From: Greg Kroah-Hartman
Date: Fri, 29 Jan 2021 10:40:35 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v4.4.254~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b33f51ca7501b0f6a138e48f847b39128b364b71;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
printk-fix-buffer-overflow-potential-for-print_text.patch
printk-fix-string-termination-for-record_print_text.patch
tools-factor-hostcc-hostld-hostar-definitions.patch
---

diff --git a/queue-5.10/printk-fix-buffer-overflow-potential-for-print_text.patch b/queue-5.10/printk-fix-buffer-overflow-potential-for-print_text.patch
new file mode 100644
index 00000000000..495eafb7f82
--- /dev/null
+++ b/queue-5.10/printk-fix-buffer-overflow-potential-for-print_text.patch
@@ -0,0 +1,116 @@
+From f0e386ee0c0b71ea6f7238506a4d0965a2dbef11 Mon Sep 17 00:00:00 2001
+From: John Ogness
+Date: Thu, 14 Jan 2021 18:10:12 +0106
+Subject: printk: fix buffer overflow potential for print_text()
+
+From: John Ogness
+
+commit f0e386ee0c0b71ea6f7238506a4d0965a2dbef11 upstream.
+
+Before the commit 896fbe20b4e2333fb55 ("printk: use the lockless
+ringbuffer"), msg_print_text() would only write up to size-1 bytes
+into the provided buffer. Some callers expect this behavior and
+append a terminator to returned string. In particular:
+
+arch/powerpc/xmon/xmon.c:dump_log_buf()
+arch/um/kernel/kmsg_dump.c:kmsg_dumper_stdout()
+
+msg_print_text() has been replaced by record_print_text(), which
+currently fills the full size of the buffer. This causes a
+buffer overflow for the above callers.
+
+Change record_print_text() so that it will only use size-1 bytes
+for text data. Also, for paranoia sakes, add a terminator after
+the text data.
+
+And finally, document this behavior so that it is clear that only
+size-1 bytes are used and a terminator is added.
+
+Fixes: 896fbe20b4e2333fb55 ("printk: use the lockless ringbuffer")
+Cc: stable@vger.kernel.org # 5.10+
+Signed-off-by: John Ogness
+Reviewed-by: Petr Mladek
+Acked-by: Sergey Senozhatsky
+Signed-off-by: Petr Mladek
+Link: https://lore.kernel.org/r/20210114170412.4819-1-john.ogness@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/printk/printk.c | 36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -1338,11 +1338,16 @@ static size_t info_print_prefix(const st
+ * done:
+ *
+ * - Add prefix for each line.
++ * - Drop truncated lines that no longer fit into the buffer.
+ * - Add the trailing newline that has been removed in vprintk_store().
+- * - Drop truncated lines that do not longer fit into the buffer.
++ * - Add a string terminator.
++ *
++ * Since the produced string is always terminated, the maximum possible
++ * return value is @r->text_buf_size - 1;
+ *
+ * Return: The length of the updated/prepared text, including the added
+- * prefixes and the newline. The dropped line(s) are not counted.
++ * prefixes and the newline. The terminator is not counted. The dropped
++ * line(s) are not counted.
+ */
+ static size_t record_print_text(struct printk_record *r, bool syslog,
+ bool time)
+@@ -1385,26 +1390,31 @@ static size_t record_print_text(struct p
+
+ /*
+ * Truncate the text if there is not enough space to add the
+- * prefix and a trailing newline.
++ * prefix and a trailing newline and a terminator.
+ */
+- if (len + prefix_len + text_len + 1 > buf_size) {
++ if (len + prefix_len + text_len + 1 + 1 > buf_size) {
+ /* Drop even the current line if no space. */
+- if (len + prefix_len + line_len + 1 > buf_size)
++ if (len + prefix_len + line_len + 1 + 1 > buf_size)
+ break;
+
+- text_len = buf_size - len - prefix_len - 1;
++ text_len = buf_size - len - prefix_len - 1 - 1;
+ truncated = true;
+ }
+
+ memmove(text + prefix_len, text, text_len);
+ memcpy(text, prefix, prefix_len);
+
++ /*
++ * Increment the prepared length to include the text and
++ * prefix that were just moved+copied. Also increment for the
++ * newline at the end of this line. If this is the last line,
++ * there is no newline, but it will be added immediately below.
++ */
+ len += prefix_len + line_len + 1;
+-
+ if (text_len == line_len) {
+ /*
+- * Add the trailing newline removed in
+- * vprintk_store().
++ * This is the last line. Add the trailing newline
++ * removed in vprintk_store().
+ */
+ text[prefix_len + line_len] = '\n';
+ break;
+@@ -1429,6 +1439,14 @@ static size_t record_print_text(struct p
+ text_len -= line_len + 1;
+ }
+
++ /*
++ * If a buffer was provided, it will be terminated. Space for the
++ * string terminator is guaranteed to be available. The terminator is
++ * not counted in the return value.
++ */
++ if (buf_size > 0)
++ text[len] = 0;
++
+ return len;
+ }
+
diff --git a/queue-5.10/printk-fix-string-termination-for-record_print_text.patch b/queue-5.10/printk-fix-string-termination-for-record_print_text.patch
new file mode 100644
index 00000000000..6dbf7da4262
--- /dev/null
+++ b/queue-5.10/printk-fix-string-termination-for-record_print_text.patch
@@ -0,0 +1,38 @@
+From 08d60e5999540110576e7c1346d486220751b7f9 Mon Sep 17 00:00:00 2001
+From: John Ogness
+Date: Sun, 24 Jan 2021 21:33:28 +0106
+Subject: printk: fix string termination for record_print_text()
+
+From: John Ogness
+
+commit 08d60e5999540110576e7c1346d486220751b7f9 upstream.
+
+Commit f0e386ee0c0b ("printk: fix buffer overflow potential for
+print_text()") added string termination in record_print_text().
+However it used the wrong base pointer for adding the terminator.
+This led to a 0-byte being written somewhere beyond the buffer.
+
+Use the correct base pointer when adding the terminator.
+
+Fixes: f0e386ee0c0b ("printk: fix buffer overflow potential for print_text()")
+Reported-by: Sven Schnelle
+Signed-off-by: John Ogness
+Signed-off-by: Petr Mladek
+Link: https://lore.kernel.org/r/20210124202728.4718-1-john.ogness@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/printk/printk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -1445,7 +1445,7 @@ static size_t record_print_text(struct p
+ * not counted in the return value.
+ */
+ if (buf_size > 0)
+- text[len] = 0;
++ r->text_buf[len] = 0;
+
+ return len;
+ }
diff --git a/queue-5.10/series b/queue-5.10/series
index fee46e1b10c..83a39a8a16a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
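Review bot: The `text[len] = 0;` store that printk-fix-buffer-overflow-potential-for-print_text.patch adds at the end of record_print_text() is not safe when that patch is applied on its own. The description of printk-fix-string-termination-for-record_print_text.patch, queued in the same commit, says `text` is the wrong base pointer there and that a 0-byte is written somewhere beyond the buffer. The series file lists the two patches back to back, so this queue ends up correct, but a tree that carries f0e386ee0c0b without 08d60e599954 has swapped the caller-side overflow for a stray out-of-bounds write. When auditing any other backport of the first fix, confirm the terminator line reads `r->text_buf[len] = 0;`. The body of record_print_text() starts and ends outside these hunks, so the claim about `text` rests on the follow-up's description rather than on visible code.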
@@ -27,3 +27,6 @@ io_uring-fix-sleeping-under-spin-in-__io_clean_op.patch
 objtool-don-t-fail-on-missing-symbol-table.patch
 mm-page_alloc-add-a-missing-mm_page_alloc_zone_locked-tracepoint.patch
 mm-fix-a-race-on-nr_swap_pages.patch
+tools-factor-hostcc-hostld-hostar-definitions.patch
+printk-fix-buffer-overflow-potential-for-print_text.patch
+printk-fix-string-termination-for-record_print_text.patch
diff --git a/queue-5.10/tools-factor-hostcc-hostld-hostar-definitions.patch b/queue-5.10/tools-factor-hostcc-hostld-hostar-definitions.patch
new file mode 100644
index 00000000000..e18a74f972c
--- /dev/null
+++ b/queue-5.10/tools-factor-hostcc-hostld-hostar-definitions.patch
@@ -0,0 +1,120 @@
+From c8a950d0d3b926a02c7b2e713850d38217cec3d1 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Brucker
+Date: Tue, 10 Nov 2020 17:43:05 +0100
+Subject: tools: Factor HOSTCC, HOSTLD, HOSTAR definitions
+
+From: Jean-Philippe Brucker
+
+commit c8a950d0d3b926a02c7b2e713850d38217cec3d1 upstream.
+
+Several Makefiles in tools/ need to define the host toolchain variables.
+Move their definition to tools/scripts/Makefile.include
+
+Signed-off-by: Jean-Philippe Brucker
+Signed-off-by: Andrii Nakryiko
+Acked-by: Jiri Olsa
+Acked-by: Rafael J. Wysocki
+Link: https://lore.kernel.org/bpf/20201110164310.2600671-2-jean-philippe@linaro.org
+Cc: Alistair Delva
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/bpf/resolve_btfids/Makefile | 9 ---------
+ tools/build/Makefile | 4 ----
+ tools/objtool/Makefile | 9 ---------
+ tools/perf/Makefile.perf | 4 ----
+ tools/power/acpi/Makefile.config | 1 -
+ tools/scripts/Makefile.include | 10 ++++++++++
+ 6 files changed, 10 insertions(+), 27 deletions(-)
+
+--- a/tools/bpf/resolve_btfids/Makefile
++++ b/tools/bpf/resolve_btfids/Makefile
+@@ -18,15 +18,6 @@ else
+ endif
+
+ # always use the host compiler
+-ifneq ($(LLVM),)
+-HOSTAR ?= llvm-ar
+-HOSTCC ?= clang
+-HOSTLD ?= ld.lld
+-else
+-HOSTAR ?= ar
+-HOSTCC ?= gcc
+-HOSTLD ?= ld
+-endif
+ AR = $(HOSTAR)
+ CC = $(HOSTCC)
+ LD = $(HOSTLD)
+--- a/tools/build/Makefile
++++ b/tools/build/Makefile
+@@ -15,10 +15,6 @@ endef
+ $(call allow-override,CC,$(CROSS_COMPILE)gcc)
+ $(call allow-override,LD,$(CROSS_COMPILE)ld)
+
+-HOSTCC ?= gcc
+-HOSTLD ?= ld
+-HOSTAR ?= ar
+-
+ export HOSTCC HOSTLD HOSTAR
+
+ ifeq ($(V),1)
+--- a/tools/objtool/Makefile
++++ b/tools/objtool/Makefile
+@@ -3,15 +3,6 @@ include ../scripts/Makefile.include
+ include ../scripts/Makefile.arch
+
+ # always use the host compiler
+-ifneq ($(LLVM),)
+-HOSTAR ?= llvm-ar
+-HOSTCC ?= clang
+-HOSTLD ?= ld.lld
+-else
+-HOSTAR ?= ar
+-HOSTCC ?= gcc
+-HOSTLD ?= ld
+-endif
+ AR = $(HOSTAR)
+ CC = $(HOSTCC)
+ LD = $(HOSTLD)
+--- a/tools/perf/Makefile.perf
++++ b/tools/perf/Makefile.perf
+@@ -175,10 +175,6 @@ endef
+
+ LD += $(EXTRA_LDFLAGS)
+
+-HOSTCC ?= gcc
+-HOSTLD ?= ld
+-HOSTAR ?= ar
+-
+ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
+ LLVM_CONFIG ?= llvm-config
+
+--- a/tools/power/acpi/Makefile.config
++++ b/tools/power/acpi/Makefile.config
+@@ -54,7 +54,6 @@ INSTALL_SCRIPT = ${INSTALL_PROGRAM}
+ CROSS = #/usr/i386-linux-uclibc/usr/bin/i386-uclibc-
+ CROSS_COMPILE ?= $(CROSS)
+ LD = $(CC)
+-HOSTCC = gcc
+
+ # check if compiler option is supported
+ cc-supports = ${shell if $(CC) ${1} -S -o /dev/null -x c /dev/null > /dev/null 2>&1; then echo "$(1)"; fi;}
+--- a/tools/scripts/Makefile.include
++++ b/tools/scripts/Makefile.include
+@@ -59,6 +59,16 @@ $(call allow-override,LD,$(CROSS_COMPILE
+ $(call allow-override,CXX,$(CROSS_COMPILE)g++)
+ $(call allow-override,STRIP,$(CROSS_COMPILE)strip)
+
++ifneq ($(LLVM),)
++HOSTAR ?= llvm-ar
++HOSTCC ?= clang
++HOSTLD ?= ld.lld
++else
++HOSTAR ?= ar
++HOSTCC ?= gcc
++HOSTLD ?= ld
++endif
++
+ ifeq ($(CC_NO_CLANG), 1)
+ EXTRA_WARNINGS += -Wstrict-aliasing=3
+ endif
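Review bot: The removals in tools/build/Makefile, tools/perf/Makefile.perf, tools/bpf/resolve_btfids/Makefile and tools/power/acpi/Makefile.config only work if each file includes tools/scripts/Makefile.include before HOSTCC/HOSTLD/HOSTAR are first used. Only the tools/objtool hunk shows that include in its context, so the others should be confirmed against the 5.10 tree. In Makefile.config the old `HOSTCC = gcc` was unconditional; assuming the shared block is picked up there, the `HOSTCC ?= gcc` default means a HOSTCC inherited from the environment, or LLVM being set, now selects the host compiler for that build. A one-line comment above the new block in Makefile.include would make that explicit, for example `# Host toolchain defaults; HOSTCC/HOSTLD/HOSTAR already set by the caller take precedence`.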