From: Greg Kroah-Hartman Date: Sun, 15 Jan 2023 14:14:36 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.14.303~54 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d3b4d94bc924d776457485f10fd819b9553d2d8a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch --- diff --git a/queue-5.15/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch b/queue-5.15/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch new file mode 100644 index 00000000000..cdabf343b50 --- /dev/null +++ b/queue-5.15/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch @@ -0,0 +1,41 @@ +From 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 Mon Sep 17 00:00:00 2001 +From: Gavrilov Ilia +Date: Wed, 11 Jan 2023 11:57:39 +0000 +Subject: netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function. + +From: Gavrilov Ilia + +commit 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 upstream. + +When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of +an arithmetic expression 2 << (netmask - mask_bits - 1) is subject +to overflow due to a failure casting operands to a larger data type +before performing the arithmetic. + +Note that it's harmless since the value will be checked at the next step. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters") +Signed-off-by: Ilia.Gavrilov +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netfilter/ipset/ip_set_bitmap_ip.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c +@@ -308,8 +308,8 @@ bitmap_ip_create(struct net *net, struct + return -IPSET_ERR_BITMAP_RANGE; + + pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); +- hosts = 2 << (32 - netmask - 1); +- elements = 2 << (netmask - mask_bits - 1); ++ hosts = 2U << (32 - netmask - 1); ++ elements = 2UL << (netmask - mask_bits - 1); + } + if (elements > IPSET_BITMAP_MAX_RANGE + 1) + return -IPSET_ERR_BITMAP_RANGE_SIZE; diff --git a/queue-5.15/sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch b/queue-5.15/sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch new file mode 100644 index 00000000000..622655df15a --- /dev/null +++ b/queue-5.15/sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch @@ -0,0 +1,99 @@ +From 87ca4f9efbd7cc649ff43b87970888f2812945b8 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Fri, 30 Dec 2022 23:11:19 -0500 +Subject: sched/core: Fix use-after-free bug in dup_user_cpus_ptr() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Waiman Long + +commit 87ca4f9efbd7cc649ff43b87970888f2812945b8 upstream. + +Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be +restricted on asymmetric systems"), the setting and clearing of +user_cpus_ptr are done under pi_lock for arm64 architecture. However, +dup_user_cpus_ptr() accesses user_cpus_ptr without any lock +protection. Since sched_setaffinity() can be invoked from another +process, the process being modified may be undergoing fork() at +the same time. When racing with the clearing of user_cpus_ptr in +__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and +possibly double-free in arm64 kernel. + +Commit 8f9ea86fdf99 ("sched: Always preserve the user requested +cpumask") fixes this problem as user_cpus_ptr, once set, will never +be cleared in a task's lifetime. However, this bug was re-introduced +in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in +do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in +do_set_cpus_allowed(). This time, it will affect all arches. + +Fix this bug by always clearing the user_cpus_ptr of the newly +cloned/forked task before the copying process starts and check the +user_cpus_ptr state of the source task under pi_lock. + +Note to stable, this patch won't be applicable to stable releases. +Just copy the new dup_user_cpus_ptr() function over. + +Fixes: 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems") +Fixes: 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()") +Reported-by: David Wang 王标 +Signed-off-by: Waiman Long +Signed-off-by: Ingo Molnar +Reviewed-by: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20221231041120.440785-2-longman@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 37 +++++++++++++++++++++++++++++++++---- + 1 file changed, 33 insertions(+), 4 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -2501,14 +2501,43 @@ void do_set_cpus_allowed(struct task_str + int dup_user_cpus_ptr(struct task_struct *dst, struct task_struct *src, + int node) + { +- if (!src->user_cpus_ptr) ++ cpumask_t *user_mask; ++ unsigned long flags; ++ ++ /* ++ * Always clear dst->user_cpus_ptr first as their user_cpus_ptr's ++ * may differ by now due to racing. ++ */ ++ dst->user_cpus_ptr = NULL; ++ ++ /* ++ * This check is racy and losing the race is a valid situation. ++ * It is not worth the extra overhead of taking the pi_lock on ++ * every fork/clone. ++ */ ++ if (data_race(!src->user_cpus_ptr)) + return 0; + +- dst->user_cpus_ptr = kmalloc_node(cpumask_size(), GFP_KERNEL, node); +- if (!dst->user_cpus_ptr) ++ user_mask = kmalloc_node(cpumask_size(), GFP_KERNEL, node); ++ if (!user_mask) + return -ENOMEM; + +- cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr); ++ /* ++ * Use pi_lock to protect content of user_cpus_ptr ++ * ++ * Though unlikely, user_cpus_ptr can be reset to NULL by a concurrent ++ * do_set_cpus_allowed(). ++ */ ++ raw_spin_lock_irqsave(&src->pi_lock, flags); ++ if (src->user_cpus_ptr) { ++ swap(dst->user_cpus_ptr, user_mask); ++ cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr); ++ } ++ raw_spin_unlock_irqrestore(&src->pi_lock, flags); ++ ++ if (unlikely(user_mask)) ++ kfree(user_mask); ++ + return 0; + } + diff --git a/queue-5.15/series b/queue-5.15/series index 585f4c53046..214cdb54344 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -36,3 +36,5 @@ bus-mhi-host-fix-race-between-channel-preparation-an.patch usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch iommu-iova-fix-alloc-iova-overflows-issue.patch iommu-mediatek-v1-fix-an-error-handling-path-in-mtk_iommu_v1_probe.patch +sched-core-fix-use-after-free-bug-in-dup_user_cpus_ptr.patch +netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch