From 92e7b9bb88f69dbbc2f48242008f6b7496ab4450 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 13 Oct 2025 10:18:57 +0200
Subject: [PATCH] 6.12-stable patches

added patches:
 squashfs-fix-uninit-value-in-squashfs_get_parent.patch
 tpm-disable-tpm2_tcg_hmac-by-default.patch
---
 queue-6.12/series | 2 +
 ...-uninit-value-in-squashfs_get_parent.patch | 119 ++++++++++++++++++
 ...tpm-disable-tpm2_tcg_hmac-by-default.patch | 50 ++++++++
 3 files changed, 171 insertions(+)
 create mode 100644 queue-6.12/squashfs-fix-uninit-value-in-squashfs_get_parent.patch
 create mode 100644 queue-6.12/tpm-disable-tpm2_tcg_hmac-by-default.patch

diff --git a/queue-6.12/series b/queue-6.12/series
index 3b42b893cb..d31c0a122b 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -222,3 +222,5 @@ smb-client-fix-crypto-buffers-in-non-linear-memory.patch
 revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
 vhost-vringh-modify-the-return-value-check.patch
 bpf-reject-negative-offsets-for-alu-ops.patch
+tpm-disable-tpm2_tcg_hmac-by-default.patch
+squashfs-fix-uninit-value-in-squashfs_get_parent.patch
diff --git a/queue-6.12/squashfs-fix-uninit-value-in-squashfs_get_parent.patch b/queue-6.12/squashfs-fix-uninit-value-in-squashfs_get_parent.patch
new file mode 100644
index 0000000000..af4b772b65
--- /dev/null
+++ b/queue-6.12/squashfs-fix-uninit-value-in-squashfs_get_parent.patch
@@ -0,0 +1,119 @@
+From 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf Mon Sep 17 00:00:00 2001
+From: Phillip Lougher
+Date: Fri, 19 Sep 2025 00:33:08 +0100
+Subject: Squashfs: fix uninit-value in squashfs_get_parent
+
+From: Phillip Lougher
+
+commit 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf upstream.
+
+Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.
+
+This is caused by open_by_handle_at() being called with a file handle
+containing an invalid parent inode number. In particular the inode number
+is that of a symbolic link, rather than a directory.
+
+Squashfs_get_parent() gets called with that symbolic link inode, and
+accesses the parent member field.
+
+ unsigned int parent_ino = squashfs_i(inode)->parent;
+
+Because non-directory inodes in Squashfs do not have a parent value, this
+is uninitialised, and this causes an uninitialised value access.
+
+The fix is to initialise parent with the invalid inode 0, which will cause
+an EINVAL error to be returned.
+
+Regular inodes used to share the parent field with the block_list_start
+field. This is removed in this commit to enable the parent field to
+contain the invalid inode number 0.
+
+Link: https://lkml.kernel.org/r/20250918233308.293861-1-phillip@squashfs.org.uk
+Fixes: 122601408d20 ("Squashfs: export operations")
+Signed-off-by: Phillip Lougher
+Reported-by: syzbot+157bdef5cf596ad0da2c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68cc2431.050a0220.139b6.0001.GAE@google.com/
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/squashfs/inode.c | 7 +++++++
+ fs/squashfs/squashfs_fs_i.h | 2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -165,6 +165,7 @@ int squashfs_read_inode(struct inode *in
+ squashfs_i(inode)->start = le32_to_cpu(sqsh_ino->start_block);
+ squashfs_i(inode)->block_list_start = block;
+ squashfs_i(inode)->offset = offset;
++ squashfs_i(inode)->parent = 0;
+ inode->i_data.a_ops = &squashfs_aops;
+
+ TRACE("File inode %x:%x, start_block %llx, block_list_start "
+@@ -212,6 +213,7 @@ int squashfs_read_inode(struct inode *in
+ squashfs_i(inode)->start = le64_to_cpu(sqsh_ino->start_block);
+ squashfs_i(inode)->block_list_start = block;
+ squashfs_i(inode)->offset = offset;
++ squashfs_i(inode)->parent = 0;
+ inode->i_data.a_ops = &squashfs_aops;
+
+ TRACE("File inode %x:%x, start_block %llx, block_list_start "
+@@ -292,6 +294,7 @@ int squashfs_read_inode(struct inode *in
+ inode->i_mode |= S_IFLNK;
+ squashfs_i(inode)->start = block;
+ squashfs_i(inode)->offset = offset;
++ squashfs_i(inode)->parent = 0;
+
+ if (type == SQUASHFS_LSYMLINK_TYPE) {
+ __le32 xattr;
+@@ -329,6 +332,7 @@ int squashfs_read_inode(struct inode *in
+ set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+ rdev = le32_to_cpu(sqsh_ino->rdev);
+ init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
++ squashfs_i(inode)->parent = 0;
+
+ TRACE("Device inode %x:%x, rdev %x\n",
+ SQUASHFS_INODE_BLK(ino), offset, rdev);
+@@ -353,6 +357,7 @@ int squashfs_read_inode(struct inode *in
+ set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+ rdev = le32_to_cpu(sqsh_ino->rdev);
+ init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
++ squashfs_i(inode)->parent = 0;
+
+ TRACE("Device inode %x:%x, rdev %x\n",
+ SQUASHFS_INODE_BLK(ino), offset, rdev);
+@@ -373,6 +378,7 @@ int squashfs_read_inode(struct inode *in
+ inode->i_mode |= S_IFSOCK;
+ set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+ init_special_inode(inode, inode->i_mode, 0);
++ squashfs_i(inode)->parent = 0;
+ break;
+ }
+ case SQUASHFS_LFIFO_TYPE:
+@@ -392,6 +398,7 @@ int squashfs_read_inode(struct inode *in
+ inode->i_op = &squashfs_inode_ops;
+ set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+ init_special_inode(inode, inode->i_mode, 0);
++ squashfs_i(inode)->parent = 0;
+ break;
+ }
+ default:
+--- a/fs/squashfs/squashfs_fs_i.h
++++ b/fs/squashfs/squashfs_fs_i.h
+@@ -16,6 +16,7 @@ struct squashfs_inode_info {
+ u64 xattr;
+ unsigned int xattr_size;
+ int xattr_count;
++ int parent;
+ union {
+ struct {
+ u64 fragment_block;
+@@ -27,7 +28,6 @@ struct squashfs_inode_info {
+ u64 dir_idx_start;
+ int dir_idx_offset;
+ int dir_idx_cnt;
+- int parent;
+ };
+ };
+ struct inode vfs_inode;
diff --git a/queue-6.12/tpm-disable-tpm2_tcg_hmac-by-default.patch b/queue-6.12/tpm-disable-tpm2_tcg_hmac-by-default.patch
new file mode 100644
index 0000000000..75b8bae960
--- /dev/null
+++ b/queue-6.12/tpm-disable-tpm2_tcg_hmac-by-default.patch
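Review bot: The new-side assignment `squashfs_i(inode)->parent = 0;` is repeated in six type branches of squashfs_read_inode(), whose switch statement begins and ends outside these hunks; a single default assignment before the switch, overwritten by the directory branches that presumably read parent from disk, would cover every non-directory type including any added later. That restructuring belongs upstream, not in a stable backport, which should stay identical to commit 74058c0a9fc8 as it does here. The fix also relies on inode number 0 being rejected on the lookup path — the description says EINVAL is returned, but that check is not in these hunks, so it is worth confirming that the 6.12 tree's squashfs_inode_lookup() still rejects an ino_num of 0 before this is merged. Moving `int parent;` out of the union in squashfs_fs_i.h is what makes the 0 initialisation safe for non-directory inodes, since the field no longer shares storage with the per-type union members.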
@@ -0,0 +1,50 @@
+From 4bddf4587c131d7b8ce8952cd32b284dcda0dd1f Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen
+Date: Mon, 25 Aug 2025 23:32:23 +0300
+Subject: tpm: Disable TPM2_TCG_HMAC by default
+
+From: Jarkko Sakkinen
+
+commit 4bddf4587c131d7b8ce8952cd32b284dcda0dd1f upstream.
+
+After reading all the feedback, right now disabling the TPM2_TCG_HMAC
+is the right call.
+
+Other views discussed:
+
+A. Having a kernel command-line parameter or refining the feature
+ otherwise. This goes to the area of improvements. E.g., one
+ example is my own idea where the null key specific code would be
+ replaced with a persistent handle parameter (which can be
+ *unambigously* defined as part of attestation process when
+ done correctly).
+
+B. Removing the code. I don't buy this because that is same as saying
+ that HMAC encryption cannot work at all (if really nitpicking) in
+ any form. Also I disagree on the view that the feature could not
+ be refined to something more reasoable.
+
+Also, both A and B are worst options in terms of backporting.
+
+Thuss, this is the best possible choice.
+
+Cc: stable@vger.kernel.or # v6.10+
+Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation")
+Suggested-by: Chris Fenner
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/Kconfig
++++ b/drivers/char/tpm/Kconfig
+@@ -29,7 +29,7 @@ if TCG_TPM
+
+ config TCG_TPM2_HMAC
+ bool "Use HMAC and encrypted transactions on the TPM bus"
+- default X86_64
++ default n
+ select CRYPTO_ECDH
+ select CRYPTO_LIB_AESCFB
+ select CRYPTO_LIB_SHA256
--
2.47.3
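Review bot: `default n` is Kconfig's implicit default, so the replaced line now only documents the decision; that is fine, but the help text of TCG_TPM2_HMAC lies outside the hunk and should be checked that it does not still describe the option as enabled on x86_64 by default. Per the prompt string, disabling the option drops HMAC-protected, encrypted transactions on the TPM bus for every configuration that previously inherited `default X86_64`, so builds that want that protection now have to select it explicitly — worth a sentence in the stable release notes. The Cc trailer in the embedded commit message reads `stable@vger.kernel.or`, missing the final `g`; it is presumably copied verbatim from upstream and harmless here.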