From: Greg Kroah-Hartman
Date: Wed, 20 Mar 2019 20:25:35 +0000 (+0100)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.137~55
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a0fa28a3ecde3c9eff617822b7416222aae5ee7e;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch
mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch
parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch
---
diff --git a/queue-3.18/kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch b/queue-3.18/kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch
new file mode 100644
index 00000000000..0129d1e4002
--- /dev/null
+++ b/queue-3.18/kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch
@@ -0,0 +1,52 @@
+From 8cf7630b29701d364f8df4a50e4f1f5e752b2778 Mon Sep 17 00:00:00 2001
+From: Zev Weiss
+Date: Mon, 11 Mar 2019 23:28:02 -0700
+Subject: kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
+
+From: Zev Weiss
+
+commit 8cf7630b29701d364f8df4a50e4f1f5e752b2778 upstream.
+
+This bug has apparently existed since the introduction of this function
+in the pre-git era (4500e91754d3 in Thomas Gleixner's history.git,
+"[NET]: Add proc_dointvec_userhz_jiffies, use it for proper handling of
+neighbour sysctls.").
+
+As a minimal fix we can simply duplicate the corresponding check in
+do_proc_dointvec_conv().
+
+Link: http://lkml.kernel.org/r/20190207123426.9202-3-zev@bewilderbeest.net
+Signed-off-by: Zev Weiss
+Cc: Brendan Higgins
+Cc: Iurii Zaikin
+Cc: Kees Cook
+Cc: Luis Chamberlain
+Cc: [2.6.2+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sysctl.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2153,7 +2153,16 @@ static int do_proc_dointvec_minmax_conv(
+ {
+ struct do_proc_dointvec_minmax_conv_param *param = data;
+ if (write) {
+- int val = *negp ? -*lvalp : *lvalp;
++ int val;
++ if (*negp) {
++ if (*lvalp > (unsigned long) INT_MAX + 1)
++ return -EINVAL;
++ val = -*lvalp;
++ } else {
++ if (*lvalp > (unsigned long) INT_MAX)
++ return -EINVAL;
++ val = *lvalp;
++ }
+ if ((param->min && *param->min > val) ||
+ (param->max && *param->max < val))
+ return -EINVAL;
diff --git a/queue-3.18/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch b/queue-3.18/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch
new file mode 100644
index 00000000000..c17b68e99ae
--- /dev/null
+++ b/queue-3.18/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch
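Review bot: The negative branch added at `val = -*lvalp;` depends on the unsigned-long negation wrapping and the result then converting to int, which is implementation-defined in C and only well-behaved here because the preceding `*lvalp > (unsigned long) INT_MAX + 1` test keeps the converted value inside INT_MIN..-1; nothing in the hunk says so. A one-line comment would pin the boundary: `/* *lvalp <= INT_MAX + 1 here, so -*lvalp truncates to INT_MIN..-1 */`. The removed line shows why the check matters: a written value outside the int range was truncated before the min/max comparison, so the clamp could be passed by an out-of-range number. Mirroring do_proc_dointvec_conv()'s check rather than sharing a helper is acceptable for a stable backport but leaves two copies to keep in sync. do_proc_dointvec_minmax_conv's signature and the rest of its body lie outside the hunk.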
@@ -0,0 +1,86 @@
+From 401592d2e095947344e10ec0623adbcd58934dd4 Mon Sep 17 00:00:00 2001
+From: Roman Penyaev
+Date: Tue, 5 Mar 2019 15:43:20 -0800
+Subject: mm/vmalloc: fix size check for remap_vmalloc_range_partial()
+
+From: Roman Penyaev
+
+commit 401592d2e095947344e10ec0623adbcd58934dd4 upstream.
+
+When VM_NO_GUARD is not set area->size includes adjacent guard page,
+thus for correct size checking get_vm_area_size() should be used, but
+not area->size.
+
+This fixes possible kernel oops when userspace tries to mmap an area on
+1 page bigger than was allocated by vmalloc_user() call: the size check
+inside remap_vmalloc_range_partial() accounts non-existing guard page
+also, so check successfully passes but vmalloc_to_page() returns NULL
+(guard page does not physically exist).
+
+The following code pattern example should trigger an oops:
+
+ static int oops_mmap(struct file *file, struct vm_area_struct *vma)
+ {
+ void *mem;
+
+ mem = vmalloc_user(4096);
+ BUG_ON(!mem);
+ /* Do not care about mem leak */
+
+ return remap_vmalloc_range(vma, mem, 0);
+ }
+
+And userspace simply mmaps size + PAGE_SIZE:
+
+ mmap(NULL, 8192, PROT_WRITE|PROT_READ, MAP_PRIVATE, fd, 0);
+
+Possible candidates for oops which do not have any explicit size
+checks:
+
+ *** drivers/media/usb/stkwebcam/stk-webcam.c:
+ v4l_stk_mmap[789] ret = remap_vmalloc_range(vma, sbuf->buffer, 0);
+
+Or the following one:
+
+ *** drivers/video/fbdev/core/fbmem.c
+ static int
+ fb_mmap(struct file *file, struct vm_area_struct * vma)
+ ...
+ res = fb->fb_mmap(info, vma);
+
+Where fb_mmap callback calls remap_vmalloc_range() directly without any
+explicit checks:
+
+ *** drivers/video/fbdev/vfb.c
+ static int vfb_mmap(struct fb_info *info,
+ struct vm_area_struct *vma)
+ {
+ return remap_vmalloc_range(vma, (void *)info->fix.smem_start, vma->vm_pgoff);
+ }
+
+Link: http://lkml.kernel.org/r/20190103145954.16942-2-rpenyaev@suse.de
+Signed-off-by: Roman Penyaev
+Acked-by: Michal Hocko
+Cc: Andrey Ryabinin
+Cc: Joe Perches
+Cc: "Luis R. Rodriguez"
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/vmalloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -2140,7 +2140,7 @@ int remap_vmalloc_range_partial(struct v
+ if (!(area->flags & VM_USERMAP))
+ return -EINVAL;
+
+- if (kaddr + size > area->addr + area->size)
++ if (kaddr + size > area->addr + get_vm_area_size(area))
+ return -EINVAL;
+
+ do {
diff --git a/queue-3.18/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch b/queue-3.18/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch
new file mode 100644
index 00000000000..0deff712d87
--- /dev/null
+++ b/queue-3.18/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch
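Review bot: The corrected bound at `kaddr + size > area->addr + get_vm_area_size(area)` still forms `kaddr + size` before testing it, so a `size` large enough to wrap the pointer past the end of the address space would pass the comparison and reach the page loop below; the hunk does not show where `size` comes from, but the description's mmap example suggests the length is caller-controlled. Comparing the length against the area before doing pointer arithmetic avoids the wrap, e.g. `if (size > get_vm_area_size(area) || (unsigned long)(kaddr - area->addr) > get_vm_area_size(area) - size) return -EINVAL;`, assuming `kaddr` already lies inside `area`, which the lookup that produced `area` presumably guarantees. remap_vmalloc_range_partial begins and ends outside the hunk.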
@@ -0,0 +1,40 @@
+From 21698fd57984cd28207d841dbdaa026d6061bceb Mon Sep 17 00:00:00 2001
+From: QiaoChong
+Date: Sat, 9 Feb 2019 20:59:07 +0000
+Subject: parport_pc: fix find_superio io compare code, should use equal test.
+
+From: QiaoChong
+
+commit 21698fd57984cd28207d841dbdaa026d6061bceb upstream.
+
+In the original code before 181bf1e815a2 the loop was continuing until
+it finds the first matching superios[i].io and p->base.
+But after 181bf1e815a2 the logic changed and the loop now returns the
+pointer to the first mismatched array element which is then used in
+get_superio_dma() and get_superio_irq() and thus returning the wrong
+value.
+Fix the condition so that it now returns the correct pointer.
+
+Fixes: 181bf1e815a2 ("parport_pc: clean up the modified while loops using for")
+Cc: Alan Cox
+Cc: stable@vger.kernel.org
+Signed-off-by: QiaoChong
+[rewrite the commit message]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/parport/parport_pc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/parport/parport_pc.c
++++ b/drivers/parport/parport_pc.c
+@@ -1377,7 +1377,7 @@ static struct superio_struct *find_super
+ {
+ int i;
+ for (i = 0; i < NR_SUPERIOS; i++)
+- if (superios[i].io != p->base)
++ if (superios[i].io == p->base)
+ return &superios[i];
+ return NULL;
+ }
diff --git a/queue-3.18/series b/queue-3.18/series
index 04796715162..ffbe20f0cc3 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -119,3 +119,6 @@ crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch
 cpufreq-pxa2xx-remove-incorrect-__init-annotation.patch
 ext4-fix-crash-during-online-resizing.patch
 ext2-fix-underflow-in-ext2_max_size.patch
+mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch
+kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch
+parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch
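Review bot: find_superio carries no comment stating what the corrected loop returns, and an inverted test that went unnoticed through a refactor suggests the contract is worth stating next to the code; a header such as `/* Return the superios[] entry whose io base equals p->base, or NULL if none matches. */` above the function would do that. If unused `superios[]` slots are zero-filled, which the hunk does not show, a port with `p->base == 0` would match such a slot, so it is worth confirming that callers never pass one. The function's signature sits in the hunk header, outside the hunk body.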