From: Greg Kroah-Hartman
Date: Sun, 14 Aug 2016 16:01:06 +0000 (+0200)
Subject: 4.7-stable patches
X-Git-Tag: v3.14.76~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1b1a3408cdc0eb01fb8604759550913a4dc3eb08;p=thirdparty%2Fkernel%2Fstable-queue.git

4.7-stable patches

added patches:
apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch
arm-oabi-compat-add-missing-access-checks.patch
ib-hfi1-disable-by-default.patch
keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
random-strengthen-input-validation-for-rndaddtoentcnt.patch
---
diff --git a/queue-4.7/apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch b/queue-4.7/apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch
new file mode 100644
index 00000000000..80d7f82019b
--- /dev/null
+++ b/queue-4.7/apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch
@@ -0,0 +1,27 @@
+From 0b938a2e2cf0b0a2c8bac9769111545aff0fee97 Mon Sep 17 00:00:00 2001
+From: John Johansen
+Date: Wed, 18 Nov 2015 11:41:05 -0800
+Subject: apparmor: fix ref count leak when profile sha1 hash is read
+
+From: John Johansen
+
+commit 0b938a2e2cf0b0a2c8bac9769111545aff0fee97 upstream.
+
+Signed-off-by: John Johansen
+Acked-by: Seth Arnold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/apparmor/apparmorfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct se
+ seq_printf(seq, "%.2x", profile->hash[i]);
+ seq_puts(seq, "\n");
+ }
++ aa_put_profile(profile);
+
+ return 0;
+ }
diff --git a/queue-4.7/arm-oabi-compat-add-missing-access-checks.patch b/queue-4.7/arm-oabi-compat-add-missing-access-checks.patch
new file mode 100644
index 00000000000..c1912a4a013
--- /dev/null
+++ b/queue-4.7/arm-oabi-compat-add-missing-access-checks.patch
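Review bot: The added `aa_put_profile(profile)` releases the reference only on the path that falls through to `return 0`; the top of aa_fs_seq_hash_show, where the reference is presumably acquired, lies outside the hunk, so whether every earlier return between that acquisition and this point also drops it cannot be confirmed from these lines and should be checked in the backport. A short comment at the put would make the pairing visible to the next reader, e.g. `/* balances the profile reference taken at the top of this function */`. The enclosing function starts outside the hunk.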
@@ -0,0 +1,49 @@
+From 7de249964f5578e67b99699c5f0b405738d820a2 Mon Sep 17 00:00:00 2001
+From: Dave Weinstein
+Date: Thu, 28 Jul 2016 11:55:41 -0700
+Subject: arm: oabi compat: add missing access checks
+
+From: Dave Weinstein
+
+commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream.
+
+Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
+This fixes CVE-2016-3857, a local privilege escalation under
+CONFIG_OABI_COMPAT.
+
+Reported-by: Chiachih Wu
+Reviewed-by: Kees Cook
+Reviewed-by: Nicolas Pitre
+Signed-off-by: Dave Weinstein
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/sys_oabi-compat.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -279,8 +279,12 @@ asmlinkage long sys_oabi_epoll_wait(int
+ mm_segment_t fs;
+ long ret, err, i;
+
+- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
++ if (maxevents <= 0 ||
++ maxevents > (INT_MAX/sizeof(*kbuf)) ||
++ maxevents > (INT_MAX/sizeof(*events)))
+ return -EINVAL;
++ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
++ return -EFAULT;
+ kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
+ if (!kbuf)
+ return -ENOMEM;
+@@ -317,6 +321,8 @@ asmlinkage long sys_oabi_semtimedop(int
+
+ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
++ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
++ return -EFAULT;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
+ return -ENOMEM;
diff --git a/queue-4.7/ib-hfi1-disable-by-default.patch b/queue-4.7/ib-hfi1-disable-by-default.patch
new file mode 100644
index 00000000000..a22fa68c69e
--- /dev/null
+++ b/queue-4.7/ib-hfi1-disable-by-default.patch
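Review bot: The two new `access_ok()` checks carry no comment saying why they are needed here rather than being left to the copy routines, and that reasoning is the whole point of the fix. The `mm_segment_t fs` declaration visible at the top of the first hunk suggests these functions raise the address limit before copying (the bodies continue outside the hunk), in which case the later copies cannot reject a bad user pointer themselves and this up-front range check is the only one the user buffer gets; that should be stated at each check, e.g. `/* Validate the user range here: the copies below run with the address limit raised. */`. The size arguments cannot overflow because maxevents is bounded by `INT_MAX/sizeof(*events)` on the lines just above and nsops by SEMOPM in the second hunk, which is worth noting in the same comment.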
@@ -0,0 +1,36 @@
+From a154a8cd080b437969ef194dee365bbb60a3b38a Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Tue, 19 Jul 2016 10:03:44 -0700
+Subject: IB/hfi1: Disable by default
+
+From: Bart Van Assche
+
+commit a154a8cd080b437969ef194dee365bbb60a3b38a upstream.
+
+There is a strict policy in the Linux kernel that new drivers must be
+disabled by default. Hence leave out the "default m" line from Kconfig.
+
+Fixes: f48ad614c100 ("IB/hfi1: Move driver out of staging")
+Signed-off-by: Bart Van Assche
+Cc: Jubin John
+Cc: Dennis Dalessandro
+Cc: Ira Weiny
+Cc: Mike Marciniszyn
+Acked-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/Kconfig
++++ b/drivers/infiniband/hw/hfi1/Kconfig
+@@ -3,7 +3,6 @@ config INFINIBAND_HFI1
+ depends on X86_64 && INFINIBAND_RDMAVT
+ select MMU_NOTIFIER
+ select CRC32
+- default m
+ ---help---
+ This is a low-level driver for Intel OPA Gen1 adapter.
+ config HFI1_DEBUG_SDMA_ORDER
diff --git a/queue-4.7/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch b/queue-4.7/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
new file mode 100644
index 00000000000..5086ef7d904
--- /dev/null
+++ b/queue-4.7/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
@@ -0,0 +1,50 @@
+From 20f06ed9f61a185c6dabd662c310bed6189470df Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Wed, 27 Jul 2016 11:43:37 +0100
+Subject: KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
+
+From: David Howells
+
+commit 20f06ed9f61a185c6dabd662c310bed6189470df upstream.
+
+MIPS64 needs to use compat_sys_keyctl for 32-bit userspace rather than
+calling sys_keyctl. The latter will work in a lot of cases, thereby hiding
+the issue.
+
+Reported-by: Stephan Mueller
+Signed-off-by: David Howells
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Cc: keyrings@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/13832/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -348,7 +348,7 @@ EXPORT(sysn32_call_table)
+ PTR sys_ni_syscall /* available, was setaltroot */
+ PTR sys_add_key
+ PTR sys_request_key
+- PTR sys_keyctl /* 6245 */
++ PTR compat_sys_keyctl /* 6245 */
+ PTR sys_set_thread_area
+ PTR sys_inotify_init
+ PTR sys_inotify_add_watch
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -504,7 +504,7 @@ EXPORT(sys32_call_table)
+ PTR sys_ni_syscall /* available, was setaltroot */
+ PTR sys_add_key /* 4280 */
+ PTR sys_request_key
+- PTR sys_keyctl
++ PTR compat_sys_keyctl
+ PTR sys_set_thread_area
+ PTR sys_inotify_init
+ PTR sys_inotify_add_watch /* 4285 */
diff --git a/queue-4.7/random-strengthen-input-validation-for-rndaddtoentcnt.patch b/queue-4.7/random-strengthen-input-validation-for-rndaddtoentcnt.patch
new file mode 100644
index 00000000000..acd853f658a
--- /dev/null
+++ b/queue-4.7/random-strengthen-input-validation-for-rndaddtoentcnt.patch
@@ -0,0 +1,107 @@
+From 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Sun, 3 Jul 2016 17:01:26 -0400
+Subject: random: strengthen input validation for RNDADDTOENTCNT
+
+From: Theodore Ts'o
+
+commit 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec upstream.
+
+Don't allow RNDADDTOENTCNT or RNDADDENTROPY to accept a negative
+entropy value. It doesn't make any sense to subtract from the entropy
+counter, and it can trigger a warning:
+
+random: negative entropy/overflow: pool input count -40000
+------------[ cut here ]------------
+WARNING: CPU: 3 PID: 6828 at drivers/char/random.c:670[< none
+ >] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
+Modules linked in:
+CPU: 3 PID: 6828 Comm: a.out Not tainted 4.7.0-rc4+ #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ ffffffff880b58e0 ffff88005dd9fcb0 ffffffff82cc838f ffffffff87158b40
+ fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff87158b40
+ ffffffff83283dae 0000000000000009 ffff88005dd9fcf8 ffffffff8136d27f
+Call Trace:
+ [< inline >] __dump_stack lib/dump_stack.c:15
+ [] dump_stack+0x12e/0x18f lib/dump_stack.c:51
+ [] __warn+0x19f/0x1e0 kernel/panic.c:516
+ [] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551
+ [] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
+ [< inline >] credit_entropy_bits_safe drivers/char/random.c:734
+ [] random_ioctl+0x21d/0x250 drivers/char/random.c:1546
+ [< inline >] vfs_ioctl fs/ioctl.c:43
+ [] do_vfs_ioctl+0x18c/0xff0 fs/ioctl.c:674
+ [< inline >] SYSC_ioctl fs/ioctl.c:689
+ [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
+ [] entry_SYSCALL_64_fastpath+0x23/0xc1
+arch/x86/entry/entry_64.S:207
+---[ end trace 5d4902b2ba842f1f ]---
+
+This was triggered using the test program:
+
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+int main() {
+ int fd = open("/dev/random", O_RDWR);
+ int val = -5000;
+ ioctl(fd, RNDADDTOENTCNT, &val);
+ return 0;
+}
+
+It's harmless in that (a) only root can trigger it, and (b) after
+complaining the code never does let the entropy count go negative, but
+it's better to simply not allow this userspace from passing in a
+negative entropy value altogether.
+
+Google-Bug-Id: #29575089
+Reported-By: Dmitry Vyukov
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/random.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -723,15 +723,18 @@ retry:
+ }
+ }
+
+-static void credit_entropy_bits_safe(struct entropy_store *r, int nbits)
++static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
+ {
+ const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1));
+
++ if (nbits < 0)
++ return -EINVAL;
++
+ /* Cap the value to avoid overflows */
+ nbits = min(nbits, nbits_max);
+- nbits = max(nbits, -nbits_max);
+
+ credit_entropy_bits(r, nbits);
++ return 0;
+ }
+
+ /*********************************************************************
+@@ -1543,8 +1546,7 @@ static long random_ioctl(struct file *f,
+ return -EPERM;
+ if (get_user(ent_count, p))
+ return -EFAULT;
+- credit_entropy_bits_safe(&input_pool, ent_count);
+- return 0;
++ return credit_entropy_bits_safe(&input_pool, ent_count);
+ case RNDADDENTROPY:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+@@ -1558,8 +1560,7 @@ static long random_ioctl(struct file *f,
+ size);
+ if (retval < 0)
+ return retval;
+- credit_entropy_bits_safe(&input_pool, ent_count);
+- return 0;
++ return credit_entropy_bits_safe(&input_pool, ent_count);
+ case RNDZAPENTCNT:
+ case RNDCLEARPOOL:
+ /*
diff --git a/queue-4.7/series b/queue-4.7/series
index ed560777b35..c3c4fcd7339 100644
--- a/queue-4.7/series
+++ b/queue-4.7/series
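Review bot: In the RNDADDENTROPY case (the inner hunk at -1558), the negative `ent_count` is rejected only by `credit_entropy_bits_safe` after the call that ends at `size);` and sets `retval` has already run, so the ioctl presumably modifies the pool and then returns -EINVAL for input it never should have accepted; the validation belongs immediately after `ent_count` is read, i.e. `if (ent_count < 0) return -EINVAL;` next to that case's `get_user`, which is above the hunk. The RNDADDTOENTCNT case is fine as changed since nothing happens between its `get_user` and the credit call. Separately, `credit_entropy_bits_safe` still silently clamps oversized values via `min(nbits, nbits_max)` rather than reporting them; that is pre-existing, but the comment above it could say so, e.g. `/* Values above nbits_max are clamped, not rejected: the cap only guards the counter arithmetic. */`. The enclosing random_ioctl switch starts outside the hunk.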
@@ -11,3 +11,8 @@ net-sctp-terminate-rhashtable-walk-correctly.patch
 qed-fix-setting-clearing-bit-in-completion-bitmap.patch
 macsec-ensure-rx_sa-is-set-when-validation-is-disabled.patch
 tcp-consider-recv-buf-for-the-initial-window-scale.patch
+arm-oabi-compat-add-missing-access-checks.patch
+keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
+ib-hfi1-disable-by-default.patch
+apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch
+random-strengthen-input-validation-for-rndaddtoentcnt.patch