From ffd0b920223dd57788b8aba2baab51f795772769 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 10 Dec 2020 14:07:28 +0100
Subject: [PATCH] 5.9-stable patches

added patches:
lib-syscall-fix-syscall-registers-retrieval-on-32-bit-platforms.patch
---
 ...isters-retrieval-on-32-bit-platforms.patch | 62 +++++++++++++++++++
 queue-5.9/series | 1 +
 2 files changed, 63 insertions(+)
 create mode 100644 queue-5.9/lib-syscall-fix-syscall-registers-retrieval-on-32-bit-platforms.patch

diff --git a/queue-5.9/lib-syscall-fix-syscall-registers-retrieval-on-32-bit-platforms.patch b/queue-5.9/lib-syscall-fix-syscall-registers-retrieval-on-32-bit-platforms.patch
new file mode 100644
index 00000000000..23ca78f840e
--- /dev/null
+++ b/queue-5.9/lib-syscall-fix-syscall-registers-retrieval-on-32-bit-platforms.patch
@@ -0,0 +1,62 @@
+From 4f134b89a24b965991e7c345b9a4591821f7c2a6 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau
+Date: Mon, 30 Nov 2020 08:36:48 +0100
+Subject: lib/syscall: fix syscall registers retrieval on 32-bit platforms
+
+From: Willy Tarreau
+
+commit 4f134b89a24b965991e7c345b9a4591821f7c2a6 upstream.
+
+Lilith >_> and Claudio Bozzato of Cisco Talos security team reported
+that collect_syscall() improperly casts the syscall registers to 64-bit
+values leaking the uninitialized last 24 bytes on 32-bit platforms, that
+are visible in /proc/self/syscall.
+
+The cause is that info->data.args are u64 while syscall_get_arguments()
+uses longs, as hinted by the bogus pointer cast in the function.
+
+Let's just proceed like the other call places, by retrieving the
+registers into an array of longs before assigning them to the caller's
+array. This was successfully tested on x86_64, i386 and ppc32.
+
+Reference: CVE-2020-28588, TALOS-2020-1211
+Fixes: 631b7abacd02 ("ptrace: Remove maxargs from task_current_syscall()")
+Cc: Greg KH
+Reviewed-by: Kees Cook
+Tested-by: Michael Ellerman (ppc32)
+Signed-off-by: Willy Tarreau
+Reviewed-by: Thomas Gleixner
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/syscall.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/lib/syscall.c
++++ b/lib/syscall.c
+@@ -7,6 +7,7 @@
+ 
+ static int collect_syscall(struct task_struct *target, struct syscall_info *info)
+ {
++ unsigned long args[6] = { };
+ struct pt_regs *regs;
+ 
+ if (!try_get_task_stack(target)) {
+@@ -27,8 +28,14 @@ static int collect_syscall(struct task_s
+ 
+ info->data.nr = syscall_get_nr(target, regs);
+ if (info->data.nr != -1L)
+- syscall_get_arguments(target, regs,
+- (unsigned long *)&info->data.args[0]);
++ syscall_get_arguments(target, regs, args);
++
++ info->data.args[0] = args[0];
++ info->data.args[1] = args[1];
++ info->data.args[2] = args[2];
++ info->data.args[3] = args[3];
++ info->data.args[4] = args[4];
++ info->data.args[5] = args[5];
+ 
+ put_task_stack(target);
+ return 0;
diff --git a/queue-5.9/series b/queue-5.9/series
index db3b484fd83..ff34f7386b7 100644
--- a/queue-5.9/series
+++ b/queue-5.9/series
@@ -56,3 +56,4 @@ hugetlb_cgroup-fix-offline-of-hugetlb-cgroup-with-reservations.patch
 revert-amd-amdgpu-disable-vcn-dpg-mode-for-picasso.patch
 iommu-amd-set-dte-to-represent-512-irtes.patch
 mm-memcg-slab-fix-obj_cgroup_charge-return-value-handling.patch
+lib-syscall-fix-syscall-registers-retrieval-on-32-bit-platforms.patch
-- 
2.47.3
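Review bot: The new `unsigned long args[6] = { };` in collect_syscall() carries no comment saying why the registers are staged through a zeroed local array instead of being written straight into `info->data.args`, so a later cleanup could fold the copy back into a cast and reintroduce the exact leak the commit message describes (a u64[] destination only partially filled by 32-bit longs). A comment above the declaration along the lines of `/* info->data.args is u64[] but the arch helper fills unsigned long[]; stage through a zeroed local so no uninitialized bytes reach /proc/<pid>/syscall on 32-bit */` would pin that intent. The literal 6 is also duplicated between the local array and the six element-by-element assignments with nothing tying it to the size of `info->data.args`; a `BUILD_BUG_ON(ARRAY_SIZE(args) != ARRAY_SIZE(info->data.args));` next to the copies (or a loop bounded by `ARRAY_SIZE(args)`) would make a future change to either side fail to build rather than silently truncate or leak. Note too that when `info->data.nr == -1L` the copies now write zeros into `info->data.args`, where the removed code left them untouched; presumably the caller already clears the struct, but that is worth confirming since it is not stated in the description. The middle of collect_syscall() (between the two inner hunks) is outside the hunk.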