From: Greg Kroah-Hartman Date: Mon, 29 Mar 2021 06:40:04 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.11.11~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=125c7b94094cdf264c3199a8ed1604df0b3b890c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: mac80211-fix-double-free-in-ibss_leave.patch net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch net-sched-validate-stab-values.patch --- diff --git a/queue-4.9/mac80211-fix-double-free-in-ibss_leave.patch b/queue-4.9/mac80211-fix-double-free-in-ibss_leave.patch new file mode 100644 index 00000000000..c7d43e84859 --- /dev/null +++ b/queue-4.9/mac80211-fix-double-free-in-ibss_leave.patch 
@@ -0,0 +1,71 @@ +From 3bd801b14e0c5d29eeddc7336558beb3344efaa3 Mon Sep 17 00:00:00 2001 +From: Markus Theil +Date: Sat, 13 Feb 2021 14:36:53 +0100 +Subject: mac80211: fix double free in ibss_leave + +From: Markus Theil + +commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 upstream. + +Clear beacon ie pointer and ie length after free +in order to prevent double free. + +================================================================== +BUG: KASAN: double-free or invalid-free \ +in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876 + +CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x107/0x163 lib/dump_stack.c:120 + print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230 + kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355 + ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341 + kasan_slab_free include/linux/kasan.h:192 [inline] + __cache_free mm/slab.c:3424 [inline] + kfree+0xed/0x270 mm/slab.c:3760 + ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876 + rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline] + __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212 + __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172 + cfg80211_leave net/wireless/core.c:1221 [inline] + cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335 + notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 + call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040 + call_netdevice_notifiers_extack net/core/dev.c:2052 [inline] + call_netdevice_notifiers net/core/dev.c:2066 [inline] + __dev_close_many+0xee/0x2e0 net/core/dev.c:1586 + __dev_close net/core/dev.c:1624 [inline] + __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476 + dev_change_flags+0x8a/0x160 net/core/dev.c:8549 + dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265 + dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511 + sock_do_ioctl+0x148/0x2d0 net/socket.c:1060 + sock_ioctl+0x477/0x6a0 
net/socket.c:1177 + vfs_ioctl fs/ioctl.c:48 [inline] + __do_sys_ioctl fs/ioctl.c:753 [inline] + __se_sys_ioctl fs/ioctl.c:739 [inline] + __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com +Signed-off-by: Markus Theil +Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ibss.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -1862,6 +1862,8 @@ int ieee80211_ibss_leave(struct ieee8021 + + /* remove beacon */ + kfree(sdata->u.ibss.ie); ++ sdata->u.ibss.ie = NULL; ++ sdata->u.ibss.ie_len = 0; + + /* on the next join, re-program HT parameters */ + memset(&ifibss->ht_capa, 0, sizeof(ifibss->ht_capa)); diff --git a/queue-4.9/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch b/queue-4.9/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch new file mode 100644 index 00000000000..9d0cd54f0ae --- /dev/null +++ b/queue-4.9/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch 
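Review bot: The two added resets address the struct as `sdata->u.ibss.ie` while the context two lines below reaches the same struct through `ifibss` (`memset(&ifibss->ht_capa, ...)`); if `ifibss` is `&sdata->u.ibss`, as that line suggests, `ifibss->ie = NULL; ifibss->ie_len = 0;` would read consistently with its neighbours. The fix itself is the right one: the trace in the description shows ieee80211_ibss_leave() being entered a second time via the netdev notifier on device close, and the stale pointer left behind by the first kfree() is what the second call freed again. A short why-comment would stop a later cleanup from treating the resets as redundant, e.g. `/* reset so a repeated leave does not free the buffer twice */`. ieee80211_ibss_leave() begins and ends outside the hunk.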
@@ -0,0 +1,77 @@ +From 50535249f624d0072cd885bcdce4e4b6fb770160 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 12 Mar 2021 08:59:48 -0800 +Subject: net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() + +From: Eric Dumazet + +commit 50535249f624d0072cd885bcdce4e4b6fb770160 upstream. + +struct sockaddr_qrtr has a 2-byte hole, and qrtr_recvmsg() currently +does not clear it before copying kernel data to user space. + +It might be too late to name the hole since sockaddr_qrtr structure is uapi. + +BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249 +CPU: 0 PID: 29705 Comm: syz-executor.3 Not tainted 5.11.0-rc7-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:120 + kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118 + kmsan_internal_check_memory+0x202/0x520 mm/kmsan/kmsan.c:402 + kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249 + instrument_copy_to_user include/linux/instrumented.h:121 [inline] + _copy_to_user+0x1ac/0x270 lib/usercopy.c:33 + copy_to_user include/linux/uaccess.h:209 [inline] + move_addr_to_user+0x3a2/0x640 net/socket.c:237 + ____sys_recvmsg+0x696/0xd50 net/socket.c:2575 + ___sys_recvmsg net/socket.c:2610 [inline] + do_recvmmsg+0xa97/0x22d0 net/socket.c:2710 + __sys_recvmmsg net/socket.c:2789 [inline] + __do_sys_recvmmsg net/socket.c:2812 [inline] + __se_sys_recvmmsg+0x24a/0x410 net/socket.c:2805 + __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2805 + do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x465f69 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f43659d6188 EFLAGS: 00000246 ORIG_RAX: 000000000000012b +RAX: ffffffffffffffda RBX: 
000000000056bf60 RCX: 0000000000465f69 +RDX: 0000000000000008 RSI: 0000000020003e40 RDI: 0000000000000003 +RBP: 00000000004bfa8f R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000010060 R11: 0000000000000246 R12: 000000000056bf60 +R13: 0000000000a9fb1f R14: 00007f43659d6300 R15: 0000000000022000 + +Local variable ----addr@____sys_recvmsg created at: + ____sys_recvmsg+0x168/0xd50 net/socket.c:2550 + ____sys_recvmsg+0x168/0xd50 net/socket.c:2550 + +Bytes 2-3 of 12 are uninitialized +Memory access of size 12 starts at ffff88817c627b40 +Data copied to user address 0000000020000140 + +Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") +Signed-off-by: Eric Dumazet +Cc: Courtney Cavin +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/qrtr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -728,6 +728,11 @@ static int qrtr_recvmsg(struct socket *s + rc = copied; + + if (addr) { ++ /* There is an anonymous 2-byte hole after sq_family, ++ * make sure to clear it. ++ */ ++ memset(addr, 0, sizeof(*addr)); ++ + addr->sq_family = AF_QIPCRTR; + addr->sq_node = le32_to_cpu(phdr->src_node_id); + addr->sq_port = le32_to_cpu(phdr->src_port_id); diff --git a/queue-4.9/net-sched-validate-stab-values.patch b/queue-4.9/net-sched-validate-stab-values.patch new file mode 100644 index 00000000000..d17d2bd7152 --- /dev/null +++ b/queue-4.9/net-sched-validate-stab-values.patch 
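Review bot: The added comment says that the hole exists but not why an explicit memset() is used rather than a struct initializer or whole-struct assignment, which a future cleanup might substitute; C11 6.2.6.1 leaves padding bytes unspecified after such stores, so only the memset() guarantees the 2 bytes KMSAN flagged ("Bytes 2-3 of 12") are cleared before they reach user space. Extending the comment to `/* ... make sure to clear it; a struct initializer would not guarantee zeroed padding. */` records that for the next reader. The copy_to_user path and the msg_namelen that sizes the exported address are outside the hunk, so this hunk alone does not show that exactly sizeof(*addr) bytes leave the kernel. qrtr_recvmsg() begins and ends outside the hunk.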
@@ -0,0 +1,178 @@ +From e323d865b36134e8c5c82c834df89109a5c60dab Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 10 Mar 2021 08:26:41 -0800 +Subject: net: sched: validate stab values + +From: Eric Dumazet + +commit e323d865b36134e8c5c82c834df89109a5c60dab upstream. + +iproute2 package is well behaved, but malicious user space can +provide illegal shift values and trigger UBSAN reports. + +Add stab parameter to red_check_params() to validate user input. + +syzbot reported: + +UBSAN: shift-out-of-bounds in ./include/net/red.h:312:18 +shift exponent 111 is too large for 64-bit type 'long unsigned int' +CPU: 1 PID: 14662 Comm: syz-executor.3 Not tainted 5.12.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x141/0x1d7 lib/dump_stack.c:120 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 + red_calc_qavg_from_idle_time include/net/red.h:312 [inline] + red_calc_qavg include/net/red.h:353 [inline] + choke_enqueue.cold+0x18/0x3dd net/sched/sch_choke.c:221 + __dev_xmit_skb net/core/dev.c:3837 [inline] + __dev_queue_xmit+0x1943/0x2e00 net/core/dev.c:4150 + neigh_hh_output include/net/neighbour.h:499 [inline] + neigh_output include/net/neighbour.h:508 [inline] + ip6_finish_output2+0x911/0x1700 net/ipv6/ip6_output.c:117 + __ip6_finish_output net/ipv6/ip6_output.c:182 [inline] + __ip6_finish_output+0x4c1/0xe10 net/ipv6/ip6_output.c:161 + ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:192 + NF_HOOK_COND include/linux/netfilter.h:290 [inline] + ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:215 + dst_output include/net/dst.h:448 [inline] + NF_HOOK include/linux/netfilter.h:301 [inline] + NF_HOOK include/linux/netfilter.h:295 [inline] + ip6_xmit+0x127e/0x1eb0 net/ipv6/ip6_output.c:320 + inet6_csk_xmit+0x358/0x630 net/ipv6/inet6_connection_sock.c:135 + dccp_transmit_skb+0x973/0x12c0 
net/dccp/output.c:138 + dccp_send_reset+0x21b/0x2b0 net/dccp/output.c:535 + dccp_finish_passive_close net/dccp/proto.c:123 [inline] + dccp_finish_passive_close+0xed/0x140 net/dccp/proto.c:118 + dccp_terminate_connection net/dccp/proto.c:958 [inline] + dccp_close+0xb3c/0xe60 net/dccp/proto.c:1028 + inet_release+0x12e/0x280 net/ipv4/af_inet.c:431 + inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:478 + __sock_release+0xcd/0x280 net/socket.c:599 + sock_close+0x18/0x20 net/socket.c:1258 + __fput+0x288/0x920 fs/file_table.c:280 + task_work_run+0xdd/0x1a0 kernel/task_work.c:140 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + +Fixes: 8afa10cbe281 ("net_sched: red: Avoid illegal values") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/red.h | 10 +++++++++- + net/sched/sch_choke.c | 7 ++++--- + net/sched/sch_gred.c | 2 +- + net/sched/sch_red.c | 7 +++++-- + net/sched/sch_sfq.c | 2 +- + 5 files changed, 20 insertions(+), 8 deletions(-) + +--- a/include/net/red.h ++++ b/include/net/red.h +@@ -167,7 +167,8 @@ static inline void red_set_vars(struct r + v->qcount = -1; + } + +-static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog, u8 Scell_log) ++static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog, ++ u8 Scell_log, u8 *stab) + { + if (fls(qth_min) + Wlog > 32) + return false; +@@ -177,6 +178,13 @@ static inline bool red_check_params(u32 + return false; + if (qth_max < qth_min) + return false; ++ if (stab) { ++ int i; ++ ++ for (i = 0; i < RED_STAB_SIZE; i++) ++ if (stab[i] >= 32) ++ return false; ++ } + return true; + } + +--- a/net/sched/sch_choke.c ++++ b/net/sched/sch_choke.c +@@ -409,6 +409,7 @@ static int choke_change(struct Qdisc *sc + struct sk_buff **old = NULL; + unsigned int mask; + u32 max_P; ++ u8 *stab; + + if (opt == NULL) + return -EINVAL; +@@ -424,8 +425,8 @@ static int choke_change(struct Qdisc *sc + max_P = tb[TCA_CHOKE_MAX_P] 
? nla_get_u32(tb[TCA_CHOKE_MAX_P]) : 0; + + ctl = nla_data(tb[TCA_CHOKE_PARMS]); +- +- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log)) ++ stab = nla_data(tb[TCA_CHOKE_STAB]); ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log, stab)) + return -EINVAL; + + if (ctl->limit > CHOKE_MAX_QUEUE) +@@ -478,7 +479,7 @@ static int choke_change(struct Qdisc *sc + + red_set_parms(&q->parms, ctl->qth_min, ctl->qth_max, ctl->Wlog, + ctl->Plog, ctl->Scell_log, +- nla_data(tb[TCA_CHOKE_STAB]), ++ stab, + max_P); + red_set_vars(&q->vars); + +--- a/net/sched/sch_gred.c ++++ b/net/sched/sch_gred.c +@@ -356,7 +356,7 @@ static inline int gred_change_vq(struct + struct gred_sched *table = qdisc_priv(sch); + struct gred_sched_data *q = table->tab[dp]; + +- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log)) ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log, stab)) + return -EINVAL; + + if (!q) { +--- a/net/sched/sch_red.c ++++ b/net/sched/sch_red.c +@@ -169,6 +169,7 @@ static int red_change(struct Qdisc *sch, + struct Qdisc *child = NULL; + int err; + u32 max_P; ++ u8 *stab; + + if (opt == NULL) + return -EINVAL; +@@ -184,7 +185,9 @@ static int red_change(struct Qdisc *sch, + max_P = tb[TCA_RED_MAX_P] ? 
nla_get_u32(tb[TCA_RED_MAX_P]) : 0; + + ctl = nla_data(tb[TCA_RED_PARMS]); +- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log)) ++ stab = nla_data(tb[TCA_RED_STAB]); ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ++ ctl->Scell_log, stab)) + return -EINVAL; + + if (ctl->limit > 0) { +@@ -206,7 +209,7 @@ static int red_change(struct Qdisc *sch, + red_set_parms(&q->parms, + ctl->qth_min, ctl->qth_max, ctl->Wlog, + ctl->Plog, ctl->Scell_log, +- nla_data(tb[TCA_RED_STAB]), ++ stab, + max_P); + red_set_vars(&q->vars); + +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -645,7 +645,7 @@ static int sfq_change(struct Qdisc *sch, + } + + if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, +- ctl_v1->Wlog, ctl_v1->Scell_log)) ++ ctl_v1->Wlog, ctl_v1->Scell_log, NULL)) + return -EINVAL; + if (ctl_v1 && ctl_v1->qth_min) { + p = kmalloc(sizeof(*p), GFP_KERNEL); diff --git a/queue-4.9/series b/queue-4.9/series index 0101b9bedf0..39204a1ed9a 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -48,3 +48,6 @@ futex-prevent-robust-futex-exit-race.patch futex-fix-incorrect-should_fail_futex-handling.patch futex-handle-transient-ownerless-rtmutex-state-correctly.patch can-dev-move-device-back-to-init-netns-on-owning-netns-delete.patch +net-sched-validate-stab-values.patch +net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch +mac80211-fix-double-free-in-ibss_leave.patch
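Review bot: The new `stab` parameter of red_check_params() carries no documented contract: it may be NULL (sch_sfq.c passes NULL), and when non-NULL the loop reads RED_STAB_SIZE entries and rejects anything that cannot serve as a shift count, which is what the `>= 32` bound encodes. A comment above the `if (stab)` block such as `/* stab entries are later used as shift counts on the queue average; NULL means the caller has no table */` would make both the nullability and the reason for 32 explicit, since the UBSAN report quoted above is exactly an oversized shift from one of these entries. In choke_change() and red_change() `stab = nla_data(tb[...STAB])` is now evaluated unconditionally, which presumably relies on an earlier presence check and on the netlink policy fixing the attribute length to RED_STAB_SIZE; neither is visible in these hunks, so both are worth confirming in the 4.9 tree before the backport lands. red_check_params() is split across two hunks with the lines between them omitted, and every modified caller begins and ends outside its hunk.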