From: Greg Kroah-Hartman Date: Sun, 2 Aug 2020 06:50:41 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.7.13~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9f1f4a4efba7a3262e81fb35bab98f67db8cf035;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch --- diff --git a/queue-4.4/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch b/queue-4.4/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch new file mode 100644 index 00000000000..8409b0b9f3e --- /dev/null +++ b/queue-4.4/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch 
@@ -0,0 +1,47 @@ +From bbc8a99e952226c585ac17477a85ef1194501762 Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Thu, 30 Jul 2020 15:20:26 -0400 +Subject: rds: Prevent kernel-infoleak in rds_notify_queue_get() + +From: Peilin Ye + +commit bbc8a99e952226c585ac17477a85ef1194501762 upstream. + +rds_notify_queue_get() is potentially copying uninitialized kernel stack +memory to userspace since the compiler may leave a 4-byte hole at the end +of `cmsg`. + +In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which +unfortunately does not always initialize that 4-byte hole. Fix it by using +memset() instead. + +Cc: stable@vger.kernel.org +Fixes: f037590fff30 ("rds: fix a leak of kernel memory") +Fixes: bdbe6fbc6a2f ("RDS: recv.c") +Suggested-by: Dan Carpenter +Signed-off-by: Peilin Ye +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/rds/recv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -301,12 +301,13 @@ static int rds_still_queued(struct rds_s + int rds_notify_queue_get(struct rds_sock *rs, struct msghdr *msghdr) + { + struct rds_notifier *notifier; +- struct rds_rdma_notify cmsg = { 0 }; /* fill holes with zero */ ++ struct rds_rdma_notify cmsg; + unsigned int count = 0, max_messages = ~0U; + unsigned long flags; + LIST_HEAD(copy); + int err = 0; + ++ memset(&cmsg, 0, sizeof(cmsg)); /* fill holes with zero */ + + /* put_cmsg copies to user space and thus may sleep. We can't do this + * with rs_lock held, so first grab as many notifications as we can stuff diff --git a/queue-4.4/series b/queue-4.4/series index d135d9783bb..3898fde2b88 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -17,3 +17,4 @@ arm-8986-1-hw_breakpoint-don-t-invoke-overflow-handl.patch x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch x86-vmlinux.lds-page-align-end-of-.page_aligned-sect.patch fbdev-detect-integer-underflow-at-struct-fbcon_ops-c.patch +rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch
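Review bot: The switch from `struct rds_rdma_notify cmsg = { 0 };` to an explicit `memset(&cmsg, 0, sizeof(cmsg));` in the net/rds/recv.c hunk is the right fix, not just a cosmetic one: a brace initializer only guarantees that named members are zeroed, and the compiler is free to leave padding bytes (here the 4-byte hole at the end of `cmsg`) with whatever was previously on the stack, so the later `put_cmsg()` call that copies `sizeof(cmsg)` bytes to userspace can still leak kernel stack contents; `memset()` over the full object size covers padding as well. Two small points for the backport: the new `memset()` is placed a blank line after the declarations and keeps the same `/* fill holes with zero */` comment, which is consistent with the original, and it would be worth stating in the queued patch that the same reasoning applies to any other `rds_rdma_notify`-style structs handed to `put_cmsg()` in this file so future changes do not reintroduce the `= { 0 }` pattern. The series hunk appends the patch at the end of queue-4.4/series, matching the file name added under queue-4.4/.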