author | Salvatore Bonaccorso <carnil@debian.org> | 2021-06-23 15:40:04 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2021-06-23 21:41:08 +0200 |
commit | ee11bfc383ff2bb9e037e58c408e0819aefdc7d1 (patch) | |
tree | e503454b553335780dc10529a6e74b628aafed32 | |
parent | 1a4b3ac2923e16a6202d27aaf216546ff69678ec (diff) | |
Update to 5.10.46
Drop patches applied upstream for CVE fixes
Cleanup debian/changelog file
6 files changed, 118 insertions, 419 deletions
diff --git a/debian/changelog b/debian/changelog index 5cdfa86cc5dc..45621b4720e2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (5.10.45-1) UNRELEASED; urgency=medium +linux (5.10.46-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.41 
@@ -477,6 +477,123 @@ linux (5.10.45-1) UNRELEASED; urgency=medium - rtnetlink: Fix missing error code in rtnl_bridge_notify() - net: Return the correct errno code - fib: Return the correct errno code + https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.46 + - afs: Fix an IS_ERR() vs NULL check + - mm/memory-failure: make sure wait for page writeback in memory_failure + - [x86] kvm: LAPIC: Restore guard to prevent illegal APIC register access + - fanotify: fix copy_event_to_user() fid error clean up + - batman-adv: Avoid WARN_ON timing related checks + - mac80211: fix skb length check in ieee80211_scan_rx() + - net: ipv4: fix memory leak in netlbl_cipsov4_add_std + - vrf: fix maximum MTU + - net: rds: fix memory leak in rds_recvmsg + - [arm64] net: dsa: felix: re-enable TX flow control in ocelot_port_flush() + - netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local + - ice: add ndo_bpf callback for safe mode netdev ops + - ice: parameterize functions responsible for Tx ring management + - udp: fix race between close() and udp_abort() + - rtnetlink: Fix regression in bridge VLAN configuration + - net/sched: act_ct: handle DNAT tuple collision + - net/mlx5e: Fix page reclaim for dead peer hairpin + - net/mlx5: Consider RoCE cap before init RDMA resources + - net/mlx5: DR, Allow SW steering for sw_owner_v2 devices + - net/mlx5: DR, Don't use SW steering when RoCE is not supported + - net/mlx5e: Block offload of outer header csum for UDP tunnels + - netfilter: synproxy: Fix out of bounds when parsing TCP options + - sch_cake: Fix out of bounds when parsing TCP options and header + - alx: Fix an error handling path in 'alx_probe()' + - cxgb4: fix endianness when flashing boot image + - cxgb4: fix sleep in atomic when flashing PHY firmware + - cxgb4: halt chip before flashing PHY firmware image + - net: make get_net_ns return error if NET_NS is disabled + - ethtool: strset: fix message length calculation + - qlcnic: Fix an error handling path in 
'qlcnic_probe()' + - netxen_nic: Fix an error handling path in 'netxen_nic_probe()' + - cxgb4: fix wrong ethtool n-tuple rule lookup + - ipv4: Fix device used for dst_alloc with local routes + - net: qrtr: fix OOB Read in qrtr_endpoint_post + - bpf: Fix leakage under speculation on mispredicted branches + (CVE-2021-33624) + - ptp: improve max_adj check against unreasonable values + - net: cdc_ncm: switch to eth%d interface naming + - net: usb: fix possible use-after-free in smsc75xx_bind + - [arm64,armhf] net: fec_ptp: fix issue caused by refactor the fec_devtype + - net: ipv4: fix memory leak in ip_mc_add1_src + - net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock + - net/mlx5: E-Switch, Read PF mac address + - net/mlx5: E-Switch, Allow setting GUID for host PF vport + - net/mlx5: Reset mkey index on creation + - be2net: Fix an error handling path in 'be_probe()' + - net: hamradio: fix memory leak in mkiss_close + - net: cdc_eem: fix tx fixup skb leak + - cxgb4: fix wrong shift. 
+ - bnxt_en: Rediscover PHY capabilities after firmware reset + - bnxt_en: Fix TQM fastpath ring backing store computation + - bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path + - icmp: don't send out ICMP messages with a source address of 0.0.0.0 + - [x86] platform/x86: thinkpad_acpi: Add X1 Carbon Gen 9 second fan support + - sched/pelt: Ensure that *_sum is always synced with *_avg + - [armhf] spi: stm32-qspi: Always wait BUSY bit to be cleared in + stm32_qspi_wait_cmd() + - ASoC: rt5682: Fix the fast discharge for headset unplugging in soundwire + mode + - [arm64,armhf] drm/sun4i: dw-hdmi: Make HDMI PHY into a platform device + - [arm64] ASoC: qcom: lpass-cpu: Fix pop noise during audio capture begin + - radeon: use memcpy_to/fromio for UVD fw upload + - mm: relocate 'write_protect_seq' in struct mm_struct + - [arm64,armhf] irqchip/gic-v3: Workaround inconsistent PMR setting on NMI + entry + - bpf: Inherit expanded/patched seen count from old aux data + (CVE-2021-33624) + - bpf: Do not mark insn as seen under speculative path verification + (CVE-2021-33624) + - can: bcm: fix infoleak in struct bcm_msg_head (CVE-2021-34693) + - can: bcm/raw/isotp: use per module netdevice notifier + - can: j1939: fix Use-after-Free, hold skb ref while in use + - can: mcba_usb: fix memory leak in mcba_usb + - usb: core: hub: Disable autosuspend for Cypress CY7C65632 + - [arm64,armhf] usb: chipidea: imx: Fix Battery Charger 1.2 CDP detection + - tracing: Do not stop recording cmdlines when tracing is off + - tracing: Do not stop recording comms if the trace file is being read + - tracing: Do no increment trace_clock_global() by one + - PCI: Mark TI C667X to avoid bus reset + - PCI: Mark some NVIDIA GPUs to avoid bus reset + - [arm64] PCI: aardvark: Fix kernel panic during PIO transfer + - PCI: Add ACS quirk for Broadcom BCM57414 NIC + - PCI: Work around Huawei Intelligent NIC VF FLR erratum + - [x86] KVM: x86: Immediately reset the MMU context when the SMM flag is + 
cleared + - [x86] KVM: x86/mmu: Calculate and check "full" mmu_role for nested MMU + - [x86] KVM: X86: Fix x86_emulator slab cache leak + - [s390x] mcck: fix calculation of SIE critical section size + - [s390x] ap: Fix hanging ioctl caused by wrong msg counter + - [amd64] x86/mm: Avoid truncating memblocks for SGX memory + - [x86] process: Check PF_KTHREAD and not current->mm for kernel threads + - [x86] ioremap: Map EFI-reserved memory as encrypted for SEV + - [x86] pkru: Write hardware init value to PKRU when xstate is init + - [x86] fpu: Prevent state corruption in __fpu__restore_sig() + - [x86] fpu: Invalidate FPU state after a failed XRSTOR from a user buffer + - [x86] fpu: Reset state for all signal restore failures + - crash_core, vmcoreinfo: append 'SECTION_SIZE_BITS' to vmcoreinfo + - [arm64,armhf] dmaengine: pl330: fix wrong usage of spinlock flags in + dma_cyclc + - mac80211: Fix NULL ptr deref for injected rate info + - cfg80211: avoid double free of PMSR request + - drm/amdgpu/gfx10: enlarge CP_MEC_DOORBELL_RANGE_UPPER to cover full + doorbell. + - drm/amdgpu/gfx9: fix the doorbell missing when in CGPG issue. + - net: ll_temac: Fix TX BD buffer overwrite + - net: bridge: fix vlan tunnel dst null pointer dereference + - net: bridge: fix vlan tunnel dst refcnt when egressing + - mm/swap: fix pte_same_as_swp() not removing uffd-wp bit when compare + - mm/slub: clarify verification reporting + - mm/slub: fix redzoning for small allocations + - mm/slub: actually fix freelist pointer vs redzoning + - mm/slub.c: include swab.h + - net: stmmac: disable clocks in stmmac_remove_config_dt() + - [arm64,armhf] net: fec_ptp: add clock rate zero check + - [arm64,armhf] usb: dwc3: debugfs: Add and remove endpoint dirs dynamically + - [arm64,armhf] usb: dwc3: core: fix kernel panic when do reboot [ Josua Mayer ] * [armhf] drivers/bluetooth: Enable BT_HCIUART as a module, with support 
@@ -495,13 +612,8 @@ linux (5.10.45-1) UNRELEASED; urgency=medium * Ignore some ABI changes that should not affect OOT modules * Bump ABI to 8 * [rt] Refresh "tracing: Merge irqflags + preempt counter" - * can: bcm: fix infoleak in struct bcm_msg_head (CVE-2021-34693) * can: bcm: delay release of struct bcm_op after synchronize_rcu() (CVE-2021-3609) - * bpf: Inherit expanded/patched seen count from old aux data (CVE-2021-33624) - * bpf: Do not mark insn as seen under speculative path verification - (CVE-2021-33624) - * bpf: Fix leakage under speculation on mispredicted branches (CVE-2021-33624) [ Vagrant Cascadian ] * [arm64] Add pwm-rockchip to fb-modules udeb. diff --git a/debian/patches/bugfix/all/bpf-Do-not-mark-insn-as-seen-under-speculative-path-.patch b/debian/patches/bugfix/all/bpf-Do-not-mark-insn-as-seen-under-speculative-path-.patch deleted file mode 100644 index 85e950ab71c7..000000000000 --- a/debian/patches/bugfix/all/bpf-Do-not-mark-insn-as-seen-under-speculative-path-.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From: Daniel Borkmann <daniel@iogearbox.net> -Date: Fri, 28 May 2021 13:47:27 +0000 -Subject: bpf: Do not mark insn as seen under speculative path verification -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=00acadc662e55bfcf5e00ca31da2e5338a01c1c5 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-33624 - -[ Upstream commit fe9a5ca7e370e613a9a75a13008a3845ea759d6e ] - -... in such circumstances, we do not want to mark the instruction as seen given -the goal is still to jmp-1 rewrite/sanitize dead code, if it is not reachable -from the non-speculative path verification. We do however want to verify it for -safety regardless. - -With the patch as-is all the insns that have been marked as seen before the -patch will also be marked as seen after the patch (just with a potentially -different non-zero count). An upcoming patch will also verify paths that are -unreachable in the non-speculative domain, hence this extension is needed. - -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> -Reviewed-by: John Fastabend <john.fastabend@gmail.com> -Reviewed-by: Benedict Schlueter <benedict.schlueter@rub.de> -Reviewed-by: Piotr Krysiuk <piotras@gmail.com> -Acked-by: Alexei Starovoitov <ast@kernel.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - kernel/bpf/verifier.c | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 71ac1da127a6..e97724e36dfb 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -5851,6 +5851,19 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, - return !ret ? 
REASON_STACK : 0; - } - -+static void sanitize_mark_insn_seen(struct bpf_verifier_env *env) -+{ -+ struct bpf_verifier_state *vstate = env->cur_state; -+ -+ /* If we simulate paths under speculation, we don't update the -+ * insn as 'seen' such that when we verify unreachable paths in -+ * the non-speculative domain, sanitize_dead_code() can still -+ * rewrite/sanitize them. -+ */ -+ if (!vstate->speculative) -+ env->insn_aux_data[env->insn_idx].seen = env->pass_cnt; -+} -+ - static int sanitize_err(struct bpf_verifier_env *env, - const struct bpf_insn *insn, int reason, - const struct bpf_reg_state *off_reg, -@@ -9847,7 +9860,7 @@ static int do_check(struct bpf_verifier_env *env) - } - - regs = cur_regs(env); -- env->insn_aux_data[env->insn_idx].seen = env->pass_cnt; -+ sanitize_mark_insn_seen(env); - prev_insn_idx = env->insn_idx; - - if (class == BPF_ALU || class == BPF_ALU64) { -@@ -10067,7 +10080,7 @@ static int do_check(struct bpf_verifier_env *env) - return err; - - env->insn_idx++; -- env->insn_aux_data[env->insn_idx].seen = env->pass_cnt; -+ sanitize_mark_insn_seen(env); - } else { - verbose(env, "invalid BPF_LD mode\n"); - return -EINVAL; -@@ -11741,6 +11754,9 @@ static void free_states(struct bpf_verifier_env *env) - * insn_aux_data was touched. These variables are compared to clear temporary - * data from failed pass. For testing and experiments do_check_common() can be - * run multiple times even when prior attempt to verify is unsuccessful. -+ * -+ * Note that special handling is needed on !env->bypass_spec_v1 if this is -+ * ever called outside of error path with subsequent program rejection. - */ - static void sanitize_insn_aux_data(struct bpf_verifier_env *env) - { --- -2.32.0 - diff --git a/debian/patches/bugfix/all/bpf-Fix-leakage-under-speculation-on-mispredicted-br.patch b/debian/patches/bugfix/all/bpf-Fix-leakage-under-speculation-on-mispredicted-br.patch deleted file mode 100644 index 15a4697b748f..000000000000 
--- a/debian/patches/bugfix/all/bpf-Fix-leakage-under-speculation-on-mispredicted-br.patch +++ /dev/null 
@@ -1,221 +0,0 @@ -From: Daniel Borkmann <daniel@iogearbox.net> -Date: Fri, 28 May 2021 15:47:32 +0000 -Subject: bpf: Fix leakage under speculation on mispredicted branches -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=bdc75fc8e3f4bb9c674bdc6b7c789de706c378f8 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-33624 - -[ Upstream commit 9183671af6dbf60a1219371d4ed73e23f43b49db ] - -The verifier only enumerates valid control-flow paths and skips paths that -are unreachable in the non-speculative domain. And so it can miss issues -under speculative execution on mispredicted branches. - -For example, a type confusion has been demonstrated with the following -crafted program: - - // r0 = pointer to a map array entry - // r6 = pointer to readable stack slot - // r9 = scalar controlled by attacker - 1: r0 = *(u64 *)(r0) // cache miss - 2: if r0 != 0x0 goto line 4 - 3: r6 = r9 - 4: if r0 != 0x1 goto line 6 - 5: r9 = *(u8 *)(r6) - 6: // leak r9 - -Since line 3 runs iff r0 == 0 and line 5 runs iff r0 == 1, the verifier -concludes that the pointer dereference on line 5 is safe. But: if the -attacker trains both the branches to fall-through, such that the following -is speculatively executed ... - - r6 = r9 - r9 = *(u8 *)(r6) - // leak r9 - -... then the program will dereference an attacker-controlled value and could -leak its content under speculative execution via side-channel. This requires -to mistrain the branch predictor, which can be rather tricky, because the -branches are mutually exclusive. However such training can be done at -congruent addresses in user space using different branches that are not -mutually exclusive. That is, by training branches in user space ... - - A: if r0 != 0x0 goto line C - B: ... - C: if r0 != 0x0 goto line D - D: ... - -... 
such that addresses A and C collide to the same CPU branch prediction -entries in the PHT (pattern history table) as those of the BPF program's -lines 2 and 4, respectively. A non-privileged attacker could simply brute -force such collisions in the PHT until observing the attack succeeding. - -Alternative methods to mistrain the branch predictor are also possible that -avoid brute forcing the collisions in the PHT. A reliable attack has been -demonstrated, for example, using the following crafted program: - - // r0 = pointer to a [control] map array entry - // r7 = *(u64 *)(r0 + 0), training/attack phase - // r8 = *(u64 *)(r0 + 8), oob address - // [...] - // r0 = pointer to a [data] map array entry - 1: if r7 == 0x3 goto line 3 - 2: r8 = r0 - // crafted sequence of conditional jumps to separate the conditional - // branch in line 193 from the current execution flow - 3: if r0 != 0x0 goto line 5 - 4: if r0 == 0x0 goto exit - 5: if r0 != 0x0 goto line 7 - 6: if r0 == 0x0 goto exit - [...] - 187: if r0 != 0x0 goto line 189 - 188: if r0 == 0x0 goto exit - // load any slowly-loaded value (due to cache miss in phase 3) ... - 189: r3 = *(u64 *)(r0 + 0x1200) - // ... and turn it into known zero for verifier, while preserving slowly- - // loaded dependency when executing: - 190: r3 &= 1 - 191: r3 &= 2 - // speculatively bypassed phase dependency - 192: r7 += r3 - 193: if r7 == 0x3 goto exit - 194: r4 = *(u8 *)(r8 + 0) - // leak r4 - -As can be seen, in training phase (phase != 0x3), the condition in line 1 -turns into false and therefore r8 with the oob address is overridden with -the valid map value address, which in line 194 we can read out without -issues. 
However, in attack phase, line 2 is skipped, and due to the cache -miss in line 189 where the map value is (zeroed and later) added to the -phase register, the condition in line 193 takes the fall-through path due -to prior branch predictor training, where under speculation, it'll load the -byte at oob address r8 (unknown scalar type at that point) which could then -be leaked via side-channel. - -One way to mitigate these is to 'branch off' an unreachable path, meaning, -the current verification path keeps following the is_branch_taken() path -and we push the other branch to the verification stack. Given this is -unreachable from the non-speculative domain, this branch's vstate is -explicitly marked as speculative. This is needed for two reasons: i) if -this path is solely seen from speculative execution, then we later on still -want the dead code elimination to kick in in order to sanitize these -instructions with jmp-1s, and ii) to ensure that paths walked in the -non-speculative domain are not pruned from earlier walks of paths walked in -the speculative domain. Additionally, for robustness, we mark the registers -which have been part of the conditional as unknown in the speculative path -given there should be no assumptions made on their content. - -The fix in here mitigates type confusion attacks described earlier due to -i) all code paths in the BPF program being explored and ii) existing -verifier logic already ensuring that given memory access instruction -references one specific data structure. - -An alternative to this fix that has also been looked at in this scope was to -mark aux->alu_state at the jump instruction with a BPF_JMP_TAKEN state as -well as direction encoding (always-goto, always-fallthrough, unknown), such -that mixing of different always-* directions themselves as well as mixing of -always-* with unknown directions would cause a program rejection by the -verifier, e.g. 
programs with constructs like 'if ([...]) { x = 0; } else -{ x = 1; }' with subsequent 'if (x == 1) { [...] }'. For unprivileged, this -would result in only single direction always-* taken paths, and unknown taken -paths being allowed, such that the former could be patched from a conditional -jump to an unconditional jump (ja). Compared to this approach here, it would -have two downsides: i) valid programs that otherwise are not performing any -pointer arithmetic, etc, would potentially be rejected/broken, and ii) we are -required to turn off path pruning for unprivileged, where both can be avoided -in this work through pushing the invalid branch to the verification stack. - -The issue was originally discovered by Adam and Ofek, and later independently -discovered and reported as a result of Benedict and Piotr's research work. - -Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation") -Reported-by: Adam Morrison <mad@cs.tau.ac.il> -Reported-by: Ofek Kirzner <ofekkir@gmail.com> -Reported-by: Benedict Schlueter <benedict.schlueter@rub.de> -Reported-by: Piotr Krysiuk <piotras@gmail.com> -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> -Reviewed-by: John Fastabend <john.fastabend@gmail.com> -Reviewed-by: Benedict Schlueter <benedict.schlueter@rub.de> -Reviewed-by: Piotr Krysiuk <piotras@gmail.com> -Acked-by: Alexei Starovoitov <ast@kernel.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - kernel/bpf/verifier.c | 44 +++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 40 insertions(+), 4 deletions(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 4f50d6f128be..da8fc57ff5b2 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -5740,6 +5740,27 @@ struct bpf_sanitize_info { - bool mask_to_left; - }; - -+static struct bpf_verifier_state * -+sanitize_speculative_path(struct bpf_verifier_env *env, -+ const struct bpf_insn *insn, -+ u32 next_idx, u32 curr_idx) -+{ -+ struct bpf_verifier_state *branch; -+ 
struct bpf_reg_state *regs; -+ -+ branch = push_stack(env, next_idx, curr_idx, true); -+ if (branch && insn) { -+ regs = branch->frame[branch->curframe]->regs; -+ if (BPF_SRC(insn->code) == BPF_K) { -+ mark_reg_unknown(env, regs, insn->dst_reg); -+ } else if (BPF_SRC(insn->code) == BPF_X) { -+ mark_reg_unknown(env, regs, insn->dst_reg); -+ mark_reg_unknown(env, regs, insn->src_reg); -+ } -+ } -+ return branch; -+} -+ - static int sanitize_ptr_alu(struct bpf_verifier_env *env, - struct bpf_insn *insn, - const struct bpf_reg_state *ptr_reg, -@@ -5823,7 +5844,8 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, - tmp = *dst_reg; - *dst_reg = *ptr_reg; - } -- ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); -+ ret = sanitize_speculative_path(env, NULL, env->insn_idx + 1, -+ env->insn_idx); - if (!ptr_is_dst_reg && ret) - *dst_reg = tmp; - return !ret ? REASON_STACK : 0; -@@ -7974,14 +7996,28 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, - if (err) - return err; - } -+ - if (pred == 1) { -- /* only follow the goto, ignore fall-through */ -+ /* Only follow the goto, ignore fall-through. If needed, push -+ * the fall-through branch for simulation under speculative -+ * execution. -+ */ -+ if (!env->bypass_spec_v1 && -+ !sanitize_speculative_path(env, insn, *insn_idx + 1, -+ *insn_idx)) -+ return -EFAULT; - *insn_idx += insn->off; - return 0; - } else if (pred == 0) { -- /* only follow fall-through branch, since -- * that's where the program will go -+ /* Only follow the fall-through branch, since that's where the -+ * program will go. If needed, push the goto branch for -+ * simulation under speculative execution. - */ -+ if (!env->bypass_spec_v1 && -+ !sanitize_speculative_path(env, insn, -+ *insn_idx + insn->off + 1, -+ *insn_idx)) -+ return -EFAULT; - return 0; - } - --- -2.32.0 - 
diff --git a/debian/patches/bugfix/all/bpf-Inherit-expanded-patched-seen-count-from-old-aux.patch b/debian/patches/bugfix/all/bpf-Inherit-expanded-patched-seen-count-from-old-aux.patch deleted file mode 100644 index fa90a944b4df..000000000000 --- a/debian/patches/bugfix/all/bpf-Inherit-expanded-patched-seen-count-from-old-aux.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From: Daniel Borkmann <daniel@iogearbox.net> -Date: Fri, 28 May 2021 13:03:30 +0000 -Subject: bpf: Inherit expanded/patched seen count from old aux data -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=a3af1b946a814c6aa7c3db735cba05bb096329bf -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-33624 - -[ Upstream commit d203b0fd863a2261e5d00b97f3d060c4c2a6db71 ] - -Instead of relying on current env->pass_cnt, use the seen count from the -old aux data in adjust_insn_aux_data(), and expand it to the new range of -patched instructions. This change is valid given we always expand 1:n -with n>=1, so what applies to the old/original instruction needs to apply -for the replacement as well. - -Not relying on env->pass_cnt is a prerequisite for a later change where we -want to avoid marking an instruction seen when verified under speculative -execution path. - -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> -Reviewed-by: John Fastabend <john.fastabend@gmail.com> -Reviewed-by: Benedict Schlueter <benedict.schlueter@rub.de> -Reviewed-by: Piotr Krysiuk <piotras@gmail.com> -Acked-by: Alexei Starovoitov <ast@kernel.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - kernel/bpf/verifier.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index da8fc57ff5b2..71ac1da127a6 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -10475,6 +10475,7 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, - { - struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data; - struct bpf_insn *insn = new_prog->insnsi; -+ u32 old_seen = old_data[off].seen; - u32 prog_len; - int i; - -@@ -10495,7 +10496,8 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, - memcpy(new_data + off + cnt - 1, old_data + off, - sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1)); - for (i = 
off; i < off + cnt - 1; i++) { -- new_data[i].seen = env->pass_cnt; -+ /* Expand insni[off]'s seen count to the patched range. */ -+ new_data[i].seen = old_seen; - new_data[i].zext_dst = insn_has_def32(env, insn + i); - } - env->insn_aux_data = new_data; --- -2.32.0 - diff --git a/debian/patches/bugfix/all/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch b/debian/patches/bugfix/all/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch deleted file mode 100644 index 592668c44e6c..000000000000 --- a/debian/patches/bugfix/all/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From: Norbert Slusarek <nslusarek@gmx.net> -Date: Sat, 12 Jun 2021 22:18:54 +0200 -Subject: can: bcm: fix infoleak in struct bcm_msg_head -Origin: https://git.kernel.org/linus/5e87ddbe3942e27e939bdc02deb8579b0cbd8ecc -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-34693 - -On 64-bit systems, struct bcm_msg_head has an added padding of 4 bytes between -struct members count and ival1. Even though all struct members are initialized, -the 4-byte hole will contain data from the kernel stack. This patch zeroes out -struct bcm_msg_head before usage, preventing infoleaks to userspace. - -Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") -Link: https://lore.kernel.org/r/trinity-7c1b2e82-e34f-4885-8060-2cd7a13769ce-1623532166177@3c-app-gmx-bs52 -Cc: linux-stable <stable@vger.kernel.org> -Signed-off-by: Norbert Slusarek <nslusarek@gmx.net> -Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> -Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> ---- - net/can/bcm.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/can/bcm.c b/net/can/bcm.c -index f00176b2a6c3..f3e4d9528fa3 100644 ---- a/net/can/bcm.c -+++ b/net/can/bcm.c -@@ -406,6 +406,7 @@ static enum hrtimer_restart bcm_tx_timeout_handler(struct hrtimer *hrtimer) - if (!op->count && (op->flags & TX_COUNTEVT)) { - - /* create notification to user */ -+ memset(&msg_head, 0, sizeof(msg_head)); - msg_head.opcode = TX_EXPIRED; - msg_head.flags = op->flags; - msg_head.count = op->count; -@@ -443,6 +444,7 @@ static void bcm_rx_changed(struct bcm_op *op, struct canfd_frame *data) - /* this element is not throttled anymore */ - data->flags &= (BCM_CAN_FLAGS_MASK|RX_RECV); - -+ memset(&head, 0, sizeof(head)); - head.opcode = RX_CHANGED; - head.flags = op->flags; - head.count = op->count; -@@ -564,6 +566,7 @@ static enum hrtimer_restart bcm_rx_timeout_handler(struct hrtimer *hrtimer) - } - - /* create notification to user */ -+ memset(&msg_head, 0, 
sizeof(msg_head)); - msg_head.opcode = RX_TIMEOUT; - msg_head.flags = op->flags; - msg_head.count = op->count; --- -2.32.0 - diff --git a/debian/patches/series b/debian/patches/series index b026252bc3ae..44126e6a3731 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -115,11 +115,7 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch -bugfix/all/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch bugfix/all/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch -bugfix/all/bpf-Inherit-expanded-patched-seen-count-from-old-aux.patch -bugfix/all/bpf-Do-not-mark-insn-as-seen-under-speculative-path-.patch -bugfix/all/bpf-Fix-leakage-under-speculation-on-mispredicted-br.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch |
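Review bot: removing the four CVE-tagged entries from the maintainer section in the second debian/changelog hunk (`@@ -495,13 +612,8 @@`) is only safe because the same fixes, with the same ids (CVE-2021-33624 three times, CVE-2021-34693 once), now appear under the new ChangeLog-5.10.46 block added in the first hunk; the Debian security tracker keys on those ids in the changelog, so check that none of them is lost in the move. The surviving line `* can: bcm: delay release of struct bcm_op after synchronize_rcu() (CVE-2021-3609)` is correctly kept, since that patch is still listed in debian/patches/series in the final hunk.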
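Review bot: for the deleted bpf-Do-not-mark-insn-as-seen-under-speculative-path-.patch, the `Origin:` header points at a linux-stable-rc commit (00acadc662e5…) rather than a released stable tag, and stable-rc history is rewritten before release, so "applied upstream" should be confirmed against the 5.10.46 tree itself using the id on the `[ Upstream commit fe9a5ca7e370e613a9a75a13008a3845ea759d6e ]` line. The entry `bpf: Do not mark insn as seen under speculative path verification (CVE-2021-33624)` added to the 5.10.46 list in the first hunk is that confirmation; naming the matched upstream ids in the commit message would make the drop auditable later.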
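Review bot: the deleted bpf-Fix-leakage-under-speculation-on-mispredicted-br.patch only pushes the not-taken branch for speculative simulation under `if (!env->bypass_spec_v1 &&` in check_cond_jmp_op(), and its description frames the rejection trade-offs "For unprivileged", so the exposure it closes (type confusion on a mispredicted branch, leaked via side channel) concerns kernels that accept BPF programs from loaders without the bypass flag. Dropping the file is right now that the 5.10.46 list carries `bpf: Fix leakage under speculation on mispredicted branches (CVE-2021-33624)`, but the changelog text could note that the fix applies to unprivileged loads, which is what operators assessing their exposure need to know.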
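Review bot: the deleted bpf-Inherit-expanded-patched-seen-count-from-old-aux.patch describes itself as "a prerequisite for a later change" (the Do-not-mark-insn-as-seen patch), and that patch in turn says "An upcoming patch will also verify paths that are unreachable in the non-speculative domain" (the Fix-leakage patch), so the three CVE-2021-33624 files form one set and must be dropped together, which this commit does, including their three lines in debian/patches/series. A short remark in the commit message that these three are a dependent set would help anyone later cherry-picking or reverting only part of it.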
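Review bot: in the debian/patches/series hunk, `bugfix/all/can-bcm-fix-infoleak-in-struct-bcm_msg_head.patch` is dropped (its `memset(&msg_head, 0, sizeof(msg_head));` and `memset(&head, 0, sizeof(head));` lines now arrive via the upstream `can: bcm: fix infoleak in struct bcm_msg_head (CVE-2021-34693)` entry in 5.10.46), but the retained `bugfix/all/can-bcm-delay-release-of-struct-bcm_op-after-synchro.patch` modifies the same net/can/bcm.c, so confirm it still applies without fuzz on top of the updated file; no refresh appears in this diff, which is fine if it applied cleanly, and saying so in the commit message would close the question. Note also that the dropped patch's `Origin:` is a mainline id (git.kernel.org/linus/5e87ddbe…), not a stable one, so the 5.10.46 changelog line is the evidence that the stable backport landed.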