From: Greg Kroah-Hartman Date: Fri, 3 Jun 2022 15:28:21 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.9.317~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e6481f08538eab7776fb3d2a52fec4d221fed95c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: block-map-add-__gfp_zero-flag-for-alloc_page-in-function-bio_copy_kern.patch drm-i915-fix-wstringop-overflow-warning-in-call-to-intel_read_wm_latency.patch exec-force-single-empty-string-when-argv-is-empty.patch netfilter-conntrack-re-fetch-conntrack-after-insertion.patch --- diff --git a/queue-4.14/block-map-add-__gfp_zero-flag-for-alloc_page-in-function-bio_copy_kern.patch b/queue-4.14/block-map-add-__gfp_zero-flag-for-alloc_page-in-function-bio_copy_kern.patch new file mode 100644 index 00000000000..f08ae438921 --- /dev/null +++ b/queue-4.14/block-map-add-__gfp_zero-flag-for-alloc_page-in-function-bio_copy_kern.patch @@ -0,0 +1,35 @@ +From cc8f7fe1f5eab010191aa4570f27641876fa1267 Mon Sep 17 00:00:00 2001 +From: Haimin Zhang +Date: Wed, 16 Feb 2022 16:40:38 +0800 +Subject: block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern + +From: Haimin Zhang + +commit cc8f7fe1f5eab010191aa4570f27641876fa1267 upstream. + +Add __GFP_ZERO flag for alloc_page in function bio_copy_kern to initialize +the buffer of a bio. + +Signed-off-by: Haimin Zhang +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20220216084038.15635-1-tcs.kernel@gmail.com +Signed-off-by: Jens Axboe +[DP: Backported to 4.19: Manually added __GFP_ZERO flag] +Signed-off-by: Dragos-Marian Panait +Signed-off-by: Greg Kroah-Hartman +--- + block/bio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -1657,7 +1657,7 @@ struct bio *bio_copy_kern(struct request + if (bytes > len) + bytes = len; + +- page = alloc_page(q->bounce_gfp | gfp_mask); ++ page = alloc_page(q->bounce_gfp | __GFP_ZERO | gfp_mask); + if (!page) + goto cleanup; + diff --git a/queue-4.14/drm-i915-fix-wstringop-overflow-warning-in-call-to-intel_read_wm_latency.patch b/queue-4.14/drm-i915-fix-wstringop-overflow-warning-in-call-to-intel_read_wm_latency.patch new file mode 100644 index 00000000000..2ff0e2c1657 --- /dev/null +++ b/queue-4.14/drm-i915-fix-wstringop-overflow-warning-in-call-to-intel_read_wm_latency.patch @@ -0,0 +1,57 @@ +From 336feb502a715909a8136eb6a62a83d7268a353b Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Wed, 27 Apr 2022 17:47:14 -0500 +Subject: drm/i915: Fix -Wstringop-overflow warning in call to intel_read_wm_latency() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gustavo A. R. Silva + +commit 336feb502a715909a8136eb6a62a83d7268a353b upstream. + +Fix the following -Wstringop-overflow warnings when building with GCC-11: + +drivers/gpu/drm/i915/intel_pm.c:3106:9: warning: ‘intel_read_wm_latency’ accessing 16 bytes in a region of size 10 [-Wstringop-overflow=] + 3106 | intel_read_wm_latency(dev_priv, dev_priv->wm.pri_latency); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/gpu/drm/i915/intel_pm.c:3106:9: note: referencing argument 2 of type ‘u16 *’ {aka ‘short unsigned int *’} +drivers/gpu/drm/i915/intel_pm.c:2861:13: note: in a call to function ‘intel_read_wm_latency’ + 2861 | static void intel_read_wm_latency(struct drm_i915_private *dev_priv, + | ^~~~~~~~~~~~~~~~~~~~~ + +by removing the over-specified array size from the argument declarations. + +It seems that this code is actually safe because the size of the +array depends on the hardware generation, and the function checks +for that. + +Notice that wm can be an array of 5 elements: +drivers/gpu/drm/i915/intel_pm.c:3109: intel_read_wm_latency(dev_priv, dev_priv->wm.pri_latency); + +or an array of 8 elements: +drivers/gpu/drm/i915/intel_pm.c:3131: intel_read_wm_latency(dev_priv, dev_priv->wm.skl_latency); + +and the compiler legitimately complains about that. + +This helps with the ongoing efforts to globally enable +-Wstringop-overflow. + +Link: https://github.com/KSPP/linux/issues/181 +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/intel_pm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -2793,7 +2793,7 @@ hsw_compute_linetime_wm(const struct int + } + + static void intel_read_wm_latency(struct drm_i915_private *dev_priv, +- uint16_t wm[8]) ++ uint16_t wm[]) + { + if (INTEL_GEN(dev_priv) >= 9) { + uint32_t val; diff --git a/queue-4.14/exec-force-single-empty-string-when-argv-is-empty.patch b/queue-4.14/exec-force-single-empty-string-when-argv-is-empty.patch new file mode 100644 index 00000000000..c85e15ca321 --- /dev/null +++ b/queue-4.14/exec-force-single-empty-string-when-argv-is-empty.patch @@ -0,0 +1,116 @@ +From dcd46d897adb70d63e025f175a00a89797d31a43 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 31 Jan 2022 16:09:47 -0800 +Subject: exec: Force single empty string when argv is empty + +From: Kees Cook + +commit dcd46d897adb70d63e025f175a00a89797d31a43 upstream. + +Quoting[1] Ariadne Conill: + +"In several other operating systems, it is a hard requirement that the +second argument to execve(2) be the name of a program, thus prohibiting +a scenario where argc < 1. POSIX 2017 also recommends this behaviour, +but it is not an explicit requirement[2]: + + The argument arg0 should point to a filename string that is + associated with the process being started by one of the exec + functions. +... +Interestingly, Michael Kerrisk opened an issue about this in 2008[3], +but there was no consensus to support fixing this issue then. +Hopefully now that CVE-2021-4034 shows practical exploitative use[4] +of this bug in a shellcode, we can reconsider. + +This issue is being tracked in the KSPP issue tracker[5]." + +While the initial code searches[6][7] turned up what appeared to be +mostly corner case tests, trying to that just reject argv == NULL +(or an immediately terminated pointer list) quickly started tripping[8] +existing userspace programs. + +The next best approach is forcing a single empty string into argv and +adjusting argc to match. The number of programs depending on argc == 0 +seems a smaller set than those calling execve with a NULL argv. + +Account for the additional stack space in bprm_stack_limits(). Inject an +empty string when argc == 0 (and set argc = 1). Warn about the case so +userspace has some notice about the change: + + process './argc0' launched './argc0' with NULL argv: empty string added + +Additionally WARN() and reject NULL argv usage for kernel threads. + +[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/ +[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html +[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408 +[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt +[5] https://github.com/KSPP/linux/issues/176 +[6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0 +[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL&literal=0 +[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/ + +Reported-by: Ariadne Conill +Reported-by: Michael Kerrisk +Cc: Matthew Wilcox +Cc: Christian Brauner +Cc: Rich Felker +Cc: Eric Biederman +Cc: Alexander Viro +Cc: linux-fsdevel@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Acked-by: Christian Brauner +Acked-by: Ariadne Conill +Acked-by: Andy Lutomirski +Link: https://lore.kernel.org/r/20220201000947.2453721-1-keescook@chromium.org +[vegard: fixed conflicts due to missing + 886d7de631da71e30909980fdbf318f7caade262^- and + 3950e975431bc914f7e81b8f2a2dbdf2064acb0f^- and + 655c16a8ce9c15842547f40ce23fd148aeccc074] +Signed-off-by: Vegard Nossum +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +This has been tested in both argc == 0 and argc >= 1 cases, but I would +still appreciate a review given the differences with mainline. If it's +considered too risky I'm also fine with dropping it -- just wanted to +make sure this didn't fall through the cracks, as it does block a real +(albeit old by now) exploit. + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1788,6 +1788,9 @@ static int do_execveat_common(int fd, st + goto out_unmark; + + bprm->argc = count(argv, MAX_ARG_STRINGS); ++ if (bprm->argc == 0) ++ pr_warn_once("process '%s' launched '%s' with NULL argv: empty string added\n", ++ current->comm, bprm->filename); + if ((retval = bprm->argc) < 0) + goto out; + +@@ -1812,6 +1815,20 @@ static int do_execveat_common(int fd, st + if (retval < 0) + goto out; + ++ /* ++ * When argv is empty, add an empty string ("") as argv[0] to ++ * ensure confused userspace programs that start processing ++ * from argv[1] won't end up walking envp. See also ++ * bprm_stack_limits(). ++ */ ++ if (bprm->argc == 0) { ++ const char *argv[] = { "", NULL }; ++ retval = copy_strings_kernel(1, argv, bprm); ++ if (retval < 0) ++ goto out; ++ bprm->argc = 1; ++ } ++ + retval = exec_binprm(bprm); + if (retval < 0) + goto out; diff --git a/queue-4.14/netfilter-conntrack-re-fetch-conntrack-after-insertion.patch b/queue-4.14/netfilter-conntrack-re-fetch-conntrack-after-insertion.patch new file mode 100644 index 00000000000..d01ba241ba9 --- /dev/null +++ b/queue-4.14/netfilter-conntrack-re-fetch-conntrack-after-insertion.patch @@ -0,0 +1,43 @@ +From 56b14ecec97f39118bf85c9ac2438c5a949509ed Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 20 May 2022 00:02:04 +0200 +Subject: netfilter: conntrack: re-fetch conntrack after insertion + +From: Florian Westphal + +commit 56b14ecec97f39118bf85c9ac2438c5a949509ed upstream. + +In case the conntrack is clashing, insertion can free skb->_nfct and +set skb->_nfct to the already-confirmed entry. + +This wasn't found before because the conntrack entry and the extension +space used to free'd after an rcu grace period, plus the race needs +events enabled to trigger. + +Reported-by: +Fixes: 71d8c47fc653 ("netfilter: conntrack: introduce clash resolution on insertion race") +Fixes: 2ad9d7747c10 ("netfilter: conntrack: free extension area immediately") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_conntrack_core.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/include/net/netfilter/nf_conntrack_core.h ++++ b/include/net/netfilter/nf_conntrack_core.h +@@ -67,8 +67,13 @@ static inline int nf_conntrack_confirm(s + int ret = NF_ACCEPT; + + if (ct) { +- if (!nf_ct_is_confirmed(ct)) ++ if (!nf_ct_is_confirmed(ct)) { + ret = __nf_conntrack_confirm(skb); ++ ++ if (ret == NF_ACCEPT) ++ ct = (struct nf_conn *)skb_nfct(skb); ++ } ++ + if (likely(ret == NF_ACCEPT)) + nf_ct_deliver_cached_events(ct); + } diff --git a/queue-4.14/series b/queue-4.14/series index 2c184184076..1cf68f842b0 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -8,3 +8,7 @@ net-af_key-check-encryption-module-availability-cons.patch net-ftgmac100-disable-hardware-checksum-on-ast2600.patch drivers-i2c-thunderx-allow-driver-to-work-with-acpi-.patch assoc_array-fix-bug_on-during-garbage-collect.patch +drm-i915-fix-wstringop-overflow-warning-in-call-to-intel_read_wm_latency.patch +block-map-add-__gfp_zero-flag-for-alloc_page-in-function-bio_copy_kern.patch +exec-force-single-empty-string-when-argv-is-empty.patch +netfilter-conntrack-re-fetch-conntrack-after-insertion.patch