5.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Dec 2020 13:07:28 +0000 (14:07 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Dec 2020 13:07:28 +0000 (14:07 +0100)
added patches:
lib-syscall-fix-syscall-registers-retrieval-on-32-bit-platforms.patch

queue-5.9/lib-syscall-fix-syscall-registers-retrieval-on-32-bit-platforms.patch [new file with mode: 0644]
queue-5.9/series

diff --git a/queue-5.9/lib-syscall-fix-syscall-registers-retrieval-on-32-bit-platforms.patch b/queue-5.9/lib-syscall-fix-syscall-registers-retrieval-on-32-bit-platforms.patch
new file mode 100644 (file)
index 0000000..23ca78f
--- /dev/null
@@ -0,0 +1,62 @@
+From 4f134b89a24b965991e7c345b9a4591821f7c2a6 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Mon, 30 Nov 2020 08:36:48 +0100
+Subject: lib/syscall: fix syscall registers retrieval on 32-bit platforms
+
+From: Willy Tarreau <w@1wt.eu>
+
+commit 4f134b89a24b965991e7c345b9a4591821f7c2a6 upstream.
+
+Lilith >_> and Claudio Bozzato of Cisco Talos security team reported
+that collect_syscall() improperly casts the syscall registers to 64-bit
+values leaking the uninitialized last 24 bytes on 32-bit platforms, that
+are visible in /proc/self/syscall.
+
+The cause is that info->data.args are u64 while syscall_get_arguments()
+uses longs, as hinted by the bogus pointer cast in the function.
+
+Let's just proceed like the other call places, by retrieving the
+registers into an array of longs before assigning them to the caller's
+array.  This was successfully tested on x86_64, i386 and ppc32.
+
+Reference: CVE-2020-28588, TALOS-2020-1211
+Fixes: 631b7abacd02 ("ptrace: Remove maxargs from task_current_syscall()")
+Cc: Greg KH <greg@kroah.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Tested-by: Michael Ellerman <mpe@ellerman.id.au> (ppc32)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/syscall.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/lib/syscall.c
++++ b/lib/syscall.c
+@@ -7,6 +7,7 @@
+ static int collect_syscall(struct task_struct *target, struct syscall_info *info)
+ {
++      unsigned long args[6] = { };
+       struct pt_regs *regs;
+       if (!try_get_task_stack(target)) {
+@@ -27,8 +28,14 @@ static int collect_syscall(struct task_s
+       info->data.nr = syscall_get_nr(target, regs);
+       if (info->data.nr != -1L)
+-              syscall_get_arguments(target, regs,
+-                                    (unsigned long *)&info->data.args[0]);
++              syscall_get_arguments(target, regs, args);
++
++      info->data.args[0] = args[0];
++      info->data.args[1] = args[1];
++      info->data.args[2] = args[2];
++      info->data.args[3] = args[3];
++      info->data.args[4] = args[4];
++      info->data.args[5] = args[5];
+       put_task_stack(target);
+       return 0;
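Review bot: The reason for the intermediate `args[]` array is not stated in the code, so a later cleanup could reintroduce the cast at `(unsigned long *)&info->data.args[0]` that this patch removes; a one-line comment above `unsigned long args[6] = { };` would pin it, e.g. `/* syscall_get_arguments() fills unsigned longs; copy element-wise so every u64 slot of info->data.args is fully written on 32-bit. */`. The zero initializer is also what keeps the copy well-defined when `info->data.nr == -1L` and `syscall_get_arguments()` is skipped, which is worth saying in the same comment. The six hand-written assignments could be a loop over `ARRAY_SIZE(args)` guarded by `BUILD_BUG_ON(ARRAY_SIZE(args) != ARRAY_SIZE(info->data.args));`, which ties the two sizes together instead of repeating the constant 6. collect_syscall()'s body between the two hunks and its closing brace are outside the visible lines.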
index db3b484fd8334b327de9f553ab1d00feb71898ee..ff34f7386b7e5fc27b0cd0e26bd1f0a7eefaa2ac 100644 (file)
@@ -56,3 +56,4 @@ hugetlb_cgroup-fix-offline-of-hugetlb-cgroup-with-reservations.patch
 revert-amd-amdgpu-disable-vcn-dpg-mode-for-picasso.patch
 iommu-amd-set-dte-to-represent-512-irtes.patch
 mm-memcg-slab-fix-obj_cgroup_charge-return-value-handling.patch
+lib-syscall-fix-syscall-registers-retrieval-on-32-bit-platforms.patch