From: Greg Kroah-Hartman Date: Sun, 2 Aug 2020 06:51:26 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.7.13~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=49c3b7add478485e0702ee7d81d4ff3c3f284f51;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch --- diff --git a/queue-4.19/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch b/queue-4.19/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch new file mode 100644 index 00000000000..b2e79401e29 --- /dev/null +++ b/queue-4.19/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch 
@@ -0,0 +1,47 @@ +From bbc8a99e952226c585ac17477a85ef1194501762 Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Thu, 30 Jul 2020 15:20:26 -0400 +Subject: rds: Prevent kernel-infoleak in rds_notify_queue_get() + +From: Peilin Ye + +commit bbc8a99e952226c585ac17477a85ef1194501762 upstream. + +rds_notify_queue_get() is potentially copying uninitialized kernel stack +memory to userspace since the compiler may leave a 4-byte hole at the end +of `cmsg`. + +In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which +unfortunately does not always initialize that 4-byte hole. Fix it by using +memset() instead. + +Cc: stable@vger.kernel.org +Fixes: f037590fff30 ("rds: fix a leak of kernel memory") +Fixes: bdbe6fbc6a2f ("RDS: recv.c") +Suggested-by: Dan Carpenter +Signed-off-by: Peilin Ye +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/rds/recv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -455,12 +455,13 @@ static int rds_still_queued(struct rds_s + int rds_notify_queue_get(struct rds_sock *rs, struct msghdr *msghdr) + { + struct rds_notifier *notifier; +- struct rds_rdma_notify cmsg = { 0 }; /* fill holes with zero */ ++ struct rds_rdma_notify cmsg; + unsigned int count = 0, max_messages = ~0U; + unsigned long flags; + LIST_HEAD(copy); + int err = 0; + ++ memset(&cmsg, 0, sizeof(cmsg)); /* fill holes with zero */ + + /* put_cmsg copies to user space and thus may sleep. We can't do this + * with rs_lock held, so first grab as many notifications as we can stuff diff --git a/queue-4.19/series b/queue-4.19/series index 28b4f8ff6e0..799c50bf98d 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -20,3 +20,4 @@ drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch drm-hold-gem-reference-until-object-is-no-longer-accessed.patch random-fix-circular-include-dependency-on-arm64-after-addition-of-percpu.h.patch random32-remove-net_rand_state-from-the-latent-entropy-gcc-plugin.patch +rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch
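Review bot: in the rds_notify_queue_get() hunk, the comment carried over onto the new memset() line, `/* fill holes with zero */`, should say why the zeroing is needed, so that a later cleanup does not convert it back into `struct rds_rdma_notify cmsg = { 0 };` and silently reintroduce the leak. A brace initializer is only guaranteed to zero the named members; the padding bytes in the 4-byte trailing hole the commit message describes are left indeterminate, and that padding is what put_cmsg() later copies to user space (see the existing comment "put_cmsg copies to user space" directly below). Suggest something like `memset(&cmsg, 0, sizeof(cmsg)); /* copied to userspace by put_cmsg(); zero padding too */`. Using `sizeof(cmsg)` rather than the type name is the right choice here, since it cannot drift if the variable's type changes. The series hunk simply appends the new patch name and needs no change.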