diff options
Diffstat (limited to 'kernels/linux-libre-x86_64')
4 files changed, 190 insertions, 12 deletions
diff --git a/kernels/linux-libre-x86_64/0002-net-crypto-set-sk-to-NULL-when-af_alg_release.patch b/kernels/linux-libre-x86_64/0002-net-crypto-set-sk-to-NULL-when-af_alg_release.patch new file mode 100644 index 000000000..b88dd07df --- /dev/null +++ b/kernels/linux-libre-x86_64/0002-net-crypto-set-sk-to-NULL-when-af_alg_release.patch @@ -0,0 +1,121 @@ +From 39ed3f341657277612ad6879fbc460198c6e5396 Mon Sep 17 00:00:00 2001 +From: Mao Wenan <maowenan@huawei.com> +Date: Mon, 18 Feb 2019 10:44:44 +0800 +Subject: [PATCH 2/3] net: crypto set sk to NULL when af_alg_release. + +KASAN has found use-after-free in sockfs_setattr. +The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close() +and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore +that crypto module forgets to set the sk to NULL after af_alg_release. + +KASAN report details as below: +BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150 +Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186 + +CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.10.2-1ubuntu1 04/01/2014 +Call Trace: + dump_stack+0xca/0x13e + print_address_description+0x79/0x330 + ? vprintk_func+0x5e/0xf0 + kasan_report+0x18a/0x2e0 + ? sockfs_setattr+0x120/0x150 + sockfs_setattr+0x120/0x150 + ? sock_register+0x2d0/0x2d0 + notify_change+0x90c/0xd40 + ? chown_common+0x2ef/0x510 + chown_common+0x2ef/0x510 + ? chmod_common+0x3b0/0x3b0 + ? __lock_is_held+0xbc/0x160 + ? __sb_start_write+0x13d/0x2b0 + ? __mnt_want_write+0x19a/0x250 + do_fchownat+0x15c/0x190 + ? __ia32_sys_chmod+0x80/0x80 + ? trace_hardirqs_on_thunk+0x1a/0x1c + __x64_sys_fchownat+0xbf/0x160 + ? lockdep_hardirqs_on+0x39a/0x5e0 + do_syscall_64+0xc8/0x580 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462589 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 +f7 48 89 d6 48 89 +ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 +48 c7 c1 bc ff ff +ff f7 d8 64 89 01 48 +RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104 +RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589 +RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007 +RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc +R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff + +Allocated by task 4185: + kasan_kmalloc+0xa0/0xd0 + __kmalloc+0x14a/0x350 + sk_prot_alloc+0xf6/0x290 + sk_alloc+0x3d/0xc00 + af_alg_accept+0x9e/0x670 + hash_accept+0x4a3/0x650 + __sys_accept4+0x306/0x5c0 + __x64_sys_accept4+0x98/0x100 + do_syscall_64+0xc8/0x580 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 4184: + __kasan_slab_free+0x12e/0x180 + kfree+0xeb/0x2f0 + __sk_destruct+0x4e6/0x6a0 + sk_destruct+0x48/0x70 + __sk_free+0xa9/0x270 + sk_free+0x2a/0x30 + af_alg_release+0x5c/0x70 + __sock_release+0xd3/0x280 + sock_close+0x1a/0x20 + __fput+0x27f/0x7f0 + task_work_run+0x136/0x1b0 + exit_to_usermode_loop+0x1a7/0x1d0 + do_syscall_64+0x461/0x580 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Syzkaller reproducer: +r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, +0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, +0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, +0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, +0xffffffffffffffff, 0x0) +r1 = socket$alg(0x26, 0x5, 0x0) +getrusage(0x0, 0x0) +bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0, +'sha256-ssse3\x00'}, 0x80) +r2 = accept(r1, 0x0, 0x0) +r3 = accept4$unix(r2, 0x0, 0x0, 0x0) +r4 = dup3(r3, r0, 0x0) +fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000) + +Fixes: 6d8c50dcb029 ("socket: close race condition between sock_close() and sockfs_setattr()") +Signed-off-by: Mao Wenan <maowenan@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + crypto/af_alg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 17eb09d222ff..ec78a04eb136 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -122,8 +122,10 @@ static void alg_do_release(const struct af_alg_type *type, void *private) + + int af_alg_release(struct socket *sock) + { +- if (sock->sk) ++ if (sock->sk) { + sock_put(sock->sk); ++ sock->sk = NULL; ++ } + return 0; + } + EXPORT_SYMBOL_GPL(af_alg_release); +-- +2.20.1 + diff --git a/kernels/linux-libre-x86_64/0003-exec-Fix-mem-leak-in-kernel_read_file.patch b/kernels/linux-libre-x86_64/0003-exec-Fix-mem-leak-in-kernel_read_file.patch new file mode 100644 index 000000000..e8c87ad80 --- /dev/null +++ b/kernels/linux-libre-x86_64/0003-exec-Fix-mem-leak-in-kernel_read_file.patch @@ -0,0 +1,49 @@ +From 3096ba94fa87b22664baa91e71a55ce698bb8aed Mon Sep 17 00:00:00 2001 +From: YueHaibing <yuehaibing@huawei.com> +Date: Tue, 19 Feb 2019 10:10:38 +0800 +Subject: [PATCH 3/3] exec: Fix mem leak in kernel_read_file + +syzkaller report this: +BUG: memory leak +unreferenced object 0xffffc9000488d000 (size 9195520): + comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s) + hex dump (first 32 bytes): + ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................ + 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z..... + backtrace: + [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline] + [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline] + [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831 + [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924 + [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993 + [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895 + [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [<00000000241f889b>] 0xffffffffffffffff + +It should goto 'out_free' lable to free allocated buf while kernel_read +fails. + +Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory") +Signed-off-by: YueHaibing <yuehaibing@huawei.com> +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +--- + fs/exec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/exec.c b/fs/exec.c +index fc281b738a98..20c33029a062 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -929,7 +929,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size, + bytes = kernel_read(file, *buf + pos, i_size - pos, &pos); + if (bytes < 0) { + ret = bytes; +- goto out; ++ goto out_free; + } + + if (bytes == 0) +-- +2.20.1 + diff --git a/kernels/linux-libre-x86_64/PKGBUILD b/kernels/linux-libre-x86_64/PKGBUILD index d68c22409..98b39e318 100644 --- a/kernels/linux-libre-x86_64/PKGBUILD +++ b/kernels/linux-libre-x86_64/PKGBUILD @@ -12,7 +12,7 @@ pkgbase=linux-libre-x86_64 # Build stock kernel #pkgbase=linux-libre-custom # Build kernel with a different name _srcbasever=4.20-gnu -_srcver=4.20.6-gnu +_srcver=4.20.11-gnu _replacesarchkernel=('linux%') # '%' gets replaced with _kernelname _replacesoldkernels=() # '%' gets replaced with _kernelname @@ -35,15 +35,17 @@ source=( "https://repo.parabola.nu/other/linux-libre/logos/logo_linux_mono.pbm"{,.sig} "https://repo.parabola.nu/other/linux-libre/logos/logo_linux_vga16.ppm"{,.sig} # the kernel config file - 'config.x86_64' + config.x86_64 # pacman hooks for depmod and initramfs regeneration - '60-linux.hook' '90-linux.hook' + 60-linux.hook 90-linux.hook # standard config files for mkinitcpio ramdisk - 'linux.preset' + linux.preset # other patches - '0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch' - '0002-fix-Atmel-maXTouch-touchscreen-support.patch' - '0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch' + 0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch + 0002-fix-Atmel-maXTouch-touchscreen-support.patch + 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + 0002-net-crypto-set-sk-to-NULL-when-af_alg_release.patch + 0003-exec-Fix-mem-leak-in-kernel_read_file.patch ) validpgpkeys=( '474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva @@ -51,7 +53,7 @@ validpgpkeys=( ) sha512sums=('a4a0a25fd490c051deb32ff84ba51e8807bfc8db1ad46c22c7807e9be2e5db5e1c22c211e47fca2509d5d75d64626fb28e9bbc8ccadc565f27fe9c8e47e12dc4' 'SKIP' - '8560fba880d6ff04e9361371824a55eb7ef78b183b7343a553a85b32ecb3a44e5c31e078d43d84181f371617fdfb6eb2f07dd298c1727c01c6bfd514bde4f4a7' + '3cb387665734be799f3c833939f0938e17216f08aff5113a85a845dcf382d997f3574e8ea30c0fb6d5e85295106a347324c3b50858939d4568b6fa25c40a05ff' 'SKIP' '13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3' 'SKIP' @@ -59,13 +61,15 @@ sha512sums=('a4a0a25fd490c051deb32ff84ba51e8807bfc8db1ad46c22c7807e9be2e5db5e1c2 'SKIP' '7a3716bfe3b9f546da309c7492f3e08f8f506813afeb1c737a474c83313d5c313cf4582b65215c2cfce3b74d9d1021c96e8badafe8f6e5b01fe28d2b5c61ae78' 'SKIP' - '5d9cd0b0e31444c7047db5dbcd9f7515a0bfc9756eb227facd5b13eed79adb6d2caf6b28318af8ac879cdf8d67ebf59b8f5813012bf2fda3bd14dafa1ab31634' + '57a551ed21d37caca08409139183feac42111f5f6a2b110aa4dbdbbd5ede88b8fbec74060511c83ca02c9748760b1f9ef72da37899f0c33ddde804a431049105' '7ad5be75ee422dda3b80edd2eb614d8a9181e2c8228cd68b3881e2fb95953bf2dea6cbe7900ce1013c9de89b2802574b7b24869fc5d7a95d3cc3112c4d27063a' '2718b58dbbb15063bacb2bde6489e5b3c59afac4c0e0435b97fe720d42c711b6bcba926f67a8687878bd51373c9cf3adb1915a11666d79ccb220bf36e0788ab7' '2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf' '02af4dd2a007e41db0c63822c8ab3b80b5d25646af1906dc85d0ad9bb8bbf5236f8e381d7f91cf99ed4b0978c50aee37cb9567cdeef65b7ec3d91b882852b1af' 'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168' - '9d24dff68a11aee6b5f1b6b003b27603a8c431e76c3cb638e852cd8c0ccd2a298b1116bbad0dc816e9de7d987dcf329a5d250673067ec125760eee543f65eed5') + '9d24dff68a11aee6b5f1b6b003b27603a8c431e76c3cb638e852cd8c0ccd2a298b1116bbad0dc816e9de7d987dcf329a5d250673067ec125760eee543f65eed5' + '67710358e51ffd30aaf64351e6c3542bdfa9e4e3db43ee38fca8b15357d71be3cd18db0180d196c8b2d44781ce2625e5b709d496dea0723d0616ebdfb048028a' + 'e81e85b98f126a1e298d54a289659e648582070db617194a8ed13796535341f3a052e3103ee87c4d9bd797103429b883ae2e761cb6f4b61b15f0c0fea017ff95') _kernelname=${pkgbase#linux-libre} _replacesarchkernel=("${_replacesarchkernel[@]/\%/${_kernelname}}") @@ -88,6 +92,8 @@ prepare() { # Arch's linux patches patch -p1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + patch -p1 -i ../0002-net-crypto-set-sk-to-NULL-when-af_alg_release.patch + patch -p1 -i ../0003-exec-Fix-mem-leak-in-kernel_read_file.patch # maintain the TTY over USB disconnects # http://www.coreboot.org/EHCI_Gadget_Debug diff --git a/kernels/linux-libre-x86_64/config.x86_64 b/kernels/linux-libre-x86_64/config.x86_64 index 8764b6666..77c721b1d 100644 --- a/kernels/linux-libre-x86_64/config.x86_64 +++ b/kernels/linux-libre-x86_64/config.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.20.6-gnu Kernel Configuration +# Linux/x86 4.20.11-gnu Kernel Configuration # # @@ -3738,7 +3738,9 @@ CONFIG_MOUSE_SERIAL=m CONFIG_MOUSE_APPLETOUCH=m CONFIG_MOUSE_BCM5974=m CONFIG_MOUSE_CYAPA=m -# CONFIG_MOUSE_ELAN_I2C is not set +CONFIG_MOUSE_ELAN_I2C=m +CONFIG_MOUSE_ELAN_I2C_I2C=y +CONFIG_MOUSE_ELAN_I2C_SMBUS=y CONFIG_MOUSE_VSXXXAA=m CONFIG_MOUSE_GPIO=m CONFIG_MOUSE_SYNAPTICS_I2C=m |