From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 4 Mar 2024 06:38:54 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v4.19.309~91
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df024355668546018f429b7edb0546e836e05e73;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch
---

diff --git a/queue-5.10/series b/queue-5.10/series
index f9ea2f872a1..8939065b70e 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -22,3 +22,4 @@ power-supply-bq27xxx-i2c-do-not-free-non-existing-ir.patch
 alsa-drop-leftover-snd-rtctimer-stuff-from-makefile.patch
 afs-fix-endless-loop-in-directory-parsing.patch
 riscv-sparse-memory-vmemmap-out-of-bounds-fix.patch
+tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch
diff --git a/queue-5.10/tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch b/queue-5.10/tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch
new file mode 100644
index 00000000000..1de07827251
--- /dev/null
+++ b/queue-5.10/tomoyo-fix-uaf-write-bug-in-tomoyo_write_control.patch
@@ -0,0 +1,43 @@
+From 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 1 Mar 2024 22:04:06 +0900
+Subject: tomoyo: fix UAF write bug in tomoyo_write_control()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 upstream.
+
+Since tomoyo_write_control() updates head->write_buf when write()
+of long lines is requested, we need to fetch head->write_buf after
+head->io_sem is held.  Otherwise, concurrent write() requests can
+cause use-after-free-write and double-free problems.
+
+Reported-by: Sam Sun <samsun1006219@gmail.com>
+Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji8g@mail.gmail.com
+Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.")
+Cc:  <stable@vger.kernel.org> # Linux 3.1+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/tomoyo/common.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/tomoyo/common.c
++++ b/security/tomoyo/common.c
+@@ -2657,13 +2657,14 @@ ssize_t tomoyo_write_control(struct tomo
+ {
+ 	int error = buffer_len;
+ 	size_t avail_len = buffer_len;
+-	char *cp0 = head->write_buf;
++	char *cp0;
+ 	int idx;
+ 
+ 	if (!head->write)
+ 		return -EINVAL;
+ 	if (mutex_lock_interruptible(&head->io_sem))
+ 		return -EINTR;
++	cp0 = head->write_buf;
+ 	head->read_user_buf_avail = 0;
+ 	idx = tomoyo_read_lock();
+ 	/* Read a line and dispatch it to the policy handler. */