From: Greg Kroah-Hartman Date: Mon, 5 Sep 2022 16:32:50 +0000 (+0200) Subject: 5.19-stable patches X-Git-Tag: v5.10.142~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd0b450af62b626a2bc0f1329dd12150b7ae15c1;p=thirdparty%2Fkernel%2Fstable-queue.git 5.19-stable patches added patches: binder-fix-alloc-vma_vm_mm-null-ptr-dereference.patch binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch cifs-fix-small-mempool-leak-in-smb2_negotiate.patch --- diff --git a/queue-5.19/binder-fix-alloc-vma_vm_mm-null-ptr-dereference.patch b/queue-5.19/binder-fix-alloc-vma_vm_mm-null-ptr-dereference.patch new file mode 100644 index 00000000000..a1f1ed8697e --- /dev/null +++ b/queue-5.19/binder-fix-alloc-vma_vm_mm-null-ptr-dereference.patch @@ -0,0 +1,97 @@ +From 1da52815d5f1b654c89044db0cdc6adce43da1f1 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Mon, 29 Aug 2022 20:12:48 +0000 +Subject: binder: fix alloc->vma_vm_mm null-ptr dereference + +From: Carlos Llamas + +commit 1da52815d5f1b654c89044db0cdc6adce43da1f1 upstream. + +Syzbot reported a couple issues introduced by commit 44e602b4e52f +("binder_alloc: add missing mmap_lock calls when using the VMA"), in +which we attempt to acquire the mmap_lock when alloc->vma_vm_mm has not +been initialized yet. + +This can happen if a binder_proc receives a transaction without having +previously called mmap() to setup the binder_proc->alloc space in [1]. +Also, a similar issue occurs via binder_alloc_print_pages() when we try +to dump the debugfs binder stats file in [2]. + +Sample of syzbot's crash report: + ================================================================== + KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f] + CPU: 0 PID: 3755 Comm: syz-executor229 Not tainted 6.0.0-rc1-next-20220819-syzkaller #0 + syz-executor229[3755] cmdline: ./syz-executor2294415195 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 + RIP: 0010:__lock_acquire+0xd83/0x56d0 kernel/locking/lockdep.c:4923 + [...] + Call Trace: + + lock_acquire kernel/locking/lockdep.c:5666 [inline] + lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631 + down_read+0x98/0x450 kernel/locking/rwsem.c:1499 + mmap_read_lock include/linux/mmap_lock.h:117 [inline] + binder_alloc_new_buf_locked drivers/android/binder_alloc.c:405 [inline] + binder_alloc_new_buf+0xa5/0x19e0 drivers/android/binder_alloc.c:593 + binder_transaction+0x242e/0x9a80 drivers/android/binder.c:3199 + binder_thread_write+0x664/0x3220 drivers/android/binder.c:3986 + binder_ioctl_write_read drivers/android/binder.c:5036 [inline] + binder_ioctl+0x3470/0x6d00 drivers/android/binder.c:5323 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + [...] + ================================================================== + +Fix these issues by setting up alloc->vma_vm_mm pointer during open() +and caching directly from current->mm. This guarantees we have a valid +reference to take the mmap_lock during scenarios described above. + +[1] https://syzkaller.appspot.com/bug?extid=f7dc54e5be28950ac459 +[2] https://syzkaller.appspot.com/bug?extid=a75ebe0452711c9e56d9 + +Fixes: 44e602b4e52f ("binder_alloc: add missing mmap_lock calls when using the VMA") +Cc: # v5.15+ +Cc: Liam R. Howlett +Reported-by: syzbot+f7dc54e5be28950ac459@syzkaller.appspotmail.com +Reported-by: syzbot+a75ebe0452711c9e56d9@syzkaller.appspotmail.com +Reviewed-by: Liam R. Howlett +Acked-by: Todd Kjos +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20220829201254.1814484-2-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder_alloc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -322,7 +322,6 @@ static inline void binder_alloc_set_vma( + */ + if (vma) { + vm_start = vma->vm_start; +- alloc->vma_vm_mm = vma->vm_mm; + mmap_assert_write_locked(alloc->vma_vm_mm); + } else { + mmap_assert_locked(alloc->vma_vm_mm); +@@ -795,7 +794,6 @@ int binder_alloc_mmap_handler(struct bin + binder_insert_free_buffer(alloc, buffer); + alloc->free_async_space = alloc->buffer_size / 2; + binder_alloc_set_vma(alloc, vma); +- mmgrab(alloc->vma_vm_mm); + + return 0; + +@@ -1091,6 +1089,8 @@ static struct shrinker binder_shrinker = + void binder_alloc_init(struct binder_alloc *alloc) + { + alloc->pid = current->group_leader->pid; ++ alloc->vma_vm_mm = current->mm; ++ mmgrab(alloc->vma_vm_mm); + mutex_init(&alloc->mutex); + INIT_LIST_HEAD(&alloc->buffers); + } diff --git a/queue-5.19/binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch b/queue-5.19/binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch new file mode 100644 index 00000000000..244a226fbc0 --- /dev/null +++ b/queue-5.19/binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch @@ -0,0 +1,79 @@ +From a0e44c64b6061dda7e00b7c458e4523e2331b739 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Mon, 1 Aug 2022 18:25:11 +0000 +Subject: binder: fix UAF of ref->proc caused by race condition + +From: Carlos Llamas + +commit a0e44c64b6061dda7e00b7c458e4523e2331b739 upstream. + +A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the +reference for a node. In this case, the target proc normally releases +the failed reference upon close as expected. However, if the target is +dying in parallel the call will race with binder_deferred_release(), so +the target could have released all of its references by now leaving the +cleanup of the new failed reference unhandled. + +The transaction then ends and the target proc gets released making the +ref->proc now a dangling pointer. Later on, ref->node is closed and we +attempt to take spin_lock(&ref->proc->inner_lock), which leads to the +use-after-free bug reported below. Let's fix this by cleaning up the +failed reference on the spot instead of relying on the target to do so. + + ================================================================== + BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150 + Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590 + + CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10 + Hardware name: linux,dummy-virt (DT) + Workqueue: events binder_deferred_func + Call trace: + dump_backtrace.part.0+0x1d0/0x1e0 + show_stack+0x18/0x70 + dump_stack_lvl+0x68/0x84 + print_report+0x2e4/0x61c + kasan_report+0xa4/0x110 + kasan_check_range+0xfc/0x1a4 + __kasan_check_write+0x3c/0x50 + _raw_spin_lock+0xa8/0x150 + binder_deferred_func+0x5e0/0x9b0 + process_one_work+0x38c/0x5f0 + worker_thread+0x9c/0x694 + kthread+0x188/0x190 + ret_from_fork+0x10/0x20 + +Acked-by: Christian Brauner (Microsoft) +Signed-off-by: Carlos Llamas +Cc: stable # 4.14+ +Link: https://lore.kernel.org/r/20220801182511.3371447-1-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/android/binder.c b/drivers/android/binder.c +index c964d7c8c384..6428f6be69e3 100644 +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -1385,6 +1385,18 @@ static int binder_inc_ref_for_node(struct binder_proc *proc, + } + ret = binder_inc_ref_olocked(ref, strong, target_list); + *rdata = ref->data; ++ if (ret && ref == new_ref) { ++ /* ++ * Cleanup the failed reference here as the target ++ * could now be dead and have already released its ++ * references by now. Calling on the new reference ++ * with strong=0 and a tmp_refs will not decrement ++ * the node. The new_ref gets kfree'd below. ++ */ ++ binder_cleanup_ref_olocked(new_ref); ++ ref = NULL; ++ } ++ + binder_proc_unlock(proc); + if (new_ref && ref != new_ref) + /* +-- +2.37.3 + diff --git a/queue-5.19/cifs-fix-small-mempool-leak-in-smb2_negotiate.patch b/queue-5.19/cifs-fix-small-mempool-leak-in-smb2_negotiate.patch new file mode 100644 index 00000000000..93b780d733d --- /dev/null +++ b/queue-5.19/cifs-fix-small-mempool-leak-in-smb2_negotiate.patch @@ -0,0 +1,75 @@ +From 27893dfc1285f80f80f46b3b8c95f5d15d2e66d0 Mon Sep 17 00:00:00 2001 +From: Enzo Matsumiya +Date: Tue, 30 Aug 2022 19:51:51 -0300 +Subject: cifs: fix small mempool leak in SMB2_negotiate() + +From: Enzo Matsumiya + +commit 27893dfc1285f80f80f46b3b8c95f5d15d2e66d0 upstream. + +In some cases of failure (dialect mismatches) in SMB2_negotiate(), after +the request is sent, the checks would return -EIO when they should be +rather setting rc = -EIO and jumping to neg_exit to free the response +buffer from mempool. + +Signed-off-by: Enzo Matsumiya +Cc: stable@vger.kernel.org +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -964,16 +964,17 @@ SMB2_negotiate(const unsigned int xid, + } else if (rc != 0) + goto neg_exit; + ++ rc = -EIO; + if (strcmp(server->vals->version_string, + SMB3ANY_VERSION_STRING) == 0) { + if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { + cifs_server_dbg(VFS, + "SMB2 dialect returned but not requested\n"); +- return -EIO; ++ goto neg_exit; + } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { + cifs_server_dbg(VFS, + "SMB2.1 dialect returned but not requested\n"); +- return -EIO; ++ goto neg_exit; + } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) { + /* ops set to 3.0 by default for default so update */ + server->ops = &smb311_operations; +@@ -984,7 +985,7 @@ SMB2_negotiate(const unsigned int xid, + if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { + cifs_server_dbg(VFS, + "SMB2 dialect returned but not requested\n"); +- return -EIO; ++ goto neg_exit; + } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { + /* ops set to 3.0 by default for default so update */ + server->ops = &smb21_operations; +@@ -998,7 +999,7 @@ SMB2_negotiate(const unsigned int xid, + /* if requested single dialect ensure returned dialect matched */ + cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n", + le16_to_cpu(rsp->DialectRevision)); +- return -EIO; ++ goto neg_exit; + } + + cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode); +@@ -1016,9 +1017,10 @@ SMB2_negotiate(const unsigned int xid, + else { + cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n", + le16_to_cpu(rsp->DialectRevision)); +- rc = -EIO; + goto neg_exit; + } ++ ++ rc = 0; + server->dialect = le16_to_cpu(rsp->DialectRevision); + + /* diff --git a/queue-5.19/series b/queue-5.19/series index 85b1e46cf40..7f8e520688b 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -82,3 +82,6 @@ usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch landlock-fix-file-reparenting-without-explicit-landlock_access_fs_refer.patch mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch mmc-core-fix-inconsistent-sd3_bus_mode-at-uhs-i-sd-voltage-switch-failure.patch +binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch +binder-fix-alloc-vma_vm_mm-null-ptr-dereference.patch +cifs-fix-small-mempool-leak-in-smb2_negotiate.patch