From: Greg Kroah-Hartman Date: Sat, 2 Jun 2018 12:44:07 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.9.106~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eab8d47d0311690e0d18787040bb4c8a02770b48;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: selinux-kasan-slab-out-of-bounds-in-xattr_getsecurity.patch series tracing-fix-crash-when-freeing-instances-with-event-triggers.patch --- diff --git a/queue-3.18/selinux-kasan-slab-out-of-bounds-in-xattr_getsecurity.patch b/queue-3.18/selinux-kasan-slab-out-of-bounds-in-xattr_getsecurity.patch new file mode 100644 index 00000000000..c307ba3577b --- /dev/null +++ b/queue-3.18/selinux-kasan-slab-out-of-bounds-in-xattr_getsecurity.patch @@ -0,0 +1,52 @@ +From efe3de79e0b52ca281ef6691480c8c68c82a4657 Mon Sep 17 00:00:00 2001 +From: Sachin Grover +Date: Fri, 25 May 2018 14:01:39 +0530 +Subject: selinux: KASAN: slab-out-of-bounds in xattr_getsecurity + +From: Sachin Grover + +commit efe3de79e0b52ca281ef6691480c8c68c82a4657 upstream. + +Call trace: + [] dump_backtrace+0x0/0x428 + [] show_stack+0x28/0x38 + [] dump_stack+0xd4/0x124 + [] print_address_description+0x68/0x258 + [] kasan_report.part.2+0x228/0x2f0 + [] kasan_report+0x5c/0x70 + [] check_memory_region+0x12c/0x1c0 + [] memcpy+0x34/0x68 + [] xattr_getsecurity+0xe0/0x160 + [] vfs_getxattr+0xc8/0x120 + [] getxattr+0x100/0x2c8 + [] SyS_fgetxattr+0x64/0xa0 + [] el0_svc_naked+0x24/0x28 + +If user get root access and calls security.selinux setxattr() with an +embedded NUL on a file and then if some process performs a getxattr() +on that file with a length greater than the actual length of the string, +it would result in a panic. + +To fix this, add the actual length of the string to the security context +instead of the length passed by the userspace process. + +Signed-off-by: Sachin Grover +Cc: stable@vger.kernel.org +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/ss/services.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -1271,7 +1271,7 @@ static int security_context_to_sid_core( + scontext_len, &context, def_sid); + if (rc == -EINVAL && force) { + context.str = str; +- context.len = scontext_len; ++ context.len = strlen(str) + 1; + str = NULL; + } else if (rc) + goto out_unlock; diff --git a/queue-3.18/series b/queue-3.18/series new file mode 100644 index 00000000000..9a76557ef04 --- /dev/null +++ b/queue-3.18/series @@ -0,0 +1,2 @@ +tracing-fix-crash-when-freeing-instances-with-event-triggers.patch +selinux-kasan-slab-out-of-bounds-in-xattr_getsecurity.patch diff --git a/queue-3.18/tracing-fix-crash-when-freeing-instances-with-event-triggers.patch b/queue-3.18/tracing-fix-crash-when-freeing-instances-with-event-triggers.patch new file mode 100644 index 00000000000..474ac2da7f0 --- /dev/null +++ b/queue-3.18/tracing-fix-crash-when-freeing-instances-with-event-triggers.patch @@ -0,0 +1,70 @@ +From 86b389ff22bd6ad8fd3cb98e41cd271886c6d023 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Sun, 27 May 2018 20:54:44 -0400 +Subject: tracing: Fix crash when freeing instances with event triggers + +From: Steven Rostedt (VMware) + +commit 86b389ff22bd6ad8fd3cb98e41cd271886c6d023 upstream. + +If a instance has an event trigger enabled when it is freed, it could cause +an access of free memory. Here's the case that crashes: + + # cd /sys/kernel/tracing + # mkdir instances/foo + # echo snapshot > instances/foo/events/initcall/initcall_start/trigger + # rmdir instances/foo + +Would produce: + + general protection fault: 0000 [#1] PREEMPT SMP PTI + Modules linked in: tun bridge ... + CPU: 5 PID: 6203 Comm: rmdir Tainted: G W 4.17.0-rc4-test+ #933 + Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016 + RIP: 0010:clear_event_triggers+0x3b/0x70 + RSP: 0018:ffffc90003783de0 EFLAGS: 00010286 + RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b2b RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800c7130ba0 + RBP: ffffc90003783e00 R08: ffff8801131993f8 R09: 0000000100230016 + R10: ffffc90003783d80 R11: 0000000000000000 R12: ffff8800c7130ba0 + R13: ffff8800c7130bd8 R14: ffff8800cc093768 R15: 00000000ffffff9c + FS: 00007f6f4aa86700(0000) GS:ffff88011eb40000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f6f4a5aed60 CR3: 00000000cd552001 CR4: 00000000001606e0 + Call Trace: + event_trace_del_tracer+0x2a/0xc5 + instance_rmdir+0x15c/0x200 + tracefs_syscall_rmdir+0x52/0x90 + vfs_rmdir+0xdb/0x160 + do_rmdir+0x16d/0x1c0 + __x64_sys_rmdir+0x17/0x20 + do_syscall_64+0x55/0x1a0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +This was due to the call the clears out the triggers when an instance is +being deleted not removing the trigger from the link list. + +Cc: stable@vger.kernel.org +Fixes: 85f2b08268c01 ("tracing: Add basic event trigger framework") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_events_trigger.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -469,9 +469,10 @@ clear_event_triggers(struct trace_array + struct ftrace_event_file *file; + + list_for_each_entry(file, &tr->events, list) { +- struct event_trigger_data *data; +- list_for_each_entry_rcu(data, &file->triggers, list) { ++ struct event_trigger_data *data, *n; ++ list_for_each_entry_safe(data, n, &file->triggers, list) { + trace_event_trigger_enable_disable(file, 0); ++ list_del_rcu(&data->list); + if (data->ops->free) + data->ops->free(data->ops, data); + }