December 2023 - Linux-stable-mirror

[merged mm-hotfixes-stable] mm-fix-unmap_mapping_range-high-bits-shift-bug.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: fix unmap_mapping_range high bits shift bug has been removed from the -mm tree. Its filename was mm-fix-unmap_mapping_range-high-bits-shift-bug.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jiajun Xie <jiajun.xie.sh(a)gmail.com> Subject: mm: fix unmap_mapping_range high bits shift bug … [View More]Date: Wed, 20 Dec 2023 13:28:39 +0800 The bug happens when highest bit of holebegin is 1, suppose holebegin is 0x8000000111111000, after shift, hba would be 0xfff8000000111111, then vma_interval_tree_foreach would look it up fail or leads to the wrong result. error call seq e.g.: - mmap(..., offset=0x8000000111111000) |- syscall(mmap, ... unsigned long, off): |- ksys_mmap_pgoff( ... , off >> PAGE_SHIFT); here pgoff is correctly shifted to 0x8000000111111, but pass 0x8000000111111000 as holebegin to unmap would then cause terrible result, as shown below: - unmap_mapping_range(..., loff_t const holebegin) |- pgoff_t hba = holebegin >> PAGE_SHIFT; /* hba = 0xfff8000000111111 unexpectedly */ The issue happens in Heterogeneous computing, where the device(e.g. gpu) and host share the same virtual address space. A simple workflow pattern which hit the issue is: /* host */ 1. userspace first mmap a file backed VA range with specified offset. e.g. (offset=0x800..., mmap return: va_a) 2. write some data to the corresponding sys page e.g. (va_a = 0xAABB) /* device */ 3. gpu workload touches VA, triggers gpu fault and notify the host. /* host */ 4. reviced gpu fault notification, then it will: 4.1 unmap host pages and also takes care of cpu tlb (use unmap_mapping_range with offset=0x800...) 4.2 migrate sys page to device 4.3 setup device page table and resolve device fault. /* device */ 5. gpu workload continued, it accessed va_a and got 0xAABB. 6. gpu workload continued, it wrote 0xBBCC to va_a. /* host */ 7. userspace access va_a, as expected, it will: 7.1 trigger cpu vm fault. 7.2 driver handling fault to migrate gpu local page to host. 8. userspace then could correctly get 0xBBCC from va_a 9. done But in step 4.1, if we hit the bug this patch mentioned, then userspace would never trigger cpu fault, and still get the old value: 0xAABB. Making holebegin unsigned first fixes the bug. Link: https://lkml.kernel.org/r/20231220052839.26970-1-jiajun.xie.sh@gmail.com Signed-off-by: Jiajun Xie <jiajun.xie.sh(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/mm/memory.c~mm-fix-unmap_mapping_range-high-bits-shift-bug +++ a/mm/memory.c @@ -3624,8 +3624,8 @@ EXPORT_SYMBOL_GPL(unmap_mapping_pages); void unmap_mapping_range(struct address_space *mapping, loff_t const holebegin, loff_t const holelen, int even_cows) { - pgoff_t hba = holebegin >> PAGE_SHIFT; - pgoff_t hlen = (holelen + PAGE_SIZE - 1) >> PAGE_SHIFT; + pgoff_t hba = (pgoff_t)(holebegin) >> PAGE_SHIFT; + pgoff_t hlen = ((pgoff_t)(holelen) + PAGE_SIZE - 1) >> PAGE_SHIFT; /* Check for overflow. */ if (sizeof(holelen) > sizeof(hlen)) { _ Patches currently in -mm which might be from jiajun.xie.sh(a)gmail.com are [View Less]

1 year, 3 months

1
0
0 0

[PATCH] ACPI: resource: At another DMI match for the TongFang GMxXGxx

by Hans de Goede

The TongFang GMxXGxx, which needs IRQ overriding for the keyboard to work, is also sold as the Eluktronics RP-15 which does not use the standard TongFang GMxXGxx DMI board_name. Add an entry for this laptop to the irq1_edge_low_force_override[] DMI table to make the internal keyboard functional. Reported-by: Luis Acuna <ldacuna(a)gmail.com> Cc: Werner Sembach <wse(a)tuxedocomputers.com> Cc: All applicable <stable(a)vger.kernel.org> Signed-off-by: Hans de Goede <hdegoede(a)… [View More]

1 year, 3 months

2
1
0 0

[PATCH] netfilter/nf_tables: fix UAF in catchall element removal

by Wander Lairson Costa

From the original report: """ If the catchall element is gc'd when the pipapo set is removed, the element can be deactivated twice. When a set is deleted, the nft_map_deactivate() is called to deactivate the data of the set elements [1]. static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) { int err; err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); if (err < 0) return err; if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) … [View More]nft_map_deactivate(ctx, set); // [1] nft_deactivate_next(ctx->net, set); nft_use_dec(&ctx->table->use); return err; } Then nft_set_commit_update() is called in the nf_tables_commit() and the pipapo set's commit function is called [2]. static void nft_set_commit_update(struct list_head *set_update_list) { struct nft_set *set, *next; list_for_each_entry_safe(set, next, set_update_list, pending_update) { list_del_init(&set->pending_update); if (!set->ops->commit) continue; set->ops->commit(set); // [2] } } In the nft_pipapo_commit(), nft_trans_gc_catchall_sync() is called and nft_setelem_data_deactivate() is called for expired elements [3]. struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc) { struct nft_set_elem_catchall *catchall, *next; const struct nft_set *set = gc->set; struct nft_set_elem elem; struct nft_set_ext *ext; WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)); list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { ext = nft_set_elem_ext(set, catchall->elem); if (!nft_set_elem_expired(ext)) continue; gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL); if (!gc) return NULL; memset(&elem, 0, sizeof(elem)); elem.priv = catchall->elem; nft_setelem_data_deactivate(gc->net, gc->set, &elem); // [3] nft_setelem_catchall_destroy(catchall); nft_trans_gc_elem_add(gc, elem.priv); } return gc; } This element is deactivated by calling the nft_map_deactivate() in the nft_delset() [1], so the data deactivation is done twice. This causes a UAF on an NFT_CHAIN object or NFT_OBJECT object. In nft_data_release, chain->use is underflowed, and the following log is printed. [ 3.709887] ------------[ cut here ]------------ [ 3.710046] WARNING: CPU: 0 PID: 345 at include/net/netfilter/nf_tables.h:1190 nft_data_release+0x5d/0x70 [ 3.710385] Modules linked in: [ 3.710495] CPU: 0 PID: 345 Comm: poc Not tainted 6.7.0-rc6 #251 [ 3.710701] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 3.711005] RIP: 0010:nft_data_release+0x5d/0x70 [ 3.711172] Code: 06 5b c3 cc cc cc cc 48 8d 7b 08 e8 0d f8 ce fe 48 8b 5b 08 48 8d 7b 50 e8 c0 f6 ce fe 8b 43 50 8d 50 ff 89 53 50 85 c0 75 d7 <0f> 0b 5b c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 9 [ 3.711784] RSP: 0018:ffff888107437328 EFLAGS: 00010246 [ 3.711962] RAX: 0000000000000000 RBX: ffff88810031b200 RCX: dffffc0000000000 [ 3.712206] RDX: 00000000ffffffff RSI: 00000000ffffff00 RDI: ffff88810031b250 [ 3.712481] RBP: ffff888104b68000 R08: ffffffffae99d250 R09: ffffed102096d005 [ 3.712722] R10: ffffed102096d004 R11: ffff888104b68023 R12: 0000000000000020 [ 3.712968] R13: ffff888104b680e0 R14: ffff888104b68000 R15: ffff8881061d4018 [ 3.713234] FS: 000000000082e880(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000 [ 3.713523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.713730] CR2: 0000000000839000 CR3: 00000001090ce000 CR4: 0000000000750ef0 [ 3.714072] PKRU: 55555554 [ 3.714213] Call Trace: [ 3.714331] <TASK> [ 3.714432] ? __warn+0xa1/0x1c0 [ 3.714588] ? nft_data_release+0x5d/0x70 [ 3.714783] ? report_bug+0x265/0x270 [ 3.714953] ? handle_bug+0x42/0x80 [ 3.715093] ? exc_invalid_op+0x14/0x50 [ 3.715238] ? asm_exc_invalid_op+0x16/0x20 [ 3.715399] ? nft_data_release+0x50/0x70 [ 3.715553] ? nft_data_release+0x5d/0x70 [ 3.715708] ? nft_data_release+0x50/0x70 [ 3.715864] nft_setelem_data_deactivate+0x67/0xb0 [ 3.716051] nft_trans_gc_catchall_sync+0xae/0x200 [ 3.716246] pipapo_gc+0x356/0x3f0 [ 3.716392] ? __pfx_pipapo_gc+0x10/0x10 [ 3.716565] ? _raw_spin_lock+0x87/0xe0 [ 3.716728] ? __pfx__raw_spin_lock+0x10/0x10 [ 3.716910] ? __rcu_read_unlock+0x4e/0x260 [ 3.717087] ? kasan_quarantine_put+0x55/0x180 [ 3.717273] nft_pipapo_commit+0x7b/0x140 [ 3.717423] nf_tables_commit+0x10a7/0x2200 """ The original patch says expired catchall elements are not deactivated, but nft_setelem_data_deactivate is called for all map objects. So, only call nft_setelem_data_deactivate for non map objects. Fixes: 93995bf4af2c ("netfilter: nf_tables: remove catchall element in GC sync path") Reported-by: Kevin Rich <kevinrich1337(a)gmail.com> Signed-off-by: Wander Lairson Costa <wander(a)redhat.com> Cc: stable(a)vger.kernel.org --- net/netfilter/nf_tables_api.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index c5c17c6e80ed..2defdf56484f 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -9728,7 +9728,11 @@ struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc) return NULL; elem_priv = catchall->elem; - nft_setelem_data_deactivate(gc->net, gc->set, elem_priv); + + /* For map objects, nft_map_catchall_deactivate has already been called. */ + if (!(set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))) + nft_setelem_data_deactivate(gc->net, gc->set, elem_priv); + nft_setelem_catchall_destroy(catchall); nft_trans_gc_elem_add(gc, elem_priv); } -- 2.43.0 [View Less]

1 year, 3 months

3
3
0 0

[PATCH 1/2] ALSA: hda/tas2781: move set_drv_data outside tasdevice_init

by Gergo Koteles

allow driver specific driver data in tas2781-hda-i2c and tas2781-i2c Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver") CC: stable(a)vger.kernel.org Signed-off-by: Gergo Koteles <soyer(a)irl.hu> --- sound/pci/hda/tas2781_hda_i2c.c | 2 ++ sound/soc/codecs/tas2781-comlib.c | 2 -- sound/soc/codecs/tas2781-i2c.c | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/sound/pci/hda/tas2781_hda_i2c.c b/sound/pci/hda/tas2781_hda_i2c.c index e4c54b2a012c..… [View More]

1 year, 3 months

2
2
0 0

[PATCH] ALSA: hda/tas2781: do not use regcache

by Gergo Koteles

There are two problems with using regcache in this module. The amplifier has 3 addressing levels (BOOK, PAGE, REG). The firmware contains blocks that must be written to BOOK 0x8C. The regcache doesn't know anything about BOOK, so regcache_sync writes invalid values to the actual BOOK. The module handles 2 or more separate amplifiers. The amplifiers have different register values, and the module uses only one regmap/regcache for all the amplifiers. The regcache_sync only writes the last … [View More]amplifier used. The module successfully restores all the written register values (RC profile, program, configuration, calibration) without regcache. Remove regcache functions and set regmap cache_type to REGCACHE_NONE. Link: https://lore.kernel.org/r/21a183b5a08cb23b193af78d4b1114cc59419272.17019064… Fixes: 5be27f1e3ec9 ("ALSA: hda/tas2781: Add tas2781 HDA driver") CC: stable(a)vger.kernel.org Signed-off-by: Gergo Koteles <soyer(a)irl.hu> --- sound/pci/hda/tas2781_hda_i2c.c | 17 +---------------- sound/soc/codecs/tas2781-comlib.c | 2 +- 2 files changed, 2 insertions(+), 17 deletions(-) diff --git a/sound/pci/hda/tas2781_hda_i2c.c b/sound/pci/hda/tas2781_hda_i2c.c index 2fb1a7037c82..e4c54b2a012c 100644 --- a/sound/pci/hda/tas2781_hda_i2c.c +++ b/sound/pci/hda/tas2781_hda_i2c.c @@ -717,8 +717,6 @@ static int tas2781_runtime_suspend(struct device *dev) tas_priv->tasdevice[i].cur_conf = -1; } - regcache_cache_only(tas_priv->regmap, true); - regcache_mark_dirty(tas_priv->regmap); mutex_unlock(&tas_priv->codec_lock); @@ -730,20 +728,11 @@ static int tas2781_runtime_resume(struct device *dev) struct tasdevice_priv *tas_priv = dev_get_drvdata(dev); unsigned long calib_data_sz = tas_priv->ndev * TASDEVICE_SPEAKER_CALIBRATION_SIZE; - int ret; dev_dbg(tas_priv->dev, "Runtime Resume\n"); mutex_lock(&tas_priv->codec_lock); - regcache_cache_only(tas_priv->regmap, false); - ret = regcache_sync(tas_priv->regmap); - if (ret) { - dev_err(tas_priv->dev, - "Failed to restore register cache: %d\n", ret); - goto out; - } - tasdevice_prmg_load(tas_priv, tas_priv->cur_prog); /* If calibrated data occurs error, dsp will still works with default @@ -752,10 +741,9 @@ static int tas2781_runtime_resume(struct device *dev) if (tas_priv->cali_data.total_sz > calib_data_sz) tas2781_apply_calib(tas_priv); -out: mutex_unlock(&tas_priv->codec_lock); - return ret; + return 0; } static int tas2781_system_suspend(struct device *dev) @@ -770,10 +758,7 @@ static int tas2781_system_suspend(struct device *dev) return ret; /* Shutdown chip before system suspend */ - regcache_cache_only(tas_priv->regmap, false); tasdevice_tuning_switch(tas_priv, 1); - regcache_cache_only(tas_priv->regmap, true); - regcache_mark_dirty(tas_priv->regmap); /* * Reset GPIO may be shared, so cannot reset here. diff --git a/sound/soc/codecs/tas2781-comlib.c b/sound/soc/codecs/tas2781-comlib.c index ffb26e4a7e2f..933cd008e9f5 100644 --- a/sound/soc/codecs/tas2781-comlib.c +++ b/sound/soc/codecs/tas2781-comlib.c @@ -39,7 +39,7 @@ static const struct regmap_range_cfg tasdevice_ranges[] = { static const struct regmap_config tasdevice_regmap = { .reg_bits = 8, .val_bits = 8, - .cache_type = REGCACHE_RBTREE, + .cache_type = REGCACHE_NONE, .ranges = tasdevice_ranges, .num_ranges = ARRAY_SIZE(tasdevice_ranges), .max_register = 256 * 128, base-commit: 916d051730ae48aef8b588fd096fefca4bc0590a -- 2.43.0 [View Less]

1 year, 3 months

3
2
0 0

FAILED: patch "[PATCH] smb: client: fix OOB in smbCalcSize()" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.14.y git checkout FETCH_HEAD git cherry-pick -x b35858b3786ddbb56e1c35138ba25d6adf8d0bef # <… [View More]resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023122818-unroll-herself-4816@gregkh' --subject-prefix 'PATCH 4.14.y' HEAD^.. Possible dependencies: b35858b3786d ("smb: client: fix OOB in smbCalcSize()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b35858b3786ddbb56e1c35138ba25d6adf8d0bef Mon Sep 17 00:00:00 2001 From: Paulo Alcantara <pc(a)manguebit.com> Date: Fri, 15 Dec 2023 19:59:14 -0300 Subject: [PATCH] smb: client: fix OOB in smbCalcSize() Validate @smb->WordCount to avoid reading off the end of @smb and thus causing the following KASAN splat: BUG: KASAN: slab-out-of-bounds in smbCalcSize+0x32/0x40 [cifs] Read of size 2 at addr ffff88801c024ec5 by task cifsd/1328 CPU: 1 PID: 1328 Comm: cifsd Not tainted 6.7.0-rc5 #9 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __phys_addr+0x46/0x90 kasan_report+0xd8/0x110 ? smbCalcSize+0x32/0x40 [cifs] ? smbCalcSize+0x32/0x40 [cifs] kasan_check_range+0x105/0x1b0 smbCalcSize+0x32/0x40 [cifs] checkSMB+0x162/0x370 [cifs] ? __pfx_checkSMB+0x10/0x10 [cifs] cifs_handle_standard+0xbc/0x2f0 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 cifs_demultiplex_thread+0xed1/0x1360 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? __pfx_lock_release+0x10/0x10 ? srso_alias_return_thunk+0x5/0xfbef5 ? mark_held_locks+0x1a/0x90 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kthread_parkme+0xce/0xf0 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0x18d/0x1d0 ? kthread+0xdb/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> This fixes CVE-2023-6606. Reported-by: j51569436(a)gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218218 Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c index 35b176457bbe..c2137ea3c253 100644 --- a/fs/smb/client/misc.c +++ b/fs/smb/client/misc.c @@ -363,6 +363,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) cifs_dbg(VFS, "Length less than smb header size\n"); } return -EIO; + } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) { + cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n", + __func__, smb->WordCount); + return -EIO; } /* otherwise, there is enough to get to the BCC */ [View Less]

1 year, 3 months

1
0
0 0

FAILED: patch "[PATCH] smb: client: fix OOB in smbCalcSize()" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x b35858b3786ddbb56e1c35138ba25d6adf8d0bef # <… [View More]resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023122817-polar-awaken-d9f4@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: b35858b3786d ("smb: client: fix OOB in smbCalcSize()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b35858b3786ddbb56e1c35138ba25d6adf8d0bef Mon Sep 17 00:00:00 2001 From: Paulo Alcantara <pc(a)manguebit.com> Date: Fri, 15 Dec 2023 19:59:14 -0300 Subject: [PATCH] smb: client: fix OOB in smbCalcSize() Validate @smb->WordCount to avoid reading off the end of @smb and thus causing the following KASAN splat: BUG: KASAN: slab-out-of-bounds in smbCalcSize+0x32/0x40 [cifs] Read of size 2 at addr ffff88801c024ec5 by task cifsd/1328 CPU: 1 PID: 1328 Comm: cifsd Not tainted 6.7.0-rc5 #9 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __phys_addr+0x46/0x90 kasan_report+0xd8/0x110 ? smbCalcSize+0x32/0x40 [cifs] ? smbCalcSize+0x32/0x40 [cifs] kasan_check_range+0x105/0x1b0 smbCalcSize+0x32/0x40 [cifs] checkSMB+0x162/0x370 [cifs] ? __pfx_checkSMB+0x10/0x10 [cifs] cifs_handle_standard+0xbc/0x2f0 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 cifs_demultiplex_thread+0xed1/0x1360 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? __pfx_lock_release+0x10/0x10 ? srso_alias_return_thunk+0x5/0xfbef5 ? mark_held_locks+0x1a/0x90 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kthread_parkme+0xce/0xf0 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0x18d/0x1d0 ? kthread+0xdb/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> This fixes CVE-2023-6606. Reported-by: j51569436(a)gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218218 Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c index 35b176457bbe..c2137ea3c253 100644 --- a/fs/smb/client/misc.c +++ b/fs/smb/client/misc.c @@ -363,6 +363,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) cifs_dbg(VFS, "Length less than smb header size\n"); } return -EIO; + } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) { + cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n", + __func__, smb->WordCount); + return -EIO; } /* otherwise, there is enough to get to the BCC */ [View Less]

1 year, 3 months

1
0
0 0

FAILED: patch "[PATCH] smb: client: fix OOB in smbCalcSize()" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x b35858b3786ddbb56e1c35138ba25d6adf8d0bef # <… [View More]resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023122815-prowler-sliding-efbd@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: b35858b3786d ("smb: client: fix OOB in smbCalcSize()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b35858b3786ddbb56e1c35138ba25d6adf8d0bef Mon Sep 17 00:00:00 2001 From: Paulo Alcantara <pc(a)manguebit.com> Date: Fri, 15 Dec 2023 19:59:14 -0300 Subject: [PATCH] smb: client: fix OOB in smbCalcSize() Validate @smb->WordCount to avoid reading off the end of @smb and thus causing the following KASAN splat: BUG: KASAN: slab-out-of-bounds in smbCalcSize+0x32/0x40 [cifs] Read of size 2 at addr ffff88801c024ec5 by task cifsd/1328 CPU: 1 PID: 1328 Comm: cifsd Not tainted 6.7.0-rc5 #9 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __phys_addr+0x46/0x90 kasan_report+0xd8/0x110 ? smbCalcSize+0x32/0x40 [cifs] ? smbCalcSize+0x32/0x40 [cifs] kasan_check_range+0x105/0x1b0 smbCalcSize+0x32/0x40 [cifs] checkSMB+0x162/0x370 [cifs] ? __pfx_checkSMB+0x10/0x10 [cifs] cifs_handle_standard+0xbc/0x2f0 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 cifs_demultiplex_thread+0xed1/0x1360 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? __pfx_lock_release+0x10/0x10 ? srso_alias_return_thunk+0x5/0xfbef5 ? mark_held_locks+0x1a/0x90 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kthread_parkme+0xce/0xf0 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0x18d/0x1d0 ? kthread+0xdb/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> This fixes CVE-2023-6606. Reported-by: j51569436(a)gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218218 Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c index 35b176457bbe..c2137ea3c253 100644 --- a/fs/smb/client/misc.c +++ b/fs/smb/client/misc.c @@ -363,6 +363,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) cifs_dbg(VFS, "Length less than smb header size\n"); } return -EIO; + } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) { + cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n", + __func__, smb->WordCount); + return -EIO; } /* otherwise, there is enough to get to the BCC */ [View Less]

1 year, 3 months

1
0
0 0

FAILED: patch "[PATCH] smb: client: fix OOB in smbCalcSize()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b35858b3786ddbb56e1c35138ba25d6adf8d0bef # <… [View More]resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023122814-pregnancy-mumps-c958@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: b35858b3786d ("smb: client: fix OOB in smbCalcSize()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b35858b3786ddbb56e1c35138ba25d6adf8d0bef Mon Sep 17 00:00:00 2001 From: Paulo Alcantara <pc(a)manguebit.com> Date: Fri, 15 Dec 2023 19:59:14 -0300 Subject: [PATCH] smb: client: fix OOB in smbCalcSize() Validate @smb->WordCount to avoid reading off the end of @smb and thus causing the following KASAN splat: BUG: KASAN: slab-out-of-bounds in smbCalcSize+0x32/0x40 [cifs] Read of size 2 at addr ffff88801c024ec5 by task cifsd/1328 CPU: 1 PID: 1328 Comm: cifsd Not tainted 6.7.0-rc5 #9 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __phys_addr+0x46/0x90 kasan_report+0xd8/0x110 ? smbCalcSize+0x32/0x40 [cifs] ? smbCalcSize+0x32/0x40 [cifs] kasan_check_range+0x105/0x1b0 smbCalcSize+0x32/0x40 [cifs] checkSMB+0x162/0x370 [cifs] ? __pfx_checkSMB+0x10/0x10 [cifs] cifs_handle_standard+0xbc/0x2f0 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 cifs_demultiplex_thread+0xed1/0x1360 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? __pfx_lock_release+0x10/0x10 ? srso_alias_return_thunk+0x5/0xfbef5 ? mark_held_locks+0x1a/0x90 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kthread_parkme+0xce/0xf0 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0x18d/0x1d0 ? kthread+0xdb/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> This fixes CVE-2023-6606. Reported-by: j51569436(a)gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218218 Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c index 35b176457bbe..c2137ea3c253 100644 --- a/fs/smb/client/misc.c +++ b/fs/smb/client/misc.c @@ -363,6 +363,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) cifs_dbg(VFS, "Length less than smb header size\n"); } return -EIO; + } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) { + cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n", + __func__, smb->WordCount); + return -EIO; } /* otherwise, there is enough to get to the BCC */ [View Less]

1 year, 3 months

1
0
0 0

FAILED: patch "[PATCH] smb: client: fix OOB in smbCalcSize()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x b35858b3786ddbb56e1c35138ba25d6adf8d0bef # <… [View More]resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023122812-exile-synthesis-b83a@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: b35858b3786d ("smb: client: fix OOB in smbCalcSize()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b35858b3786ddbb56e1c35138ba25d6adf8d0bef Mon Sep 17 00:00:00 2001 From: Paulo Alcantara <pc(a)manguebit.com> Date: Fri, 15 Dec 2023 19:59:14 -0300 Subject: [PATCH] smb: client: fix OOB in smbCalcSize() Validate @smb->WordCount to avoid reading off the end of @smb and thus causing the following KASAN splat: BUG: KASAN: slab-out-of-bounds in smbCalcSize+0x32/0x40 [cifs] Read of size 2 at addr ffff88801c024ec5 by task cifsd/1328 CPU: 1 PID: 1328 Comm: cifsd Not tainted 6.7.0-rc5 #9 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __phys_addr+0x46/0x90 kasan_report+0xd8/0x110 ? smbCalcSize+0x32/0x40 [cifs] ? smbCalcSize+0x32/0x40 [cifs] kasan_check_range+0x105/0x1b0 smbCalcSize+0x32/0x40 [cifs] checkSMB+0x162/0x370 [cifs] ? __pfx_checkSMB+0x10/0x10 [cifs] cifs_handle_standard+0xbc/0x2f0 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 cifs_demultiplex_thread+0xed1/0x1360 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? __pfx_lock_release+0x10/0x10 ? srso_alias_return_thunk+0x5/0xfbef5 ? mark_held_locks+0x1a/0x90 ? lockdep_hardirqs_on_prepare+0x136/0x210 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kthread_parkme+0xce/0xf0 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0x18d/0x1d0 ? kthread+0xdb/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> This fixes CVE-2023-6606. Reported-by: j51569436(a)gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218218 Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c index 35b176457bbe..c2137ea3c253 100644 --- a/fs/smb/client/misc.c +++ b/fs/smb/client/misc.c @@ -363,6 +363,10 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) cifs_dbg(VFS, "Length less than smb header size\n"); } return -EIO; + } else if (total_read < sizeof(*smb) + 2 * smb->WordCount) { + cifs_dbg(VFS, "%s: can't read BCC due to invalid WordCount(%u)\n", + __func__, smb->WordCount); + return -EIO; } /* otherwise, there is enough to get to the BCC */ [View Less]

1 year, 3 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2023