From: Greg Kroah-Hartman
Date: Mon, 23 May 2022 16:34:44 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v4.9.316~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5c1c22120ab62c2b693bc6cee6cb2ee52a3662d1;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
include-uapi-linux-xfrm.h-fix-xfrm_msg_mapping-abi-breakage.patch
module-check-for-exit-sections-in-layout_sections-instead-of-module_init_section.patch
net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch
---
diff --git a/queue-5.10/include-uapi-linux-xfrm.h-fix-xfrm_msg_mapping-abi-breakage.patch b/queue-5.10/include-uapi-linux-xfrm.h-fix-xfrm_msg_mapping-abi-breakage.patch
new file mode 100644
index 00000000000..17c57d7b57b
--- /dev/null
+++ b/queue-5.10/include-uapi-linux-xfrm.h-fix-xfrm_msg_mapping-abi-breakage.patch
@@ -0,0 +1,68 @@
+From 844f7eaaed9267ae17d33778efe65548cc940205 Mon Sep 17 00:00:00 2001
+From: Eugene Syromiatnikov
+Date: Sun, 12 Sep 2021 14:22:34 +0200
+Subject: include/uapi/linux/xfrm.h: Fix XFRM_MSG_MAPPING ABI breakage
+
+From: Eugene Syromiatnikov
+
+commit 844f7eaaed9267ae17d33778efe65548cc940205 upstream.
+
+Commit 2d151d39073a ("xfrm: Add possibility to set the default to block
+if we have no policy") broke ABI by changing the value of the XFRM_MSG_MAPPING
+enum item, thus also evading the build-time check
+in security/selinux/nlmsgtab.c:selinux_nlmsg_lookup for presence of proper
+security permission checks in nlmsg_xfrm_perms. Fix it by placing
+XFRM_MSG_SETDEFAULT/XFRM_MSG_GETDEFAULT to the end of the enum, right before
+__XFRM_MSG_MAX, and updating the nlmsg_xfrm_perms accordingly.
+
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+References: https://lore.kernel.org/netdev/20210901151402.GA2557@altlinux.org/
+Signed-off-by: Eugene Syromiatnikov
+Acked-by: Antony Antony
+Acked-by: Nicolas Dichtel
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/uapi/linux/xfrm.h | 6 +++---
+ security/selinux/nlmsgtab.c | 4 +++-
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/include/uapi/linux/xfrm.h
++++ b/include/uapi/linux/xfrm.h
+@@ -213,13 +213,13 @@ enum {
+ XFRM_MSG_GETSPDINFO,
+ #define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
+
++ XFRM_MSG_MAPPING,
++#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
++
+ XFRM_MSG_SETDEFAULT,
+ #define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT
+ XFRM_MSG_GETDEFAULT,
+ #define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT
+-
+- XFRM_MSG_MAPPING,
+-#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
+ __XFRM_MSG_MAX
+ };
+ #define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
+--- a/security/selinux/nlmsgtab.c
++++ b/security/selinux/nlmsgtab.c
+@@ -123,6 +123,8 @@ static const struct nlmsg_perm nlmsg_xfr
+ { XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
++ { XFRM_MSG_SETDEFAULT, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
++ { XFRM_MSG_GETDEFAULT, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ };
+
+ static const struct nlmsg_perm nlmsg_audit_perms[] =
+@@ -186,7 +188,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16
+ * structures at the top of this file with the new mappings
+ * before updating the BUILD_BUG_ON() macro!
+ */
+- BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_MAPPING);
++ BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_GETDEFAULT);
+ err = nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
+ sizeof(nlmsg_xfrm_perms));
+ break;
diff --git a/queue-5.10/module-check-for-exit-sections-in-layout_sections-instead-of-module_init_section.patch b/queue-5.10/module-check-for-exit-sections-in-layout_sections-instead-of-module_init_section.patch
new file mode 100644
index 00000000000..00982c710e7
--- /dev/null
+++ b/queue-5.10/module-check-for-exit-sections-in-layout_sections-instead-of-module_init_section.patch
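Review bot: In the include/uapi/linux/xfrm.h part of the queued xfrm_msg_mapping patch, the enum still has no comment stating that new message types must go directly before `__XFRM_MSG_MAX`, which is the rule whose violation caused the ABI break being fixed. I would add one above `XFRM_MSG_SETDEFAULT`, for example `/* UAPI: values are fixed once released; append new messages here, never between existing ones */`. The SELinux side depends on the same ordering: `BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_GETDEFAULT)` only fires when the last enumerator changes, so an entry inserted mid-enum would again renumber messages under `nlmsg_xfrm_perms` without tripping it, as the commit message describes. Both the enum and `selinux_nlmsg_lookup` continue outside the hunks shown.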
@@ -0,0 +1,87 @@
+From 055f23b74b20f2824ce33047b4cf2e2aa856bf3b Mon Sep 17 00:00:00 2001
+From: Jessica Yu
+Date: Wed, 12 May 2021 15:45:46 +0200
+Subject: module: check for exit sections in layout_sections() instead of module_init_section()
+
+From: Jessica Yu
+
+commit 055f23b74b20f2824ce33047b4cf2e2aa856bf3b upstream.
+
+Previously, when CONFIG_MODULE_UNLOAD=n, the module loader just does not
+attempt to load exit sections since it never expects that any code in those
+sections will ever execute. However, dynamic code patching (alternatives,
+jump_label and static_call) can have sites in __exit code, even if __exit is
+never executed. Therefore __exit must be present at runtime, at least for as
+long as __init code is.
+
+Commit 33121347fb1c ("module: treat exit sections the same as init
+sections when !CONFIG_MODULE_UNLOAD") solves the requirements of
+jump_labels and static_calls by putting the exit sections in the init
+region of the module so that they are at least present at init, and
+discarded afterwards. It does this by including a check for exit
+sections in module_init_section(), so that it also returns true for exit
+sections, and the module loader will automatically sort them in the init
+region of the module.
+
+However, the solution there was not completely arch-independent. ARM is
+a special case where it supplies its own module_{init, exit}_section()
+functions. Instead of pushing the exit section checks into
+module_init_section(), just implement the exit section check in
+layout_sections(), so that we don't have to touch arch-dependent code.
+
+Fixes: 33121347fb1c ("module: treat exit sections the same as init sections when !CONFIG_MODULE_UNLOAD")
+Reviewed-by: Russell King (Oracle)
+Signed-off-by: Jessica Yu
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/module.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -2280,6 +2280,15 @@ void *__symbol_get(const char *symbol)
+ }
+ EXPORT_SYMBOL_GPL(__symbol_get);
+
++static bool module_init_layout_section(const char *sname)
++{
++#ifndef CONFIG_MODULE_UNLOAD
++ if (module_exit_section(sname))
++ return true;
++#endif
++ return module_init_section(sname);
++}
++
+ /*
+ * Ensure that an exported symbol [global namespace] does not already exist
+ * in the kernel or in some other module's exported symbol table.
+@@ -2489,7 +2498,7 @@ static void layout_sections(struct modul
+ if ((s->sh_flags & masks[m][0]) != masks[m][0]
+ || (s->sh_flags & masks[m][1])
+ || s->sh_entsize != ~0UL
+- || module_init_section(sname))
++ || module_init_layout_section(sname))
+ continue;
+ s->sh_entsize = get_offset(mod, &mod->core_layout.size, s, i);
+ pr_debug("\t%s\n", sname);
+@@ -2522,7 +2531,7 @@ static void layout_sections(struct modul
+ if ((s->sh_flags & masks[m][0]) != masks[m][0]
+ || (s->sh_flags & masks[m][1])
+ || s->sh_entsize != ~0UL
+- || !module_init_section(sname))
++ || !module_init_layout_section(sname))
+ continue;
+ s->sh_entsize = (get_offset(mod, &mod->init_layout.size, s, i)
+ | INIT_OFFSET_MASK);
+@@ -2861,11 +2870,7 @@ void * __weak module_alloc(unsigned long
+
+ bool __weak module_init_section(const char *name)
+ {
+-#ifndef CONFIG_MODULE_UNLOAD
+- return strstarts(name, ".init") || module_exit_section(name);
+-#else
+ return strstarts(name, ".init");
+-#endif
+ }
+
+ bool __weak module_exit_section(const char *name)
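Review bot: `module_init_layout_section()` is added as a `static` helper in kernel/module.c, so any caller outside this file that still asks `module_init_section()` whether a section belongs to the init region will now disagree with `layout_sections()` about exit sections when CONFIG_MODULE_UNLOAD is off. The commit message notes that ARM supplies its own `module_{init, exit}_section()`; arch code is not visible in this patch, so the remaining `module_init_section()` callers should be checked before this is queued, because the init region is discarded after init and a mismatch could leave something sized or placed for the wrong region. The helper would also benefit from a short comment such as `/* Without CONFIG_MODULE_UNLOAD, exit sections are laid out in the init region so patched call sites in __exit stay present until init memory is discarded. */`.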
diff --git a/queue-5.10/net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch b/queue-5.10/net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch
new file mode 100644
index 00000000000..f93d0363f14
--- /dev/null
+++ b/queue-5.10/net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch
@@ -0,0 +1,38 @@
+From 3c10ffddc61f8a1a59e29a110ba70b47e679206a Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Thu, 2 Sep 2021 22:04:00 +0300
+Subject: net: xfrm: fix shift-out-of-bounds in xfrm_get_default
+
+From: Pavel Skripkin
+
+commit 3c10ffddc61f8a1a59e29a110ba70b47e679206a upstream.
+
+Syzbot hit shift-out-of-bounds in xfrm_get_default. The problem was in
+missing validation check for user data.
+
+up->dirmask comes from user-space, so we need to check if this value
+is less than XFRM_USERPOLICY_DIRMASK_MAX to avoid shift-out-of-bounds bugs.
+
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+Reported-and-tested-by: syzbot+b2be9dd8ca6f6c73ee2d@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_user.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1989,6 +1989,11 @@ static int xfrm_get_default(struct sk_bu
+ return -EMSGSIZE;
+ }
+
++ if (up->dirmask >= XFRM_USERPOLICY_DIRMASK_MAX) {
++ kfree_skb(r_skb);
++ return -EINVAL;
++ }
++
+ r_up = nlmsg_data(r_nlh);
+ r_up->in = net->xfrm.policy_default[XFRM_POLICY_IN];
+ r_up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD];
diff --git a/queue-5.10/series b/queue-5.10/series
index 896f08b8b3c..ac1366527a4 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
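Review bot: In the queued xfrm_get_default patch the added check reads `up->dirmask`, yet the unchanged lines right after it fill the reply from `net->xfrm.policy_default[XFRM_POLICY_IN]` and `[XFRM_POLICY_FWD]`, which suggests that in this tree the function uses a per-direction array rather than a shifted mask. Neither the declaration of `up` nor any shift by `dirmask` is visible in the hunk (the function body starts and ends outside it), so please confirm that the 5.10 queue still has a `dirmask` field and a shift to guard; otherwise the backport either fails to build or adds a dead check. If the check is needed, placing it before the reply skb is allocated would validate the user-supplied value first and remove `kfree_skb(r_skb)` from the error path.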
@@ -93,3 +93,6 @@ dt-bindings-pinctrl-aspeed-g6-remove-fwqspid-group.patch
 module-treat-exit-sections-the-same-as-init-sections-when-config_module_unload.patch
 i2c-mt7621-fix-missing-clk_disable_unprepare-on-erro.patch
 afs-fix-afs_getattr-to-refetch-file-status-if-callba.patch
+net-xfrm-fix-shift-out-of-bounds-in-xfrm_get_default.patch
+include-uapi-linux-xfrm.h-fix-xfrm_msg_mapping-abi-breakage.patch
+module-check-for-exit-sections-in-layout_sections-instead-of-module_init_section.patch