From: Greg Kroah-Hartman Date: Thu, 25 Apr 2019 08:15:25 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.139~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=541f1dd602f0f147e097870be3d19ada0b7d7a7c;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: kernel-sysctl.c-fix-out-of-bounds-access-when-setting-file-max.patch
---
diff --git a/queue-3.18/kernel-sysctl.c-fix-out-of-bounds-access-when-setting-file-max.patch b/queue-3.18/kernel-sysctl.c-fix-out-of-bounds-access-when-setting-file-max.patch
new file mode 100644
index 00000000000..81c7432147f
--- /dev/null
+++ b/queue-3.18/kernel-sysctl.c-fix-out-of-bounds-access-when-setting-file-max.patch
@@ -0,0 +1,89 @@
+From 9002b21465fa4d829edfc94a5a441005cffaa972 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Fri, 5 Apr 2019 18:39:38 -0700
+Subject: kernel/sysctl.c: fix out-of-bounds access when setting file-max
+
+From: Will Deacon
+
+commit 9002b21465fa4d829edfc94a5a441005cffaa972 upstream.
+
+Commit 32a5ad9c2285 ("sysctl: handle overflow for file-max") hooked up
+min/max values for the file-max sysctl parameter via the .extra1 and
+.extra2 fields in the corresponding struct ctl_table entry.
+
+Unfortunately, the minimum value points at the global 'zero' variable,
+which is an int. This results in a KASAN splat when accessed as a long
+by proc_doulongvec_minmax on 64-bit architectures:
+
+ | BUG: KASAN: global-out-of-bounds in __do_proc_doulongvec_minmax+0x5d8/0x6a0
+ | Read of size 8 at addr ffff2000133d1c20 by task systemd/1
+ |
+ | CPU: 0 PID: 1 Comm: systemd Not tainted 5.1.0-rc3-00012-g40b114779944 #2
+ | Hardware name: linux,dummy-virt (DT)
+ | Call trace:
+ | dump_backtrace+0x0/0x228
+ | show_stack+0x14/0x20
+ | dump_stack+0xe8/0x124
+ | print_address_description+0x60/0x258
+ | kasan_report+0x140/0x1a0
+ | __asan_report_load8_noabort+0x18/0x20
+ | __do_proc_doulongvec_minmax+0x5d8/0x6a0
+ | proc_doulongvec_minmax+0x4c/0x78
+ | proc_sys_call_handler.isra.19+0x144/0x1d8
+ | proc_sys_write+0x34/0x58
+ | __vfs_write+0x54/0xe8
+ | vfs_write+0x124/0x3c0
+ | ksys_write+0xbc/0x168
+ | __arm64_sys_write+0x68/0x98
+ | el0_svc_common+0x100/0x258
+ | el0_svc_handler+0x48/0xc0
+ | el0_svc+0x8/0xc
+ |
+ | The buggy address belongs to the variable:
+ | zero+0x0/0x40
+ |
+ | Memory state around the buggy address:
+ | ffff2000133d1b00: 00 00 00 00 00 00 00 00 fa fa fa fa 04 fa fa fa
+ | ffff2000133d1b80: fa fa fa fa 04 fa fa fa fa fa fa fa 04 fa fa fa
+ | >ffff2000133d1c00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
+ | ^
+ | ffff2000133d1c80: fa fa fa fa 00 fa fa fa fa fa fa fa 00 00 00 00
+ | ffff2000133d1d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Fix the splat by introducing a unsigned long 'zero_ul' and using that
+instead.
+
+Link: http://lkml.kernel.org/r/20190403153409.17307-1-will.deacon@arm.com
+Fixes: 32a5ad9c2285 ("sysctl: handle overflow for file-max")
+Signed-off-by: Will Deacon
+Acked-by: Christian Brauner
+Cc: Kees Cook
+Cc: Alexey Dobriyan
+Cc: Matteo Croce
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sysctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -124,6 +124,7 @@ static int zero;
+ static int __maybe_unused one = 1;
+ static int __maybe_unused two = 2;
+ static int __maybe_unused four = 4;
++static unsigned long zero_ul;
+ static unsigned long one_ul = 1;
+ static unsigned long long_max = LONG_MAX;
+ static int one_hundred = 100;
+@@ -1522,7 +1523,7 @@ static struct ctl_table fs_table[] = {
+ .maxlen = sizeof(files_stat.max_files),
+ .mode = 0644,
+ .proc_handler = proc_doulongvec_minmax,
+- .extra1 = &zero,
++ .extra1 = &zero_ul,
+ .extra2 = &long_max,
+ },
+ {
diff --git a/queue-3.18/series b/queue-3.18/series
index d047e8da847..9c2e9d1032f 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -101,3 +101,4 @@ kprobes-fix-error-check-when-reusing-optimized-probes.patch
 sched-fair-limit-sched_cfs_period_timer-loop-to-avoi.patch
 device_cgroup-fix-rcu-imbalance-in-error-case.patch
 arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch
+kernel-sysctl.c-fix-out-of-bounds-access-when-setting-file-max.patch
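Review bot: The new `static unsigned long zero_ul;` sits directly beside `static int zero;` with no comment saying why a second zero exists, and because the `.extra1`/`.extra2` fields are not typed against the handler (the int-vs-long mismatch went unnoticed until KASAN caught it), nothing stops a later cleanup from folding it back into `&zero` and silently reintroducing the 8-byte over-read, which on a non-KASAN 64-bit kernel means the min bound is whatever bytes happen to follow `zero`. I would annotate the declaration, e.g. `/* proc_doulongvec_minmax reads extra1/extra2 as unsigned long; int 'zero' is 4 bytes too short on 64-bit */`, so the type requirement is visible at the one place both variables live. `zero_ul` is also declared without the `__maybe_unused` its neighbours carry, which appears fine only because the `fs_table` entry that references it looks unconditional; worth a glance if this tree wraps that entry in an ifdef. For the 3.18 queue this patch presupposes that the backport of 32a5ad9c2285 (which introduced `.extra1 = &zero` / `.extra2 = &long_max` on this entry) is already applied; the old side of the inner hunk is consistent with that, but the visible tail of `series` does not show it, so the ordering should be confirmed. Both inner hunks are excerpts of larger definitions, the file-scope limit variables and `fs_table[]`, whose start and end lie outside the patch.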