From: Greg Kroah-Hartman
Date: Tue, 18 Jan 2022 08:54:30 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v5.16.2~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=133ce21239bd81ae1693003dab6d97f79a6f9a66;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch
firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch
---

diff --git a/queue-5.4/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch b/queue-5.4/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
new file mode 100644
index 00000000000..8f1aa46d2d0
--- /dev/null
+++ b/queue-5.4/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
@@ -0,0 +1,67 @@
+From 47a1db8e797da01a1309bf42e0c0d771d4e4d4f3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 1 Dec 2021 14:25:26 +0100
+Subject: firmware: qemu_fw_cfg: fix kobject leak in probe error path
+
+From: Johan Hovold
+
+commit 47a1db8e797da01a1309bf42e0c0d771d4e4d4f3 upstream.
+
+An initialised kobject must be freed using kobject_put() to avoid
+leaking associated resources (e.g. the object name).
+
+Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
+the leak in the first error path of the file registration helper but
+left the second one unchanged. This "fix" would however result in a NULL
+pointer dereference due to the release function also removing the never
+added entry from the fw_cfg_entry_cache list. This has now been
+addressed.
+
+Fix the remaining kobject leak by restoring the common error path and
+adding the missing kobject_put().
+
+Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
+Cc: stable@vger.kernel.org # 4.6
+Cc: Gabriel Somlo
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211201132528.30025-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/qemu_fw_cfg.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -600,15 +600,13 @@ static int fw_cfg_register_file(const st
+ /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+ err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
+ fw_cfg_sel_ko, "%d", entry->select);
+- if (err) {
+- kobject_put(&entry->kobj);
+- return err;
+- }
++ if (err)
++ goto err_put_entry;
+
+ /* add raw binary content access */
+ err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw);
+ if (err)
+- goto err_add_raw;
++ goto err_del_entry;
+
+ /* try adding "/sys/firmware/qemu_fw_cfg/by_name/" symlink */
+ fw_cfg_build_symlink(fw_cfg_fname_kset, &entry->kobj, entry->name);
+@@ -617,9 +615,10 @@ static int fw_cfg_register_file(const st
+ fw_cfg_sysfs_cache_enlist(entry);
+ return 0;
+
+-err_add_raw:
++err_del_entry:
+ kobject_del(&entry->kobj);
+- kfree(entry);
++err_put_entry:
++ kobject_put(&entry->kobj);
+ return err;
+ }
+
diff --git a/queue-5.4/firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch b/queue-5.4/firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch
new file mode 100644
index 00000000000..773f533a4b2
--- /dev/null
+++ b/queue-5.4/firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch
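Review bot: The new `err_put_entry` path is only safe because `fw_cfg_sysfs_release_entry()` no longer calls `fw_cfg_sysfs_cache_delist()` on an entry that was never enlisted, and that change lives in the separate null-pointer-deref patch; this patch therefore has a hard ordering dependency on it (the series file does list it last), which nothing in the hunk records. A reader of the error path also cannot tell from `kobject_put(&entry->kobj);` that the release callback frees `entry` and that it must not be touched afterwards. I would add `/* drops the init reference; release() frees entry, do not touch it after this */` above the `kobject_put()` at `err_put_entry:`. fw_cfg_register_file() starts before the first inner hunk, so the allocation of `entry` and how earlier failures dispose of it are not visible here.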
@@ -0,0 +1,60 @@
+From d3e305592d69e21e36b76d24ca3c01971a2d09be Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 1 Dec 2021 14:25:25 +0100
+Subject: firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
+
+From: Johan Hovold
+
+commit d3e305592d69e21e36b76d24ca3c01971a2d09be upstream.
+
+Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
+a kobject leak in the file registration helper by properly calling
+kobject_put() for the entry in case registration of the object fails
+(e.g. due to a name collision).
+
+This would however result in a NULL pointer dereference when the
+release function tries to remove the never added entry from the
+fw_cfg_entry_cache list.
+
+Fix this by moving the list-removal out of the release function.
+
+Note that the offending commit was one of the benign looking umn.edu
+fixes which was reviewed but not reverted. [1][2]
+
+[1] https://lore.kernel.org/r/202105051005.49BFABCE@keescook
+[2] https://lore.kernel.org/all/YIg7ZOZvS3a8LjSv@kroah.com
+
+Fixes: fe3c60684377 ("firmware: Fix a reference count leak.")
+Cc: stable@vger.kernel.org # 5.8
+Cc: Qiushi Wu
+Cc: Kees Cook
+Cc: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211201132528.30025-2-johan@kernel.org
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/qemu_fw_cfg.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -385,9 +385,7 @@ static void fw_cfg_sysfs_cache_cleanup(v
+ struct fw_cfg_sysfs_entry *entry, *next;
+
+ list_for_each_entry_safe(entry, next, &fw_cfg_entry_cache, list) {
+- /* will end up invoking fw_cfg_sysfs_cache_delist()
+- * via each object's release() method (i.e. destructor)
+- */
++ fw_cfg_sysfs_cache_delist(entry);
+ kobject_put(&entry->kobj);
+ }
+ }
+@@ -445,7 +443,6 @@ static void fw_cfg_sysfs_release_entry(s
+ {
+ struct fw_cfg_sysfs_entry *entry = to_entry(kobj);
+
+- fw_cfg_sysfs_cache_delist(entry);
+ kfree(entry);
+ }
+
diff --git a/queue-5.4/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch b/queue-5.4/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch
new file mode 100644
index 00000000000..1e055c6eeb6
--- /dev/null
+++ b/queue-5.4/firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch
@@ -0,0 +1,35 @@
+From 1b656e9aad7f4886ed466094d1dc5ee4dd900d20 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 1 Dec 2021 14:25:27 +0100
+Subject: firmware: qemu_fw_cfg: fix sysfs information leak
+
+From: Johan Hovold
+
+commit 1b656e9aad7f4886ed466094d1dc5ee4dd900d20 upstream.
+
+Make sure to always NUL-terminate file names retrieved from the firmware
+to avoid accessing data beyond the entry slab buffer and exposing it
+through sysfs in case the firmware data is corrupt.
+
+Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
+Cc: stable@vger.kernel.org # 4.6
+Cc: Gabriel Somlo
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211201132528.30025-4-johan@kernel.org
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/qemu_fw_cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -598,7 +598,7 @@ static int fw_cfg_register_file(const st
+ /* set file entry information */
+ entry->size = be32_to_cpu(f->size);
+ entry->select = be16_to_cpu(f->select);
+- memcpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH);
++ strscpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH);
+
+ /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+ err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
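Review bot: With list removal taken out of the release callback, the invariant that a cached entry is delisted before its last reference is dropped now rests on every caller, and the new `fw_cfg_sysfs_cache_delist(entry);` in the cleanup loop is the only place in the hunk that honours it; nothing in the code states the rule. Any future `kobject_put()` on an already-enlisted entry without a preceding delist (none is visible in this hunk) would leave a freed entry on `fw_cfg_entry_cache` and turn the fixed NULL dereference into a use-after-free at the next cleanup. I would record the contract in `fw_cfg_sysfs_release_entry()`: `/* Callers unlink the entry from fw_cfg_entry_cache before dropping the last reference; release() only frees. */`. Both `fw_cfg_sysfs_cache_cleanup()` and `fw_cfg_sysfs_release_entry()` begin outside their inner hunks, which only show them via the `@@` function context.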
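Review bot: The `-E2BIG` result of `strscpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH);` is discarded, so a firmware-supplied name that is not NUL-terminated within FW_CFG_MAX_FILE_PATH bytes is silently truncated rather than rejected or even logged; the commit message treats such a name as a sign of corrupt firmware data, and a quietly truncated name could also collide with another entry's by_name symlink. An early return here would presumably leak `entry`, which appears to be allocated before the hunk, so the minimal change is to keep the return value and warn, e.g. `if (strscpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH) < 0)` followed by `pr_warn("fw_cfg: file name for key %u truncated\n", entry->select);`. This also relies on `f->name` being at least FW_CFG_MAX_FILE_PATH bytes, since `strscpy` may read that many source bytes; the struct definition is not visible in the hunk and should be confirmed.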
diff --git a/queue-5.4/series b/queue-5.4/series
index ed42b8be1b4..b283c8df1db 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -6,3 +6,6 @@ perf-protect-perf_guest_cbs-with-rcu.patch
 kvm-s390-clarify-sigp-orders-versus-stop-restart.patch
 media-uvcvideo-fix-division-by-zero-at-stream-start.patch
 rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch
+firmware-qemu_fw_cfg-fix-sysfs-information-leak.patch
+firmware-qemu_fw_cfg-fix-null-pointer-deref-on-duplicate-entries.patch
+firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch