From: Greg Kroah-Hartman
Date: Thu, 21 Jan 2021 13:33:56 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v4.4.253~16
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ca5a79ca64634f36e2fc77d589767a1fc9a75f6f;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch
bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch
bpf-fix-signed_-sub-add32-_overflows-type-handling.patch
bpf-support-ptr_to_mem-_or_null-register-spilling.patch
nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch
x.509-fix-crash-caused-by-null-pointer.patch
---
diff --git a/queue-5.10/bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch b/queue-5.10/bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch
new file mode 100644
index 00000000000..bb442fc110b
--- /dev/null
+++ b/queue-5.10/bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch
@@ -0,0 +1,43 @@ +From 4be34f3d0731b38a1b24566b37fbb39500aaf3a2 Mon Sep 17 00:00:00 2001 +From: Stanislav Fomichev +Date: Tue, 12 Jan 2021 08:28:29 -0800 +Subject: bpf: Don't leak memory in bpf getsockopt when optlen == 0 + +From: Stanislav Fomichev + +commit 4be34f3d0731b38a1b24566b37fbb39500aaf3a2 upstream. + +optlen == 0 indicates that the kernel should ignore BPF buffer +and use the original one from the user. We, however, forget +to free the temporary buffer that we've allocated for BPF. + +Fixes: d8fe449a9c51 ("bpf: Don't return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE") +Reported-by: Martin KaFai Lau +Signed-off-by: Stanislav Fomichev +Signed-off-by: Daniel Borkmann +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/20210112162829.775079-1-sdf@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/cgroup.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -1391,12 +1391,13 @@ int __cgroup_bpf_run_filter_setsockopt(s + if (ctx.optlen != 0) { + *optlen = ctx.optlen; + *kernel_optval = ctx.optval; ++ /* export and don't free sockopt buf */ ++ return 0; + } + } + + out: +- if (ret) +- sockopt_free_buf(&ctx); ++ sockopt_free_buf(&ctx); + return ret; + } + diff --git a/queue-5.10/bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch b/queue-5.10/bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch new file mode 100644 index 00000000000..899c9f66868 --- /dev/null +++ b/queue-5.10/bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch 
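Review bot: The new early `return 0` inside the `if (ctx.optlen != 0)` block hands ownership of `ctx.optval` to the caller through `*kernel_optval`, while the `out:` path a few lines below now frees unconditionally; the one-line comment is the only thing telling a reader which exit is which, and a later change that adds another exit between them will leak or double-free depending on which path it copies. I would make the contract explicit at the export point, e.g. `/* optval is handed to the caller via *kernel_optval; return here so out: does not free it */`. The hunk header places this in `__cgroup_bpf_run_filter_setsockopt` even though the subject says getsockopt, which is worth a word in the backport note. The enclosing function begins and ends outside the hunk, so the caller's release of the exported buffer cannot be checked from here.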
@@ -0,0 +1,36 @@ +From 301a33d51880619d0c5a581b5a48d3a5248fa84b Mon Sep 17 00:00:00 2001 +From: Mircea Cirjaliu +Date: Tue, 19 Jan 2021 21:53:18 +0100 +Subject: bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback + +From: Mircea Cirjaliu + +commit 301a33d51880619d0c5a581b5a48d3a5248fa84b upstream. + +I assume this was obtained by copy/paste. Point it to bpf_map_peek_elem() +instead of bpf_map_pop_elem(). In practice it may have been less likely +hit when under JIT given shielded via 84430d4232c3 ("bpf, verifier: avoid +retpoline for map push/pop/peek operation"). + +Fixes: f1a2e44a3aec ("bpf: add queue and stack maps") +Signed-off-by: Mircea Cirjaliu +Signed-off-by: Daniel Borkmann +Cc: Mauricio Vasquez +Link: https://lore.kernel.org/bpf/AM7PR02MB6082663DFDCCE8DA7A6DD6B1BBA30@AM7PR02MB6082.eurprd02.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/helpers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -108,7 +108,7 @@ BPF_CALL_2(bpf_map_peek_elem, struct bpf + } + + const struct bpf_func_proto bpf_map_peek_elem_proto = { +- .func = bpf_map_pop_elem, ++ .func = bpf_map_peek_elem, + .gpl_only = false, + .ret_type = RET_INTEGER, + .arg1_type = ARG_CONST_MAP_PTR, diff --git a/queue-5.10/bpf-fix-signed_-sub-add32-_overflows-type-handling.patch b/queue-5.10/bpf-fix-signed_-sub-add32-_overflows-type-handling.patch new file mode 100644 index 00000000000..f9392d3f38a --- /dev/null +++ b/queue-5.10/bpf-fix-signed_-sub-add32-_overflows-type-handling.patch 
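Review bot: The corrected `.func = bpf_map_peek_elem` is only reached on the interpreter path, as the commit message itself notes, so nothing in the patch would catch the same mis-assignment recurring; a selftest that peeks a queue/stack map with JIT disabled and asserts the element is still present afterwards would pin the non-destructive semantics. Until then a one-line comment beside the proto, `/* must be the peek callback: pop would consume the element when interpreted */`, records why the pointer matters. The proto initializer continues past the end of the hunk.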
@@ -0,0 +1,57 @@ +From bc895e8b2a64e502fbba72748d59618272052a8b Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Wed, 20 Jan 2021 00:24:24 +0100 +Subject: bpf: Fix signed_{sub,add32}_overflows type handling + +From: Daniel Borkmann + +commit bc895e8b2a64e502fbba72748d59618272052a8b upstream. + +Fix incorrect signed_{sub,add32}_overflows() input types (and a related buggy +comment). It looks like this might have slipped in via copy/paste issue, also +given prior to 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") +the signature of signed_sub_overflows() had s64 a and s64 b as its input args +whereas now they are truncated to s32. Thus restore proper types. Also, the case +of signed_add32_overflows() is not consistent to signed_sub32_overflows(). Both +have s32 as inputs, therefore align the former. + +Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") +Reported-by: De4dCr0w +Signed-off-by: Daniel Borkmann +Reviewed-by: John Fastabend +Acked-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/verifier.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5255,7 +5255,7 @@ static bool signed_add_overflows(s64 a, + return res < a; + } + +-static bool signed_add32_overflows(s64 a, s64 b) ++static bool signed_add32_overflows(s32 a, s32 b) + { + /* Do the add in u32, where overflow is well-defined */ + s32 res = (s32)((u32)a + (u32)b); +@@ -5265,7 +5265,7 @@ static bool signed_add32_overflows(s64 a + return res < a; + } + +-static bool signed_sub_overflows(s32 a, s32 b) ++static bool signed_sub_overflows(s64 a, s64 b) + { + /* Do the sub in u64, where overflow is well-defined */ + s64 res = (s64)((u64)a - (u64)b); +@@ -5277,7 +5277,7 @@ static bool signed_sub_overflows(s32 a, + + static bool signed_sub32_overflows(s32 a, s32 b) + { +- /* Do the sub in u64, where overflow is well-defined */ ++ /* Do the sub in u32, where overflow 
is well-defined */ + s32 res = (s32)((u32)a - (u32)b); + + if (b < 0) diff --git a/queue-5.10/bpf-support-ptr_to_mem-_or_null-register-spilling.patch b/queue-5.10/bpf-support-ptr_to_mem-_or_null-register-spilling.patch new file mode 100644 index 00000000000..0bbe0d6c42b --- /dev/null +++ b/queue-5.10/bpf-support-ptr_to_mem-_or_null-register-spilling.patch @@ -0,0 +1,38 @@ +From 744ea4e3885eccb6d332a06fae9eb7420a622c0f Mon Sep 17 00:00:00 2001 +From: Gilad Reti +Date: Wed, 13 Jan 2021 07:38:07 +0200 +Subject: bpf: Support PTR_TO_MEM{,_OR_NULL} register spilling + +From: Gilad Reti + +commit 744ea4e3885eccb6d332a06fae9eb7420a622c0f upstream. + +Add support for pointer to mem register spilling, to allow the verifier +to track pointers to valid memory addresses. Such pointers are returned +for example by a successful call of the bpf_ringbuf_reserve helper. + +The patch was partially contributed by CyberArk Software, Inc. + +Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") +Suggested-by: Yonghong Song +Signed-off-by: Gilad Reti +Signed-off-by: Alexei Starovoitov +Acked-by: KP Singh +Link: https://lore.kernel.org/bpf/20210113053810.13518-1-gilad.reti@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/verifier.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2214,6 +2214,8 @@ static bool is_spillable_regtype(enum bp + case PTR_TO_RDWR_BUF: + case PTR_TO_RDWR_BUF_OR_NULL: + case PTR_TO_PERCPU_BTF_ID: ++ case PTR_TO_MEM: ++ case PTR_TO_MEM_OR_NULL: + return true; + default: + return false; diff --git a/queue-5.10/nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch b/queue-5.10/nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch new file mode 100644 index 00000000000..bd316858d1f --- /dev/null +++ b/queue-5.10/nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch 
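Review bot: The restored `s64 a, s64 b` on `signed_sub_overflows` and the narrowing of `signed_add32_overflows` to `s32` fix the parameter widths, but nothing in the hunk prevents the same copy/paste drift from recurring: the four helpers are textually identical apart from width, and the body comment (now correctly `/* Do the sub in u32, where overflow is well-defined */`) is the only place the width is stated in words. Since these feed the verifier's bounds tracking, I would pair the fix with a verifier selftest that pins the boundary cases in both widths (the minimum signed value minus one, the maximum plus one) rather than relying on review to spot a widened or truncated argument. All four function bodies begin or end outside the hunk.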
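Review bot: Adding `PTR_TO_MEM` and `PTR_TO_MEM_OR_NULL` to the whitelist in `is_spillable_regtype` means the spill/fill path must now carry the register's size and null-tracking state across the stack round-trip, and the hunk shows only the type check; it is worth confirming that the fill side restores the full register state rather than only the type (I believe the spill copies the whole register struct, but that code is outside this hunk). The diffstat lists only kernel/bpf/verifier.c, so if the upstream series carried a selftest for spilling these types it is not queued here. The function continues past the end of the hunk.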
@@ -0,0 +1,52 @@ +From 51b2ee7d006a736a9126e8111d1f24e4fd0afaa6 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Mon, 11 Jan 2021 16:01:29 -0500 +Subject: nfsd4: readdirplus shouldn't return parent of export + +From: J. Bruce Fields + +commit 51b2ee7d006a736a9126e8111d1f24e4fd0afaa6 upstream. + +If you export a subdirectory of a filesystem, a READDIRPLUS on the root +of that export will return the filehandle of the parent with the ".." +entry. + +The filehandle is optional, so let's just not return the filehandle for +".." if we're at the root of an export. + +Note that once the client learns one filehandle outside of the export, +they can trivially access the rest of the export using further lookups. + +However, it is also not very difficult to guess filehandles outside of +the export. So exporting a subdirectory of a filesystem should +considered equivalent to providing access to the entire filesystem. To +avoid confusion, we recommend only exporting entire filesystems. + +Reported-by: Youjipeng +Signed-off-by: J. Bruce Fields +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs3xdr.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -863,9 +863,14 @@ compose_entry_fh(struct nfsd3_readdirres + if (isdotent(name, namlen)) { + if (namlen == 2) { + dchild = dget_parent(dparent); +- /* filesystem root - cannot return filehandle for ".." */ ++ /* ++ * Don't return filehandle for ".." if we're at ++ * the filesystem or export root: ++ */ + if (dchild == dparent) + goto out; ++ if (dparent == exp->ex_path.dentry) ++ goto out; + } else + dchild = dget(dparent); + } else diff --git a/queue-5.10/series b/queue-5.10/series index 5eeab8fe3dd..1aa99126a5a 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
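Review bot: The added `if (dparent == exp->ex_path.dentry) goto out;` sits after `dchild = dget_parent(dparent)`, so like the pre-existing filesystem-root check it relies on the `out:` label releasing `dchild`; that label is outside the hunk, so confirm `dput(dchild)` happens there, otherwise the new exit leaks a dentry reference on every READDIRPLUS of an export root. The commit message is explicit that this is a tidy-up rather than an access boundary, and I would say so in the code comment too, e.g. extend it with ` * (this hides the parent handle; it is not an access control)`, so a future reader does not treat it as enforcement. compose_entry_fh begins and ends outside the hunk.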
@@ -2,3 +2,9 @@ revert-kconfig-remove-kvmconfig-and-xenconfig-shorthands.patch
 bpf-fix-selftest-compilation-on-clang-11.patch
 x86-hyperv-initialize-clockevents-after-lapic-is-ini.patch
 drm-amdgpu-display-drop-dcn-support-for-aarch64.patch
+bpf-fix-signed_-sub-add32-_overflows-type-handling.patch
+x.509-fix-crash-caused-by-null-pointer.patch
+nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch
+bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch
+bpf-support-ptr_to_mem-_or_null-register-spilling.patch
+bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch
diff --git a/queue-5.10/x.509-fix-crash-caused-by-null-pointer.patch b/queue-5.10/x.509-fix-crash-caused-by-null-pointer.patch
new file mode 100644
index 00000000000..aad6a42ecb8
--- /dev/null
+++ b/queue-5.10/x.509-fix-crash-caused-by-null-pointer.patch
@@ -0,0 +1,51 @@ +From 7178a107f5ea7bdb1cc23073234f0ded0ef90ec7 Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang +Date: Tue, 19 Jan 2021 00:13:19 +0000 +Subject: X.509: Fix crash caused by NULL pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tianjia Zhang + +commit 7178a107f5ea7bdb1cc23073234f0ded0ef90ec7 upstream. + +On the following call path, `sig->pkey_algo` is not assigned +in asymmetric_key_verify_signature(), which causes runtime +crash in public_key_verify_signature(). + + keyctl_pkey_verify + asymmetric_key_verify_signature + verify_signature + public_key_verify_signature + +This patch simply check this situation and fixes the crash +caused by NULL pointer. + +Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification") +Reported-by: Tobias Markus +Signed-off-by: Tianjia Zhang +Signed-off-by: David Howells +Reviewed-and-tested-by: Toke Høiland-Jørgensen +Tested-by: João Fonseca +Acked-by: Jarkko Sakkinen +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/asymmetric_keys/public_key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/crypto/asymmetric_keys/public_key.c ++++ b/crypto/asymmetric_keys/public_key.c +@@ -356,7 +356,8 @@ int public_key_verify_signature(const st + if (ret) + goto error_free_key; + +- if (strcmp(sig->pkey_algo, "sm2") == 0 && sig->data_size) { ++ if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 && ++ sig->data_size) { + ret = cert_sig_digest_update(sig, tfm); + if (ret) + goto error_free_key;
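Review bot: The new `sig->pkey_algo &&` guard stops the NULL dereference in `strcmp`, but it treats a missing algorithm string as "not SM2" and silently skips `cert_sig_digest_update`; for an SM2 key reached via the keyctl_pkey_verify path in the message this turns a crash into a verification failure, which is the safe direction, but the intent deserves a comment, e.g. `/* pkey_algo may be NULL on the keyctl path; only SM2 needs the extra digest step */`. It is also worth checking that the earlier algorithm-match block in this function (outside the hunk) tolerates a NULL `sig->pkey_algo` the same way, so the two checks agree on what an unspecified algorithm means. Since the trigger is reachable from userspace through keyctl, a regression test in the keyctl selftests would pin the fix; public_key_verify_signature begins and ends outside the hunk.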