From: Greg Kroah-Hartman
Date: Sun, 6 Oct 2019 14:53:13 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.9.196~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9acd22f9fe6a9f707f0f2a925dab04c34f375484;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
---
diff --git a/queue-4.4/series b/queue-4.4/series
index 05c620efaa2..b6d352dde22 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -31,3 +31,5 @@ sch_dsmark-fix-potential-null-deref-in-dsmark_init.patch
 xen-netfront-do-not-use-0u-as-error-return-value-for-xennet_fill_frags.patch
 net-rds-fix-error-handling-in-rds_ib_add_one.patch
 sch_cbq-validate-tca_cbq_wrropt-to-avoid-crash.patch
+smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
+smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
diff --git a/queue-4.4/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch b/queue-4.4/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
new file mode 100644
index 00000000000..67021e8a307
--- /dev/null
+++ b/queue-4.4/smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
@@ -0,0 +1,50 @@
+From 3675f052b43ba51b99b85b073c7070e083f3e6fb Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Thu, 4 Jul 2019 20:44:44 +0200
+Subject: Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
+
+From: Jann Horn
+
+commit 3675f052b43ba51b99b85b073c7070e083f3e6fb upstream.
+
+There is a logic bug in the current smack_bprm_set_creds():
+If LSM_UNSAFE_PTRACE is set, but the ptrace state is deemed to be
+acceptable (e.g. because the ptracer detached in the meantime), the other
+->unsafe flags aren't checked. As far as I can tell, this means that
+something like the following could work (but I haven't tested it):
+
+ - task A: create task B with fork()
+ - task B: set NO_NEW_PRIVS
+ - task B: install a seccomp filter that makes open() return 0 under some
+ conditions
+ - task B: replace fd 0 with a malicious library
+ - task A: attach to task B with PTRACE_ATTACH
+ - task B: execve() a file with an SMACK64EXEC extended attribute
+ - task A: while task B is still in the middle of execve(), exit (which
+ destroys the ptrace relationship)
+
+Make sure that if any flags other than LSM_UNSAFE_PTRACE are set in
+bprm->unsafe, we reject the execve().
+
+Cc: stable@vger.kernel.org
+Fixes: 5663884caab1 ("Smack: unify all ptrace accesses in the smack")
+Signed-off-by: Jann Horn
+Signed-off-by: Casey Schaufler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/smack/smack_lsm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -932,7 +932,8 @@ static int smack_bprm_set_creds(struct l
+
+ if (rc != 0)
+ return rc;
+- } else if (bprm->unsafe)
++ }
++ if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)
+ return -EPERM;
+
+ bsp->smk_task = isp->smk_task;
diff --git a/queue-4.4/smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch b/queue-4.4/smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
new file mode 100644
index 00000000000..9319c16b9e3
--- /dev/null
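Review bot: The new test `if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)` is carried over unchanged from an upstream tree that no longer has LSM_UNSAFE_PTRACE_CAP, but that flag still exists in 4.4 (it was only dropped upstream in 4.10), and the opening condition of this block, which lies outside the hunk, presumably still tests `LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP` as the Fixes: commit did. If that is the case, a tracer holding CAP_SYS_PTRACE sets only the _CAP bit, passes the smk_ptrace_rule_check() whose `rc` is tested just above, and is then refused here with -EPERM, so exec of a SMACK64EXEC-labelled file under a privileged debugger would regress; it fails closed rather than opening a bypass, but it should be checked against the 4.4 source and, if confirmed, the backport should read `if (bprm->unsafe & ~(LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP))`. Separately, the unconditional deny deserves a one-line comment so the old `else` is not re-introduced by a later cleanup, e.g. `/* A tracer that has since detached excuses nothing else: SHARE and NO_NEW_PRIVS still deny the label transition. */`. smack_bprm_set_creds() starts and ends outside the hunk.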
+++ b/queue-4.4/smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
@@ -0,0 +1,57 @@
+From e5bfad3d7acc5702f32aafeb388362994f4d7bd0 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Wed, 21 Aug 2019 22:54:41 -0700
+Subject: smack: use GFP_NOFS while holding inode_smack::smk_lock
+
+From: Eric Biggers
+
+commit e5bfad3d7acc5702f32aafeb388362994f4d7bd0 upstream.
+
+inode_smack::smk_lock is taken during smack_d_instantiate(), which is
+called during a filesystem transaction when creating a file on ext4.
+Therefore to avoid a deadlock, all code that takes this lock must use
+GFP_NOFS, to prevent memory reclaim from waiting for the filesystem
+transaction to complete.
+
+Reported-by: syzbot+0eefc1e06a77d327a056@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Casey Schaufler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/smack/smack_access.c | 4 ++--
+ security/smack/smack_lsm.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -474,7 +474,7 @@ char *smk_parse_smack(const char *string
+ if (i == 0 || i >= SMK_LONGLABEL)
+ return ERR_PTR(-EINVAL);
+
+- smack = kzalloc(i + 1, GFP_KERNEL);
++ smack = kzalloc(i + 1, GFP_NOFS);
+ if (smack == NULL)
+ return ERR_PTR(-ENOMEM);
+
+@@ -545,7 +545,7 @@ struct smack_known *smk_import_entry(con
+ if (skp != NULL)
+ goto freeout;
+
+- skp = kzalloc(sizeof(*skp), GFP_KERNEL);
++ skp = kzalloc(sizeof(*skp), GFP_NOFS);
+ if (skp == NULL) {
+ skp = ERR_PTR(-ENOMEM);
+ goto freeout;
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -268,7 +268,7 @@ static struct smack_known *smk_fetch(con
+ if (ip->i_op->getxattr == NULL)
+ return ERR_PTR(-EOPNOTSUPP);
+
+- buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL);
++ buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS);
+ if (buffer == NULL)
+ return ERR_PTR(-ENOMEM);
+
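Review bot: The three kzalloc() sites switched to GFP_NOFS carry no comment explaining the constraint, and because the smk_lock dependency described in the commit message is invisible at these call sites (smk_parse_smack() and smk_import_entry() appear to be generic label helpers, not obviously tied to smack_d_instantiate()), a later "cleanup" is likely to put GFP_KERNEL back and silently re-open the reclaim-vs-transaction deadlock. I would add a short comment at each changed line, e.g. `/* GFP_NOFS: reachable under inode_smack::smk_lock from smack_d_instantiate() inside an fs transaction; reclaim must not re-enter the filesystem. */`. The flag also becomes unconditional for callers that never hold the lock, which as far as I can tell is the only option in 4.4 since a scoped memalloc_nofs_save() was added upstream later; that trade-off is worth a sentence in the same comment so the restriction can be narrowed if the helpers are ever refactored. All three enclosing functions start and end outside their hunks.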