From: Greg Kroah-Hartman Date: Sat, 29 May 2021 14:45:00 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.271~121 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=abea249e5d51141b31a2ebc60dacfbb1dee54223;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: mac80211-assure-all-fragments-are-encrypted.patch mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch net-hso-fix-control-request-directions.patch perf-intel-pt-fix-sample-instruction-bytes.patch perf-intel-pt-fix-transaction-abort-handling.patch proc-check-proc-pid-attr-writes-against-file-opener.patch --- diff --git a/queue-4.14/mac80211-assure-all-fragments-are-encrypted.patch b/queue-4.14/mac80211-assure-all-fragments-are-encrypted.patch new file mode 100644 index 00000000000..55df58c1730 --- /dev/null +++ b/queue-4.14/mac80211-assure-all-fragments-are-encrypted.patch @@ -0,0 +1,78 @@ +From 965a7d72e798eb7af0aa67210e37cf7ecd1c9cad Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef +Date: Tue, 11 May 2021 20:02:42 +0200 +Subject: mac80211: assure all fragments are encrypted + +From: Mathy Vanhoef + +commit 965a7d72e798eb7af0aa67210e37cf7ecd1c9cad upstream. + +Do not mix plaintext and encrypted fragments in protected Wi-Fi +networks. This fixes CVE-2020-26147. + +Previously, an attacker was able to first forward a legitimate encrypted +fragment towards a victim, followed by a plaintext fragment. The +encrypted and plaintext fragment would then be reassembled. For further +details see Section 6.3 and Appendix D in the paper "Fragment and Forge: +Breaking Wi-Fi Through Frame Aggregation and Fragmentation". + +Because of this change there are now two equivalent conditions in the +code to determine if a received fragment requires sequential PNs, so we +also move this test to a separate function to make the code easier to +maintain. + +Cc: stable@vger.kernel.org +Signed-off-by: Mathy Vanhoef +Link: https://lore.kernel.org/r/20210511200110.30c4394bb835.I5acfdb552cc1d20c339c262315950b3eac491397@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rx.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1968,6 +1968,16 @@ ieee80211_reassemble_find(struct ieee802 + return NULL; + } + ++static bool requires_sequential_pn(struct ieee80211_rx_data *rx, __le16 fc) ++{ ++ return rx->key && ++ (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP || ++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 || ++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP || ++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) && ++ ieee80211_has_protected(fc); ++} ++ + static ieee80211_rx_result debug_noinline + ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + { +@@ -2012,12 +2022,7 @@ ieee80211_rx_h_defragment(struct ieee802 + /* This is the first fragment of a new frame. */ + entry = ieee80211_reassemble_add(rx->sdata, frag, seq, + rx->seqno_idx, &(rx->skb)); +- if (rx->key && +- (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP || +- rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 || +- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP || +- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) && +- ieee80211_has_protected(fc)) { ++ if (requires_sequential_pn(rx, fc)) { + int queue = rx->security_idx; + + /* Store CCMP/GCMP PN so that we can verify that the +@@ -2059,11 +2064,7 @@ ieee80211_rx_h_defragment(struct ieee802 + u8 pn[IEEE80211_CCMP_PN_LEN], *rpn; + int queue; + +- if (!rx->key || +- (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP && +- rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 && +- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP && +- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256)) ++ if (!requires_sequential_pn(rx, fc)) + return RX_DROP_UNUSABLE; + memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN); + for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) { diff --git a/queue-4.14/mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch b/queue-4.14/mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch new file mode 100644 index 00000000000..d2be0cfb44a --- /dev/null +++ b/queue-4.14/mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch @@ -0,0 +1,99 @@ +From 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef +Date: Tue, 11 May 2021 20:02:43 +0200 +Subject: mac80211: prevent mixed key and fragment cache attacks + +From: Mathy Vanhoef + +commit 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 upstream. + +Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment +cache attacks (CVE-2020-24586). This is accomplished by assigning a +unique color to every key (per interface) and using this to track which +key was used to decrypt a fragment. When reassembling frames, it is +now checked whether all fragments were decrypted using the same key. + +To assure that fragment cache attacks are also prevented, the ID that is +assigned to keys is unique even over (re)associations and (re)connects. +This means fragments separated by a (re)association or (re)connect will +not be reassembled. Because mac80211 now also prevents the reassembly of +mixed encrypted and plaintext fragments, all cache attacks are prevented. + +Cc: stable@vger.kernel.org +Signed-off-by: Mathy Vanhoef +Link: https://lore.kernel.org/r/20210511200110.3f8290e59823.I622a67769ed39257327a362cfc09c812320eb979@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ieee80211_i.h | 1 + + net/mac80211/key.c | 7 +++++++ + net/mac80211/key.h | 2 ++ + net/mac80211/rx.c | 6 ++++++ + 4 files changed, 16 insertions(+) + +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -99,6 +99,7 @@ struct ieee80211_fragment_entry { + u8 rx_queue; + bool check_sequential_pn; /* needed for CCMP/GCMP */ + u8 last_pn[6]; /* PN of the last fragment if CCMP was used */ ++ unsigned int key_color; + }; + + +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -647,6 +647,7 @@ int ieee80211_key_link(struct ieee80211_ + struct ieee80211_sub_if_data *sdata, + struct sta_info *sta) + { ++ static atomic_t key_color = ATOMIC_INIT(0); + struct ieee80211_local *local = sdata->local; + struct ieee80211_key *old_key; + int idx = key->conf.keyidx; +@@ -682,6 +683,12 @@ int ieee80211_key_link(struct ieee80211_ + key->sdata = sdata; + key->sta = sta; + ++ /* ++ * Assign a unique ID to every key so we can easily prevent mixed ++ * key and fragment cache attacks. ++ */ ++ key->color = atomic_inc_return(&key_color); ++ + increment_tailroom_need_count(sdata); + + ieee80211_key_replace(sdata, sta, pairwise, old_key, key); +--- a/net/mac80211/key.h ++++ b/net/mac80211/key.h +@@ -127,6 +127,8 @@ struct ieee80211_key { + } debugfs; + #endif + ++ unsigned int color; ++ + /* + * key config, must be last because it contains key + * material as variable length member +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2029,6 +2029,7 @@ ieee80211_rx_h_defragment(struct ieee802 + * next fragment has a sequential PN value. + */ + entry->check_sequential_pn = true; ++ entry->key_color = rx->key->color; + memcpy(entry->last_pn, + rx->key->u.ccmp.rx_pn[queue], + IEEE80211_CCMP_PN_LEN); +@@ -2066,6 +2067,11 @@ ieee80211_rx_h_defragment(struct ieee802 + + if (!requires_sequential_pn(rx, fc)) + return RX_DROP_UNUSABLE; ++ ++ /* Prevent mixed key and fragment cache attacks */ ++ if (entry->key_color != rx->key->color) ++ return RX_DROP_UNUSABLE; ++ + memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN); + for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) { + pn[i]++; diff --git a/queue-4.14/net-hso-fix-control-request-directions.patch b/queue-4.14/net-hso-fix-control-request-directions.patch new file mode 100644 index 00000000000..cc80ca96f13 --- /dev/null +++ b/queue-4.14/net-hso-fix-control-request-directions.patch @@ -0,0 +1,45 @@ +From 1a6e9a9c68c1f183872e4bcc947382111c2e04eb Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 24 May 2021 11:25:11 +0200 +Subject: net: hso: fix control-request directions + +From: Johan Hovold + +commit 1a6e9a9c68c1f183872e4bcc947382111c2e04eb upstream. + +The direction of the pipe argument must match the request-type direction +bit or control requests may fail depending on the host-controller-driver +implementation. + +Fix the tiocmset and rfkill requests which erroneously used +usb_rcvctrlpipe(). + +Fixes: 72dc1c096c70 ("HSO: add option hso driver") +Cc: stable@vger.kernel.org # 2.6.27 +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/hso.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -1701,7 +1701,7 @@ static int hso_serial_tiocmset(struct tt + spin_unlock_irqrestore(&serial->serial_lock, flags); + + return usb_control_msg(serial->parent->usb, +- usb_rcvctrlpipe(serial->parent->usb, 0), 0x22, ++ usb_sndctrlpipe(serial->parent->usb, 0), 0x22, + 0x21, val, if_num, NULL, 0, + USB_CTRL_SET_TIMEOUT); + } +@@ -2449,7 +2449,7 @@ static int hso_rfkill_set_block(void *da + if (hso_dev->usb_gone) + rv = 0; + else +- rv = usb_control_msg(hso_dev->usb, usb_rcvctrlpipe(hso_dev->usb, 0), ++ rv = usb_control_msg(hso_dev->usb, usb_sndctrlpipe(hso_dev->usb, 0), + enabled ? 0x82 : 0x81, 0x40, 0, 0, NULL, 0, + USB_CTRL_SET_TIMEOUT); + mutex_unlock(&hso_dev->mutex); diff --git a/queue-4.14/perf-intel-pt-fix-sample-instruction-bytes.patch b/queue-4.14/perf-intel-pt-fix-sample-instruction-bytes.patch new file mode 100644 index 00000000000..60aefb89648 --- /dev/null +++ b/queue-4.14/perf-intel-pt-fix-sample-instruction-bytes.patch @@ -0,0 +1,100 @@ +From c954eb72b31a9dc56c99b450253ec5b121add320 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 19 May 2021 10:45:14 +0300 +Subject: perf intel-pt: Fix sample instruction bytes + +From: Adrian Hunter + +commit c954eb72b31a9dc56c99b450253ec5b121add320 upstream. + +The decoder reports the current instruction if it was decoded. In some +cases the current instruction is not decoded, in which case the instruction +bytes length must be set to zero. Ensure that is always done. + +Note perf script can anyway get the instruction bytes for any samples where +they are not present. + +Also note, that there is a redundant "ptq->insn_len = 0" statement which is +not removed until a subsequent patch in order to make this patch apply +cleanly to stable branches. + +Example: + +A machne that supports TSX is required. It will have flag "rtm". Kernel +parameter tsx=on may be required. + + # for w in `cat /proc/cpuinfo | grep -m1 flags `;do echo $w | grep rtm ; done + rtm + +Test program: + + #include + #include + + int main() + { + int x = 0; + + if (_xbegin() == _XBEGIN_STARTED) { + x = 1; + _xabort(1); + } else { + printf("x = %d\n", x); + } + return 0; + } + +Compile with -mrtm i.e. + + gcc -Wall -Wextra -mrtm xabort.c -o xabort + +Record: + + perf record -e intel_pt/cyc/u --filter 'filter main @ ./xabort' ./xabort + +Before: + + # perf script --itrace=xe -F+flags,+insn,-period --xed --ns + xabort 1478 [007] 92161.431348581: transactions: x 400b81 main+0x14 (/root/xabort) mov $0xffffffff, %eax + xabort 1478 [007] 92161.431348624: transactions: tx abrt 400b93 main+0x26 (/root/xabort) mov $0xffffffff, %eax + +After: + + # perf script --itrace=xe -F+flags,+insn,-period --xed --ns + xabort 1478 [007] 92161.431348581: transactions: x 400b81 main+0x14 (/root/xabort) xbegin 0x6 + xabort 1478 [007] 92161.431348624: transactions: tx abrt 400b93 main+0x26 (/root/xabort) xabort $0x1 + +Fixes: faaa87680b25d ("perf intel-pt/bts: Report instruction bytes and length in sample") +Signed-off-by: Adrian Hunter +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: stable@vger.kernel.org +Link: http://lore.kernel.org/lkml/20210519074515.9262-3-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/intel-pt.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -535,8 +535,10 @@ static int intel_pt_walk_next_insn(struc + + *ip += intel_pt_insn->length; + +- if (to_ip && *ip == to_ip) ++ if (to_ip && *ip == to_ip) { ++ intel_pt_insn->length = 0; + goto out_no_cache; ++ } + + if (*ip >= al.map->end) + break; +@@ -923,6 +925,7 @@ static void intel_pt_set_pid_tid_cpu(str + + static void intel_pt_sample_flags(struct intel_pt_queue *ptq) + { ++ ptq->insn_len = 0; + if (ptq->state->flags & INTEL_PT_ABORT_TX) { + ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_TX_ABORT; + } else if (ptq->state->flags & INTEL_PT_ASYNC) { diff --git a/queue-4.14/perf-intel-pt-fix-transaction-abort-handling.patch b/queue-4.14/perf-intel-pt-fix-transaction-abort-handling.patch new file mode 100644 index 00000000000..809323ad554 --- /dev/null +++ b/queue-4.14/perf-intel-pt-fix-transaction-abort-handling.patch @@ -0,0 +1,103 @@ +From cb7987837c31b217b28089bbc78922d5c9187869 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 19 May 2021 10:45:13 +0300 +Subject: perf intel-pt: Fix transaction abort handling + +From: Adrian Hunter + +commit cb7987837c31b217b28089bbc78922d5c9187869 upstream. + +When adding support for power events, some handling of FUP packets was +unified. That resulted in breaking reporting of TSX aborts, by not +considering the associated TIP packet. Fix that. + +Example: + +A machine that supports TSX is required. It will have flag "rtm". Kernel +parameter tsx=on may be required. + + # for w in `cat /proc/cpuinfo | grep -m1 flags `;do echo $w | grep rtm ; done + rtm + +Test program: + + #include + #include + + int main() + { + int x = 0; + + if (_xbegin() == _XBEGIN_STARTED) { + x = 1; + _xabort(1); + } else { + printf("x = %d\n", x); + } + return 0; + } + +Compile with -mrtm i.e. + + gcc -Wall -Wextra -mrtm xabort.c -o xabort + +Record: + + perf record -e intel_pt/cyc/u --filter 'filter main @ ./xabort' ./xabort + +Before: + + # perf script --itrace=be -F+flags,+addr,-period,-event --ns + xabort 1478 [007] 92161.431348552: tr strt 0 [unknown] ([unknown]) => 400b6d main+0x0 (/root/xabort) + xabort 1478 [007] 92161.431348624: jmp 400b96 main+0x29 (/root/xabort) => 400bae main+0x41 (/root/xabort) + xabort 1478 [007] 92161.431348624: return 400bb4 main+0x47 (/root/xabort) => 400b87 main+0x1a (/root/xabort) + xabort 1478 [007] 92161.431348637: jcc 400b8a main+0x1d (/root/xabort) => 400b98 main+0x2b (/root/xabort) + xabort 1478 [007] 92161.431348644: tr end call 400ba9 main+0x3c (/root/xabort) => 40f690 printf+0x0 (/root/xabort) + xabort 1478 [007] 92161.431360859: tr strt 0 [unknown] ([unknown]) => 400bae main+0x41 (/root/xabort) + xabort 1478 [007] 92161.431360882: tr end return 400bb4 main+0x47 (/root/xabort) => 401139 __libc_start_main+0x309 (/root/xabort) + +After: + + # perf script --itrace=be -F+flags,+addr,-period,-event --ns + xabort 1478 [007] 92161.431348552: tr strt 0 [unknown] ([unknown]) => 400b6d main+0x0 (/root/xabort) + xabort 1478 [007] 92161.431348624: tx abrt 400b93 main+0x26 (/root/xabort) => 400b87 main+0x1a (/root/xabort) + xabort 1478 [007] 92161.431348637: jcc 400b8a main+0x1d (/root/xabort) => 400b98 main+0x2b (/root/xabort) + xabort 1478 [007] 92161.431348644: tr end call 400ba9 main+0x3c (/root/xabort) => 40f690 printf+0x0 (/root/xabort) + xabort 1478 [007] 92161.431360859: tr strt 0 [unknown] ([unknown]) => 400bae main+0x41 (/root/xabort) + xabort 1478 [007] 92161.431360882: tr end return 400bb4 main+0x47 (/root/xabort) => 401139 __libc_start_main+0x309 (/root/xabort) + +Fixes: a472e65fc490a ("perf intel-pt: Add decoder support for ptwrite and power event packets") +Signed-off-by: Adrian Hunter +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: stable@vger.kernel.org +Link: http://lore.kernel.org/lkml/20210519074515.9262-2-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -1063,6 +1063,8 @@ static bool intel_pt_fup_event(struct in + decoder->set_fup_tx_flags = false; + decoder->tx_flags = decoder->fup_tx_flags; + decoder->state.type = INTEL_PT_TRANSACTION; ++ if (decoder->fup_tx_flags & INTEL_PT_ABORT_TX) ++ decoder->state.type |= INTEL_PT_BRANCH; + decoder->state.from_ip = decoder->ip; + decoder->state.to_ip = 0; + decoder->state.flags = decoder->fup_tx_flags; +@@ -1129,8 +1131,10 @@ static int intel_pt_walk_fup(struct inte + return 0; + if (err == -EAGAIN || + intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) { ++ bool no_tip = decoder->pkt_state != INTEL_PT_STATE_FUP; ++ + decoder->pkt_state = INTEL_PT_STATE_IN_SYNC; +- if (intel_pt_fup_event(decoder)) ++ if (intel_pt_fup_event(decoder) && no_tip) + return 0; + return -EAGAIN; + } diff --git a/queue-4.14/proc-check-proc-pid-attr-writes-against-file-opener.patch b/queue-4.14/proc-check-proc-pid-attr-writes-against-file-opener.patch new file mode 100644 index 00000000000..2e9f7969124 --- /dev/null +++ b/queue-4.14/proc-check-proc-pid-attr-writes-against-file-opener.patch @@ -0,0 +1,40 @@ +From bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 25 May 2021 12:37:35 -0700 +Subject: proc: Check /proc/$pid/attr/ writes against file opener + +From: Kees Cook + +commit bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 upstream. + +Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/ +files need to check the opener credentials, since these fds do not +transition state across execve(). Without this, it is possible to +trick another process (which may have different credentials) to write +to its own /proc/$pid/attr/ files, leading to unexpected and possibly +exploitable behaviors. + +[1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/base.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -2557,6 +2557,10 @@ static ssize_t proc_pid_attr_write(struc + ssize_t length; + struct task_struct *task = get_proc_task(inode); + ++ /* A task may only write when it was the opener. */ ++ if (file->f_cred != current_real_cred()) ++ return -EPERM; ++ + length = -ESRCH; + if (!task) + goto out_no_task; diff --git a/queue-4.14/series b/queue-4.14/series index f580fdda3f1..b2c10ef3651 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -6,3 +6,9 @@ netfilter-x_tables-use-correct-memory-barriers.patch nfc-nci-fix-memory-leak-in-nci_allocate_device.patch nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch +perf-intel-pt-fix-sample-instruction-bytes.patch +perf-intel-pt-fix-transaction-abort-handling.patch +proc-check-proc-pid-attr-writes-against-file-opener.patch +net-hso-fix-control-request-directions.patch +mac80211-assure-all-fragments-are-encrypted.patch +mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch