* [4.4.y PATCH 1/4] ovl: modify ovl_permission() to do checks on two inodes
2019-06-28 18:45 [4.4.y PATCH 0/4] Backported fixes for 4.4 stable tree Srivatsa S. Bhat
@ 2019-06-28 18:45 ` Srivatsa S. Bhat
2019-07-01 15:23 ` Greg KH
2019-06-28 18:46 ` [4.4.y PATCH 2/4] KVM: X86: Fix scan ioapic use-before-initialization Srivatsa S. Bhat
` (3 subsequent siblings)
4 siblings, 1 reply; 9+ messages in thread
From: Srivatsa S. Bhat @ 2019-06-28 18:45 UTC
To: stable, gregkh
Cc: Vivek Goyal, Miklos Szeredi, akaher, srinidhir, bvikas, amakhalov,
srivatsab, srivatsa
From: Vivek Goyal <vgoyal@redhat.com>
commit c0ca3d70e8d3cf81e2255a217f7ca402f5ed0862 upstream.
Right now ovl_permission() calls __inode_permission(realinode), to do
permission checks on real inode and no checks are done on overlay inode.
Modify it to do checks both on overlay inode as well as underlying inode.
Checks on overlay inode will be done with the creds of calling task while
checks on underlying inode will be done with the creds of mounter.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
[ Srivatsa: 4.4.y backport:
- Skipped the hunk modifying non-existent function ovl_get_acl()
- Adjusted the error path
- Included linux/cred.h to get prototype for revert_creds() ]
Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
---
fs/overlayfs/inode.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index 985a4cd..9aff817 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -9,6 +9,7 @@
#include <linux/fs.h>
#include <linux/slab.h>
+#include <linux/cred.h>
#include <linux/xattr.h>
#include "overlayfs.h"
@@ -91,6 +92,7 @@ int ovl_permission(struct inode *inode, int mask)
struct ovl_entry *oe;
struct dentry *alias = NULL;
struct inode *realinode;
+ const struct cred *old_cred;
struct dentry *realdentry;
bool is_upper;
int err;
@@ -143,7 +145,18 @@ int ovl_permission(struct inode *inode, int mask)
goto out_dput;
}
+ /*
+ * Check overlay inode with the creds of task and underlying inode
+ * with creds of mounter
+ */
+ err = generic_permission(inode, mask);
+ if (err)
+ goto out_dput;
+
+ old_cred = ovl_override_creds(inode->i_sb);
err = __inode_permission(realinode, mask);
+ revert_creds(old_cred);
+
out_dput:
dput(alias);
return err;
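Review bot: The `generic_permission(inode, mask)` call added ahead of `ovl_override_creds()` is now the only check made with the calling task's credentials, so its result depends on the overlay inode's own mode and ownership matching the real inode, and nothing in this backport or its changelog says that holds on 4.4.y. Once `__inode_permission(realinode, mask)` runs under the mounter's creds, whatever attributes the overlay inode carries decide access for the caller. Please state in the backport note which 4.4.y code keeps the overlay inode attributes current, and name the commit that provides `ovl_override_creds()`, since the note only accounts for the `revert_creds()` prototype.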
* Re: [4.4.y PATCH 1/4] ovl: modify ovl_permission() to do checks on two inodes
From: Greg KH @ 2019-07-01 15:23 UTC
To: Srivatsa S. Bhat
Cc: stable, Vivek Goyal, Miklos Szeredi, akaher, srinidhir, bvikas,
amakhalov, srivatsab
On Fri, Jun 28, 2019 at 11:45:58AM -0700, Srivatsa S. Bhat wrote:
> From: Vivek Goyal <vgoyal@redhat.com>
>
> commit c0ca3d70e8d3cf81e2255a217f7ca402f5ed0862 upstream.
>
> Right now ovl_permission() calls __inode_permission(realinode), to do
> permission checks on real inode and no checks are done on overlay inode.
>
> Modify it to do checks both on overlay inode as well as underlying inode.
> Checks on overlay inode will be done with the creds of calling task while
> checks on underlying inode will be done with the creds of mounter.
>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
> [ Srivatsa: 4.4.y backport:
> - Skipped the hunk modifying non-existent function ovl_get_acl()
> - Adjusted the error path
> - Included linux/cred.h to get prototype for revert_creds() ]
> Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
Applied, thanks.
greg k-h
* [4.4.y PATCH 2/4] KVM: X86: Fix scan ioapic use-before-initialization
From: Srivatsa S. Bhat @ 2019-06-28 18:46 UTC
To: stable, gregkh
Cc: Wei Wu, Paolo Bonzini, Radim Krčmář, Wei Wu,
Wanpeng Li, Paolo Bonzini, akaher, srinidhir, bvikas, amakhalov,
srivatsab, srivatsa
From: Wanpeng Li <wanpengli@tencent.com>
commit e97f852fd4561e77721bb9a4e0ea9d98305b1e93 upstream.
Reported by syzkaller:
BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 7 PID: 5059 Comm: debug Tainted: G OE 4.19.0-rc5 #16
RIP: 0010:__lock_acquire+0x1a6/0x1990
Call Trace:
lock_acquire+0xdb/0x210
_raw_spin_lock+0x38/0x70
kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
vcpu_enter_guest+0x167e/0x1910 [kvm]
kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
do_vfs_ioctl+0xa5/0x690
ksys_ioctl+0x6d/0x80
__x64_sys_ioctl+0x1a/0x20
do_syscall_64+0x83/0x6e0
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
However, irqchip is not initialized by this simple testcase, ioapic/apic
objects should not be accessed.
This can be triggered by the following program:
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
long res = 0;
memcpy((void*)0x20000040, "/dev/kvm", 9);
res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
if (res != -1)
r[0] = res;
res = syscall(__NR_ioctl, r[0], 0xae01, 0);
if (res != -1)
r[1] = res;
res = syscall(__NR_ioctl, r[1], 0xae41, 0);
if (res != -1)
r[2] = res;
memcpy(
(void*)0x20000080,
"\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
"\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
"\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
"\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
"\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
"\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
106);
syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
syscall(__NR_ioctl, r[2], 0xae80, 0);
return 0;
}
This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
kernel.
Reported-by: Wei Wu <ww9210@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Wei Wu <ww9210@gmail.com>
Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ Srivatsa: Adjusted the context for 4.4.y ]
Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
---
arch/x86/kvm/x86.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 516d8b1..e1f1851 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6409,7 +6409,8 @@ static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
kvm_scan_ioapic_routes(vcpu, vcpu->arch.eoi_exit_bitmap);
else {
kvm_x86_ops->sync_pir_to_irr(vcpu);
- kvm_ioapic_scan_entry(vcpu, vcpu->arch.eoi_exit_bitmap);
+ if (ioapic_in_kernel(vcpu->kvm))
+ kvm_ioapic_scan_entry(vcpu, vcpu->arch.eoi_exit_bitmap);
}
kvm_x86_ops->load_eoi_exitmap(vcpu);
}
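Review bot: The new `ioapic_in_kernel(vcpu->kvm)` guard in the `else` branch covers only `kvm_ioapic_scan_entry()`, while `kvm_x86_ops->sync_pir_to_irr(vcpu)` just above it still runs unconditionally, although the commit message says that neither ioapic nor apic objects should be accessed when the irqchip is not initialized. Please confirm that a check earlier in `vcpu_scan_ioapic()`, outside this context, already rules out the missing-apic case, or put that call under a suitable guard as well. A one-line comment on the `if` saying the irqchip may not have been initialized would also help, and the "Adjusted the context" note should say what differed from upstream.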
* Re: [4.4.y PATCH 2/4] KVM: X86: Fix scan ioapic use-before-initialization
From: Greg KH @ 2019-07-01 15:23 UTC
To: Srivatsa S. Bhat
Cc: stable, Wei Wu, Paolo Bonzini, Radim Krčmář,
Wanpeng Li, akaher, srinidhir, bvikas, amakhalov, srivatsab
On Fri, Jun 28, 2019 at 11:46:10AM -0700, Srivatsa S. Bhat wrote:
> From: Wanpeng Li <wanpengli@tencent.com>
>
> commit e97f852fd4561e77721bb9a4e0ea9d98305b1e93 upstream.
>
> Reported by syzkaller:
>
> BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
> PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
> Oops: 0000 [#1] PREEMPT SMP PTI
> CPU: 7 PID: 5059 Comm: debug Tainted: G OE 4.19.0-rc5 #16
> RIP: 0010:__lock_acquire+0x1a6/0x1990
> Call Trace:
> lock_acquire+0xdb/0x210
> _raw_spin_lock+0x38/0x70
> kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
> vcpu_enter_guest+0x167e/0x1910 [kvm]
> kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
> kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
> do_vfs_ioctl+0xa5/0x690
> ksys_ioctl+0x6d/0x80
> __x64_sys_ioctl+0x1a/0x20
> do_syscall_64+0x83/0x6e0
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
> and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
> However, irqchip is not initialized by this simple testcase, ioapic/apic
> objects should not be accessed.
> This can be triggered by the following program:
>
> #define _GNU_SOURCE
>
> #include <endian.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
>
> int main(void)
> {
> syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
> long res = 0;
> memcpy((void*)0x20000040, "/dev/kvm", 9);
> res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
> if (res != -1)
> r[0] = res;
> res = syscall(__NR_ioctl, r[0], 0xae01, 0);
> if (res != -1)
> r[1] = res;
> res = syscall(__NR_ioctl, r[1], 0xae41, 0);
> if (res != -1)
> r[2] = res;
> memcpy(
> (void*)0x20000080,
> "\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
> "\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
> "\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
> "\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
> "\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
> "\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
> 106);
> syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
> syscall(__NR_ioctl, r[2], 0xae80, 0);
> return 0;
> }
>
> This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
> kernel.
>
> Reported-by: Wei Wu <ww9210@gmail.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Radim Krčmář <rkrcmar@redhat.com>
> Cc: Wei Wu <ww9210@gmail.com>
> Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> [ Srivatsa: Adjusted the context for 4.4.y ]
> Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
> ---
>
> arch/x86/kvm/x86.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 516d8b1..e1f1851 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -6409,7 +6409,8 @@ static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
> kvm_scan_ioapic_routes(vcpu, vcpu->arch.eoi_exit_bitmap);
> else {
> kvm_x86_ops->sync_pir_to_irr(vcpu);
> - kvm_ioapic_scan_entry(vcpu, vcpu->arch.eoi_exit_bitmap);
> + if (ioapic_in_kernel(vcpu->kvm))
> + kvm_ioapic_scan_entry(vcpu, vcpu->arch.eoi_exit_bitmap);
> }
> kvm_x86_ops->load_eoi_exitmap(vcpu);
> }
>
Applied, thanks.
greg k-h
* [4.4.y PATCH 3/4] ip_sockglue: Fix missing-check bug in ip_ra_control()
From: Srivatsa S. Bhat @ 2019-06-28 18:46 UTC
To: stable, gregkh
Cc: Gen Zhang, David S. Miller, akaher, srinidhir, bvikas, amakhalov,
srivatsab, srivatsa
From: Gen Zhang <blackgod016574@gmail.com>
commit 425aa0e1d01513437668fa3d4a971168bbaa8515 upstream.
In function ip_ra_control(), the pointer new_ra is allocated a memory
space via kmalloc(). And it is used in the following codes. However,
when there is a memory allocation error, kmalloc() fails. Thus null
pointer dereference may happen. And it will cause the kernel to crash.
Therefore, we should check the return value and handle the error.
Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
---
net/ipv4/ip_sockglue.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 1ea36bf..03fbdcb 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -328,6 +328,8 @@ int ip_ra_control(struct sock *sk, unsigned char on,
return -EINVAL;
new_ra = on ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
+ if (on && !new_ra)
+ return -ENOMEM;
spin_lock_bh(&ip_ra_lock);
for (rap = &ip_ra_chain;
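Review bot: The commit message claims a NULL pointer dereference of `new_ra` but does not name the line where it happens, and the context around the added `if (on && !new_ra)` shows only the allocation and `spin_lock_bh(&ip_ra_lock)`. Please cite the dereference site so a stable reviewer can verify that it exists in 4.4.y. The check also adds a `-ENOMEM` return ahead of the chain walk, so the changelog should say whether callers of `ip_ra_control()` already expect that value.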
* [4.4.y PATCH 4/4] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()
From: Srivatsa S. Bhat @ 2019-06-28 18:46 UTC
To: stable, gregkh
Cc: Gen Zhang, David S. Miller, akaher, srinidhir, bvikas, amakhalov,
srivatsab, srivatsa
From: Gen Zhang <blackgod016574@gmail.com>
commit 95baa60a0da80a0143e3ddd4d3725758b4513825 upstream.
In function ip6_ra_control(), the pointer new_ra is allocated a memory
space via kmalloc(). And it is used in the following codes. However,
when there is a memory allocation error, kmalloc() fails. Thus null
pointer dereference may happen. And it will cause the kernel to crash.
Therefore, we should check the return value and handle the error.
Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
---
net/ipv6/ipv6_sockglue.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 7126375..06a11ba 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -67,6 +67,8 @@ int ip6_ra_control(struct sock *sk, int sel)
return -ENOPROTOOPT;
new_ra = (sel >= 0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
+ if (sel >= 0 && !new_ra)
+ return -ENOMEM;
write_lock_bh(&ip6_ra_lock);
for (rap = &ip6_ra_chain; (ra = *rap) != NULL; rap = &ra->next) {
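Review bot: The added `if (sel >= 0 && !new_ra)` repeats the `sel >= 0` condition of the ternary on the line above, so the two can drift apart if one of them is edited later. Doing the allocation and the failure check inside a single `if (sel >= 0)` block, and leaving `new_ra` NULL otherwise, keeps the condition in one place. Returning before `write_lock_bh(&ip6_ra_lock)` is the right spot, since nothing has to be unlocked or freed on this path.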
* Re: [4.4.y PATCH 0/4] Backported fixes for 4.4 stable tree
From: Vivek Goyal @ 2019-07-01 15:32 UTC
To: Srivatsa S. Bhat
Cc: stable, gregkh, Paolo Bonzini, Miklos Szeredi, David S. Miller,
Radim Krčmář, Wanpeng Li, Wei Wu, Gen Zhang,
akaher, srinidhir, bvikas, amakhalov, srivatsab
On Fri, Jun 28, 2019 at 11:45:40AM -0700, Srivatsa S. Bhat wrote:
> Hi,
>
> This patchset includes a few backported fixes for the 4.4 stable tree.
> I would appreciate if you could kindly consider including them in the
> next release.
>
> Thank you!
>
> Regards,
> Srivatsa
>
> ---
>
> Gen Zhang (2):
> ip_sockglue: Fix missing-check bug in ip_ra_control()
> ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()
>
> Vivek Goyal (1):
> ovl: modify ovl_permission() to do checks on two inodes
Hi Srivatsa,
Curious, why are you backporting above patch. These changes were done in
a series primarily to support SELinux with overlay. Are you fixing a
particular issue with this single patch?
Vivek
>
> Wanpeng Li (1):
> KVM: X86: Fix scan ioapic use-before-initialization
>
>
> arch/x86/kvm/x86.c | 3 ++-
> fs/overlayfs/inode.c | 13 +++++++++++++
> net/ipv4/ip_sockglue.c | 2 ++
> net/ipv6/ipv6_sockglue.c | 2 ++
> 4 files changed, 19 insertions(+), 1 deletion(-)
* Re: [4.4.y PATCH 0/4] Backported fixes for 4.4 stable tree
From: Srivatsa S. Bhat @ 2019-07-09 0:09 UTC
To: Vivek Goyal
Cc: stable, gregkh, Paolo Bonzini, Miklos Szeredi, David S. Miller,
Radim Krčmář, Wanpeng Li, Wei Wu, Gen Zhang,
akaher, srinidhir, bvikas, amakhalov, srivatsab
Hi Vivek,
On 7/1/19 8:32 AM, Vivek Goyal wrote:
> On Fri, Jun 28, 2019 at 11:45:40AM -0700, Srivatsa S. Bhat wrote:
>> Hi,
>>
>> This patchset includes a few backported fixes for the 4.4 stable tree.
>> I would appreciate if you could kindly consider including them in the
>> next release.
>>
>> Thank you!
>>
>> Regards,
>> Srivatsa
>>
>> ---
>>
>> Gen Zhang (2):
>> ip_sockglue: Fix missing-check bug in ip_ra_control()
>> ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()
>>
>> Vivek Goyal (1):
>> ovl: modify ovl_permission() to do checks on two inodes
>
> Hi Srivatsa,
>
> Curious, why are you backporting above patch. These changes were done in
> a series primarily to support SELinux with overlay. Are you fixing a
> particular issue with this single patch?
>
Sorry for the late reply. I backported this patch because it fixes
CVE-2018-16597.
Regards,
Srivatsa