From 878e5fefab13341f2d8e16db441bba3b2146253f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 24 May 2025 17:38:07 +0200 Subject: [PATCH] 5.15-stable patches added patches: can-bcm-add-locking-for-bcm_op-runtime-updates.patch can-bcm-add-missing-rcu-read-protection-for-procfs-content.patch crypto-algif_hash-fix-double-free-in-hash_accept.patch padata-do-not-leak-refcount-in-reorder_work.patch --- ...d-locking-for-bcm_op-runtime-updates.patch | 192 ++++++++++++++++++ ...u-read-protection-for-procfs-content.patch | 79 +++++++ ..._hash-fix-double-free-in-hash_accept.patch | 36 ++++ ...do-not-leak-refcount-in-reorder_work.patch | 55 +++++ queue-5.15/series | 4 + 5 files changed, 366 insertions(+) create mode 100644 queue-5.15/can-bcm-add-locking-for-bcm_op-runtime-updates.patch create mode 100644 queue-5.15/can-bcm-add-missing-rcu-read-protection-for-procfs-content.patch create mode 100644 queue-5.15/crypto-algif_hash-fix-double-free-in-hash_accept.patch create mode 100644 queue-5.15/padata-do-not-leak-refcount-in-reorder_work.patch diff --git a/queue-5.15/can-bcm-add-locking-for-bcm_op-runtime-updates.patch b/queue-5.15/can-bcm-add-locking-for-bcm_op-runtime-updates.patch new file mode 100644 index 0000000000..6a11842c17 --- /dev/null +++ b/queue-5.15/can-bcm-add-locking-for-bcm_op-runtime-updates.patch @@ -0,0 +1,192 @@ +From c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Mon, 19 May 2025 14:50:26 +0200 +Subject: can: bcm: add locking for bcm_op runtime updates + +From: Oliver Hartkopp + +commit c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7 upstream. + +The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via +hrtimer. The content and also the length of the sequence can be changed +resp reduced at runtime where the 'currframe' counter is then set to zero. + +Although this appeared to be a safe operation the updates of 'currframe' +can be triggered from user space and hrtimer context in bcm_can_tx(). +Anderson Nascimento created a proof of concept that triggered a KASAN +slab-out-of-bounds read access which can be prevented with a spin_lock_bh. + +At the rework of bcm_can_tx() the 'count' variable has been moved into +the protected section as this variable can be modified from both contexts +too. + +Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") +Reported-by: Anderson Nascimento +Tested-by: Anderson Nascimento +Reviewed-by: Marc Kleine-Budde +Signed-off-by: Oliver Hartkopp +Link: https://patch.msgid.link/20250519125027.11900-1-socketcan@hartkopp.net +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/bcm.c | 66 +++++++++++++++++++++++++++++++++++++++------------------- + 1 file changed, 45 insertions(+), 21 deletions(-) + +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -58,6 +58,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -120,6 +121,7 @@ struct bcm_op { + struct canfd_frame last_sframe; + struct sock *sk; + struct net_device *rx_reg_dev; ++ spinlock_t bcm_tx_lock; /* protect currframe/count in runtime updates */ + }; + + struct bcm_sock { +@@ -273,13 +275,18 @@ static void bcm_can_tx(struct bcm_op *op + { + struct sk_buff *skb; + struct net_device *dev; +- struct canfd_frame *cf = op->frames + op->cfsiz * op->currframe; ++ struct canfd_frame *cf; + int err; + + /* no target device? => exit */ + if (!op->ifindex) + return; + ++ /* read currframe under lock protection */ ++ spin_lock_bh(&op->bcm_tx_lock); ++ cf = op->frames + op->cfsiz * op->currframe; ++ spin_unlock_bh(&op->bcm_tx_lock); ++ + dev = dev_get_by_index(sock_net(op->sk), op->ifindex); + if (!dev) { + /* RFC: should this bcm_op remove itself here? */ +@@ -300,6 +307,10 @@ static void bcm_can_tx(struct bcm_op *op + skb->dev = dev; + can_skb_set_owner(skb, op->sk); + err = can_send(skb, 1); ++ ++ /* update currframe and count under lock protection */ ++ spin_lock_bh(&op->bcm_tx_lock); ++ + if (!err) + op->frames_abs++; + +@@ -308,6 +319,11 @@ static void bcm_can_tx(struct bcm_op *op + /* reached last frame? */ + if (op->currframe >= op->nframes) + op->currframe = 0; ++ ++ if (op->count > 0) ++ op->count--; ++ ++ spin_unlock_bh(&op->bcm_tx_lock); + out: + dev_put(dev); + } +@@ -404,7 +420,7 @@ static enum hrtimer_restart bcm_tx_timeo + struct bcm_msg_head msg_head; + + if (op->kt_ival1 && (op->count > 0)) { +- op->count--; ++ bcm_can_tx(op); + if (!op->count && (op->flags & TX_COUNTEVT)) { + + /* create notification to user */ +@@ -419,7 +435,6 @@ static enum hrtimer_restart bcm_tx_timeo + + bcm_send_to_user(op, &msg_head, NULL, 0); + } +- bcm_can_tx(op); + + } else if (op->kt_ival2) { + bcm_can_tx(op); +@@ -909,6 +924,27 @@ static int bcm_tx_setup(struct bcm_msg_h + } + op->flags = msg_head->flags; + ++ /* only lock for unlikely count/nframes/currframe changes */ ++ if (op->nframes != msg_head->nframes || ++ op->flags & TX_RESET_MULTI_IDX || ++ op->flags & SETTIMER) { ++ ++ spin_lock_bh(&op->bcm_tx_lock); ++ ++ if (op->nframes != msg_head->nframes || ++ op->flags & TX_RESET_MULTI_IDX) { ++ /* potentially update changed nframes */ ++ op->nframes = msg_head->nframes; ++ /* restart multiple frame transmission */ ++ op->currframe = 0; ++ } ++ ++ if (op->flags & SETTIMER) ++ op->count = msg_head->count; ++ ++ spin_unlock_bh(&op->bcm_tx_lock); ++ } ++ + } else { + /* insert new BCM operation for the given can_id */ + +@@ -916,9 +952,14 @@ static int bcm_tx_setup(struct bcm_msg_h + if (!op) + return -ENOMEM; + ++ spin_lock_init(&op->bcm_tx_lock); + op->can_id = msg_head->can_id; + op->cfsiz = CFSIZ(msg_head->flags); + op->flags = msg_head->flags; ++ op->nframes = msg_head->nframes; ++ ++ if (op->flags & SETTIMER) ++ op->count = msg_head->count; + + /* create array for CAN frames and copy the data */ + if (msg_head->nframes > 1) { +@@ -977,22 +1018,8 @@ static int bcm_tx_setup(struct bcm_msg_h + + } /* if ((op = bcm_find_op(&bo->tx_ops, msg_head->can_id, ifindex))) */ + +- if (op->nframes != msg_head->nframes) { +- op->nframes = msg_head->nframes; +- /* start multiple frame transmission with index 0 */ +- op->currframe = 0; +- } +- +- /* check flags */ +- +- if (op->flags & TX_RESET_MULTI_IDX) { +- /* start multiple frame transmission with index 0 */ +- op->currframe = 0; +- } +- + if (op->flags & SETTIMER) { + /* set timer values */ +- op->count = msg_head->count; + op->ival1 = msg_head->ival1; + op->ival2 = msg_head->ival2; + op->kt_ival1 = bcm_timeval_to_ktime(msg_head->ival1); +@@ -1009,11 +1036,8 @@ static int bcm_tx_setup(struct bcm_msg_h + op->flags |= TX_ANNOUNCE; + } + +- if (op->flags & TX_ANNOUNCE) { ++ if (op->flags & TX_ANNOUNCE) + bcm_can_tx(op); +- if (op->count) +- op->count--; +- } + + if (op->flags & STARTTIMER) + bcm_tx_start_timer(op); diff --git a/queue-5.15/can-bcm-add-missing-rcu-read-protection-for-procfs-content.patch b/queue-5.15/can-bcm-add-missing-rcu-read-protection-for-procfs-content.patch new file mode 100644 index 0000000000..d770b2d52e --- /dev/null +++ b/queue-5.15/can-bcm-add-missing-rcu-read-protection-for-procfs-content.patch @@ -0,0 +1,79 @@ +From dac5e6249159ac255dad9781793dbe5908ac9ddb Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Mon, 19 May 2025 14:50:27 +0200 +Subject: can: bcm: add missing rcu read protection for procfs content + +From: Oliver Hartkopp + +commit dac5e6249159ac255dad9781793dbe5908ac9ddb upstream. + +When the procfs content is generated for a bcm_op which is in the process +to be removed the procfs output might show unreliable data (UAF). + +As the removal of bcm_op's is already implemented with rcu handling this +patch adds the missing rcu_read_lock() and makes sure the list entries +are properly removed under rcu protection. + +Fixes: f1b4e32aca08 ("can: bcm: use call_rcu() instead of costly synchronize_rcu()") +Reported-by: Anderson Nascimento +Suggested-by: Anderson Nascimento +Tested-by: Anderson Nascimento +Signed-off-by: Oliver Hartkopp +Link: https://patch.msgid.link/20250519125027.11900-2-socketcan@hartkopp.net +Cc: stable@vger.kernel.org # >= 5.4 +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/bcm.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -207,7 +207,9 @@ static int bcm_proc_show(struct seq_file + seq_printf(m, " / bound %s", bcm_proc_getifname(net, ifname, bo->ifindex)); + seq_printf(m, " <<<\n"); + +- list_for_each_entry(op, &bo->rx_ops, list) { ++ rcu_read_lock(); ++ ++ list_for_each_entry_rcu(op, &bo->rx_ops, list) { + + unsigned long reduction; + +@@ -263,6 +265,9 @@ static int bcm_proc_show(struct seq_file + seq_printf(m, "# sent %ld\n", op->frames_abs); + } + seq_putc(m, '\n'); ++ ++ rcu_read_unlock(); ++ + return 0; + } + #endif /* CONFIG_PROC_FS */ +@@ -811,7 +816,7 @@ static int bcm_delete_rx_op(struct list_ + REGMASK(op->can_id), + bcm_rx_handler, op); + +- list_del(&op->list); ++ list_del_rcu(&op->list); + bcm_remove_op(op); + return 1; /* done */ + } +@@ -831,7 +836,7 @@ static int bcm_delete_tx_op(struct list_ + list_for_each_entry_safe(op, n, ops, list) { + if ((op->can_id == mh->can_id) && (op->ifindex == ifindex) && + (op->flags & CAN_FD_FRAME) == (mh->flags & CAN_FD_FRAME)) { +- list_del(&op->list); ++ list_del_rcu(&op->list); + bcm_remove_op(op); + return 1; /* done */ + } +@@ -1253,7 +1258,7 @@ static int bcm_rx_setup(struct bcm_msg_h + bcm_rx_handler, op, "bcm", sk); + if (err) { + /* this bcm rx op is broken -> remove it */ +- list_del(&op->list); ++ list_del_rcu(&op->list); + bcm_remove_op(op); + return err; + } diff --git a/queue-5.15/crypto-algif_hash-fix-double-free-in-hash_accept.patch b/queue-5.15/crypto-algif_hash-fix-double-free-in-hash_accept.patch new file mode 100644 index 0000000000..65ac48aaa9 --- /dev/null +++ b/queue-5.15/crypto-algif_hash-fix-double-free-in-hash_accept.patch @@ -0,0 +1,36 @@ +From b2df03ed4052e97126267e8c13ad4204ea6ba9b6 Mon Sep 17 00:00:00 2001 +From: Ivan Pravdin +Date: Sun, 18 May 2025 18:41:02 -0400 +Subject: crypto: algif_hash - fix double free in hash_accept + +From: Ivan Pravdin + +commit b2df03ed4052e97126267e8c13ad4204ea6ba9b6 upstream. + +If accept(2) is called on socket type algif_hash with +MSG_MORE flag set and crypto_ahash_import fails, +sk2 is freed. However, it is also freed in af_alg_release, +leading to slab-use-after-free error. + +Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations") +Cc: +Signed-off-by: Ivan Pravdin +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/algif_hash.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/crypto/algif_hash.c ++++ b/crypto/algif_hash.c +@@ -262,10 +262,6 @@ static int hash_accept(struct socket *so + return err; + + err = crypto_ahash_import(&ctx2->req, state); +- if (err) { +- sock_orphan(sk2); +- sock_put(sk2); +- } + + return err; + } diff --git a/queue-5.15/padata-do-not-leak-refcount-in-reorder_work.patch b/queue-5.15/padata-do-not-leak-refcount-in-reorder_work.patch new file mode 100644 index 0000000000..bc202c4c68 --- /dev/null +++ b/queue-5.15/padata-do-not-leak-refcount-in-reorder_work.patch @@ -0,0 +1,55 @@ +From d6ebcde6d4ecf34f8495fb30516645db3aea8993 Mon Sep 17 00:00:00 2001 +From: Dominik Grzegorzek +Date: Sun, 18 May 2025 19:45:31 +0200 +Subject: padata: do not leak refcount in reorder_work + +From: Dominik Grzegorzek + +commit d6ebcde6d4ecf34f8495fb30516645db3aea8993 upstream. + +A recent patch that addressed a UAF introduced a reference count leak: +the parallel_data refcount is incremented unconditionally, regardless +of the return value of queue_work(). If the work item is already queued, +the incremented refcount is never decremented. + +Fix this by checking the return value of queue_work() and decrementing +the refcount when necessary. + +Resolves: + +Unreferenced object 0xffff9d9f421e3d80 (size 192): + comm "cryptomgr_probe", pid 157, jiffies 4294694003 + hex dump (first 32 bytes): + 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ + d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. + backtrace (crc 838fb36): + __kmalloc_cache_noprof+0x284/0x320 + padata_alloc_pd+0x20/0x1e0 + padata_alloc_shell+0x3b/0xa0 + 0xffffffffc040a54d + cryptomgr_probe+0x43/0xc0 + kthread+0xf6/0x1f0 + ret_from_fork+0x2f/0x50 + ret_from_fork_asm+0x1a/0x30 + +Fixes: dd7d37ccf6b1 ("padata: avoid UAF for reorder_work") +Cc: +Signed-off-by: Dominik Grzegorzek +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + kernel/padata.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -350,7 +350,8 @@ static void padata_reorder(struct parall + * To avoid UAF issue, add pd ref here, and put pd ref after reorder_work finish. + */ + padata_get_pd(pd); +- queue_work(pinst->serial_wq, &pd->reorder_work); ++ if (!queue_work(pinst->serial_wq, &pd->reorder_work)) ++ padata_put_pd(pd); + } + } + diff --git a/queue-5.15/series b/queue-5.15/series index ef4d292c95..ff2b23ed7d 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -169,3 +169,7 @@ net-dwmac-sun8i-use-parsed-internal-phy-address-inst.patch sch_hfsc-fix-qlen-accounting-bug-when-using-peek-in-.patch net-tipc-fix-slab-use-after-free-read-in-tipc_aead_e.patch octeontx2-af-set-lmt_ena-bit-for-apr-table-entries.patch +crypto-algif_hash-fix-double-free-in-hash_accept.patch +padata-do-not-leak-refcount-in-reorder_work.patch +can-bcm-add-locking-for-bcm_op-runtime-updates.patch +can-bcm-add-missing-rcu-read-protection-for-procfs-content.patch -- 2.47.3