From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 18 Jun 2024 13:36:39 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v6.1.95~85
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7f6b21c190c76d51f2777de390f750690b2140db;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
	tracing-add-module_description-to-preemptirq_delay_test.patch
	vmci-prevent-speculation-leaks-by-sanitizing-event-in-event_deliver.patch
---

diff --git a/queue-4.19/series b/queue-4.19/series
index 764f3a9b2e1..25d51c27b1f 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -49,3 +49,5 @@ ipv6-route-add-a-missing-check-on-proc_dointvec.patch
 net-ipv6-fix-the-rt-cache-flush-via-sysctl-using-a-p.patch
 drivers-core-synchronize-really_probe-and-dev_uevent.patch
 drm-exynos-vidi-fix-memory-leak-in-.get_modes.patch
+tracing-add-module_description-to-preemptirq_delay_test.patch
+vmci-prevent-speculation-leaks-by-sanitizing-event-in-event_deliver.patch
diff --git a/queue-4.19/tracing-add-module_description-to-preemptirq_delay_test.patch b/queue-4.19/tracing-add-module_description-to-preemptirq_delay_test.patch
new file mode 100644
index 00000000000..5fb5290eaf6
--- /dev/null
+++ b/queue-4.19/tracing-add-module_description-to-preemptirq_delay_test.patch
@@ -0,0 +1,34 @@
+From 23748e3e0fbfe471eff5ce439921629f6a427828 Mon Sep 17 00:00:00 2001
+From: Jeff Johnson <quic_jjohnson@quicinc.com>
+Date: Sat, 18 May 2024 15:54:49 -0700
+Subject: tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test
+
+From: Jeff Johnson <quic_jjohnson@quicinc.com>
+
+commit 23748e3e0fbfe471eff5ce439921629f6a427828 upstream.
+
+Fix the 'make W=1' warning:
+
+WARNING: modpost: missing MODULE_DESCRIPTION() in kernel/trace/preemptirq_delay_test.o
+
+Link: https://lore.kernel.org/linux-trace-kernel/20240518-md-preemptirq_delay_test-v1-1-387d11b30d85@quicinc.com
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Fixes: f96e8577da10 ("lib: Add module for testing preemptoff/irqsoff latency tracers")
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/preemptirq_delay_test.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/preemptirq_delay_test.c
++++ b/kernel/trace/preemptirq_delay_test.c
+@@ -69,4 +69,5 @@ static void __exit preemptirq_delay_exit
+ 
+ module_init(preemptirq_delay_init)
+ module_exit(preemptirq_delay_exit)
++MODULE_DESCRIPTION("Preempt / IRQ disable delay thread to test latency tracers");
+ MODULE_LICENSE("GPL v2");
diff --git a/queue-4.19/vmci-prevent-speculation-leaks-by-sanitizing-event-in-event_deliver.patch b/queue-4.19/vmci-prevent-speculation-leaks-by-sanitizing-event-in-event_deliver.patch
new file mode 100644
index 00000000000..e9f1b07d23c
--- /dev/null
+++ b/queue-4.19/vmci-prevent-speculation-leaks-by-sanitizing-event-in-event_deliver.patch
@@ -0,0 +1,56 @@
+From 8003f00d895310d409b2bf9ef907c56b42a4e0f4 Mon Sep 17 00:00:00 2001
+From: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
+Date: Tue, 30 Apr 2024 08:59:16 +0000
+Subject: vmci: prevent speculation leaks by sanitizing event in event_deliver()
+
+From: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
+
+commit 8003f00d895310d409b2bf9ef907c56b42a4e0f4 upstream.
+
+Coverity spotted that event_msg is controlled by user-space,
+event_msg->event_data.event is passed to event_deliver() and used
+as an index without sanitization.
+
+This change ensures that the event index is sanitized to mitigate any
+possibility of speculative information leaks.
+
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.
+
+Only compile tested, no access to HW.
+
+Fixes: 1d990201f9bb ("VMCI: event handling implementation.")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
+Link: https://lore.kernel.org/stable/20231127193533.46174-1-hagarhem%40amazon.com
+Link: https://lore.kernel.org/r/20240430085916.4753-1-hagarhem@amazon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/vmw_vmci/vmci_event.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_event.c
++++ b/drivers/misc/vmw_vmci/vmci_event.c
+@@ -17,6 +17,7 @@
+ #include <linux/vmw_vmci_api.h>
+ #include <linux/list.h>
+ #include <linux/module.h>
++#include <linux/nospec.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <linux/rculist.h>
+@@ -94,9 +95,12 @@ static void event_deliver(struct vmci_ev
+ {
+ 	struct vmci_subscription *cur;
+ 	struct list_head *subscriber_list;
++	u32 sanitized_event, max_vmci_event;
+ 
+ 	rcu_read_lock();
+-	subscriber_list = &subscriber_array[event_msg->event_data.event];
++	max_vmci_event = ARRAY_SIZE(subscriber_array);
++	sanitized_event = array_index_nospec(event_msg->event_data.event, max_vmci_event);
++	subscriber_list = &subscriber_array[sanitized_event];
+ 	list_for_each_entry_rcu(cur, subscriber_list, node) {
+ 		cur->callback(cur->id, &event_msg->event_data,
+ 			      cur->callback_data);