From: Sasha Levin Date: Mon, 15 Mar 2021 14:46:38 +0000 (-0400) Subject: Drop prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch X-Git-Tag: v4.4.262~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=31119a5ccafba103e5fc0ec4439bb3bae3335773;p=thirdparty%2Fkernel%2Fstable-queue.git Drop prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch b/queue-4.14/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch deleted file mode 100644 index d203041ddbf..00000000000 --- a/queue-4.14/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 47b47fc59d25cad965dabdcc10a9261e63d168cf Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 14 Mar 2021 23:51:14 +0300 -Subject: prctl: fix PR_SET_MM_AUXV kernel stack leak - -From: Alexey Dobriyan - -[ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ] - -Doing a - - prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); - -will copy 1 byte from userspace to (quite big) on-stack array -and then stash everything to mm->saved_auxv. -AT_NULL terminator will be inserted at the very end. - -/proc/*/auxv handler will find that AT_NULL terminator -and copy original stack contents to userspace. - -This devious scheme requires CAP_SYS_RESOURCE. - -Signed-off-by: Alexey Dobriyan -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - kernel/sys.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sys.c b/kernel/sys.c -index 2e4f017f7c5a..03fc0152cc54 100644 ---- a/kernel/sys.c -+++ b/kernel/sys.c -@@ -2005,7 +2005,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, - * up to the caller to provide sane values here, otherwise userspace - * tools which use this vector might be unhappy. - */ -- unsigned long user_auxv[AT_VECTOR_SIZE]; -+ unsigned long user_auxv[AT_VECTOR_SIZE] = {}; - - if (len > sizeof(user_auxv)) - return -EINVAL; --- -2.30.1 - 
diff --git a/queue-4.14/series b/queue-4.14/series index 1003a174f9b..fed63a7bd30 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -84,7 +84,6 @@ block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch configfs-fix-a-use-after-free-in-__configfs_open_fil.patch stop_machine-mark-helpers-__always_inline.patch include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch -prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch hwmon-lm90-fix-max6658-sporadic-wrong-temperature-reading.patch diff --git a/queue-4.19/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch b/queue-4.19/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch deleted file mode 100644 index c673dc3aed0..00000000000 --- a/queue-4.19/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From a1fd7d2e22b7f94b9bc2e83180d2880a0974b89a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 14 Mar 2021 23:51:14 +0300 -Subject: prctl: fix PR_SET_MM_AUXV kernel stack leak - -From: Alexey Dobriyan - -[ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ] - -Doing a - - prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); - -will copy 1 byte from userspace to (quite big) on-stack array -and then stash everything to mm->saved_auxv. -AT_NULL terminator will be inserted at the very end. - -/proc/*/auxv handler will find that AT_NULL terminator -and copy original stack contents to userspace. - -This devious scheme requires CAP_SYS_RESOURCE. - -Signed-off-by: Alexey Dobriyan -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - kernel/sys.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sys.c b/kernel/sys.c -index baf60a3aa34b..81ed6023d01b 100644 ---- a/kernel/sys.c -+++ b/kernel/sys.c -@@ -2069,7 +2069,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, - * up to the caller to provide sane values here, otherwise userspace - * tools which use this vector might be unhappy. - */ -- unsigned long user_auxv[AT_VECTOR_SIZE]; -+ unsigned long user_auxv[AT_VECTOR_SIZE] = {}; - - if (len > sizeof(user_auxv)) - return -EINVAL; --- -2.30.1 - diff --git a/queue-4.19/series b/queue-4.19/series index c53099f999f..dc5c46b0272 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -109,7 +109,6 @@ configfs-fix-a-use-after-free-in-__configfs_open_fil.patch hrtimer-update-softirq_expires_next-correctly-after-.patch stop_machine-mark-helpers-__always_inline.patch include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch -prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch x86-unwind-orc-disable-kasan-checking-in-the-orc-unwinder-part-2.patch 
diff --git a/queue-4.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch b/queue-4.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch deleted file mode 100644 index ce8a7909adf..00000000000 --- a/queue-4.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 6c68e2f8d2f09af655f81c176bf6e5100a34a8da Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 14 Mar 2021 23:51:14 +0300 -Subject: prctl: fix PR_SET_MM_AUXV kernel stack leak - -From: Alexey Dobriyan - -[ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ] - -Doing a - - prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); - -will copy 1 byte from userspace to (quite big) on-stack array -and then stash everything to mm->saved_auxv. -AT_NULL terminator will be inserted at the very end. - -/proc/*/auxv handler will find that AT_NULL terminator -and copy original stack contents to userspace. - -This devious scheme requires CAP_SYS_RESOURCE. - -Signed-off-by: Alexey Dobriyan -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - kernel/sys.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sys.c b/kernel/sys.c -index e98664039cb2..8ac977df4dd4 100644 ---- a/kernel/sys.c -+++ b/kernel/sys.c -@@ -1910,7 +1910,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, - * up to the caller to provide sane values here, otherwise userspace - * tools which use this vector might be unhappy. - */ -- unsigned long user_auxv[AT_VECTOR_SIZE]; -+ unsigned long user_auxv[AT_VECTOR_SIZE] = {}; - - if (len > sizeof(user_auxv)) - return -EINVAL; --- -2.30.1 - diff --git a/queue-4.4/series b/queue-4.4/series index 3f9b961dd84..25e4798dfe3 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -57,7 +57,6 @@ staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch -prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch alpha-add-src-rather-than-obj-to-make-source-file-path.patch alpha-merge-build-rules-of-division-routines.patch alpha-make-short-build-log-available-for-division-routines.patch diff --git a/queue-4.9/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch b/queue-4.9/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch deleted file mode 100644 index 7521a176dc3..00000000000 --- a/queue-4.9/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 941b8d3cf860169527e80a665fb4320460bec106 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 14 Mar 2021 23:51:14 +0300 -Subject: prctl: fix PR_SET_MM_AUXV kernel stack leak - -From: Alexey Dobriyan - -[ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ] - -Doing a - - prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); - -will copy 1 byte from userspace to (quite big) on-stack array -and then stash everything to mm->saved_auxv. -AT_NULL terminator will be inserted at the very end. - -/proc/*/auxv handler will find that AT_NULL terminator -and copy original stack contents to userspace. - -This devious scheme requires CAP_SYS_RESOURCE. - -Signed-off-by: Alexey Dobriyan -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - kernel/sys.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sys.c b/kernel/sys.c -index 546cdc911dad..76b3d9262644 100644 ---- a/kernel/sys.c -+++ b/kernel/sys.c -@@ -1910,7 +1910,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, - * up to the caller to provide sane values here, otherwise userspace - * tools which use this vector might be unhappy. - */ -- unsigned long user_auxv[AT_VECTOR_SIZE]; -+ unsigned long user_auxv[AT_VECTOR_SIZE] = {}; - - if (len > sizeof(user_auxv)) - return -EINVAL; --- -2.30.1 - diff --git a/queue-4.9/series b/queue-4.9/series index b290806f724..2e20370c1f0 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -61,7 +61,6 @@ sh_eth-fix-trscer-mask-for-r7s72100.patch nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch configfs-fix-a-use-after-free-in-__configfs_open_fil.patch -prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch alpha-add-src-rather-than-obj-to-make-source-file-path.patch alpha-merge-build-rules-of-division-routines.patch alpha-make-short-build-log-available-for-division-routines.patch 
diff --git a/queue-5.10/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch b/queue-5.10/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch deleted file mode 100644 index 1f0fbac333d..00000000000 --- a/queue-5.10/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch +++ /dev/null @@ -1,45 +0,0 @@ -From c82294f7036c82b48b3fe96460ae73a437474eb2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 14 Mar 2021 23:51:14 +0300 -Subject: prctl: fix PR_SET_MM_AUXV kernel stack leak - -From: Alexey Dobriyan - -[ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ] - -Doing a - - prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); - -will copy 1 byte from userspace to (quite big) on-stack array -and then stash everything to mm->saved_auxv. -AT_NULL terminator will be inserted at the very end. - -/proc/*/auxv handler will find that AT_NULL terminator -and copy original stack contents to userspace. - -This devious scheme requires CAP_SYS_RESOURCE. - -Signed-off-by: Alexey Dobriyan -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - kernel/sys.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sys.c b/kernel/sys.c -index a730c03ee607..2603280b97be 100644 ---- a/kernel/sys.c -+++ b/kernel/sys.c -@@ -2079,7 +2079,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, - * up to the caller to provide sane values here, otherwise userspace - * tools which use this vector might be unhappy. - */ -- unsigned long user_auxv[AT_VECTOR_SIZE]; -+ unsigned long user_auxv[AT_VECTOR_SIZE] = {}; - - if (len > sizeof(user_auxv)) - return -EINVAL; --- -2.30.1 - diff --git a/queue-5.10/series b/queue-5.10/series index 7b8a6e84e8e..eabd67a4827 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -257,7 +257,6 @@ powerpc-64s-exception-clean-up-a-missed-srr-specifie.patch seqlock-lockdep-fix-seqcount_latch_init.patch stop_machine-mark-helpers-__always_inline.patch include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch -prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch zram-fix-return-value-on-writeback_store.patch linux-compiler-clang.h-define-have_builtin_bswap.patch sched-membarrier-fix-missing-local-execution-of-ipi_sync_rq_state.patch diff --git a/queue-5.11/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch b/queue-5.11/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch deleted file mode 100644 index 0328e0a66ae..00000000000 --- a/queue-5.11/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 4c2dea371361044b4b321e251f65fbaa9bda03ff Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 14 Mar 2021 23:51:14 +0300 -Subject: prctl: fix PR_SET_MM_AUXV kernel stack leak - -From: Alexey Dobriyan - -[ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ] - -Doing a - - prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); - -will copy 1 byte from userspace to (quite big) on-stack array -and then stash everything to mm->saved_auxv. -AT_NULL terminator will be inserted at the very end. - -/proc/*/auxv handler will find that AT_NULL terminator -and copy original stack contents to userspace. - -This devious scheme requires CAP_SYS_RESOURCE. - -Signed-off-by: Alexey Dobriyan -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - kernel/sys.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sys.c b/kernel/sys.c -index 51f00fe20e4d..7cf21c947649 100644 ---- a/kernel/sys.c -+++ b/kernel/sys.c -@@ -2080,7 +2080,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, - * up to the caller to provide sane values here, otherwise userspace - * tools which use this vector might be unhappy. - */ -- unsigned long user_auxv[AT_VECTOR_SIZE]; -+ unsigned long user_auxv[AT_VECTOR_SIZE] = {}; - - if (len > sizeof(user_auxv)) - return -EINVAL; --- -2.30.1 - diff --git a/queue-5.11/series b/queue-5.11/series index fdc962fecc4..b62895770c4 100644 --- a/queue-5.11/series +++ b/queue-5.11/series @@ -265,7 +265,6 @@ seqlock-lockdep-fix-seqcount_latch_init.patch memblock-fix-section-mismatch-warning.patch stop_machine-mark-helpers-__always_inline.patch include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch -prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch zram-fix-return-value-on-writeback_store.patch zram-fix-broken-page-writeback.patch linux-compiler-clang.h-define-have_builtin_bswap.patch 
diff --git a/queue-5.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch b/queue-5.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch deleted file mode 100644 index d59bef17c54..00000000000 --- a/queue-5.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 00ed686852c3c89957a82274bd1cae70422dc256 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 14 Mar 2021 23:51:14 +0300 -Subject: prctl: fix PR_SET_MM_AUXV kernel stack leak - -From: Alexey Dobriyan - -[ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ] - -Doing a - - prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); - -will copy 1 byte from userspace to (quite big) on-stack array -and then stash everything to mm->saved_auxv. -AT_NULL terminator will be inserted at the very end. - -/proc/*/auxv handler will find that AT_NULL terminator -and copy original stack contents to userspace. - -This devious scheme requires CAP_SYS_RESOURCE. - -Signed-off-by: Alexey Dobriyan -Signed-off-by: Linus Torvalds -Signed-off-by: Sasha Levin ---- - kernel/sys.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sys.c b/kernel/sys.c -index 3459a5ce0da0..867ec3e003fd 100644 ---- a/kernel/sys.c -+++ b/kernel/sys.c -@@ -2062,7 +2062,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, - * up to the caller to provide sane values here, otherwise userspace - * tools which use this vector might be unhappy. - */ -- unsigned long user_auxv[AT_VECTOR_SIZE]; -+ unsigned long user_auxv[AT_VECTOR_SIZE] = {}; - - if (len > sizeof(user_auxv)) - return -EINVAL; --- -2.30.1 - diff --git a/queue-5.4/series b/queue-5.4/series index 9f547b6f5ef..b4277a5b8ae 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -152,7 +152,6 @@ arm64-mm-use-a-48-bit-id-map-when-possible-on-52-bit.patch hrtimer-update-softirq_expires_next-correctly-after-.patch stop_machine-mark-helpers-__always_inline.patch include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch -prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch zram-fix-return-value-on-writeback_store.patch sched-membarrier-fix-missing-local-execution-of-ipi_sync_rq_state.patch powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch
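Review bot: the commit message carries only the subject and a sign-off, so nothing records why prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch is deleted from queue-4.4, 4.9, 4.14, 4.19, 5.4, 5.10 and 5.11 and removed from each series file. The dropped patch's own description says the unfixed code lets the /proc/*/auxv handler copy original kernel stack contents to userspace, so the reason belongs in the log. Add a sentence saying why it was dropped (for example a build failure, a pending rework, or that it is already applied) and whether a replacement backport will be queued, so these trees can be audited for the missing fix later.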
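Review bot: in the kernel/sys.c hunk of the dropped patch, the only length check visible is `if (len > sizeof(user_auxv))`, an upper bound, so the `= {}` initializer on `user_auxv[AT_VECTOR_SIZE]` is the only thing that stops a short `len` (the 1-byte call in the description) from carrying stale stack bytes into mm->saved_auxv. If the patch is re-queued, add a short comment at the declaration saying the zero-fill is required because the copy from userspace may be partial, so a later cleanup does not remove the initializer as redundant.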