From: Greg Kroah-Hartman Date: Sun, 11 Nov 2018 02:08:23 +0000 (-0800) Subject: 3.18-stable patches X-Git-Tag: v4.19.2~60 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e949bc24e54aeca84159d04a5218a5e380b6f6e9;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch lockd-fix-access-beyond-unterminated-strings-in-prints.patch mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch nfsd-fix-an-oops-in-free_session.patch nfsv4.1-fix-the-r-wsize-checking.patch tc-set-dma-masks-for-devices.patch --- diff --git a/queue-3.18/dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch b/queue-3.18/dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch new file mode 100644 index 00000000000..17ff323c970 --- /dev/null +++ b/queue-3.18/dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch @@ -0,0 +1,70 @@ +From 800a7340ab7dd667edf95e74d8e4f23a17e87076 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 3 Oct 2018 11:43:59 -0500 +Subject: dm ioctl: harden copy_params()'s copy_from_user() from malicious users + +From: Wenwen Wang + +commit 800a7340ab7dd667edf95e74d8e4f23a17e87076 upstream. + +In copy_params(), the struct 'dm_ioctl' is first copied from the user +space buffer 'user' to 'param_kernel' and the field 'data_size' is +checked against 'minimum_data_size' (size of 'struct dm_ioctl' payload +up to its 'data' member). If the check fails, an error code EINVAL will be +returned. Otherwise, param_kernel->data_size is used to do a second copy, +which copies from the same user-space buffer to 'dmi'. After the second +copy, only 'dmi->data_size' is checked against 'param_kernel->data_size'. +Given that the buffer 'user' resides in the user space, a malicious +user-space process can race to change the content in the buffer between +the two copies. This way, the attacker can inject inconsistent data +into 'dmi' (versus previously validated 'param_kernel'). + +Fix redundant copying of 'minimum_data_size' from user-space buffer by +using the first copy stored in 'param_kernel'. Also remove the +'data_size' check after the second copy because it is now unnecessary. + +Cc: stable@vger.kernel.org +Signed-off-by: Wenwen Wang +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-ioctl.c | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1681,8 +1681,7 @@ static void free_params(struct dm_ioctl + } + + static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel, +- int ioctl_flags, +- struct dm_ioctl **param, int *param_flags) ++ int ioctl_flags, struct dm_ioctl **param, int *param_flags) + { + struct dm_ioctl *dmi; + int secure_data; +@@ -1730,18 +1729,13 @@ static int copy_params(struct dm_ioctl _ + return -ENOMEM; + } + +- if (copy_from_user(dmi, user, param_kernel->data_size)) +- goto bad; ++ /* Copy from param_kernel (which was already copied from user) */ ++ memcpy(dmi, param_kernel, minimum_data_size); + +-data_copied: +- /* +- * Abort if something changed the ioctl data while it was being copied. +- */ +- if (dmi->data_size != param_kernel->data_size) { +- DMERR("rejecting ioctl: data size modified while processing parameters"); ++ if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size, ++ param_kernel->data_size - minimum_data_size)) + goto bad; +- } +- ++data_copied: + /* Wipe the user buffer so we do not return it to userspace */ + if (secure_data && clear_user(user, param_kernel->data_size)) + goto bad; diff --git a/queue-3.18/lockd-fix-access-beyond-unterminated-strings-in-prints.patch b/queue-3.18/lockd-fix-access-beyond-unterminated-strings-in-prints.patch new file mode 100644 index 00000000000..e1d6ac4f40d --- /dev/null +++ b/queue-3.18/lockd-fix-access-beyond-unterminated-strings-in-prints.patch @@ -0,0 +1,32 @@ +From 93f38b6fae0ea8987e22d9e6c38f8dfdccd867ee Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Fri, 28 Sep 2018 20:41:48 +0300 +Subject: lockd: fix access beyond unterminated strings in prints + +From: Amir Goldstein + +commit 93f38b6fae0ea8987e22d9e6c38f8dfdccd867ee upstream. + +printk format used %*s instead of %.*s, so hostname_len does not limit +the number of bytes accessed from hostname. + +Signed-off-by: Amir Goldstein +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/lockd/host.c ++++ b/fs/lockd/host.c +@@ -339,7 +339,7 @@ struct nlm_host *nlmsvc_lookup_host(cons + }; + struct lockd_net *ln = net_generic(net, lockd_net_id); + +- dprintk("lockd: %s(host='%*s', vers=%u, proto=%s)\n", __func__, ++ dprintk("lockd: %s(host='%.*s', vers=%u, proto=%s)\n", __func__, + (int)hostname_len, hostname, rqstp->rq_vers, + (rqstp->rq_prot == IPPROTO_UDP ? "udp" : "tcp")); + diff --git a/queue-3.18/mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch b/queue-3.18/mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch new file mode 100644 index 00000000000..ce8a0895d94 --- /dev/null +++ b/queue-3.18/mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch @@ -0,0 +1,39 @@ +From c0fae7e2452b90c31edd2d25eb3baf0c76b400ca Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sat, 27 Oct 2018 01:46:34 +0300 +Subject: MIPS: OCTEON: fix out of bounds array access on CN68XX + +From: Aaro Koskinen + +commit c0fae7e2452b90c31edd2d25eb3baf0c76b400ca upstream. + +The maximum number of interfaces is returned by +cvmx_helper_get_number_of_interfaces(), and the value is used to access +interface_port_count[]. When CN68XX support was added, we forgot +to increase the array size. Fix that. + +Fixes: 2c8c3f0201333 ("MIPS: Octeon: Support additional interfaces on CN68XX") +Signed-off-by: Aaro Koskinen +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20949/ +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # v4.3+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/cavium-octeon/executive/cvmx-helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c ++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c +@@ -67,7 +67,7 @@ void (*cvmx_override_pko_queue_priority) + void (*cvmx_override_ipd_port_setup) (int ipd_port); + + /* Port count per interface */ +-static int interface_port_count[5]; ++static int interface_port_count[9]; + + /* Port last configured link info index by IPD/PKO port */ + static cvmx_helper_link_info_t diff --git a/queue-3.18/nfsd-fix-an-oops-in-free_session.patch b/queue-3.18/nfsd-fix-an-oops-in-free_session.patch new file mode 100644 index 00000000000..c2f22ebb070 --- /dev/null +++ b/queue-3.18/nfsd-fix-an-oops-in-free_session.patch @@ -0,0 +1,33 @@ +From bb6ad5572c0022e17e846b382d7413cdcf8055be Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 9 Oct 2018 15:54:15 -0400 +Subject: nfsd: Fix an Oops in free_session() + +From: Trond Myklebust + +commit bb6ad5572c0022e17e846b382d7413cdcf8055be upstream. + +In call_xpt_users(), we delete the entry from the list, but we +do not reinitialise it. This triggers the list poisoning when +we later call unregister_xpt_user() in nfsd4_del_conns(). + +Signed-off-by: Trond Myklebust +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/svc_xprt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -902,7 +902,7 @@ static void call_xpt_users(struct svc_xp + spin_lock(&xprt->xpt_lock); + while (!list_empty(&xprt->xpt_users)) { + u = list_first_entry(&xprt->xpt_users, struct svc_xpt_user, list); +- list_del(&u->list); ++ list_del_init(&u->list); + u->callback(u); + } + spin_unlock(&xprt->xpt_lock); diff --git a/queue-3.18/nfsv4.1-fix-the-r-wsize-checking.patch b/queue-3.18/nfsv4.1-fix-the-r-wsize-checking.patch new file mode 100644 index 00000000000..401a93374ce --- /dev/null +++ b/queue-3.18/nfsv4.1-fix-the-r-wsize-checking.patch @@ -0,0 +1,76 @@ +From 943cff67b842839f4f35364ba2db5c2d3f025d94 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 18 Sep 2018 10:07:44 -0400 +Subject: NFSv4.1: Fix the r/wsize checking + +From: Trond Myklebust + +commit 943cff67b842839f4f35364ba2db5c2d3f025d94 upstream. + +The intention of nfs4_session_set_rwsize() was to cap the r/wsize to the +buffer sizes negotiated by the CREATE_SESSION. The initial code had a +bug whereby we would not check the values negotiated by nfs_probe_fsinfo() +(the assumption being that CREATE_SESSION will always negotiate buffer values +that are sane w.r.t. the server's preferred r/wsizes) but would only check +values set by the user in the 'mount' command. + +The code was changed in 4.11 to _always_ set the r/wsize, meaning that we +now never use the server preferred r/wsizes. This is the regression that +this patch fixes. +Also rename the function to nfs4_session_limit_rwsize() in order to avoid +future confusion. + +Fixes: 033853325fe3 (NFSv4.1 respect server's max size in CREATE_SESSION") +Cc: stable@vger.kernel.org # v4.11+ +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4client.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -891,10 +891,10 @@ EXPORT_SYMBOL_GPL(nfs4_set_ds_client); + + /* + * Session has been established, and the client marked ready. +- * Set the mount rsize and wsize with negotiated fore channel +- * attributes which will be bound checked in nfs_server_set_fsinfo. ++ * Limit the mount rsize, wsize and dtsize using negotiated fore ++ * channel attributes. + */ +-static void nfs4_session_set_rwsize(struct nfs_server *server) ++static void nfs4_session_limit_rwsize(struct nfs_server *server) + { + #ifdef CONFIG_NFS_V4_1 + struct nfs4_session *sess; +@@ -907,9 +907,11 @@ static void nfs4_session_set_rwsize(stru + server_resp_sz = sess->fc_attrs.max_resp_sz - nfs41_maxread_overhead; + server_rqst_sz = sess->fc_attrs.max_rqst_sz - nfs41_maxwrite_overhead; + +- if (!server->rsize || server->rsize > server_resp_sz) ++ if (server->dtsize > server_resp_sz) ++ server->dtsize = server_resp_sz; ++ if (server->rsize > server_resp_sz) + server->rsize = server_resp_sz; +- if (!server->wsize || server->wsize > server_rqst_sz) ++ if (server->wsize > server_rqst_sz) + server->wsize = server_rqst_sz; + #endif /* CONFIG_NFS_V4_1 */ + } +@@ -956,12 +958,12 @@ static int nfs4_server_common_setup(stru + (unsigned long long) server->fsid.minor); + nfs_display_fhandle(mntfh, "Pseudo-fs root FH"); + +- nfs4_session_set_rwsize(server); +- + error = nfs_probe_fsinfo(server, mntfh, fattr); + if (error < 0) + goto out; + ++ nfs4_session_limit_rwsize(server); ++ + if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN) + server->namelen = NFS4_MAXNAMLEN; + diff --git a/queue-3.18/series b/queue-3.18/series index 04a45745f1f..37f3c2153ab 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -44,3 +44,9 @@ smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch +nfsv4.1-fix-the-r-wsize-checking.patch +nfsd-fix-an-oops-in-free_session.patch +lockd-fix-access-beyond-unterminated-strings-in-prints.patch +dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch +mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch +tc-set-dma-masks-for-devices.patch diff --git a/queue-3.18/tc-set-dma-masks-for-devices.patch b/queue-3.18/tc-set-dma-masks-for-devices.patch new file mode 100644 index 00000000000..68b3e592b2e --- /dev/null +++ b/queue-3.18/tc-set-dma-masks-for-devices.patch @@ -0,0 +1,107 @@ +From 3f2aa244ee1a0d17ed5b6c86564d2c1b24d1c96b Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Wed, 3 Oct 2018 13:21:07 +0100 +Subject: TC: Set DMA masks for devices + +From: Maciej W. Rozycki + +commit 3f2aa244ee1a0d17ed5b6c86564d2c1b24d1c96b upstream. + +Fix a TURBOchannel support regression with commit 205e1b7f51e4 +("dma-mapping: warn when there is no coherent_dma_mask") that caused +coherent DMA allocations to produce a warning such as: + +defxx: v1.11 2014/07/01 Lawrence V. Stefani and others +tc1: DEFTA at MMIO addr = 0x1e900000, IRQ = 20, Hardware addr = 08-00-2b-a3-a3-29 +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 dfx_dev_register+0x670/0x678 +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 4.19.0-rc6 #2 +Stack : ffffffff8009ffc0 fffffffffffffec0 0000000000000000 ffffffff80647650 + 0000000000000000 0000000000000000 ffffffff806f5f80 ffffffffffffffff + 0000000000000000 0000000000000000 0000000000000001 ffffffff8065d4e8 + 98000000031b6300 ffffffff80563478 ffffffff805685b0 ffffffffffffffff + 0000000000000000 ffffffff805d6720 0000000000000204 ffffffff80388df8 + 0000000000000000 0000000000000009 ffffffff8053efd0 ffffffff806657d0 + 0000000000000000 ffffffff803177f8 0000000000000000 ffffffff806d0000 + 9800000003078000 980000000307b9e0 000000001e900000 ffffffff80067940 + 0000000000000000 ffffffff805d6720 0000000000000204 ffffffff80388df8 + ffffffff805176c0 ffffffff8004dc78 0000000000000000 ffffffff80067940 + ... +Call Trace: +[] show_stack+0xa0/0x130 +[] __warn+0x128/0x170 +---[ end trace b1d1e094f67f3bb2 ]--- + +This is because the TURBOchannel bus driver fails to set the coherent +DMA mask for devices enumerated. + +Set the regular and coherent DMA masks for TURBOchannel devices then, +observing that the bus protocol supports a 34-bit (16GiB) DMA address +space, by interpreting the value presented in the address cycle across +the 32 `ad' lines as a 32-bit word rather than byte address[1]. The +architectural size of the TURBOchannel DMA address space exceeds the +maximum amount of RAM any actual TURBOchannel system in existence may +have, hence both masks are the same. + +This removes the warning shown above. + +References: + +[1] "TURBOchannel Hardware Specification", EK-369AA-OD-007B, Digital + Equipment Corporation, January 1993, Section "DMA", pp. 1-15 -- 1-17 + +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20835/ +Fixes: 205e1b7f51e4 ("dma-mapping: warn when there is no coherent_dma_mask") +Cc: stable@vger.kernel.org # 4.16+ +Cc: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tc/tc.c | 8 +++++++- + include/linux/tc.h | 1 + + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/tc/tc.c ++++ b/drivers/tc/tc.c +@@ -2,7 +2,7 @@ + * TURBOchannel bus services. + * + * Copyright (c) Harald Koerfgen, 1998 +- * Copyright (c) 2001, 2003, 2005, 2006 Maciej W. Rozycki ++ * Copyright (c) 2001, 2003, 2005, 2006, 2018 Maciej W. Rozycki + * Copyright (c) 2005 James Simmons + * + * This file is subject to the terms and conditions of the GNU +@@ -10,6 +10,7 @@ + * directory of this archive for more details. + */ + #include ++#include + #include + #include + #include +@@ -93,6 +94,11 @@ static void __init tc_bus_add_devices(st + tdev->dev.bus = &tc_bus_type; + tdev->slot = slot; + ++ /* TURBOchannel has 34-bit DMA addressing (16GiB space). */ ++ tdev->dma_mask = DMA_BIT_MASK(34); ++ tdev->dev.dma_mask = &tdev->dma_mask; ++ tdev->dev.coherent_dma_mask = DMA_BIT_MASK(34); ++ + for (i = 0; i < 8; i++) { + tdev->firmware[i] = + readb(module + offset + TC_FIRM_VER + 4 * i); +--- a/include/linux/tc.h ++++ b/include/linux/tc.h +@@ -84,6 +84,7 @@ struct tc_dev { + device. */ + struct device dev; /* Generic device interface. */ + struct resource resource; /* Address space of this device. */ ++ u64 dma_mask; /* DMA addressable range. */ + char vendor[9]; + char name[9]; + char firmware[9];