lp:~canonical-kernel/ubuntu/+source/linux-oem/+git/jammy

Author: Timo Aaltonen
Author Date: 2024-05-07 11:22:13 UTC

UBUNTU: Ubuntu-oem-6.5-6.5.0-1023.24

Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-05-02 02:05:18 UTC

UBUNTU: Ubuntu-oem-6.5-6.5.0-1021.22

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-04-03 05:37:04 UTC

UBUNTU: Ubuntu-oem-6.5-6.5.0-1020.21

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-03-22 05:45:58 UTC

UBUNTU: Ubuntu-oem-6.5-6.5.0-1017.18

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-03-15 15:33:21 UTC

UBUNTU: Ubuntu-oem-6.1-6.1.0-1036.36

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-03-14 20:42:04 UTC

UBUNTU: Ubuntu-oem-6.1-6.1.0-1037.37

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-03-14 15:25:01 UTC

UBUNTU: Ubuntu-oem-6.5-6.5.0-1015.16

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-03-14 13:41:28 UTC

UBUNTU: Ubuntu-oem-6.1-6.1.0-1034.34

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-03-14 00:29:38 UTC

UBUNTU: Ubuntu-oem-6.1-6.1.0-1035.35

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Timo Aaltonen
Author Date: 2024-03-11 15:31:52 UTC

UBUNTU: Ubuntu-oem-6.1-6.1.0-1036.36

Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-03-11 07:45:38 UTC

UBUNTU: Ubuntu-oem-6.5-6.5.0-1017.18

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Duoming Zhou
Author Date: 2024-02-20 19:24:21 UTC

net: usb: lan78xx: reorder cleanup operations to avoid UAF bugs

The timer dev->stat_monitor can schedule the delayed work dev->wq and
the delayed work dev->wq can also arm the dev->stat_monitor timer.

When the device is detaching, the net_device will be deallocated. but
the net_device private data could still be dereferenced in delayed work
or timer handler. As a result, the UAF bugs will happen.

One racy situation is shown below:

      (Thread 1) | (Thread 2)
lan78xx_stat_monitor() |
 ... | lan78xx_disconnect()
 lan78xx_defer_kevent() | ...
  ... | cancel_delayed_work_sync(&dev->wq);
  schedule_delayed_work() | ...
  (wait some time) | free_netdev(net); //free net_device
  lan78xx_delayedwork() |
  //use net_device private data |
  dev-> //use |

Although we use cancel_delayed_work_sync() to cancel the delayed work
in lan78xx_disconnect(), it could still be scheduled in timer handler
lan78xx_stat_monitor().

Another racy situation is shown below:

      (Thread 1) | (Thread 2)
lan78xx_delayedwork |
 mod_timer() | lan78xx_disconnect()
                                | cancel_delayed_work_sync()
 (wait some time) | if (timer_pending(&dev->stat_monitor))
                              | del_timer_sync(&dev->stat_monitor);
 lan78xx_stat_monitor() | ...
  lan78xx_defer_kevent() | free_netdev(net); //free
   //use net_device private data|
   dev-> //use |

Although we use del_timer_sync() to delete the timer, the function
timer_pending() returns 0 when the timer is activated. As a result,
the del_timer_sync() will not be executed and the timer could be
re-armed.

In order to mitigate this bug, We use timer_shutdown_sync() to shutdown
the timer and then use cancel_delayed_work_sync() to cancel the delayed
work. As a result, the net_device could be deallocated safely.

What's more, the dev->flags is set to EVENT_DEV_DISCONNECT in
lan78xx_disconnect(). But it could still be set to EVENT_STAT_UPDATE
in lan78xx_stat_monitor(). So this patch put the set_bit() behind
timer_shutdown_sync().

Fixes: 77dfff5bb7e2 ("lan78xx: Fix race condition in disconnect handling")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3)
CVE-2023-6039
Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>

Author: Timo Aaltonen
Author Date: 2023-09-07 13:59:43 UTC

UBUNTU: Ubuntu-oem-6.0-6.0.0-1021.21

Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>

Author: Lin Ma
Author Date: 2023-08-09 16:02:22 UTC

net: nfc: Fix use-after-free caused by nfc_llcp_find_local

This commit fixes several use-after-free that caused by function
nfc_llcp_find_local(). For example, one UAF can happen when below buggy
time window occurs.

// nfc_genl_llc_get_params | // nfc_unregister_device
                             |
dev = nfc_get_device(idx); | device_lock(...)
if (!dev) | dev->shutting_down = true;
    return -ENODEV; | device_unlock(...);
                             |
device_lock(...); | // nfc_llcp_unregister_device
                             | nfc_llcp_find_local()
nfc_llcp_find_local(...); |
                             | local_cleanup()
if (!local) { |
    rc = -ENODEV; | // nfc_llcp_local_put
    goto exit; | kref_put(.., local_release)
} |
                             | // local_release
                             | list_del(&local->list)
  // nfc_genl_send_params | kfree()
  local->dev->idx !!!UAF!!! |
                             |

and the crash trace for the one of the discussed UAF like:

BUG: KASAN: slab-use-after-free in nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045
Read of size 8 at addr ffff888105b0e410 by task 20114

Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:319 [inline]
 print_report+0xcc/0x620 mm/kasan/report.c:430
 kasan_report+0xb2/0xe0 mm/kasan/report.c:536
 nfc_genl_send_params net/nfc/netlink.c:999 [inline]
 nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045
 genl_family_rcv_msg_doit.isra.0+0x1ee/0x2e0 net/netlink/genetlink.c:968
 genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
 genl_rcv_msg+0x503/0x7d0 net/netlink/genetlink.c:1065
 netlink_rcv_skb+0x161/0x430 net/netlink/af_netlink.c:2548
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
 netlink_unicast+0x644/0x900 net/netlink/af_netlink.c:1365
 netlink_sendmsg+0x934/0xe70 net/netlink/af_netlink.c:1913
 sock_sendmsg_nosec net/socket.c:724 [inline]
 sock_sendmsg+0x1b6/0x200 net/socket.c:747
 ____sys_sendmsg+0x6e9/0x890 net/socket.c:2501
 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2555
 __sys_sendmsg+0xf7/0x1d0 net/socket.c:2584
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f34640a2389
RSP: 002b:00007f3463415168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f34641c1f80 RCX: 00007f34640a2389
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000006
RBP: 00007f34640ed493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe38449ecf R14: 00007f3463415300 R15: 0000000000022000
 </TASK>

Allocated by task 20116:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x7f/0x90 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:580 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 nfc_llcp_register_device+0x49/0xa40 net/nfc/llcp_core.c:1567
 nfc_register_device+0x61/0x260 net/nfc/core.c:1124
 nci_register_device+0x776/0xb20 net/nfc/nci/core.c:1257
 virtual_ncidev_open+0x147/0x230 drivers/nfc/virtual_ncidev.c:148
 misc_open+0x379/0x4a0 drivers/char/misc.c:165
 chrdev_open+0x26c/0x780 fs/char_dev.c:414
 do_dentry_open+0x6c4/0x12a0 fs/open.c:920
 do_open fs/namei.c:3560 [inline]
 path_openat+0x24fe/0x37e0 fs/namei.c:3715
 do_filp_open+0x1ba/0x410 fs/namei.c:3742
 do_sys_openat2+0x171/0x4c0 fs/open.c:1356
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x143/0x200 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Freed by task 20115:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free mm/kasan/common.c:200 [inline]
 __kasan_slab_free+0x10a/0x190 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook mm/slub.c:1807 [inline]
 slab_free mm/slub.c:3787 [inline]
 __kmem_cache_free+0x7a/0x190 mm/slub.c:3800
 local_release net/nfc/llcp_core.c:174 [inline]
 kref_put include/linux/kref.h:65 [inline]
 nfc_llcp_local_put net/nfc/llcp_core.c:182 [inline]
 nfc_llcp_local_put net/nfc/llcp_core.c:177 [inline]
 nfc_llcp_unregister_device+0x206/0x290 net/nfc/llcp_core.c:1620
 nfc_unregister_device+0x160/0x1d0 net/nfc/core.c:1179
 virtual_ncidev_close+0x52/0xa0 drivers/nfc/virtual_ncidev.c:163
 __fput+0x252/0xa20 fs/file_table.c:321
 task_work_run+0x174/0x270 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x108/0x110 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x21/0x50 kernel/entry/common.c:297
 do_syscall_64+0x4c/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Last potentially related work creation:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x95/0xb0 mm/kasan/generic.c:491
 kvfree_call_rcu+0x29/0xa80 kernel/rcu/tree.c:3328
 drop_sysctl_table+0x3be/0x4e0 fs/proc/proc_sysctl.c:1735
 unregister_sysctl_table.part.0+0x9c/0x190 fs/proc/proc_sysctl.c:1773
 unregister_sysctl_table+0x24/0x30 fs/proc/proc_sysctl.c:1753
 neigh_sysctl_unregister+0x5f/0x80 net/core/neighbour.c:3895
 addrconf_notify+0x140/0x17b0 net/ipv6/addrconf.c:3684
 notifier_call_chain+0xbe/0x210 kernel/notifier.c:87
 call_netdevice_notifiers_info+0xb5/0x150 net/core/dev.c:1937
 call_netdevice_notifiers_extack net/core/dev.c:1975 [inline]
 call_netdevice_notifiers net/core/dev.c:1989 [inline]
 dev_change_name+0x3c3/0x870 net/core/dev.c:1211
 dev_ifsioc+0x800/0xf70 net/core/dev_ioctl.c:376
 dev_ioctl+0x3d9/0xf80 net/core/dev_ioctl.c:542
 sock_do_ioctl+0x160/0x260 net/socket.c:1213
 sock_ioctl+0x3f9/0x670 net/socket.c:1316
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x19e/0x210 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

The buggy address belongs to the object at ffff888105b0e400
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 16 bytes inside of
 freed 1024-byte region [ffff888105b0e400, ffff888105b0e800)

The buggy address belongs to the physical page:
head:ffffea000416c200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 ffff8881000430c0 ffffea00044c7010 ffffea0004510e10
raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888105b0e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888105b0e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888105b0e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888105b0e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888105b0e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

In summary, this patch solves those use-after-free by

1. Re-implement the nfc_llcp_find_local(). The current version does not
grab the reference when getting the local from the linked list. For
example, the llcp_sock_bind() gets the reference like below:

// llcp_sock_bind()

    local = nfc_llcp_find_local(dev); // A
    ..... \
           | raceable
    ..... /
    llcp_sock->local = nfc_llcp_local_get(local); // B

There is an apparent race window that one can drop the reference
and free the local object fetched in (A) before (B) gets the reference.

2. Some callers of the nfc_llcp_find_local() do not grab the reference
at all. For example, the nfc_genl_llc_{{get/set}_params/sdreq} functions.
We add the nfc_llcp_local_put() for them. Moreover, we add the necessary
error handling function to put the reference.

3. Add the nfc_llcp_remove_local() helper. The local object is removed
from the linked list in local_release() when all reference is gone. This
patch removes it when nfc_llcp_unregister_device() is called.

Therefore, every caller of nfc_llcp_find_local() will get a reference
even when the nfc_llcp_unregister_device() is called. This promises no
use-after-free for the local object is ever possible.

Fixes: 52feb444a903 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support")
Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 6709d4b7bc2e079241fdef15d1160581c5261c10)
CVE-2023-3863
Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>

Author: Pablo Neira Ayuso
Author Date: 2023-08-03 18:31:02 UTC

netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR

On error when building the rule, the immediate expression unbinds the
chain, hence objects can be deactivated by the transaction records.

Otherwise, it is possible to trigger the following warning:

 WARNING: CPU: 3 PID: 915 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
 CPU: 3 PID: 915 Comm: chain-bind-err- Not tainted 6.1.39 #1
 RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]

Fixes: 4bedf9eee016 ("netfilter: nf_tables: fix chain binding transaction logic")
Reported-by: Kevin Rich <kevinrich1337@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 0a771f7b266b02d262900c75f1e175c7fe76fec2)
CVE-2023-4015
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>

Author: Timo Aaltonen
Author Date: 2022-11-02 11:30:18 UTC

UBUNTU: Ubuntu-oem-5.17-5.17.0-1021.22

Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>

Author: Timo Aaltonen
Author Date: 2022-10-18 19:43:59 UTC

UBUNTU: Ubuntu-oem-6.0-6.0.0-1006.6

Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>