c4789f87f6d0ca825230cfbec78d78ee85e55dfa
3022 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
c4789f87f6 |
Merge 4.9.61 into android-4.9
Changes in 4.9.61 ALSA: timer: Add missing mutex lock for compat ioctls ALSA: seq: Fix nested rwsem annotation for lockdep splat cifs: check MaxPathNameComponentLength != 0 before using it KEYS: return full count in keyring_read() if buffer is too small KEYS: fix out-of-bounds read during ASN.1 parsing ASoC: adau17x1: Workaround for noise bug in ADC arm64: ensure __dump_instr() checks addr_limit arm/arm64: KVM: set right LR register value for 32 bit guest when inject abort arm/arm64: kvm: Disable branch profiling in HYP code ARM: 8715/1: add a private asm/unaligned.h drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting ocfs2: fstrim: Fix start offset of first cluster group during fstrim drm/i915/edp: read edp display control registers unconditionally drm/msm: Fix potential buffer overflow issue drm/msm: fix an integer overflow test tracing/samples: Fix creation and deletion of simple_thread_fn creation Fix tracing sample code warning. cpufreq: Do not clear real_cpus mask on policy init crypto: ccp - Set the AES size field for all modes staging: fsl-mc: Add missing header IB/mlx5: Assign DSCP for R-RoCE QPs Address Path PM / wakeirq: report a wakeup_event on dedicated wekup irq scsi: megaraid_sas: Do not set fp_possible if TM capable for non-RW syspdIO, change fp_possible to bool mmc: s3cmci: include linux/interrupt.h for tasklet_struct mfd: ab8500-sysctrl: Handle probe deferral mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped bnxt_en: Added PCI IDs for BCM57452 and BCM57454 ASICs staging: rtl8712u: Fix endian settings for structs describing network packets PCI/MSI: Return failure when msix_setup_entries() fails net: mvneta: fix build errors when linux/phy*.h is removed from net/dsa.h ext4: fix stripe-unaligned allocations ext4: do not use stripe_width if it is not set net/ena: change driver's default timeouts i2c: riic: correctly finish transfers drm/amdgpu: when dpm disabled, also need to stop/start vce. perf tools: Only increase index if perf_evsel__new_idx() succeeds iwlwifi: mvm: use the PROBE_RESP_QUEUE to send deauth to unknown station drm/fsl-dcu: check for clk_prepare_enable() error clocksource/drivers/arm_arch_timer: Add dt binding for hisilicon-161010101 erratum net: phy: dp83867: Recover from "port mirroring" N/A MODE4 cx231xx: Fix I2C on Internal Master 3 Bus ath10k: fix reading sram contents for QCA4019 clk: sunxi-ng: Check kzalloc() for errors and cleanup error path mtd: nand: sunxi: Fix the non-polling case in sunxi_nfc_wait_events() gpio: mcp23s08: Select REGMAP/REGMAP_I2C to fix build error xen/manage: correct return value check on xenbus_scanf() scsi: aacraid: Process Error for response I/O platform/x86: intel_mid_thermal: Fix module autoload staging: lustre: llite: don't invoke direct_IO for the EOF case staging: lustre: hsm: stack overrun in hai_dump_data_field staging: lustre: ptlrpc: skip lock if export failed staging: lustre: lmv: Error not handled for lmv_find_target brcmfmac: check brcmf_bus_get_memdump result for error vfs: open() with O_CREAT should not create inodes with unknown ids ASoC: Intel: boards: remove .pm_ops in all Atom/DPCM machine drivers exynos4-is: fimc-is: Unmap region obtained by of_iomap() mei: return error on notification request to a disconnected client s390/dasd: check for device error pointer within state change interrupts s390/prng: Adjust generation of entropy to produce real 256 bits. s390/crypto: Extend key length check for AES-XTS in fips mode. bt8xx: fix memory leak drm/exynos: g2d: prevent integer overflow in PCI: Avoid possible deadlock on pci_lock and p->pi_lock powerpc/64: Don't try to use radix MMU under a hypervisor xen: don't print error message in case of missing Xenstore entry staging: r8712u: Fix Sparse warning in rtl871x_xmit.c ARM: dts: mvebu: pl310-cache disable double-linefill Linux 4.9.61 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
0be72aebbf |
KEYS: return full count in keyring_read() if buffer is too small
commit 3239b6f29bdfb4b0a2ba59df995fc9e6f4df7f1f upstream.
Commit e645016abc80 ("KEYS: fix writing past end of user-supplied buffer
in keyring_read()") made keyring_read() stop corrupting userspace memory
when the user-supplied buffer is too small. However it also made the
return value in that case be the short buffer size rather than the size
required, yet keyctl_read() is actually documented to return the size
required. Therefore, switch it over to the documented behavior.
Note that for now we continue to have it fill the short buffer, since it
did that before (pre-v3.13) and dump_key_tree_aux() in keyutils arguably
relies on it.
Fixes: e645016abc80 ("KEYS: fix writing past end of user-supplied buffer in keyring_read()")
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
0521e0b3fc |
UPSTREAM: selinux: bpf: Add addtional check for bpf object file receive
Introduce a bpf object related check when sending and receiving files through unix domain socket as well as binder. It checks if the receiving process have privilege to read/write the bpf map or use the bpf program. This check is necessary because the bpf maps and programs are using a anonymous inode as their shared inode so the normal way of checking the files and sockets when passing between processes cannot work properly on eBPF object. This check only works when the BPF_SYSCALL is configured. Signed-off-by: Chenbo Feng <fengc@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: James Morris <james.l.morris@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry-pick from net-next: f66e448cfda021b0bcd884f26709796fe19c7cc1) Bug: 30950746 Change-Id: I5b2cf4ccb4eab7eda91ddd7091d6aa3e7ed9f2cd |
||
|
|
9b62913289 |
UPSTREAM: selinux: bpf: Add selinux check for eBPF syscall operations
Implement the actual checks introduced to eBPF related syscalls. This implementation use the security field inside bpf object to store a sid that identify the bpf object. And when processes try to access the object, selinux will check if processes have the right privileges. The creation of eBPF object are also checked at the general bpf check hook and new cmd introduced to eBPF domain can also be checked there. Signed-off-by: Chenbo Feng <fengc@google.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Reviewed-by: James Morris <james.l.morris@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry-pick from net-next: ec27c3568a34c7fe5fcf4ac0a354eda77687f7eb) Bug: 30950746 Change-Id: Ifb0cdd4b7d470223b143646b339ba511ac77c156 |
||
|
|
f3ad3766a9 |
BACKPORT: security: bpf: Add LSM hooks for bpf object related syscall
Introduce several LSM hooks for the syscalls that will allow the userspace to access to eBPF object such as eBPF programs and eBPF maps. The security check is aimed to enforce a per object security protection for eBPF object so only processes with the right priviliges can read/write to a specific map or use a specific eBPF program. Besides that, a general security hook is added before the multiplexer of bpf syscall to check the cmd and the attribute used for the command. The actual security module can decide which command need to be checked and how the cmd should be checked. Signed-off-by: Chenbo Feng <fengc@google.com> Acked-by: James Morris <james.l.morris@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Added the LIST_HEAD_INIT call for security hooks, it nolonger exist in uptream code. (cherry-pick from net-next: afdb09c720b62b8090584c11151d856df330e57d) Bug: 30950746 Change-Id: Ieb3ac74392f531735fc7c949b83346a5f587a77b |
||
|
|
16cc920a0f |
Merge 4.9.59 into android-4.9
Changes in 4.9.59 USB: devio: Revert "USB: devio: Don't corrupt user memory" USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() USB: serial: metro-usb: add MS7820 device id usb: cdc_acm: Add quirk for Elatec TWN3 usb: quirks: add quirk for WORLDE MINI MIDI keyboard usb: hub: Allow reset retry for USB2 devices on connect bounce ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital can: gs_usb: fix busy loop if no more TX context is available parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels iio: dummy: events: Add missing break usb: musb: sunxi: Explicitly release USB PHY on exit usb: musb: Check for host-mode using is_host_active() on reset interrupt xhci: Identify USB 3.1 capable hosts by their port protocol capability can: esd_usb2: Fix can_dlc value for received RTR, frames drm/nouveau/bsp/g92: disable by default drm/nouveau/mmu: flush tlbs before deleting page tables ALSA: seq: Enable 'use' locking in all configurations ALSA: hda: Remove superfluous '-' added by printk conversion ALSA: hda: Abort capability probe at invalid register read i2c: ismt: Separate I2C block read from SMBus block read i2c: piix4: Fix SMBus port selection for AMD Family 17h chips brcmfmac: Add check for short event packets brcmsmac: make some local variables 'static const' to reduce stack size bus: mbus: fix window size calculation for 4GB windows clockevents/drivers/cs5535: Improve resilience to spurious interrupts rtlwifi: rtl8821ae: Fix connection lost problem x86/microcode/intel: Disable late loading on model 79 KEYS: encrypted: fix dereference of NULL user_key_payload lib/digsig: fix dereference of NULL user_key_payload KEYS: don't let add_key() update an uninstantiated key pkcs7: Prevent NULL pointer dereference, since sinfo is not always set. vmbus: fix missing signaling in hv_signal_on_read() xfs: don't unconditionally clear the reflink flag on zero-block files xfs: evict CoW fork extents when performing finsert/fcollapse fs/xfs: Use %pS printk format for direct addresses xfs: report zeroed or not correctly in xfs_zero_range() xfs: update i_size after unwritten conversion in dio completion xfs: perag initialization should only touch m_ag_max_usable for AG 0 xfs: Capture state of the right inode in xfs_iflush_done xfs: always swap the cow forks when swapping extents xfs: handle racy AIO in xfs_reflink_end_cow xfs: Don't log uninitialised fields in inode structures xfs: move more RT specific code under CONFIG_XFS_RT xfs: don't change inode mode if ACL update fails xfs: reinit btree pointer on attr tree inactivation walk xfs: handle error if xfs_btree_get_bufs fails xfs: cancel dirty pages on invalidation xfs: trim writepage mapping to within eof fscrypt: fix dereference of NULL user_key_payload KEYS: Fix race between updating and finding a negative key FS-Cache: fix dereference of NULL user_key_payload Linux 4.9.59 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
63c8e45255 |
KEYS: Fix race between updating and finding a negative key
commit 363b02dab09b3226f3bd1420dad9c72b79a42a76 upstream.
Consolidate KEY_FLAG_INSTANTIATED, KEY_FLAG_NEGATIVE and the rejection
error into one field such that:
(1) The instantiation state can be modified/read atomically.
(2) The error can be accessed atomically with the state.
(3) The error isn't stored unioned with the payload pointers.
This deals with the problem that the state is spread over three different
objects (two bits and a separate variable) and reading or updating them
atomically isn't practical, given that not only can uninstantiated keys
change into instantiated or rejected keys, but rejected keys can also turn
into instantiated keys - and someone accessing the key might not be using
any locking.
The main side effect of this problem is that what was held in the payload
may change, depending on the state. For instance, you might observe the
key to be in the rejected state. You then read the cached error, but if
the key semaphore wasn't locked, the key might've become instantiated
between the two reads - and you might now have something in hand that isn't
actually an error code.
The state is now KEY_IS_UNINSTANTIATED, KEY_IS_POSITIVE or a negative error
code if the key is negatively instantiated. The key_is_instantiated()
function is replaced with key_is_positive() to avoid confusion as negative
keys are also 'instantiated'.
Additionally, barriering is included:
(1) Order payload-set before state-set during instantiation.
(2) Order state-read before payload-read when using the key.
Further separate barriering is necessary if RCU is being used to access the
payload content after reading the payload pointers.
Fixes:
|
||
|
|
da0c7503c0 |
KEYS: don't let add_key() update an uninstantiated key
commit 60ff5b2f547af3828aebafd54daded44cfb0807a upstream.
Currently, when passed a key that already exists, add_key() will call the
key's ->update() method if such exists. But this is heavily broken in the
case where the key is uninstantiated because it doesn't call
__key_instantiate_and_link(). Consequently, it doesn't do most of the
things that are supposed to happen when the key is instantiated, such as
setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and
awakening tasks waiting on it, and incrementing key->user->nikeys.
It also never takes key_construction_mutex, which means that
->instantiate() can run concurrently with ->update() on the same key. In
the case of the "user" and "logon" key types this causes a memory leak, at
best. Maybe even worse, the ->update() methods of the "encrypted" and
"trusted" key types actually just dereference a NULL pointer when passed an
uninstantiated key.
Change key_create_or_update() to wait interruptibly for the key to finish
construction before continuing.
This patch only affects *uninstantiated* keys. For now we still allow a
negatively instantiated key to be updated (thereby positively
instantiating it), although that's broken too (the next patch fixes it)
and I'm not sure that anyone actually uses that functionality either.
Here is a simple reproducer for the bug using the "encrypted" key type
(requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug
pertained to more than just the "encrypted" key type:
#include <stdlib.h>
#include <unistd.h>
#include <keyutils.h>
int main(void)
{
int ringid = keyctl_join_session_keyring(NULL);
if (fork()) {
for (;;) {
const char payload[] = "update user:foo 32";
usleep(rand() % 10000);
add_key("encrypted", "desc", payload, sizeof(payload), ringid);
keyctl_clear(ringid);
}
} else {
for (;;)
request_key("encrypted", "desc", "callout_info", ringid);
}
}
It causes:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: encrypted_update+0xb0/0x170
PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0
PREEMPT SMP
CPU: 0 PID: 340 Comm: reproduce Tainted: G D 4.14.0-rc1-00025-g428490e38b2e #796
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff8a467a39a340 task.stack: ffffb15c40770000
RIP: 0010:encrypted_update+0xb0/0x170
RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000
RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303
RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17
R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f
FS: 00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0
Call Trace:
key_create_or_update+0x2bc/0x460
SyS_add_key+0x10c/0x1d0
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f5d7f211259
RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259
RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 0000000000400a04
RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004
R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868
R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000
Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b
RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8
CR2: 0000000000000018
Reported-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
fec442e32b |
KEYS: encrypted: fix dereference of NULL user_key_payload
commit 13923d0865ca96312197962522e88bc0aedccd74 upstream.
A key of type "encrypted" references a "master key" which is used to
encrypt and decrypt the encrypted key's payload. However, when we
accessed the master key's payload, we failed to handle the case where
the master key has been revoked, which sets the payload pointer to NULL.
Note that request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.
Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.
This was an issue for master keys of type "user" only. Master keys can
also be of type "trusted", but those cannot be revoked.
Fixes:
|
||
|
|
63da4200cb |
f2fs: catch up to v4.14-rc1
Cherry-picked from upstream-f2fs-stable-linux-4.9.y
Changes include:
commit 30da3a4de96733 ("f2fs: hurry up to issue discard after io interruption")
commit d1c363b48398d4 ("f2fs: fix to show correct discard_granularity in sysfs")
...
commit e6b120d4d01ab0 ("f2fs/fscrypt: catch up to v4.12")
commit 4d7931d72758db ("KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload()")
Signed-off-by: Hyojun Kim <hyojun@google.com>
|
||
|
|
cdbe07ad26 |
Merge 4.9.55 into android-4.9
Changes in 4.9.55
USB: gadgetfs: Fix crash caused by inadequate synchronization
USB: gadgetfs: fix copy_to_user while holding spinlock
usb: gadget: udc: atmel: set vbus irqflags explicitly
usb: gadget: udc: renesas_usb3: fix for no-data control transfer
usb: gadget: udc: renesas_usb3: fix Pn_RAMMAP.Pn_MPKT value
usb: gadget: udc: renesas_usb3: Fix return value of usb3_write_pipe()
usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
usb-storage: fix bogus hardware error messages for ATA pass-thru devices
usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
usb: pci-quirks.c: Corrected timeout values used in handshake
USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
USB: dummy-hcd: fix connection failures (wrong speed)
USB: dummy-hcd: fix infinite-loop resubmission bug
USB: dummy-hcd: Fix erroneous synchronization change
USB: devio: Don't corrupt user memory
usb: gadget: mass_storage: set msg_registered after msg registered
USB: g_mass_storage: Fix deadlock when driver is unbound
USB: uas: fix bug in handling of alternate settings
USB: core: harden cdc_parse_cdc_header
usb: Increase quirk delay for USB devices
USB: fix out-of-bounds in usb_set_configuration
xhci: fix finding correct bus_state structure for USB 3.1 hosts
xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'
iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()'
iio: ad_sigma_delta: Implement a dedicated reset function
staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack.
iio: core: Return error for failed read_reg
IIO: BME280: Updates to Humidity readings need ctrl_reg write!
iio: ad7793: Fix the serial interface reset
iio: adc: mcp320x: Fix readout of negative voltages
iio: adc: mcp320x: Fix oops on module unload
uwb: properly check kthread_run return value
uwb: ensure that endpoint is interrupt
staging: vchiq_2835_arm: Fix NULL ptr dereference in free_pagelist
mm, oom_reaper: skip mm structs with mmu notifiers
lib/ratelimit.c: use deferred printk() version
lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
ALSA: compress: Remove unused variable
Revert "ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members"
ALSA: usx2y: Suppress kernel warning at page allocation failures
mlxsw: spectrum: Prevent mirred-related crash on removal
net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
tcp: update skb->skb_mstamp more carefully
bpf/verifier: reject BPF_ALU64|BPF_END
tcp: fix data delivery rate
udpv6: Fix the checksum computation when HW checksum does not apply
ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
net: phy: Fix mask value write on gmii2rgmii converter speed register
ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
net/sched: cls_matchall: fix crash when used with classful qdisc
tcp: fastopen: fix on syn-data transmit failure
net: emac: Fix napi poll list corruption
packet: hold bind lock when rebinding to fanout hook
bpf: one perf event close won't free bpf program attached by another perf event
isdn/i4l: fetch the ppp_write buffer in one shot
net_sched: always reset qdisc backlog in qdisc_reset()
net: qcom/emac: specify the correct size when mapping a DMA buffer
vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
l2tp: Avoid schedule while atomic in exit_net
l2tp: fix race condition in l2tp_tunnel_delete
tun: bail out from tun_get_user() if the skb is empty
net: dsa: Fix network device registration order
packet: in packet_do_bind, test fanout with bind_lock held
packet: only test po->has_vnet_hdr once in packet_snd
net: Set sk_prot_creator when cloning sockets to the right proto
netlink: do not proceed if dump's start() errs
ip6_gre: ip6gre_tap device should keep dst
ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
tipc: use only positive error codes in messages
net: rtnetlink: fix info leak in RTM_GETSTATS call
socket, bpf: fix possible use after free
powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks
powerpc/tm: Fix illegal TM state in signal handler
percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
driver core: platform: Don't read past the end of "driver_override" buffer
Drivers: hv: fcopy: restore correct transfer length
stm class: Fix a use-after-free
ftrace: Fix kmemleak in unregister_ftrace_graph
HID: i2c-hid: allocate hid buffers for real worst case
HID: wacom: leds: Don't try to control the EKR's read-only LEDs
HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
HID: wacom: bits shifted too much for 9th and 10th buttons
rocker: fix rocker_tlv_put_* functions for KASAN
netlink: fix nla_put_{u8,u16,u32} for KASAN
iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
iwlwifi: add workaround to disable wide channels in 5GHz
scsi: sd: Do not override max_sectors_kb sysfs setting
brcmfmac: add length check in brcmf_cfg80211_escan_handler()
brcmfmac: setup passive scan if requested by user-space
drm/i915/bios: ignore HDMI on port A
nvme-pci: Use PCI bus address for data/queues in CMB
mmc: core: add driver strength selection when selecting hs400es
sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
vfs: deny copy_file_range() for non regular files
ext4: fix data corruption for mmap writes
ext4: Don't clear SGID when inheriting ACLs
ext4: don't allow encrypted operations without keys
f2fs: don't allow encrypted operations without keys
KVM: x86: fix singlestepping over syscall
Linux 4.9.55
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
|
88c195d638 |
lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
commit 57e7ba04d422c3d41c8426380303ec9b7533ded9 upstream. security_inode_getsecurity() provides the text string value of a security attribute. It does not provide a "secctx". The code in xattr_getsecurity() that calls security_inode_getsecurity() and then calls security_release_secctx() happened to work because SElinux and Smack treat the attribute and the secctx the same way. It fails for cap_inode_getsecurity(), because that module has no secctx that ever needs releasing. It turns out that Smack is the one that's doing things wrong by not allocating memory when instructed to do so by the "alloc" parameter. The fix is simple enough. Change the security_release_secctx() to kfree() because it isn't a secctx being returned by security_inode_getsecurity(). Change Smack to allocate the string when told to do so. Note: this also fixes memory leaks for LSMs which implement inode_getsecurity but not release_secctx, such as capabilities. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
379e3b2a6d |
Merge 4.9.53 into android-4.9
Changes in 4.9.53 cifs: release cifs root_cred after exit_cifs cifs: release auth_key.response for reconnect. fs/proc: Report eip/esp in /prod/PID/stat for coredumping mac80211: fix VLAN handling with TXQs mac80211_hwsim: Use proper TX power mac80211: flush hw_roc_start work before cancelling the ROC genirq: Make sparse_irq_lock protect what it should protect KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce() KVM: PPC: Book3S HV: Protect updates to spapr_tce_tables list tracing: Fix trace_pipe behavior for instance traces tracing: Erase irqsoff trace with empty write md/raid5: fix a race condition in stripe batch md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly drm/radeon: disable hard reset in hibernate for APUs crypto: drbg - fix freeing of resources crypto: talitos - Don't provide setkey for non hmac hashing algs. crypto: talitos - fix sha224 crypto: talitos - fix hashing security/keys: properly zero out sensitive key material in big_key security/keys: rewrite all of big_key crypto KEYS: fix writing past end of user-supplied buffer in keyring_read() KEYS: prevent creating a different user's keyrings KEYS: prevent KEYCTL_READ on negative key powerpc/pseries: Fix parent_dn reference leak in add_dt_node() powerpc/tm: Flush TM only if CPU has TM feature powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS s390/mm: fix write access check in gup_huge_pmd() PM: core: Fix device_pm_check_callbacks() Fix SMB3.1.1 guest authentication to Samba SMB3: Warn user if trying to sign connection that authenticated as guest SMB: Validate negotiate (to protect against downgrade) even if signing off SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets nl80211: check for the required netlink attributes presence bsg-lib: don't free job in bsg_prepare_job iw_cxgb4: remove the stid on listen create failure iw_cxgb4: put ep reference in pass_accept_req() selftests/seccomp: Support glibc 2.26 siginfo_t.h seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() arm64: Make sure SPsel is always set arm64: fault: Route pte translation faults via do_translation_fault KVM: VMX: extract __pi_post_block KVM: VMX: avoid double list add with VT-d posted interrupts KVM: VMX: simplify and fix vmx_vcpu_pi_load kvm/x86: Handle async PF in RCU read-side critical sections KVM: VMX: Do not BUG() on out-of-bounds guest IRQ kvm: nVMX: Don't allow L2 to access the hardware CR8 xfs: validate bdev support for DAX inode flag etnaviv: fix gem object list corruption PCI: Fix race condition with driver_override btrfs: fix NULL pointer dereference from free_reloc_roots() btrfs: propagate error to btrfs_cmp_data_prepare caller btrfs: prevent to set invalid default subvolid x86/mm: Fix fault error path using unsafe vma pointer x86/fpu: Don't let userspace set bogus xcomp_bv gfs2: Fix debugfs glocks dump timer/sysclt: Restrict timer migration sysctl values to 0 and 1 KVM: VMX: do not change SN bit in vmx_update_pi_irte() KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt cxl: Fix driver use count KVM: VMX: use cmpxchg64 video: fbdev: aty: do not leak uninitialized padding in clk to userspace swiotlb-xen: implement xen_swiotlb_dma_mmap callback Linux 4.9.53 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
dda70d28c0 |
KEYS: prevent KEYCTL_READ on negative key
commit 37863c43b2c6464f252862bf2e9768264e961678 upstream.
Because keyctl_read_key() looks up the key with no permissions
requested, it may find a negatively instantiated key. If the key is
also possessed, we went ahead and called ->read() on the key. But the
key payload will actually contain the ->reject_error rather than the
normal payload. Thus, the kernel oopses trying to read the
user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.
Fortunately the payload data is stored inline, so it shouldn't be
possible to abuse this as an arbitrary memory read primitive...
Reproducer:
keyctl new_session
keyctl request2 user desc '' @s
keyctl read $(keyctl show | awk '/user: desc/ {print $1}')
It causes a crash like the following:
BUG: unable to handle kernel paging request at 00000000ffffff92
IP: user_read+0x33/0xa0
PGD 36a54067 P4D 36a54067 PUD 0
Oops: 0000 [#1] SMP
CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
RIP: 0010:user_read+0x33/0xa0
RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
Call Trace:
keyctl_read_key+0xac/0xe0
SyS_keyctl+0x99/0x120
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f58ec787bb9
RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
CR2: 00000000ffffff92
Fixes:
|
||
|
|
bfe9d7b8e0 |
KEYS: prevent creating a different user's keyrings
commit 237bbd29f7a049d310d907f4b2716a7feef9abf3 upstream.
It was possible for an unprivileged user to create the user and user
session keyrings for another user. For example:
sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
keyctl add keyring _uid_ses.4000 "" @u
sleep 15' &
sleep 1
sudo -u '#4000' keyctl describe @u
sudo -u '#4000' keyctl describe @us
This is problematic because these "fake" keyrings won't have the right
permissions. In particular, the user who created them first will own
them and will have full access to them via the possessor permissions,
which can be used to compromise the security of a user's keys:
-4: alswrv-----v------------ 3000 0 keyring: _uid.4000
-5: alswrv-----v------------ 3000 0 keyring: _uid_ses.4000
Fix it by marking user and user session keyrings with a flag
KEY_FLAG_UID_KEYRING. Then, when searching for a user or user session
keyring by name, skip all keyrings that don't have the flag set.
Fixes:
|
||
|
|
47e8bd1965 |
KEYS: fix writing past end of user-supplied buffer in keyring_read()
commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.
Userspace can call keyctl_read() on a keyring to get the list of IDs of
keys in the keyring. But if the user-supplied buffer is too small, the
kernel would write the full list anyway --- which will corrupt whatever
userspace memory happened to be past the end of the buffer. Fix it by
only filling the space that is available.
Fixes:
|
||
|
|
0c70fb88c7 |
security/keys: rewrite all of big_key crypto
commit 428490e38b2e352812e0b765d8bceafab0ec441d upstream.
This started out as just replacing the use of crypto/rng with
get_random_bytes_wait, so that we wouldn't use bad randomness at boot
time. But, upon looking further, it appears that there were even deeper
underlying cryptographic problems, and that this seems to have been
committed with very little crypto review. So, I rewrote the whole thing,
trying to keep to the conventions introduced by the previous author, to
fix these cryptographic flaws.
It makes no sense to seed crypto/rng at boot time and then keep
using it like this, when in fact there's already get_random_bytes_wait,
which can ensure there's enough entropy and be a much more standard way
of generating keys. Since this sensitive material is being stored
untrusted, using ECB and no authentication is simply not okay at all. I
find it surprising and a bit horrifying that this code even made it past
basic crypto review, which perhaps points to some larger issues. This
patch moves from using AES-ECB to using AES-GCM. Since keys are uniquely
generated each time, we can set the nonce to zero. There was also a race
condition in which the same key would be reused at the same time in
different threads. A mutex fixes this issue now.
So, to summarize, this commit fixes the following vulnerabilities:
* Low entropy key generation, allowing an attacker to potentially
guess or predict keys.
* Unauthenticated encryption, allowing an attacker to modify the
cipher text in particular ways in order to manipulate the plaintext,
which is is even more frightening considering the next point.
* Use of ECB mode, allowing an attacker to trivially swap blocks or
compare identical plaintext blocks.
* Key re-use.
* Faulty memory zeroing.
[Note that in backporting this commit to 4.9, get_random_bytes_wait was
replaced with get_random_bytes, since 4.9 does not have the former
function. This might result in slightly worse entropy in key generation,
but common use cases of big_keys makes that likely not a huge deal. And,
this is the best we can do with this old kernel. Alas.]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
Cc: security@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
2f9be92dff |
security/keys: properly zero out sensitive key material in big_key
commit 910801809b2e40a4baedd080ef5d80b4a180e70e upstream. Error paths forgot to zero out sensitive material, so this patch changes some kfrees into a kzfrees. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Eric Biggers <ebiggers3@gmail.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kirill Marinushkin <k.marinushkin@gmail.com> Cc: security@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
0268f76e4b |
ANDROID: commoncap: Begin to warn users of implicit PARANOID_NETWORK capability grants
CAP_NET_ADMIN and CAP_NET_RAW are implicity granted to the "special" Android groups net_admin and net_raw. This is a byproduct of the init system not being able to specify capabilities back in the day, but has now been resolved and .rc files can explictly specify the capabilities to be granted to a service. Thus, we should start to remove this implict capability grant, and the first step is to warn when a process doesn't have explicit capablity but is a member of the implicitly granted group, when that capability is checked. This will allow for the PARANOID_NETWORK checks in commoncap.c to be totally removed in a future kernel. Change-Id: I6dac90e23608b6dba14a8f2049ba29ae56cb7ae4 Signed-off-by: John Stultz <john.stultz@linaro.org> |
||
|
|
598195a906 |
Merge 4.9.37 into android-4.9
Changes in 4.9.37 fs: add a VALID_OPEN_FLAGS fs: completely ignore unknown open flags driver core: platform: fix race condition with driver_override ceph: choose readdir frag based on previous readdir reply tracing/kprobes: Allow to create probe with a module name starting with a digit media: entity: Fix stream count check drm/virtio: don't leak bo on drm_gem_object_init failure usb: dwc3: replace %p with %pK USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick Add USB quirk for HVR-950q to avoid intermittent device resets usb: usbip: set buffer pointers to NULL after free usb: Fix typo in the definition of Endpoint[out]Request USB: core: fix device node leak mac80211_hwsim: Replace bogus hrtimer clockid sysctl: don't print negative flag for proc_douintvec sysctl: report EINVAL if value is larger than UINT_MAX for proc_douintvec pinctrl: qcom: ipq4019: add missing pingroups for pins > 70 pinctrl: cherryview: Add a quirk to make Acer Chromebook keyboard work again pinctrl: sh-pfc: r8a7794: Swap ATA signals pinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data pinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal pinctrl: sh-pfc: r8a7795: Fix hscif2_clk_b and hscif4_ctrl pinctrl: meson: meson8b: fix the NAND DQS pins pinctrl: stm32: Fix bad function call pinctrl: sunxi: Fix SPDIF function name for A83T pinctrl: cherryview: Add terminate entry for dmi_system_id tables pinctrl: mxs: atomically switch mux and drive strength config pinctrl: sh-pfc: r8a7791: Add missing HSCIF1 pinmux data pinctrl: sh-pfc: Update info pointer after SoC-specific init USB: serial: option: add two Longcheer device ids USB: serial: qcserial: new Sierra Wireless EM7305 device ID xhci: Limit USB2 port wake support for AMD Promontory hosts gfs2: Fix glock rhashtable rcu bug tpm: fix a kernel memory leak in tpm-sysfs.c x86/tools: Fix gcc-7 warning in relocs.c x86/uaccess: Optimize copy_user_enhanced_fast_string() for short strings ath10k: override CE5 config for QCA9377 KEYS: Fix an error code in request_master_key() crypto: drbg - Fixes panic in wait_for_completion call RDMA/uverbs: Check port number supplied by user verbs cmds rt286: add Thinkpad Helix 2 to force_combo_jack_table Linux 4.9.37 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
73a0a68779 |
KEYS: Fix an error code in request_master_key()
commit 57cb17e764ba0aaa169d07796acce54ccfbc6cae upstream.
This function has two callers and neither are able to handle a NULL
return. Really, -EINVAL is the correct thing return here anyway. This
fixes some static checker warnings like:
security/keys/encrypted-keys/encrypted.c:709 encrypted_key_decrypt()
error: uninitialized symbol 'master_key'.
Fixes:
|
||
|
|
8bdee6783c |
UPSTREAM: selinux: enable genfscon labeling for tracefs
In kernel version 4.1, tracefs was separated from debugfs into its own filesystem. Prior to this split, files in /sys/kernel/debug/tracing could be labeled during filesystem creation using genfscon or later from userspace using setxattr. This change re-enables support for genfscon labeling. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com> (cherry picked from commit 6a3911837da0a90ed599fd0a9836472f5e7ddf1b) Change-Id: I98ad8c829302346705c1abcdc8f019f479fdefb6 Bug: 62413700 |
||
|
|
da3493c028 |
Merge 4.9.32 into android-4.9
Changes in 4.9.32 bnx2x: Fix Multi-Cos vxlan: eliminate cached dst leak ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() cxgb4: avoid enabling napi twice to the same queue tcp: disallow cwnd undo when switching congestion control vxlan: fix use-after-free on deletion ipv6: Fix leak in ipv6_gso_segment(). net: ping: do not abuse udp_poll() net/ipv6: Fix CALIPSO causing GPF with datagram support net: ethoc: enable NAPI before poll may be scheduled net: stmmac: fix completely hung TX when using TSO net: bridge: start hello timer only if device is up sparc64: Add __multi3 for gcc 7.x and later. sparc64: mm: fix copy_tsb to correctly copy huge page TSBs sparc: Machine description indices can vary sparc64: reset mm cpumask after wrap sparc64: combine activate_mm and switch_mm sparc64: redefine first version sparc64: add per-cpu mm of secondary contexts sparc64: new context wrap sparc64: delete old wrap code arch/sparc: support NR_CPUS = 4096 serial: ifx6x60: fix use-after-free on module unload ptrace: Properly initialize ptracer_cred on fork crypto: asymmetric_keys - handle EBUSY due to backlog correctly KEYS: fix dereferencing NULL payload with nonzero length KEYS: fix freeing uninitialized memory in key_update() KEYS: encrypted: avoid encrypting/decrypting stack buffers crypto: drbg - wait for crypto op not signal safe crypto: gcm - wait for crypto op not signal safe drm/amdgpu/ci: disable mclk switching for high refresh rates (v2) nfsd4: fix null dereference on replay nfsd: Fix up the "supattr_exclcreat" attributes efi: Don't issue error message when booted under Xen kvm: async_pf: fix rcu_irq_enter() with irqs enabled KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation arm64: KVM: Preserve RES1 bits in SCTLR_EL2 arm64: KVM: Allow unaligned accesses at EL2 arm: KVM: Allow unaligned accesses at HYP KVM: async_pf: avoid async pf injection when in guest mode KVM: arm/arm64: vgic-v3: Do not use Active+Pending state for a HW interrupt KVM: arm/arm64: vgic-v2: Do not use Active+Pending state for a HW interrupt dmaengine: usb-dmac: Fix DMAOR AE bit definition dmaengine: ep93xx: Always start from BASE0 dmaengine: ep93xx: Don't drain the transfers in terminate_all() dmaengine: mv_xor_v2: handle mv_xor_v2_prep_sw_desc() error properly dmaengine: mv_xor_v2: properly handle wrapping in the array of HW descriptors dmaengine: mv_xor_v2: do not use descriptors not acked by async_tx dmaengine: mv_xor_v2: enable XOR engine after its configuration dmaengine: mv_xor_v2: fix tx_submit() implementation dmaengine: mv_xor_v2: remove interrupt coalescing dmaengine: mv_xor_v2: set DMA mask to 40 bits cfq-iosched: fix the delay of cfq_group's vdisktime under iops mode xen/privcmd: Support correctly 64KB page granularity when mapping memory ext4: fix SEEK_HOLE ext4: keep existing extra fields when inode expands ext4: fix data corruption with EXT4_GET_BLOCKS_ZERO ext4: fix fdatasync(2) after extent manipulation operations drm: Fix oops + Xserver hang when unplugging USB drm devices usb: gadget: f_mass_storage: Serialize wake and sleep execution usb: chipidea: udc: fix NULL pointer dereference if udc_start failed usb: chipidea: debug: check before accessing ci_role staging/lustre/lov: remove set_fs() call from lov_getstripe() iio: adc: bcm_iproc_adc: swap primary and secondary isr handler's iio: light: ltr501 Fix interchanged als/ps register field iio: proximity: as3935: fix AS3935_INT mask iio: proximity: as3935: fix iio_trigger_poll issue mei: make sysfs modalias format similar as uevent modalias cpufreq: cpufreq_register_driver() should return -ENODEV if init fails target: Re-add check to reject control WRITEs with overflow data drm/msm: Expose our reservation object when exporting a dmabuf. ahci: Acer SA5-271 SSD Not Detected Fix cgroup: Prevent kill_css() from being called more than once Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled cpuset: consider dying css as offline fs: add i_blocksize() ufs: restore proper tail allocation fix ufs_isblockset() ufs: restore maintaining ->i_blocks ufs: set correct ->s_maxsize ufs_extend_tail(): fix the braino in calling conventions of ufs_new_fragments() ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path cxl: Fix error path on bad ioctl cxl: Avoid double free_irq() for psl,slice interrupts btrfs: use correct types for page indices in btrfs_page_exists_in_range btrfs: fix memory leak in update_space_info failure path KVM: arm/arm64: Handle possible NULL stage2 pud when ageing pages scsi: qla2xxx: don't disable a not previously enabled PCI device scsi: qla2xxx: Modify T262 FW dump template to specify same start/end to debug customer issues scsi: qla2xxx: Set bit 15 for DIAG_ECHO_TEST MBC scsi: qla2xxx: Fix mailbox pointer error in fwdump capture powerpc/sysdev/simple_gpio: Fix oops in gpio save_regs function powerpc/numa: Fix percpu allocations to be NUMA aware powerpc/hotplug-mem: Fix missing endian conversion of aa_index powerpc/kernel: Fix FP and vector register restoration powerpc/kernel: Initialize load_tm on task creation perf/core: Drop kernel samples even though :u is specified drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve() drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() drm/vmwgfx: Make sure backup_handle is always valid drm/nouveau/tmr: fully separate alarm execution/pending lists ALSA: timer: Fix race between read and ioctl ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT ASoC: Fix use-after-free at card unregistration cpu/hotplug: Drop the device lock on error drivers: char: mem: Fix wraparound check to allow mappings up to the end serial: sh-sci: Fix panic when serial console and DMA are enabled arm64: traps: fix userspace cache maintenance emulation on a tagged pointer arm64: hw_breakpoint: fix watchpoint matching for tagged pointers arm64: entry: improve data abort handling of tagged pointers ARM: 8636/1: Cleanup sanity_check_meminfo ARM: 8637/1: Adjust memory boundaries after reservations usercopy: Adjust tests to deal with SMAP/PAN drm/i915/vbt: don't propagate errors from intel_bios_init() drm/i915/vbt: split out defaults that are set when there is no VBT cpufreq: schedutil: move cached_raw_freq to struct sugov_policy cpufreq: schedutil: Fix per-CPU structure initialization in sugov_start() netfilter: nft_set_rbtree: handle element re-addition after deletion Linux 4.9.32 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
d24c1c1977 |
KEYS: encrypted: avoid encrypting/decrypting stack buffers
commit e9ff56ac352446f55141aaef1553cee662b2e310 upstream. Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt stack buffers because the stack may be virtually mapped. Fix this for the padding buffers in encrypted-keys by using ZERO_PAGE for the encryption padding and by allocating a temporary heap buffer for the decryption padding. Tested with CONFIG_DEBUG_SG=y: keyctl new_session keyctl add user master "abcdefghijklmnop" @s keyid=$(keyctl add encrypted desc "new user:master 25" @s) datablob="$(keyctl pipe $keyid)" keyctl unlink $keyid keyid=$(keyctl add encrypted desc "load $datablob" @s) datablob2="$(keyctl pipe $keyid)" [ "$datablob" = "$datablob2" ] && echo "Success!" Cc: Andy Lutomirski <luto@kernel.org> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
2436976102 |
KEYS: fix freeing uninitialized memory in key_update()
commit 63a0b0509e700717a59f049ec6e4e04e903c7fe2 upstream.
key_update() freed the key_preparsed_payload even if it was not
initialized first. This would cause a crash if userspace called
keyctl_update() on a key with type like "asymmetric" that has a
->preparse() method but not an ->update() method. Possibly it could
even be triggered for other key types by racing with keyctl_setperm() to
make the KEY_NEED_WRITE check fail (the permission was already checked,
so normally it wouldn't fail there).
Reproducer with key type "asymmetric", given a valid cert.der:
keyctl new_session
keyid=$(keyctl padd asymmetric desc @s < cert.der)
keyctl setperm $keyid 0x3f000000
keyctl update $keyid data
[ 150.686666] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
[ 150.687601] IP: asymmetric_key_free_kids+0x12/0x30
[ 150.688139] PGD 38a3d067
[ 150.688141] PUD 3b3de067
[ 150.688447] PMD 0
[ 150.688745]
[ 150.689160] Oops: 0000 [#1] SMP
[ 150.689455] Modules linked in:
[ 150.689769] CPU: 1 PID: 2478 Comm: keyctl Not tainted 4.11.0-rc4-xfstests-00187-ga9f6b6b8cd2f #742
[ 150.690916] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
[ 150.692199] task: ffff88003b30c480 task.stack: ffffc90000350000
[ 150.692952] RIP: 0010:asymmetric_key_free_kids+0x12/0x30
[ 150.693556] RSP: 0018:ffffc90000353e58 EFLAGS: 00010202
[ 150.694142] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000004
[ 150.694845] RDX: ffffffff81ee3920 RSI: ffff88003d4b0700 RDI: 0000000000000001
[ 150.697569] RBP: ffffc90000353e60 R08: ffff88003d5d2140 R09: 0000000000000000
[ 150.702483] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 150.707393] R13: 0000000000000004 R14: ffff880038a4d2d8 R15: 000000000040411f
[ 150.709720] FS: 00007fcbcee35700(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
[ 150.711504] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 150.712733] CR2: 0000000000000001 CR3: 0000000039eab000 CR4: 00000000003406e0
[ 150.714487] Call Trace:
[ 150.714975] asymmetric_key_free_preparse+0x2f/0x40
[ 150.715907] key_update+0xf7/0x140
[ 150.716560] ? key_default_cmp+0x20/0x20
[ 150.717319] keyctl_update_key+0xb0/0xe0
[ 150.718066] SyS_keyctl+0x109/0x130
[ 150.718663] entry_SYSCALL_64_fastpath+0x1f/0xc2
[ 150.719440] RIP: 0033:0x7fcbce75ff19
[ 150.719926] RSP: 002b:00007ffd5d167088 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
[ 150.720918] RAX: ffffffffffffffda RBX: 0000000000404d80 RCX: 00007fcbce75ff19
[ 150.721874] RDX: 00007ffd5d16785e RSI: 000000002866cd36 RDI: 0000000000000002
[ 150.722827] RBP: 0000000000000006 R08: 000000002866cd36 R09: 00007ffd5d16785e
[ 150.723781] R10: 0000000000000004 R11: 0000000000000206 R12: 0000000000404d80
[ 150.724650] R13: 00007ffd5d16784d R14: 00007ffd5d167238 R15: 000000000040411f
[ 150.725447] Code: 83 c4 08 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 85 ff 74 23 55 48 89 e5 53 48 89 fb <48> 8b 3f e8 06 21 c5 ff 48 8b 7b 08 e8 fd 20 c5 ff 48 89 df e8
[ 150.727489] RIP: asymmetric_key_free_kids+0x12/0x30 RSP: ffffc90000353e58
[ 150.728117] CR2: 0000000000000001
[ 150.728430] ---[ end trace f7f8fe1da2d5ae8d ]---
Fixes:
|
||
|
|
1b253e023f |
KEYS: fix dereferencing NULL payload with nonzero length
commit 5649645d725c73df4302428ee4e02c869248b4c5 upstream. sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a NULL payload with nonzero length to be passed to the key type's ->preparse(), ->instantiate(), and/or ->update() methods. Various key types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did not handle this case, allowing an unprivileged user to trivially cause a NULL pointer dereference (kernel oops) if one of these key types was present. Fix it by doing the copy_from_user() when 'plen' is nonzero rather than when '_payload' is non-NULL, causing the syscall to fail with EFAULT as expected when an invalid buffer is specified. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
951d823c04 |
Merge 4.9.30 into android-4.9
Changes in 4.9.30 usb: misc: legousbtower: Fix buffers on stack usb: misc: legousbtower: Fix memory leak USB: ene_usb6250: fix DMA to the stack watchdog: pcwd_usb: fix NULL-deref at probe char: lp: fix possible integer overflow in lp_setup() USB: core: replace %p with %pK tpm_tis_core: Choose appropriate timeout for reading burstcount ALSA: hda: Fix cpu lockup when stopping the cmd dmas ARM: tegra: paz00: Mark panel regulator as enabled on boot fanotify: don't expose EOPENSTALE to userspace tpm_tis_spi: Use single function to transfer data tpm_tis_spi: Abort transfer when too many wait states are signaled tpm_tis_spi: Check correct byte for wait state indicator tpm_tis_spi: Remove limitation of transfers to MAX_SPI_FRAMESIZE bytes tpm_tis_spi: Add small delay after last transfer tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver tpm: add sleep only for retry in i2c_nuvoton_write_status() tpm_crb: check for bad response size ASoC: cs4271: configure reset GPIO as output mlx5: Fix mlx5_ib_map_mr_sg mr length infiniband: call ipv6 route lookup via the stub interface dm btree: fix for dm_btree_find_lowest_key() dm raid: select the Kconfig option CONFIG_MD_RAID0 dm bufio: avoid a possible ABBA deadlock dm bufio: check new buffer allocation watermark every 30 seconds dm mpath: split and rename activate_path() to prepare for its expanded use dm cache metadata: fail operations if fail_io mode has been established dm bufio: make the parameter "retain_bytes" unsigned long dm thin metadata: call precommit before saving the roots dm space map disk: fix some book keeping in the disk space map md: update slab_cache before releasing new stripes when stripes resizing md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop rtlwifi: rtl8821ae: setup 8812ae RFE according to device type mwifiex: MAC randomization should not be persistent mwifiex: pcie: fix cmd_buf use-after-free in remove/reset ima: accept previously set IMA_NEW_FILE KVM: x86: Fix load damaged SSEx MXCSR register KVM: x86: Fix potential preemption when get the current kvmclock timestamp KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation x86: fix 32-bit case of __get_user_asm_u64() regulator: rk808: Fix RK818 LDO2 regulator: tps65023: Fix inverted core enable logic. s390/kdump: Add final note s390/cputime: fix incorrect system time ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device ath9k_htc: fix NULL-deref at probe drm/amdgpu: Make display watermark calculations more accurate drm/amdgpu: Avoid overflows/divide-by-zero in latency_watermark calculations. drm/amdgpu: Add missing lb_vblank_lead_lines setup to DCE-6 path. drm/nouveau/therm: remove ineffective workarounds for alarm bugs drm/nouveau/tmr: ack interrupt before processing alarms drm/nouveau/tmr: fix corruption of the pending list when rescheduling an alarm drm/nouveau/tmr: avoid processing completed alarms when adding a new one drm/nouveau/tmr: handle races with hw when updating the next alarm time gpio: omap: return error if requested debounce time is not possible cdc-acm: fix possible invalid access when processing notification ohci-pci: add qemu quirk cxl: Force context lock during EEH flow cxl: Route eeh events to all drivers in cxl_pci_error_detected() proc: Fix unbalanced hard link numbers of: fix sparse warning in of_pci_range_parser_one of: fix "/cpus" reference leak in of_numa_parse_cpu_nodes() of: fdt: add missing allocation-failure check ibmvscsis: Do not send aborted task response iio: dac: ad7303: fix channel description IIO: bmp280-core.c: fix error in humidity calculation IB/hfi1: Return an error on memory allocation failure IB/hfi1: Fix a subcontext memory leak pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes() USB: serial: ftdi_sio: fix setting latency for unprivileged users USB: serial: ftdi_sio: add Olimex ARM-USB-TINY(H) PIDs USB: chaoskey: fix Alea quirk on big-endian hosts f2fs: check entire encrypted bigname when finding a dentry fscrypt: avoid collisions when presenting long encrypted filenames libnvdimm: fix clear length of nvdimm_forget_poison() xhci: remove GFP_DMA flag from allocation usb: host: xhci-plat: propagate return value of platform_get_irq() xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton usb: host: xhci-mem: allocate zeroed Scratchpad Buffer net: irda: irda-usb: fix firmware name on big-endian hosts usbvision: fix NULL-deref at probe mceusb: fix NULL-deref at probe ttusb2: limit messages to buffer size dvb-usb-dibusb-mc-common: Add MODULE_LICENSE usb: dwc3: gadget: Prevent losing events in event cache usb: musb: tusb6010_omap: Do not reset the other direction's packet size usb: musb: Fix trying to suspend while active for OTG configurations USB: iowarrior: fix info ioctl on big-endian hosts usb: serial: option: add Telit ME910 support USB: serial: qcserial: add more Lenovo EM74xx device IDs USB: serial: mct_u232: fix big-endian baud-rate handling USB: serial: io_ti: fix div-by-zero in set_termios USB: hub: fix SS hub-descriptor handling USB: hub: fix non-SS hub-descriptor handling ipx: call ipxitf_put() in ioctl error path iio: proximity: as3935: fix as3935_write iio: hid-sensor: Store restore poll and hysteresis on S3 s5p-mfc: Fix race between interrupt routine and device functions gspca: konica: add missing endpoint sanity check s5p-mfc: Fix unbalanced call to clock management dib0700: fix NULL-deref at probe zr364xx: enforce minimum size when reading header dvb-frontends/cxd2841er: define symbol_rate_min/max in T/C fe-ops digitv: limit messages to buffer size dw2102: limit messages to buffer size cx231xx-audio: fix init error path cx231xx-audio: fix NULL-deref at probe cx231xx-cards: fix NULL-deref at probe powerpc/mm: Ensure IRQs are off in switch_mm() powerpc/eeh: Avoid use after free in eeh_handle_special_event() powerpc/book3s/mce: Move add_taint() later in virtual mode powerpc/pseries: Fix of_node_put() underflow during DLPAR remove powerpc/iommu: Do not call PageTransHuge() on tail pages powerpc/64e: Fix hang when debugging programs with relocated kernel powerpc/tm: Fix FP and VMX register corruption arm64: KVM: Do not use stack-protector to compile EL2 code arm: KVM: Do not use stack-protector to compile HYP code KVM: arm: plug potential guest hardware debug leakage ARM: 8662/1: module: split core and init PLT sections ARM: 8670/1: V7M: Do not corrupt vector table around v7m_invalidate_l1 call ARM: dts: at91: sama5d3_xplained: fix ADC vref ARM: dts: at91: sama5d3_xplained: not all ADC channels are available ARM: dts: imx6sx-sdb: Remove OPP override arm64: dts: hi6220: Reset the mmc hosts arm64: xchg: hazard against entire exchange variable arm64: ensure extension of smp_store_release value arm64: armv8_deprecated: ensure extension of addr arm64: uaccess: ensure extension of access_ok() addr arm64: documentation: document tagged pointer stack constraints staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory. staging: rtl8192e: fix 2 byte alignment of register BSSIDR. staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD. staging: rtl8192e: GetTs Fix invalid TID 7 warning. iommu/vt-d: Flush the IOTLB to get rid of the initial kdump mappings metag/uaccess: Fix access_ok() metag/uaccess: Check access_ok in strncpy_from_user stackprotector: Increase the per-task stack canary's random range from 32 bits to 64 bits on 64-bit platforms uwb: fix device quirk on big-endian hosts genirq: Fix chained interrupt data ordering nvme: unmap CMB and remove sysfs file in reset path MIPS: Loongson-3: Select MIPS_L1_CACHE_SHIFT_6 osf_wait4(): fix infoleak um: Fix to call read_initrd after init_bootmem tracing/kprobes: Enforce kprobes teardown after testing PCI: hv: Allocate interrupt descriptors with GFP_ATOMIC PCI: hv: Specify CPU_AFFINITY_ALL for MSI affinity when >= 32 CPUs PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms PCI: Fix another sanity check bug in /proc/pci mmap PCI: Only allow WC mmap on prefetchable resources PCI: Freeze PME scan before suspending devices mtd: nand: orion: fix clk handling mtd: nand: omap2: Fix partition creation via cmdline mtdparts mtd: nand: add ooblayout for old hamming layout drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2 NFSv4: Fix a hang in OPEN related to server reboot NFS: Fix use after free in write error path NFS: Use GFP_NOIO for two allocations in writeback nfsd: fix undefined behavior in nfsd4_layout_verify nfsd: encoders mustn't use unitialized values in error cases drivers: char: mem: Check for address space wraparound with mmap() drm/i915/gvt: Disable access to stolen memory as a guest Linux 4.9.30 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
91034255e4 |
ima: accept previously set IMA_NEW_FILE
commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream. Modifying the attributes of a file makes ima_inode_post_setattr reset the IMA cache flags. So if the file, which has just been created, is opened a second time before the first file descriptor is closed, verification fails since the security.ima xattr has not been written yet. We therefore have to look at the IMA_NEW_FILE even if the file already existed. With this patch there should no longer be an error when cat tries to open testfile: $ rm -f testfile $ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile A file being new is no reason to accept that it is missing a digital signature demanded by the policy. Signed-off-by: Daniel Glöckner <dg@emlix.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
bae751b9ab |
Merge 4.9.25 into android-4.9
Changes in 4.9.25: KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings KEYS: Change the name of the dead type to ".dead" to prevent user access KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings tracing: Allocate the snapshot buffer before enabling probe ring-buffer: Have ring_buffer_iter_empty() return true when empty mm: prevent NR_ISOLATE_* stats from going negative cifs: Do not send echoes before Negotiate is complete CIFS: remove bad_network_name flag s390/mm: fix CMMA vs KSM vs others Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled ACPI / power: Avoid maybe-uninitialized warning mmc: sdhci-esdhc-imx: increase the pad I/O drive strength for DDR50 card ubifs: Fix RENAME_WHITEOUT support ubifs: Fix O_TMPFILE corner case in ubifs_link() mac80211: reject ToDS broadcast data frames mac80211: fix MU-MIMO follow-MAC mode ubi/upd: Always flush after prepared for an update powerpc/kprobe: Fix oops when kprobed on 'stdu' instruction x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs x86/mce: Make the MCE notifier a blocking one device-dax: switch to srcu, fix rcu_read_lock() vs pte allocation Linux 4.9.25 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
174a74dbca |
KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
commit c9f838d104fed6f2f61d68164712e3204bf5271b upstream.
This fixes CVE-2017-7472.
Running the following program as an unprivileged user exhausts kernel
memory by leaking thread keyrings:
#include <keyutils.h>
int main()
{
for (;;)
keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
}
Fix it by only creating a new thread keyring if there wasn't one before.
To make things more consistent, make install_thread_keyring_to_cred()
and install_process_keyring_to_cred() both return 0 if the corresponding
keyring is already present.
Fixes:
|
||
|
|
b2dd90e812 |
KEYS: Change the name of the dead type to ".dead" to prevent user access
commit c1644fe041ebaf6519f6809146a77c3ead9193af upstream.
This fixes CVE-2017-6951.
Userspace should not be able to do things with the "dead" key type as it
doesn't have some of the helper functions set upon it that the kernel
needs. Attempting to use it may cause the kernel to crash.
Fix this by changing the name of the type to ".dead" so that it's rejected
up front on userspace syscalls by key_get_type_from_user().
Though this doesn't seem to affect recent kernels, it does affect older
ones, certainly those prior to:
commit
|
||
|
|
a5c6e0a768 |
KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
commit ee8f844e3c5a73b999edf733df1c529d6503ec2f upstream. This fixes CVE-2016-9604. Keyrings whose name begin with a '.' are special internal keyrings and so userspace isn't allowed to create keyrings by this name to prevent shadowing. However, the patch that added the guard didn't fix KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings, it can also subscribe to them as a session keyring if they grant SEARCH permission to the user. This, for example, allows a root process to set .builtin_trusted_keys as its session keyring, at which point it has full access because now the possessor permissions are added. This permits root to add extra public keys, thereby bypassing module verification. This also affects kexec and IMA. This can be tested by (as root): keyctl session .builtin_trusted_keys keyctl add user a a @s keyctl list @s which on my test box gives me: 2 keys in keyring: 180010936: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05 801382539: --alswrv 0 0 user: a Fix this by rejecting names beginning with a '.' in the keyctl. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> cc: linux-ima-devel@lists.sourceforge.net Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
a28be72802 |
ANDROID: export security_path_chown
Signed-off-by: Daniel Rosenberg <drosen@google.com> BUG: 35142419 Change-Id: I05a9430a3c1bc624e019055175ad377290b4e774 |
||
|
|
5f835db2b5 |
ima: fix ima_d_path() possible race with rename
am:
|
||
|
|
d9cc31683a |
ima: fix ima_d_path() possible race with rename
commit bc15ed663e7e53ee4dc3e60f8d09c93a0528c694 upstream. On failure to return a pathname from ima_d_path(), a pointer to dname is returned, which is subsequently used in the IMA measurement list, the IMA audit records, and other audit logging. Saving the pointer to dname for later use has the potential to race with rename. Intead of returning a pointer to dname on failure, this patch returns a pointer to a copy of the filename. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
cb057345da |
Merge tag 'v4.9.10' into android-4.9-aosp
This is the 4.9.10 stable release |
||
|
|
6cbaf7b943 |
selinux: fix off-by-one in setprocattr
commit 0c461cb727d146c9ef2d3e86214f498b78b7d125 upstream.
SELinux tries to support setting/clearing of /proc/pid/attr attributes
from the shell by ignoring terminating newlines and treating an
attribute value that begins with a NUL or newline as an attempt to
clear the attribute. However, the test for clearing attributes has
always been wrong; it has an off-by-one error, and this could further
lead to reading past the end of the allocated buffer since commit
|
||
|
|
cd08287396 |
Merge tag 'v4.9.6' into android-4.9
This is the 4.9.6 stable release Change-Id: I318df4b9d706d50c13fe3969d734117c25fc94bc |
||
|
|
bbcd0ffae5 |
ANDROID: vfs: Add permission2 for filesystems with per mount permissions
This allows filesystems to use their mount private data to influence the permssions they return in permission2. It has been separated into a new call to avoid disrupting current permission users. Change-Id: I9d416e3b8b6eca84ef3e336bd2af89ddd51df6ca Signed-off-by: Daniel Rosenberg <drosen@google.com> |
||
|
|
d28f856d2c |
FROMLIST: security,perf: Allow further restriction of perf_event_open
When kernel.perf_event_open is set to 3 (or greater), disallow all access to performance events by users without CAP_SYS_ADMIN. Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that makes this value the default. This is based on a similar feature in grsecurity (CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making the variable read-only. It also allows enabling further restriction at run-time regardless of whether the default is changed. https://lkml.org/lkml/2016/1/11/587 Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Bug: 29054680 Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8 |
||
|
|
93f1d0b105 |
ANDROID: quick selinux support for tracefs
Here is just the quick fix for tracefs with selinux. just add tracefs to the list of whitelisted filesystem types in selinux_is_sblabel_mnt(), but the right fix would be to generalize this logic as described in the last item on the todo list, https://bitbucket.org/seandroid/wiki/wiki/ToDo Change-Id: I2aa803ccffbcd2802a7287514da7648e6b364157 Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org> |
||
|
|
122dd3c680 |
ANDROID: security: Add proper checks for Android specific capability checks
Commit b641072 ("security: Add AID_NET_RAW and AID_NET_ADMIN capability
check in cap_capable().") introduces additional checks for AID_NET_xxx
macros. Since the header file including those macros are conditionally
included, the checks should also be conditionally executed.
Change-Id: Iaec5208d5b95a46b1ac3f2db8449c661e803fa5b
Signed-off-by: Tushar Behera <tushar.behera@linaro.org>
Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
|
||
|
|
15caf71a3f |
ANDROID: security: Add AID_NET_RAW and AID_NET_ADMIN capability check in cap_capable().
Signed-off-by: Chia-chi Yeh <chiachi@android.com> |
||
|
|
825e6a0f7c |
ima: fix memory leak in ima_release_policy
commit 9a11a18902bc3b904353063763d06480620245a6 upstream.
When the "policy" securityfs file is opened for read, it is opened as a
sequential file. However, when it is eventually released, there is no
cleanup for the sequential file, therefore some memory is leaked.
This patch adds a call to seq_release() in ima_release_policy() to clean up
the memory when the file is opened for read.
Fixes:
|
||
|
|
3d40658c97 |
apparmor: fix change_hat not finding hat after policy replacement
After a policy replacement, the task cred may be out of date and need to be updated. However change_hat is using the stale profiles from the out of date cred resulting in either: a stale profile being applied or, incorrect failure when searching for a hat profile as it has been migrated to the new parent profile. Fixes: |
||
|
|
31e6ec4519 |
security/keys: make BIG_KEYS dependent on stdrng.
Since BIG_KEYS can't be compiled as module it requires one of the "stdrng"
providers to be compiled into kernel. Otherwise big_key_crypto_init() fails
on crypto_alloc_rng step and next dereference of big_key_skcipher (e.g. in
big_key_preparse()) results in a NULL pointer dereference.
Fixes:
|
||
|
|
7df3e59c3d |
KEYS: Sort out big_key initialisation
big_key has two separate initialisation functions, one that registers the
key type and one that registers the crypto. If the key type fails to
register, there's no problem if the crypto registers successfully because
there's no way to reach the crypto except through the key type.
However, if the key type registers successfully but the crypto does not,
big_key_rng and big_key_blkcipher may end up set to NULL - but the code
neither checks for this nor unregisters the big key key type.
Furthermore, since the key type is registered before the crypto, it is
theoretically possible for the kernel to try adding a big_key before the
crypto is set up, leading to the same effect.
Fix this by merging big_key_crypto_init() and big_key_init() and calling
the resulting function late. If they're going to be encrypted, we
shouldn't be creating big_keys before we have the facilities to do the
encryption available. The key type registration is also moved after the
crypto initialisation.
The fix also includes message printing on failure.
If the big_key type isn't correctly set up, simply doing:
dd if=/dev/zero bs=4096 count=1 | keyctl padd big_key a @s
ought to cause an oops.
Fixes:
|
||
|
|
03dab869b7 |
KEYS: Fix short sprintf buffer in /proc/keys show function
This fixes CVE-2016-7042. Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector is turned on, this can cause a panic due to stack corruption. The problem is that xbuf[] is not big enough to hold a 64-bit timeout rendered as weeks: (gdb) p 0xffffffffffffffffULL/(60*60*24*7) $2 = 30500568904943 That's 14 chars plus NUL, not 11 chars plus NUL. Expand the buffer to 16 chars. I think the unpatched code apparently works if the stack-protector is not enabled because on a 32-bit machine the buffer won't be overflowed and on a 64-bit machine there's a 64-bit aligned pointer at one side and an int that isn't checked again on the other side. The panic incurred looks something like: Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6 ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679 Call Trace: [<ffffffff813d941f>] dump_stack+0x63/0x84 [<ffffffff811b2cb6>] panic+0xde/0x22a [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0 [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30 [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0 [<ffffffff81350410>] ? key_validate+0x50/0x50 [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20 [<ffffffff8126b31c>] seq_read+0x2cc/0x390 [<ffffffff812b6b12>] proc_reg_read+0x42/0x70 [<ffffffff81244fc7>] __vfs_read+0x37/0x150 [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0 [<ffffffff81246156>] vfs_read+0x96/0x130 [<ffffffff81247635>] SyS_read+0x55/0xc0 [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4 Reported-by: Ondrej Kozina <okozina@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Ondrej Kozina <okozina@redhat.com> cc: stable@vger.kernel.org Signed-off-by: James Morris <james.l.morris@oracle.com> |
||
|
|
86c5bf7101 |
Merge branch 'mm-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull vmap stack fixes from Ingo Molnar: "This is fallout from CONFIG_HAVE_ARCH_VMAP_STACK=y on x86: stack accesses that used to be just somewhat questionable are now totally buggy. These changes try to do it without breaking the ABI: the fields are left there, they are just reporting zero, or reporting narrower information (the maps file change)" * 'mm-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: mm: Change vm_is_stack_for_task() to vm_is_stack_for_current() fs/proc: Stop trying to report thread stacks fs/proc: Stop reporting eip and esp in /proc/PID/stat mm/numa: Remove duplicated include from mprotect.c |
||
|
|
d17af5056c |
mm: Change vm_is_stack_for_task() to vm_is_stack_for_current()
Asking for a non-current task's stack can't be done without races unless the task is frozen in kernel mode. As far as I know, vm_is_stack_for_task() never had a safe non-current use case. The __unused annotation is because some KSTK_ESP implementations ignore their parameter, which IMO is further justification for this patch. Signed-off-by: Andy Lutomirski <luto@kernel.org> Acked-by: Thomas Gleixner <tglx@linutronix.de> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Jann Horn <jann@thejh.net> Cc: Kees Cook <keescook@chromium.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Linux API <linux-api@vger.kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Tycho Andersen <tycho.andersen@canonical.com> Link: http://lkml.kernel.org/r/4c3f68f426e6c061ca98b4fc7ef85ffbb0a25b0c.1475257877.git.luto@kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org> |