~kamalmostafa/ubuntu/+source/linux/+git/yakkety:master-next

Last commit made on 2017-06-29
Get this branch:
git clone -b master-next https://git.launchpad.net/~kamalmostafa/ubuntu/+source/linux/+git/yakkety
Recent commits

5503c4d... by Thadeu Lima de Souza Cascardo

UBUNTU: Ubuntu-4.8.0-59.64

Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

9a5962f... by Shih-Yuan Lee

Bluetooth: btusb: Add support for 0489:e0a2 QCA_ROME device

BugLink: http://bugs.launchpad.net/bugs/1699651

T: Bus=01 Lev=01 Prnt=01 Port=06 Cnt=03 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e0a2 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: Shih-Yuan Lee (FourDollars) <email address hidden>
Suggested-by: Owen Lin <email address hidden>
Signed-off-by: Marcel Holtmann <email address hidden>
(cherry picked from commit 06e41d8a36689f465006f017bbcd8a73edb98109 linux-next)
Signed-off-by: AceLan Kao <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

8e827f9... by "J. Bruce Fields" <email address hidden>

nfsd: stricter decoding of write-like NFSv2/v3 ops

CVE-2017-7895

The NFSv2/v3 code does not systematically check whether we decode past
the end of the buffer. This generally appears to be harmless, but there
are a few places where we do arithmetic on the pointers involved and
don't account for the possibility that a length could be negative. Add
checks to catch these.

Reported-by: Tuomas Haanpää <email address hidden>
Reported-by: Ari Kauppi <email address hidden>
Reviewed-by: NeilBrown <email address hidden>
Cc: <email address hidden>
Signed-off-by: J. Bruce Fields <email address hidden>
(cherry picked from commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309)

Signed-off-by: Po-Hsu Lin <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
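As an added illustration of the kind of check the commit above describes, this is example code, not nfsd's own XDR decoder: a length-prefixed opaque (the shape of the NFSv2/v3 WRITE payload) is decoded by comparing the wire length against the bytes remaining, kept unsigned, instead of adding the length to a pointer. All names are assumptions for illustration.

```c
/* Added example (not nfsd code): bounds-checked XDR decode of
 * <u32 length><bytes><pad to 4>. Names are illustrative only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct xdr_cursor {
    const uint8_t *p;      /* next byte to decode */
    const uint8_t *end;    /* one past the last valid byte */
};

static bool xdr_get_u32(struct xdr_cursor *c, uint32_t *out)
{
    /* Compare the remaining length, never "p + 4 > end": forming a
     * pointer past the buffer is undefined and may wrap. */
    if ((size_t)(c->end - c->p) < 4)
        return false;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8)  |  (uint32_t)c->p[3];
    c->p += 4;
    return true;
}

/* The length stays uint32_t so a wire value >= 2^31 can never turn
 * negative in later arithmetic; the pad is checked without n + 3. */
static bool xdr_get_opaque(struct xdr_cursor *c, const uint8_t **data,
                           uint32_t *len)
{
    uint32_t n;
    if (!xdr_get_u32(c, &n))
        return false;
    size_t remaining = (size_t)(c->end - c->p);
    if (n > remaining)
        return false;
    size_t pad = (4 - (n & 3)) & 3;        /* 0..3 bytes of XDR padding */
    if (pad > remaining - n)
        return false;
    *data = c->p;
    *len = n;
    c->p += (size_t)n + pad;
    return true;
}

/* Decode one opaque from a constructed message; returns the payload
 * length, or -1 when the message is rejected as truncated or malformed. */
static long decode_write_payload(const uint8_t *msg, size_t msglen)
{
    struct xdr_cursor c = { msg, msg + msglen };
    const uint8_t *data;
    uint32_t len;
    return xdr_get_opaque(&c, &data, &len) ? (long)len : -1;
}
```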

a4a1fb7... by "J. Bruce Fields" <email address hidden>

nfsd4: minor NFSv2/v3 write decoding cleanup

CVE-2017-7895

Use a couple shortcuts that will simplify a following bugfix.

Cc: <email address hidden>
Signed-off-by: J. Bruce Fields <email address hidden>
(cherry picked from commit db44bac41bbfc0c0d9dd943092d8bded3c9db19b)

Signed-off-by: Po-Hsu Lin <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

dec635b... by Gu Zheng <email address hidden>

tmpfs: clear S_ISGID when setting posix ACLs

CVE-2017-5551

This change was missed for tmpfs in the CVE-2016-7097 commit
073931017b49 ("posix_acl: Clear SGID bit when setting
file permissions").
It can be tested by xfstest generic/375, which fails to clear the
setgid bit in the following test case on tmpfs:

  touch $testfile
  chown 100:100 $testfile
  chmod 2755 $testfile
  _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile

Signed-off-by: Gu Zheng <email address hidden>
Signed-off-by: Al Viro <email address hidden>
(cherry picked from commit 497de07d89c1410d76a15bec2bb41f24a2a89f31)

Signed-off-by: Po-Hsu Lin <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

9986f63... by Sinclair Yeh

drm/vmwgfx: Make sure backup_handle is always valid

When vmw_gb_surface_define_ioctl() is called with an existing buffer,
we end up returning an uninitialized variable in the backup_handle.

The fix is to first initialize backup_handle to 0 just to be sure, and
second, when a user-provided buffer is found, we will use the
req->buffer_handle as the backup_handle.

Cc: <email address hidden>
Reported-by: Murray McAllister <email address hidden>
Signed-off-by: Sinclair Yeh <email address hidden>
Reviewed-by: Deepak Rawat <email address hidden>

CVE-2017-9605

(cherry picked from commit 07678eca2cf9c9a18584e546c2b2a0d0c9a3150c)
Signed-off-by: Stefan Bader <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Acked-by: Po-Hsu Lin <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

422db0f... by Takashi Iwai

ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT

snd_timer_user_tselect() reallocates the queue buffer dynamically, but
it forgot to reset its indices. Since the read may happen
concurrently with ioctl and snd_timer_user_tselect() allocates the
buffer via kmalloc(), this may lead to the leak of uninitialized
kernel-space data, as spotted via KMSAN:

  BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
  CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x143/0x1b0 lib/dump_stack.c:52
   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
   kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
   copy_to_user ./arch/x86/include/asm/uaccess.h:725
   snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
   do_loop_readv_writev fs/read_write.c:716
   __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
   do_readv_writev fs/read_write.c:894
   vfs_readv fs/read_write.c:908
   do_readv+0x52a/0x5d0 fs/read_write.c:934
   SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
   SyS_readv+0x87/0xb0 fs/read_write.c:1018

This patch adds the missing reset of queue indices. Together with the
previous fix for the ioctl/read race, we cover the whole problem.

Reported-by: Alexander Potapenko <email address hidden>
Tested-by: Alexander Potapenko <email address hidden>
Cc: <email address hidden>
Signed-off-by: Takashi Iwai <email address hidden>

CVE-2017-1000380

(cherry-picked from commit ba3021b2c79b2fa9114f92790a99deb27a65b728)
Signed-off-by: Stefan Bader <email address hidden>
Acked-by: Seth Forshee <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

3b20bab... by Takashi Iwai

ALSA: timer: Fix race between read and ioctl

A read from the ALSA timer device, the function snd_timer_user_tread(),
may access uninitialized struct snd_timer_user fields when the
read is performed concurrently with an ioctl like
snd_timer_user_tselect(). We have already fixed the races
among ioctls via a mutex, but we seem to have forgotten the race
between read and ioctl.

This patch simply applies (more exactly extends the already applied
range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
race window.

Reported-by: Alexander Potapenko <email address hidden>
Tested-by: Alexander Potapenko <email address hidden>
Cc: <email address hidden>
Signed-off-by: Takashi Iwai <email address hidden>

CVE-2017-1000380

(cherry-picked from commit d11662f4f798b50d8c8743f433842c3e40fe3378)
Signed-off-by: Stefan Bader <email address hidden>
Acked-by: Seth Forshee <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

f4dfabe... by Daniel Borkmann

bpf: don't let ldimm64 leak map addresses on unprivileged

CVE-2017-9150

The patch fixes two things at once:

1) It checks the env->allow_ptr_leaks and only prints the map address to
   the log if we have the privileges to do so, otherwise it just dumps 0
   as we would when kptr_restrict is enabled on %pK. Given the latter is
   off by default and not every distro sets it, I don't want to rely on
   this, hence the 0 by default for unprivileged.

2) Printing of ldimm64 in the verifier log is currently broken in that
   we don't print the full immediate, but only the 32 bit part of the
   first insn part for ldimm64. Thus, fix this up as well; it's okay to
   access, since we verified all ldimm64 earlier already (including just
   constants) through replace_map_fd_with_map_ptr().

Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
Fixes: cbd357008604 ("bpf: verifier (add ability to receive verification log)")
Reported-by: Jann Horn <email address hidden>
Signed-off-by: Daniel Borkmann <email address hidden>
Acked-by: Alexei Starovoitov <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(backported from commit 0d0e57697f162da4aa218b5feafe614fb666db07)
Signed-off-by: Wen-chien Jesse Sung <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Shrirang Bagul <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

d264591... by Eric Anholt

drm/vc4: Fix an integer overflow in temporary allocation layout.

We copy the unvalidated ioctl arguments from the user into kernel
temporary memory to run the validation from, to avoid a race where the
user updates the unvalidated contents in between validating them and
copying them into the validated BO.

However, in setting up the layout of the kernel side, we failed to
check one of the additions (the roundup() for shader_rec_offset)
against integer overflow, allowing a nearly MAX_UINT value of
bin_cl_size to cause us to under-allocate the temporary space that we
then copy_from_user into.

Reported-by: Murray McAllister <email address hidden>
Signed-off-by: Eric Anholt <email address hidden>
Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")

CVE-2017-5576

(cherry picked from commit 0f2ff82e11c86c05d051cae32b58226392d33bbf)
Signed-off-by: Po-Hsu Lin <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Colin King <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
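As an added example of the overflow check the vc4 commit above describes, not the driver's own code: a temporary-buffer layout computed from several user-controlled sizes, first the naive way (where roundup() on a near-UINT32_MAX bin_cl_size wraps and under-sizes the allocation) and then with every addition checked. The struct and function names are assumptions modelled on the message; __builtin_add_overflow is the GCC/Clang builtin that the kernel's check_add_overflow() wraps.

```c
/* Added example (not vc4 driver code): naive vs. overflow-checked layout
 * of a temporary buffer built from user-supplied sizes. Names assumed. */
#include <stdbool.h>
#include <stdint.h>

struct submit_args {            /* constructed stand-in for the ioctl args */
    uint32_t bin_cl_size;
    uint32_t shader_rec_size;
    uint32_t uniforms_size;
};

struct layout {
    uint32_t shader_rec_offset;
    uint32_t uniforms_offset;
    uint32_t exec_size;         /* total bytes allocated and copied into */
};

/* Wraps silently: x + align - 1 overflows for x near UINT32_MAX. */
static uint32_t roundup_u32(uint32_t x, uint32_t align)
{
    return (x + align - 1) / align * align;
}

/* Naive layout: a wrapped shader_rec_offset yields a tiny exec_size,
 * so the later copy_from_user-style copy overruns the allocation. */
static void layout_naive(const struct submit_args *a, struct layout *l)
{
    l->shader_rec_offset = roundup_u32(a->bin_cl_size, 16);
    l->uniforms_offset   = l->shader_rec_offset + a->shader_rec_size;
    l->exec_size         = l->uniforms_offset + a->uniforms_size;
}

/* Hardened layout: the addition hidden inside roundup() and both
 * subsequent additions are checked; any wrap rejects the request. */
static bool layout_checked(const struct submit_args *a, struct layout *l)
{
    uint32_t padded;
    if (__builtin_add_overflow(a->bin_cl_size, 15u, &padded))
        return false;
    l->shader_rec_offset = padded & ~15u;           /* roundup to 16 */
    if (__builtin_add_overflow(l->shader_rec_offset, a->shader_rec_size,
                               &l->uniforms_offset))
        return false;
    if (__builtin_add_overflow(l->uniforms_offset, a->uniforms_size,
                               &l->exec_size))
        return false;
    return true;
}
```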