1. 18 Apr, 2016 34 commits
  2. 13 Apr, 2016 6 commits
    • Vasily Kulikov's avatar
      include/linux/poison.h: fix LIST_POISON{1,2} offset · 46460a03
      Vasily Kulikov authored
      [ Upstream commit 8a5e5e02 ]
      
      Poison pointer values should be small enough to find a room in
      non-mmap'able/hardly-mmap'able space.  E.g.  on x86 "poison pointer space"
      is located starting from 0x0.  Given unprivileged users cannot mmap
      anything below mmap_min_addr, it should be safe to use poison pointers
      lower than mmap_min_addr.
      
      The current poison pointer values of LIST_POISON{1,2} might be too big for
      mmap_min_addr values equal or less than 1 MB (common case, e.g.  Ubuntu
      uses only 0x10000).  There is little point to use such a big value given
      the "poison pointer space" below 1 MB is not yet exhausted.  Changing it
      to a smaller value solves the problem for small mmap_min_addr setups.
      
      The values are suggested by Solar Designer:
      http://www.openwall.com/lists/oss-security/2015/05/02/6Signed-off-by: default avatarVasily Kulikov <segoon@openwall.com>
      Cc: Solar Designer <solar@openwall.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      46460a03
    • David Howells's avatar
      KEYS: Fix handling of stored error in a negatively instantiated user key · d979e967
      David Howells authored
      [ Upstream commit 096fe9ea ]
      
      If a user key gets negatively instantiated, an error code is cached in the
      payload area.  A negatively instantiated key may be then be positively
      instantiated by updating it with valid data.  However, the ->update key
      type method must be aware that the error code may be there.
      
      The following may be used to trigger the bug in the user key type:
      
          keyctl request2 user user "" @u
          keyctl add user user "a" @u
      
      which manifests itself as:
      
      	BUG: unable to handle kernel paging request at 00000000ffffff8a
      	IP: [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
      	PGD 7cc30067 PUD 0
      	Oops: 0002 [#1] SMP
      	Modules linked in:
      	CPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      	task: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000
      	RIP: 0010:[<ffffffff810a376f>]  [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280
      	 [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
      	RSP: 0018:ffff88003dd8bdb0  EFLAGS: 00010246
      	RAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001
      	RDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82
      	RBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000
      	R10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82
      	R13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700
      	FS:  0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000
      	CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      	CR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0
      	Stack:
      	 ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82
      	 ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5
      	 ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 ffff88007d027620
      	Call Trace:
      	 [<ffffffff810a39e5>] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136
      	 [<ffffffff812a31ab>] user_update+0x8b/0xb0 security/keys/user_defined.c:129
      	 [<     inline     >] __key_update security/keys/key.c:730
      	 [<ffffffff8129e5c1>] key_create_or_update+0x291/0x440 security/keys/key.c:908
      	 [<     inline     >] SYSC_add_key security/keys/keyctl.c:125
      	 [<ffffffff8129fc21>] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60
      	 [<ffffffff8185f617>] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185
      
      Note the error code (-ENOKEY) in EDX.
      
      A similar bug can be tripped by:
      
          keyctl request2 trusted user "" @u
          keyctl add trusted user "a" @u
      
      This should also affect encrypted keys - but that has to be correctly
      parameterised or it will fail with EINVAL before getting to the bit that
      will crashes.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d979e967
    • Andrew Honig's avatar
      KVM: x86: Reload pit counters for all channels when restoring state · 90352f3f
      Andrew Honig authored
      [ Upstream commit 0185604c ]
      
      Currently if userspace restores the pit counters with a count of 0
      on channels 1 or 2 and the guest attempts to read the count on those
      channels, then KVM will perform a mod of 0 and crash.  This will ensure
      that 0 values are converted to 65536 as per the spec.
      
      This is CVE-2015-7513.
      Signed-off-by: default avatarAndy Honig <ahonig@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      90352f3f
    • Roman Gushchin's avatar
      fuse: break infinite loop in fuse_fill_write_pages() · ea44bf73
      Roman Gushchin authored
      [ Upstream commit 3ca8138f ]
      
      I got a report about unkillable task eating CPU. Further
      investigation shows, that the problem is in the fuse_fill_write_pages()
      function. If iov's first segment has zero length, we get an infinite
      loop, because we never reach iov_iter_advance() call.
      
      Fix this by calling iov_iter_advance() before repeating an attempt to
      copy data from userspace.
      
      A similar problem is described in 124d3b70 ("fix writev regression:
      pan hanging unkillable and un-straceable"). If zero-length segmend
      is followed by segment with invalid address,
      iov_iter_fault_in_readable() checks only first segment (zero-length),
      iov_iter_copy_from_user_atomic() skips it, fails at second and
      returns zero -> goto again without skipping zero-length segment.
      
      Patch calls iov_iter_advance() before goto again: we'll skip zero-length
      segment at second iteraction and iov_iter_fault_in_readable() will detect
      invalid address.
      
      Special thanks to Konstantin Khlebnikov, who helped a lot with the commit
      description.
      
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Maxim Patlasov <mpatlasov@parallels.com>
      Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarRoman Gushchin <klamm@yandex-team.ru>
      Signed-off-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Fixes: ea9b9907 ("fuse: implement perform_write")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      ea44bf73
    • Miklos Szeredi's avatar
      ovl: fix permission checking for setattr · 2cadb57d
      Miklos Szeredi authored
      [ Upstream commit acff81ec ]
      
      [Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()
      away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"
      (with the former being always safe and the latter failing in case of
      insufficient permissions) it tries to combine these two.  Note that copyup
      itself will have to do ->setattr() anyway; _that_ is where the elevated
      capabilities are right.  Having these two ->setattr() (one to set verbatim
      copy of metadata, another to do what overlayfs ->setattr() had been asked
      to do in the first place) combined is where it breaks.
      Signed-off-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      2cadb57d
    • James Hogan's avatar
      MIPS: smp.c: Fix uninitialised temp_foreign_map · 50d93d38
      James Hogan authored
      [ Upstream commit d825c06b ]
      
      When calculate_cpu_foreign_map() recalculates the cpu_foreign_map
      cpumask it uses the local variable temp_foreign_map without initialising
      it to zero. Since the calculation only ever sets bits in this cpumask
      any existing bits at that memory location will remain set and find their
      way into cpu_foreign_map too. This could potentially lead to cache
      operations suboptimally doing smp calls to multiple VPEs in the same
      core, even though the VPEs share primary caches.
      
      Therefore initialise temp_foreign_map using cpumask_clear() before use.
      
      Fixes: cccf34e9 ("MIPS: c-r4k: Fix cache flushing for MT cores")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Paul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/12759/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      50d93d38