From: Greg Kroah-Hartman Date: Mon, 8 Apr 2024 10:34:40 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.15.154~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b6998098ee0d2ff0455ccf83a6d87338497a4b1;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: riscv-fix-spurious-errors-from-__get-put_kernel_nofault.patch riscv-process-fix-kernel-gp-leakage.patch s390-entry-align-system-call-table-on-8-bytes.patch
---
diff --git a/queue-5.15/riscv-fix-spurious-errors-from-__get-put_kernel_nofault.patch b/queue-5.15/riscv-fix-spurious-errors-from-__get-put_kernel_nofault.patch
new file mode 100644
index 00000000000..a51085637db
--- /dev/null
+++ b/queue-5.15/riscv-fix-spurious-errors-from-__get-put_kernel_nofault.patch
@@ -0,0 +1,44 @@
+From d080a08b06b6266cc3e0e86c5acfd80db937cb6b Mon Sep 17 00:00:00 2001
+From: Samuel Holland
+Date: Mon, 11 Mar 2024 19:19:13 -0700
+Subject: riscv: Fix spurious errors from __get/put_kernel_nofault
+
+From: Samuel Holland
+
+commit d080a08b06b6266cc3e0e86c5acfd80db937cb6b upstream.
+
+These macros did not initialize __kr_err, so they could fail even if
+the access did not fault.
+
+Cc: stable@vger.kernel.org
+Fixes: d464118cdc41 ("riscv: implement __get_kernel_nofault and __put_user_nofault")
+Signed-off-by: Samuel Holland
+Reviewed-by: Alexandre Ghiti
+Reviewed-by: Charlie Jenkins
+Link: https://lore.kernel.org/r/20240312022030.320789-1-samuel.holland@sifive.com
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/include/asm/uaccess.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/include/asm/uaccess.h
++++ b/arch/riscv/include/asm/uaccess.h
+@@ -467,7 +467,7 @@ unsigned long __must_check clear_user(vo
+
+ #define __get_kernel_nofault(dst, src, type, err_label) \
+ do { \
+- long __kr_err; \
++ long __kr_err = 0; \
+ \
+ __get_user_nocheck(*((type *)(dst)), (type *)(src), __kr_err); \
+ if (unlikely(__kr_err)) \
+@@ -476,7 +476,7 @@ do { \
+
+ #define __put_kernel_nofault(dst, src, type, err_label) \
+ do { \
+- long __kr_err; \
++ long __kr_err = 0; \
+ \
+ __put_user_nocheck(*((type *)(src)), (type *)(dst), __kr_err); \
+ if (unlikely(__kr_err)) \
diff --git a/queue-5.15/riscv-process-fix-kernel-gp-leakage.patch b/queue-5.15/riscv-process-fix-kernel-gp-leakage.patch
new file mode 100644
index 00000000000..1b262069d14
--- /dev/null
+++ b/queue-5.15/riscv-process-fix-kernel-gp-leakage.patch
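Review bot: The two new `long __kr_err = 0;` lines fix the spurious failure but carry no explanation, and nothing in the hunk shows that `__get_user_nocheck()`/`__put_user_nocheck()` leave the variable untouched on the success path — the commit message only implies it by saying the macros "could fail even if the access did not fault". A one-line comment above each initializer, e.g. `/* the *_nocheck() helpers only write __kr_err on a fault; start from 0 */`, would stop a later cleanup from dropping the initializer as redundant. The body of the `if (unlikely(__kr_err))` in both macros lies outside the hunk.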
@@ -0,0 +1,80 @@
+From d14fa1fcf69db9d070e75f1c4425211fa619dfc8 Mon Sep 17 00:00:00 2001
+From: Stefan O'Rear
+Date: Wed, 27 Mar 2024 02:12:58 -0400
+Subject: riscv: process: Fix kernel gp leakage
+
+From: Stefan O'Rear
+
+commit d14fa1fcf69db9d070e75f1c4425211fa619dfc8 upstream.
+
+childregs represents the registers which are active for the new thread
+in user context. For a kernel thread, childregs->gp is never used since
+the kernel gp is not touched by switch_to. For a user mode helper, the
+gp value can be observed in user space after execve or possibly by other
+means.
+
+[From the email thread]
+
+The /* Kernel thread */ comment is somewhat inaccurate in that it is also used
+for user_mode_helper threads, which exec a user process, e.g. /sbin/init or
+when /proc/sys/kernel/core_pattern is a pipe. Such threads do not have
+PF_KTHREAD set and are valid targets for ptrace etc. even before they exec.
+
+childregs is the *user* context during syscall execution and it is observable
+from userspace in at least five ways:
+
+1. kernel_execve does not currently clear integer registers, so the starting
+ register state for PID 1 and other user processes started by the kernel has
+ sp = user stack, gp = kernel __global_pointer$, all other integer registers
+ zeroed by the memset in the patch comment.
+
+ This is a bug in its own right, but I'm unwilling to bet that it is the only
+ way to exploit the issue addressed by this patch.
+
+2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread
+ before it execs, but ptrace requires SIGSTOP to be delivered which can only
+ happen at user/kernel boundaries.
+
+3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for
+ user_mode_helpers before the exec completes, but gp is not one of the
+ registers it returns.
+
+4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel
+ addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses
+ are also exposed via PERF_SAMPLE_REGS_USER which is permitted under
+ LOCKDOWN_PERF. I have not attempted to write exploit code.
+
+5. Much of the tracing infrastructure allows access to user registers. I have
+ not attempted to determine which forms of tracing allow access to user
+ registers without already allowing access to kernel registers.
+
+Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan O'Rear
+Reviewed-by: Alexandre Ghiti
+Link: https://lore.kernel.org/r/20240327061258.2370291-1-sorear@fastmail.com
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/kernel/process.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/arch/riscv/kernel/process.c
++++ b/arch/riscv/kernel/process.c
+@@ -24,8 +24,6 @@
+ #include
+ #include
+
+-register unsigned long gp_in_global __asm__("gp");
+-
+ #if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_STACKPROTECTOR_PER_TASK)
+ #include
+ unsigned long __stack_chk_guard __read_mostly;
+@@ -130,7 +128,6 @@ int copy_thread(unsigned long clone_flag
+ if (unlikely(p->flags & (PF_KTHREAD | PF_IO_WORKER))) {
+ /* Kernel thread */
+ memset(childregs, 0, sizeof(struct pt_regs));
+- childregs->gp = gp_in_global;
+ /* Supervisor/Machine, irqs on: */
+ childregs->status = SR_PP | SR_PIE;
+
diff --git a/queue-5.15/s390-entry-align-system-call-table-on-8-bytes.patch b/queue-5.15/s390-entry-align-system-call-table-on-8-bytes.patch
new file mode 100644
index 00000000000..4952a1da596
--- /dev/null
+++ b/queue-5.15/s390-entry-align-system-call-table-on-8-bytes.patch
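Review bot: The `/* Kernel thread */` comment on the `PF_KTHREAD | PF_IO_WORKER` branch is left as it was even though the commit message itself calls it inaccurate: the same branch prepares user-mode helper threads, which later exec and whose `childregs` are user-visible, and that mismatch is exactly why `childregs->gp` was a leak. I would change it to `/* Kernel thread or user-mode helper: childregs is the user-visible context, never seed it with kernel values */` so the next field added here is not reasoned about as "kernel-only". With the assignment removed, the preceding `memset(childregs, 0, sizeof(struct pt_regs))` leaves gp at zero for these threads, which is what closes the kernel-address exposure the message describes. copy_thread continues outside the hunk.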
@@ -0,0 +1,33 @@
+From 378ca2d2ad410a1cd5690d06b46c5e2297f4c8c0 Mon Sep 17 00:00:00 2001
+From: Sumanth Korikkar
+Date: Tue, 26 Mar 2024 18:12:13 +0100
+Subject: s390/entry: align system call table on 8 bytes
+
+From: Sumanth Korikkar
+
+commit 378ca2d2ad410a1cd5690d06b46c5e2297f4c8c0 upstream.
+
+Align system call table on 8 bytes. With sys_call_table entry size
+of 8 bytes that eliminates the possibility of a system call pointer
+crossing cache line boundary.
+
+Cc: stable@kernel.org
+Suggested-by: Ulrich Weigand
+Reviewed-by: Alexander Gordeev
+Signed-off-by: Sumanth Korikkar
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kernel/entry.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -685,6 +685,7 @@ ENDPROC(stack_overflow)
+ .Lthis_cpu: .short 0
+ .Lstosm_tmp: .byte 0
+ .section .rodata, "a"
++ .balign 8
+ #define SYSCALL(esame,emu) .quad __s390x_ ## esame
+ .globl sys_call_table
+ sys_call_table:
diff --git a/queue-5.15/series b/queue-5.15/series
index d65a538ccd6..b3e0b9081ad 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -679,3 +679,6 @@ alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphon
 driver-core-introduce-device_link_wait_removal.patch
 of-dynamic-synchronize-of_changeset_destroy-with-the-devlink-removals.patch
 x86-mce-make-sure-to-grab-mce_sysfs_mutex-in-set_bank.patch
+s390-entry-align-system-call-table-on-8-bytes.patch
+riscv-fix-spurious-errors-from-__get-put_kernel_nofault.patch
+riscv-process-fix-kernel-gp-leakage.patch
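Review bot: The added `.balign 8` is correct only because the `SYSCALL()` macro on the following line emits `.quad` entries, yet nothing in the file ties the alignment to that entry size, so the rationale from the commit message (no table entry may straddle a cache line) is invisible at the point of use. Since the file is run through cpp (the `#define` proves it), a C-style comment is the safe form: `/* entries are .quad: keep the table 8-byte aligned so no pointer crosses a cache line */` placed directly above `.balign 8`. The `sys_call_table` definition itself continues past the end of the hunk.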