From: Greg Kroah-Hartman Date: Mon, 9 Nov 2020 10:01:41 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.242~16 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cba931af0b850923f61cca3a534889f3bd88e4ea;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: vt-disable-kd_font_op_copy.patch --- diff --git a/queue-4.14/nvme-rdma-handle-unexpected-nvme-completion-data-len.patch b/queue-4.14/nvme-rdma-handle-unexpected-nvme-completion-data-len.patch deleted file mode 100644 index c7373d35908..00000000000 --- a/queue-4.14/nvme-rdma-handle-unexpected-nvme-completion-data-len.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From 3d19bdec779c3c21fa1c6662a1bac2b85b0a8aa5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 25 Oct 2020 19:51:24 +0800 -Subject: nvme-rdma: handle unexpected nvme completion data length - -From: zhenwei pi - -[ Upstream commit 25c1ca6ecaba3b751d3f7ff92d5cddff3b05f8d0 ] - -Receiving a zero length message leads to the following warnings because -the CQE is processed twice: - -refcount_t: underflow; use-after-free. -WARNING: CPU: 0 PID: 0 at lib/refcount.c:28 - -RIP: 0010:refcount_warn_saturate+0xd9/0xe0 -Call Trace: - - nvme_rdma_recv_done+0xf3/0x280 [nvme_rdma] - __ib_process_cq+0x76/0x150 [ib_core] - ... - -Sanity check the received data length, to avoids this. - -Thanks to Chao Leng & Sagi for suggestions. - -Signed-off-by: zhenwei pi -Reviewed-by: Sagi Grimberg -Signed-off-by: Christoph Hellwig -Signed-off-by: Sasha Levin ---- - drivers/nvme/host/rdma.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c -index 564e457f1345e..d04c9769ebfa2 100644 ---- a/drivers/nvme/host/rdma.c -+++ b/drivers/nvme/host/rdma.c -@@ -1382,6 +1382,14 @@ static int __nvme_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc, int tag) - return 0; - } - -+ /* sanity checking for received data length */ -+ if (unlikely(wc->byte_len < len)) { -+ dev_err(queue->ctrl->ctrl.device, -+ "Unexpected nvme completion length(%d)\n", wc->byte_len); -+ nvme_rdma_error_recovery(queue->ctrl); -+ return; -+ } -+ - ib_dma_sync_single_for_cpu(ibdev, qe->dma, len, DMA_FROM_DEVICE); - /* - * AEN requests are special as they don't time out and can --- -2.27.0 - diff --git a/queue-4.14/series b/queue-4.14/series index bc7d837edef..a274274d836 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -30,6 +30,6 @@ blk-cgroup-fix-memleak-on-error-path.patch blk-cgroup-pre-allocate-tree-node-on-blkg_conf_prep.patch scsi-core-don-t-start-concurrent-async-scan-on-same-.patch vsock-use-ns_capable_noaudit-on-socket-create.patch -nvme-rdma-handle-unexpected-nvme-completion-data-len.patch drm-vc4-drv-add-error-handding-for-bind.patch acpi-nfit-fix-comparison-to-enxio.patch +vt-disable-kd_font_op_copy.patch diff --git a/queue-4.14/vt-disable-kd_font_op_copy.patch b/queue-4.14/vt-disable-kd_font_op_copy.patch new file mode 100644 index 00000000000..b2e1ebe0b3c --- /dev/null +++ b/queue-4.14/vt-disable-kd_font_op_copy.patch 
@@ -0,0 +1,117 @@ +From 3c4e0dff2095c579b142d5a0693257f1c58b4804 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Sun, 8 Nov 2020 16:38:06 +0100 +Subject: vt: Disable KD_FONT_OP_COPY + +From: Daniel Vetter + +commit 3c4e0dff2095c579b142d5a0693257f1c58b4804 upstream. + +It's buggy: + +On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote: +> We recently discovered a slab-out-of-bounds read in fbcon in the latest +> kernel ( v5.10-rc2 for now ). The root cause of this vulnerability is that +> "fbcon_do_set_font" did not handle "vc->vc_font.data" and +> "vc->vc_font.height" correctly, and the patch +> for VT_RESIZEX can't handle this +> issue. +> +> Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and +> use KD_FONT_OP_SET again to set a large font.height for tty1. After that, +> we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data +> in "fbcon_do_set_font", while tty1 retains the original larger +> height. Obviously, this will cause an out-of-bounds read, because we can +> access a smaller vc_font.data with a larger vc_font.height. + +Further there was only one user ever. +- Android's loadfont, busybox and console-tools only ever use OP_GET + and OP_SET +- fbset documentation only mentions the kernel cmdline font: option, + not anything else. +- systemd used OP_COPY before release 232 published in Nov 2016 + +Now unfortunately the crucial report seems to have gone down with +gmane, and the commit message doesn't say much. But the pull request +hints at OP_COPY being broken + +https://github.com/systemd/systemd/pull/3651 + +So in other words, this never worked, and the only project which +foolishly every tried to use it, realized that rather quickly too. + +Instead of trying to fix security issues here on dead code by adding +missing checks, fix the entire thing by removing the functionality. 
+ +Note that systemd code using the OP_COPY function ignored the return +value, so it doesn't matter what we're doing here really - just in +case a lone server somewhere happens to be extremely unlucky and +running an affected old version of systemd. The relevant code from +font_copy_to_all_vcs() in systemd was: + + /* copy font from active VT, where the font was uploaded to */ + cfo.op = KD_FONT_OP_COPY; + cfo.height = vcs.v_active-1; /* tty1 == index 0 */ + (void) ioctl(vcfd, KDFONTOP, &cfo); + +Note this just disables the ioctl, garbage collecting the now unused +callbacks is left for -next. + +v2: Tetsuo found the old mail, which allowed me to find it on another +archive. Add the link too. + +Acked-by: Peilin Ye +Reported-by: Minh Yuan +References: https://lists.freedesktop.org/archives/systemd-devel/2016-June/036935.html +References: https://github.com/systemd/systemd/pull/3651 +Cc: Greg KH +Cc: Peilin Ye +Cc: Tetsuo Handa +Signed-off-by: Daniel Vetter +Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.ch +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 24 ++---------------------- + 1 file changed, 2 insertions(+), 22 deletions(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -4227,27 +4227,6 @@ static int con_font_default(struct vc_da + return rc; + } + +-static int con_font_copy(struct vc_data *vc, struct console_font_op *op) +-{ +- int con = op->height; +- int rc; +- +- +- console_lock(); +- if (vc->vc_mode != KD_TEXT) +- rc = -EINVAL; +- else if (!vc->vc_sw->con_font_copy) +- rc = -ENOSYS; +- else if (con < 0 || !vc_cons_allocated(con)) +- rc = -ENOTTY; +- else if (con == vc->vc_num) /* nothing to do */ +- rc = 0; +- else +- rc = vc->vc_sw->con_font_copy(vc, con); +- console_unlock(); +- return rc; +-} +- + int con_font_op(struct vc_data *vc, struct console_font_op *op) + { + switch (op->op) { +@@ -4258,7 +4237,8 @@ int con_font_op(struct vc_data *vc, stru + case KD_FONT_OP_SET_DEFAULT: + return 
con_font_default(vc, op); + case KD_FONT_OP_COPY: +- return con_font_copy(vc, op); ++ /* was buggy and never really used */ ++ return -EINVAL; + } + return -ENOSYS; + }
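Review bot: dropping nvme-rdma-handle-unexpected-nvme-completion-data-len.patch from queue-4.14 looks right, because the backport as queued would not build on this tree: the hunk context shows `static int __nvme_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc, int tag)`, an int-returning function, while the added error path ends in a bare `return;` (the upstream function this was written against returns void). If the length check is re-queued for 4.14 it needs a return value on that path (for example `return 0;` after `nvme_rdma_error_recovery()`), and the backporter should confirm that `len` and `queue` are in scope at that point in the 4.14 version of the function rather than only in the upstream one.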
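Review bot: in the new vt-disable-kd_font_op_copy.patch, the `case KD_FONT_OP_COPY:` branch returns `-EINVAL` while the fall-through for unknown ops directly below it returns `-ENOSYS`; a caller probing whether an op is supported now gets a different error for COPY than for any other unimplemented op, so either `-ENOSYS` for consistency or a comment explaining why `-EINVAL` was chosen would help future readers (the commit message only notes that the one known user, systemd's `font_copy_to_all_vcs()`, ignored the return value). Also worth recording in the backport notes: the removed `con_font_copy()` was the only path that took a console index from `op->height` and handed it to `vc->vc_sw->con_font_copy`, and the `struct consw` callback itself is deliberately left in place ("garbage collecting the now unused callbacks is left for -next"), so tools that grep for remaining `con_font_copy` implementations should not mistake them for a live ioctl path after this change.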