From: Sasha Levin
Date: Mon, 28 Oct 2024 00:24:31 +0000 (-0400)
Subject: Fixes for 5.10
X-Git-Tag: v5.15.170~24^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b9b64c06fdb51ea4353e2898a03431f19702af6d;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 5.10
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/selinux-improve-error-checking-in-sel_write_load.patch b/queue-5.10/selinux-improve-error-checking-in-sel_write_load.patch
new file mode 100644
index 00000000000..d6fcdd76943
--- /dev/null
+++ b/queue-5.10/selinux-improve-error-checking-in-sel_write_load.patch
@@ -0,0 +1,95 @@
+From 2ca31f348583a7284513adda36f471302c676571 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Oct 2024 11:21:07 -0300
+Subject: selinux: improve error checking in sel_write_load()
+
+From: Paul Moore
+
+[ Upstream commit 42c773238037c90b3302bf37a57ae3b5c3f6004a ]
+
+Move our existing input sanity checking to the top of sel_write_load()
+and add a check to ensure the buffer size is non-zero.
+
+Move a local variable initialization from the declaration to before it
+is used.
+
+Minor style adjustments.
+
+Reported-by: Sam Sun
+Signed-off-by: Paul Moore
+[cascardo: keep fsi initialization at its declaration point as it is used earlier]
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Signed-off-by: Sasha Levin
+---
+ security/selinux/selinuxfs.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index d893c2280f595..7415f49a3d81e 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -620,6 +620,13 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
+ ssize_t length;
+ void *data = NULL;
+
++ /* no partial writes */
++ if (*ppos)
++ return -EINVAL;
++ /* no empty policies */
++ if (!count)
++ return -EINVAL;
++
+ mutex_lock(&fsi->state->policy_mutex);
+
+ length = avc_has_perm(&selinux_state,
+@@ -628,26 +635,21 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
+ if (length)
+ goto out;
+
+- /* No partial writes. */
+- length = -EINVAL;
+- if (*ppos != 0)
+- goto out;
+-
+- length = -ENOMEM;
+ data = vmalloc(count);
+- if (!data)
++ if (!data) {
++ length = -ENOMEM;
+ goto out;
+-
+- length = -EFAULT;
+- if (copy_from_user(data, buf, count) != 0)
++ }
++ if (copy_from_user(data, buf, count) != 0) {
++ length = -EFAULT;
+ goto out;
++ }
+
+ length = security_load_policy(fsi->state, data, count, &load_state);
+ if (length) {
+ pr_warn_ratelimited("SELinux: failed to load policy\n");
+ goto out;
+ }
+-
+ length = sel_make_policy_nodes(fsi, load_state.policy);
+ if (length) {
+ selinux_policy_cancel(fsi->state, &load_state);
+@@ -655,13 +657,12 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
+ }
+
+ selinux_policy_commit(fsi->state, &load_state);
+-
+ length = count;
+-
+ audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
+ "auid=%u ses=%u lsm=selinux res=1",
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ audit_get_sessionid(current));
++
+ out:
+ mutex_unlock(&fsi->state->policy_mutex);
+ vfree(data);
+--
+2.43.0
+
diff --git a/queue-5.10/serial-protect-uart_port_dtr_rts-in-uart_shutdown-to.patch b/queue-5.10/serial-protect-uart_port_dtr_rts-in-uart_shutdown-to.patch
new file mode 100644
index 00000000000..e78424b209a
--- /dev/null
+++ b/queue-5.10/serial-protect-uart_port_dtr_rts-in-uart_shutdown-to.patch
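Review bot: In the selinuxfs.c patch, the two new early returns in sel_write_load() (`if (*ppos)` and `if (!count)`) sit before `mutex_lock()` and `avc_has_perm()`, so a zero-length or non-zero-offset write now fails with -EINVAL without reaching the permission check, whereas the removed `*ppos != 0` test ran only after it. If that ordering is intended, it should be stated next to the code, e.g. `/* argument checks come first: malformed writes fail with -EINVAL before the permission check */`. The only `AUDIT_MAC_POLICY_LOAD` record in the lines shown is the `res=1` one on the success path, so the failure paths that `goto out` appear to leave no audit record beyond the rate-limited `pr_warn`; worth confirming that this is acceptable for monitoring policy-load attempts. The function begins and ends outside the hunks shown.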
@@ -0,0 +1,67 @@
+From dd66ed873c407426006132010efde09e93cad919 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Oct 2024 11:05:48 +0000
+Subject: serial: protect uart_port_dtr_rts() in uart_shutdown() too
+
+From: Jiri Slaby (SUSE)
+
+[ Upstream commit 602babaa84d627923713acaf5f7e9a4369e77473 ]
+
+Commit af224ca2df29 (serial: core: Prevent unsafe uart port access, part
+3) added few uport == NULL checks. It added one to uart_shutdown(), so
+the commit assumes, uport can be NULL in there. But right after that
+protection, there is an unprotected "uart_port_dtr_rts(uport, false);"
+call. That is invoked only if HUPCL is set, so I assume that is the
+reason why we do not see lots of these reports.
+
+Or it cannot be NULL at this point at all for some reason :P.
+
+Until the above is investigated, stay on the safe side and move this
+dereference to the if too.
+
+I got this inconsistency from Coverity under CID 1585130. Thanks.
+
+Signed-off-by: Jiri Slaby (SUSE)
+Cc: Peter Hurley
+Cc: Greg Kroah-Hartman
+Link: https://lore.kernel.org/r/20240805102046.307511-3-jirislaby@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+[Adapted over commit 5701cb8bf50e ("tty: Call ->dtr_rts() parameter
+active consistently") not in the tree]
+Signed-off-by: Tomas Krcka
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/serial_core.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
+index c7adcf97e2a33..6d7d448d0fbf5 100644
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -286,14 +286,16 @@ static void uart_shutdown(struct tty_struct *tty, struct uart_state *state)
+ /*
+ * Turn off DTR and RTS early.
+ */
+- if (uport && uart_console(uport) && tty) {
+- uport->cons->cflag = tty->termios.c_cflag;
+- uport->cons->ispeed = tty->termios.c_ispeed;
+- uport->cons->ospeed = tty->termios.c_ospeed;
+- }
++ if (uport) {
++ if (uart_console(uport) && tty) {
++ uport->cons->cflag = tty->termios.c_cflag;
++ uport->cons->ispeed = tty->termios.c_ispeed;
++ uport->cons->ospeed = tty->termios.c_ospeed;
++ }
+
+- if (!tty || C_HUPCL(tty))
+- uart_port_dtr_rts(uport, 0);
++ if (!tty || C_HUPCL(tty))
++ uart_port_dtr_rts(uport, 0);
++ }
+
+ uart_port_shutdown(port);
+ }
+--
+2.43.0
+
diff --git a/queue-5.10/series b/queue-5.10/series
index cfbfed7fe65..373b63d35b6 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -40,3 +40,5 @@ r8169-avoid-unsolicited-interrupts.patch
 posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch
 alsa-firewire-lib-avoid-division-by-zero-in-apply_co.patch
 alsa-hda-realtek-update-default-depop-procedure.patch
+selinux-improve-error-checking-in-sel_write_load.patch
+serial-protect-uart_port_dtr_rts-in-uart_shutdown-to.patch
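Review bot: In the serial_core.c patch, the new `if (uport) { … }` block in uart_shutdown() carries no comment saying why `uport` may be NULL at this point, or that the DTR/RTS drop is deliberately skipped in that case. The commit message itself is unsure whether NULL is reachable, so the reasoning belongs next to the code, for example `/* uport may be NULL here (see the earlier uport check); skip the console termios save and the DTR/RTS drop then */` above the block. The existing `Turn off DTR and RTS early.` comment now heads a block whose first statement is the console termios save, so it no longer describes what immediately follows. uart_shutdown() begins outside the hunk.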