From: Greg Kroah-Hartman
Date: Sat, 2 Jun 2018 12:45:22 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.106~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=515b107cee517162f0356a399d11a406a6137fa1;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches
added patches:
input-elan_i2c_smbus-fix-corrupted-stack.patch
revert-ima-limit-file-hash-setting-by-user-to-fix-and-log-modes.patch
selinux-kasan-slab-out-of-bounds-in-xattr_getsecurity.patch
tracing-fix-crash-when-freeing-instances-with-event-triggers.patch
---
diff --git a/queue-4.9/input-elan_i2c_smbus-fix-corrupted-stack.patch b/queue-4.9/input-elan_i2c_smbus-fix-corrupted-stack.patch
new file mode 100644
index 00000000000..024d58afb5a
--- /dev/null
+++ b/queue-4.9/input-elan_i2c_smbus-fix-corrupted-stack.patch
@@ -0,0 +1,130 @@
+From 40f7090bb1b4ec327ea1e1402ff5783af5b35195 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires
+Date: Tue, 22 May 2018 17:19:57 -0700
+Subject: Input: elan_i2c_smbus - fix corrupted stack
+
+From: Benjamin Tissoires
+
+commit 40f7090bb1b4ec327ea1e1402ff5783af5b35195 upstream.
+
+New ICs (like the one on the Lenovo T480s) answer to
+ETP_SMBUS_IAP_VERSION_CMD 4 bytes instead of 3. This corrupts the stack
+as i2c_smbus_read_block_data() uses the values returned by the i2c
+device to know how many data it need to return.
+
+i2c_smbus_read_block_data() can read up to 32 bytes (I2C_SMBUS_BLOCK_MAX)
+and there is no safeguard on how many bytes are provided in the return
+value. Ensure we always have enough space for any future firmware.
+Also 0-initialize the values to prevent any access to uninitialized memory.
+
+Cc: # v4.4.x, v4.9.x, v4.14.x, v4.15.x, v4.16.x
+Signed-off-by: Benjamin Tissoires
+Acked-by: KT Liao
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/elan_i2c_smbus.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/input/mouse/elan_i2c_smbus.c
++++ b/drivers/input/mouse/elan_i2c_smbus.c
+@@ -130,7 +130,7 @@ static int elan_smbus_get_baseline_data(
+ bool max_baseline, u8 *value)
+ {
+ int error;
+- u8 val[3];
++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
+
+ error = i2c_smbus_read_block_data(client,
+ max_baseline ?
+@@ -149,7 +149,7 @@ static int elan_smbus_get_version(struct
+ bool iap, u8 *version)
+ {
+ int error;
+- u8 val[3];
++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
+
+ error = i2c_smbus_read_block_data(client,
+ iap ? ETP_SMBUS_IAP_VERSION_CMD :
+@@ -169,7 +169,7 @@ static int elan_smbus_get_sm_version(str
+ u8 *ic_type, u8 *version)
+ {
+ int error;
+- u8 val[3];
++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
+
+ error = i2c_smbus_read_block_data(client,
+ ETP_SMBUS_SM_VERSION_CMD, val);
+@@ -186,7 +186,7 @@ static int elan_smbus_get_sm_version(str
+ static int elan_smbus_get_product_id(struct i2c_client *client, u16 *id)
+ {
+ int error;
+- u8 val[3];
++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
+
+ error = i2c_smbus_read_block_data(client,
+ ETP_SMBUS_UNIQUEID_CMD, val);
+@@ -203,7 +203,7 @@ static int elan_smbus_get_checksum(struc
+ bool iap, u16 *csum)
+ {
+ int error;
+- u8 val[3];
++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
+
+ error = i2c_smbus_read_block_data(client,
+ iap ? ETP_SMBUS_FW_CHECKSUM_CMD :
+@@ -224,7 +224,7 @@ static int elan_smbus_get_max(struct i2c
+ {
+ int ret;
+ int error;
+- u8 val[3];
++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
+
+ ret = i2c_smbus_read_block_data(client, ETP_SMBUS_RANGE_CMD, val);
+ if (ret != 3) {
+@@ -244,7 +244,7 @@ static int elan_smbus_get_resolution(str
+ {
+ int ret;
+ int error;
+- u8 val[3];
++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
+
+ ret = i2c_smbus_read_block_data(client, ETP_SMBUS_RESOLUTION_CMD, val);
+ if (ret != 3) {
+@@ -265,7 +265,7 @@ static int elan_smbus_get_num_traces(str
+ {
+ int ret;
+ int error;
+- u8 val[3];
++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
+
+ ret = i2c_smbus_read_block_data(client, ETP_SMBUS_XY_TRACENUM_CMD, val);
+ if (ret != 3) {
+@@ -292,7 +292,7 @@ static int elan_smbus_iap_get_mode(struc
+ {
+ int error;
+ u16 constant;
+- u8 val[3];
++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
+
+ error = i2c_smbus_read_block_data(client, ETP_SMBUS_IAP_CTRL_CMD, val);
+ if (error < 0) {
+@@ -343,7 +343,7 @@ static int elan_smbus_prepare_fw_update(
+ int len;
+ int error;
+ enum tp_mode mode;
+- u8 val[3];
++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
+ u8 cmd[4] = {0x0F, 0x78, 0x00, 0x06};
+ u16 password;
+
+@@ -417,7 +417,7 @@ static int elan_smbus_write_fw_block(str
+ struct device *dev = &client->dev;
+ int error;
+ u16 result;
+- u8 val[3];
++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};
+
+ /*
+ * Due to the limitation of smbus protocol limiting
diff --git a/queue-4.9/revert-ima-limit-file-hash-setting-by-user-to-fix-and-log-modes.patch b/queue-4.9/revert-ima-limit-file-hash-setting-by-user-to-fix-and-log-modes.patch
new file mode 100644
index 00000000000..4ebe1672e2f
--- /dev/null
+++ b/queue-4.9/revert-ima-limit-file-hash-setting-by-user-to-fix-and-log-modes.patch
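Review bot: The `ret != 3` tests left in place after the enlarged buffers in elan_smbus_get_max, elan_smbus_get_resolution and elan_smbus_get_num_traces (hunks at 224, 244 and 265) still treat any reply that is not exactly three bytes as an error, so a longer block now fails that check instead of overrunning `val`; that is a sound fail-closed outcome, but nothing at the declarations says why the array is sized to I2C_SMBUS_BLOCK_MAX. Suggest a comment on the first `++ u8 val[I2C_SMBUS_BLOCK_MAX] = {0};` line, e.g. `/* the device picks the block length i2c_smbus_read_block_data() writes; size for the protocol maximum and zero-fill so a short reply reads as 0, never as stale stack */`. For elan_smbus_get_version, elan_smbus_get_sm_version, elan_smbus_get_product_id and elan_smbus_get_checksum the length handling is outside the hunk, so whether they read bytes beyond the count actually returned cannot be seen here; with the zero-fill such a read now yields 0 rather than uninitialised memory. Every function body in this patch continues outside its hunk.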
@@ -0,0 +1,52 @@
+From f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b Mon Sep 17 00:00:00 2001
+From: Mimi Zohar
+Date: Wed, 2 Nov 2016 09:14:16 -0400
+Subject: Revert "ima: limit file hash setting by user to fix and log modes"
+
+From: Mimi Zohar
+
+commit f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b upstream.
+
+Userspace applications have been modified to write security xattrs,
+but they are not context aware. In the case of security.ima, the
+security xattr can be either a file hash or a file signature.
+Permitting writing one, but not the other requires the application to
+be context aware.
+
+In addition, userspace applications might write files to a staging
+area, which might not be in policy, and then change some file metadata
+(eg. owner) making it in policy. As a result, these files are not
+labeled properly.
+
+This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533, which
+prevents writing file hashes as security.ima xattrs.
+
+Requested-by: Patrick Ohly
+Cc: Dmitry Kasatkin
+Signed-off-by: Mimi Zohar
+Cc: Mike Rapoport
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/integrity/ima/ima_appraise.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -389,14 +389,10 @@ int ima_inode_setxattr(struct dentry *de
+ result = ima_protect_xattr(dentry, xattr_name, xattr_value,
+ xattr_value_len);
+ if (result == 1) {
+- bool digsig;
+-
+ if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
+ return -EINVAL;
+- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
+- return -EPERM;
+- ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
++ ima_reset_appraise_flags(d_backing_inode(dentry),
++ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
+ result = 0;
+ }
+ return result;
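Review bot: With the `return -EPERM` for a non-signature value under IMA_APPRAISE_ENFORCE removed, this branch of ima_inode_setxattr no longer has any mode-dependent rejection: every value whose type is below IMA_XATTR_LAST is accepted in all appraisal modes, and the decision about who may write security.ima now rests entirely on ima_protect_xattr, which is outside the hunk. That is the stated intent, but a line at the call would stop the next reader from re-adding the check: `/* hashes and signatures are both accepted here in every mode; access control is ima_protect_xattr()'s job */`. As a point of style, the restored `(xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0` is redundant given that the removed code passed a `bool` for the same argument, though keeping the pre-c68ed80c text byte-identical is a reasonable choice for a revert. The function continues outside the hunk.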
diff --git a/queue-4.9/selinux-kasan-slab-out-of-bounds-in-xattr_getsecurity.patch b/queue-4.9/selinux-kasan-slab-out-of-bounds-in-xattr_getsecurity.patch
new file mode 100644
index 00000000000..5ebab6e7448
--- /dev/null
+++ b/queue-4.9/selinux-kasan-slab-out-of-bounds-in-xattr_getsecurity.patch
@@ -0,0 +1,52 @@
+From efe3de79e0b52ca281ef6691480c8c68c82a4657 Mon Sep 17 00:00:00 2001
+From: Sachin Grover
+Date: Fri, 25 May 2018 14:01:39 +0530
+Subject: selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
+
+From: Sachin Grover
+
+commit efe3de79e0b52ca281ef6691480c8c68c82a4657 upstream.
+
+Call trace:
+ [] dump_backtrace+0x0/0x428
+ [] show_stack+0x28/0x38
+ [] dump_stack+0xd4/0x124
+ [] print_address_description+0x68/0x258
+ [] kasan_report.part.2+0x228/0x2f0
+ [] kasan_report+0x5c/0x70
+ [] check_memory_region+0x12c/0x1c0
+ [] memcpy+0x34/0x68
+ [] xattr_getsecurity+0xe0/0x160
+ [] vfs_getxattr+0xc8/0x120
+ [] getxattr+0x100/0x2c8
+ [] SyS_fgetxattr+0x64/0xa0
+ [] el0_svc_naked+0x24/0x28
+
+If user get root access and calls security.selinux setxattr() with an
+embedded NUL on a file and then if some process performs a getxattr()
+on that file with a length greater than the actual length of the string,
+it would result in a panic.
+
+To fix this, add the actual length of the string to the security context
+instead of the length passed by the userspace process.
+
+Signed-off-by: Sachin Grover
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/selinux/ss/services.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -1435,7 +1435,7 @@ static int security_context_to_sid_core(
+ scontext_len, &context, def_sid);
+ if (rc == -EINVAL && force) {
+ context.str = str;
+- context.len = scontext_len;
++ context.len = strlen(str) + 1;
+ str = NULL;
+ } else if (rc)
+ goto out_unlock;
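Review bot: `context.len = strlen(str) + 1;` corrects the length later copies of context.str rely on, but it does so only on the `rc == -EINVAL && force` path and silently accepts a scontext whose stated length runs past its first NUL; the stored string is simply recorded as shorter than what userspace passed. The changed line should say why the caller's length is deliberately ignored: `/* str may contain an embedded NUL; record the length of the string actually stored, not scontext_len, so later copies of context.str stay within it */`. Whether `str` is guaranteed NUL-terminated at this point depends on how it was built earlier in the function, outside the hunk; if it is a bounded copy of scontext, strlen() here is safe, otherwise this line itself would overread. security_context_to_sid_core continues outside the hunk.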
diff --git a/queue-4.9/series b/queue-4.9/series
index 82fb81edf14..dc2a5e2441a 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -5,3 +5,7 @@ objtool-improve-detection-of-bug-and-other-dead-ends.patch
 objtool-move-checking-code-to-check.c.patch
 revert-pinctrl-msm-use-dynamic-gpio-numbering.patch
 xfs-detect-agfl-count-corruption-and-reset-agfl.patch
+revert-ima-limit-file-hash-setting-by-user-to-fix-and-log-modes.patch
+input-elan_i2c_smbus-fix-corrupted-stack.patch
+tracing-fix-crash-when-freeing-instances-with-event-triggers.patch
+selinux-kasan-slab-out-of-bounds-in-xattr_getsecurity.patch
diff --git a/queue-4.9/tracing-fix-crash-when-freeing-instances-with-event-triggers.patch b/queue-4.9/tracing-fix-crash-when-freeing-instances-with-event-triggers.patch
new file mode 100644
index 00000000000..eb19308b7ca
--- /dev/null
+++ b/queue-4.9/tracing-fix-crash-when-freeing-instances-with-event-triggers.patch
@@ -0,0 +1,70 @@
+From 86b389ff22bd6ad8fd3cb98e41cd271886c6d023 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)"
+Date: Sun, 27 May 2018 20:54:44 -0400
+Subject: tracing: Fix crash when freeing instances with event triggers
+
+From: Steven Rostedt (VMware)
+
+commit 86b389ff22bd6ad8fd3cb98e41cd271886c6d023 upstream.
+
+If a instance has an event trigger enabled when it is freed, it could cause
+an access of free memory. Here's the case that crashes:
+
+ # cd /sys/kernel/tracing
+ # mkdir instances/foo
+ # echo snapshot > instances/foo/events/initcall/initcall_start/trigger
+ # rmdir instances/foo
+
+Would produce:
+
+ general protection fault: 0000 [#1] PREEMPT SMP PTI
+ Modules linked in: tun bridge ...
+ CPU: 5 PID: 6203 Comm: rmdir Tainted: G W 4.17.0-rc4-test+ #933
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016
+ RIP: 0010:clear_event_triggers+0x3b/0x70
+ RSP: 0018:ffffc90003783de0 EFLAGS: 00010286
+ RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b2b RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800c7130ba0
+ RBP: ffffc90003783e00 R08: ffff8801131993f8 R09: 0000000100230016
+ R10: ffffc90003783d80 R11: 0000000000000000 R12: ffff8800c7130ba0
+ R13: ffff8800c7130bd8 R14: ffff8800cc093768 R15: 00000000ffffff9c
+ FS: 00007f6f4aa86700(0000) GS:ffff88011eb40000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f6f4a5aed60 CR3: 00000000cd552001 CR4: 00000000001606e0
+ Call Trace:
+ event_trace_del_tracer+0x2a/0xc5
+ instance_rmdir+0x15c/0x200
+ tracefs_syscall_rmdir+0x52/0x90
+ vfs_rmdir+0xdb/0x160
+ do_rmdir+0x16d/0x1c0
+ __x64_sys_rmdir+0x17/0x20
+ do_syscall_64+0x55/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This was due to the call the clears out the triggers when an instance is
+being deleted not removing the trigger from the link list.
+
+Cc: stable@vger.kernel.org
+Fixes: 85f2b08268c01 ("tracing: Add basic event trigger framework")
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace_events_trigger.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -481,9 +481,10 @@ clear_event_triggers(struct trace_array
+ struct trace_event_file *file;
+
+ list_for_each_entry(file, &tr->events, list) {
+- struct event_trigger_data *data;
+- list_for_each_entry_rcu(data, &file->triggers, list) {
++ struct event_trigger_data *data, *n;
++ list_for_each_entry_safe(data, n, &file->triggers, list) {
+ trace_event_trigger_enable_disable(file, 0);
++ list_del_rcu(&data->list);
+ if (data->ops->free)
+ data->ops->free(data->ops, data);
+ }
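Review bot: `list_del_rcu(&data->list)` is followed two lines later by a synchronous `data->ops->free(data->ops, data)` with no grace period in between, so an RCU reader still walking `file->triggers` that already holds `data` would see it released unless every ops->free implementation defers the actual free (via call_rcu or similar); that cannot be confirmed from the hunk and deserves a comment either way, e.g. `/* unlink first so no later walk of file->triggers reaches data; ops->free must defer the release while RCU readers may still hold it */`. Replacing list_for_each_entry_rcu with list_for_each_entry_safe also drops the read-side iteration form, so the caller presumably holds whatever lock serialises writers to file->triggers; that lock is outside the hunk and naming it in the same comment would help. clear_event_triggers starts and ends outside the hunk.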