From 74963ab28422d9d5be3fd6906b4c55d28b530cf5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 12 Sep 2014 16:27:18 -0700 Subject: [PATCH] 3.16-stable patches added patches: capabilities-remove-undefined-caps-from-all-processes.patch tpm-missing-tpm_chip_put-in-tpm_get_random.patch tpm-properly-clean-sysfs-entries-in-error-path.patch tpm-provide-a-generic-means-to-override-the-chip-returned-timeouts.patch --- ...ve-undefined-caps-from-all-processes.patch | 178 ++++++++++++++++++ queue-3.16/series | 4 + ...ssing-tpm_chip_put-in-tpm_get_random.patch | 48 +++++ ...ly-clean-sysfs-entries-in-error-path.patch | 41 ++++ ...-override-the-chip-returned-timeouts.patch | 169 +++++++++++++++++ 5 files changed, 440 insertions(+) create mode 100644 queue-3.16/capabilities-remove-undefined-caps-from-all-processes.patch create mode 100644 queue-3.16/tpm-missing-tpm_chip_put-in-tpm_get_random.patch create mode 100644 queue-3.16/tpm-properly-clean-sysfs-entries-in-error-path.patch create mode 100644 queue-3.16/tpm-provide-a-generic-means-to-override-the-chip-returned-timeouts.patch diff --git a/queue-3.16/capabilities-remove-undefined-caps-from-all-processes.patch b/queue-3.16/capabilities-remove-undefined-caps-from-all-processes.patch new file mode 100644 index 00000000000..229e3b95c10 --- /dev/null +++ b/queue-3.16/capabilities-remove-undefined-caps-from-all-processes.patch 
@@ -0,0 +1,178 @@ +From 7d8b6c63751cfbbe5eef81a48c22978b3407a3ad Mon Sep 17 00:00:00 2001 +From: Eric Paris +Date: Wed, 23 Jul 2014 15:36:26 -0400 +Subject: CAPABILITIES: remove undefined caps from all processes + +From: Eric Paris + +commit 7d8b6c63751cfbbe5eef81a48c22978b3407a3ad upstream. + +This is effectively a revert of 7b9a7ec565505699f503b4fcf61500dceb36e744 +plus fixing it a different way... + +We found, when trying to run an application from an application which +had dropped privs that the kernel does security checks on undefined +capability bits. This was ESPECIALLY difficult to debug as those +undefined bits are hidden from /proc/$PID/status. + +Consider a root application which drops all capabilities from ALL 4 +capability sets. We assume, since the application is going to set +eff/perm/inh from an array that it will clear not only the defined caps +less than CAP_LAST_CAP, but also the higher 28ish bits which are +undefined future capabilities. + +The BSET gets cleared differently. Instead it is cleared one bit at a +time. The problem here is that in security/commoncap.c::cap_task_prctl() +we actually check the validity of a capability being read. So any task +which attempts to 'read all things set in bset' followed by 'unset all +things set in bset' will not even attempt to unset the undefined bits +higher than CAP_LAST_CAP. + +So the 'parent' will look something like: +CapInh: 0000000000000000 +CapPrm: 0000000000000000 +CapEff: 0000000000000000 +CapBnd: ffffffc000000000 + +All of this 'should' be fine. Given that these are undefined bits that +aren't supposed to have anything to do with permissions. But they do... + +So lets now consider a task which cleared the eff/perm/inh completely +and cleared all of the valid caps in the bset (but not the invalid caps +it couldn't read out of the kernel). We know that this is exactly what +the libcap-ng library does and what the go capabilities library does. 
+They both leave you in that above situation if you try to clear all of +you capapabilities from all 4 sets. If that root task calls execve() +the child task will pick up all caps not blocked by the bset. The bset +however does not block bits higher than CAP_LAST_CAP. So now the child +task has bits in eff which are not in the parent. These are +'meaningless' undefined bits, but still bits which the parent doesn't +have. + +The problem is now in cred_cap_issubset() (or any operation which does a +subset test) as the child, while a subset for valid cap bits, is not a +subset for invalid cap bits! So now we set durring commit creds that +the child is not dumpable. Given it is 'more priv' than its parent. It +also means the parent cannot ptrace the child and other stupidity. + +The solution here: +1) stop hiding capability bits in status + This makes debugging easier! + +2) stop giving any task undefined capability bits. it's simple, it you +don't put those invalid bits in CAP_FULL_SET you won't get them in init +and you won't get them in any other task either. + This fixes the cap_issubset() tests and resulting fallout (which + made the init task in a docker container untraceable among other + things) + +3) mask out undefined bits when sys_capset() is called as it might use +~0, ~0 to denote 'all capabilities' for backward/forward compatibility. + This lets 'capsh --caps="all=eip" -- -c /bin/bash' run. + +4) mask out undefined bit when we read a file capability off of disk as +again likely all bits are set in the xattr for forward/backward +compatibility. + This lets 'setcap all+pe /bin/bash; /bin/bash' run + +Signed-off-by: Eric Paris +Reviewed-by: Kees Cook +Cc: Andrew Vagin +Cc: Andrew G. Morgan +Cc: Serge E. 
Hallyn +Cc: Kees Cook +Cc: Steve Grubb +Cc: Dan Walsh +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/array.c | 11 +---------- + include/linux/capability.h | 5 ++++- + kernel/audit.c | 2 +- + kernel/capability.c | 4 ++++ + security/commoncap.c | 3 +++ + 5 files changed, 13 insertions(+), 12 deletions(-) + +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -297,15 +297,11 @@ static void render_cap_t(struct seq_file + seq_puts(m, header); + CAP_FOR_EACH_U32(__capi) { + seq_printf(m, "%08x", +- a->cap[(_KERNEL_CAPABILITY_U32S-1) - __capi]); ++ a->cap[CAP_LAST_U32 - __capi]); + } + seq_putc(m, '\n'); + } + +-/* Remove non-existent capabilities */ +-#define NORM_CAPS(v) (v.cap[CAP_TO_INDEX(CAP_LAST_CAP)] &= \ +- CAP_TO_MASK(CAP_LAST_CAP + 1) - 1) +- + static inline void task_cap(struct seq_file *m, struct task_struct *p) + { + const struct cred *cred; +@@ -319,11 +315,6 @@ static inline void task_cap(struct seq_f + cap_bset = cred->cap_bset; + rcu_read_unlock(); + +- NORM_CAPS(cap_inheritable); +- NORM_CAPS(cap_permitted); +- NORM_CAPS(cap_effective); +- NORM_CAPS(cap_bset); +- + render_cap_t(m, "CapInh:\t", &cap_inheritable); + render_cap_t(m, "CapPrm:\t", &cap_permitted); + render_cap_t(m, "CapEff:\t", &cap_effective); +--- a/include/linux/capability.h ++++ b/include/linux/capability.h +@@ -78,8 +78,11 @@ extern const kernel_cap_t __cap_init_eff + # error Fix up hand-coded capability macro initializers + #else /* HAND-CODED capability initializers */ + ++#define CAP_LAST_U32 ((_KERNEL_CAPABILITY_U32S) - 1) ++#define CAP_LAST_U32_VALID_MASK (CAP_TO_MASK(CAP_LAST_CAP + 1) -1) ++ + # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }}) +-# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }}) ++# define CAP_FULL_SET ((kernel_cap_t){{ ~0, CAP_LAST_U32_VALID_MASK }}) + # define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ + | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \ + CAP_FS_MASK_B1 } }) +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1677,7 +1677,7 @@ 
void audit_log_cap(struct audit_buffer * + audit_log_format(ab, " %s=", prefix); + CAP_FOR_EACH_U32(i) { + audit_log_format(ab, "%08x", +- cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]); ++ cap->cap[CAP_LAST_U32 - i]); + } + } + +--- a/kernel/capability.c ++++ b/kernel/capability.c +@@ -258,6 +258,10 @@ SYSCALL_DEFINE2(capset, cap_user_header_ + i++; + } + ++ effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; ++ permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; ++ inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; ++ + new = prepare_creds(); + if (!new) + return -ENOMEM; +--- a/security/commoncap.c ++++ b/security/commoncap.c +@@ -421,6 +421,9 @@ int get_vfs_caps_from_disk(const struct + cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable); + } + ++ cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; ++ cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; ++ + return 0; + } + diff --git a/queue-3.16/series b/queue-3.16/series index ff4ec546565..c0e1475e2e9 100644 --- a/queue-3.16/series +++ b/queue-3.16/series @@ -18,3 +18,7 @@ s390-locking-reenable-optimistic-spinning.patch powerpc-cpufreq-add-pr_warn-on-opal-firmware-failures.patch drm-radeon-use-packet2-for-nop-on-hawaii-with-old-firmware.patch firmware-do-not-use-warn_on-spin_is_locked.patch +tpm-missing-tpm_chip_put-in-tpm_get_random.patch +tpm-provide-a-generic-means-to-override-the-chip-returned-timeouts.patch +tpm-properly-clean-sysfs-entries-in-error-path.patch +capabilities-remove-undefined-caps-from-all-processes.patch diff --git a/queue-3.16/tpm-missing-tpm_chip_put-in-tpm_get_random.patch b/queue-3.16/tpm-missing-tpm_chip_put-in-tpm_get_random.patch new file mode 100644 index 00000000000..229b8b0efec --- /dev/null +++ b/queue-3.16/tpm-missing-tpm_chip_put-in-tpm_get_random.patch 
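Review bot: `CAP_LAST_U32_VALID_MASK`, defined in the include/linux/capability.h part of this hunk as `(CAP_TO_MASK(CAP_LAST_CAP + 1) -1)`, collapses to 0 the day `CAP_LAST_CAP` reaches 63, because `CAP_TO_MASK()` (in the uapi header, not shown here) presumably reduces its argument modulo 32 so `CAP_TO_MASK(64)` is 1; the existing `# error Fix up hand-coded capability macro initializers` guard only fires when `_KERNEL_CAPABILITY_U32S` leaves 2, i.e. past 64 capabilities, so that edge would silently strip caps 32..62 from `CAP_FULL_SET`, every `capset()` and every file-cap load with no compile error. A guard next to the definition makes it loud: `#if ((CAP_LAST_CAP + 1) & 31) == 0` / `# error CAP_LAST_U32_VALID_MASK wraps to 0; redefine it as ~0 for a full last word` / `#endif`. The masking in `SYSCALL_DEFINE2(capset, ...)` and `get_vfs_caps_from_disk()` covers permitted/inheritable/effective, which is sufficient here since `cap_bset` is only ever narrowed from init's `CAP_FULL_SET` (via `PR_CAPBSET_DROP`, outside this hunk); a one-line comment at the `capset` site, `/* userspace may pass ~0 for "all"; never let undefined bits into the cred, they would fail cap_issubset() against the parent */`, would keep the next reader from removing the masking as redundant. Both `capset` and `get_vfs_caps_from_disk` start outside the hunk.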
@@ -0,0 +1,48 @@
+From 3e14d83ef94a5806a865b85b513b4e891923c19b Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen
+Date: Fri, 9 May 2014 14:23:10 +0300
+Subject: tpm: missing tpm_chip_put in tpm_get_random()
+
+From: Jarkko Sakkinen
+
+commit 3e14d83ef94a5806a865b85b513b4e891923c19b upstream.
+
+Regression in 41ab999c. Call to tpm_chip_put is missing. This
+will cause TPM device driver not to unload if tmp_get_random()
+is called.
+
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Peter Huewe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm-interface.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -991,13 +991,13 @@ int tpm_get_random(u32 chip_num, u8 *out
+ int err, total = 0, retries = 5;
+ u8 *dest = out;
+ 
++ if (!out || !num_bytes || max > TPM_MAX_RNG_DATA)
++ return -EINVAL;
++
+ chip = tpm_chip_find_get(chip_num);
+ if (chip == NULL)
+ return -ENODEV;
+ 
+- if (!out || !num_bytes || max > TPM_MAX_RNG_DATA)
+- return -EINVAL;
+-
+ do {
+ tpm_cmd.header.in = tpm_getrandom_header;
+ tpm_cmd.params.getrandom_in.num_bytes = cpu_to_be32(num_bytes);
+@@ -1016,6 +1016,7 @@ int tpm_get_random(u32 chip_num, u8 *out
+ num_bytes -= recd;
+ } while (retries-- && total < max);
+ 
++ tpm_chip_put(chip);
+ return total ? total : -EIO;
+ }
+ EXPORT_SYMBOL_GPL(tpm_get_random);
diff --git a/queue-3.16/tpm-properly-clean-sysfs-entries-in-error-path.patch b/queue-3.16/tpm-properly-clean-sysfs-entries-in-error-path.patch
new file mode 100644
index 00000000000..d1b822b1fdb
--- /dev/null
+++ b/queue-3.16/tpm-properly-clean-sysfs-entries-in-error-path.patch
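Review bot: The added `tpm_chip_put(chip);` after the loop only covers error exits that `break` out of the loop; the loop body between `cpu_to_be32(num_bytes)` and `num_bytes -= recd` is outside the hunk, so if the transmit-failure path there returns directly rather than breaking, the reference is still leaked — worth confirming it is a `break`. The same unseen stretch copies `recd` bytes into `out`; unless it is already clamped, `recd = min_t(int, recd, num_bytes);` is needed before the copy, because a chip (or an interposer on the bus) that answers with an `rng_data_len` larger than requested would otherwise overrun the caller's buffer and the length checks this hunk moves do nothing about that. Moving the argument validation ahead of `tpm_chip_find_get()` is the right ordering; a one-line comment on it, `/* validate before taking the chip reference so no early return can leak it */`, records why it must stay there. `tpm_get_random()` starts outside the hunk.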
@@ -0,0 +1,41 @@
+From b49e1043c48dac23f64fba684d31c4a96c1ffaa0 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Thu, 19 Jun 2014 15:00:19 -0400
+Subject: tpm: Properly clean sysfs entries in error path
+
+From: Stefan Berger
+
+commit b49e1043c48dac23f64fba684d31c4a96c1ffaa0 upstream.
+
+Properly clean the sysfs entries in the error path
+
+Reported-by: Dmitry Kasatkin
+Signed-off-by: Stefan Berger
+Reviewed-by: Jason Gunthorpe
+Signed-off-by: Peter Huewe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm-interface.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -1116,7 +1116,7 @@ struct tpm_chip *tpm_register_hardware(s
+ goto del_misc;
+ 
+ if (tpm_add_ppi(&dev->kobj))
+- goto del_misc;
++ goto del_sysfs;
+ 
+ chip->bios_dir = tpm_bios_log_setup(chip->devname);
+ 
+@@ -1127,6 +1127,8 @@ struct tpm_chip *tpm_register_hardware(s
+ 
+ return chip;
+ 
++del_sysfs:
++ tpm_sysfs_del_device(chip);
+ del_misc:
+ tpm_dev_del_device(chip);
+ put_device:
diff --git a/queue-3.16/tpm-provide-a-generic-means-to-override-the-chip-returned-timeouts.patch b/queue-3.16/tpm-provide-a-generic-means-to-override-the-chip-returned-timeouts.patch
new file mode 100644
index 00000000000..2d9ca40f9fc
--- /dev/null
+++ b/queue-3.16/tpm-provide-a-generic-means-to-override-the-chip-returned-timeouts.patch
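Review bot: `del_sysfs:` now unwinds `tpm_sysfs_add_device()` when `tpm_add_ppi()` fails, but the very next line, `chip->bios_dir = tpm_bios_log_setup(chip->devname);`, is still unchecked, and the lines between it and `return chip;` fall between the two hunks; if anything in that stretch can fail, the unwind needs a teardown of `chip->bios_dir` ahead of `del_sysfs:` or the bios-log entries outlive a failed registration. The label chain is now four levels deep with no statement of intent; a comment above `del_sysfs:` such as `/* unwind in reverse order of registration: sysfs attrs, misc device, device ref */` documents the ordering any future label must respect. `tpm_register_hardware()` starts and ends outside the hunk.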
@@ -0,0 +1,169 @@ +From 8e54caf407b98efa05409e1fee0e5381abd2b088 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Wed, 21 May 2014 18:26:44 -0600 +Subject: tpm: Provide a generic means to override the chip returned timeouts + +From: Jason Gunthorpe + +commit 8e54caf407b98efa05409e1fee0e5381abd2b088 upstream. + +Some Atmel TPMs provide completely wrong timeouts from their +TPM_CAP_PROP_TIS_TIMEOUT query. This patch detects that and returns +new correct values via a DID/VID table in the TIS driver. + +Tested on ARM using an AT97SC3204T FW version 37.16 + +[PHuewe: without this fix these 'broken' Atmel TPMs won't function on +older kernels] +Signed-off-by: "Berg, Christopher" +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: Peter Huewe + +--- + drivers/char/tpm/tpm-interface.c | 62 +++++++++++++++++++++++++-------------- + drivers/char/tpm/tpm_tis.c | 31 +++++++++++++++++++ + include/linux/tpm.h | 3 + + 3 files changed, 75 insertions(+), 21 deletions(-) + +--- a/drivers/char/tpm/tpm-interface.c ++++ b/drivers/char/tpm/tpm-interface.c +@@ -491,11 +491,10 @@ static int tpm_startup(struct tpm_chip * + int tpm_get_timeouts(struct tpm_chip *chip) + { + struct tpm_cmd_t tpm_cmd; +- struct timeout_t *timeout_cap; ++ unsigned long new_timeout[4]; ++ unsigned long old_timeout[4]; + struct duration_t *duration_cap; + ssize_t rc; +- u32 timeout; +- unsigned int scale = 1; + + tpm_cmd.header.in = tpm_getcap_header; + tpm_cmd.params.getcap_in.cap = TPM_CAP_PROP; +@@ -529,25 +528,46 @@ int tpm_get_timeouts(struct tpm_chip *ch + != sizeof(tpm_cmd.header.out) + sizeof(u32) + 4 * sizeof(u32)) + return -EINVAL; + +- timeout_cap = &tpm_cmd.params.getcap_out.cap.timeout; +- /* Don't overwrite default if value is 0 */ +- timeout = be32_to_cpu(timeout_cap->a); +- if (timeout && timeout < 1000) { +- /* timeouts in msec rather usec */ +- scale = 1000; +- chip->vendor.timeout_adjusted = true; ++ old_timeout[0] = 
be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.a); ++ old_timeout[1] = be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.b); ++ old_timeout[2] = be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.c); ++ old_timeout[3] = be32_to_cpu(tpm_cmd.params.getcap_out.cap.timeout.d); ++ memcpy(new_timeout, old_timeout, sizeof(new_timeout)); ++ ++ /* ++ * Provide ability for vendor overrides of timeout values in case ++ * of misreporting. ++ */ ++ if (chip->ops->update_timeouts != NULL) ++ chip->vendor.timeout_adjusted = ++ chip->ops->update_timeouts(chip, new_timeout); ++ ++ if (!chip->vendor.timeout_adjusted) { ++ /* Don't overwrite default if value is 0 */ ++ if (new_timeout[0] != 0 && new_timeout[0] < 1000) { ++ int i; ++ ++ /* timeouts in msec rather usec */ ++ for (i = 0; i != ARRAY_SIZE(new_timeout); i++) ++ new_timeout[i] *= 1000; ++ chip->vendor.timeout_adjusted = true; ++ } + } +- if (timeout) +- chip->vendor.timeout_a = usecs_to_jiffies(timeout * scale); +- timeout = be32_to_cpu(timeout_cap->b); +- if (timeout) +- chip->vendor.timeout_b = usecs_to_jiffies(timeout * scale); +- timeout = be32_to_cpu(timeout_cap->c); +- if (timeout) +- chip->vendor.timeout_c = usecs_to_jiffies(timeout * scale); +- timeout = be32_to_cpu(timeout_cap->d); +- if (timeout) +- chip->vendor.timeout_d = usecs_to_jiffies(timeout * scale); ++ ++ /* Report adjusted timeouts */ ++ if (chip->vendor.timeout_adjusted) { ++ dev_info(chip->dev, ++ HW_ERR "Adjusting reported timeouts: A %lu->%luus B %lu->%luus C %lu->%luus D %lu->%luus\n", ++ old_timeout[0], new_timeout[0], ++ old_timeout[1], new_timeout[1], ++ old_timeout[2], new_timeout[2], ++ old_timeout[3], new_timeout[3]); ++ } ++ ++ chip->vendor.timeout_a = usecs_to_jiffies(new_timeout[0]); ++ chip->vendor.timeout_b = usecs_to_jiffies(new_timeout[1]); ++ chip->vendor.timeout_c = usecs_to_jiffies(new_timeout[2]); ++ chip->vendor.timeout_d = usecs_to_jiffies(new_timeout[3]); + + duration: + tpm_cmd.header.in = tpm_getcap_header; +--- 
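Review bot: The new unconditional `chip->vendor.timeout_a = usecs_to_jiffies(new_timeout[0]);` … `timeout_d` assignments at the end of the hunk drop the zero guard the removed `if (timeout)` lines had, so a chip that reports 0 for any of A–D now gets a zero-jiffy timeout instead of keeping the driver default, while the kept comment `/* Don't overwrite default if value is 0 */` only protects the msec heuristic branch. A chip that legitimately reports 0 (tolerated by the old code) would presumably then time out on every status wait after this backport, which is a regression the override table does not cover. The per-entry guard should be restored, and a comment should say so since the earlier comment now misleads. `tpm_get_timeouts()` continues past the hunk.
```c
	/* … unchanged: vendor override, msec heuristic and dev_info … */

	/* Keep the driver default for any timeout the chip (or override) left at 0 */
	if (new_timeout[0])
		chip->vendor.timeout_a = usecs_to_jiffies(new_timeout[0]);
	if (new_timeout[1])
		chip->vendor.timeout_b = usecs_to_jiffies(new_timeout[1]);
	if (new_timeout[2])
		chip->vendor.timeout_c = usecs_to_jiffies(new_timeout[2]);
	if (new_timeout[3])
		chip->vendor.timeout_d = usecs_to_jiffies(new_timeout[3]);
```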
a/drivers/char/tpm/tpm_tis.c ++++ b/drivers/char/tpm/tpm_tis.c +@@ -373,6 +373,36 @@ out_err: + return rc; + } + ++struct tis_vendor_timeout_override { ++ u32 did_vid; ++ unsigned long timeout_us[4]; ++}; ++ ++static const struct tis_vendor_timeout_override vendor_timeout_overrides[] = { ++ /* Atmel 3204 */ ++ { 0x32041114, { (TIS_SHORT_TIMEOUT*1000), (TIS_LONG_TIMEOUT*1000), ++ (TIS_SHORT_TIMEOUT*1000), (TIS_SHORT_TIMEOUT*1000) } }, ++}; ++ ++static bool tpm_tis_update_timeouts(struct tpm_chip *chip, ++ unsigned long *timeout_cap) ++{ ++ int i; ++ u32 did_vid; ++ ++ did_vid = ioread32(chip->vendor.iobase + TPM_DID_VID(0)); ++ ++ for (i = 0; i != ARRAY_SIZE(vendor_timeout_overrides); i++) { ++ if (vendor_timeout_overrides[i].did_vid != did_vid) ++ continue; ++ memcpy(timeout_cap, vendor_timeout_overrides[i].timeout_us, ++ sizeof(vendor_timeout_overrides[i].timeout_us)); ++ return true; ++ } ++ ++ return false; ++} ++ + /* + * Early probing for iTPM with STS_DATA_EXPECT flaw. + * Try sending command without itpm flag set and if that +@@ -437,6 +467,7 @@ static const struct tpm_class_ops tpm_ti + .recv = tpm_tis_recv, + .send = tpm_tis_send, + .cancel = tpm_tis_ready, ++ .update_timeouts = tpm_tis_update_timeouts, + .req_complete_mask = TPM_STS_DATA_AVAIL | TPM_STS_VALID, + .req_complete_val = TPM_STS_DATA_AVAIL | TPM_STS_VALID, + .req_canceled = tpm_tis_req_canceled, +--- a/include/linux/tpm.h ++++ b/include/linux/tpm.h +@@ -39,6 +39,9 @@ struct tpm_class_ops { + int (*send) (struct tpm_chip *chip, u8 *buf, size_t len); + void (*cancel) (struct tpm_chip *chip); + u8 (*status) (struct tpm_chip *chip); ++ bool (*update_timeouts)(struct tpm_chip *chip, ++ unsigned long *timeout_cap); ++ + }; + + #if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE) -- 2.47.3
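Review bot: The new `update_timeouts` member of `struct tpm_class_ops` in include/linux/tpm.h has no comment, and its contract is only implied by its two users: `timeout_cap` must be a four-entry array ordered A, B, C, D in microseconds, the callback may overwrite it in place (the TIS implementation does a `memcpy` of exactly four `unsigned long`), and its return value is stored straight into `chip->vendor.timeout_adjusted`, so `true` also disables the generic msec-to-usec correction in `tpm_get_timeouts()`. A three-line kernel-style block on the declaration would pin that down: `/* Optionally replace the four chip-reported timeouts (A, B, C, D, in usec) with known-good values; return true if they were changed, which also suppresses the generic msec/usec correction. */`. Since the member is appended after `status`, existing designated initializers keep compiling, but the struct grows for any out-of-tree 3.16 TPM driver, which the backport message does not mention.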