From: Greg Kroah-Hartman
Date: Fri, 14 Aug 2015 16:46:55 +0000 (-0700)
Subject: 3.10-stable patches
X-Git-Tag: v3.10.87~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ef4bba65659375df10019bf2280713b84a8c6537;p=thirdparty%2Fkernel%2Fstable-queue.git
3.10-stable patches
added patches:
arm-7819-1-fiq-cast-the-first-argument-of-flush_icache_range.patch
arm-fix-fiq-code-on-vivt-cpus.patch
arm-fix-kuser-helpers-case.patch
signal-fix-information-leak-in-copy_siginfo_from_user32.patch
signal-fix-information-leak-in-copy_siginfo_to_user.patch
signalfd-fix-information-leak-in-signalfd_copyinfo.patch
---
diff --git a/queue-3.10/arm-7819-1-fiq-cast-the-first-argument-of-flush_icache_range.patch b/queue-3.10/arm-7819-1-fiq-cast-the-first-argument-of-flush_icache_range.patch
new file mode 100644
index 00000000000..18b1b5bfa20
--- /dev/null
+++ b/queue-3.10/arm-7819-1-fiq-cast-the-first-argument-of-flush_icache_range.patch
@@ -0,0 +1,36 @@
+From 7cb3be0a27805c625ff7cce20c53c926d9483243 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam
+Date: Fri, 16 Aug 2013 12:55:56 +0100
+Subject: ARM: 7819/1: fiq: Cast the first argument of flush_icache_range()
+
+From: Fabio Estevam
+
+commit 7cb3be0a27805c625ff7cce20c53c926d9483243 upstream.
+
+Commit 2ba85e7af4 (ARM: Fix FIQ code on VIVT CPUs) causes the following build warning:
+
+arch/arm/kernel/fiq.c:92:3: warning: passing argument 1 of 'cpu_cache.coherent_kern_range' makes integer from pointer without a cast [enabled by default]
+
+Cast it as '(unsigned long)base' to avoid the warning.
+
+Signed-off-by: Fabio Estevam
+Signed-off-by: Russell King
+Cc: Martin Kaiser
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/fiq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/fiq.c
++++ b/arch/arm/kernel/fiq.c
+@@ -89,7 +89,8 @@ void set_fiq_handler(void *start, unsign
+
+ memcpy(base + offset, start, length);
+ if (!cache_is_vipt_nonaliasing())
+- flush_icache_range(base + offset, offset + length);
++ flush_icache_range((unsigned long)base + offset, offset +
++ length);
+ flush_icache_range(0xffff0000 + offset, 0xffff0000 + offset + length);
+ }
+
diff --git a/queue-3.10/arm-fix-fiq-code-on-vivt-cpus.patch b/queue-3.10/arm-fix-fiq-code-on-vivt-cpus.patch
new file mode 100644
index 00000000000..341d5552d84
--- /dev/null
+++ b/queue-3.10/arm-fix-fiq-code-on-vivt-cpus.patch
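Review bot: The end address of the VIVT-path flush is still the bare `offset + length` while the start is now `(unsigned long)base + offset`, so after this patch the two arguments describe a range whose end lies below its start; the cast only silences the warning, it does not make the range consistent, and the `0xffff0000` call on the following line shows the intended shape with the base added to both ends. ARM's flush_icache_range() is not in the hunk, but if it walks from start while start is below end, the alias flush on VIVT CPUs becomes a no-op, which is exactly the case the series set out to cover. The call should read `flush_icache_range((unsigned long)base + offset, (unsigned long)base + offset + length);`. The same start/end mismatch is introduced in its pre-cast form by the `flush_icache_range(base + offset, offset + length)` line in the arm-fix-fiq-code-on-vivt-cpus.patch hunk. set_fiq_handler begins before this hunk.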
@@ -0,0 +1,58 @@
+From 2ba85e7af4c639d933c9a87a6d7363f2983d5ada Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Thu, 8 Aug 2013 11:51:21 +0100
+Subject: ARM: Fix FIQ code on VIVT CPUs
+
+From: Russell King
+
+commit 2ba85e7af4c639d933c9a87a6d7363f2983d5ada upstream.
+
+Aaro Koskinen reports the following oops:
+Installing fiq handler from c001b110, length 0x164
+Unable to handle kernel paging request at virtual address ffff1224
+pgd = c0004000
+[ffff1224] *pgd=00000000, *pte=11fff0cb, *ppte=11fff00a
+...
+[] (set_fiq_handler+0x0/0x6c) from [] (ams_delta_init_fiq+0xa8/0x160)
+ r6:00000164 r5:c001b110 r4:00000000 r3:fefecb4c
+[] (ams_delta_init_fiq+0x0/0x160) from [] (ams_delta_init+0xd4/0x114)
+ r6:00000000 r5:fffece10 r4:c037a9e0
+[] (ams_delta_init+0x0/0x114) from [] (customize_machine+0x24/0x30)
+
+This is because the vectors page is now write-protected, and to change
+code in there we must write to its original alias. Make that change,
+and adjust the cache flushing such that the code will become visible
+to the instruction stream on VIVT CPUs.
+
+Reported-by: Aaro Koskinen
+Tested-by: Aaro Koskinen
+Signed-off-by: Russell King
+Cc: Martin Kaiser
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/fiq.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/arch/arm/kernel/fiq.c
++++ b/arch/arm/kernel/fiq.c
+@@ -84,17 +84,13 @@ int show_fiq_list(struct seq_file *p, in
+
+ void set_fiq_handler(void *start, unsigned int length)
+ {
+-#if defined(CONFIG_CPU_USE_DOMAINS)
+- void *base = (void *)0xffff0000;
+-#else
+ void *base = vectors_page;
+-#endif
+ unsigned offset = FIQ_OFFSET;
+
+ memcpy(base + offset, start, length);
++ if (!cache_is_vipt_nonaliasing())
++ flush_icache_range(base + offset, offset + length);
+ flush_icache_range(0xffff0000 + offset, 0xffff0000 + offset + length);
+- if (!vectors_high())
+- flush_icache_range(offset, offset + length);
+ }
+
+ int claim_fiq(struct fiq_handler *f)
diff --git a/queue-3.10/arm-fix-kuser-helpers-case.patch b/queue-3.10/arm-fix-kuser-helpers-case.patch
new file mode 100644
index 00000000000..a72362a606e
--- /dev/null
+++ b/queue-3.10/arm-fix-kuser-helpers-case.patch
@@ -0,0 +1,44 @@
+From 1b16c4bcf80e319b2226a886b72b8466179c8e3a Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Tue, 6 Aug 2013 09:48:42 +0100
+Subject: ARM: Fix !kuser helpers case
+
+From: Russell King
+
+commit 1b16c4bcf80e319b2226a886b72b8466179c8e3a upstream.
+
+Fix yet another build failure caused by a weird set of configuration
+settings:
+
+ LD init/built-in.o
+arch/arm/kernel/built-in.o: In function `__dabt_usr':
+/home/tom3q/kernel/arch/arm/kernel/entry-armv.S:377: undefined reference to `kuser_cmpxchg64_fixup'
+arch/arm/kernel/built-in.o: In function `__irq_usr':
+/home/tom3q/kernel/arch/arm/kernel/entry-armv.S:387: undefined reference to `kuser_cmpxchg64_fixup'
+
+caused by:
+CONFIG_KUSER_HELPERS=n
+CONFIG_CPU_32v6K=n
+CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG=n
+
+Reported-by: Tomasz Figa
+Signed-off-by: Russell King
+Cc: Martin Kaiser
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/entry-armv.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/entry-armv.S
++++ b/arch/arm/kernel/entry-armv.S
+@@ -358,7 +358,8 @@ ENDPROC(__pabt_svc)
+ .endm
+
+ .macro kuser_cmpxchg_check
+-#if !defined(CONFIG_CPU_32v6K) && !defined(CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG)
++#if !defined(CONFIG_CPU_32v6K) && defined(CONFIG_KUSER_HELPERS) && \
++ !defined(CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG)
+ #ifndef CONFIG_MMU
+ #warning "NPTL on non MMU needs fixing"
+ #else
diff --git a/queue-3.10/series b/queue-3.10/series
index d4d46f06e46..9f52b817045 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
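Review bot: The widened `#if` in kuser_cmpxchg_check gives no hint why CONFIG_KUSER_HELPERS now gates it; the reason, that the `kuser_cmpxchg64_fixup` label it references is only assembled when the helpers are built, lives only in the commit message and the linker errors quoted there. A one-line comment above the directive, `@ kuser_cmpxchg64_fixup only exists when CONFIG_KUSER_HELPERS=y`, would stop the next reader from treating the new term as redundant and dropping it. The body of the macro continues past the end of the hunk, so whether the non-MMU branch also references that label cannot be seen here.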
@@ -24,3 +24,9 @@ ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-acco
 ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch
 md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch
 sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch
+arm-fix-kuser-helpers-case.patch
+arm-fix-fiq-code-on-vivt-cpus.patch
+arm-7819-1-fiq-cast-the-first-argument-of-flush_icache_range.patch
+signalfd-fix-information-leak-in-signalfd_copyinfo.patch
+signal-fix-information-leak-in-copy_siginfo_to_user.patch
+signal-fix-information-leak-in-copy_siginfo_from_user32.patch
diff --git a/queue-3.10/signal-fix-information-leak-in-copy_siginfo_from_user32.patch b/queue-3.10/signal-fix-information-leak-in-copy_siginfo_from_user32.patch
new file mode 100644
index 00000000000..1add18be8dc
--- /dev/null
+++ b/queue-3.10/signal-fix-information-leak-in-copy_siginfo_from_user32.patch
@@ -0,0 +1,105 @@
+From 3c00cb5e68dc719f2fc73a33b1b230aadfcb1309 Mon Sep 17 00:00:00 2001
+From: Amanieu d'Antras
+Date: Thu, 6 Aug 2015 15:46:26 -0700
+Subject: signal: fix information leak in copy_siginfo_from_user32
+
+From: Amanieu d'Antras
+
+commit 3c00cb5e68dc719f2fc73a33b1b230aadfcb1309 upstream.
+
+This function can leak kernel stack data when the user siginfo_t has a
+positive si_code value. The top 16 bits of si_code descibe which fields
+in the siginfo_t union are active, but they are treated inconsistently
+between copy_siginfo_from_user32, copy_siginfo_to_user32 and
+copy_siginfo_to_user.
+
+copy_siginfo_from_user32 is called from rt_sigqueueinfo and
+rt_tgsigqueueinfo in which the user has full control overthe top 16 bits
+of si_code.
+
+This fixes the following information leaks:
+x86: 8 bytes leaked when sending a signal from a 32-bit process to
+ itself. This leak grows to 16 bytes if the process uses x32.
+ (si_code = __SI_CHLD)
+x86: 100 bytes leaked when sending a signal from a 32-bit process to
+ a 64-bit process. (si_code = -1)
+sparc: 4 bytes leaked when sending a signal from a 32-bit process to a
+ 64-bit process. (si_code = any)
+
+parsic and s390 have similar bugs, but they are not vulnerable because
+rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code
+to a different process. These bugs are also fixed for consistency.
+
+Signed-off-by: Amanieu d'Antras
+Cc: Oleg Nesterov
+Cc: Ingo Molnar
+Cc: Russell King
+Cc: Ralf Baechle
+Cc: Benjamin Herrenschmidt
+Cc: Chris Metcalf
+Cc: Paul Mackerras
+Cc: Michael Ellerman
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/signal32.c | 2 --
+ arch/mips/kernel/signal32.c | 2 --
+ arch/powerpc/kernel/signal_32.c | 2 --
+ kernel/signal.c | 4 ++--
+ 4 files changed, 2 insertions(+), 8 deletions(-)
+
+--- a/arch/arm64/kernel/signal32.c
++++ b/arch/arm64/kernel/signal32.c
+@@ -221,8 +221,6 @@ int copy_siginfo_to_user32(compat_siginf
+
+ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from)
+ {
+- memset(to, 0, sizeof *to);
+-
+ if (copy_from_user(to, from, __ARCH_SI_PREAMBLE_SIZE) ||
+ copy_from_user(to->_sifields._pad,
+ from->_sifields._pad, SI_PAD_SIZE))
+--- a/arch/mips/kernel/signal32.c
++++ b/arch/mips/kernel/signal32.c
+@@ -368,8 +368,6 @@ int copy_siginfo_to_user32(compat_siginf
+
+ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from)
+ {
+- memset(to, 0, sizeof *to);
+-
+ if (copy_from_user(to, from, 3*sizeof(int)) ||
+ copy_from_user(to->_sifields._pad,
+ from->_sifields._pad, SI_PAD_SIZE32))
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -949,8 +949,6 @@ int copy_siginfo_to_user32(struct compat
+
+ int copy_siginfo_from_user32(siginfo_t *to, struct compat_siginfo __user *from)
+ {
+- memset(to, 0, sizeof *to);
+-
+ if (copy_from_user(to, from, 3*sizeof(int)) ||
+ copy_from_user(to->_sifields._pad,
+ from->_sifields._pad, SI_PAD_SIZE32))
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -3036,7 +3036,7 @@ COMPAT_SYSCALL_DEFINE3(rt_sigqueueinfo,
+ int, sig,
+ struct compat_siginfo __user *, uinfo)
+ {
+- siginfo_t info;
++ siginfo_t info = {};
+ int ret = copy_siginfo_from_user32(&info, uinfo);
+ if (unlikely(ret))
+ return ret;
+@@ -3082,7 +3082,7 @@ COMPAT_SYSCALL_DEFINE4(rt_tgsigqueueinfo
+ int, sig,
+ struct compat_siginfo __user *, uinfo)
+ {
+- siginfo_t info;
++ siginfo_t info = {};
+
+ if (copy_siginfo_from_user32(&info, uinfo))
+ return -EFAULT;
diff --git a/queue-3.10/signal-fix-information-leak-in-copy_siginfo_to_user.patch b/queue-3.10/signal-fix-information-leak-in-copy_siginfo_to_user.patch
new file mode 100644
index 00000000000..b0f19f3ae75
--- /dev/null
+++ b/queue-3.10/signal-fix-information-leak-in-copy_siginfo_to_user.patch
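Review bot: Removing `memset(to, 0, sizeof *to)` from the arm64, mips and powerpc copy_siginfo_from_user32 moves responsibility for clearing the siginfo_t to the callers, but the hunk only adds `siginfo_t info = {};` in the two compat rt_sigqueueinfo/rt_tgsigqueueinfo syscalls in kernel/signal.c. Any other caller of copy_siginfo_from_user32 in the 3.10 tree (a compat PTRACE_SETSIGINFO path, if one routes through this helper) would go from zeroed to uninitialised padding unless it already clears its own buffer; that is worth confirming before the backport is queued, since the arch implementations shown here fill only the preamble and `_sifields._pad`. The two initialisers are load-bearing for the x86 and sparc leaks named in the description, which have no arch-side memset at all, so a short comment on each, `/* zeroed: copy_siginfo_from_user32() fills only the preamble and _pad */`, would keep a later cleanup from reverting them to a plain declaration. Both compat syscall bodies continue past the hunk.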
@@ -0,0 +1,54 @@
+From 26135022f85105ad725cda103fa069e29e83bd16 Mon Sep 17 00:00:00 2001
+From: Amanieu d'Antras
+Date: Thu, 6 Aug 2015 15:46:29 -0700
+Subject: signal: fix information leak in copy_siginfo_to_user
+
+From: Amanieu d'Antras
+
+commit 26135022f85105ad725cda103fa069e29e83bd16 upstream.
+
+This function may copy the si_addr_lsb, si_lower and si_upper fields to
+user mode when they haven't been initialized, which can leak kernel
+stack data to user mode.
+
+Just checking the value of si_code is insufficient because the same
+si_code value is shared between multiple signals. This is solved by
+checking the value of si_signo in addition to si_code.
+
+Signed-off-by: Amanieu d'Antras
+Cc: Oleg Nesterov
+Cc: Ingo Molnar
+Cc: Russell King
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/signal32.c | 3 ++-
+ kernel/signal.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/signal32.c
++++ b/arch/arm64/kernel/signal32.c
+@@ -193,7 +193,8 @@ int copy_siginfo_to_user32(compat_siginf
+ * Other callers might not initialize the si_lsb field,
+ * so check explicitely for the right codes here.
+ */
+- if (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO)
++ if (from->si_signo == SIGBUS &&
++ (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO))
+ err |= __put_user(from->si_addr_lsb, &to->si_addr_lsb);
+ #endif
+ break;
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2768,7 +2768,8 @@ int copy_siginfo_to_user(siginfo_t __use
+ * Other callers might not initialize the si_lsb field,
+ * so check explicitly for the right codes here.
+ */
+- if (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO)
++ if (from->si_signo == SIGBUS &&
++ (from->si_code == BUS_MCEERR_AR || from->si_code == BUS_MCEERR_AO))
+ err |= __put_user(from->si_addr_lsb, &to->si_addr_lsb);
+ #endif
+ break;
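Review bot: The comment left in context above both changed conditions still reads `* so check explicitly for the right codes here.` (`explicitely` in the arm64 copy), yet the condition now also requires `from->si_signo == SIGBUS`, which is the whole point of the fix; updating it to `* so check si_signo and the right codes here.` records that the signal test is deliberate and not a redundant guard someone may later simplify away. The description mentions si_lower and si_upper, but neither hunk touches them; presumably 3.10 has no such fields, and one line in the patch header saying that part was dropped in the backport would save the next reader a search. The same stale comment sits above the rewritten condition in the signalfd_copyinfo hunk of signalfd-fix-information-leak-in-signalfd_copyinfo.patch. The enclosing switch case in copy_siginfo_to_user and copy_siginfo_to_user32 begins before each hunk.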
diff --git a/queue-3.10/signalfd-fix-information-leak-in-signalfd_copyinfo.patch b/queue-3.10/signalfd-fix-information-leak-in-signalfd_copyinfo.patch
new file mode 100644
index 00000000000..c7fbba1bff2
--- /dev/null
+++ b/queue-3.10/signalfd-fix-information-leak-in-signalfd_copyinfo.patch
@@ -0,0 +1,41 @@
+From 3ead7c52bdb0ab44f4bb1feed505a8323cc12ba7 Mon Sep 17 00:00:00 2001
+From: Amanieu d'Antras
+Date: Thu, 6 Aug 2015 15:46:33 -0700
+Subject: signalfd: fix information leak in signalfd_copyinfo
+
+From: Amanieu d'Antras
+
+commit 3ead7c52bdb0ab44f4bb1feed505a8323cc12ba7 upstream.
+
+This function may copy the si_addr_lsb field to user mode when it hasn't
+been initialized, which can leak kernel stack data to user mode.
+
+Just checking the value of si_code is insufficient because the same
+si_code value is shared between multiple signals. This is solved by
+checking the value of si_signo in addition to si_code.
+
+Signed-off-by: Amanieu d'Antras
+Cc: Oleg Nesterov
+Cc: Ingo Molnar
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/signalfd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/signalfd.c
++++ b/fs/signalfd.c
+@@ -121,8 +121,9 @@ static int signalfd_copyinfo(struct sign
+ * Other callers might not initialize the si_lsb field,
+ * so check explicitly for the right codes here.
+ */
+- if (kinfo->si_code == BUS_MCEERR_AR ||
+- kinfo->si_code == BUS_MCEERR_AO)
++ if (kinfo->si_signo == SIGBUS &&
++ (kinfo->si_code == BUS_MCEERR_AR ||
++ kinfo->si_code == BUS_MCEERR_AO))
+ err |= __put_user((short) kinfo->si_addr_lsb,
+ &uinfo->ssi_addr_lsb);
+ #endif