From: Greg Kroah-Hartman Date: Wed, 6 Nov 2024 08:12:31 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.19.323~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ebf8a93eb5d1ffbdd54f364f487a84cdec1a432d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: drm-shmem-helper-fix-bug_on-on-mmap-prot_write-map_private.patch vt-prevent-kernel-infoleak-in-con_font_get.patch --- diff --git a/queue-5.10/drm-shmem-helper-fix-bug_on-on-mmap-prot_write-map_private.patch b/queue-5.10/drm-shmem-helper-fix-bug_on-on-mmap-prot_write-map_private.patch new file mode 100644 index 00000000000..bfedff33227 --- /dev/null +++ b/queue-5.10/drm-shmem-helper-fix-bug_on-on-mmap-prot_write-map_private.patch 
@@ -0,0 +1,68 @@ +From 39bc27bd688066a63e56f7f64ad34fae03fbe3b8 Mon Sep 17 00:00:00 2001 +From: "Wachowski, Karol" +Date: Mon, 20 May 2024 12:05:14 +0200 +Subject: drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wachowski, Karol + +commit 39bc27bd688066a63e56f7f64ad34fae03fbe3b8 upstream. + +Lack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap +allows users to call mmap with PROT_WRITE and MAP_PRIVATE flag +causing a kernel panic due to BUG_ON in vmf_insert_pfn_prot: +BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags)); + +Return -EINVAL early if COW mapping is detected. + +This bug affects all drm drivers using default shmem helpers. +It can be reproduced by this simple example: +void *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset); +ptr[0] = 0; + +Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects") +Cc: Noralf Trønnes +Cc: Eric Anholt +Cc: Rob Herring +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: Thomas Zimmermann +Cc: David Airlie +Cc: Daniel Vetter +Cc: dri-devel@lists.freedesktop.org +Cc: # v5.2+ +Signed-off-by: Wachowski, Karol +Signed-off-by: Jacek Lawrynowicz +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20240520100514.925681-1-jacek.lawrynowicz@linux.intel.com +[ Artem: bp to fix CVE-2024-39497, in order to adapt this patch to branch 5.10 + add header file mm/internal.h] +Signed-off-by: Artem Sdvizhkov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_shmem_helper.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/drm_gem_shmem_helper.c ++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c +@@ -17,6 +17,8 @@ + #include + #include + ++#include "../../../mm/internal.h" /* is_cow_mapping() */ ++ + /** + * DOC: overview + * +@@ -630,6 +632,9 @@ int drm_gem_shmem_mmap(struct drm_gem_ob + return ret; + } + ++ if 
(is_cow_mapping(vma->vm_flags)) ++ return -EINVAL; ++ + shmem = to_drm_gem_shmem_obj(obj); + + ret = drm_gem_shmem_get_pages(shmem); diff --git a/queue-5.10/series b/queue-5.10/series index c00e2316944..77e4089efd0 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -105,3 +105,5 @@ x86-bugs-use-code-segment-selector-for-verw-operand.patch nilfs2-fix-kernel-bug-due-to-missing-clearing-of-checked-flag.patch mm-shmem-fix-data-race-in-shmem_getattr.patch revert-drm-mipi-dsi-set-the-fwnode-for-mipi_dsi_device.patch +drm-shmem-helper-fix-bug_on-on-mmap-prot_write-map_private.patch +vt-prevent-kernel-infoleak-in-con_font_get.patch diff --git a/queue-5.10/vt-prevent-kernel-infoleak-in-con_font_get.patch b/queue-5.10/vt-prevent-kernel-infoleak-in-con_font_get.patch new file mode 100644 index 00000000000..2e7776515a4 --- /dev/null +++ b/queue-5.10/vt-prevent-kernel-infoleak-in-con_font_get.patch 
@@ -0,0 +1,35 @@ +From f956052e00de211b5c9ebaa1958366c23f82ee9e Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Fri, 11 Oct 2024 02:46:19 +0900 +Subject: vt: prevent kernel-infoleak in con_font_get() + +From: Jeongjun Park + +commit f956052e00de211b5c9ebaa1958366c23f82ee9e upstream. + +font.data may not initialize all memory spaces depending on the implementation +of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it +is safest to modify it to initialize the allocated memory space to 0, and it +generally does not affect the overall performance of the system. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+955da2d57931604ee691@syzkaller.appspotmail.com +Fixes: 05e2600cb0a4 ("VT: Bump font size limitation to 64x128 pixels") +Signed-off-by: Jeongjun Park +Link: https://lore.kernel.org/r/20241010174619.59662-1-aha310510@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/vt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -4603,7 +4603,7 @@ static int con_font_get(struct vc_data * + int c; + + if (op->data) { +- font.data = kmalloc(max_font_size, GFP_KERNEL); ++ font.data = kzalloc(max_font_size, GFP_KERNEL); + if (!font.data) + return -ENOMEM; + } else
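Review bot: In the first hunk of drivers/gpu/drm/drm_gem_shmem_helper.c, the added `#include "../../../mm/internal.h"` pulls mm's private header into a driver by relative path, and its own comment says only `is_cow_mapping()` is needed from it. The bracketed backport note says the header was added to adapt the patch to 5.10 but does not say why no other header works on that branch. Please spell that out in the note, and consider a small local test of the VMA flags in this file instead, so that later changes to mm/internal.h on this branch cannot break the DRM build.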
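Review bot: In the `drm_gem_shmem_mmap()` hunk, the new `is_cow_mapping(vma->vm_flags)` test sits after an existing block that ends in `return ret;`, so any mmap request that leaves through that earlier return never reaches the check. Please confirm that path cannot reach the `BUG_ON` in `vmf_insert_pfn_prot` quoted in the commit message, or move the check above it. A one-line comment stating that copy-on-write mappings are rejected because of that `BUG_ON` would also help, since a bare `return -EINVAL;` gives the reader no reason.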
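Review bot: In the `con_font_get()` hunk of drivers/tty/vt/vt.c, the change to `kzalloc(max_font_size, GFP_KERNEL)` carries no comment, so the reason the zeroing matters lives only in the commit message. The message says `vc->vc_sw->con_font_get` implementations may leave parts of `font.data` unwritten and that this can leak kernel memory, so a short comment at the allocation saying the buffer must be zeroed for that reason would keep a later cleanup from turning it back into `kmalloc`.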