From: Greg Kroah-Hartman Date: Sun, 24 Jun 2018 14:24:43 +0000 (+0800) Subject: 4.9-stable patches X-Git-Tag: v4.17.3~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a2460f1203b87bca161ef8a5a2fb0c1c35e072de;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: fs-binfmt_misc.c-do-not-allow-offset-overflow.patch hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch orangefs-set-i_size-on-new-symlink.patch vhost-fix-info-leak-due-to-uninitialized-memory.patch
---
diff --git a/queue-4.9/fs-binfmt_misc.c-do-not-allow-offset-overflow.patch b/queue-4.9/fs-binfmt_misc.c-do-not-allow-offset-overflow.patch
new file mode 100644
index 00000000000..81c6dfcae80
--- /dev/null
+++ b/queue-4.9/fs-binfmt_misc.c-do-not-allow-offset-overflow.patch
@@ -0,0 +1,80 @@
+From 5cc41e099504b77014358b58567c5ea6293dd220 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Thu, 7 Jun 2018 17:11:01 -0700
+Subject: fs/binfmt_misc.c: do not allow offset overflow
+
+From: Thadeu Lima de Souza Cascardo
+
+commit 5cc41e099504b77014358b58567c5ea6293dd220 upstream.
+
+WHen registering a new binfmt_misc handler, it is possible to overflow
+the offset to get a negative value, which might crash the system, or
+possibly leak kernel data.
+
+Here is a crash log when 2500000000 was used as an offset:
+
+ BUG: unable to handle kernel paging request at ffff989cfd6edca0
+ IP: load_misc_binary+0x22b/0x470 [binfmt_misc]
+ PGD 1ef3e067 P4D 1ef3e067 PUD 0
+ Oops: 0000 [#1] SMP NOPTI
+ Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy
+ CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
+ RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc]
+ Call Trace:
+ search_binary_handler+0x97/0x1d0
+ do_execveat_common.isra.34+0x667/0x810
+ SyS_execve+0x31/0x40
+ do_syscall_64+0x73/0x130
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Use kstrtoint instead of simple_strtoul. It will work as the code
+already set the delimiter byte to '\0' and we only do it when the field
+is not empty.
+
+Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested
+with examples documented at Documentation/admin-guide/binfmt-misc.rst
+and other registrations from packages on Ubuntu.
+
+Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Reviewed-by: Andrew Morton
+Cc: Alexander Viro
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/binfmt_misc.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -384,8 +384,13 @@ static Node *create_entry(const char __u
+ s = strchr(p, del);
+ if (!s)
+ goto einval;
+- *s++ = '\0';
+- e->offset = simple_strtoul(p, &p, 10);
++ *s = '\0';
++ if (p != s) {
++ int r = kstrtoint(p, 10, &e->offset);
++ if (r != 0 || e->offset < 0)
++ goto einval;
++ }
++ p = s;
+ if (*p++)
+ goto einval;
+ pr_debug("register: offset: %#x\n", e->offset);
+@@ -425,7 +430,8 @@ static Node *create_entry(const char __u
+ if (e->mask &&
+ string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
+ goto einval;
+- if (e->size + e->offset > BINPRM_BUF_SIZE)
++ if (e->size > BINPRM_BUF_SIZE ||
++ BINPRM_BUF_SIZE - e->size < e->offset)
+ goto einval;
+ pr_debug("register: magic/mask length: %i\n", e->size);
+ if (USE_DEBUG) {
diff --git a/queue-4.9/hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch b/queue-4.9/hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch
new file mode 100644
index 00000000000..82fc23d34da
--- /dev/null
+++ b/queue-4.9/hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch
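Review bot: The subtraction form of the bound check in the second inner hunk, `BINPRM_BUF_SIZE - e->size < e->offset`, is only free of overflow because the `e->size > BINPRM_BUF_SIZE` test immediately before it and the `e->offset < 0` rejection in the first inner hunk keep both operands non-negative, and nothing on those lines records that dependency. A one-line comment above the check would stop a later edit from reordering or loosening the tests: `/* e->offset >= 0 and e->size <= BINPRM_BUF_SIZE are guaranteed above, so this cannot overflow */`. In the first inner hunk the `if (p != s)` branch leaves `e->offset` untouched for an empty field, so the resulting value depends on `e` having been zeroed earlier; that initialization is not visible here and is worth a short note on that line. create_entry begins and ends outside the hunk.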
@@ -0,0 +1,110 @@
+From ebeaa367548e9e92dd9374b9464ff6e7d157117b Mon Sep 17 00:00:00 2001
+From: Even Xu
+Date: Fri, 12 Feb 2016 04:11:34 +0800
+Subject: HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation
+
+From: Even Xu
+
+commit ebeaa367548e9e92dd9374b9464ff6e7d157117b upstream.
+
+Current ISH driver only registers suspend/resume PM callbacks which don't
+support hibernation (suspend to disk). Basically after hiberation, the ISH
+can't resume properly and user may not see sensor events (for example: screen
+ rotation may not work).
+
+User will not see a crash or panic or anything except the following message
+in log:
+
+ hid-sensor-hub 001F:8086:22D8.0001: timeout waiting for response from ISHTP device
+
+So this patch adds support for S4/hiberbation to ISH by using the
+SIMPLE_DEV_PM_OPS() MACRO instead of struct dev_pm_ops directly. The suspend
+and resume functions will now be used for both suspend to RAM and hibernation.
+
+If power management is disabled, SIMPLE_DEV_PM_OPS will do nothing, the suspend
+and resume related functions won't be used, so mark them as __maybe_unused to
+clarify that this is the intended behavior, and remove #ifdefs for power
+management.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Even Xu
+Acked-by: Srinivas Pandruvada
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/intel-ish-hid/ipc/pci-ish.c | 22 +++++++--------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+@@ -202,8 +202,7 @@ static void ish_remove(struct pci_dev *p
+ kfree(ishtp_dev);
+ }
+
+-#ifdef CONFIG_PM
+-static struct device *ish_resume_device;
++static struct device __maybe_unused *ish_resume_device;
+
+ /**
+ * ish_resume_handler() - Work function to complete resume
+@@ -214,7 +213,7 @@ static struct device *ish_resume_device;
+ * in that case a simple resume message is enough, others we need
+ * a reset sequence.
+ */
+-static void ish_resume_handler(struct work_struct *work)
++static void __maybe_unused ish_resume_handler(struct work_struct *work)
+ {
+ struct pci_dev *pdev = to_pci_dev(ish_resume_device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -245,7 +244,7 @@ static void ish_resume_handler(struct wo
+ *
+ * Return: 0 to the pm core
+ */
+-static int ish_suspend(struct device *device)
++static int __maybe_unused ish_suspend(struct device *device)
+ {
+ struct pci_dev *pdev = to_pci_dev(device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -271,7 +270,7 @@ static int ish_suspend(struct device *de
+ return 0;
+ }
+
+-static DECLARE_WORK(resume_work, ish_resume_handler);
++static __maybe_unused DECLARE_WORK(resume_work, ish_resume_handler);
+ /**
+ * ish_resume() - ISH resume callback
+ * @device: device pointer
+@@ -280,7 +279,7 @@ static DECLARE_WORK(resume_work, ish_res
+ *
+ * Return: 0 to the pm core
+ */
+-static int ish_resume(struct device *device)
++static int __maybe_unused ish_resume(struct device *device)
+ {
+ struct pci_dev *pdev = to_pci_dev(device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -294,21 +293,14 @@ static int ish_resume(struct device *dev
+ return 0;
+ }
+
+-static const struct dev_pm_ops ish_pm_ops = {
+- .suspend = ish_suspend,
+- .resume = ish_resume,
+-};
+-#define ISHTP_ISH_PM_OPS (&ish_pm_ops)
+-#else
+-#define ISHTP_ISH_PM_OPS NULL
+-#endif /* CONFIG_PM */
++static SIMPLE_DEV_PM_OPS(ish_pm_ops, ish_suspend, ish_resume);
+
+ static struct pci_driver ish_driver = {
+ .name = KBUILD_MODNAME,
+ .id_table = ish_pci_tbl,
+ .probe = ish_probe,
+ .remove = ish_remove,
+- .driver.pm = ISHTP_ISH_PM_OPS,
++ .driver.pm = &ish_pm_ops,
+ };
+
+ module_pci_driver(ish_driver);
diff --git a/queue-4.9/orangefs-set-i_size-on-new-symlink.patch b/queue-4.9/orangefs-set-i_size-on-new-symlink.patch
new file mode 100644
index 00000000000..d5b7cffd86a
--- /dev/null
+++ b/queue-4.9/orangefs-set-i_size-on-new-symlink.patch
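Review bot: `__maybe_unused` is placed three different ways in this patch: between the type and the pointer declarator in `static struct device __maybe_unused *ish_resume_device;`, between the specifiers and the name on the four functions, and ahead of the `DECLARE_WORK` macro. GCC accepts all of them, but the first spelling reads as though the attribute qualified the pointee rather than the variable; putting it after the declarator, `static struct device *ish_resume_device __maybe_unused;`, matches how the functions are annotated and is the usual form for a variable. The switch to `SIMPLE_DEV_PM_OPS` presumably makes ish_suspend/ish_resume serve the hibernation callbacks as well as suspend/resume, which is the whole point of the change, so a short comment on that line, `/* same pair handles suspend-to-RAM and hibernation (freeze/thaw/poweroff/restore) */`, would save the next reader from expanding the macro to confirm it.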
@@ -0,0 +1,59 @@
+From f6a4b4c9d07dda90c7c29dae96d6119ac6425dca Mon Sep 17 00:00:00 2001
+From: Martin Brandenburg
+Date: Thu, 31 May 2018 16:36:58 +0000
+Subject: orangefs: set i_size on new symlink
+
+From: Martin Brandenburg
+
+commit f6a4b4c9d07dda90c7c29dae96d6119ac6425dca upstream.
+
+As long as a symlink inode remains in-core, the destination (and
+therefore size) will not be re-fetched from the server, as it cannot
+change. The original implementation of the attribute cache assumed that
+setting the expiry time in the past was sufficient to cause a re-fetch
+of all attributes on the next getattr. That does not work in this case.
+
+The bug manifested itself as follows. When the command sequence
+
+touch foo; ln -s foo bar; ls -l bar
+
+is run, the output was
+
+lrwxrwxrwx. 1 fedora fedora 4906 Apr 24 19:10 bar -> foo
+
+However, after a re-mount, ls -l bar produces
+
+lrwxrwxrwx. 1 fedora fedora 3 Apr 24 19:10 bar -> foo
+
+After this commit, even before a re-mount, the output is
+
+lrwxrwxrwx. 1 fedora fedora 3 Apr 24 19:10 bar -> foo
+
+Reported-by: Becky Ligon
+Signed-off-by: Martin Brandenburg
+Fixes: 71680c18c8f2 ("orangefs: Cache getattr results.")
+Cc: stable@vger.kernel.org
+Cc: hubcap@omnibond.com
+Signed-off-by: Mike Marshall
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/orangefs/namei.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/orangefs/namei.c
++++ b/fs/orangefs/namei.c
+@@ -312,6 +312,13 @@ static int orangefs_symlink(struct inode
+ ret = PTR_ERR(inode);
+ goto out;
+ }
++ /*
++ * This is necessary because orangefs_inode_getattr will not
++ * re-read symlink size as it is impossible for it to change.
++ * Invalidating the cache does not help. orangefs_new_inode
++ * does not set the correct size (it does not know symname).
++ */
++ inode->i_size = strlen(symname);
+
+ gossip_debug(GOSSIP_NAME_DEBUG,
+ "Assigned symlink inode new number of %pU\n",
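Review bot: `inode->i_size = strlen(symname);` stores the size directly instead of going through the VFS accessor. For an inode that orangefs_new_inode has only just returned and that is presumably not yet reachable from other CPUs the plain store is likely safe, but `i_size_write(inode, strlen(symname));` costs nothing here, keeps the 32-bit sequence-count discipline the rest of the VFS relies on, and removes the question entirely. If orangefs_symlink already measured or validated the length of symname before this point, reusing that value would also avoid rescanning the string; that part of the function, like its end, is outside the hunk.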
diff --git a/queue-4.9/series b/queue-4.9/series
index f7aac71bd8a..f775dfa1bde 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -33,3 +33,7 @@ libata-zpodd-make-arrays-cdb-static-reduces-object-code-size.patch
 libata-zpodd-small-read-overflow-in-eject_tray.patch
 libata-drop-sandisk-sd7ub3q-g1001-nolpm-quirk.patch
 w1-mxc_w1-enable-clock-before-calling-clk_get_rate-on-it.patch
+orangefs-set-i_size-on-new-symlink.patch
+hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch
+vhost-fix-info-leak-due-to-uninitialized-memory.patch
+fs-binfmt_misc.c-do-not-allow-offset-overflow.patch
diff --git a/queue-4.9/vhost-fix-info-leak-due-to-uninitialized-memory.patch b/queue-4.9/vhost-fix-info-leak-due-to-uninitialized-memory.patch
new file mode 100644
index 00000000000..7414ac7a7b8
--- /dev/null
+++ b/queue-4.9/vhost-fix-info-leak-due-to-uninitialized-memory.patch
@@ -0,0 +1,41 @@
+From 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin"
+Date: Sat, 12 May 2018 00:33:10 +0300
+Subject: vhost: fix info leak due to uninitialized memory
+
+From: Michael S. Tsirkin
+
+commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad upstream.
+
+struct vhost_msg within struct vhost_msg_node is copied to userspace.
+Unfortunately it turns out on 64 bit systems vhost_msg has padding after
+type which gcc doesn't initialize, leaking 4 uninitialized bytes to
+userspace.
+
+This padding also unfortunately means 32 bit users of this interface are
+broken on a 64 bit kernel which will need to be fixed separately.
+
+Fixes: CVE-2018-1118
+Cc: stable@vger.kernel.org
+Reported-by: Kevin Easton
+Signed-off-by: Michael S. Tsirkin
+Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vhost/vhost.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2295,6 +2295,9 @@ struct vhost_msg_node *vhost_new_msg(str
+ struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
+ if (!node)
+ return NULL;
++
++ /* Make sure all padding within the structure is initialized. */
++ memset(&node->msg, 0, sizeof node->msg);
+ node->vq = vq;
+ node->msg.type = type;
+ return node;
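Review bot: The added `memset(&node->msg, 0, sizeof node->msg)` clears only the embedded `msg`, so any other member of `struct vhost_msg_node` that is, or later becomes, part of what is copied to userspace would still carry uninitialized heap bytes from the `kmalloc` on the line above. Allocating with `struct vhost_msg_node *node = kzalloc(sizeof *node, GFP_KERNEL);` and dropping the memset zeroes the whole node in one call and rules out this class of padding leak regardless of how the struct evolves; if the narrower memset is deliberate (for example to avoid zeroing the rest of the node), the comment should say so rather than only describing what the memset does. vhost_new_msg's signature sits in the hunk header, outside the hunk proper.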