From: Greg Kroah-Hartman
Date: Sat, 1 Aug 2020 13:35:57 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v5.7.13~45
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8d21d29bc3dcfc332cde3a460758f0b27a0ad803;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch
drm-hold-gem-reference-until-object-is-no-longer-accessed.patch
revert-drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch
---
diff --git a/queue-4.19/drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch b/queue-4.19/drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch
new file mode 100644
index 00000000000..057d5081432
--- /dev/null
+++ b/queue-4.19/drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch
@@ -0,0 +1,47 @@
+From 543e8669ed9bfb30545fd52bc0e047ca4df7fb31 Mon Sep 17 00:00:00 2001
+From: Peilin Ye
+Date: Tue, 28 Jul 2020 15:29:24 -0400
+Subject: drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peilin Ye
+
+commit 543e8669ed9bfb30545fd52bc0e047ca4df7fb31 upstream.
+
+Compiler leaves a 4-byte hole near the end of `dev_info`, causing
+amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace
+when `size` is greater than 356.
+
+In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which
+unfortunately does not initialize that 4-byte hole. Fix it by using
+memset() instead.
+
+Cc: stable@vger.kernel.org
+Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()")
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Suggested-by: Dan Carpenter
+Reviewed-by: Christian König
+Signed-off-by: Peilin Ye
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -549,9 +549,10 @@ static int amdgpu_info_ioctl(struct drm_
+ return n ? -EFAULT : 0;
+ }
+ case AMDGPU_INFO_DEV_INFO: {
+- struct drm_amdgpu_info_device dev_info = {};
++ struct drm_amdgpu_info_device dev_info;
+ uint64_t vm_size;
+
++ memset(&dev_info, 0, sizeof(dev_info));
+ dev_info.device_id = dev->pdev->device;
+ dev_info.chip_rev = adev->rev_id;
+ dev_info.external_rev = adev->external_rev_id;
diff --git a/queue-4.19/drm-hold-gem-reference-until-object-is-no-longer-accessed.patch b/queue-4.19/drm-hold-gem-reference-until-object-is-no-longer-accessed.patch
new file mode 100644
index 00000000000..55ddabe4747
--- /dev/null
+++ b/queue-4.19/drm-hold-gem-reference-until-object-is-no-longer-accessed.patch
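Review bot: The switch from `= {}` to `memset()` in the AMDGPU_INFO_DEV_INFO case carries no comment, so a later cleanup could turn it back into an initializer and reopen the leak the commit message describes. I would add a comment above the call such as `/* memset, not "= {}": padding holes in dev_info must be zeroed before it is copied to userspace */`. The rest of amdgpu_info_ioctl() lies outside the hunk; any other on-stack struct there that is copied out after only an initializer would presumably deserve the same check.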
@@ -0,0 +1,57 @@
+From 8490d6a7e0a0a6fab5c2d82d57a3937306660864 Mon Sep 17 00:00:00 2001
+From: Steve Cohen
+Date: Mon, 20 Jul 2020 18:30:50 -0400
+Subject: drm: hold gem reference until object is no longer accessed
+
+From: Steve Cohen
+
+commit 8490d6a7e0a0a6fab5c2d82d57a3937306660864 upstream.
+
+A use-after-free in drm_gem_open_ioctl can happen if the
+GEM object handle is closed between the idr lookup and
+retrieving the size from said object since a local reference
+is not being held at that point. Hold the local reference
+while the object can still be accessed to fix this and
+plug the potential security hole.
+
+Signed-off-by: Steve Cohen
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/1595284250-31580-1-git-send-email-cohens@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_gem.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem.c
++++ b/drivers/gpu/drm/drm_gem.c
+@@ -731,9 +731,6 @@ err:
+ * @file_priv: drm file-private structure
+ *
+ * Open an object using the global name, returning a handle and the size.
+- *
+- * This handle (of course) holds a reference to the object, so the object
+- * will not go away until the handle is deleted.
+ */
+ int
+ drm_gem_open_ioctl(struct drm_device *dev, void *data,
+@@ -758,14 +755,15 @@ drm_gem_open_ioctl(struct drm_device *de
+
+ /* drm_gem_handle_create_tail unlocks dev->object_name_lock. */
+ ret = drm_gem_handle_create_tail(file_priv, obj, &handle);
+- drm_gem_object_put_unlocked(obj);
+ if (ret)
+- return ret;
++ goto err;
+
+ args->handle = handle;
+ args->size = obj->size;
+
+- return 0;
++err:
++ drm_gem_object_put_unlocked(obj);
++ return ret;
+ }
+
+ /**
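Review bot: The new `err:` label in drm_gem_open_ioctl() is also reached on the success path, where `ret` is 0, so the name misleads; `out:` would describe it better. The patch also drops the kernel-doc sentence about references without recording why the put was moved, and a short comment at the label, e.g. `/* drop the lookup reference only after obj->size has been read */`, would keep a later cleanup from moving it back above the `args->size` read. The start of the function, including the lookup that takes the reference, is outside the hunk.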
diff --git a/queue-4.19/revert-drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch b/queue-4.19/revert-drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch
new file mode 100644
index 00000000000..d17853284e0
--- /dev/null
+++ b/queue-4.19/revert-drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch
@@ -0,0 +1,54 @@
+From 87004abfbc27261edd15716515d89ab42198b405 Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Thu, 30 Jul 2020 11:02:30 -0400
+Subject: Revert "drm/amdgpu: Fix NULL dereference in dpm sysfs handlers"
+
+From: Alex Deucher
+
+commit 87004abfbc27261edd15716515d89ab42198b405 upstream.
+
+This regressed some working configurations so revert it. Will
+fix this properly for 5.9 and backport then.
+
+This reverts commit 38e0c89a19fd13f28d2b4721035160a3e66e270b.
+
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
+@@ -529,7 +529,8 @@ static ssize_t amdgpu_set_pp_od_clk_volt
+
+ while (isspace(*++tmp_str));
+
+- while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) {
++ while (tmp_str[0]) {
++ sub_str = strsep(&tmp_str, delimiter);
+ ret = kstrtol(sub_str, 0, ¶meter[parameter_size]);
+ if (ret)
+ return -EINVAL;
+@@ -629,7 +630,8 @@ static ssize_t amdgpu_read_mask(const ch
+ memcpy(buf_cpy, buf, bytes);
+ buf_cpy[bytes] = '\0';
+ tmp = buf_cpy;
+- while ((sub_str = strsep(&tmp, delimiter)) != NULL) {
++ while (tmp[0]) {
++ sub_str = strsep(&tmp, delimiter);
+ if (strlen(sub_str)) {
+ ret = kstrtol(sub_str, 0, &level);
+ if (ret)
+@@ -880,7 +882,8 @@ static ssize_t amdgpu_set_pp_power_profi
+ i++;
+ memcpy(buf_cpy, buf, count-i);
+ tmp_str = buf_cpy;
+- while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) {
++ while (tmp_str[0]) {
++ sub_str = strsep(&tmp_str, delimiter);
+ ret = kstrtol(sub_str, 0, ¶meter[parameter_size]);
+ if (ret) {
+ count = -EINVAL;
diff --git a/queue-4.19/series b/queue-4.19/series
index 2a2a1d4a96d..a74bddefb2c 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
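Review bot: The restored loop head `while (tmp_str[0]) {` followed by `sub_str = strsep(&tmp_str, delimiter);` dereferences a NULL pointer on the next iteration once strsep() has returned the last token, because strsep() sets its first argument to NULL when no delimiter remains. The same pattern comes back in all three inner hunks of amdgpu_pm.c, with `tmp` in amdgpu_read_mask(). The commit message treats the revert as temporary, but until the follow-up lands these sysfs write handlers can oops on input that has no trailing delimiter. A guard such as `while (tmp_str && tmp_str[0]) {` would avoid the dereference while keeping this loop's behaviour otherwise; whether it also avoids the regression that prompted the revert cannot be told from this page. All three functions continue outside the hunks.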
@@ -15,3 +15,6 @@ wireless-use-offsetof-instead-of-custom-macro.patch
 arm-8986-1-hw_breakpoint-don-t-invoke-overflow-handler-on-uaccess-watchpoints.patch
 random32-update-the-net-random-state-on-interrupt-and-activity.patch
 arm-percpu.h-fix-build-error.patch
+revert-drm-amdgpu-fix-null-dereference-in-dpm-sysfs-handlers.patch
+drm-amdgpu-prevent-kernel-infoleak-in-amdgpu_info_ioctl.patch
+drm-hold-gem-reference-until-object-is-no-longer-accessed.patch