From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 13 May 2024 15:27:56 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v4.19.314~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf19391822f5f32d67e464f748cb10f8241b5dab;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
	drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
	net-fix-out-of-bounds-access-in-ops_init.patch
---

diff --git a/queue-4.19/drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch b/queue-4.19/drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
new file mode 100644
index 00000000000..6ba6303b04d
--- /dev/null
+++ b/queue-4.19/drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
@@ -0,0 +1,46 @@
+From a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c Mon Sep 17 00:00:00 2001
+From: Zack Rusin <zack.rusin@broadcom.com>
+Date: Thu, 25 Apr 2024 15:27:48 -0400
+Subject: drm/vmwgfx: Fix invalid reads in fence signaled events
+
+From: Zack Rusin <zack.rusin@broadcom.com>
+
+commit a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c upstream.
+
+Correctly set the length of the drm_event to the size of the structure
+that's actually used.
+
+The length of the drm_event was set to the parent structure instead of
+to the drm_vmw_event_fence which is supposed to be read. drm_read
+uses the length parameter to copy the event to the user space thus
+resuling in oob reads.
+
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Fixes: 8b7de6aa8468 ("vmwgfx: Rework fence event action")
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23566
+Cc: David Airlie <airlied@gmail.com>
+CC: Daniel Vetter <daniel@ffwll.ch>
+Cc: Zack Rusin <zack.rusin@broadcom.com>
+Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: linux-kernel@vger.kernel.org
+Cc: <stable@vger.kernel.org> # v3.4+
+Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
+Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240425192748.1761522-1-zack.rusin@broadcom.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_fence.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
+@@ -1064,7 +1064,7 @@ static int vmw_event_fence_action_create
+ 	}
+ 
+ 	event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED;
+-	event->event.base.length = sizeof(*event);
++	event->event.base.length = sizeof(event->event);
+ 	event->event.user_data = user_data;
+ 
+ 	ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base);
diff --git a/queue-4.19/net-fix-out-of-bounds-access-in-ops_init.patch b/queue-4.19/net-fix-out-of-bounds-access-in-ops_init.patch
new file mode 100644
index 00000000000..5415300100c
--- /dev/null
+++ b/queue-4.19/net-fix-out-of-bounds-access-in-ops_init.patch
@@ -0,0 +1,66 @@
+From a26ff37e624d12e28077e5b24d2b264f62764ad6 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Thu, 2 May 2024 10:20:06 -0300
+Subject: net: fix out-of-bounds access in ops_init
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit a26ff37e624d12e28077e5b24d2b264f62764ad6 upstream.
+
+net_alloc_generic is called by net_alloc, which is called without any
+locking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It
+is read twice, first to allocate an array, then to set s.len, which is
+later used to limit the bounds of the array access.
+
+It is possible that the array is allocated and another thread is
+registering a new pernet ops, increments max_gen_ptrs, which is then used
+to set s.len with a larger than allocated length for the variable array.
+
+Fix it by reading max_gen_ptrs only once in net_alloc_generic. If
+max_gen_ptrs is later incremented, it will be caught in net_assign_generic.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Fixes: 073862ba5d24 ("netns: fix net_alloc_generic()")
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240502132006.3430840-1-cascardo@igalia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/net_namespace.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -63,12 +63,15 @@ static unsigned int max_gen_ptrs = INITI
+ 
+ static struct net_generic *net_alloc_generic(void)
+ {
++	unsigned int gen_ptrs = READ_ONCE(max_gen_ptrs);
++	unsigned int generic_size;
+ 	struct net_generic *ng;
+-	unsigned int generic_size = offsetof(struct net_generic, ptr[max_gen_ptrs]);
++
++	generic_size = offsetof(struct net_generic, ptr[gen_ptrs]);
+ 
+ 	ng = kzalloc(generic_size, GFP_KERNEL);
+ 	if (ng)
+-		ng->s.len = max_gen_ptrs;
++		ng->s.len = gen_ptrs;
+ 
+ 	return ng;
+ }
+@@ -1032,7 +1035,11 @@ static int register_pernet_operations(st
+ 		if (error < 0)
+ 			return error;
+ 		*ops->id = error;
+-		max_gen_ptrs = max(max_gen_ptrs, *ops->id + 1);
++		/* This does not require READ_ONCE as writers already hold
++		 * pernet_ops_rwsem. But WRITE_ONCE is needed to protect
++		 * net_alloc_generic.
++		 */
++		WRITE_ONCE(max_gen_ptrs, max(max_gen_ptrs, *ops->id + 1));
+ 	}
+ 	error = __register_pernet_operations(list, ops);
+ 	if (error) {
diff --git a/queue-4.19/series b/queue-4.19/series
index 1db6f2574d0..f2a27138423 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -58,3 +58,5 @@ usb-gadget-composite-fix-os-descriptors-w_value-logic.patch
 usb-gadget-f_fs-fix-a-race-condition-when-processing-setup-packets.patch
 tipc-fix-uaf-in-error-path.patch
 dyndbg-fix-old-bug_on-in-control-parser.patch
+drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
+net-fix-out-of-bounds-access-in-ops_init.patch