From: Greg Kroah-Hartman Date: Fri, 20 Oct 2023 17:46:30 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.328~89 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9fb199d7cba8d9310c98b3b33c69bfca39ffce82;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: netfilter-nft_payload-fix-wrong-mac-header-matching.patch tcp-check-mptcp-level-constraints-for-backlog-coalescing.patch x86-sev-check-for-user-space-ioio-pointing-to-kernel-space.patch x86-sev-check-iobm-for-ioio-exceptions-from-user-space.patch x86-sev-disable-mmio-emulation-from-user-mode.patch --- diff --git a/queue-5.10/netfilter-nft_payload-fix-wrong-mac-header-matching.patch b/queue-5.10/netfilter-nft_payload-fix-wrong-mac-header-matching.patch new file mode 100644 index 00000000000..65fed73be38 --- /dev/null +++ b/queue-5.10/netfilter-nft_payload-fix-wrong-mac-header-matching.patch @@ -0,0 +1,37 @@ +From d351c1ea2de3e36e608fc355d8ae7d0cc80e6cd6 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Sun, 8 Oct 2023 19:36:53 +0200 +Subject: netfilter: nft_payload: fix wrong mac header matching +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Westphal + +commit d351c1ea2de3e36e608fc355d8ae7d0cc80e6cd6 upstream. + +mcast packets get looped back to the local machine. +Such packets have a 0-length mac header, we should treat +this like "mac header not set" and abort rule evaluation. + +As-is, we just copy data from the network header instead. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Reported-by: Blažej Krajňák +Signed-off-by: Florian Westphal +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_payload.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -93,7 +93,7 @@ void nft_payload_eval(const struct nft_e + + switch (priv->base) { + case NFT_PAYLOAD_LL_HEADER: +- if (!skb_mac_header_was_set(skb)) ++ if (!skb_mac_header_was_set(skb) || skb_mac_header_len(skb) == 0) + goto err; + + if (skb_vlan_tag_present(skb)) { diff --git a/queue-5.10/series b/queue-5.10/series index 0913939edfd..d8091c131e2 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -99,3 +99,8 @@ ice-reset-first-in-crash-dump-kernels.patch nfc-nci-fix-possible-null-pointer-dereference-in-send_acknowledge.patch regmap-fix-null-deref-on-lookup.patch kvm-x86-mask-lvtpc-when-handling-a-pmi.patch +x86-sev-disable-mmio-emulation-from-user-mode.patch +x86-sev-check-iobm-for-ioio-exceptions-from-user-space.patch +x86-sev-check-for-user-space-ioio-pointing-to-kernel-space.patch +tcp-check-mptcp-level-constraints-for-backlog-coalescing.patch +netfilter-nft_payload-fix-wrong-mac-header-matching.patch diff --git a/queue-5.10/tcp-check-mptcp-level-constraints-for-backlog-coalescing.patch b/queue-5.10/tcp-check-mptcp-level-constraints-for-backlog-coalescing.patch new file mode 100644 index 00000000000..5f1076ff0c1 --- /dev/null +++ b/queue-5.10/tcp-check-mptcp-level-constraints-for-backlog-coalescing.patch @@ -0,0 +1,47 @@ +From 6db8a37dfc541e059851652cfd4f0bb13b8ff6af Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 18 Oct 2023 11:23:53 -0700 +Subject: tcp: check mptcp-level constraints for backlog coalescing + +From: Paolo Abeni + +commit 6db8a37dfc541e059851652cfd4f0bb13b8ff6af upstream. + +The MPTCP protocol can acquire the subflow-level socket lock and +cause the tcp backlog usage. When inserting new skbs into the +backlog, the stack will try to coalesce them. + +Currently, we have no check in place to ensure that such coalescing +will respect the MPTCP-level DSS, and that may cause data stream +corruption, as reported by Christoph. + +Address the issue by adding the relevant admission check for coalescing +in tcp_add_backlog(). + +Note the issue is not easy to reproduce, as the MPTCP protocol tries +hard to avoid acquiring the subflow-level socket lock. + +Fixes: 648ef4b88673 ("mptcp: Implement MPTCP receive path") +Cc: stable@vger.kernel.org +Reported-by: Christoph Paasch +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/420 +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-2-17ecb002e41d@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_ipv4.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1832,6 +1832,7 @@ bool tcp_add_backlog(struct sock *sk, st + #ifdef CONFIG_TLS_DEVICE + tail->decrypted != skb->decrypted || + #endif ++ !mptcp_skb_can_collapse(tail, skb) || + thtail->doff != th->doff || + memcmp(thtail + 1, th + 1, hdrlen - sizeof(*th))) + goto no_coalesce; diff --git a/queue-5.10/x86-sev-check-for-user-space-ioio-pointing-to-kernel-space.patch b/queue-5.10/x86-sev-check-for-user-space-ioio-pointing-to-kernel-space.patch new file mode 100644 index 00000000000..d366d1ce48c --- /dev/null +++ b/queue-5.10/x86-sev-check-for-user-space-ioio-pointing-to-kernel-space.patch @@ -0,0 +1,95 @@ +From 388e3741508d6db3034c544b534400a94cc2c8a1 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Mon, 16 Oct 2023 14:42:50 +0200 +Subject: x86/sev: Check for user-space IOIO pointing to kernel space + +From: Joerg Roedel + +Upstream commit: 63e44bc52047f182601e7817da969a105aa1f721 + +Check the memory operand of INS/OUTS before emulating the instruction. +The #VC exception can get raised from user-space, but the memory operand +can be manipulated to access kernel memory before the emulation actually +begins and after the exception handler has run. + + [ bp: Massage commit message. ] + +Fixes: 597cfe48212a ("x86/boot/compressed/64: Setup a GHCB-based VC Exception handler") +Reported-by: Tom Dohrmann +Signed-off-by: Joerg Roedel +Signed-off-by: Borislav Petkov (AMD) +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/compressed/sev-es.c | 5 +++++ + arch/x86/kernel/sev-es-shared.c | 31 +++++++++++++++++++++++++++++-- + 2 files changed, 34 insertions(+), 2 deletions(-) + +--- a/arch/x86/boot/compressed/sev-es.c ++++ b/arch/x86/boot/compressed/sev-es.c +@@ -111,6 +111,11 @@ static enum es_result vc_ioio_check(stru + return ES_OK; + } + ++static bool fault_in_kernel_space(unsigned long address) ++{ ++ return false; ++} ++ + #undef __init + #undef __pa + #define __init +--- a/arch/x86/kernel/sev-es-shared.c ++++ b/arch/x86/kernel/sev-es-shared.c +@@ -217,6 +217,23 @@ fail: + asm volatile("hlt\n"); + } + ++static enum es_result vc_insn_string_check(struct es_em_ctxt *ctxt, ++ unsigned long address, ++ bool write) ++{ ++ if (user_mode(ctxt->regs) && fault_in_kernel_space(address)) { ++ ctxt->fi.vector = X86_TRAP_PF; ++ ctxt->fi.error_code = X86_PF_USER; ++ ctxt->fi.cr2 = address; ++ if (write) ++ ctxt->fi.error_code |= X86_PF_WRITE; ++ ++ return ES_EXCEPTION; ++ } ++ ++ return ES_OK; ++} ++ + static enum es_result vc_insn_string_read(struct es_em_ctxt *ctxt, + void *src, char *buf, + unsigned int data_size, +@@ -224,7 +241,12 @@ static enum es_result vc_insn_string_rea + bool backwards) + { + int i, b = backwards ? -1 : 1; +- enum es_result ret = ES_OK; ++ unsigned long address = (unsigned long)src; ++ enum es_result ret; ++ ++ ret = vc_insn_string_check(ctxt, address, false); ++ if (ret != ES_OK) ++ return ret; + + for (i = 0; i < count; i++) { + void *s = src + (i * data_size * b); +@@ -245,7 +267,12 @@ static enum es_result vc_insn_string_wri + bool backwards) + { + int i, s = backwards ? -1 : 1; +- enum es_result ret = ES_OK; ++ unsigned long address = (unsigned long)dst; ++ enum es_result ret; ++ ++ ret = vc_insn_string_check(ctxt, address, true); ++ if (ret != ES_OK) ++ return ret; + + for (i = 0; i < count; i++) { + void *d = dst + (i * data_size * s); diff --git a/queue-5.10/x86-sev-check-iobm-for-ioio-exceptions-from-user-space.patch b/queue-5.10/x86-sev-check-iobm-for-ioio-exceptions-from-user-space.patch new file mode 100644 index 00000000000..9609e25fb8e --- /dev/null +++ b/queue-5.10/x86-sev-check-iobm-for-ioio-exceptions-from-user-space.patch @@ -0,0 +1,172 @@ +From 988a710b13132a1ca92ee3158937297989ece7b5 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Wed, 21 Jun 2023 17:42:42 +0200 +Subject: x86/sev: Check IOBM for IOIO exceptions from user-space + +From: Joerg Roedel + +Upstream commit: b9cb9c45583b911e0db71d09caa6b56469eb2bdf + +Check the IO permission bitmap (if present) before emulating IOIO #VC +exceptions for user-space. These permissions are checked by hardware +already before the #VC is raised, but due to the VC-handler decoding +race it needs to be checked again in software. + +Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions") +Reported-by: Tom Dohrmann +Signed-off-by: Joerg Roedel +Signed-off-by: Borislav Petkov (AMD) +Tested-by: Tom Dohrmann +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/compressed/sev-es.c | 5 +++++ + arch/x86/kernel/sev-es-shared.c | 22 +++++++++++++++------- + arch/x86/kernel/sev-es.c | 27 +++++++++++++++++++++++++++ + 3 files changed, 47 insertions(+), 7 deletions(-) + +--- a/arch/x86/boot/compressed/sev-es.c ++++ b/arch/x86/boot/compressed/sev-es.c +@@ -106,6 +106,11 @@ static enum es_result vc_read_mem(struct + return ES_OK; + } + ++static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t size) ++{ ++ return ES_OK; ++} ++ + #undef __init + #undef __pa + #define __init +--- a/arch/x86/kernel/sev-es-shared.c ++++ b/arch/x86/kernel/sev-es-shared.c +@@ -281,6 +281,9 @@ static enum es_result vc_insn_string_wri + static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo) + { + struct insn *insn = &ctxt->insn; ++ size_t size; ++ u64 port; ++ + *exitinfo = 0; + + switch (insn->opcode.bytes[0]) { +@@ -289,7 +292,7 @@ static enum es_result vc_ioio_exitinfo(s + case 0x6d: + *exitinfo |= IOIO_TYPE_INS; + *exitinfo |= IOIO_SEG_ES; +- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; ++ port = ctxt->regs->dx & 0xffff; + break; + + /* OUTS opcodes */ +@@ -297,41 +300,43 @@ static enum es_result vc_ioio_exitinfo(s + case 0x6f: + *exitinfo |= IOIO_TYPE_OUTS; + *exitinfo |= IOIO_SEG_DS; +- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; ++ port = ctxt->regs->dx & 0xffff; + break; + + /* IN immediate opcodes */ + case 0xe4: + case 0xe5: + *exitinfo |= IOIO_TYPE_IN; +- *exitinfo |= (u8)insn->immediate.value << 16; ++ port = (u8)insn->immediate.value & 0xffff; + break; + + /* OUT immediate opcodes */ + case 0xe6: + case 0xe7: + *exitinfo |= IOIO_TYPE_OUT; +- *exitinfo |= (u8)insn->immediate.value << 16; ++ port = (u8)insn->immediate.value & 0xffff; + break; + + /* IN register opcodes */ + case 0xec: + case 0xed: + *exitinfo |= IOIO_TYPE_IN; +- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; ++ port = ctxt->regs->dx & 0xffff; + break; + + /* OUT register opcodes */ + case 0xee: + case 0xef: + *exitinfo |= IOIO_TYPE_OUT; +- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16; ++ port = ctxt->regs->dx & 0xffff; + break; + + default: + return ES_DECODE_FAILED; + } + ++ *exitinfo |= port << 16; ++ + switch (insn->opcode.bytes[0]) { + case 0x6c: + case 0x6e: +@@ -341,12 +346,15 @@ static enum es_result vc_ioio_exitinfo(s + case 0xee: + /* Single byte opcodes */ + *exitinfo |= IOIO_DATA_8; ++ size = 1; + break; + default: + /* Length determined by instruction parsing */ + *exitinfo |= (insn->opnd_bytes == 2) ? IOIO_DATA_16 + : IOIO_DATA_32; ++ size = (insn->opnd_bytes == 2) ? 2 : 4; + } ++ + switch (insn->addr_bytes) { + case 2: + *exitinfo |= IOIO_ADDR_16; +@@ -362,7 +370,7 @@ static enum es_result vc_ioio_exitinfo(s + if (insn_has_rep_prefix(insn)) + *exitinfo |= IOIO_REP; + +- return ES_OK; ++ return vc_ioio_check(ctxt, (u16)port, size); + } + + static enum es_result vc_handle_ioio(struct ghcb *ghcb, struct es_em_ctxt *ctxt) +--- a/arch/x86/kernel/sev-es.c ++++ b/arch/x86/kernel/sev-es.c +@@ -448,6 +448,33 @@ static enum es_result vc_slow_virt_to_ph + return ES_OK; + } + ++static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t size) ++{ ++ BUG_ON(size > 4); ++ ++ if (user_mode(ctxt->regs)) { ++ struct thread_struct *t = ¤t->thread; ++ struct io_bitmap *iobm = t->io_bitmap; ++ size_t idx; ++ ++ if (!iobm) ++ goto fault; ++ ++ for (idx = port; idx < port + size; ++idx) { ++ if (test_bit(idx, iobm->bitmap)) ++ goto fault; ++ } ++ } ++ ++ return ES_OK; ++ ++fault: ++ ctxt->fi.vector = X86_TRAP_GP; ++ ctxt->fi.error_code = 0; ++ ++ return ES_EXCEPTION; ++} ++ + /* Include code shared with pre-decompression boot stage */ + #include "sev-es-shared.c" + diff --git a/queue-5.10/x86-sev-disable-mmio-emulation-from-user-mode.patch b/queue-5.10/x86-sev-disable-mmio-emulation-from-user-mode.patch new file mode 100644 index 00000000000..ad6dc6575c9 --- /dev/null +++ b/queue-5.10/x86-sev-disable-mmio-emulation-from-user-mode.patch @@ -0,0 +1,42 @@ +From bb543abcb1fb0cba2ba7b7916ac7092678ba0a15 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Thu, 5 Oct 2023 11:06:36 +0200 +Subject: x86/sev: Disable MMIO emulation from user mode + +From: "Borislav Petkov (AMD)" + +Upstream commit: a37cd2a59d0cb270b1bba568fd3a3b8668b9d3ba + +A virt scenario can be constructed where MMIO memory can be user memory. +When that happens, a race condition opens between when the hardware +raises the #VC and when the #VC handler gets to emulate the instruction. + +If the MOVS is replaced with a MOVS accessing kernel memory in that +small race window, then write to kernel memory happens as the access +checks are not done at emulation time. + +Disable MMIO emulation in user mode temporarily until a sensible use +case appears and justifies properly handling the race window. + +Fixes: 0118b604c2c9 ("x86/sev-es: Handle MMIO String Instructions") +Reported-by: Tom Dohrmann +Signed-off-by: Borislav Petkov (AMD) +Tested-by: Tom Dohrmann +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/sev-es.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kernel/sev-es.c ++++ b/arch/x86/kernel/sev-es.c +@@ -970,6 +970,9 @@ static enum es_result vc_handle_mmio(str + enum es_result ret; + long *reg_data; + ++ if (user_mode(ctxt->regs)) ++ return ES_UNSUPPORTED; ++ + switch (insn->opcode.bytes[0]) { + /* MMIO Write */ + case 0x88: