From 50e547532d346f4f668ac8f1f99034bf88c9218e Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 11 Dec 2017 23:17:04 +0100 Subject: [PATCH] 3.18-stable patches added patches: alsa-pcm-prevent-uaf-in-snd_pcm_info.patch alsa-seq-remove-spurious-warn_on-at-timer-check.patch alsa-usb-audio-add-check-return-value-for-usb_string.patch alsa-usb-audio-fix-out-of-bound-error.patch arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch asn.1-check-for-error-from-asn1_op_end__act-actions.patch efi-move-some-sysfs-files-to-be-read-only-by-root.patch hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch iommu-vt-d-fix-scatterlist-offset-handling.patch isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch keys-add-missing-permission-check-for-request_key-destination.patch kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch virtio-release-virtio-index-when-fail-to-device_register.patch x.509-reject-invalid-bit-string-for-subjectpublickey.patch x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch --- ...alsa-pcm-prevent-uaf-in-snd_pcm_info.patch | 37 ++++ ...move-spurious-warn_on-at-timer-check.patch | 35 ++++ ...dd-check-return-value-for-usb_string.patch | 42 +++++ ...lsa-usb-audio-fix-out-of-bound-error.patch | 95 +++++++++++ ...nt-registers-leaking-from-dead-tasks.patch | 95 +++++++++++ ...x-vttbr_baddr_mask-bug_on-off-by-one.patch | 53 ++++++ ...-error-from-asn1_op_end__act-actions.patch | 46 +++++ ...-sysfs-files-to-be-read-only-by-root.patch | 80 +++++++++ ...-past-allocated-blocks-from-kvp-file.patch | 140 +++++++++++++++ ...vt-d-fix-scatterlist-offset-handling.patch | 86 ++++++++++ ...eference-in-isa_bus-driver-callbacks.patch | 76 +++++++++ ...of-kallsyms_symbol_next-return-value.patch | 36 
++++ ...on-check-for-request_key-destination.patch | 159 ++++++++++++++++++ ...-i-o-port-0x80-bypass-on-intel-hosts.patch | 50 ++++++ ...s-over-usb-cannot-be-done-from-stack.patch | 43 +++++ ...ways-provide-dma_get_cache_alignment.patch | 39 +++++ ...e_alignment-as-minimum-dma-alignment.patch | 46 +++++ queue-3.18/series | 20 +++ ...o-index-when-fail-to-device_register.patch | 31 ++++ ...alid-bit-string-for-subjectpublickey.patch | 68 ++++++++ ...om_postcore_init-check-acpi_disabled.patch | 40 +++++ 21 files changed, 1317 insertions(+) create mode 100644 queue-3.18/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch create mode 100644 queue-3.18/alsa-seq-remove-spurious-warn_on-at-timer-check.patch create mode 100644 queue-3.18/alsa-usb-audio-add-check-return-value-for-usb_string.patch create mode 100644 queue-3.18/alsa-usb-audio-fix-out-of-bound-error.patch create mode 100644 queue-3.18/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch create mode 100644 queue-3.18/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch create mode 100644 queue-3.18/asn.1-check-for-error-from-asn1_op_end__act-actions.patch create mode 100644 queue-3.18/efi-move-some-sysfs-files-to-be-read-only-by-root.patch create mode 100644 queue-3.18/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch create mode 100644 queue-3.18/iommu-vt-d-fix-scatterlist-offset-handling.patch create mode 100644 queue-3.18/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch create mode 100644 queue-3.18/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch create mode 100644 queue-3.18/keys-add-missing-permission-check-for-request_key-destination.patch create mode 100644 queue-3.18/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch create mode 100644 queue-3.18/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch create mode 100644 queue-3.18/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch create mode 100644 
queue-3.18/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch create mode 100644 queue-3.18/virtio-release-virtio-index-when-fail-to-device_register.patch create mode 100644 queue-3.18/x.509-reject-invalid-bit-string-for-subjectpublickey.patch create mode 100644 queue-3.18/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch diff --git a/queue-3.18/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch b/queue-3.18/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch new file mode 100644 index 00000000000..ac87987a1f2 --- /dev/null +++ b/queue-3.18/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch @@ -0,0 +1,37 @@ +From 362bca57f5d78220f8b5907b875961af9436e229 Mon Sep 17 00:00:00 2001 +From: Robb Glasser +Date: Tue, 5 Dec 2017 09:16:55 -0800 +Subject: ALSA: pcm: prevent UAF in snd_pcm_info + +From: Robb Glasser + +commit 362bca57f5d78220f8b5907b875961af9436e229 upstream. + +When the device descriptor is closed, the `substream->runtime` pointer +is freed. But another thread may be in the ioctl handler, case +SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which +calls snd_pcm_info() which accesses the now freed `substream->runtime`. + +Note: this fixes CVE-2017-0861 + +Signed-off-by: Robb Glasser +Signed-off-by: Nick Desaulniers +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct + err = -ENXIO; + goto _error; + } ++ mutex_lock(&pcm->open_mutex); + err = snd_pcm_info_user(substream, info); ++ mutex_unlock(&pcm->open_mutex); + _error: + mutex_unlock(®ister_mutex); + return err; diff --git a/queue-3.18/alsa-seq-remove-spurious-warn_on-at-timer-check.patch b/queue-3.18/alsa-seq-remove-spurious-warn_on-at-timer-check.patch new file mode 100644 index 00000000000..88b0551a0ce --- /dev/null +++ b/queue-3.18/alsa-seq-remove-spurious-warn_on-at-timer-check.patch 
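Review bot: The new `mutex_lock(&pcm->open_mutex)` is taken while `register_mutex` is still held (it is released only at `_error:`), which fixes a register_mutex-before-open_mutex ordering for this path. The upstream fix was written against a newer tree, so the 3.18 backport should be checked for any path that takes `pcm->open_mutex` first and `register_mutex` second; that cannot be confirmed from the hunk. The early `goto _error` above the lock correctly bypasses the unlock, and the enclosing `snd_pcm_control_ioctl()` starts outside the hunk. A short comment on the lock, e.g. `/* hold open_mutex so a concurrent close cannot free substream->runtime under snd_pcm_info() */`, would record why it is needed.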
@@ -0,0 +1,35 @@ +From 43a3542870328601be02fcc9d27b09db467336ef Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 30 Nov 2017 10:08:28 +0100 +Subject: ALSA: seq: Remove spurious WARN_ON() at timer check + +From: Takashi Iwai + +commit 43a3542870328601be02fcc9d27b09db467336ef upstream. + +The use of snd_BUG_ON() in ALSA sequencer timer may lead to a spurious +WARN_ON() when a slave timer is deployed as its backend and a +corresponding master timer stops meanwhile. The symptom was triggered +by syzkaller spontaneously. + +Since the NULL timer is valid there, rip off snd_BUG_ON(). + +Reported-by: syzbot +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_timer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/core/seq/seq_timer.c ++++ b/sound/core/seq/seq_timer.c +@@ -355,7 +355,7 @@ static int initialize_timer(struct snd_s + unsigned long freq; + + t = tmr->timeri->timer; +- if (snd_BUG_ON(!t)) ++ if (!t) + return -EINVAL; + + freq = tmr->preferred_resolution; diff --git a/queue-3.18/alsa-usb-audio-add-check-return-value-for-usb_string.patch b/queue-3.18/alsa-usb-audio-add-check-return-value-for-usb_string.patch new file mode 100644 index 00000000000..8f3055e3200 --- /dev/null +++ b/queue-3.18/alsa-usb-audio-add-check-return-value-for-usb_string.patch 
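Review bot: The replaced check `if (!t) return -EINVAL;` now treats a NULL timer as an ordinary error, but nothing at the site records that this is a legitimate state rather than a bug, so a later cleanup could reintroduce the `snd_BUG_ON()`. Suggest a one-line comment above it: `/* t can legitimately be NULL: a slave timer whose master timer has already stopped */`. The commit message supplies the rationale; the enclosing `initialize_timer()` starts and ends outside the hunk.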
@@ -0,0 +1,42 @@ +From 89b89d121ffcf8d9546633b98ded9d18b8f75891 Mon Sep 17 00:00:00 2001 +From: Jaejoong Kim +Date: Mon, 4 Dec 2017 15:31:49 +0900 +Subject: ALSA: usb-audio: Add check return value for usb_string() + +From: Jaejoong Kim + +commit 89b89d121ffcf8d9546633b98ded9d18b8f75891 upstream. + +snd_usb_copy_string_desc() returns zero if usb_string() fails. +In case of failure, we need to check the snd_usb_copy_string_desc()'s +return value and add an exception case + +Signed-off-by: Jaejoong Kim +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2099,13 +2099,14 @@ static int parse_audio_selector_unit(str + if (len) + ; + else if (nameid) +- snd_usb_copy_string_desc(state, nameid, kctl->id.name, ++ len = snd_usb_copy_string_desc(state, nameid, kctl->id.name, + sizeof(kctl->id.name)); +- else { ++ else + len = get_term_name(state, &state->oterm, + kctl->id.name, sizeof(kctl->id.name), 0); +- if (!len) +- strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name)); ++ ++ if (!len) { ++ strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name)); + + if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR) + append_ctl_name(kctl, " Clock Source"); diff --git a/queue-3.18/alsa-usb-audio-fix-out-of-bound-error.patch b/queue-3.18/alsa-usb-audio-fix-out-of-bound-error.patch new file mode 100644 index 00000000000..5205b4861e2 --- /dev/null +++ b/queue-3.18/alsa-usb-audio-fix-out-of-bound-error.patch 
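Review bot: The new `if (!len)` fallback only works if `snd_usb_copy_string_desc()` returns 0 on failure, which for 3.18 is established by the separate `alsa-usb-audio-fix-out-of-bound-error.patch` in this same queue; without it a negative errno from `usb_string()` lands in `len`, `!len` is false and the `"USB"` default is never applied. The `queue-3.18/series` file is not visible here, so verify the out-of-bound fix is ordered before this one (upstream 251552a2 precedes 89b89d12). The restructuring also moves the `UAC2_CLOCK_SELECTOR` suffix handling under the new `if (!len) {`, so it now runs when the `nameid` lookup fails as well; that matches upstream but is a behavior change worth a line in the backport note. The enclosing `parse_audio_selector_unit()` starts and ends outside the hunk.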
@@ -0,0 +1,95 @@ +From 251552a2b0d454badc8f486e6d79100970c744b0 Mon Sep 17 00:00:00 2001 +From: Jaejoong Kim +Date: Mon, 4 Dec 2017 15:31:48 +0900 +Subject: ALSA: usb-audio: Fix out-of-bound error + +From: Jaejoong Kim + +commit 251552a2b0d454badc8f486e6d79100970c744b0 upstream. + +The snd_usb_copy_string_desc() retrieves the usb string corresponding to +the index number through the usb_string(). The problem is that the +usb_string() returns the length of the string (>= 0) when successful, but +it can also return a negative value about the error case or status of +usb_control_msg(). + +If iClockSource is '0' as shown below, usb_string() will returns -EINVAL. +This will result in '0' being inserted into buf[-22], and the following +KASAN out-of-bound error message will be output. + +AudioControl Interface Descriptor: + bLength 8 + bDescriptorType 36 + bDescriptorSubtype 10 (CLOCK_SOURCE) + bClockID 1 + bmAttributes 0x07 Internal programmable Clock (synced to SOF) + bmControls 0x07 + Clock Frequency Control (read/write) + Clock Validity Control (read-only) + bAssocTerminal 0 + iClockSource 0 + +To fix it, check usb_string()'return value and bail out. + +================================================================== +BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio] +Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376 + +CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3 +Hardware name: LG Electronics 15N540-RFLGL/White Tip Mountain, BIOS 15N5 +Call Trace: +dump_stack+0x63/0x8d +print_address_description+0x70/0x290 +? parse_audio_unit+0x1327/0x1960 [snd_usb_audio] +kasan_report+0x265/0x350 +__asan_store1+0x4a/0x50 +parse_audio_unit+0x1327/0x1960 [snd_usb_audio] +? save_stack+0xb5/0xd0 +? save_stack_trace+0x1b/0x20 +? save_stack+0x46/0xd0 +? kasan_kmalloc+0xad/0xe0 +? kmem_cache_alloc_trace+0xff/0x230 +? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio] +? usb_audio_probe+0x4de/0xf40 [snd_usb_audio] +? 
usb_probe_interface+0x1f5/0x440 +? driver_probe_device+0x3ed/0x660 +? build_feature_ctl+0xb10/0xb10 [snd_usb_audio] +? save_stack_trace+0x1b/0x20 +? init_object+0x69/0xa0 +? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio] +snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio] +? build_audio_procunit+0x890/0x890 [snd_usb_audio] +? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio] +? kmem_cache_alloc_trace+0xff/0x230 +? usb_ifnum_to_if+0xbd/0xf0 +snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio] +? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio] +usb_audio_probe+0x4de/0xf40 [snd_usb_audio] +? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio] +? __pm_runtime_idle+0x90/0x90 +? kernfs_activate+0xa6/0xc0 +? usb_match_one_id_intf+0xdc/0x130 +? __pm_runtime_set_status+0x2d4/0x450 +usb_probe_interface+0x1f5/0x440 + +Signed-off-by: Jaejoong Kim +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -199,6 +199,10 @@ static int snd_usb_copy_string_desc(stru + int index, char *buf, int maxlen) + { + int len = usb_string(state->chip->dev, index, buf, maxlen - 1); ++ ++ if (len < 0) ++ return 0; ++ + buf[len] = 0; + return len; + } diff --git a/queue-3.18/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch b/queue-3.18/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch new file mode 100644 index 00000000000..08968d58091 --- /dev/null +++ b/queue-3.18/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch 
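Review bot: On the new `if (len < 0) return 0;` path `buf` is left untouched, so a caller that uses `buf` without checking the return value may read stale or unterminated bytes; the caller visible in this queue (`parse_audio_selector_unit()`) does check for 0, but other callers are not visible. Either document the contract above the check, `/* usb_string() returns -errno on failure; report "no string" and leave buf untouched */`, or terminate defensively with `buf[0] = 0;` before returning. The function's signature is in the hunk context; its callers are outside.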
@@ -0,0 +1,95 @@ +From 071b6d4a5d343046f253a5a8835d477d93992002 Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Tue, 5 Dec 2017 14:56:42 +0000 +Subject: arm64: fpsimd: Prevent registers leaking from dead tasks + +From: Dave Martin + +commit 071b6d4a5d343046f253a5a8835d477d93992002 upstream. + +Currently, loading of a task's fpsimd state into the CPU registers +is skipped if that task's state is already present in the registers +of that CPU. + +However, the code relies on the struct fpsimd_state * (and by +extension struct task_struct *) to unambiguously identify a task. + +There is a particular case in which this doesn't work reliably: +when a task exits, its task_struct may be recycled to describe a +new task. + +Consider the following scenario: + + 1) Task P loads its fpsimd state onto cpu C. + per_cpu(fpsimd_last_state, C) := P; + P->thread.fpsimd_state.cpu := C; + + 2) Task X is scheduled onto C and loads its fpsimd state on C. + per_cpu(fpsimd_last_state, C) := X; + X->thread.fpsimd_state.cpu := C; + + 3) X exits, causing X's task_struct to be freed. + + 4) P forks a new child T, which obtains X's recycled task_struct. + T == X. + T->thread.fpsimd_state.cpu == C (inherited from P). + + 5) T is scheduled on C. + T's fpsimd state is not loaded, because + per_cpu(fpsimd_last_state, C) == T (== X) && + T->thread.fpsimd_state.cpu == C. + + (This is the check performed by fpsimd_thread_switch().) + +So, T gets X's registers because the last registers loaded onto C +were those of X, in (2). + +This patch fixes the problem by ensuring that the sched-in check +fails in (5): fpsimd_flush_task_state(T) is called when T is +forked, so that T->thread.fpsimd_state.cpu == C cannot be true. +This relies on the fact that T is not schedulable until after +copy_thread() completes. + +Once T's fpsimd state has been loaded on some CPU C there may still +be other cpus D for which per_cpu(fpsimd_last_state, D) == +&X->thread.fpsimd_state. 
But D is necessarily != C in this case, +and the check in (5) must fail. + +An alternative fix would be to do refcounting on task_struct. This +would result in each CPU holding a reference to the last task whose +fpsimd state was loaded there. It's not clear whether this is +preferable, and it involves higher overhead than the fix proposed +in this patch. It would also move all the task_struct freeing +work into the context switch critical section, or otherwise some +deferred cleanup mechanism would need to be introduced, neither of +which seems obviously justified. + +Fixes: 005f78cd8849 ("arm64: defer reloading a task's FPSIMD state to userland resume") +Signed-off-by: Dave Martin +Reviewed-by: Ard Biesheuvel +[will: word-smithed the comment so it makes more sense] +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/process.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/arm64/kernel/process.c ++++ b/arch/arm64/kernel/process.c +@@ -250,6 +250,15 @@ int copy_thread(unsigned long clone_flag + + memset(&p->thread.cpu_context, 0, sizeof(struct cpu_context)); + ++ /* ++ * In case p was allocated the same task_struct pointer as some ++ * other recently-exited task, make sure p is disassociated from ++ * any cpu that may have run that now-exited task recently. ++ * Otherwise we could erroneously skip reloading the FPSIMD ++ * registers for p. ++ */ ++ fpsimd_flush_task_state(p); ++ + if (likely(!(p->flags & PF_KTHREAD))) { + *childregs = *current_pt_regs(); + childregs->regs[0] = 0; diff --git a/queue-3.18/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch b/queue-3.18/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch new file mode 100644 index 00000000000..f75d87e27a3 --- /dev/null +++ b/queue-3.18/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch 
@@ -0,0 +1,53 @@ +From 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 Mon Sep 17 00:00:00 2001 +From: Kristina Martsenko +Date: Thu, 16 Nov 2017 17:58:20 +0000 +Subject: arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one + +From: Kristina Martsenko + +commit 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 upstream. + +VTTBR_BADDR_MASK is used to sanity check the size and alignment of the +VTTBR address. It seems to currently be off by one, thereby only +allowing up to 47-bit addresses (instead of 48-bit) and also +insufficiently checking the alignment. This patch fixes it. + +As an example, with 4k pages, before this patch we have: + + PHYS_MASK_SHIFT = 48 + VTTBR_X = 37 - 24 = 13 + VTTBR_BADDR_SHIFT = 13 - 1 = 12 + VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000 + +Which is wrong, because the mask doesn't allow bit 47 of the VTTBR +address to be set, and only requires the address to be 12-bit (4k) +aligned, while it actually needs to be 13-bit (8k) aligned because we +concatenate two 4k tables. + +With this patch, the mask becomes 0x0000ffffffffe000, which is what we +want. + +Fixes: 0369f6a34b9f ("arm64: KVM: EL2 register definitions") +Reviewed-by: Suzuki K Poulose +Reviewed-by: Christoffer Dall +Signed-off-by: Kristina Martsenko +Signed-off-by: Marc Zyngier +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/kvm_arm.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/kvm_arm.h ++++ b/arch/arm64/include/asm/kvm_arm.h +@@ -160,8 +160,7 @@ + #define VTTBR_X (37 - VTCR_EL2_T0SZ_40B) + #endif + +-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1) +-#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT) ++#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_X) + #define VTTBR_VMID_SHIFT (UL(48)) + #define VTTBR_VMID_MASK (UL(0xFF) << VTTBR_VMID_SHIFT) + 
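Review bot: `VTTBR_BADDR_SHIFT` is deleted from kvm_arm.h, so any remaining user of that macro in the 3.18 tree would now fail to compile; the upstream commit touched only this header, but the 3.18 tree should be grepped for it before merging (the `BUG_ON` named in the subject uses `VTTBR_BADDR_MASK` per the message and is not visible here). The new mask shifts by `VTTBR_X`, giving the 2^VTTBR_X alignment the message describes; a short comment such as `/* BADDR must be 2^VTTBR_X aligned (see the VTTBR_X definitions above) */` would keep that reasoning in the header. The macro is standalone; there is no enclosing function.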
diff --git a/queue-3.18/asn.1-check-for-error-from-asn1_op_end__act-actions.patch b/queue-3.18/asn.1-check-for-error-from-asn1_op_end__act-actions.patch new file mode 100644 index 00000000000..e221853a6b1 --- /dev/null +++ b/queue-3.18/asn.1-check-for-error-from-asn1_op_end__act-actions.patch @@ -0,0 +1,46 @@ +From 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 8 Dec 2017 15:13:27 +0000 +Subject: ASN.1: check for error from ASN1_OP_END__ACT actions + +From: Eric Biggers + +commit 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 upstream. + +asn1_ber_decoder() was ignoring errors from actions associated with the +opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT, +ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT. In practice, this +meant the pkcs7_note_signed_info() action (since that was the only user +of those opcodes). Fix it by checking for the error, just like the +decoder does for actions associated with the other opcodes. + +This bug allowed users to leak slab memory by repeatedly trying to add a +specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY). + +In theory, this bug could also be used to bypass module signature +verification, by providing a PKCS#7 message that is misparsed such that +a signature's ->authattrs do not contain its ->msgdigest. But it +doesn't seem practical in normal cases, due to restrictions on the +format of the ->authattrs. + +Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder") +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Reviewed-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + lib/asn1_decoder.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/lib/asn1_decoder.c ++++ b/lib/asn1_decoder.c +@@ -422,6 +422,8 @@ next_op: + else + act = machine[pc + 1]; + ret = actions[act](context, hdr, 0, data + tdp, len); ++ if (ret < 0) ++ return ret; + } + pc += asn1_op_lengths[op]; + goto next_op; 
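Review bot: The added `if (ret < 0) return ret;` returns straight out of `asn1_ber_decoder()` from the middle of the opcode loop; the function's other action-error exits are outside the hunk, so confirm that in 3.18 they also use a bare `return ret` rather than an error label with cleanup or diagnostics, and route through that label if they do. Since the commit message ties this to a slab leak triggered by a crafted `pkcs7_test` key, a one-line comment such as `/* ASN1_OP_END_*_ACT actions (e.g. pkcs7_note_signed_info) can fail; propagate like the other action opcodes */` would make the purpose visible at the site. The enclosing function starts and ends outside the hunk.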
diff --git a/queue-3.18/efi-move-some-sysfs-files-to-be-read-only-by-root.patch b/queue-3.18/efi-move-some-sysfs-files-to-be-read-only-by-root.patch new file mode 100644 index 00000000000..587416015d2 --- /dev/null +++ b/queue-3.18/efi-move-some-sysfs-files-to-be-read-only-by-root.patch 
@@ -0,0 +1,80 @@ +From af97a77bc01ce49a466f9d4c0125479e2e2230b6 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Wed, 6 Dec 2017 09:50:08 +0000 +Subject: efi: Move some sysfs files to be read-only by root + +From: Greg Kroah-Hartman + +commit af97a77bc01ce49a466f9d4c0125479e2e2230b6 upstream. + +Thanks to the scripts/leaking_addresses.pl script, it was found that +some EFI values should not be readable by non-root users. + +So make them root-only, and to do that, add a __ATTR_RO_MODE() macro to +make this easier, and use it in other places at the same time. + +Reported-by: Linus Torvalds +Tested-by: Dave Young +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Ard Biesheuvel +Cc: H. Peter Anvin +Cc: Matt Fleming +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20171206095010.24170-2-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efi/efi.c | 3 +-- + drivers/firmware/efi/runtime-map.c | 10 +++++----- + include/linux/sysfs.h | 6 ++++++ + 3 files changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -96,8 +96,7 @@ static ssize_t systab_show(struct kobjec + return str - buf; + } + +-static struct kobj_attribute efi_attr_systab = +- __ATTR(systab, 0400, systab_show, NULL); ++static struct kobj_attribute efi_attr_systab = __ATTR_RO_MODE(systab, 0400); + + #define EFI_FIELD(var) efi.var + +--- a/drivers/firmware/efi/runtime-map.c ++++ b/drivers/firmware/efi/runtime-map.c +@@ -67,11 +67,11 @@ static ssize_t map_attr_show(struct kobj + return map_attr->show(entry, buf); + } + +-static struct map_attribute map_type_attr = __ATTR_RO(type); +-static struct map_attribute map_phys_addr_attr = __ATTR_RO(phys_addr); +-static struct map_attribute map_virt_addr_attr = __ATTR_RO(virt_addr); +-static struct map_attribute map_num_pages_attr = __ATTR_RO(num_pages); +-static struct map_attribute 
map_attribute_attr = __ATTR_RO(attribute); ++static struct map_attribute map_type_attr = __ATTR_RO_MODE(type, 0400); ++static struct map_attribute map_phys_addr_attr = __ATTR_RO_MODE(phys_addr, 0400); ++static struct map_attribute map_virt_addr_attr = __ATTR_RO_MODE(virt_addr, 0400); ++static struct map_attribute map_num_pages_attr = __ATTR_RO_MODE(num_pages, 0400); ++static struct map_attribute map_attribute_attr = __ATTR_RO_MODE(attribute, 0400); + + /* + * These are default attributes that are added for every memmap entry. +--- a/include/linux/sysfs.h ++++ b/include/linux/sysfs.h +@@ -82,6 +82,12 @@ struct attribute_group { + .show = _name##_show, \ + } + ++#define __ATTR_RO_MODE(_name, _mode) { \ ++ .attr = { .name = __stringify(_name), \ ++ .mode = VERIFY_OCTAL_PERMISSIONS(_mode) }, \ ++ .show = _name##_show, \ ++} ++ + #define __ATTR_WO(_name) { \ + .attr = { .name = __stringify(_name), .mode = S_IWUSR }, \ + .store = _name##_store, \ diff --git a/queue-3.18/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch b/queue-3.18/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch new file mode 100644 index 00000000000..29b9d8e56af --- /dev/null +++ b/queue-3.18/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch 
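Review bot: The new `__ATTR_RO_MODE()` in sysfs.h depends on `VERIFY_OCTAL_PERMISSIONS()`, which is not visible in the hunk context; confirm that 3.18's `include/linux/sysfs.h` already uses it in `__ATTR()` so the backport compiles, since the upstream macro was written against a later tree. The macro also lacks the short comment a reader would want, e.g. `/* read-only attribute with an explicit mode, for files that must be root-only (0400) */`. The mode change on the five runtime-map attributes and on `systab` is an access-control change: unprivileged readers of those sysfs files will now be refused, which is the intent (they expose kernel addresses) but is worth stating in the backport note.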
@@ -0,0 +1,140 @@ +From 297d6b6e56c2977fc504c61bbeeaa21296923f89 Mon Sep 17 00:00:00 2001 +From: Paul Meyer +Date: Tue, 14 Nov 2017 13:06:47 -0700 +Subject: hv: kvp: Avoid reading past allocated blocks from KVP file + +From: Paul Meyer + +commit 297d6b6e56c2977fc504c61bbeeaa21296923f89 upstream. + +While reading in more than one block (50) of KVP records, the allocation +goes per block, but the reads used the total number of allocated records +(without resetting the pointer/stream). This causes the records buffer to +overrun when the refresh reads more than one block over the previous +capacity (e.g. reading more than 100 KVP records whereas the in-memory +database was empty before). + +Fix this by reading the correct number of KVP records from file each time. + +Signed-off-by: Paul Meyer +Signed-off-by: Long Li +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + tools/hv/hv_kvp_daemon.c | 70 +++++++++-------------------------------------- + 1 file changed, 14 insertions(+), 56 deletions(-) + +--- a/tools/hv/hv_kvp_daemon.c ++++ b/tools/hv/hv_kvp_daemon.c +@@ -196,11 +196,14 @@ static void kvp_update_mem_state(int poo + for (;;) { + readp = &record[records_read]; + records_read += fread(readp, sizeof(struct kvp_record), +- ENTRIES_PER_BLOCK * num_blocks, +- filep); ++ ENTRIES_PER_BLOCK * num_blocks - records_read, ++ filep); + + if (ferror(filep)) { +- syslog(LOG_ERR, "Failed to read file, pool: %d", pool); ++ syslog(LOG_ERR, ++ "Failed to read file, pool: %d; error: %d %s", ++ pool, errno, strerror(errno)); ++ kvp_release_lock(pool); + exit(EXIT_FAILURE); + } + +@@ -213,6 +216,7 @@ static void kvp_update_mem_state(int poo + + if (record == NULL) { + syslog(LOG_ERR, "malloc failed"); ++ kvp_release_lock(pool); + exit(EXIT_FAILURE); + } + continue; +@@ -227,15 +231,11 @@ static void kvp_update_mem_state(int poo + fclose(filep); + kvp_release_lock(pool); + } ++ + static int kvp_file_init(void) + { + int fd; +- FILE *filep; +- size_t 
records_read; + char *fname; +- struct kvp_record *record; +- struct kvp_record *readp; +- int num_blocks; + int i; + int alloc_unit = sizeof(struct kvp_record) * ENTRIES_PER_BLOCK; + +@@ -249,61 +249,19 @@ static int kvp_file_init(void) + + for (i = 0; i < KVP_POOL_COUNT; i++) { + fname = kvp_file_info[i].fname; +- records_read = 0; +- num_blocks = 1; + sprintf(fname, "%s/.kvp_pool_%d", KVP_CONFIG_LOC, i); + fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0644 /* rw-r--r-- */); + + if (fd == -1) + return 1; + +- +- filep = fopen(fname, "re"); +- if (!filep) { +- close(fd); +- return 1; +- } +- +- record = malloc(alloc_unit * num_blocks); +- if (record == NULL) { +- fclose(filep); +- close(fd); +- return 1; +- } +- for (;;) { +- readp = &record[records_read]; +- records_read += fread(readp, sizeof(struct kvp_record), +- ENTRIES_PER_BLOCK, +- filep); +- +- if (ferror(filep)) { +- syslog(LOG_ERR, "Failed to read file, pool: %d", +- i); +- exit(EXIT_FAILURE); +- } +- +- if (!feof(filep)) { +- /* +- * We have more data to read. +- */ +- num_blocks++; +- record = realloc(record, alloc_unit * +- num_blocks); +- if (record == NULL) { +- fclose(filep); +- close(fd); +- return 1; +- } +- continue; +- } +- break; +- } + kvp_file_info[i].fd = fd; +- kvp_file_info[i].num_blocks = num_blocks; +- kvp_file_info[i].records = record; +- kvp_file_info[i].num_records = records_read; +- fclose(filep); +- ++ kvp_file_info[i].num_blocks = 1; ++ kvp_file_info[i].records = malloc(alloc_unit); ++ if (kvp_file_info[i].records == NULL) ++ return 1; ++ kvp_file_info[i].num_records = 0; ++ kvp_update_mem_state(i); + } + + return 0; diff --git a/queue-3.18/iommu-vt-d-fix-scatterlist-offset-handling.patch b/queue-3.18/iommu-vt-d-fix-scatterlist-offset-handling.patch new file mode 100644 index 00000000000..e4a00011f7a --- /dev/null +++ b/queue-3.18/iommu-vt-d-fix-scatterlist-offset-handling.patch 
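Review bot: In the rewritten `kvp_file_init()` loop, `if (kvp_file_info[i].records == NULL) return 1;` leaks the `fd` opened a few lines earlier; the deleted code closed it on the same failure, so the error path should be `if (kvp_file_info[i].records == NULL) { close(fd); return 1; }`. Also the new `kvp_update_mem_state(i)` call at the end of the loop terminates the daemon via `exit(EXIT_FAILURE)` on read or malloc errors (visible in the first hunk), whereas `kvp_file_init()` otherwise reports failure by returning 1; that asymmetry is inherited from the helper but deserves a comment at the call site, e.g. `/* loads the pool from disk; exits the process on I/O or allocation failure */`. `kvp_update_mem_state()` starts outside the first hunk; `kvp_file_init()` is complete within the second.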
@@ -0,0 +1,86 @@ +From 29a90b70893817e2f2bb3cea40a29f5308e21b21 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Thu, 28 Sep 2017 15:14:01 +0100 +Subject: iommu/vt-d: Fix scatterlist offset handling + +From: Robin Murphy + +commit 29a90b70893817e2f2bb3cea40a29f5308e21b21 upstream. + +The intel-iommu DMA ops fail to correctly handle scatterlists where +sg->offset is greater than PAGE_SIZE - the IOVA allocation is computed +appropriately based on the page-aligned portion of the offset, but the +mapping is set up relative to sg->page, which means it fails to actually +cover the whole buffer (and in the worst case doesn't cover it at all): + + (sg->dma_address + sg->dma_len) ----+ + sg->dma_address ---------+ | + iov_pfn------+ | | + | | | + v v v +iova: a b c d e f + |--------|--------|--------|--------|--------| + <...calculated....> + [_____mapped______] +pfn: 0 1 2 3 4 5 + |--------|--------|--------|--------|--------| + ^ ^ ^ + | | | + sg->page ----+ | | + sg->offset --------------+ | + (sg->offset + sg->length) ----------+ + +As a result, the caller ends up overrunning the mapping into whatever +lies beyond, which usually goes badly: + +[ 429.645492] DMAR: DRHD: handling fault status reg 2 +[ 429.650847] DMAR: [DMA Write] Request device [02:00.4] fault addr f2682000 ... + +Whilst this is a fairly rare occurrence, it can happen from the result +of intermediate scatterlist processing such as scatterwalk_ffwd() in the +crypto layer. Whilst that particular site could be fixed up, it still +seems worthwhile to bring intel-iommu in line with other DMA API +implementations in handling this robustly. + +To that end, fix the intel_map_sg() path to line up the mapping +correctly (in units of MM pages rather than VT-d pages to match the +aligned_nrpages() calculation) regardless of the offset, and use +sg_phys() consistently for clarity. 
+ +Reported-by: Harsh Jain +Signed-off-by: Robin Murphy +Reviewed by: Ashok Raj +Tested by: Jacob Pan +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -2016,10 +2016,12 @@ static int __domain_mapping(struct dmar_ + uint64_t tmp; + + if (!sg_res) { ++ unsigned int pgoff = sg->offset & ~PAGE_MASK; ++ + sg_res = aligned_nrpages(sg->offset, sg->length); +- sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + sg->offset; ++ sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + pgoff; + sg->dma_length = sg->length; +- pteval = page_to_phys(sg_page(sg)) | prot; ++ pteval = (sg_phys(sg) - pgoff) | prot; + phys_pfn = pteval >> VTD_PAGE_SHIFT; + } + +@@ -3326,7 +3328,7 @@ static int intel_nontranslate_map_sg(str + + for_each_sg(sglist, sg, nelems, i) { + BUG_ON(!sg_page(sg)); +- sg->dma_address = page_to_phys(sg_page(sg)) + sg->offset; ++ sg->dma_address = sg_phys(sg); + sg->dma_length = sg->length; + } + return nelems; diff --git a/queue-3.18/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch b/queue-3.18/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch new file mode 100644 index 00000000000..455d4c77a7f --- /dev/null +++ b/queue-3.18/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch 
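Review bot: The new `pgoff = sg->offset & ~PAGE_MASK` uses the MM page mask while `dma_address` is built from `iov_pfn << VTD_PAGE_SHIFT`; the commit message says this is deliberate (to match `aligned_nrpages()`), but nothing at the site says so, and `sg_phys(sg) - pgoff` only yields a page-aligned `pteval` on that assumption. Suggest a comment on the new declaration: `/* offset within the MM page; aligned_nrpages() counts MM pages, so subtract it from sg_phys() to get the page start */`. Also confirm that 3.18's `sg_phys()` includes `sg->offset`, since the second hunk relies on `sg_phys(sg)` replacing `page_to_phys(sg_page(sg)) + sg->offset` one-for-one. The enclosing `__domain_mapping()` and `intel_nontranslate_map_sg()` start and end outside their hunks.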
@@ -0,0 +1,76 @@ +From 5a244727f428a06634f22bb890e78024ab0c89f3 Mon Sep 17 00:00:00 2001 +From: William Breathitt Gray +Date: Wed, 8 Nov 2017 10:23:11 -0500 +Subject: isa: Prevent NULL dereference in isa_bus driver callbacks + +From: William Breathitt Gray + +commit 5a244727f428a06634f22bb890e78024ab0c89f3 upstream. + +The isa_driver structure for an isa_bus device is stored in the device +platform_data member of the respective device structure. This +platform_data member may be reset to NULL if isa_driver match callback +for the device fails, indicating a device unsupported by the ISA driver. + +This patch fixes a possible NULL pointer dereference if one of the +isa_driver callbacks to attempted for an unsupported device. This error +should not occur in practice since ISA devices are typically manually +configured and loaded by the users, but we may as well prevent this +error from popping up for the 0day testers. + +Fixes: a5117ba7da37 ("[PATCH] Driver model: add ISA bus") +Signed-off-by: William Breathitt Gray +Acked-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/isa.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/base/isa.c ++++ b/drivers/base/isa.c +@@ -39,7 +39,7 @@ static int isa_bus_probe(struct device * + { + struct isa_driver *isa_driver = dev->platform_data; + +- if (isa_driver->probe) ++ if (isa_driver && isa_driver->probe) + return isa_driver->probe(dev, to_isa_dev(dev)->id); + + return 0; +@@ -49,7 +49,7 @@ static int isa_bus_remove(struct device + { + struct isa_driver *isa_driver = dev->platform_data; + +- if (isa_driver->remove) ++ if (isa_driver && isa_driver->remove) + return isa_driver->remove(dev, to_isa_dev(dev)->id); + + return 0; +@@ -59,7 +59,7 @@ static void isa_bus_shutdown(struct devi + { + struct isa_driver *isa_driver = dev->platform_data; + +- if (isa_driver->shutdown) ++ if (isa_driver && isa_driver->shutdown) + isa_driver->shutdown(dev, to_isa_dev(dev)->id); + } + +@@ 
-67,7 +67,7 @@ static int isa_bus_suspend(struct device + { + struct isa_driver *isa_driver = dev->platform_data; + +- if (isa_driver->suspend) ++ if (isa_driver && isa_driver->suspend) + return isa_driver->suspend(dev, to_isa_dev(dev)->id, state); + + return 0; +@@ -77,7 +77,7 @@ static int isa_bus_resume(struct device + { + struct isa_driver *isa_driver = dev->platform_data; + +- if (isa_driver->resume) ++ if (isa_driver && isa_driver->resume) + return isa_driver->resume(dev, to_isa_dev(dev)->id); + + return 0; diff --git a/queue-3.18/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch b/queue-3.18/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch new file mode 100644 index 00000000000..6eb703fedcd --- /dev/null +++ b/queue-3.18/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch @@ -0,0 +1,36 @@ +From c07d35338081d107e57cf37572d8cc931a8e32e2 Mon Sep 17 00:00:00 2001 +From: Daniel Thompson +Date: Mon, 2 Mar 2015 14:13:36 +0000 +Subject: kdb: Fix handling of kallsyms_symbol_next() return value + +From: Daniel Thompson + +commit c07d35338081d107e57cf37572d8cc931a8e32e2 upstream. + +kallsyms_symbol_next() returns a boolean (true on success). Currently +kdb_read() tests the return value with an inequality that +unconditionally evaluates to true. + +This is fixed in the obvious way and, since the conditional branch is +supposed to be unreachable, we also add a WARN_ON(). + +Reported-by: Dan Carpenter +Signed-off-by: Daniel Thompson +Signed-off-by: Jason Wessel +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/debug/kdb/kdb_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/debug/kdb/kdb_io.c ++++ b/kernel/debug/kdb/kdb_io.c +@@ -349,7 +349,7 @@ poll_again: + } + kdb_printf("\n"); + for (i = 0; i < count; i++) { +- if (kallsyms_symbol_next(p_tmp, i) < 0) ++ if (WARN_ON(!kallsyms_symbol_next(p_tmp, i))) + break; + kdb_printf("%s ", p_tmp); + *(p_tmp + len) = '\0'; 
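Review bot: Each of the five guards (`isa_driver && isa_driver->probe` and its siblings) now tolerates a NULL `platform_data`, but nothing at the call sites says where that NULL comes from; the commit message explains that the match callback resets `platform_data` for devices the driver rejects, which is exactly the detail a later reader needs so as not to "simplify" the check away. Consider a comment on the first guard, e.g. `/* platform_data is cleared by the match callback for devices this driver rejects */`, or a small static helper that fetches the isa_driver and carries the comment once instead of five times. Note that `isa_bus_probe()` still returns 0 on a NULL driver, reporting a successful probe; that matches the existing behaviour for a driver without a probe callback, but it is worth stating in the same comment.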
diff --git a/queue-3.18/keys-add-missing-permission-check-for-request_key-destination.patch b/queue-3.18/keys-add-missing-permission-check-for-request_key-destination.patch
new file mode 100644
index 00000000000..43aaf367743
--- /dev/null
+++ b/queue-3.18/keys-add-missing-permission-check-for-request_key-destination.patch
@@ -0,0 +1,159 @@ +From 4dca6ea1d9432052afb06baf2e3ae78188a4410b Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 8 Dec 2017 15:13:27 +0000 +Subject: KEYS: add missing permission check for request_key() destination + +From: Eric Biggers + +commit 4dca6ea1d9432052afb06baf2e3ae78188a4410b upstream. + +When the request_key() syscall is not passed a destination keyring, it +links the requested key (if constructed) into the "default" request-key +keyring. This should require Write permission to the keyring. However, +there is actually no permission check. + +This can be abused to add keys to any keyring to which only Search +permission is granted. This is because Search permission allows joining +the keyring. keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING) +then will set the default request-key keyring to the session keyring. +Then, request_key() can be used to add keys to the keyring. + +Both negatively and positively instantiated keys can be added using this +method. Adding negative keys is trivial. Adding a positive key is a +bit trickier. It requires that either /sbin/request-key positively +instantiates the key, or that another thread adds the key to the process +keyring at just the right time, such that request_key() misses it +initially but then finds it in construct_alloc_key(). + +Fix this bug by checking for Write permission to the keyring in +construct_get_dest_keyring() when the default keyring is being used. + +We don't do the permission check for non-default keyrings because that +was already done by the earlier call to lookup_user_key(). Also, +request_key_and_link() is currently passed a 'struct key *' rather than +a key_ref_t, so the "possessed" bit is unavailable. 
+ +We also don't do the permission check for the "requestor keyring", to +continue to support the use case described by commit 8bbf4976b59f +("KEYS: Alter use of key instantiation link-to-keyring argument") where +/sbin/request-key recursively calls request_key() to add keys to the +original requestor's destination keyring. (I don't know of any users +who actually do that, though...) + +Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key") +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/request_key.c | 46 +++++++++++++++++++++++++++++++++++--------- + 1 file changed, 37 insertions(+), 9 deletions(-) + +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -250,11 +250,12 @@ static int construct_key(struct key *key + * The keyring selected is returned with an extra reference upon it which the + * caller must release. + */ +-static void construct_get_dest_keyring(struct key **_dest_keyring) ++static int construct_get_dest_keyring(struct key **_dest_keyring) + { + struct request_key_auth *rka; + const struct cred *cred = current_cred(); + struct key *dest_keyring = *_dest_keyring, *authkey; ++ int ret; + + kenter("%p", dest_keyring); + +@@ -263,6 +264,8 @@ static void construct_get_dest_keyring(s + /* the caller supplied one */ + key_get(dest_keyring); + } else { ++ bool do_perm_check = true; ++ + /* use a default keyring; falling through the cases until we + * find one that we actually have */ + switch (cred->jit_keyring) { +@@ -277,8 +280,10 @@ static void construct_get_dest_keyring(s + dest_keyring = + key_get(rka->dest_keyring); + up_read(&authkey->sem); +- if (dest_keyring) ++ if (dest_keyring) { ++ do_perm_check = false; + break; ++ } + } + + case KEY_REQKEY_DEFL_THREAD_KEYRING: +@@ -313,11 +318,29 @@ static void construct_get_dest_keyring(s + default: + BUG(); + } ++ ++ /* ++ * Require Write permission on the keyring. 
This is essential ++ * because the default keyring may be the session keyring, and ++ * joining a keyring only requires Search permission. ++ * ++ * However, this check is skipped for the "requestor keyring" so ++ * that /sbin/request-key can itself use request_key() to add ++ * keys to the original requestor's destination keyring. ++ */ ++ if (dest_keyring && do_perm_check) { ++ ret = key_permission(make_key_ref(dest_keyring, 1), ++ KEY_NEED_WRITE); ++ if (ret) { ++ key_put(dest_keyring); ++ return ret; ++ } ++ } + } + + *_dest_keyring = dest_keyring; + kleave(" [dk %d]", key_serial(dest_keyring)); +- return; ++ return 0; + } + + /* +@@ -439,11 +462,15 @@ static struct key *construct_key_and_lin + + kenter(""); + +- user = key_user_lookup(current_fsuid()); +- if (!user) +- return ERR_PTR(-ENOMEM); ++ ret = construct_get_dest_keyring(&dest_keyring); ++ if (ret) ++ goto error; + +- construct_get_dest_keyring(&dest_keyring); ++ user = key_user_lookup(current_fsuid()); ++ if (!user) { ++ ret = -ENOMEM; ++ goto error_put_dest_keyring; ++ } + + ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key); + key_user_put(user); +@@ -458,7 +485,7 @@ static struct key *construct_key_and_lin + } else if (ret == -EINPROGRESS) { + ret = 0; + } else { +- goto couldnt_alloc_key; ++ goto error_put_dest_keyring; + } + + key_put(dest_keyring); +@@ -468,8 +495,9 @@ static struct key *construct_key_and_lin + construction_failed: + key_negate_and_link(key, key_negative_timeout, NULL, NULL); + key_put(key); +-couldnt_alloc_key: ++error_put_dest_keyring: + key_put(dest_keyring); ++error: + kleave(" = %d", ret); + return ERR_PTR(ret); + } diff --git a/queue-3.18/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch b/queue-3.18/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch new file mode 100644 index 00000000000..6c2f656fc4f --- /dev/null +++ b/queue-3.18/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch 
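Review bot: The new permission check passes a hard-coded possession flag, `make_key_ref(dest_keyring, 1)`, so every default keyring is treated as possessed by the caller; for the thread/process/session keyrings of the current cred that presumably holds, but the code does not say why it is safe for the other `KEY_REQKEY_DEFL_*` cases the switch falls through (the middle of that switch is not in the hunk). A short comment above the call would make the assumption reviewable: `/* Default keyrings belong to the caller's cred, so check with the possessed bit set. */`. It also helps to note that `do_perm_check` is only cleared on the requestor-keyring path, so any case added to the switch later gets the check by default, which is the safe direction. In `construct_key_and_link()` the reorder puts `construct_get_dest_keyring()` ahead of `key_user_lookup()` so that the `error` label can return without a keyring reference; that ordering is load-bearing and deserves a one-line comment as well.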
@@ -0,0 +1,50 @@
+From d59d51f088014f25c2562de59b9abff4f42a7468 Mon Sep 17 00:00:00 2001
+From: Andrew Honig
+Date: Fri, 1 Dec 2017 10:21:09 -0800
+Subject: KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrew Honig
+
+commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream.
+
+This fixes CVE-2017-1000407.
+
+KVM allows guests to directly access I/O port 0x80 on Intel hosts. If
+the guest floods this port with writes it generates exceptions and
+instability in the host kernel, leading to a crash. With this change
+guest writes to port 0x80 on Intel will behave the same as they
+currently behave on AMD systems.
+
+Prevent the flooding by removing the code that sets port 0x80 as a
+passthrough port. This is essentially the same as upstream patch
+99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
+for AMD chipsets and this patch is for Intel.
+
+Signed-off-by: Andrew Honig
+Signed-off-by: Jim Mattson
+Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
+Signed-off-by: Radim Krčmář
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -9280,12 +9280,7 @@ static int __init vmx_init(void)
+ memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
+ memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
+ 
+- /*
+- * Allow direct access to the PC debug port (it is often used for I/O
+- * delays, but the vmexits simply slow things down).
+- */
+ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
+- clear_bit(0x80, vmx_io_bitmap_a);
+ 
+ memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+ 
diff --git a/queue-3.18/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch b/queue-3.18/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
new file mode 100644
index 00000000000..0b0f37d013c
--- /dev/null
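Review bot: With the old comment deleted, `vmx_init()` no longer records why `vmx_io_bitmap_a` is left fully set and port 0x80 is not special-cased, so a later contributor chasing guest I/O-delay overhead could reintroduce the `clear_bit(0x80, vmx_io_bitmap_a)` without seeing this history. Suggest keeping one line in its place: `/* No port bypass: a guest flooding port 0x80 can destabilise the host (CVE-2017-1000407). */`. The function body continues outside the hunk.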
+++ b/queue-3.18/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
@@ -0,0 +1,43 @@
+From 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a Mon Sep 17 00:00:00 2001
+From: Laurent Caumont
+Date: Sat, 11 Nov 2017 12:44:46 -0500
+Subject: media: dvb: i2c transfers over usb cannot be done from stack
+
+From: Laurent Caumont
+
+commit 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a upstream.
+
+Signed-off-by: Laurent Caumont
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/dibusb-common.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dibusb-common.c
++++ b/drivers/media/usb/dvb-usb/dibusb-common.c
+@@ -179,8 +179,20 @@ EXPORT_SYMBOL(dibusb_i2c_algo);
+ 
+ int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val)
+ {
+- u8 wbuf[1] = { offs };
+- return dibusb_i2c_msg(d, 0x50, wbuf, 1, val, 1);
++ u8 *buf;
++ int rc;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ buf[0] = offs;
++
++ rc = dibusb_i2c_msg(d, 0x50, &buf[0], 1, &buf[1], 1);
++ *val = buf[1];
++ kfree(buf);
++
++ return rc;
+ }
+ EXPORT_SYMBOL(dibusb_read_eeprom_byte);
+ 
diff --git a/queue-3.18/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch b/queue-3.18/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch
new file mode 100644
index 00000000000..adf66c78ab2
--- /dev/null
+++ b/queue-3.18/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch
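Review bot: `*val = buf[1]` runs regardless of `rc`, and `buf` comes from `kmalloc()`, so when `dibusb_i2c_msg()` fails the caller's `*val` receives an uninitialised heap byte, whereas the old stack-buffer version left it untouched. The one-line fix is `buf = kzalloc(2, GFP_KERNEL);`, which makes the failure value deterministic; copying only on success is the alternative, but the hunk does not show `dibusb_i2c_msg()`'s return convention, so that variant needs confirming against the callee. Either way, callers must still check `rc` before trusting `*val`, and a short comment on the allocation (`/* USB transfers need a DMA-able buffer, not the stack */`) would explain why a two-byte heap allocation is made per read.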
@@ -0,0 +1,39 @@
+From 860dd4424f344400b491b212ee4acb3a358ba9d9 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Tue, 21 Nov 2017 14:23:37 +0100
+Subject: scsi: dma-mapping: always provide dma_get_cache_alignment
+
+From: Christoph Hellwig
+
+commit 860dd4424f344400b491b212ee4acb3a358ba9d9 upstream.
+
+Provide the dummy version of dma_get_cache_alignment that always returns
+1 even if CONFIG_HAS_DMA is not set, so that drivers and subsystems can
+use it without ifdefs.
+
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/dma-mapping.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/include/linux/dma-mapping.h
++++ b/include/linux/dma-mapping.h
+@@ -181,7 +181,6 @@ static inline void *dma_zalloc_coherent(
+ return ret;
+ }
+ 
+-#ifdef CONFIG_HAS_DMA
+ static inline int dma_get_cache_alignment(void)
+ {
+ #ifdef ARCH_DMA_MINALIGN
+@@ -189,7 +188,6 @@ static inline int dma_get_cache_alignmen
+ #endif
+ return 1;
+ }
+-#endif
+ 
+ /* flags for the coherent memory api */
+ #define DMA_MEMORY_MAP 0x01
diff --git a/queue-3.18/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch b/queue-3.18/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch
new file mode 100644
index 00000000000..4fdc99c8849
--- /dev/null
+++ b/queue-3.18/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch
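Review bot: Dropping the `#ifdef CONFIG_HAS_DMA` guard makes `dma_get_cache_alignment()` available unconditionally, but nothing in the header now says this is intentional rather than an oversight, and the next cleanup that harmonises the `CONFIG_HAS_DMA` guards in this file could wrap it again. A one-line comment above the function, e.g. `/* Always available, even without CONFIG_HAS_DMA, so callers need no ifdef. */`, records the contract stated in the commit message. The middle of the function (the `ARCH_DMA_MINALIGN` branch) lies between the two hunks and is not visible here.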
@@ -0,0 +1,46 @@
+From 90addc6b3c9cda0146fbd62a08e234c2b224a80c Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Tue, 21 Nov 2017 14:23:38 +0100
+Subject: scsi: use dma_get_cache_alignment() as minimum DMA alignment
+
+From: Huacai Chen
+
+commit 90addc6b3c9cda0146fbd62a08e234c2b224a80c upstream.
+
+In non-coherent DMA mode, kernel uses cache flushing operations to
+maintain I/O coherency, so scsi's block queue should be aligned to the
+value returned by dma_get_cache_alignment(). Otherwise, If a DMA buffer
+and a kernel structure share a same cache line, and if the kernel
+structure has dirty data, cache_invalidate (no writeback) will cause
+data corruption.
+
+Signed-off-by: Huacai Chen
+[hch: rebased and updated the comment and changelog]
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/scsi_lib.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -2028,11 +2028,13 @@ static void __scsi_init_queue(struct Scs
+ q->limits.cluster = 0;
+ 
+ /*
+- * set a reasonable default alignment on word boundaries: the
+- * host and device may alter it using
+- * blk_queue_update_dma_alignment() later.
++ * Set a reasonable default alignment: The larger of 32-byte (dword),
++ * which is a common minimum for HBAs, and the minimum DMA alignment,
++ * which is set by the platform.
++ *
++ * Devices that require a bigger alignment can increase it later.
+ */
+- blk_queue_dma_alignment(q, 0x03);
++ blk_queue_dma_alignment(q, max(4, dma_get_cache_alignment()) - 1);
+ }
+ 
+ struct request_queue *__scsi_alloc_queue(struct Scsi_Host *shost,
diff --git a/queue-3.18/series b/queue-3.18/series
index ecfc5d0e13a..ba715dd23d7 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
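Review bot: The new comment says `The larger of 32-byte (dword)` while the code uses `max(4, dma_get_cache_alignment())`, i.e. 4 bytes; a dword is 32 bits, so the comment should read `32-bit (dword)`. Also, `blk_queue_dma_alignment()` is given a mask, so the `- 1` relies on `dma_get_cache_alignment()` returning a power of two; that is the usual contract but this hunk does not show it, so a brief `/* mask form: both operands are powers of two */` note would make the assumption explicit. `__scsi_init_queue()` begins outside the hunk.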
@@ -5,3 +5,23 @@ can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch
 can-ems_usb-cancel-urb-on-epipe-and-eproto.patch
 can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch
 can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch
+virtio-release-virtio-index-when-fail-to-device_register.patch
+hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch
+isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch
+scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch
+scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch
+efi-move-some-sysfs-files-to-be-read-only-by-root.patch
+asn.1-check-for-error-from-asn1_op_end__act-actions.patch
+keys-add-missing-permission-check-for-request_key-destination.patch
+x.509-reject-invalid-bit-string-for-subjectpublickey.patch
+x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch
+alsa-pcm-prevent-uaf-in-snd_pcm_info.patch
+alsa-seq-remove-spurious-warn_on-at-timer-check.patch
+alsa-usb-audio-fix-out-of-bound-error.patch
+alsa-usb-audio-add-check-return-value-for-usb_string.patch
+iommu-vt-d-fix-scatterlist-offset-handling.patch
+kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch
+media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
+arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
+kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
+arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch
diff --git a/queue-3.18/virtio-release-virtio-index-when-fail-to-device_register.patch b/queue-3.18/virtio-release-virtio-index-when-fail-to-device_register.patch
new file mode 100644
index 00000000000..737cec5ec92
--- /dev/null
+++ b/queue-3.18/virtio-release-virtio-index-when-fail-to-device_register.patch
@@ -0,0 +1,31 @@
+From e60ea67bb60459b95a50a156296041a13e0e380e Mon Sep 17 00:00:00 2001
+From: weiping zhang
+Date: Wed, 29 Nov 2017 09:23:01 +0800
+Subject: virtio: release virtio index when fail to device_register
+
+From: weiping zhang
+
+commit e60ea67bb60459b95a50a156296041a13e0e380e upstream.
+
+index can be reused by other virtio device.
+
+Signed-off-by: weiping zhang
+Reviewed-by: Cornelia Huck
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virtio/virtio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -268,6 +268,8 @@ int register_virtio_device(struct virtio
+ /* device_register() causes the bus infrastructure to look for a
+ * matching driver. */
+ err = device_register(&dev->dev);
++ if (err)
++ ida_simple_remove(&virtio_index_ida, dev->index);
+ out:
+ if (err)
+ add_status(dev, VIRTIO_CONFIG_S_FAILED);
diff --git a/queue-3.18/x.509-reject-invalid-bit-string-for-subjectpublickey.patch b/queue-3.18/x.509-reject-invalid-bit-string-for-subjectpublickey.patch
new file mode 100644
index 00000000000..07abc820918
--- /dev/null
+++ b/queue-3.18/x.509-reject-invalid-bit-string-for-subjectpublickey.patch
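Review bot: The index is released only on the `device_register()` failure path, immediately before the `out:` label, so any earlier failure in `register_virtio_device()` that jumps to `out:` after the index was allocated would still leak it; whether such a path exists is not visible in this hunk, so it is worth confirming against the function head. If this call is the only failure point after allocation, a comment on the new `if (err)` such as `/* release the index here, not under out:, so it can be reused by the next device */` would say why the release is not folded into the existing `if (err)` block under the label. `register_virtio_device()` begins outside the hunk.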
@@ -0,0 +1,68 @@
+From 0f30cbea005bd3077bd98cd29277d7fc2699c1da Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: X.509: reject invalid BIT STRING for subjectPublicKey
+
+From: Eric Biggers
+
+commit 0f30cbea005bd3077bd98cd29277d7fc2699c1da upstream.
+
+Adding a specially crafted X.509 certificate whose subjectPublicKey
+ASN.1 value is zero-length caused x509_extract_key_data() to set the
+public key size to SIZE_MAX, as it subtracted the nonexistent BIT STRING
+metadata byte. Then, x509_cert_parse() called kmemdup() with that bogus
+size, triggering the WARN_ON_ONCE() in kmalloc_slab().
+
+This appears to be harmless, but it still must be fixed since WARNs are
+never supposed to be user-triggerable.
+
+Fix it by updating x509_cert_parse() to validate that the value has a
+BIT STRING metadata byte, and that the byte is 0 which indicates that
+the number of bits in the bitstring is a multiple of 8.
+
+It would be nice to handle the metadata byte in asn1_ber_decoder()
+instead. But that would be tricky because in the general case a BIT
+STRING could be implicitly tagged, and/or could legitimately have a
+length that is not a whole number of bytes.
+
+Here was the WARN (cleaned up slightly):
+
+ WARNING: CPU: 1 PID: 202 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971
+ Modules linked in:
+ CPU: 1 PID: 202 Comm: keyctl Tainted: G B 4.14.0-09238-g1d3b78bbc6e9 #26
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
+ task: ffff880033014180 task.stack: ffff8800305c8000
+ Call Trace:
+ __do_kmalloc mm/slab.c:3706 [inline]
+ __kmalloc_track_caller+0x22/0x2e0 mm/slab.c:3726
+ kmemdup+0x17/0x40 mm/util.c:118
+ kmemdup include/linux/string.h:414 [inline]
+ x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
+ x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
+ asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
+ key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
+ SYSC_add_key security/keys/keyctl.c:122 [inline]
+ SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Signed-off-by: Eric Biggers
+Signed-off-by: David Howells
+Reviewed-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/asymmetric_keys/x509_cert_parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -381,6 +381,8 @@ int x509_extract_key_data(void *context,
+ ctx->cert->pub->pkey_algo = PKEY_ALGO_RSA;
+ 
+ /* Discard the BIT STRING metadata */
++ if (vlen < 1 || *(const u8 *)value != 0)
++ return -EBADMSG;
+ ctx->key = value + 1;
+ ctx->key_size = vlen - 1;
+ return 0;
diff --git a/queue-3.18/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch b/queue-3.18/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch
new file mode 100644
index 00000000000..a58dee0b8b1
--- /dev/null
+++ b/queue-3.18/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch
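Review bot: The comment `/* Discard the BIT STRING metadata */` now sits above a check that also validates that byte, and it should say so, e.g. `/* The BIT STRING must carry its unused-bits byte and it must be 0 (key is a whole number of bytes); reject anything else before the length arithmetic below. */`. Note that `vlen == 1` still passes, leaving `ctx->key_size == 0`; whether an empty key is rejected further down the parser is not visible here, so it is worth confirming that the later consumer does not repeat the original zero-length hazard. `x509_extract_key_data()` starts outside the hunk.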
@@ -0,0 +1,40 @@
+From ddec3bdee05b06f1dda20ded003c3e10e4184cab Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Fri, 1 Dec 2017 15:08:12 +0100
+Subject: x86/PCI: Make broadcom_postcore_init() check acpi_disabled
+
+From: Rafael J. Wysocki
+
+commit ddec3bdee05b06f1dda20ded003c3e10e4184cab upstream.
+
+acpi_os_get_root_pointer() may return a valid address even if acpi_disabled
+is set, but the host bridge information from the ACPI tables is not going
+to be used in that case and the Broadcom host bridge initialization should
+not be skipped then, So make broadcom_postcore_init() check acpi_disabled
+too to avoid this issue.
+
+Fixes: 6361d72b04d1 (x86/PCI: read Broadcom CNB20LE host bridge info before PCI scan)
+Reported-by: Dave Hansen
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Thomas Gleixner
+Cc: Bjorn Helgaas
+Cc: Linux PCI
+Link: https://lkml.kernel.org/r/3186627.pxZj1QbYNg@aspire.rjw.lan
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/pci/broadcom_bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/pci/broadcom_bus.c
++++ b/arch/x86/pci/broadcom_bus.c
+@@ -97,7 +97,7 @@ static int __init broadcom_postcore_init
+ * We should get host bridge information from ACPI unless the BIOS
+ * doesn't support it.
+ */
+- if (acpi_os_get_root_pointer())
++ if (!acpi_disabled && acpi_os_get_root_pointer())
+ return 0;
+ #endif
+ 
-- 
2.47.3
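Review bot: The comment directly above the changed condition still reads `We should get host bridge information from ACPI unless the BIOS doesn't support it.`, but the condition now also gives up on ACPI when `acpi_disabled` is set, which is the whole point of the change; update it to `... unless the BIOS doesn't support it or ACPI has been disabled (acpi_disabled), in which case fall back to probing the Broadcom bridge here.` The hunk also shows a closing `#endif`, so the check lives inside a conditional-compilation block whose opening directive is outside the hunk; presumably it is keyed on ACPI support, but that cannot be confirmed from here. `broadcom_postcore_init()` begins and ends outside the hunk.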