--- /dev/null
+From 965a7d72e798eb7af0aa67210e37cf7ecd1c9cad Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Date: Tue, 11 May 2021 20:02:42 +0200
+Subject: mac80211: assure all fragments are encrypted
+
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+
+commit 965a7d72e798eb7af0aa67210e37cf7ecd1c9cad upstream.
+
+Do not mix plaintext and encrypted fragments in protected Wi-Fi
+networks. This fixes CVE-2020-26147.
+
+Previously, an attacker was able to first forward a legitimate encrypted
+fragment towards a victim, followed by a plaintext fragment. The
+encrypted and plaintext fragment would then be reassembled. For further
+details see Section 6.3 and Appendix D in the paper "Fragment and Forge:
+Breaking Wi-Fi Through Frame Aggregation and Fragmentation".
+
+Because of this change there are now two equivalent conditions in the
+code to determine if a received fragment requires sequential PNs, so we
+also move this test to a separate function to make the code easier to
+maintain.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Link: https://lore.kernel.org/r/20210511200110.30c4394bb835.I5acfdb552cc1d20c339c262315950b3eac491397@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2078,6 +2078,16 @@ ieee80211_reassemble_find(struct ieee802
+ return NULL;
+ }
+
++static bool requires_sequential_pn(struct ieee80211_rx_data *rx, __le16 fc)
++{
++ return rx->key &&
++ (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
++ ieee80211_has_protected(fc);
++}
++
+ static ieee80211_rx_result debug_noinline
+ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ {
+@@ -2122,12 +2132,7 @@ ieee80211_rx_h_defragment(struct ieee802
+ /* This is the first fragment of a new frame. */
+ entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
+ rx->seqno_idx, &(rx->skb));
+- if (rx->key &&
+- (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
+- rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
+- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
+- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
+- ieee80211_has_protected(fc)) {
++ if (requires_sequential_pn(rx, fc)) {
+ int queue = rx->security_idx;
+
+ /* Store CCMP/GCMP PN so that we can verify that the
+@@ -2169,11 +2174,7 @@ ieee80211_rx_h_defragment(struct ieee802
+ u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
+ int queue;
+
+- if (!rx->key ||
+- (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP &&
+- rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 &&
+- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP &&
+- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256))
++ if (!requires_sequential_pn(rx, fc))
+ return RX_DROP_UNUSABLE;
+ memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
+ for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
--- /dev/null
+From 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Date: Tue, 11 May 2021 20:02:43 +0200
+Subject: mac80211: prevent mixed key and fragment cache attacks
+
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+
+commit 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 upstream.
+
+Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment
+cache attacks (CVE-2020-24586). This is accomplished by assigning a
+unique color to every key (per interface) and using this to track which
+key was used to decrypt a fragment. When reassembling frames, it is
+now checked whether all fragments were decrypted using the same key.
+
+To assure that fragment cache attacks are also prevented, the ID that is
+assigned to keys is unique even over (re)associations and (re)connects.
+This means fragments separated by a (re)association or (re)connect will
+not be reassembled. Because mac80211 now also prevents the reassembly of
+mixed encrypted and plaintext fragments, all cache attacks are prevented.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Link: https://lore.kernel.org/r/20210511200110.3f8290e59823.I622a67769ed39257327a362cfc09c812320eb979@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ieee80211_i.h | 1 +
+ net/mac80211/key.c | 7 +++++++
+ net/mac80211/key.h | 2 ++
+ net/mac80211/rx.c | 6 ++++++
+ 4 files changed, 16 insertions(+)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -100,6 +100,7 @@ struct ieee80211_fragment_entry {
+ u8 rx_queue;
+ bool check_sequential_pn; /* needed for CCMP/GCMP */
+ u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
++ unsigned int key_color;
+ };
+
+
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -653,6 +653,7 @@ int ieee80211_key_link(struct ieee80211_
+ struct ieee80211_sub_if_data *sdata,
+ struct sta_info *sta)
+ {
++ static atomic_t key_color = ATOMIC_INIT(0);
+ struct ieee80211_local *local = sdata->local;
+ struct ieee80211_key *old_key;
+ int idx = key->conf.keyidx;
+@@ -688,6 +689,12 @@ int ieee80211_key_link(struct ieee80211_
+ key->sdata = sdata;
+ key->sta = sta;
+
++ /*
++ * Assign a unique ID to every key so we can easily prevent mixed
++ * key and fragment cache attacks.
++ */
++ key->color = atomic_inc_return(&key_color);
++
+ increment_tailroom_need_count(sdata);
+
+ ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
+--- a/net/mac80211/key.h
++++ b/net/mac80211/key.h
+@@ -127,6 +127,8 @@ struct ieee80211_key {
+ } debugfs;
+ #endif
+
++ unsigned int color;
++
+ /*
+ * key config, must be last because it contains key
+ * material as variable length member
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2139,6 +2139,7 @@ ieee80211_rx_h_defragment(struct ieee802
+ * next fragment has a sequential PN value.
+ */
+ entry->check_sequential_pn = true;
++ entry->key_color = rx->key->color;
+ memcpy(entry->last_pn,
+ rx->key->u.ccmp.rx_pn[queue],
+ IEEE80211_CCMP_PN_LEN);
+@@ -2176,6 +2177,11 @@ ieee80211_rx_h_defragment(struct ieee802
+
+ if (!requires_sequential_pn(rx, fc))
+ return RX_DROP_UNUSABLE;
++
++ /* Prevent mixed key and fragment cache attacks */
++ if (entry->key_color != rx->key->color)
++ return RX_DROP_UNUSABLE;
++
+ memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
+ for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
+ pn[i]++;
--- /dev/null
+From 1a6e9a9c68c1f183872e4bcc947382111c2e04eb Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 24 May 2021 11:25:11 +0200
+Subject: net: hso: fix control-request directions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1a6e9a9c68c1f183872e4bcc947382111c2e04eb upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Fix the tiocmset and rfkill requests which erroneously used
+usb_rcvctrlpipe().
+
+Fixes: 72dc1c096c70 ("HSO: add option hso driver")
+Cc: stable@vger.kernel.org # 2.6.27
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/hso.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -1703,7 +1703,7 @@ static int hso_serial_tiocmset(struct tt
+ spin_unlock_irqrestore(&serial->serial_lock, flags);
+
+ return usb_control_msg(serial->parent->usb,
+- usb_rcvctrlpipe(serial->parent->usb, 0), 0x22,
++ usb_sndctrlpipe(serial->parent->usb, 0), 0x22,
+ 0x21, val, if_num, NULL, 0,
+ USB_CTRL_SET_TIMEOUT);
+ }
+@@ -2450,7 +2450,7 @@ static int hso_rfkill_set_block(void *da
+ if (hso_dev->usb_gone)
+ rv = 0;
+ else
+- rv = usb_control_msg(hso_dev->usb, usb_rcvctrlpipe(hso_dev->usb, 0),
++ rv = usb_control_msg(hso_dev->usb, usb_sndctrlpipe(hso_dev->usb, 0),
+ enabled ? 0x82 : 0x81, 0x40, 0, 0, NULL, 0,
+ USB_CTRL_SET_TIMEOUT);
+ mutex_unlock(&hso_dev->mutex);
--- /dev/null
+From c954eb72b31a9dc56c99b450253ec5b121add320 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 19 May 2021 10:45:14 +0300
+Subject: perf intel-pt: Fix sample instruction bytes
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit c954eb72b31a9dc56c99b450253ec5b121add320 upstream.
+
+The decoder reports the current instruction if it was decoded. In some
+cases the current instruction is not decoded, in which case the instruction
+bytes length must be set to zero. Ensure that is always done.
+
+Note perf script can anyway get the instruction bytes for any samples where
+they are not present.
+
+Also note, that there is a redundant "ptq->insn_len = 0" statement which is
+not removed until a subsequent patch in order to make this patch apply
+cleanly to stable branches.
+
+Example:
+
+A machne that supports TSX is required. It will have flag "rtm". Kernel
+parameter tsx=on may be required.
+
+ # for w in `cat /proc/cpuinfo | grep -m1 flags `;do echo $w | grep rtm ; done
+ rtm
+
+Test program:
+
+ #include <stdio.h>
+ #include <immintrin.h>
+
+ int main()
+ {
+ int x = 0;
+
+ if (_xbegin() == _XBEGIN_STARTED) {
+ x = 1;
+ _xabort(1);
+ } else {
+ printf("x = %d\n", x);
+ }
+ return 0;
+ }
+
+Compile with -mrtm i.e.
+
+ gcc -Wall -Wextra -mrtm xabort.c -o xabort
+
+Record:
+
+ perf record -e intel_pt/cyc/u --filter 'filter main @ ./xabort' ./xabort
+
+Before:
+
+ # perf script --itrace=xe -F+flags,+insn,-period --xed --ns
+ xabort 1478 [007] 92161.431348581: transactions: x 400b81 main+0x14 (/root/xabort) mov $0xffffffff, %eax
+ xabort 1478 [007] 92161.431348624: transactions: tx abrt 400b93 main+0x26 (/root/xabort) mov $0xffffffff, %eax
+
+After:
+
+ # perf script --itrace=xe -F+flags,+insn,-period --xed --ns
+ xabort 1478 [007] 92161.431348581: transactions: x 400b81 main+0x14 (/root/xabort) xbegin 0x6
+ xabort 1478 [007] 92161.431348624: transactions: tx abrt 400b93 main+0x26 (/root/xabort) xabort $0x1
+
+Fixes: faaa87680b25d ("perf intel-pt/bts: Report instruction bytes and length in sample")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20210519074515.9262-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/intel-pt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -505,8 +505,10 @@ static int intel_pt_walk_next_insn(struc
+
+ *ip += intel_pt_insn->length;
+
+- if (to_ip && *ip == to_ip)
++ if (to_ip && *ip == to_ip) {
++ intel_pt_insn->length = 0;
+ goto out_no_cache;
++ }
+
+ if (*ip >= al.map->end)
+ break;
+@@ -893,6 +895,7 @@ static void intel_pt_set_pid_tid_cpu(str
+
+ static void intel_pt_sample_flags(struct intel_pt_queue *ptq)
+ {
++ ptq->insn_len = 0;
+ if (ptq->state->flags & INTEL_PT_ABORT_TX) {
+ ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_TX_ABORT;
+ } else if (ptq->state->flags & INTEL_PT_ASYNC) {
--- /dev/null
+From cb7987837c31b217b28089bbc78922d5c9187869 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 19 May 2021 10:45:13 +0300
+Subject: perf intel-pt: Fix transaction abort handling
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit cb7987837c31b217b28089bbc78922d5c9187869 upstream.
+
+When adding support for power events, some handling of FUP packets was
+unified. That resulted in breaking reporting of TSX aborts, by not
+considering the associated TIP packet. Fix that.
+
+Example:
+
+A machine that supports TSX is required. It will have flag "rtm". Kernel
+parameter tsx=on may be required.
+
+ # for w in `cat /proc/cpuinfo | grep -m1 flags `;do echo $w | grep rtm ; done
+ rtm
+
+Test program:
+
+ #include <stdio.h>
+ #include <immintrin.h>
+
+ int main()
+ {
+ int x = 0;
+
+ if (_xbegin() == _XBEGIN_STARTED) {
+ x = 1;
+ _xabort(1);
+ } else {
+ printf("x = %d\n", x);
+ }
+ return 0;
+ }
+
+Compile with -mrtm i.e.
+
+ gcc -Wall -Wextra -mrtm xabort.c -o xabort
+
+Record:
+
+ perf record -e intel_pt/cyc/u --filter 'filter main @ ./xabort' ./xabort
+
+Before:
+
+ # perf script --itrace=be -F+flags,+addr,-period,-event --ns
+ xabort 1478 [007] 92161.431348552: tr strt 0 [unknown] ([unknown]) => 400b6d main+0x0 (/root/xabort)
+ xabort 1478 [007] 92161.431348624: jmp 400b96 main+0x29 (/root/xabort) => 400bae main+0x41 (/root/xabort)
+ xabort 1478 [007] 92161.431348624: return 400bb4 main+0x47 (/root/xabort) => 400b87 main+0x1a (/root/xabort)
+ xabort 1478 [007] 92161.431348637: jcc 400b8a main+0x1d (/root/xabort) => 400b98 main+0x2b (/root/xabort)
+ xabort 1478 [007] 92161.431348644: tr end call 400ba9 main+0x3c (/root/xabort) => 40f690 printf+0x0 (/root/xabort)
+ xabort 1478 [007] 92161.431360859: tr strt 0 [unknown] ([unknown]) => 400bae main+0x41 (/root/xabort)
+ xabort 1478 [007] 92161.431360882: tr end return 400bb4 main+0x47 (/root/xabort) => 401139 __libc_start_main+0x309 (/root/xabort)
+
+After:
+
+ # perf script --itrace=be -F+flags,+addr,-period,-event --ns
+ xabort 1478 [007] 92161.431348552: tr strt 0 [unknown] ([unknown]) => 400b6d main+0x0 (/root/xabort)
+ xabort 1478 [007] 92161.431348624: tx abrt 400b93 main+0x26 (/root/xabort) => 400b87 main+0x1a (/root/xabort)
+ xabort 1478 [007] 92161.431348637: jcc 400b8a main+0x1d (/root/xabort) => 400b98 main+0x2b (/root/xabort)
+ xabort 1478 [007] 92161.431348644: tr end call 400ba9 main+0x3c (/root/xabort) => 40f690 printf+0x0 (/root/xabort)
+ xabort 1478 [007] 92161.431360859: tr strt 0 [unknown] ([unknown]) => 400bae main+0x41 (/root/xabort)
+ xabort 1478 [007] 92161.431360882: tr end return 400bb4 main+0x47 (/root/xabort) => 401139 __libc_start_main+0x309 (/root/xabort)
+
+Fixes: a472e65fc490a ("perf intel-pt: Add decoder support for ptwrite and power event packets")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lore.kernel.org/lkml/20210519074515.9262-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1063,6 +1063,8 @@ static bool intel_pt_fup_event(struct in
+ decoder->set_fup_tx_flags = false;
+ decoder->tx_flags = decoder->fup_tx_flags;
+ decoder->state.type = INTEL_PT_TRANSACTION;
++ if (decoder->fup_tx_flags & INTEL_PT_ABORT_TX)
++ decoder->state.type |= INTEL_PT_BRANCH;
+ decoder->state.from_ip = decoder->ip;
+ decoder->state.to_ip = 0;
+ decoder->state.flags = decoder->fup_tx_flags;
+@@ -1129,8 +1131,10 @@ static int intel_pt_walk_fup(struct inte
+ return 0;
+ if (err == -EAGAIN ||
+ intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) {
++ bool no_tip = decoder->pkt_state != INTEL_PT_STATE_FUP;
++
+ decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
+- if (intel_pt_fup_event(decoder))
++ if (intel_pt_fup_event(decoder) && no_tip)
+ return 0;
+ return -EAGAIN;
+ }
--- /dev/null
+From bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 25 May 2021 12:37:35 -0700
+Subject: proc: Check /proc/$pid/attr/ writes against file opener
+
+From: Kees Cook <keescook@chromium.org>
+
+commit bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 upstream.
+
+Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/
+files need to check the opener credentials, since these fds do not
+transition state across execve(). Without this, it is possible to
+trick another process (which may have different credentials) to write
+to its own /proc/$pid/attr/ files, leading to unexpected and possibly
+exploitable behaviors.
+
+[1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/base.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2564,6 +2564,10 @@ static ssize_t proc_pid_attr_write(struc
+ void *page;
+ int rv;
+
++ /* A task may only write when it was the opener. */
++ if (file->f_cred != current_real_cred())
++ return -EPERM;
++
+ rcu_read_lock();
+ task = pid_task(proc_pid(inode), PIDTYPE_PID);
+ if (!task) {
cifs-set-server-cipher_type-to-aes-128-ccm-for-smb3.0.patch
nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch
+perf-intel-pt-fix-sample-instruction-bytes.patch
+perf-intel-pt-fix-transaction-abort-handling.patch
+proc-check-proc-pid-attr-writes-against-file-opener.patch
+net-hso-fix-control-request-directions.patch
+mac80211-assure-all-fragments-are-encrypted.patch
+mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
