From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 5 May 2019 12:49:37 +0000 (+0200)
Subject: 5.0-stable patches
X-Git-Tag: v4.9.174~41
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e03f04f87ec8ba65235d35c45021b4fb0b063c21;p=thirdparty%2Fkernel%2Fstable-queue.git

5.0-stable patches

added patches:
	arc-memset-fix-build-with-l1_cache_shift-6.patch
	seccomp-make-new_listener-and-tsync-flags-exclusive.patch
	selftests-seccomp-prepare-for-exclusive-seccomp-flags.patch
---

diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/queue-5.0/arc-memset-fix-build-with-l1_cache_shift-6.patch b/queue-5.0/arc-memset-fix-build-with-l1_cache_shift-6.patch
new file mode 100644
index 00000000000..ab307f717c3
--- /dev/null
+++ b/queue-5.0/arc-memset-fix-build-with-l1_cache_shift-6.patch
@@ -0,0 +1,38 @@
+From 55c0c4c793b538fb438bcc72481b9dc2f79fe5a9 Mon Sep 17 00:00:00 2001
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Date: Mon, 8 Apr 2019 16:04:38 +0300
+Subject: ARC: memset: fix build with L1_CACHE_SHIFT != 6
+
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+
+commit 55c0c4c793b538fb438bcc72481b9dc2f79fe5a9 upstream.
+
+In case of 'L1_CACHE_SHIFT != 6' we define dummy assembly macroses
+PREALLOC_INSTR and PREFETCHW_INSTR without arguments. However
+we pass arguments to them in code which cause build errors.
+Fix that.
+
+Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Cc: <stable@vger.kernel.org>    [5.0]
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/lib/memset-archs.S |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arc/lib/memset-archs.S
++++ b/arch/arc/lib/memset-archs.S
+@@ -30,10 +30,10 @@
+ 
+ #else
+ 
+-.macro PREALLOC_INSTR
++.macro PREALLOC_INSTR	reg, off
+ .endm
+ 
+-.macro PREFETCHW_INSTR
++.macro PREFETCHW_INSTR	reg, off
+ .endm
+ 
+ #endif
diff --git a/queue-5.0/seccomp-make-new_listener-and-tsync-flags-exclusive.patch b/queue-5.0/seccomp-make-new_listener-and-tsync-flags-exclusive.patch
new file mode 100644
index 00000000000..f43cc3bb911
--- /dev/null
+++ b/queue-5.0/seccomp-make-new_listener-and-tsync-flags-exclusive.patch
@@ -0,0 +1,96 @@
+From 7a0df7fbc14505e2e2be19ed08654a09e1ed5bf6 Mon Sep 17 00:00:00 2001
+From: Tycho Andersen <tycho@tycho.ws>
+Date: Wed, 6 Mar 2019 13:14:13 -0700
+Subject: seccomp: Make NEW_LISTENER and TSYNC flags exclusive
+
+From: Tycho Andersen <tycho@tycho.ws>
+
+commit 7a0df7fbc14505e2e2be19ed08654a09e1ed5bf6 upstream.
+
+As the comment notes, the return codes for TSYNC and NEW_LISTENER
+conflict, because they both return positive values, one in the case of
+success and one in the case of error. So, let's disallow both of these
+flags together.
+
+While this is technically a userspace break, all the users I know
+of are still waiting on me to land this feature in libseccomp, so I
+think it'll be safe. Also, at present my use case doesn't require
+TSYNC at all, so this isn't a big deal to disallow. If someone
+wanted to support this, a path forward would be to add a new flag like
+TSYNC_AND_LISTENER_YES_I_UNDERSTAND_THAT_TSYNC_WILL_JUST_RETURN_EAGAIN,
+but the use cases are so different I don't see it really happening.
+
+Finally, it's worth noting that this does actually fix a UAF issue: at the
+end of seccomp_set_mode_filter(), we have:
+
+        if (flags & SECCOMP_FILTER_FLAG_NEW_LISTENER) {
+                if (ret < 0) {
+                        listener_f->private_data = NULL;
+                        fput(listener_f);
+                        put_unused_fd(listener);
+                } else {
+                        fd_install(listener, listener_f);
+                        ret = listener;
+                }
+        }
+out_free:
+        seccomp_filter_free(prepared);
+
+But if ret > 0 because TSYNC raced, we'll install the listener fd and then
+free the filter out from underneath it, causing a UAF when the task closes
+it or dies. This patch also switches the condition to be simply if (ret),
+so that if someone does add the flag mentioned above, they won't have to
+remember to fix this too.
+
+Reported-by: syzbot+b562969adb2e04af3442@syzkaller.appspotmail.com
+Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
+CC: stable@vger.kernel.org # v5.0+
+Signed-off-by: Tycho Andersen <tycho@tycho.ws>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: James Morris <jamorris@linux.microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/seccomp.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -500,7 +500,10 @@ out:
+  *
+  * Caller must be holding current->sighand->siglock lock.
+  *
+- * Returns 0 on success, -ve on error.
++ * Returns 0 on success, -ve on error, or
++ *   - in TSYNC mode: the pid of a thread which was either not in the correct
++ *     seccomp mode or did not have an ancestral seccomp filter
++ *   - in NEW_LISTENER mode: the fd of the new listener
+  */
+ static long seccomp_attach_filter(unsigned int flags,
+ 				  struct seccomp_filter *filter)
+@@ -1256,6 +1259,16 @@ static long seccomp_set_mode_filter(unsi
+ 	if (flags & ~SECCOMP_FILTER_FLAG_MASK)
+ 		return -EINVAL;
+ 
++	/*
++	 * In the successful case, NEW_LISTENER returns the new listener fd.
++	 * But in the failure case, TSYNC returns the thread that died. If you
++	 * combine these two flags, there's no way to tell whether something
++	 * succeeded or failed. So, let's disallow this combination.
++	 */
++	if ((flags & SECCOMP_FILTER_FLAG_TSYNC) &&
++	    (flags & SECCOMP_FILTER_FLAG_NEW_LISTENER))
++		return -EINVAL;
++
+ 	/* Prepare the new filter before holding any locks. */
+ 	prepared = seccomp_prepare_user_filter(filter);
+ 	if (IS_ERR(prepared))
+@@ -1302,7 +1315,7 @@ out:
+ 		mutex_unlock(&current->signal->cred_guard_mutex);
+ out_put_fd:
+ 	if (flags & SECCOMP_FILTER_FLAG_NEW_LISTENER) {
+-		if (ret < 0) {
++		if (ret) {
+ 			listener_f->private_data = NULL;
+ 			fput(listener_f);
+ 			put_unused_fd(listener);
diff --git a/queue-5.0/selftests-seccomp-prepare-for-exclusive-seccomp-flags.patch b/queue-5.0/selftests-seccomp-prepare-for-exclusive-seccomp-flags.patch
new file mode 100644
index 00000000000..401a8dac663
--- /dev/null
+++ b/queue-5.0/selftests-seccomp-prepare-for-exclusive-seccomp-flags.patch
@@ -0,0 +1,79 @@
+From 4ee0776760af03f181e6b80baf5fb1cc1a980f50 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 24 Apr 2019 09:32:55 -0700
+Subject: selftests/seccomp: Prepare for exclusive seccomp flags
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 4ee0776760af03f181e6b80baf5fb1cc1a980f50 upstream.
+
+Some seccomp flags will become exclusive, so the selftest needs to
+be adjusted to mask those out and test them individually for the "all
+flags" tests.
+
+Cc: stable@vger.kernel.org # v5.0+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Tycho Andersen <tycho@tycho.ws>
+Acked-by: James Morris <jamorris@linux.microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c |   34 +++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 9 deletions(-)
+
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -2166,11 +2166,14 @@ TEST(detect_seccomp_filter_flags)
+ 				 SECCOMP_FILTER_FLAG_LOG,
+ 				 SECCOMP_FILTER_FLAG_SPEC_ALLOW,
+ 				 SECCOMP_FILTER_FLAG_NEW_LISTENER };
+-	unsigned int flag, all_flags;
++	unsigned int exclusive[] = {
++				SECCOMP_FILTER_FLAG_TSYNC,
++				SECCOMP_FILTER_FLAG_NEW_LISTENER };
++	unsigned int flag, all_flags, exclusive_mask;
+ 	int i;
+ 	long ret;
+ 
+-	/* Test detection of known-good filter flags */
++	/* Test detection of individual known-good filter flags */
+ 	for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
+ 		int bits = 0;
+ 
+@@ -2197,16 +2200,29 @@ TEST(detect_seccomp_filter_flags)
+ 		all_flags |= flag;
+ 	}
+ 
+-	/* Test detection of all known-good filter flags */
+-	ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL);
+-	EXPECT_EQ(-1, ret);
+-	EXPECT_EQ(EFAULT, errno) {
+-		TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
+-		       all_flags);
++	/*
++	 * Test detection of all known-good filter flags combined. But
++	 * for the exclusive flags we need to mask them out and try them
++	 * individually for the "all flags" testing.
++	 */
++	exclusive_mask = 0;
++	for (i = 0; i < ARRAY_SIZE(exclusive); i++)
++		exclusive_mask |= exclusive[i];
++	for (i = 0; i < ARRAY_SIZE(exclusive); i++) {
++		flag = all_flags & ~exclusive_mask;
++		flag |= exclusive[i];
++
++		ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
++		EXPECT_EQ(-1, ret);
++		EXPECT_EQ(EFAULT, errno) {
++			TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
++			       flag);
++		}
+ 	}
+ 
+-	/* Test detection of an unknown filter flag */
++	/* Test detection of an unknown filter flags, without exclusives. */
+ 	flag = -1;
++	flag &= ~exclusive_mask;
+ 	ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
+ 	EXPECT_EQ(-1, ret);
+ 	EXPECT_EQ(EINVAL, errno) {
diff --git a/queue-5.0/series b/queue-5.0/series
new file mode 100644
index 00000000000..a9e6687265f
--- /dev/null
+++ b/queue-5.0/series
@@ -0,0 +1,3 @@
+selftests-seccomp-prepare-for-exclusive-seccomp-flags.patch
+seccomp-make-new_listener-and-tsync-flags-exclusive.patch
+arc-memset-fix-build-with-l1_cache_shift-6.patch