Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux')
6 files changed, 294 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-3566.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-3566.patch
new file mode 100644
index 000000000..a7d91c7c2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-3566.patch
@@ -0,0 +1,127 @@
+From f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Thu, 6 Oct 2022 11:53:49 -0700
+Subject: tcp: Fix data races around icsk->icsk_af_ops.
+
+setsockopt(IPV6_ADDRFORM) and tcp_v6_connect() change icsk->icsk_af_ops
+under lock_sock(), but tcp_(get|set)sockopt() read it locklessly. To
+avoid load/store tearing, we need to add READ_ONCE() and WRITE_ONCE()
+for the reads and writes.
+
+Thanks to Eric Dumazet for providing the syzbot report:
+
+BUG: KCSAN: data-race in tcp_setsockopt / tcp_v6_connect
+
+write to 0xffff88813c624518 of 8 bytes by task 23936 on cpu 0:
+tcp_v6_connect+0x5b3/0xce0 net/ipv6/tcp_ipv6.c:240
+__inet_stream_connect+0x159/0x6d0 net/ipv4/af_inet.c:660
+inet_stream_connect+0x44/0x70 net/ipv4/af_inet.c:724
+__sys_connect_file net/socket.c:1976 [inline]
+__sys_connect+0x197/0x1b0 net/socket.c:1993
+__do_sys_connect net/socket.c:2003 [inline]
+__se_sys_connect net/socket.c:2000 [inline]
+__x64_sys_connect+0x3d/0x50 net/socket.c:2000
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read to 0xffff88813c624518 of 8 bytes by task 23937 on cpu 1:
+tcp_setsockopt+0x147/0x1c80 net/ipv4/tcp.c:3789
+sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3585
+__sys_setsockopt+0x212/0x2b0 net/socket.c:2252
+__do_sys_setsockopt net/socket.c:2263 [inline]
+__se_sys_setsockopt net/socket.c:2260 [inline]
+__x64_sys_setsockopt+0x62/0x70 net/socket.c:2260
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0xffffffff8539af68 -> 0xffffffff8539aff8
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 23937 Comm: syz-executor.5 Not tainted
+6.0.0-rc4-syzkaller-00331-g4ed9c1e971b1-dirty #0
+
+Hardware name: Google Google Compute Engine/Google Compute Engine,
+BIOS Google 08/26/2022
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ net/ipv4/tcp.c | 10 ++++++----
+ net/ipv6/ipv6_sockglue.c | 3 ++-
+ net/ipv6/tcp_ipv6.c | 6 ++++--
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index f5c336f8b0c8..c86d27d653be 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3652,8 +3652,9 @@ int tcp_setsockopt(struct sock *sk, int level, int optname, sockptr_t optval,
+ const struct inet_connection_sock *icsk = inet_csk(sk);
+
+ if (level != SOL_TCP)
+- return icsk->icsk_af_ops->setsockopt(sk, level, optname,
+- optval, optlen);
++ /* Paired with WRITE_ONCE() in do_ipv6_setsockopt() and tcp_v6_connect() */
++ return READ_ONCE(icsk->icsk_af_ops)->setsockopt(sk, level, optname,
++ optval, optlen);
+ return do_tcp_setsockopt(sk, level, optname, optval, optlen);
+ }
+ EXPORT_SYMBOL(tcp_setsockopt);
+@@ -4248,8 +4249,9 @@ int tcp_getsockopt(struct sock *sk, int level, int optname, char __user *optval,
+ struct inet_connection_sock *icsk = inet_csk(sk);
+
+ if (level != SOL_TCP)
+- return icsk->icsk_af_ops->getsockopt(sk, level, optname,
+- optval, optlen);
++ /* Paired with WRITE_ONCE() in do_ipv6_setsockopt() and tcp_v6_connect() */
++ return READ_ONCE(icsk->icsk_af_ops)->getsockopt(sk, level, optname,
++ optval, optlen);
+ return do_tcp_getsockopt(sk, level, optname, optval, optlen);
+ }
+ EXPORT_SYMBOL(tcp_getsockopt);
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+index e4bdb09c5586..cd4fd98fb68e 100644
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -474,7 +474,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
+ sock_prot_inuse_add(net, &tcp_prot, 1);
+ local_bh_enable();
+ sk->sk_prot = &tcp_prot;
+- icsk->icsk_af_ops = &ipv4_specific;
++ /* Paired with READ_ONCE() in tcp_(get|set)sockopt() */
++ WRITE_ONCE(icsk->icsk_af_ops, &ipv4_specific);
+ sk->sk_socket->ops = &inet_stream_ops;
+ sk->sk_family = PF_INET;
+ tcp_sync_mss(sk, icsk->icsk_pmtu_cookie);
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index b03dd02c9f13..7844f4dfbee1 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -237,7 +237,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
+ sin.sin_port = usin->sin6_port;
+ sin.sin_addr.s_addr = usin->sin6_addr.s6_addr32[3];
+
+- icsk->icsk_af_ops = &ipv6_mapped;
++ /* Paired with READ_ONCE() in tcp_(get|set)sockopt() */
++ WRITE_ONCE(icsk->icsk_af_ops, &ipv6_mapped);
+ if (sk_is_mptcp(sk))
+ mptcpv6_handle_mapped(sk, true);
+ sk->sk_backlog_rcv = tcp_v4_do_rcv;
+@@ -249,7 +250,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
+
+ if (err) {
+ icsk->icsk_ext_hdr_len = exthdrlen;
+- icsk->icsk_af_ops = &ipv6_specific;
++ /* Paired with READ_ONCE() in tcp_(get|set)sockopt() */
++ WRITE_ONCE(icsk->icsk_af_ops, &ipv6_specific);
+ if (sk_is_mptcp(sk))
+ mptcpv6_handle_mapped(sk, false);
+ sk->sk_backlog_rcv = tcp_v6_do_rcv;
+--
+2.34.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2156.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2156.patch
new file mode 100644
index 000000000..3ab2ef7c0
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2156.patch
@@ -0,0 +1,39 @@
+From 4e006c7a6dac0ead4c1bf606000aa90a372fc253 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Mon, 17 Apr 2023 09:00:52 -0400
+Subject: [PATCH] net: rpl: fix rpl header size calculation
+
+This patch fixes a missing 8 byte for the header size calculation. The
+ipv6_rpl_srh_size() is used to check a skb_pull() on skb->data which
+points to skb_transport_header(). Currently we only check on the
+calculated addresses fields using CmprI and CmprE fields, see:
+
+https://www.rfc-editor.org/rfc/rfc6554#section-3
+
+there is however a missing 8 byte inside the calculation which stands
+for the fields before the addresses field. Those 8 bytes are represented
+by sizeof(struct ipv6_rpl_sr_hdr) expression.
+
+Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Reported-by: maxpl0it <maxpl0it@protonmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/rpl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/rpl.c b/net/ipv6/rpl.c
+index 488aec9e1a74f3..d1876f19222552 100644
+--- a/net/ipv6/rpl.c
++++ b/net/ipv6/rpl.c
+@@ -32,7 +32,8 @@ static void *ipv6_rpl_segdata_pos(const struct ipv6_rpl_sr_hdr *hdr, int i)
+ size_t ipv6_rpl_srh_size(unsigned char n, unsigned char cmpri,
+ unsigned char cmpre)
+ {
+- return (n * IPV6_PFXTAIL_LEN(cmpri)) + IPV6_PFXTAIL_LEN(cmpre);
++ return sizeof(struct ipv6_rpl_sr_hdr) + (n * IPV6_PFXTAIL_LEN(cmpri)) +
++ IPV6_PFXTAIL_LEN(cmpre);
+ }
+
+ void ipv6_rpl_srh_decompress(struct ipv6_rpl_sr_hdr *outhdr,
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-3161.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-3161.patch
new file mode 100644
index 000000000..11c8cf418
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-3161.patch
@@ -0,0 +1,52 @@
+From 2b09d5d364986f724f17001ccfe4126b9b43a0be Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Sun, 29 Jan 2023 16:17:40 +0100
+Subject: [PATCH] fbcon: Check font dimension limits
+
+blit_x and blit_y are u32, so fbcon currently cannot support fonts
+larger than 32x32.
+
+The 32x32 case also needs shifting an unsigned int, to properly set bit
+31, otherwise we get "UBSAN: shift-out-of-bounds in fbcon_set_font",
+as reported on:
+
+http://lore.kernel.org/all/IA1PR07MB98308653E259A6F2CE94A4AFABCE9@IA1PR07MB9830.namprd07.prod.outlook.com
+Kernel Branch: 6.2.0-rc5-next-20230124
+Kernel config: https://drive.google.com/file/d/1F-LszDAizEEH0ZX0HcSR06v5q8FPl2Uv/view?usp=sharing
+Reproducer: https://drive.google.com/file/d/1mP1jcLBY7vWCNM60OMf-ogw-urQRjNrm/view?usp=sharing
+
+Reported-by: Sanan Hasanov <sanan.hasanov@Knights.ucf.edu>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Fixes: 2d2699d98492 ("fbcon: font setting should check limitation of driver")
+Cc: stable@vger.kernel.org
+Tested-by: Miko Larsson <mikoxyzzz@gmail.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+---
+ drivers/video/fbdev/core/fbcon.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
+index 22bb3892f6bd..74f508ec8d4c 100644
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -2434,11 +2434,13 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font,
+ * If not this check should be changed to charcount < 256 */
+ if (charcount != 256 && charcount != 512)
+ return -EINVAL;
++ if (font->width > 32 || font->height > 32)
++ return -EINVAL;
+
+ /* Make sure drawing engine can handle the font */
+- if (!(info->pixmap.blit_x & (1 << (font->width - 1))) ||
+- !(info->pixmap.blit_y & (1 << (font->height - 1))))
+- return -EINVAL;
++ if (!(info->pixmap.blit_x & BIT(font->width - 1)) ||
++ !(info->pixmap.blit_y & BIT(font->height - 1)))
++ return -EINVAL;
+
+ /* Make sure driver can handle the font length */
+ if (fbcon_invalid_charcount(info, charcount))
+--
+2.34.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-3355.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-3355.patch
new file mode 100644
index 000000000..c09b3c5d8
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-3355.patch
@@ -0,0 +1,36 @@
+From d839f0811a31322c087a859c2b181e2383daa7be Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Mon, 12 Dec 2022 17:11:17 +0800
+Subject: drm/msm/gem: Add check for kmalloc
+
+Add the check for the return value of kmalloc in order to avoid
+NULL pointer dereference in copy_from_user.
+
+Fixes: 20224d715a88 ("drm/msm/submit: Move copy_from_user ahead of locking bos")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/514678/
+Link: https://lore.kernel.org/r/20221212091117.43511-1-jiasheng@iscas.ac.cn
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index 45a3e5cadc7da..7c2cc1262c05d 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -209,6 +209,10 @@ static int submit_lookup_cmds(struct msm_gem_submit *submit,
+ goto out;
+ }
+ submit->cmd[i].relocs = kmalloc(sz, GFP_KERNEL);
++ if (!submit->cmd[i].relocs) {
++ ret = -ENOMEM;
++ goto out;
++ }
+ ret = copy_from_user(submit->cmd[i].relocs, userptr, sz);
+ if (ret) {
+ ret = -EFAULT;
+--
+cgit
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-3357.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-3357.patch
new file mode 100644
index 000000000..722b71f3a
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-3357.patch
@@ -0,0 +1,35 @@
+From 53ffa6a9f83b2170c60591da1ead8791d5a42e81 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Tue, 20 Dec 2022 10:49:21 +0800
+Subject: HID: amd_sfh: Add missing check for dma_alloc_coherent
+
+Add check for the return value of the dma_alloc_coherent since
+it may return NULL pointer if allocation fails.
+
+Fixes: 4b2c53d93a4b ("SFH:Transport Driver to add support of AMD Sensor Fusion Hub (SFH)")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Acked-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/20221220024921.21992-1-jiasheng@iscas.ac.cn
+---
+ drivers/hid/amd-sfh-hid/amd_sfh_client.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_client.c b/drivers/hid/amd-sfh-hid/amd_sfh_client.c
+index 8275bba636119..ab125f79408f2 100644
+--- a/drivers/hid/amd-sfh-hid/amd_sfh_client.c
++++ b/drivers/hid/amd-sfh-hid/amd_sfh_client.c
+@@ -237,6 +237,10 @@ int amd_sfh_hid_client_init(struct amd_mp2_dev *privdata)
+ in_data->sensor_virt_addr[i] = dma_alloc_coherent(dev, sizeof(int) * 8,
+ &cl_data->sensor_dma_addr[i],
+ GFP_KERNEL);
++ if (!in_data->sensor_virt_addr[i]) {
++ rc = -ENOMEM;
++ goto cleanup;
++ }
+ cl_data->sensor_sts[i] = SENSOR_DISABLED;
+ cl_data->sensor_requested_cnt[i] = 0;
+ cl_data->cur_hid_dev = i;
+--
+cgit
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend
index b3b22b408..54ddf246e 100644
--- a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend
@@ -68,6 +68,11 @@ SRC_URI += " \
 file://0005-ext4-add-EXT4_INODE_HAS_XATTR_SPACE-macro-in-xattr-h.patch \
 file://CVE-2023-2513.patch \
 file://CVE-2023-2269.patch \
+ file://CVE-2023-2156.patch \
+ file://CVE-2023-3355.patch \
+ file://CVE-2023-3357.patch \
+ file://CVE-2022-3566.patch \
+ file://CVE-2023-3161.patch \
 "
 SRC_URI += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', 'file://1000-128MB-flashmap-for-PFR.patch', '', d)}"
 SRC_URI += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', 'file://debug.cfg', '', d)}" |
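Review bot: The five new SRC_URI entries are in no discernible order, with `file://CVE-2022-3566.patch \` sitting between the CVE-2023 lines; since this list is the one place a reviewer checks which CVE backports the layer carries, keeping it sorted by CVE id (moving the 2022 entry ahead of the `CVE-2023-*` lines, and the existing `CVE-2023-2269` before `CVE-2023-2513`) makes later audits cheaper. Two of the added backports, CVE-2023-3355 (drivers/gpu/drm/msm) and CVE-2023-3357 (drivers/hid/amd-sfh-hid), patch drivers that, as far as this diff shows, are unlikely to be enabled in an ASPEED BMC kernel; they still apply to the source tree so the build is unaffected, but it is worth recording in the recipe or commit why they are carried so the next person does not have to re-derive whether those subsystems are built. The backported CVE-2022-3566 and CVE-2023-2156 changes touch the TCP/IPv6 stack the BMC does use, so those are the ones a build test of this change should exercise.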