Diffstat (limited to 'debian/patches')
6 files changed, 181 insertions, 607 deletions
diff --git a/debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch b/debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
deleted file mode 100644
index a6e35b7f2..000000000
--- a/debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From: Florian Westphal <fw@strlen.de> -Date: Sat, 20 Jan 2024 22:50:04 +0100 -Subject: netfilter: nf_tables: reject QUEUE/DROP verdict parameters -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=11351dcb86e3eec82492e20a63bb36f5a340dc85 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-1086 - -commit f342de4e2f33e0e39165d8639387aa6c19dff660 upstream. - -This reverts commit e0abdadcc6e1. - -core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP -verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar, -or 0. - -Due to the reverted commit, its possible to provide a positive -value, e.g. NF_ACCEPT (1), which results in use-after-free. - -Its not clear to me why this commit was made. - -NF_QUEUE is not used by nftables; "queue" rules in nftables -will result in use of "nft_queue" expression. - -If we later need to allow specifiying errno values from userspace -(do not know why), this has to call NF_DROP_GETERR and check that -"err <= 0" holds true. 
- -Fixes: e0abdadcc6e1 ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters") -Cc: stable@vger.kernel.org -Reported-by: Notselwyn <notselwyn@pwning.tech> -Signed-off-by: Florian Westphal <fw@strlen.de> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - net/netfilter/nf_tables_api.c | 16 ++++++---------- - 1 file changed, 6 insertions(+), 10 deletions(-) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index 0d0b76a5ddfa..f586e8b3c6cf 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -9340,16 +9340,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, - data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); - - switch (data->verdict.code) { -- default: -- switch (data->verdict.code & NF_VERDICT_MASK) { -- case NF_ACCEPT: -- case NF_DROP: -- case NF_QUEUE: -- break; -- default: -- return -EINVAL; -- } -- fallthrough; -+ case NF_ACCEPT: -+ case NF_DROP: -+ case NF_QUEUE: -+ break; - case NFT_CONTINUE: - case NFT_BREAK: - case NFT_RETURN: -@@ -9384,6 +9378,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, - - data->verdict.chain = chain; - break; -+ default: -+ return -EINVAL; - } - - desc->len = sizeof(data->verdict); --- -2.43.0 - diff --git a/debian/patches/bugfix/all/smb3-Replace-smb2pdu-1-element-arrays-with-flex-arra.patch b/debian/patches/bugfix/all/smb3-Replace-smb2pdu-1-element-arrays-with-flex-arra.patch deleted file mode 100644 index bc4e28488..000000000 --- a/debian/patches/bugfix/all/smb3-Replace-smb2pdu-1-element-arrays-with-flex-arra.patch +++ /dev/null 
@@ -1,375 +0,0 @@ -From: Kees Cook <keescook@chromium.org> -Date: Fri, 26 Jan 2024 22:31:43 +0300 -Subject: smb3: Replace smb2pdu 1-element arrays with flex-arrays -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=06aa6eff7b243891c631b40852a0c453e274955d - -commit eb3e28c1e89b4984308777231887e41aa8a0151f upstream. - -The kernel is globally removing the ambiguous 0-length and 1-element -arrays in favor of flexible arrays, so that we can gain both compile-time -and run-time array bounds checking[1]. - -Replace the trailing 1-element array with a flexible array in the -following structures: - - struct smb2_err_rsp - struct smb2_tree_connect_req - struct smb2_negotiate_rsp - struct smb2_sess_setup_req - struct smb2_sess_setup_rsp - struct smb2_read_req - struct smb2_read_rsp - struct smb2_write_req - struct smb2_write_rsp - struct smb2_query_directory_req - struct smb2_query_directory_rsp - struct smb2_set_info_req - struct smb2_change_notify_rsp - struct smb2_create_rsp - struct smb2_query_info_req - struct smb2_query_info_rsp - -Replace the trailing 1-element array with a flexible array, but leave -the existing structure padding: - - struct smb2_file_all_info - struct smb2_lock_req - -Adjust all related size calculations to match the changes to sizeof(). - -No machine code output or .data section differences are produced after -these changes. 
- -[1] For lots of details, see both: - https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays - https://people.kernel.org/kees/bounded-flexible-arrays-in-c - -Cc: Steve French <sfrench@samba.org> -Cc: Paulo Alcantara <pc@cjr.nz> -Cc: Ronnie Sahlberg <lsahlber@redhat.com> -Cc: Shyam Prasad N <sprasad@microsoft.com> -Cc: Tom Talpey <tom@talpey.com> -Cc: Namjae Jeon <linkinjeon@kernel.org> -Cc: Sergey Senozhatsky <senozhatsky@chromium.org> -Cc: linux-cifs@vger.kernel.org -Cc: samba-technical@lists.samba.org -Reviewed-by: Namjae Jeon <linkinjeon@kernel.org> -Signed-off-by: Kees Cook <keescook@chromium.org> -Signed-off-by: Steve French <stfrench@microsoft.com> -Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - fs/cifs/smb2misc.c | 2 +- - fs/cifs/smb2ops.c | 14 +++++++------- - fs/cifs/smb2pdu.c | 13 ++++++------- - fs/cifs/smb2pdu.h | 42 ++++++++++++++++++++++++------------------ - 4 files changed, 38 insertions(+), 33 deletions(-) - -diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c -index b98bba887f84..660e00eb4206 100644 ---- a/fs/cifs/smb2misc.c -+++ b/fs/cifs/smb2misc.c -@@ -117,7 +117,7 @@ static __u32 get_neg_ctxt_len(struct smb2_sync_hdr *hdr, __u32 len, - } else if (nc_offset + 1 == non_ctxlen) { - cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n"); - size_of_pad_before_neg_ctxts = 0; -- } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE) -+ } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE + 1) - /* has padding, but no SPNEGO blob */ - size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1; - else -diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c -index 26edaeb4245d..84850a55c8b7 100644 ---- a/fs/cifs/smb2ops.c -+++ b/fs/cifs/smb2ops.c -@@ -5561,7 +5561,7 @@ struct smb_version_values smb20_values = { - .header_size = sizeof(struct smb2_sync_hdr), - .header_preamble_size = 0, - .max_header_size = MAX_SMB2_HDR_SIZE, -- .read_rsp_size = 
sizeof(struct smb2_read_rsp) - 1, -+ .read_rsp_size = sizeof(struct smb2_read_rsp), - .lock_cmd = SMB2_LOCK, - .cap_unix = 0, - .cap_nt_find = SMB2_NT_FIND, -@@ -5583,7 +5583,7 @@ struct smb_version_values smb21_values = { - .header_size = sizeof(struct smb2_sync_hdr), - .header_preamble_size = 0, - .max_header_size = MAX_SMB2_HDR_SIZE, -- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, -+ .read_rsp_size = sizeof(struct smb2_read_rsp), - .lock_cmd = SMB2_LOCK, - .cap_unix = 0, - .cap_nt_find = SMB2_NT_FIND, -@@ -5604,7 +5604,7 @@ struct smb_version_values smb3any_values = { - .header_size = sizeof(struct smb2_sync_hdr), - .header_preamble_size = 0, - .max_header_size = MAX_SMB2_HDR_SIZE, -- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, -+ .read_rsp_size = sizeof(struct smb2_read_rsp), - .lock_cmd = SMB2_LOCK, - .cap_unix = 0, - .cap_nt_find = SMB2_NT_FIND, -@@ -5625,7 +5625,7 @@ struct smb_version_values smbdefault_values = { - .header_size = sizeof(struct smb2_sync_hdr), - .header_preamble_size = 0, - .max_header_size = MAX_SMB2_HDR_SIZE, -- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, -+ .read_rsp_size = sizeof(struct smb2_read_rsp), - .lock_cmd = SMB2_LOCK, - .cap_unix = 0, - .cap_nt_find = SMB2_NT_FIND, -@@ -5646,7 +5646,7 @@ struct smb_version_values smb30_values = { - .header_size = sizeof(struct smb2_sync_hdr), - .header_preamble_size = 0, - .max_header_size = MAX_SMB2_HDR_SIZE, -- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, -+ .read_rsp_size = sizeof(struct smb2_read_rsp), - .lock_cmd = SMB2_LOCK, - .cap_unix = 0, - .cap_nt_find = SMB2_NT_FIND, -@@ -5667,7 +5667,7 @@ struct smb_version_values smb302_values = { - .header_size = sizeof(struct smb2_sync_hdr), - .header_preamble_size = 0, - .max_header_size = MAX_SMB2_HDR_SIZE, -- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, -+ .read_rsp_size = sizeof(struct smb2_read_rsp), - .lock_cmd = SMB2_LOCK, - .cap_unix = 0, - .cap_nt_find = SMB2_NT_FIND, -@@ -5688,7 +5688,7 @@ struct 
smb_version_values smb311_values = { - .header_size = sizeof(struct smb2_sync_hdr), - .header_preamble_size = 0, - .max_header_size = MAX_SMB2_HDR_SIZE, -- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, -+ .read_rsp_size = sizeof(struct smb2_read_rsp), - .lock_cmd = SMB2_LOCK, - .cap_unix = 0, - .cap_nt_find = SMB2_NT_FIND, -diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c -index 76679dc4e632..4aec01841f0f 100644 ---- a/fs/cifs/smb2pdu.c -+++ b/fs/cifs/smb2pdu.c -@@ -1261,7 +1261,7 @@ SMB2_sess_sendreceive(struct SMB2_sess_data *sess_data) - - /* Testing shows that buffer offset must be at location of Buffer[0] */ - req->SecurityBufferOffset = -- cpu_to_le16(sizeof(struct smb2_sess_setup_req) - 1 /* pad */); -+ cpu_to_le16(sizeof(struct smb2_sess_setup_req)); - req->SecurityBufferLength = cpu_to_le16(sess_data->iov[1].iov_len); - - memset(&rqst, 0, sizeof(struct smb_rqst)); -@@ -1760,8 +1760,7 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree, - iov[0].iov_len = total_len - 1; - - /* Testing shows that buffer offset must be at location of Buffer[0] */ -- req->PathOffset = cpu_to_le16(sizeof(struct smb2_tree_connect_req) -- - 1 /* pad */); -+ req->PathOffset = cpu_to_le16(sizeof(struct smb2_tree_connect_req)); - req->PathLength = cpu_to_le16(unc_path_len - 2); - iov[1].iov_base = unc_path; - iov[1].iov_len = unc_path_len; -@@ -4676,7 +4675,7 @@ int SMB2_query_directory_init(const unsigned int xid, - memcpy(bufptr, &asteriks, len); - - req->FileNameOffset = -- cpu_to_le16(sizeof(struct smb2_query_directory_req) - 1); -+ cpu_to_le16(sizeof(struct smb2_query_directory_req)); - req->FileNameLength = cpu_to_le16(len); - /* - * BB could be 30 bytes or so longer if we used SMB2 specific -@@ -4873,7 +4872,7 @@ SMB2_set_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server, - req->AdditionalInformation = cpu_to_le32(additional_info); - - req->BufferOffset = -- cpu_to_le16(sizeof(struct smb2_set_info_req) - 1); -+ 
cpu_to_le16(sizeof(struct smb2_set_info_req)); - req->BufferLength = cpu_to_le32(*size); - - memcpy(req->Buffer, *data, *size); -@@ -5105,9 +5104,9 @@ build_qfs_info_req(struct kvec *iov, struct cifs_tcon *tcon, - req->VolatileFileId = volatile_fid; - /* 1 for pad */ - req->InputBufferOffset = -- cpu_to_le16(sizeof(struct smb2_query_info_req) - 1); -+ cpu_to_le16(sizeof(struct smb2_query_info_req)); - req->OutputBufferLength = cpu_to_le32( -- outbuf_len + sizeof(struct smb2_query_info_rsp) - 1); -+ outbuf_len + sizeof(struct smb2_query_info_rsp)); - - iov->iov_base = (char *)req; - iov->iov_len = total_len; -diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h -index 89a732b31390..eaa873175318 100644 ---- a/fs/cifs/smb2pdu.h -+++ b/fs/cifs/smb2pdu.h -@@ -220,7 +220,7 @@ struct smb2_err_rsp { - __le16 StructureSize; - __le16 Reserved; /* MBZ */ - __le32 ByteCount; /* even if zero, at least one byte follows */ -- __u8 ErrorData[1]; /* variable length */ -+ __u8 ErrorData[]; /* variable length */ - } __packed; - - #define SYMLINK_ERROR_TAG 0x4c4d5953 -@@ -464,7 +464,7 @@ struct smb2_negotiate_rsp { - __le16 SecurityBufferOffset; - __le16 SecurityBufferLength; - __le32 NegotiateContextOffset; /* Pre:SMB3.1.1 was reserved/ignored */ -- __u8 Buffer[1]; /* variable length GSS security buffer */ -+ __u8 Buffer[]; /* variable length GSS security buffer */ - } __packed; - - /* Flags */ -@@ -481,7 +481,7 @@ struct smb2_sess_setup_req { - __le16 SecurityBufferOffset; - __le16 SecurityBufferLength; - __u64 PreviousSessionId; -- __u8 Buffer[1]; /* variable length GSS security buffer */ -+ __u8 Buffer[]; /* variable length GSS security buffer */ - } __packed; - - /* Currently defined SessionFlags */ -@@ -494,7 +494,7 @@ struct smb2_sess_setup_rsp { - __le16 SessionFlags; - __le16 SecurityBufferOffset; - __le16 SecurityBufferLength; -- __u8 Buffer[1]; /* variable length GSS security buffer */ -+ __u8 Buffer[]; /* variable length GSS security buffer */ - } __packed; - - struct 
smb2_logoff_req { -@@ -520,7 +520,7 @@ struct smb2_tree_connect_req { - __le16 Flags; /* Reserved MBZ for dialects prior to SMB3.1.1 */ - __le16 PathOffset; - __le16 PathLength; -- __u8 Buffer[1]; /* variable length */ -+ __u8 Buffer[]; /* variable length */ - } __packed; - - /* See MS-SMB2 section 2.2.9.2 */ -@@ -828,7 +828,7 @@ struct smb2_create_rsp { - __u64 VolatileFileId; /* opaque endianness */ - __le32 CreateContextsOffset; - __le32 CreateContextsLength; -- __u8 Buffer[1]; -+ __u8 Buffer[]; - } __packed; - - struct create_context { -@@ -1289,7 +1289,7 @@ struct smb2_read_plain_req { - __le32 RemainingBytes; - __le16 ReadChannelInfoOffset; - __le16 ReadChannelInfoLength; -- __u8 Buffer[1]; -+ __u8 Buffer[]; - } __packed; - - /* Read flags */ -@@ -1304,7 +1304,7 @@ struct smb2_read_rsp { - __le32 DataLength; - __le32 DataRemaining; - __u32 Flags; -- __u8 Buffer[1]; -+ __u8 Buffer[]; - } __packed; - - /* For write request Flags field below the following flags are defined: */ -@@ -1324,7 +1324,7 @@ struct smb2_write_req { - __le16 WriteChannelInfoOffset; - __le16 WriteChannelInfoLength; - __le32 Flags; -- __u8 Buffer[1]; -+ __u8 Buffer[]; - } __packed; - - struct smb2_write_rsp { -@@ -1335,7 +1335,7 @@ struct smb2_write_rsp { - __le32 DataLength; - __le32 DataRemaining; - __u32 Reserved2; -- __u8 Buffer[1]; -+ __u8 Buffer[]; - } __packed; - - /* notify flags */ -@@ -1371,7 +1371,7 @@ struct smb2_change_notify_rsp { - __le16 StructureSize; /* Must be 9 */ - __le16 OutputBufferOffset; - __le32 OutputBufferLength; -- __u8 Buffer[1]; /* array of file notify structs */ -+ __u8 Buffer[]; /* array of file notify structs */ - } __packed; - - #define SMB2_LOCKFLAG_SHARED_LOCK 0x0001 -@@ -1394,7 +1394,10 @@ struct smb2_lock_req { - __u64 PersistentFileId; /* opaque endianness */ - __u64 VolatileFileId; /* opaque endianness */ - /* Followed by at least one */ -- struct smb2_lock_element locks[1]; -+ union { -+ struct smb2_lock_element lock; -+ DECLARE_FLEX_ARRAY(struct 
smb2_lock_element, locks); -+ }; - } __packed; - - struct smb2_lock_rsp { -@@ -1434,7 +1437,7 @@ struct smb2_query_directory_req { - __le16 FileNameOffset; - __le16 FileNameLength; - __le32 OutputBufferLength; -- __u8 Buffer[1]; -+ __u8 Buffer[]; - } __packed; - - struct smb2_query_directory_rsp { -@@ -1442,7 +1445,7 @@ struct smb2_query_directory_rsp { - __le16 StructureSize; /* Must be 9 */ - __le16 OutputBufferOffset; - __le32 OutputBufferLength; -- __u8 Buffer[1]; -+ __u8 Buffer[]; - } __packed; - - /* Possible InfoType values */ -@@ -1483,7 +1486,7 @@ struct smb2_query_info_req { - __le32 Flags; - __u64 PersistentFileId; /* opaque endianness */ - __u64 VolatileFileId; /* opaque endianness */ -- __u8 Buffer[1]; -+ __u8 Buffer[]; - } __packed; - - struct smb2_query_info_rsp { -@@ -1491,7 +1494,7 @@ struct smb2_query_info_rsp { - __le16 StructureSize; /* Must be 9 */ - __le16 OutputBufferOffset; - __le32 OutputBufferLength; -- __u8 Buffer[1]; -+ __u8 Buffer[]; - } __packed; - - /* -@@ -1514,7 +1517,7 @@ struct smb2_set_info_req { - __le32 AdditionalInformation; - __u64 PersistentFileId; /* opaque endianness */ - __u64 VolatileFileId; /* opaque endianness */ -- __u8 Buffer[1]; -+ __u8 Buffer[]; - } __packed; - - struct smb2_set_info_rsp { -@@ -1716,7 +1719,10 @@ struct smb2_file_all_info { /* data block encoding of response to level 18 */ - __le32 Mode; - __le32 AlignmentRequirement; - __le32 FileNameLength; -- char FileName[1]; -+ union { -+ char __pad; /* Legacy structure padding */ -+ DECLARE_FLEX_ARRAY(char, FileName); -+ }; - } __packed; /* level 18 Query */ - - struct smb2_file_eof_info { /* encoding of request for level 10 */ --- -2.43.0 - diff --git a/debian/patches/bugfix/all/stddef-Introduce-DECLARE_FLEX_ARRAY-helper.patch b/debian/patches/bugfix/all/stddef-Introduce-DECLARE_FLEX_ARRAY-helper.patch deleted file mode 100644 index 8f8066530..000000000 --- a/debian/patches/bugfix/all/stddef-Introduce-DECLARE_FLEX_ARRAY-helper.patch +++ /dev/null 
@@ -1,156 +0,0 @@ -From: Kees Cook <keescook@chromium.org> -Date: Fri, 26 Jan 2024 22:31:42 +0300 -Subject: stddef: Introduce DECLARE_FLEX_ARRAY() helper -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=ef8316e0e29e98d9cf7e0689ddffa37e79d33736 - -commit 3080ea5553cc909b000d1f1d964a9041962f2c5b upstream. - -There are many places where kernel code wants to have several different -typed trailing flexible arrays. This would normally be done with multiple -flexible arrays in a union, but since GCC and Clang don't (on the surface) -allow this, there have been many open-coded workarounds, usually involving -neighboring 0-element arrays at the end of a structure. For example, -instead of something like this: - -struct thing { - ... - union { - struct type1 foo[]; - struct type2 bar[]; - }; -}; - -code works around the compiler with: - -struct thing { - ... - struct type1 foo[0]; - struct type2 bar[]; -}; - -Another case is when a flexible array is wanted as the single member -within a struct (which itself is usually in a union). For example, this -would be worked around as: - -union many { - ... 
- struct { - struct type3 baz[0]; - }; -}; - -These kinds of work-arounds cause problems with size checks against such -zero-element arrays (for example when building with -Warray-bounds and --Wzero-length-bounds, and with the coming FORTIFY_SOURCE improvements), -so they must all be converted to "real" flexible arrays, avoiding warnings -like this: - -fs/hpfs/anode.c: In function 'hpfs_add_sector_to_btree': -fs/hpfs/anode.c:209:27: warning: array subscript 0 is outside the bounds of an interior zero-length array 'struct bplus_internal_node[0]' [-Wzero-length-bounds] - 209 | anode->btree.u.internal[0].down = cpu_to_le32(a); - | ~~~~~~~~~~~~~~~~~~~~~~~^~~ -In file included from fs/hpfs/hpfs_fn.h:26, - from fs/hpfs/anode.c:10: -fs/hpfs/hpfs.h:412:32: note: while referencing 'internal' - 412 | struct bplus_internal_node internal[0]; /* (internal) 2-word entries giving - | ^~~~~~~~ - -drivers/net/can/usb/etas_es58x/es58x_fd.c: In function 'es58x_fd_tx_can_msg': -drivers/net/can/usb/etas_es58x/es58x_fd.c:360:35: warning: array subscript 65535 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[]'} [-Wzero-length-bounds] - 360 | tx_can_msg = (typeof(tx_can_msg))&es58x_fd_urb_cmd->raw_msg[msg_len]; - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -In file included from drivers/net/can/usb/etas_es58x/es58x_core.h:22, - from drivers/net/can/usb/etas_es58x/es58x_fd.c:17: -drivers/net/can/usb/etas_es58x/es58x_fd.h:231:6: note: while referencing 'raw_msg' - 231 | u8 raw_msg[0]; - | ^~~~~~~ - -However, it _is_ entirely possible to have one or more flexible arrays -in a struct or union: it just has to be in another struct. And since it -cannot be alone in a struct, such a struct must have at least 1 other -named member -- but that member can be zero sized. Wrap all this nonsense -into the new DECLARE_FLEX_ARRAY() in support of having flexible arrays -in unions (or alone in a struct). 
- -As with struct_group(), since this is needed in UAPI headers as well, -implement the core there, with a non-UAPI wrapper. - -Additionally update kernel-doc to understand its existence. - -https://github.com/KSPP/linux/issues/137 - -Cc: Arnd Bergmann <arnd@arndb.de> -Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> -Signed-off-by: Kees Cook <keescook@chromium.org> -Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - include/linux/stddef.h | 13 +++++++++++++ - include/uapi/linux/stddef.h | 16 ++++++++++++++++ - scripts/kernel-doc | 3 ++- - 3 files changed, 31 insertions(+), 1 deletion(-) - -diff --git a/include/linux/stddef.h b/include/linux/stddef.h -index 938216f8ab7e..31fdbb784c24 100644 ---- a/include/linux/stddef.h -+++ b/include/linux/stddef.h -@@ -84,4 +84,17 @@ enum { - #define struct_group_tagged(TAG, NAME, MEMBERS...) \ - __struct_group(TAG, NAME, /* no attrs */, MEMBERS) - -+/** -+ * DECLARE_FLEX_ARRAY() - Declare a flexible array usable in a union -+ * -+ * @TYPE: The type of each flexible array element -+ * @NAME: The name of the flexible array member -+ * -+ * In order to have a flexible array member in a union or alone in a -+ * struct, it needs to be wrapped in an anonymous struct with at least 1 -+ * named member, but that member can be empty. 
-+ */ -+#define DECLARE_FLEX_ARRAY(TYPE, NAME) \ -+ __DECLARE_FLEX_ARRAY(TYPE, NAME) -+ - #endif -diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h -index c3725b492263..7837ba4fe728 100644 ---- a/include/uapi/linux/stddef.h -+++ b/include/uapi/linux/stddef.h -@@ -28,4 +28,20 @@ - struct { MEMBERS } ATTRS; \ - struct TAG { MEMBERS } ATTRS NAME; \ - } -+ -+/** -+ * __DECLARE_FLEX_ARRAY() - Declare a flexible array usable in a union -+ * -+ * @TYPE: The type of each flexible array element -+ * @NAME: The name of the flexible array member -+ * -+ * In order to have a flexible array member in a union or alone in a -+ * struct, it needs to be wrapped in an anonymous struct with at least 1 -+ * named member, but that member can be empty. -+ */ -+#define __DECLARE_FLEX_ARRAY(TYPE, NAME) \ -+ struct { \ -+ struct { } __empty_ ## NAME; \ -+ TYPE NAME[]; \ -+ } - #endif -diff --git a/scripts/kernel-doc b/scripts/kernel-doc -index 19af6dd160e6..7a04d4c05326 100755 ---- a/scripts/kernel-doc -+++ b/scripts/kernel-doc -@@ -1232,7 +1232,8 @@ sub dump_struct($$) { - $members =~ s/DECLARE_KFIFO\s*\(([^,)]+),\s*([^,)]+),\s*([^,)]+)\)/$2 \*$1/gos; - # replace DECLARE_KFIFO_PTR - $members =~ s/DECLARE_KFIFO_PTR\s*\(([^,)]+),\s*([^,)]+)\)/$2 \*$1/gos; -- -+ # replace DECLARE_FLEX_ARRAY -+ $members =~ s/(?:__)?DECLARE_FLEX_ARRAY\s*\($args,\s*$args\)/$1 $2\[\]/gos; - my $declaration = $members; - - # Split nested struct/union elements as newer ones --- -2.43.0 - diff --git a/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch b/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch new file mode 100644 index 000000000..b21318ecc --- /dev/null +++ b/debian/patches/bugfix/all/tipc-fix-UAF-in-error-path.patch 
@@ -0,0 +1,141 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 30 Apr 2024 15:53:37 +0200
+Subject: tipc: fix UAF in error path
+Origin: https://git.kernel.org/linus/080cbb890286cd794f1ee788bbc5463e2deb7c2b
+
+Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported
+a UAF in the tipc_buf_append() error path:
+
+BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0
+linux/net/core/skbuff.c:1183
+Read of size 8 at addr ffff88804d2a7c80 by task poc/8034
+
+CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.16.0-debian-1.16.0-5 04/01/2014
+Call Trace:
+ <IRQ>
+ __dump_stack linux/lib/dump_stack.c:88
+ dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106
+ print_address_description linux/mm/kasan/report.c:377
+ print_report+0xc4/0x620 linux/mm/kasan/report.c:488
+ kasan_report+0xda/0x110 linux/mm/kasan/report.c:601
+ kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183
+ skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026
+ skb_release_all linux/net/core/skbuff.c:1094
+ __kfree_skb linux/net/core/skbuff.c:1108
+ kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144
+ kfree_skb linux/./include/linux/skbuff.h:1244
+ tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186
+ tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324
+ tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824
+ tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159
+ tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390
+ udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108
+ udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186
+ udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346
+ __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422
+ ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205
+ ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233
+ NF_HOOK linux/./include/linux/netfilter.h:314
+ NF_HOOK linux/./include/linux/netfilter.h:308
+ ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254
+ dst_input linux/./include/net/dst.h:461
+ ip_rcv_finish linux/net/ipv4/ip_input.c:449
+ NF_HOOK linux/./include/linux/netfilter.h:314
+ NF_HOOK linux/./include/linux/netfilter.h:308
+ ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569
+ __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534
+ __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648
+ process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976
+ __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576
+ napi_poll linux/net/core/dev.c:6645
+ net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781
+ __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553
+ do_softirq linux/kernel/softirq.c:454
+ do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381
+ local_bh_enable linux/./include/linux/bottom_half.h:33
+ rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851
+ __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378
+ dev_queue_xmit linux/./include/linux/netdevice.h:3169
+ neigh_hh_output linux/./include/net/neighbour.h:526
+ neigh_output linux/./include/net/neighbour.h:540
+ ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235
+ __ip_finish_output linux/net/ipv4/ip_output.c:313
+ __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295
+ ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323
+ NF_HOOK_COND linux/./include/linux/netfilter.h:303
+ ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433
+ dst_output linux/./include/net/dst.h:451
+ ip_local_out linux/net/ipv4/ip_output.c:129
+ ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492
+ udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963
+ udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250
+ inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850
+ sock_sendmsg_nosec linux/net/socket.c:730
+ __sock_sendmsg linux/net/socket.c:745
+ __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191
+ __do_sys_sendto linux/net/socket.c:2203
+ __se_sys_sendto linux/net/socket.c:2199
+ __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199
+ do_syscall_x64 linux/arch/x86/entry/common.c:52
+ do_syscall_64+0xd8/0x270 linux/arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77 linux/arch/x86/entry/entry_64.S:120
+RIP: 0033:0x7f3434974f29
+Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48
+89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
+01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48
+RSP: 002b:00007fff9154f2b8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3434974f29
+RDX: 00000000000032c8 RSI: 00007fff9154f300 RDI: 0000000000000003
+RBP: 00007fff915532e0 R08: 00007fff91553360 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000212 R12: 000055ed86d261d0
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+In the critical scenario, either the relevant skb is freed or its
+ownership is transferred into a frag_lists. In both cases, the cleanup
+code must not free it again: we need to clear the skb reference earlier.
+
+Fixes: 1149557d64c9 ("tipc: eliminate unnecessary linearization of incoming buffers")
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23852
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/752f1ccf762223d109845365d07f55414058e5a3.1714484273.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ net/tipc/msg.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/msg.c b/net/tipc/msg.c
+index 5c9fd4791c4b..9a6e9bcbf694 100644
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -156,6 +156,11 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
+ if (!head)
+ goto err;
+
++ /* Either the input skb ownership is transferred to headskb
++ * or the input skb is freed, clear the reference to avoid
++ * bad access on error path.
++ */
++ *buf = NULL;
+ if (skb_try_coalesce(head, frag, &headstolen, &delta)) {
+ kfree_skb_partial(frag, headstolen);
+ } else {
+@@ -179,7 +184,6 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
+ *headbuf = NULL;
+ return 1;
+ }
+- *buf = NULL;
+ return 0;
+ err:
+ kfree_skb(*buf);
+--
+2.43.0
+
diff --git a/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch b/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
new file mode 100644
index 000000000..0b0ac04c6
--- /dev/null
+++ b/debian/patches/bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
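Review bot: The new patch header carries only the ZDI reference (`Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23852`) and no `Bug-Debian-Security:` line, although this backport closes a KASAN-confirmed slab use-after-free in `tipc_buf_append()` and the netfilter patch removed earlier in this same commit shows the convention used for that (`Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-1086`). Once the identifier for ZDI-CAN-23852 is known, add `Bug-Debian-Security: https://security-tracker.debian.org/tracker/<CVE-ID>` so the tracker can tie the fix to this upload. The code change itself looks right: with `*buf = NULL;` hoisted ahead of `skb_try_coalesce()`, the `kfree_skb(*buf)` at `err:` can no longer free a fragment that was already consumed by `kfree_skb_partial()` or linked into the head's frag list, which is presumably the double free reached through the function's later error path (the `err:` cleanup and the remainder of `tipc_buf_append()` lie outside the hunk). This patch's post-image index `9a6e9bcbf694` is the pre-image of the memleak patch added next, so the two must keep this relative order in series, which the series hunk below does preserve.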
@@ -0,0 +1,38 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 30 Apr 2024 10:03:38 -0400
+Subject: tipc: fix a possible memleak in tipc_buf_append
+Origin: https://git.kernel.org/linus/97bf6f81b29a8efaf5d0983251a7450e5794370d
+
+__skb_linearize() doesn't free the skb when it fails, so move
+'*buf = NULL' after __skb_linearize(), so that the skb can be
+freed on the err path.
+
+Fixes: b7df21cf1b79 ("tipc: skb_linearize the head skb when reassembling msgs")
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Link: https://lore.kernel.org/r/90710748c29a1521efac4f75ea01b3b7e61414cf.1714485818.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ net/tipc/msg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/msg.c b/net/tipc/msg.c
+index 9a6e9bcbf694..76284fc538eb 100644
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -142,9 +142,9 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
+ if (fragid == FIRST_FRAGMENT) {
+ if (unlikely(head))
+ goto err;
+- *buf = NULL;
+ if (skb_has_frag_list(frag) && __skb_linearize(frag))
+ goto err;
++ *buf = NULL;
+ frag = skb_unshare(frag, GFP_ATOMIC);
+ if (unlikely(!frag))
+ goto err;
+--
+2.43.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 772b165a1..f6c377885 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -94,8 +94,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
 debian/makefile-do-not-check-for-libelf-when-building-oot-module.patch
 bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
 bugfix/all/wireguard-ignore-config_android.patch
-bugfix/all/stddef-Introduce-DECLARE_FLEX_ARRAY-helper.patch
-bugfix/all/smb3-Replace-smb2pdu-1-element-arrays-with-flex-arra.patch
 # Miscellaneous features
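Review bot: The relocated `*buf = NULL;` is load-bearing in both directions and nothing in the hunk says so: it must come after `__skb_linearize()`, which per the commit message leaves the skb allocated on failure so that `kfree_skb(*buf)` at `err:` still needs the reference, but before `skb_unshare()`, which as far as I recall frees its input when the copy fails, so a later reader who tidies it back to the top of the branch reintroduces the leak and one who moves it below `skb_unshare()` reintroduces a double free. Since this is a verbatim upstream backport I would not edit the hunk here, but a one-line comment such as `/* __skb_linearize() keeps frag on failure, skb_unshare() does not */` above the assignment is worth proposing upstream. The `FIRST_FRAGMENT` branch is shown in full; the `err:` label it jumps to lies outside the hunk.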
@@ -117,7 +115,8 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch bugfix/all/ovl-fail-on-invalid-uid-gid-mapping-at-copy-up.patch -bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch +bugfix/all/tipc-fix-UAF-in-error-path.patch +bugfix/all/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch |
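Review bot: This hunk drops `bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch`, the CVE-2024-1086 fix, and the previous hunk drops the DECLARE_FLEX_ARRAY and smb2pdu flex-array patches, but nothing on this page records why they are no longer needed. That is only correct if the upstream stable base this packaging now tracks already contains `f342de4e2f33` (the nf_tables verdict revert) and `eb3e28c1e89b` / `3080ea5553cc` (the smb3 and stddef changes); if the base was not bumped in the same upload, removing the series entry silently reopens the use-after-free the removed patch's description attributes to a positive NF_DROP errno reaching `nf_hook_slow()`. Please state this in the commit message (`Drop patches merged upstream in <stable version>`) and, for the netfilter one, confirm that `nft_verdict_init()` in the new base already rejects unknown verdict codes. The two tipc entries are added in the order their index lines require (the UAF fix first), which is fine.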