5.10-stable patches

added patches:
	block-fix-use-after-free-in-disk_part_iter_next.patch
	can-isotp-isotp_getname-fix-kernel-information-leak.patch
	net-drop-bogus-skb-with-checksum_partial-and-offset-beyond-end-of-trimmed-packet.patch

diff --git a/queue-5.10/block-fix-use-after-free-in-disk_part_iter_next.patch b/queue-5.10/block-fix-use-after-free-in-disk_part_iter_next.patch
new file mode 100644 (file)
index 0000000..d35d74f
--- /dev/null
+++ b/queue-5.10/block-fix-use-after-free-in-disk_part_iter_next.patch
@@ -0,0 +1,46 @@
+From aebf5db917055b38f4945ed6d621d9f07a44ff30 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 21 Dec 2020 12:33:35 +0800
+Subject: block: fix use-after-free in disk_part_iter_next
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit aebf5db917055b38f4945ed6d621d9f07a44ff30 upstream.
+
+Make sure that bdgrab() is done on the 'block_device' instance before
+referring to it for avoiding use-after-free.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: syzbot+825f0f9657d4e528046e@syzkaller.appspotmail.com
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/genhd.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -256,14 +256,17 @@ struct hd_struct *disk_part_iter_next(st
+               part = rcu_dereference(ptbl->part[piter->idx]);
+               if (!part)
+                       continue;
++              get_device(part_to_dev(part));
++              piter->part = part;
+               if (!part_nr_sects_read(part) &&
+                   !(piter->flags & DISK_PITER_INCL_EMPTY) &&
+                   !(piter->flags & DISK_PITER_INCL_EMPTY_PART0 &&
+-                    piter->idx == 0))
++                    piter->idx == 0)) {
++                      put_device(part_to_dev(part));
++                      piter->part = NULL;
+                       continue;
++              }
+ 
+-              get_device(part_to_dev(part));
+-              piter->part = part;
+               piter->idx += inc;
+               break;
+       }

diff --git a/queue-5.10/can-isotp-isotp_getname-fix-kernel-information-leak.patch b/queue-5.10/can-isotp-isotp_getname-fix-kernel-information-leak.patch
new file mode 100644 (file)
index 0000000..cdd2c46
--- /dev/null
+++ b/queue-5.10/can-isotp-isotp_getname-fix-kernel-information-leak.patch
@@ -0,0 +1,33 @@
+From b42b3a2744b3e8f427de79896720c72823af91ad Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Tue, 12 Jan 2021 10:16:43 +0100
+Subject: can: isotp: isotp_getname(): fix kernel information leak
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit b42b3a2744b3e8f427de79896720c72823af91ad upstream.
+
+Initialize the sockaddr_can structure to prevent a data leak to user space.
+
+Suggested-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reported-by: syzbot+057884e2f453e8afebc8@syzkaller.appspotmail.com
+Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://lore.kernel.org/r/20210112091643.11789-1-socketcan@hartkopp.net
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/can/isotp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -1139,6 +1139,7 @@ static int isotp_getname(struct socket *
+       if (peer)
+               return -EOPNOTSUPP;
+ 
++      memset(addr, 0, sizeof(*addr));
+       addr->can_family = AF_CAN;
+       addr->can_ifindex = so->ifindex;
+       addr->can_addr.tp.rx_id = so->rxid;

diff --git a/queue-5.10/net-drop-bogus-skb-with-checksum_partial-and-offset-beyond-end-of-trimmed-packet.patch b/queue-5.10/net-drop-bogus-skb-with-checksum_partial-and-offset-beyond-end-of-trimmed-packet.patch
new file mode 100644 (file)
index 0000000..2895c64
--- /dev/null
+++ b/queue-5.10/net-drop-bogus-skb-with-checksum_partial-and-offset-beyond-end-of-trimmed-packet.patch
@@ -0,0 +1,50 @@
+From 54970a2fbb673f090b7f02d7f57b10b2e0707155 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 14 Dec 2020 22:07:39 +0300
+Subject: net: drop bogus skb with CHECKSUM_PARTIAL and offset beyond end of trimmed packet
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 54970a2fbb673f090b7f02d7f57b10b2e0707155 upstream.
+
+syzbot reproduces BUG_ON in skb_checksum_help():
+tun creates (bogus) skb with huge partial-checksummed area and
+small ip packet inside. Then ip_rcv trims the skb based on size
+of internal ip packet, after that csum offset points beyond of
+trimmed skb. Then checksum_tg() called via netfilter hook
+triggers BUG_ON:
+
+        offset = skb_checksum_start_offset(skb);
+        BUG_ON(offset >= skb_headlen(skb));
+
+To work around the problem this patch forces pskb_trim_rcsum_slow()
+to return -EINVAL in described scenario. It allows its callers to
+drop such kind of packets.
+
+Link: https://syzkaller.appspot.com/bug?id=b419a5ca95062664fe1a60b764621eb4526e2cd0
+Reported-by: syzbot+7010af67ced6105e5ab6@syzkaller.appspotmail.com
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/1b2494af-2c56-8ee2-7bc0-923fcad1cdf8@virtuozzo.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/skbuff.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2011,6 +2011,12 @@ int pskb_trim_rcsum_slow(struct sk_buff
+               skb->csum = csum_block_sub(skb->csum,
+                                          skb_checksum(skb, len, delta, 0),
+                                          len);
++      } else if (skb->ip_summed == CHECKSUM_PARTIAL) {
++              int hdlen = (len > skb_headlen(skb)) ? skb_headlen(skb) : len;
++              int offset = skb_checksum_start_offset(skb) + skb->csum_offset;
++
++              if (offset + sizeof(__sum16) > hdlen)
++                      return -EINVAL;
+       }
+       return __pskb_trim(skb, len);
+ }

diff --git a/queue-5.10/series b/queue-5.10/series
index de303e375c63725f920e0d099347cc4041c519d6..47ba07ad3fd559174d7dc5c6a07e0c05c54f3006 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -95,3 +95,6 @@ kvm-arm64-don-t-access-pmcr_el0-when-no-pmu-is-available.patch
 xsk-fix-race-in-skb-mode-transmit-with-shared-cq.patch
 xsk-rollback-reservation-at-netdev_tx_busy.patch
 block-rnbd-clt-avoid-module-unload-race-with-close-confirmation.patch
+can-isotp-isotp_getname-fix-kernel-information-leak.patch
+block-fix-use-after-free-in-disk_part_iter_next.patch
+net-drop-bogus-skb-with-checksum_partial-and-offset-beyond-end-of-trimmed-packet.patch