From: Greg Kroah-Hartman Date: Mon, 11 Jan 2021 11:46:06 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.251~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=caa387b465fbc586cd5586c6e956af854446127f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch --- diff --git a/queue-4.4/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch b/queue-4.4/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch new file mode 100644 index 00000000000..fb76013a1d7 --- /dev/null +++ b/queue-4.4/netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch @@ -0,0 +1,89 @@ +From 5c8193f568ae16f3242abad6518dc2ca6c8eef86 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Thu, 17 Dec 2020 17:53:18 +0300 +Subject: netfilter: ipset: fix shift-out-of-bounds in htable_bits() + +From: Vasily Averin + +commit 5c8193f568ae16f3242abad6518dc2ca6c8eef86 upstream. + +htable_bits() can call jhash_size(32) and trigger shift-out-of-bounds + +UBSAN: shift-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:151:6 +shift exponent 32 is too large for 32-bit type 'unsigned int' +CPU: 0 PID: 8498 Comm: syz-executor519 + Not tainted 5.10.0-rc7-next-20201208-syzkaller #0 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x107/0x163 lib/dump_stack.c:120 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 + htable_bits net/netfilter/ipset/ip_set_hash_gen.h:151 [inline] + hash_mac_create.cold+0x58/0x9b net/netfilter/ipset/ip_set_hash_gen.h:1524 + ip_set_create+0x610/0x1380 net/netfilter/ipset/ip_set_core.c:1115 + nfnetlink_rcv_msg+0xecc/0x1180 net/netfilter/nfnetlink.c:252 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 + nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:600 + netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 + netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:652 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:672 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2399 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +This patch replaces htable_bits() by simple fls(hashsize - 1) call: +it alone returns valid nbits both for round and non-round hashsizes. +It is normal to set any nbits here because it is validated inside +following htable_size() call which returns 0 for nbits>31. + +Fixes: 1feab10d7e6d("netfilter: ipset: Unified hash type generation") +Reported-by: syzbot+d66bfadebca46cf61a2b@syzkaller.appspotmail.com +Signed-off-by: Vasily Averin +Acked-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipset/ip_set_hash_gen.h | 20 +++++--------------- + 1 file changed, 5 insertions(+), 15 deletions(-) + +--- a/net/netfilter/ipset/ip_set_hash_gen.h ++++ b/net/netfilter/ipset/ip_set_hash_gen.h +@@ -113,20 +113,6 @@ htable_size(u8 hbits) + return hsize * sizeof(struct hbucket *) + sizeof(struct htable); + } + +-/* Compute htable_bits from the user input parameter hashsize */ +-static u8 +-htable_bits(u32 hashsize) +-{ +- /* Assume that hashsize == 2^htable_bits */ +- u8 bits = fls(hashsize - 1); +- +- if (jhash_size(bits) != hashsize) +- /* Round up to the first 2^n value */ +- bits = fls(hashsize); +- +- return bits; +-} +- + #ifdef IP_SET_HASH_WITH_NETS + #if IPSET_NET_COUNT > 1 + #define __CIDR(cidr, i) (cidr[i]) +@@ -1309,7 +1295,11 @@ IPSET_TOKEN(HTYPE, _create)(struct net * + get_random_bytes(&h->initval, sizeof(h->initval)); + set->timeout = IPSET_NO_TIMEOUT; + +- hbits = htable_bits(hashsize); ++ /* Compute htable_bits from the user input parameter hashsize. ++ * Assume that hashsize == 2^htable_bits, ++ * otherwise round up to the first 2^n value. ++ */ ++ hbits = fls(hashsize - 1); + hsize = htable_size(hbits); + if (hsize == 0) { + kfree(h); diff --git a/queue-4.4/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch b/queue-4.4/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch new file mode 100644 index 00000000000..dbb862364e5 --- /dev/null +++ b/queue-4.4/netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch @@ -0,0 +1,41 @@ +From 6cb56218ad9e580e519dcd23bfb3db08d8692e5a Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 22 Dec 2020 23:23:56 +0100 +Subject: netfilter: xt_RATEEST: reject non-null terminated string from userspace + +From: Florian Westphal + +commit 6cb56218ad9e580e519dcd23bfb3db08d8692e5a upstream. + +syzbot reports: +detected buffer overflow in strlen +[..] +Call Trace: + strlen include/linux/string.h:325 [inline] + strlcpy include/linux/string.h:348 [inline] + xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143 + +strlcpy assumes src is a c-string. Check info->name before its used. + +Reported-by: syzbot+e86f7c428c8c50db65b4@syzkaller.appspotmail.com +Fixes: 5859034d7eb8793 ("[NETFILTER]: x_tables: add RATEEST target") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_RATEEST.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/xt_RATEEST.c ++++ b/net/netfilter/xt_RATEEST.c +@@ -107,6 +107,9 @@ static int xt_rateest_tg_checkentry(cons + } cfg; + int ret; + ++ if (strnlen(info->name, sizeof(est->name)) >= sizeof(est->name)) ++ return -ENAMETOOLONG; ++ + if (unlikely(!rnd_inited)) { + get_random_bytes(&jhash_rnd, sizeof(jhash_rnd)); + rnd_inited = true; diff --git a/queue-4.4/series b/queue-4.4/series index 83173e57e9c..3b57d91c988 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -33,3 +33,6 @@ usb-serial-keyspan_pda-remove-unused-variable.patch x86-mm-fix-leak-of-pmd-ptlock.patch alsa-hda-conexant-add-a-new-hda-codec-cx11970.patch revert-device-property-keep-secondary-firmware-node-secondary-by-type.patch +netfilter-ipset-fix-shift-out-of-bounds-in-htable_bits.patch +netfilter-xt_rateest-reject-non-null-terminated-string-from-userspace.patch +x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch diff --git a/queue-4.4/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch b/queue-4.4/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch new file mode 100644 index 00000000000..93ca6d2ab09 --- /dev/null +++ b/queue-4.4/x86-mtrr-correct-the-range-check-before-performing-mtrr-type-lookups.patch @@ -0,0 +1,62 @@ +From cb7f4a8b1fb426a175d1708f05581939c61329d4 Mon Sep 17 00:00:00 2001 +From: Ying-Tsun Huang +Date: Tue, 15 Dec 2020 15:07:20 +0800 +Subject: x86/mtrr: Correct the range check before performing MTRR type lookups + +From: Ying-Tsun Huang + +commit cb7f4a8b1fb426a175d1708f05581939c61329d4 upstream. + +In mtrr_type_lookup(), if the input memory address region is not in the +MTRR, over 4GB, and not over the top of memory, a write-back attribute +is returned. These condition checks are for ensuring the input memory +address region is actually mapped to the physical memory. + +However, if the end address is just aligned with the top of memory, +the condition check treats the address is over the top of memory, and +write-back attribute is not returned. + +And this hits in a real use case with NVDIMM: the nd_pmem module tries +to map NVDIMMs as cacheable memories when NVDIMMs are connected. If a +NVDIMM is the last of the DIMMs, the performance of this NVDIMM becomes +very low since it is aligned with the top of memory and its memory type +is uncached-minus. + +Move the input end address change to inclusive up into +mtrr_type_lookup(), before checking for the top of memory in either +mtrr_type_lookup_{variable,fixed}() helpers. + + [ bp: Massage commit message. ] + +Fixes: 0cc705f56e40 ("x86/mm/mtrr: Clean up mtrr_type_lookup()") +Signed-off-by: Ying-Tsun Huang +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20201215070721.4349-1-ying-tsun.huang@amd.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mtrr/generic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/cpu/mtrr/generic.c ++++ b/arch/x86/kernel/cpu/mtrr/generic.c +@@ -166,9 +166,6 @@ static u8 mtrr_type_lookup_variable(u64 + *repeat = 0; + *uniform = 1; + +- /* Make end inclusive instead of exclusive */ +- end--; +- + prev_match = MTRR_TYPE_INVALID; + for (i = 0; i < num_var_ranges; ++i) { + unsigned short start_state, end_state, inclusive; +@@ -260,6 +257,9 @@ u8 mtrr_type_lookup(u64 start, u64 end, + int repeat; + u64 partial_end; + ++ /* Make end inclusive instead of exclusive */ ++ end--; ++ + if (!mtrr_state_set) + return MTRR_TYPE_INVALID; +