From: Sasha Levin
Date: Thu, 27 Feb 2020 03:38:58 +0000 (-0500)
Subject: fixes for 4.4
X-Git-Tag: v4.4.215~47
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=85bbdd396c57064852161147da9b01337b05de67;p=thirdparty%2Fkernel%2Fstable-queue.git

fixes for 4.4

Signed-off-by: Sasha Levin
---

diff --git a/queue-4.4/kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch b/queue-4.4/kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch
new file mode 100644
index 00000000000..3fde74d9c79
--- /dev/null
+++ b/queue-4.4/kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch
@@ -0,0 +1,38 @@
+From 9c3d7c0f86762b77d5cc0a931abf0e046dfcb7ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Feb 2020 15:26:29 -0800
+Subject: KVM: nVMX: Don't emulate instructions in guest mode
+
+From: Paolo Bonzini
+
+[ Upstream commit 07721feee46b4b248402133228235318199b05ec ]
+
+vmx_check_intercept is not yet fully implemented. To avoid emulating
+instructions disallowed by the L1 hypervisor, refuse to emulate
+instructions by default.
+
+Cc: stable@vger.kernel.org
+[Made commit, added commit msg - Oliver]
+Signed-off-by: Oliver Upton
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 6c2b45f5d5016..be7f4c018943b 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10744,7 +10744,7 @@ static int vmx_check_intercept(struct kvm_vcpu *vcpu,
+ struct x86_instruction_info *info,
+ enum x86_intercept_stage stage)
+ {
+- return X86EMUL_CONTINUE;
++ return X86EMUL_UNHANDLEABLE;
+ }
+
+ static void vmx_sched_in(struct kvm_vcpu *vcpu, int cpu)
+--
+2.20.1
+
diff --git a/queue-4.4/netfilter-xt_bpf-add-overflow-checks.patch b/queue-4.4/netfilter-xt_bpf-add-overflow-checks.patch
new file mode 100644
index 00000000000..99268e517fa
--- /dev/null
+++ b/queue-4.4/netfilter-xt_bpf-add-overflow-checks.patch
@@ -0,0 +1,75 @@
+From a2ff7136d227bca57e64b1064a2f963cc3cc4d9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Feb 2020 13:35:01 -0800
+Subject: netfilter: xt_bpf: add overflow checks
+
+From: Jann Horn
+
+[ Upstream commit 6ab405114b0b229151ef06f4e31c7834dd09d0c0 ]
+
+Check whether inputs from userspace are too long (explicit length field too
+big or string not null-terminated) to avoid out-of-bounds reads.
+
+As far as I can tell, this can at worst lead to very limited kernel heap
+memory disclosure or oopses.
+
+This bug can be triggered by an unprivileged user even if the xt_bpf module
+is not loaded: iptables is available in network namespaces, and the xt_bpf
+module can be autoloaded.
+
+Triggering the bug with a classic BPF filter with fake length 0x1000 causes
+the following KASAN report:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in bpf_prog_create+0x84/0xf0
+Read of size 32768 at addr ffff8801eff2c494 by task test/4627
+
+CPU: 0 PID: 4627 Comm: test Not tainted 4.15.0-rc1+ #1
+[...]
+Call Trace:
+ dump_stack+0x5c/0x85
+ print_address_description+0x6a/0x260
+ kasan_report+0x254/0x370
+ ? bpf_prog_create+0x84/0xf0
+ memcpy+0x1f/0x50
+ bpf_prog_create+0x84/0xf0
+ bpf_mt_check+0x90/0xd6 [xt_bpf]
+[...]
+Allocated by task 4627:
+ kasan_kmalloc+0xa0/0xd0
+ __kmalloc_node+0x47/0x60
+ xt_alloc_table_info+0x41/0x70 [x_tables]
+[...]
+The buggy address belongs to the object at ffff8801eff2c3c0
+ which belongs to the cache kmalloc-2048 of size 2048
+The buggy address is located 212 bytes inside of
+ 2048-byte region [ffff8801eff2c3c0, ffff8801eff2cbc0)
+[...]
+==================================================================
+
+Fixes: e6f30c731718 ("netfilter: x_tables: add xt_bpf match")
+Signed-off-by: Jann Horn
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Zubin Mithra
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/xt_bpf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
+index dffee9d47ec4b..7b993f25aab92 100644
+--- a/net/netfilter/xt_bpf.c
++++ b/net/netfilter/xt_bpf.c
+@@ -25,6 +25,9 @@ static int bpf_mt_check(const struct xt_mtchk_param *par)
+ struct xt_bpf_info *info = par->matchinfo;
+ struct sock_fprog_kern program;
+
++ if (info->bpf_program_num_elem > XT_BPF_MAX_NUM_INSTR)
++ return -EINVAL;
++
+ program.len = info->bpf_program_num_elem;
+ program.filter = info->bpf_program;
+
+--
+2.20.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
index cddb7e88e15..047ec82efdb 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -92,3 +92,7 @@ x86-mce-amd-fix-kobject-lifetime.patch
 tty-serial-imx-setup-the-correct-sg-entry-for-tx-dma.patch
 revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch
 xhci-apply-xhci_pme_stuck_quirk-to-intel-comet-lake-platforms.patch
+vt_resizex-get-rid-of-field-by-field-copyin.patch
+vt-vt_ioctl-fix-race-in-vt_resizex.patch
+kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch
+netfilter-xt_bpf-add-overflow-checks.patch
diff --git a/queue-4.4/vt-vt_ioctl-fix-race-in-vt_resizex.patch b/queue-4.4/vt-vt_ioctl-fix-race-in-vt_resizex.patch
new file mode 100644
index 00000000000..f73b1776313
--- /dev/null
+++ b/queue-4.4/vt-vt_ioctl-fix-race-in-vt_resizex.patch
@@ -0,0 +1,107 @@
+From f46da4763627097b6a68c4a01693f3deeaf05dbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Feb 2020 11:07:21 -0800
+Subject: vt: vt_ioctl: fix race in VT_RESIZEX
+
+From: Eric Dumazet
+
+[ Upstream commit 6cd1ed50efd88261298577cd92a14f2768eddeeb ]
+
+We need to make sure vc_cons[i].d is not NULL after grabbing
+console_lock(), or risk a crash.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347]
+CPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883
+Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40
+RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000
+RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340
+RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d
+R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d
+R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f
+FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
+ vfs_ioctl fs/ioctl.c:47 [inline]
+ ksys_ioctl+0x123/0x180 fs/ioctl.c:763
+ __do_sys_ioctl fs/ioctl.c:772 [inline]
+ __se_sys_ioctl fs/ioctl.c:770 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x45b399
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399
+RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003
+RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c
+Modules linked in:
+---[ end trace 80970faf7a67eb77 ]---
+RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883
+Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40
+RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000
+RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340
+RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d
+R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d
+R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f
+FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Cc: stable
+Reported-by: syzbot
+Link: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/vt/vt_ioctl.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
+index a1e5c408c931b..e9d9f9f3dc886 100644
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -879,15 +879,20 @@ int vt_ioctl(struct tty_struct *tty,
+ return -EINVAL;
+
+ for (i = 0; i < MAX_NR_CONSOLES; i++) {
++ struct vc_data *vcp;
++
+ if (!vc_cons[i].d)
+ continue;
+ console_lock();
+- if (v.v_vlin)
+- vc_cons[i].d->vc_scan_lines = v.v_vlin;
+- if (v.v_clin)
+- vc_cons[i].d->vc_font.height = v.v_clin;
+- vc_cons[i].d->vc_resize_user = 1;
+- vc_resize(vc_cons[i].d, v.v_cols, v.v_rows);
++ vcp = vc_cons[i].d;
++ if (vcp) {
++ if (v.v_vlin)
++ vcp->vc_scan_lines = v.v_vlin;
++ if (v.v_clin)
++ vcp->vc_font.height = v.v_clin;
++ vcp->vc_resize_user = 1;
++ vc_resize(vcp, v.v_cols, v.v_rows);
++ }
+ console_unlock();
+ }
+ break;
+--
+2.20.1
+
diff --git a/queue-4.4/vt_resizex-get-rid-of-field-by-field-copyin.patch b/queue-4.4/vt_resizex-get-rid-of-field-by-field-copyin.patch
new file mode 100644
index 00000000000..4b8ce1a023a
--- /dev/null
+++ b/queue-4.4/vt_resizex-get-rid-of-field-by-field-copyin.patch
@@ -0,0 +1,108 @@
+From 384eea419bf20af984ea4e6c7debb011424d80d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Sep 2017 12:34:13 -0400
+Subject: VT_RESIZEX: get rid of field-by-field copyin
+
+From: Al Viro
+
+[ Upstream commit 1b3bce4d6bf839304a90951b4b25a5863533bf2a ]
+
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/vt/vt_ioctl.c | 68 ++++++++++++++++-----------------------
+ 1 file changed, 27 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
+index a86bc7afb3b28..a1e5c408c931b 100644
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -850,58 +850,44 @@ int vt_ioctl(struct tty_struct *tty,
+
+ case VT_RESIZEX:
+ {
+- struct vt_consize __user *vtconsize = up;
+- ushort ll,cc,vlin,clin,vcol,ccol;
++ struct vt_consize v;
+ if (!perm)
+ return -EPERM;
+- if (!access_ok(VERIFY_READ, vtconsize,
+- sizeof(struct vt_consize))) {
+- ret = -EFAULT;
+- break;
+- }
++ if (copy_from_user(&v, up, sizeof(struct vt_consize)))
++ return -EFAULT;
+ /* FIXME: Should check the copies properly */
+- __get_user(ll, &vtconsize->v_rows);
+- __get_user(cc, &vtconsize->v_cols);
+- __get_user(vlin, &vtconsize->v_vlin);
+- __get_user(clin, &vtconsize->v_clin);
+- __get_user(vcol, &vtconsize->v_vcol);
+- __get_user(ccol, &vtconsize->v_ccol);
+- vlin = vlin ? vlin : vc->vc_scan_lines;
+- if (clin) {
+- if (ll) {
+- if (ll != vlin/clin) {
+- /* Parameters don't add up */
+- ret = -EINVAL;
+- break;
+- }
+- } else
+- ll = vlin/clin;
++ if (!v.v_vlin)
++ v.v_vlin = vc->vc_scan_lines;
++ if (v.v_clin) {
++ int rows = v.v_vlin/v.v_clin;
++ if (v.v_rows != rows) {
++ if (v.v_rows) /* Parameters don't add up */
++ return -EINVAL;
++ v.v_rows = rows;
++ }
+ }
+- if (vcol && ccol) {
+- if (cc) {
+- if (cc != vcol/ccol) {
+- ret = -EINVAL;
+- break;
+- }
+- } else
+- cc = vcol/ccol;
++ if (v.v_vcol && v.v_ccol) {
++ int cols = v.v_vcol/v.v_ccol;
++ if (v.v_cols != cols) {
++ if (v.v_cols)
++ return -EINVAL;
++ v.v_cols = cols;
++ }
+ }
+
+- if (clin > 32) {
+- ret = -EINVAL;
+- break;
+- }
+-
++ if (v.v_clin > 32)
++ return -EINVAL;
++
+ for (i = 0; i < MAX_NR_CONSOLES; i++) {
+ if (!vc_cons[i].d)
+ continue;
+ console_lock();
+- if (vlin)
+- vc_cons[i].d->vc_scan_lines = vlin;
+- if (clin)
+- vc_cons[i].d->vc_font.height = clin;
++ if (v.v_vlin)
++ vc_cons[i].d->vc_scan_lines = v.v_vlin;
++ if (v.v_clin)
++ vc_cons[i].d->vc_font.height = v.v_clin;
+ vc_cons[i].d->vc_resize_user = 1;
+- vc_resize(vc_cons[i].d, cc, ll);
++ vc_resize(vc_cons[i].d, v.v_cols, v.v_rows);
+ console_unlock();
+ }
+ break;
+--
+2.20.1
+
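Review bot: The kept context line `/* FIXME: Should check the copies properly */` in the VT_RESIZEX hunk is now stale, because the `copy_from_user()` added two lines above it already returns -EFAULT on a short or faulting copy, which is exactly the check the comment asked for. Leaving it in makes a reader look for an unchecked `__get_user()` that no longer exists; I would drop that line or replace it with `/* copy_from_user() above validated the whole struct */`. Since this is a queued stable backport, the cleaner option is a small follow-up patch in the queue rather than hand-editing this hunk, so its line counts stay consistent. The enclosing `vt_ioctl()` starts and ends outside the hunk.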