From: Greg Kroah-Hartman Date: Tue, 21 Nov 2017 16:57:08 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.84~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d215260f58fdad034c7cbafa758fac759ca9ce13;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm64-fix-dump_instr-when-pan-and-uao-are-in-use.patch ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch serial-omap-fix-efr-write-on-rts-deassertion.patch
---
diff --git a/queue-4.4/arm64-fix-dump_instr-when-pan-and-uao-are-in-use.patch b/queue-4.4/arm64-fix-dump_instr-when-pan-and-uao-are-in-use.patch
new file mode 100644
index 00000000000..c14074c3f91
--- /dev/null
+++ b/queue-4.4/arm64-fix-dump_instr-when-pan-and-uao-are-in-use.patch
@@ -0,0 +1,95 @@
+From c5cea06be060f38e5400d796e61cfc8c36e52924 Mon Sep 17 00:00:00 2001
+From: Mark Rutland
+Date: Mon, 13 Jun 2016 11:15:14 +0100
+Subject: arm64: fix dump_instr when PAN and UAO are in use
+
+From: Mark Rutland
+
+commit c5cea06be060f38e5400d796e61cfc8c36e52924 upstream.
+
+If the kernel is set to show unhandled signals, and a user task does not
+handle a SIGILL as a result of an instruction abort, we will attempt to
+log the offending instruction with dump_instr before killing the task.
+
+We use dump_instr to log the encoding of the offending userspace
+instruction. However, dump_instr is also used to dump instructions from
+kernel space, and internally always switches to KERNEL_DS before dumping
+the instruction with get_user. When both PAN and UAO are in use, reading
+a user instruction via get_user while in KERNEL_DS will result in a
+permission fault, which leads to an Oops.
+
+As we have regs corresponding to the context of the original instruction
+abort, we can inspect this and only flip to KERNEL_DS if the original
+abort was taken from the kernel, avoiding this issue. At the same time,
+remove the redundant (and incorrect) comments regarding the order
+dump_mem and dump_instr are called in.
+
+Cc: Catalin Marinas
+Cc: James Morse
+Cc: Robin Murphy
+Signed-off-by: Mark Rutland
+Reported-by: Vladimir Murzin
+Tested-by: Vladimir Murzin
+Fixes: 57f4959bad0a154a ("arm64: kernel: Add support for User Access Override")
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/traps.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -64,8 +64,7 @@ static void dump_mem(const char *lvl, co
+
+ /*
+ * We need to switch to kernel mode so that we can use __get_user
+- * to safely read from kernel space. Note that we now dump the
+- * code first, just in case the backtrace kills us.
++ * to safely read from kernel space.
+ */
+ fs = get_fs();
+ set_fs(KERNEL_DS);
+@@ -111,21 +110,12 @@ static void dump_backtrace_entry(unsigne
+ print_ip_sym(where);
+ }
+
+-static void dump_instr(const char *lvl, struct pt_regs *regs)
++static void __dump_instr(const char *lvl, struct pt_regs *regs)
+ {
+ unsigned long addr = instruction_pointer(regs);
+- mm_segment_t fs;
+ char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str;
+ int i;
+
+- /*
+- * We need to switch to kernel mode so that we can use __get_user
+- * to safely read from kernel space. Note that we now dump the
+- * code first, just in case the backtrace kills us.
+- */
+- fs = get_fs();
+- set_fs(KERNEL_DS);
+-
+ for (i = -4; i < 1; i++) {
+ unsigned int val, bad;
+
+@@ -139,8 +129,18 @@ static void dump_instr(const char *lvl,
+ }
+ }
+ printk("%sCode: %s\n", lvl, str);
++}
+
+- set_fs(fs);
++static void dump_instr(const char *lvl, struct pt_regs *regs)
++{
++ if (!user_mode(regs)) {
++ mm_segment_t fs = get_fs();
++ set_fs(KERNEL_DS);
++ __dump_instr(lvl, regs);
++ set_fs(fs);
++ } else {
++ __dump_instr(lvl, regs);
++ }
+ }
+
+ static void dump_backtrace(struct pt_regs *regs, struct task_struct *tsk)
diff --git a/queue-4.4/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch b/queue-4.4/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
new file mode 100644
index 00000000000..ef72b1d6053
--- /dev/null
+++ b/queue-4.4/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
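Review bot: The new `dump_instr` wrapper in arch/arm64/kernel/traps.c has no comment saying why KERNEL_DS is set only for kernel-mode regs, and the explanation that used to sit in the function was deleted together with the old body. A short comment above the `if (!user_mode(regs))` branch would keep the PAN/UAO reasoning next to the code, for example `/* Only override the address limit for a kernel PC; reading a user PC under KERNEL_DS faults when PAN and UAO are in use. */`. The read itself happens in the `__dump_instr` loop body, which lies outside this hunk; in the user-mode path `addr` comes from the task's saved PC, so it is worth confirming that the accessor there range-checks the address (`get_user`, or `access_ok` before `__get_user`) instead of relying on the hardware to reject a kernel address.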
@@ -0,0 +1,46 @@
+From 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb Mon Sep 17 00:00:00 2001
+From: Roberto Sassu
+Date: Tue, 7 Nov 2017 11:37:07 +0100
+Subject: ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
+
+From: Roberto Sassu
+
+commit 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb upstream.
+
+Commit b65a9cfc2c38 ("Untangling ima mess, part 2: deal with counters")
+moved the call of ima_file_check() from may_open() to do_filp_open() at a
+point where the file descriptor is already opened.
+
+This breaks the assumption made by IMA that file descriptors being closed
+belong to files whose access was granted by ima_file_check(). The
+consequence is that security.ima and security.evm are updated with good
+values, regardless of the current appraisal status.
+
+For example, if a file does not have security.ima, IMA will create it after
+opening the file for writing, even if access is denied. Access to the file
+will be allowed afterwards.
+
+Avoid this issue by checking the appraisal status before updating
+security.ima.
+
+Signed-off-by: Roberto Sassu
+Signed-off-by: Mimi Zohar
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/integrity/ima/ima_appraise.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -297,6 +297,9 @@ void ima_update_xattr(struct integrity_i
+ if (iint->flags & IMA_DIGSIG)
+ return;
+
++ if (iint->ima_file_status != INTEGRITY_PASS)
++ return;
++
+ rc = ima_collect_measurement(iint, file, NULL, NULL);
+ if (rc < 0)
+ return;
diff --git a/queue-4.4/serial-omap-fix-efr-write-on-rts-deassertion.patch b/queue-4.4/serial-omap-fix-efr-write-on-rts-deassertion.patch
new file mode 100644
index 00000000000..0c9fba9bb10
--- /dev/null
+++ b/queue-4.4/serial-omap-fix-efr-write-on-rts-deassertion.patch
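Review bot: The added `iint->ima_file_status != INTEGRITY_PASS` early return in `ima_update_xattr` (security/integrity/ima/ima_appraise.c) is the guard that keeps a failed appraisal from being overwritten with a good hash, yet it carries no comment and returns silently. Because the function returns void, nothing in the hunk lets a caller tell a skipped xattr update from a completed one, so the intent has to live in the code itself. A one-line comment above the check, such as `/* never write security.ima for a file that did not pass appraisal */`, would stop it from being removed later as redundant with the `IMA_DIGSIG` test just before it. The function body continues outside the hunk.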
@@ -0,0 +1,34 @@
+From 2a71de2f7366fb1aec632116d0549ec56d6a3940 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Sat, 21 Oct 2017 10:50:18 +0200
+Subject: serial: omap: Fix EFR write on RTS deassertion
+
+From: Lukas Wunner
+
+commit 2a71de2f7366fb1aec632116d0549ec56d6a3940 upstream.
+
+Commit 348f9bb31c56 ("serial: omap: Fix RTS handling") sought to enable
+auto RTS upon manual RTS assertion and disable it on deassertion.
+However it seems the latter was done incorrectly, it clears all bits in
+the Extended Features Register *except* auto RTS.
+
+Fixes: 348f9bb31c56 ("serial: omap: Fix RTS handling")
+Cc: Peter Hurley
+Signed-off-by: Lukas Wunner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/omap-serial.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/omap-serial.c
++++ b/drivers/tty/serial/omap-serial.c
+@@ -693,7 +693,7 @@ static void serial_omap_set_mctrl(struct
+ if ((mctrl & TIOCM_RTS) && (port->status & UPSTAT_AUTORTS))
+ up->efr |= UART_EFR_RTS;
+ else
+- up->efr &= UART_EFR_RTS;
++ up->efr &= ~UART_EFR_RTS;
+ serial_out(up, UART_EFR, up->efr);
+ serial_out(up, UART_LCR, lcr);
+
diff --git a/queue-4.4/series b/queue-4.4/series
index d75d2591719..3a4274df3ff 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -6,3 +6,6 @@ af_netlink-ensure-that-nlmsg_done-never-fails-in-dumps.patch
 sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
 fealnx-fix-building-error-on-mips.patch
 net-sctp-always-set-scope_id-in-sctp_inet6_skb_msgname.patch
+ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
+serial-omap-fix-efr-write-on-rts-deassertion.patch
+arm64-fix-dump_instr-when-pan-and-uao-are-in-use.patch