~ubuntu-kernel/ubuntu/+source/linux/+git/mantic:master-next--s2024.03.04-1

Last commit made on 2024-03-28
Get this branch:
git clone -b master-next--s2024.03.04-1 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/mantic

Branch information

Name:
master-next--s2024.03.04-1
Repository:
lp:~ubuntu-kernel/ubuntu/+source/linux/+git/mantic

Recent commits

d5fdb47... by Edward Adam Davis <email address hidden>

jfs: fix uaf in jfs_evict_inode

When the execution of diMount(ipimap) fails, the object ipimap that has been
released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs
when rcu_core() calls jfs_free_node().

Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as
ipimap.

Reported-and-tested-by: <email address hidden>
Signed-off-by: Edward Adam Davis <email address hidden>
Signed-off-by: Dave Kleikamp <email address hidden>

CVE-2023-52600
(cherry picked from commit e0e1958f4c365e380b17ccb35617345b31ef7bf3)
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

6886d89... by Osama Muhammad <email address hidden>

UBSAN: array-index-out-of-bounds in dtSplitRoot

BugLink: https://bugs.launchpad.net/bugs/2059284

[ Upstream commit 27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16 ]

Syzkaller reported the following issue:

oop0: detected capacity change from 0 to 32768

UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9
index -2 is out of range for type 'struct dtslot [128]'
CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283
 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971
 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]
 dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863
 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270
 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013
 do_mkdirat+0x279/0x550 fs/namei.c:4038
 __do_sys_mkdirat fs/namei.c:4053 [inline]
 __se_sys_mkdirat fs/namei.c:4051 [inline]
 __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fcdc0113fd9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9
RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0
R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000
 </TASK>

The issue is caused when the value of fsi becomes less than -1.
The check to break the loop when the fsi value becomes -1 is present,
but syzbot was able to produce a value less than -1, which causes the error.
This patch simply adds the change for values less than 0.

The patch is tested via syzbot.

Reported-and-tested-by: <email address hidden>
Link: https://syzkaller.appspot.com/bug?extid=d4b1df2e9d4ded6488ec
Signed-off-by: Osama Muhammad <email address hidden>
Signed-off-by: Dave Kleikamp <email address hidden>
Signed-off-by: Sasha Levin <email address hidden>

CVE-2023-52603
Signed-off-by: Manuel Diewald <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

d2a8df2... by Pablo Neira Ayuso <email address hidden>

netfilter: nft_set_rbtree: skip end interval element from gc

rbtree lazy gc on insert might collect an end interval element that has
just been added in this transaction; skip end interval elements that
are not yet active.

Fixes: f718863aca46 ("netfilter: nft_set_rbtree: fix overlap expiration walk")
Cc: <email address hidden>
Reported-by: lonial con <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
(cherry picked from commit 60c0c230c6f046da536d3df8b39a20b9a9fd6af0)
CVE-2024-26581
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Cengiz Can <email address hidden>
Acked-by: Philip Cox <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

f5b6e0d... by Hao Sun

bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

BugLink: https://bugs.launchpad.net/bugs/2056403

[ Upstream commit 22c7fa171a02d310e3a3f6ed46a698ca8a0060ed ]

For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
for validation. However, variable offset ptr alu is not prohibited
for this ptr kind. So the variable offset is not checked.

The following prog is accepted:

  func#0 @0
  0: R1=ctx() R10=fp0
  0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx()
  1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys()
  2: (b7) r8 = 1024 ; R8_w=1024
  3: (37) r8 /= 1 ; R8_w=scalar()
  4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0,
  smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
  5: (0f) r7 += r8
  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
  mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024
  mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
  mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024
  6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off
  =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,
  var_off=(0x0; 0x400))
  6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar()
  7: (95) exit

This prog loads flow_keys into r7, adds the variable offset r8
to r7, and finally causes an out-of-bounds access:

  BUG: unable to handle page fault for address: ffffc90014c80038
  [...]
  Call Trace:
   <TASK>
   bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
   __bpf_prog_run include/linux/filter.h:651 [inline]
   bpf_prog_run include/linux/filter.h:658 [inline]
   bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
   bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
   bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
   bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
   __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475
   __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
   __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fix this by rejecting ptr alu with variable offset on flow_keys.
Applying the patch rejects the program with "R7 pointer arithmetic
on flow_keys prohibited".

Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
Signed-off-by: Hao Sun <email address hidden>
Signed-off-by: Daniel Borkmann <email address hidden>
Acked-by: Yonghong Song <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Sasha Levin <email address hidden>

CVE-2024-26589
Signed-off-by: Portia Stephens <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

571b841... by Jiri Olsa

bpf: Fix re-attachment branch in bpf_tracing_prog_attach

BugLink: https://bugs.launchpad.net/bugs/2056403

commit 715d82ba636cb3629a6e18a33bb9dbe53f9936ee upstream.

The following case can cause a crash due to missing attach_btf:

1) load rawtp program
2) load fentry program with rawtp as target_fd
3) create tracing link for fentry program with target_fd = 0
4) repeat 3

In the end we have:

- prog->aux->dst_trampoline == NULL
- tgt_prog == NULL (because we did not provide target_fd to link_create)
- prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X)
- the program was loaded for tgt_prog but we have no way to find out which one

    BUG: kernel NULL pointer dereference, address: 0000000000000058
    Call Trace:
     <TASK>
     ? __die+0x20/0x70
     ? page_fault_oops+0x15b/0x430
     ? fixup_exception+0x22/0x330
     ? exc_page_fault+0x6f/0x170
     ? asm_exc_page_fault+0x22/0x30
     ? bpf_tracing_prog_attach+0x279/0x560
     ? btf_obj_id+0x5/0x10
     bpf_tracing_prog_attach+0x439/0x560
     __sys_bpf+0x1cf4/0x2de0
     __x64_sys_bpf+0x1c/0x30
     do_syscall_64+0x41/0xf0
     entry_SYSCALL_64_after_hwframe+0x6e/0x76

Return -EINVAL in this situation.

Fixes: f3a95075549e0 ("bpf: Allow trampoline re-attach for tracing and lsm programs")
Cc: <email address hidden>
Signed-off-by: Jiri Olsa <email address hidden>
Acked-by: Jiri Olsa <email address hidden>
Acked-by: Song Liu <email address hidden>
Signed-off-by: Dmitrii Dolgov <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Alexei Starovoitov <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>

CVE-2024-26591
Signed-off-by: Portia Stephens <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

1a20f46... by Johannes Berg

wifi: iwlwifi: pcie: fix RB status reading

BugLink: https://bugs.launchpad.net/bugs/2058808

On newer hardware, a queue's RB status / write pointer
can be bigger than 4095 (0xFFF), so we cannot mask the
value by 0xFFF unconditionally. Since that's only
necessary on older hardware anyway, move the masking to
the helper function and apply it only for older HW.
This also moves the endian conversion in, to handle it
more easily.

Signed-off-by: Johannes Berg <email address hidden>
Signed-off-by: Gregory Greenman <email address hidden>
Link: https://lore.kernel.org/r/20230830112059.7be2a3fff6f4.I94f11dee314a4f7c1941d2d223936b1fa8aa9ee4@changeid
Signed-off-by: Johannes Berg <email address hidden>

(cherry picked from commit 9f9797c7de18d2ec6be4ef6e0abbaea585040b39)
Signed-off-by: Aaron Ma <email address hidden>
Acked-by: Timo Aaltonen <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

cc7f506... by Roxana Nicolescu

UBUNTU: Ubuntu-6.5.0-27.28

Signed-off-by: Roxana Nicolescu <email address hidden>

296571d... by Roxana Nicolescu

UBUNTU: debian.master/dkms-versions -- update from kernel-versions (main/2024.03.04)

BugLink: https://bugs.launchpad.net/bugs/1786013
Signed-off-by: Roxana Nicolescu <email address hidden>

d565cc6... by Roxana Nicolescu

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/2055584
Properties: no-test-build
Signed-off-by: Roxana Nicolescu <email address hidden>

641e282... by Roxana Nicolescu

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Roxana Nicolescu <email address hidden>