From: Greg Kroah-Hartman Date: Wed, 11 Sep 2019 09:22:51 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.193~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c7631c3ab831659b7e676391d9be344b0c14b3bb;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch powerpc-tm-fix-restoring-fp-vmx-facility-incorrectly-on-interrupts.patch --- diff --git a/queue-4.19/batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch b/queue-4.19/batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch new file mode 100644 index 00000000000..e2397aa192f --- /dev/null +++ b/queue-4.19/batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch 
@@ -0,0 +1,65 @@ +From 3ee1bb7aae97324ec9078da1f00cb2176919563f Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 12 Aug 2019 04:57:27 -0700 +Subject: batman-adv: fix uninit-value in batadv_netlink_get_ifindex() + +From: Eric Dumazet + +commit 3ee1bb7aae97324ec9078da1f00cb2176919563f upstream. + +batadv_netlink_get_ifindex() needs to make sure user passed +a correct u32 attribute. + +syzbot reported : +BUG: KMSAN: uninit-value in batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968 +CPU: 1 PID: 11705 Comm: syz-executor888 Not tainted 5.1.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x191/0x1f0 lib/dump_stack.c:113 + kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622 + __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310 + batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968 + genl_lock_dumpit+0xc6/0x130 net/netlink/genetlink.c:482 + netlink_dump+0xa84/0x1ab0 net/netlink/af_netlink.c:2253 + __netlink_dump_start+0xa3a/0xb30 net/netlink/af_netlink.c:2361 + genl_family_rcv_msg net/netlink/genetlink.c:550 [inline] + genl_rcv_msg+0xfc1/0x1a40 net/netlink/genetlink.c:627 + netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2486 + genl_rcv+0x63/0x80 net/netlink/genetlink.c:638 + netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline] + netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1337 + netlink_sendmsg+0x127e/0x12f0 net/netlink/af_netlink.c:1926 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg net/socket.c:661 [inline] + ___sys_sendmsg+0xcc6/0x1200 net/socket.c:2260 + __sys_sendmsg net/socket.c:2298 [inline] + __do_sys_sendmsg net/socket.c:2307 [inline] + __se_sys_sendmsg+0x305/0x460 net/socket.c:2305 + __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2305 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 +RIP: 0033:0x440209 + +Fixes: b60620cf567b 
("batman-adv: netlink: hardif query") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/netlink.c ++++ b/net/batman-adv/netlink.c +@@ -118,7 +118,7 @@ batadv_netlink_get_ifindex(const struct + { + struct nlattr *attr = nlmsg_find_attr(nlh, GENL_HDRLEN, attrtype); + +- return attr ? nla_get_u32(attr) : 0; ++ return (attr && nla_len(attr) == sizeof(u32)) ? nla_get_u32(attr) : 0; + } + + /** diff --git a/queue-4.19/batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch b/queue-4.19/batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch new file mode 100644 index 00000000000..9ed087af304 --- /dev/null +++ b/queue-4.19/batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch 
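Review bot: The new length check in batadv_netlink_get_ifindex() returns 0 both when the attribute is absent and when it is present but not exactly u32-sized, so a caller cannot tell a malformed request from a missing one; that is acceptable if every caller treats 0 as "no valid ifindex" and rejects it, but the function deserves a comment saying so, e.g. `/* Dump requests are not policy-validated before we get here, so check the length before reading; 0 means absent or malformed. */`. That dump requests bypass genl policy validation in this tree is inferred from the fix being necessary at all, so confirm it before taking the comment's wording as given. The `== sizeof(u32)` test is stricter than what an NLA_U32 policy would accept (a minimum length), which is fine but should be a deliberate choice rather than an accident. batadv_netlink_get_ifindex's signature is only visible in the hunk header and the declarations around it are outside the hunk.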
@@ -0,0 +1,81 @@ +From a15d56a60760aa9dbe26343b9a0ac5228f35d445 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Thu, 22 Aug 2019 08:55:36 +0200 +Subject: batman-adv: Only read OGM tvlv_len after buffer len check + +From: Sven Eckelmann + +commit a15d56a60760aa9dbe26343b9a0ac5228f35d445 upstream. + +Multiple batadv_ogm_packet can be stored in an skbuff. The functions +batadv_iv_ogm_send_to_if()/batadv_iv_ogm_receive() use +batadv_iv_ogm_aggr_packet() to check if there is another additional +batadv_ogm_packet in the skb or not before they continue processing the +packet. + +The length for such an OGM is BATADV_OGM_HLEN + +batadv_ogm_packet->tvlv_len. The check must first check that at least +BATADV_OGM_HLEN bytes are available before it accesses tvlv_len (which is +part of the header. Otherwise it might try read outside of the currently +available skbuff to get the content of tvlv_len. + +Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure") +Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com +Signed-off-by: Sven Eckelmann +Acked-by: Antonio Quartulli +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/bat_iv_ogm.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -463,17 +463,23 @@ static u8 batadv_hop_penalty(u8 tq, cons + * batadv_iv_ogm_aggr_packet() - checks if there is another OGM attached + * @buff_pos: current position in the skb + * @packet_len: total length of the skb +- * @tvlv_len: tvlv length of the previously considered OGM ++ * @ogm_packet: potential OGM in buffer + * + * Return: true if there is enough space for another OGM, false otherwise. 
+ */ +-static bool batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len, +- __be16 tvlv_len) ++static bool ++batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len, ++ const struct batadv_ogm_packet *ogm_packet) + { + int next_buff_pos = 0; + +- next_buff_pos += buff_pos + BATADV_OGM_HLEN; +- next_buff_pos += ntohs(tvlv_len); ++ /* check if there is enough space for the header */ ++ next_buff_pos += buff_pos + sizeof(*ogm_packet); ++ if (next_buff_pos > packet_len) ++ return false; ++ ++ /* check if there is enough space for the optional TVLV */ ++ next_buff_pos += ntohs(ogm_packet->tvlv_len); + + return (next_buff_pos <= packet_len) && + (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); +@@ -501,7 +507,7 @@ static void batadv_iv_ogm_send_to_if(str + + /* adjust all flags and log packets */ + while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len, +- batadv_ogm_packet->tvlv_len)) { ++ batadv_ogm_packet)) { + /* we might have aggregated direct link packets with an + * ordinary base packet + */ +@@ -1852,7 +1858,7 @@ static int batadv_iv_ogm_receive(struct + + /* unpack the aggregated packets and process them one by one */ + while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb), +- ogm_packet->tvlv_len)) { ++ ogm_packet)) { + batadv_iv_ogm_process(skb, ogm_offset, if_incoming); + + ogm_offset += BATADV_OGM_HLEN; diff --git a/queue-4.19/powerpc-tm-fix-restoring-fp-vmx-facility-incorrectly-on-interrupts.patch b/queue-4.19/powerpc-tm-fix-restoring-fp-vmx-facility-incorrectly-on-interrupts.patch new file mode 100644 index 00000000000..233584c5c97 --- /dev/null +++ b/queue-4.19/powerpc-tm-fix-restoring-fp-vmx-facility-incorrectly-on-interrupts.patch 
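Review bot: The added header-size check spells the OGM header length as `sizeof(*ogm_packet)` while the callers still advance with BATADV_OGM_HLEN (`ogm_offset += BATADV_OGM_HLEN;` in batadv_iv_ogm_receive), so the guard and the stride are written as two different quantities; they are presumably equal, but `next_buff_pos += buff_pos + BATADV_OGM_HLEN;` keeps the check tied to the same constant the loops use. The kernel-doc should also record the precondition the check depends on, roughly `@ogm_packet: potential OGM in buffer, presumably the one at @buff_pos (confirm); only tvlv_len is read, and only once the header has been verified to fit`. In the receive path packet_len is `skb_headlen(skb)`, so the check covers only the linear area, which matches what the loop reads but is worth a one-line comment at that call. Both callers' loop bodies continue past the hunk.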
@@ -0,0 +1,135 @@ +From a8318c13e79badb92bc6640704a64cc022a6eb97 Mon Sep 17 00:00:00 2001 +From: Gustavo Romero +Date: Wed, 4 Sep 2019 00:55:28 -0400 +Subject: powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts + +From: Gustavo Romero + +commit a8318c13e79badb92bc6640704a64cc022a6eb97 upstream. + +When in userspace and MSR FP=0 the hardware FP state is unrelated to +the current process. This is extended for transactions where if tbegin +is run with FP=0, the hardware checkpoint FP state will also be +unrelated to the current process. Due to this, we need to ensure this +hardware checkpoint is updated with the correct state before we enable +FP for this process. + +Unfortunately we get this wrong when returning to a process from a +hardware interrupt. A process that starts a transaction with FP=0 can +take an interrupt. When the kernel returns back to that process, we +change to FP=1 but with hardware checkpoint FP state not updated. If +this transaction is then rolled back, the FP registers now contain the +wrong state. + +The process looks like this: + Userspace: Kernel + + Start userspace + with MSR FP=0 TM=1 + < ----- + ... + tbegin + bne + Hardware interrupt + ---- > + + .... + ret_from_except + restore_math() + /* sees FP=0 */ + restore_fp() + tm_active_with_fp() + /* sees FP=1 (Incorrect) */ + load_fp_state() + FP = 0 -> 1 + < ----- + Return to userspace + with MSR TM=1 FP=1 + with junk in the FP TM checkpoint + TM rollback + reads FP junk + +When returning from the hardware exception, tm_active_with_fp() is +incorrectly making restore_fp() call load_fp_state() which is setting +FP=1. + +The fix is to remove tm_active_with_fp(). + +tm_active_with_fp() is attempting to handle the case where FP state +has been changed inside a transaction. In this case the checkpointed +and transactional FP state is different and hence we must restore the +FP state (ie. we can't do lazy FP restore inside a transaction that's +used FP). 
It's safe to remove tm_active_with_fp() as this case is +handled by restore_tm_state(). restore_tm_state() detects if FP has +been using inside a transaction and will set load_fp and call +restore_math() to ensure the FP state (checkpoint and transaction) is +restored. + +This is a data integrity problem for the current process as the FP +registers are corrupted. It's also a security problem as the FP +registers from one process may be leaked to another. + +Similarly for VMX. + +A simple testcase to replicate this will be posted to +tools/testing/selftests/powerpc/tm/tm-poison.c + +This fixes CVE-2019-15031. + +Fixes: a7771176b439 ("powerpc: Don't enable FP/Altivec if not checkpointed") +Cc: stable@vger.kernel.org # 4.15+ +Signed-off-by: Gustavo Romero +Signed-off-by: Michael Neuling +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190904045529.23002-2-gromero@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/process.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -106,23 +106,9 @@ static inline bool msr_tm_active(unsigne + { + return MSR_TM_ACTIVE(msr); + } +- +-static bool tm_active_with_fp(struct task_struct *tsk) +-{ +- return msr_tm_active(tsk->thread.regs->msr) && +- (tsk->thread.ckpt_regs.msr & MSR_FP); +-} +- +-static bool tm_active_with_altivec(struct task_struct *tsk) +-{ +- return msr_tm_active(tsk->thread.regs->msr) && +- (tsk->thread.ckpt_regs.msr & MSR_VEC); +-} + #else + static inline bool msr_tm_active(unsigned long msr) { return false; } + static inline void check_if_tm_restore_required(struct task_struct *tsk) { } +-static inline bool tm_active_with_fp(struct task_struct *tsk) { return false; } +-static inline bool tm_active_with_altivec(struct task_struct *tsk) { return false; } + #endif /* CONFIG_PPC_TRANSACTIONAL_MEM */ + + bool strict_msr_control; +@@ -256,7 +242,7 @@ 
EXPORT_SYMBOL(enable_kernel_fp); + + static int restore_fp(struct task_struct *tsk) + { +- if (tsk->thread.load_fp || tm_active_with_fp(tsk)) { ++ if (tsk->thread.load_fp) { + load_fp_state(¤t->thread.fp_state); + current->thread.load_fp++; + return 1; +@@ -337,8 +323,7 @@ EXPORT_SYMBOL_GPL(flush_altivec_to_threa + + static int restore_altivec(struct task_struct *tsk) + { +- if (cpu_has_feature(CPU_FTR_ALTIVEC) && +- (tsk->thread.load_vec || tm_active_with_altivec(tsk))) { ++ if (cpu_has_feature(CPU_FTR_ALTIVEC) && (tsk->thread.load_vec)) { + load_vr_state(&tsk->thread.vr_state); + tsk->thread.used_vr = 1; + tsk->thread.load_vec++; diff --git a/queue-4.19/series b/queue-4.19/series index ccc07356a78..848e8f669cb 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -8,3 +8,6 @@ drm-vmwgfx-fix-double-free-in-vmw_recv_msg.patch vhost-test-fix-build-for-vhost-test.patch vhost-test-fix-build-for-vhost-test-again.patch powerpc-tm-fix-fp-vmx-unavailable-exceptions-inside-a-transaction.patch +powerpc-tm-fix-restoring-fp-vmx-facility-incorrectly-on-interrupts.patch +batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch +batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch
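Review bot: restore_fp() still mixes its `tsk` parameter with `current` in the lines that remain: the condition tests `tsk->thread.load_fp` but the load and the counter bump use `current->thread` (rendered here as `¤t`, apparently `&current` mangled by entity decoding), whereas restore_altivec() uses `tsk` throughout; `load_fp_state(&tsk->thread.fp_state); tsk->thread.load_fp++;` would make the two helpers consistent and is a no-op as long as the only caller passes current. With tm_active_with_fp()/tm_active_with_altivec() gone, the simplified conditions rely on restore_tm_state() having set load_fp/load_vec for a transaction that used the facility, which is outside this diff, so the backport should be checked against the 4.19 version of restore_tm_state() (the series already carries the companion powerpc-tm-fix-fp-vmx-unavailable-exceptions-inside-a-transaction.patch). That dependency deserves a comment above the condition, e.g. `/* TM: a transaction that used FP is handled by restore_tm_state(), which sets load_fp; never consult ckpt_regs here (CVE-2019-15031). */`. msr_tm_active() and its stub survive the deletion; whether they still have a user is not visible in this hunk. Both restore_fp() and restore_altivec() end outside the hunk.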