct net_generic, ptr[max_gen_ptrs]);
++
++      generic_size = offsetof(struct net_generic, ptr[gen_ptrs]);
+ 
+       ng = kzalloc(generic_size, GFP_KERNEL);
+       if (ng)
+-              ng->s.len = max_gen_ptrs;
++              ng->s.len = gen_ptrs;
+ 
+       return ng;
+ }
+@@ -1032,7 +1035,11 @@ static int register_pernet_operations(st
+               if (error < 0)
+                       return error;
+               *ops->id = error;
+-              max_gen_ptrs = max(max_gen_ptrs, *ops->id + 1);
++              /* This does not require READ_ONCE as writers already hold
++               * pernet_ops_rwsem. But WRITE_ONCE is needed to protect
++               * net_alloc_generic.
++               */
++              WRITE_ONCE(max_gen_ptrs, max(max_gen_ptrs, *ops->id + 1));
+       }
+       error = __register_pernet_operations(list, ops);
+       if (error) {

diff --git a/queue-4.19/series b/queue-4.19/series
index 1db6f2574d0298d07c6b5928372172341b007f21..f2a271384235b76cdceb63bbeff5932e079bb49d 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -58,3 +58,5 @@ usb-gadget-composite-fix-os-descriptors-w_value-logic.patch
 usb-gadget-f_fs-fix-a-race-condition-when-processing-setup-packets.patch
 tipc-fix-uaf-in-error-path.patch
 dyndbg-fix-old-bug_on-in-control-parser.patch
+drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
+net-fix-out-of-bounds-access-in-ops_init.patch