From: Greg Kroah-Hartman Date: Thu, 16 Jan 2020 08:29:03 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.14.166~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=892a38df520175ebda7573fd880f535156483cd8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: syscalls-x86-fix-function-types-in-cond_syscall.patch syscalls-x86-use-compat_syscall_define0-for-ia32-rt_-sigreturn.patch syscalls-x86-use-the-correct-function-type-for-sys_ni_syscall.patch syscalls-x86-wire-up-compat_syscall_define0.patch
---
diff --git a/queue-5.4/series b/queue-5.4/series
index 5e067412462..190618b175c 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -44,3 +44,7 @@ dt-bindings-reset-fix-brcmstb-reset-example.patch
 reset-brcmstb-remove-resource-checks.patch
 afs-fix-missing-cell-comparison-in-afs_test_super.patch
 perf-vendor-events-s390-remove-name-from-l1d_ro_excl_writes-description.patch
+syscalls-x86-wire-up-compat_syscall_define0.patch
+syscalls-x86-use-compat_syscall_define0-for-ia32-rt_-sigreturn.patch
+syscalls-x86-use-the-correct-function-type-for-sys_ni_syscall.patch
+syscalls-x86-fix-function-types-in-cond_syscall.patch
diff --git a/queue-5.4/syscalls-x86-fix-function-types-in-cond_syscall.patch b/queue-5.4/syscalls-x86-fix-function-types-in-cond_syscall.patch
new file mode 100644
index 00000000000..68bd6af449d
--- /dev/null
+++ b/queue-5.4/syscalls-x86-fix-function-types-in-cond_syscall.patch
@@ -0,0 +1,80 @@
+From 6e4847640c6aebcaa2d9b3686cecc91b41f09269 Mon Sep 17 00:00:00 2001
+From: Sami Tolvanen
+Date: Tue, 8 Oct 2019 15:40:49 -0700
+Subject: syscalls/x86: Fix function types in COND_SYSCALL
+
+From: Sami Tolvanen
+
+commit 6e4847640c6aebcaa2d9b3686cecc91b41f09269 upstream.
+
+Define a weak function in COND_SYSCALL instead of a weak alias to
+sys_ni_syscall(), which has an incompatible type. This fixes indirect
+call mismatches with Control-Flow Integrity (CFI) checking.
+
+Signed-off-by: Sami Tolvanen
+Acked-by: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: H . Peter Anvin
+Cc: Kees Cook
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20191008224049.115427-6-samitolvanen@google.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/syscall_wrapper.h | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/include/asm/syscall_wrapper.h
++++ b/arch/x86/include/asm/syscall_wrapper.h
+@@ -6,6 +6,8 @@
+ #ifndef _ASM_X86_SYSCALL_WRAPPER_H
+ #define _ASM_X86_SYSCALL_WRAPPER_H
+
++struct pt_regs;
++
+ /* Mapping of registers to parameters for syscalls on x86-64 and x32 */
+ #define SC_X86_64_REGS_TO_ARGS(x, ...) \
+ __MAP(x,__SC_ARGS \
+@@ -64,9 +66,15 @@
+ SYSCALL_ALIAS(__ia32_sys_##sname, __x64_sys_##sname); \
+ asmlinkage long __x64_sys_##sname(const struct pt_regs *__unused)
+
+-#define COND_SYSCALL(name) \
+- cond_syscall(__x64_sys_##name); \
+- cond_syscall(__ia32_sys_##name)
++#define COND_SYSCALL(name) \
++ asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \
++ { \
++ return sys_ni_syscall(); \
++ } \
++ asmlinkage __weak long __ia32_sys_##name(const struct pt_regs *__unused)\
++ { \
++ return sys_ni_syscall(); \
++ }
+
+ #define SYS_NI(name) \
+ SYSCALL_ALIAS(__x64_sys_##name, sys_ni_posix_timers); \
+@@ -218,7 +226,11 @@
+ #endif
+
+ #ifndef COND_SYSCALL
+-#define COND_SYSCALL(name) cond_syscall(__x64_sys_##name)
++#define COND_SYSCALL(name) \
++ asmlinkage __weak long __x64_sys_##name(const struct pt_regs *__unused) \
++ { \
++ return sys_ni_syscall(); \
++ }
+ #endif
+
+ #ifndef SYS_NI
+@@ -230,7 +242,6 @@
+ * For VSYSCALLS, we need to declare these three syscalls with the new
+ * pt_regs-based calling convention for in-kernel use.
+ */
+-struct pt_regs;
+ asmlinkage long __x64_sys_getcpu(const struct pt_regs *regs);
+ asmlinkage long __x64_sys_gettimeofday(const struct pt_regs *regs);
+ asmlinkage long __x64_sys_time(const struct pt_regs *regs);
diff --git a/queue-5.4/syscalls-x86-use-compat_syscall_define0-for-ia32-rt_-sigreturn.patch b/queue-5.4/syscalls-x86-use-compat_syscall_define0-for-ia32-rt_-sigreturn.patch
new file mode 100644
index 00000000000..df2b88007ad
--- /dev/null
+++ b/queue-5.4/syscalls-x86-use-compat_syscall_define0-for-ia32-rt_-sigreturn.patch
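Review bot: The rewritten `COND_SYSCALL` in arch/x86/include/asm/syscall_wrapper.h (both the two-stub form and the `#ifndef COND_SYSCALL` fallback) has no comment recording why a weak function replaced the weak alias, so a later cleanup could fold it back into an alias and reintroduce the type mismatch the commit message describes. I would put a short comment above each definition, for example `/* Weak stub rather than an alias to sys_ni_syscall(): the symbol must have the pt_regs-based prototype for CFI indirect-call checks. */`. The stubs also call `sys_ni_syscall()` while this header gains only the `struct pt_regs;` forward declaration, so users of the macro presumably rely on a `long sys_ni_syscall(void)` prototype from another header; that is not visible in this patch and is worth confirming on the 5.4 tree.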
@@ -0,0 +1,78 @@
+From 00198a6eaf66609de5e4de9163bb42c7ca9dd7b7 Mon Sep 17 00:00:00 2001
+From: Sami Tolvanen
+Date: Tue, 8 Oct 2019 15:40:47 -0700
+Subject: syscalls/x86: Use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
+
+From: Sami Tolvanen
+
+commit 00198a6eaf66609de5e4de9163bb42c7ca9dd7b7 upstream.
+
+Use COMPAT_SYSCALL_DEFINE0 to define (rt_)sigreturn() syscalls to
+replace sys32_sigreturn() and sys32_rt_sigreturn(). This fixes indirect
+call mismatches with Control-Flow Integrity (CFI) checking.
+
+Signed-off-by: Sami Tolvanen
+Acked-by: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: H . Peter Anvin
+Cc: Kees Cook
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20191008224049.115427-4-samitolvanen@google.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/entry/syscalls/syscall_32.tbl | 4 ++--
+ arch/x86/ia32/ia32_signal.c | 5 +++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/entry/syscalls/syscall_32.tbl
++++ b/arch/x86/entry/syscalls/syscall_32.tbl
+@@ -130,7 +130,7 @@
+ 116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo
+ 117 i386 ipc sys_ipc __ia32_compat_sys_ipc
+ 118 i386 fsync sys_fsync __ia32_sys_fsync
+-119 i386 sigreturn sys_sigreturn sys32_sigreturn
++119 i386 sigreturn sys_sigreturn __ia32_compat_sys_sigreturn
+ 120 i386 clone sys_clone __ia32_compat_sys_x86_clone
+ 121 i386 setdomainname sys_setdomainname __ia32_sys_setdomainname
+ 122 i386 uname sys_newuname __ia32_sys_newuname
+@@ -184,7 +184,7 @@
+ 170 i386 setresgid sys_setresgid16 __ia32_sys_setresgid16
+ 171 i386 getresgid sys_getresgid16 __ia32_sys_getresgid16
+ 172 i386 prctl sys_prctl __ia32_sys_prctl
+-173 i386 rt_sigreturn sys_rt_sigreturn sys32_rt_sigreturn
++173 i386 rt_sigreturn sys_rt_sigreturn __ia32_compat_sys_rt_sigreturn
+ 174 i386 rt_sigaction sys_rt_sigaction __ia32_compat_sys_rt_sigaction
+ 175 i386 rt_sigprocmask sys_rt_sigprocmask __ia32_compat_sys_rt_sigprocmask
+ 176 i386 rt_sigpending sys_rt_sigpending __ia32_compat_sys_rt_sigpending
+--- a/arch/x86/ia32/ia32_signal.c
++++ b/arch/x86/ia32/ia32_signal.c
+@@ -21,6 +21,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -118,7 +119,7 @@ static int ia32_restore_sigcontext(struc
+ return err;
+ }
+
+-asmlinkage long sys32_sigreturn(void)
++COMPAT_SYSCALL_DEFINE0(sigreturn)
+ {
+ struct pt_regs *regs = current_pt_regs();
+ struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8);
+@@ -144,7 +145,7 @@ badframe:
+ return 0;
+ }
+
+-asmlinkage long sys32_rt_sigreturn(void)
++COMPAT_SYSCALL_DEFINE0(rt_sigreturn)
+ {
+ struct pt_regs *regs = current_pt_regs();
+ struct rt_sigframe_ia32 __user *frame;
diff --git a/queue-5.4/syscalls-x86-use-the-correct-function-type-for-sys_ni_syscall.patch b/queue-5.4/syscalls-x86-use-the-correct-function-type-for-sys_ni_syscall.patch
new file mode 100644
index 00000000000..9dc8e29e6dd
--- /dev/null
+++ b/queue-5.4/syscalls-x86-use-the-correct-function-type-for-sys_ni_syscall.patch
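Review bot: The syscall_32.tbl rows 119 and 173 and the two definitions in arch/x86/ia32/ia32_signal.c drop the names `sys32_sigreturn` and `sys32_rt_sigreturn`, but no hunk here removes a prototype for them; if the 5.4 tree still declares either one in a header, that declaration is left dangling and should be deleted in the same backport. Both bodies keep `struct pt_regs *regs = current_pt_regs();` although the generated `__ia32_compat_sys_*` stub is handed `regs`, which is correct only because the zero-argument define forwards nothing; a comment such as `/* COMPAT_SYSCALL_DEFINE0 forwards no arguments, so fetch regs here */` would explain it. Both function bodies continue outside the hunks, so the rest of the signal-frame handling is not reviewed here.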
@@ -0,0 +1,117 @@
+From f48f01a92cca09e86d46c91d8edf9d5a71c61727 Mon Sep 17 00:00:00 2001
+From: Sami Tolvanen
+Date: Tue, 8 Oct 2019 15:40:48 -0700
+Subject: syscalls/x86: Use the correct function type for sys_ni_syscall
+
+From: Sami Tolvanen
+
+commit f48f01a92cca09e86d46c91d8edf9d5a71c61727 upstream.
+
+Use the correct function type for sys_ni_syscall() in system
+call tables to fix indirect call mismatches with Control-Flow
+Integrity (CFI) checking.
+
+Signed-off-by: Sami Tolvanen
+Acked-by: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: H . Peter Anvin
+Cc: Kees Cook
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20191008224049.115427-5-samitolvanen@google.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/entry/syscall_32.c | 8 +++-----
+ arch/x86/entry/syscall_64.c | 14 ++++++++++----
+ arch/x86/entry/syscalls/syscall_32.tbl | 4 ++--
+ 3 files changed, 15 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/entry/syscall_32.c
++++ b/arch/x86/entry/syscall_32.c
+@@ -10,13 +10,11 @@
+ #ifdef CONFIG_IA32_EMULATION
+ /* On X86_64, we use struct pt_regs * to pass parameters to syscalls */
+ #define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *);
+-
+-/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */
+-extern asmlinkage long sys_ni_syscall(const struct pt_regs *);
+-
++#define __sys_ni_syscall __ia32_sys_ni_syscall
+ #else /* CONFIG_IA32_EMULATION */
+ #define __SYSCALL_I386(nr, sym, qual) extern asmlinkage long sym(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);
+ extern asmlinkage long sys_ni_syscall(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);
++#define __sys_ni_syscall sys_ni_syscall
+ #endif /* CONFIG_IA32_EMULATION */
+
+ #include
+@@ -29,6 +27,6 @@ __visible const sys_call_ptr_t ia32_sys_
+ * Smells like a compiler bug -- it doesn't work
+ * when the & below is removed.
+ */
+- [0 ... __NR_syscall_compat_max] = &sys_ni_syscall,
++ [0 ... __NR_syscall_compat_max] = &__sys_ni_syscall,
+ #include
+ };
+--- a/arch/x86/entry/syscall_64.c
++++ b/arch/x86/entry/syscall_64.c
+@@ -4,11 +4,17 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+-/* this is a lie, but it does not hurt as sys_ni_syscall just returns -EINVAL */
+-extern asmlinkage long sys_ni_syscall(const struct pt_regs *);
++extern asmlinkage long sys_ni_syscall(void);
++
++SYSCALL_DEFINE0(ni_syscall)
++{
++ return sys_ni_syscall();
++}
++
+ #define __SYSCALL_64(nr, sym, qual) extern asmlinkage long sym(const struct pt_regs *);
+ #define __SYSCALL_X32(nr, sym, qual) __SYSCALL_64(nr, sym, qual)
+ #include
+@@ -23,7 +29,7 @@ asmlinkage const sys_call_ptr_t sys_call
+ * Smells like a compiler bug -- it doesn't work
+ * when the & below is removed.
+ */
+- [0 ... __NR_syscall_max] = &sys_ni_syscall,
++ [0 ... __NR_syscall_max] = &__x64_sys_ni_syscall,
+ #include
+ };
+
+@@ -40,7 +46,7 @@ asmlinkage const sys_call_ptr_t x32_sys_
+ * Smells like a compiler bug -- it doesn't work
+ * when the & below is removed.
+ */
+- [0 ... __NR_syscall_x32_max] = &sys_ni_syscall,
++ [0 ... __NR_syscall_x32_max] = &__x64_sys_ni_syscall,
+ #include
+ };
+
+--- a/arch/x86/entry/syscalls/syscall_32.tbl
++++ b/arch/x86/entry/syscalls/syscall_32.tbl
+@@ -124,7 +124,7 @@
+ 110 i386 iopl sys_iopl __ia32_sys_iopl
+ 111 i386 vhangup sys_vhangup __ia32_sys_vhangup
+ 112 i386 idle
+-113 i386 vm86old sys_vm86old sys_ni_syscall
++113 i386 vm86old sys_vm86old __ia32_sys_ni_syscall
+ 114 i386 wait4 sys_wait4 __ia32_compat_sys_wait4
+ 115 i386 swapoff sys_swapoff __ia32_sys_swapoff
+ 116 i386 sysinfo sys_sysinfo __ia32_compat_sys_sysinfo
+@@ -177,7 +177,7 @@
+ 163 i386 mremap sys_mremap __ia32_sys_mremap
+ 164 i386 setresuid sys_setresuid16 __ia32_sys_setresuid16
+ 165 i386 getresuid sys_getresuid16 __ia32_sys_getresuid16
+-166 i386 vm86 sys_vm86 sys_ni_syscall
++166 i386 vm86 sys_vm86 __ia32_sys_ni_syscall
+ 167 i386 query_module
+ 168 i386 poll sys_poll __ia32_sys_poll
+ 169 i386 nfsservctl
diff --git a/queue-5.4/syscalls-x86-wire-up-compat_syscall_define0.patch b/queue-5.4/syscalls-x86-wire-up-compat_syscall_define0.patch
new file mode 100644
index 00000000000..e74460d136d
--- /dev/null
+++ b/queue-5.4/syscalls-x86-wire-up-compat_syscall_define0.patch
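Review bot: In arch/x86/entry/syscall_32.c the added `#define __sys_ni_syscall __ia32_sys_ni_syscall` names a symbol that nothing in that file declares or defines. It appears to be produced by the `SYSCALL_DEFINE0(ni_syscall)` added to syscall_64.c, with its prototype reaching syscall_32.c only through the `.tbl` rows 113 and 166 that now reference it; that is an inference from the visible hunks and should be checked. I would state the link where the macro is defined, `/* __ia32_sys_ni_syscall comes from SYSCALL_DEFINE0(ni_syscall) in syscall_64.c */`, and replace the deleted "this is a lie" comment above the new wrapper with `/* pt_regs-typed wrapper so the default table entry has the same type as every other sys_call_ptr_t slot */`.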
@@ -0,0 +1,98 @@
+From cf3b83e19d7c928e05a5d193c375463182c6029a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Tue, 8 Oct 2019 15:40:46 -0700
+Subject: syscalls/x86: Wire up COMPAT_SYSCALL_DEFINE0
+
+From: Andy Lutomirski
+
+commit cf3b83e19d7c928e05a5d193c375463182c6029a upstream.
+
+x86 has special handling for COMPAT_SYSCALL_DEFINEx, but there was
+no override for COMPAT_SYSCALL_DEFINE0. Wire it up so that we can
+use it for rt_sigreturn.
+
+Signed-off-by: Andy Lutomirski
+Signed-off-by: Sami Tolvanen
+Cc: Borislav Petkov
+Cc: H . Peter Anvin
+Cc: Kees Cook
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20191008224049.115427-3-samitolvanen@google.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/syscall_wrapper.h | 32 ++++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/syscall_wrapper.h
++++ b/arch/x86/include/asm/syscall_wrapper.h
+@@ -28,13 +28,21 @@
+ * kernel/sys_ni.c and SYS_NI in kernel/time/posix-stubs.c to cover this
+ * case as well.
+ */
++#define __IA32_COMPAT_SYS_STUB0(x, name) \
++ asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs);\
++ ALLOW_ERROR_INJECTION(__ia32_compat_sys_##name, ERRNO); \
++ asmlinkage long __ia32_compat_sys_##name(const struct pt_regs *regs)\
++ { \
++ return __se_compat_sys_##name(); \
++ }
++
+ #define __IA32_COMPAT_SYS_STUBx(x, name, ...) \
+ asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs);\
+ ALLOW_ERROR_INJECTION(__ia32_compat_sys##name, ERRNO); \
+ asmlinkage long __ia32_compat_sys##name(const struct pt_regs *regs)\
+ { \
+ return __se_compat_sys##name(SC_IA32_REGS_TO_ARGS(x,__VA_ARGS__));\
+- } \
++ }
+
+ #define __IA32_SYS_STUBx(x, name, ...) \
+ asmlinkage long __ia32_sys##name(const struct pt_regs *regs); \
+@@ -76,15 +84,24 @@
+ * of the x86-64-style parameter ordering of x32 syscalls. The syscalls common
+ * with x86_64 obviously do not need such care.
+ */
++#define __X32_COMPAT_SYS_STUB0(x, name, ...) \
++ asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs);\
++ ALLOW_ERROR_INJECTION(__x32_compat_sys_##name, ERRNO); \
++ asmlinkage long __x32_compat_sys_##name(const struct pt_regs *regs)\
++ { \
++ return __se_compat_sys_##name();\
++ }
++
+ #define __X32_COMPAT_SYS_STUBx(x, name, ...) \
+ asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs);\
+ ALLOW_ERROR_INJECTION(__x32_compat_sys##name, ERRNO); \
+ asmlinkage long __x32_compat_sys##name(const struct pt_regs *regs)\
+ { \
+ return __se_compat_sys##name(SC_X86_64_REGS_TO_ARGS(x,__VA_ARGS__));\
+- } \
++ }
+
+ #else /* CONFIG_X86_X32 */
++#define __X32_COMPAT_SYS_STUB0(x, name)
+ #define __X32_COMPAT_SYS_STUBx(x, name, ...)
+ #endif /* CONFIG_X86_X32 */
+
+@@ -95,6 +112,17 @@
+ * mapping of registers to parameters, we need to generate stubs for each
+ * of them.
+ */
++#define COMPAT_SYSCALL_DEFINE0(name) \
++ static long __se_compat_sys_##name(void); \
++ static inline long __do_compat_sys_##name(void); \
++ __IA32_COMPAT_SYS_STUB0(x, name) \
++ __X32_COMPAT_SYS_STUB0(x, name) \
++ static long __se_compat_sys_##name(void) \
++ { \
++ return __do_compat_sys_##name(); \
++ } \
++ static inline long __do_compat_sys_##name(void)
++
+ #define COMPAT_SYSCALL_DEFINEx(x, name, ...) \
+ static long __se_compat_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \
+ static inline long __do_compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\
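Review bot: `__X32_COMPAT_SYS_STUB0` is declared as `(x, name, ...)` in the CONFIG_X86_X32 branch but as `(x, name)` in the `#else` branch, and `COMPAT_SYSCALL_DEFINE0(name)` passes a bare `x` that is not one of its own parameters and that neither STUB0 body uses. Dropping the unused arguments keeps the two branches in step: `#define __IA32_COMPAT_SYS_STUB0(name)`, `#define __X32_COMPAT_SYS_STUB0(name)`, and `__IA32_COMPAT_SYS_STUB0(name)` / `__X32_COMPAT_SYS_STUB0(name)` at the call site. The STUB0 macros paste `__ia32_compat_sys_##name` with an underscore while the STUBx macros paste `__ia32_compat_sys##name`, presumably because the x-argument form receives the name with its leading underscore already attached; a one-line comment saying so above `COMPAT_SYSCALL_DEFINE0` would save the next reader from working it out. Since this is a stable backport, any such cleanup would belong upstream first rather than in this queue file.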