authorPetr Tesarik <ptesarik@suse.cz>2019-03-07 23:25:44 +0100
committerPetr Tesarik <ptesarik@suse.cz>2019-03-07 23:25:44 +0100
commit1cbd499e124e01b9e3479a6549c5cc4d827d7fc9 (patch)
tree775cea86aa3d5550e87dfa597160f9e175bd945a
parent5c1f744e376b2fbb00fa5f63906f12b7444cec71 (diff)
parentfc169b3a5cc6c606556bef28d21ed21b85169080 (diff)
Merge branch 'users/bpetkov/SLE15/for-next' into SLE15
Pull x86 fixes from Borislav Petkov
-rw-r--r--blacklist.conf5
-rw-r--r--patches.arch/x86-a-out-clear-the-dump-structure-initially.patch58
-rw-r--r--patches.arch/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch40
-rw-r--r--patches.arch/x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch42
-rw-r--r--patches.arch/x86-vdso-remove-obsolete-fake-section-table-reservation.patch115
-rw-r--r--patches.suse/0003-x86-KASLR-public-the-function-for-getting-random-lon.patch81
-rw-r--r--series.conf4
7 files changed, 268 insertions, 77 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 26ffdd41b4..8c6c8ba81b 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -978,3 +978,8 @@ ad211f3e94b314a910d4af03178a0b52a7d1ee0a # Causes possible data corruption, got
a2aeea1cc14f9143f973b99950f39b38be144f3e # merge commit
e04e7a7bbd4bbabef4e1a58367e5fc9b2edc3b10 # claims to fix 8195b1396ec86dddbba443c74b2188b423556c74 instead of 7bf7bb37f16a80465ee3bd7c6c966f96f5a075a6
b6b6036a5d5591762ee1d9fd5ca9c89148d037f0 # mere cleanup
+b247be3fe89b6aba928bf80f4453d1c4ba8d2063 # no urgent reason to include in SLE15, according to Davidlohr
+dbe733642e01dd108f71436aaea7b328cb28fd87 # all our flavors are CONFIG_SMP=y
+29434801e7e9c6d05fbea4533b3c0bd6be612f62 # it is removing a comment
+65bba0423ecf89fb291d2269e0087707888a1cef # we don't support UML
+53bb565fc5439f2c8c57a786feea5946804aa3e9 # CONFIG_PCI_CNB20LE_QUIRK is not set, which enables this compilation unit
diff --git a/patches.arch/x86-a-out-clear-the-dump-structure-initially.patch b/patches.arch/x86-a-out-clear-the-dump-structure-initially.patch
new file mode 100644
index 0000000000..c6e26e6329
--- /dev/null
+++ b/patches.arch/x86-a-out-clear-the-dump-structure-initially.patch
@@ -0,0 +1,58 @@
+From: Borislav Petkov <bp@suse.de>
+Date: Tue, 12 Feb 2019 14:28:03 +0100
+Subject: x86/a.out: Clear the dump structure initially
+Git-commit: 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c
+Patch-mainline: v5.0-rc7
+References: bsc#1114279
+
+dump_thread32() in aout_core_dump() does not clear the user32 structure
+allocated on the stack as the first thing on function entry.
+
+As a result, the dump.u_comm, dump.u_ar0 and dump.signal which get
+assigned before the clearing, get overwritten.
+
+Rename that function to fill_dump() to make it clear what it does and
+call it first thing.
+
+This was caught while staring at a patch by Derek Robson
+<robsonde@gmail.com>.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Derek Robson <robsonde@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Matz <matz@suse.de>
+Cc: x86@kernel.org
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20190202005512.3144-1-robsonde@gmail.com
+---
+ arch/x86/ia32/ia32_aout.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
+index f65b78d32f5e..7dbbe9ffda17 100644
+--- a/arch/x86/ia32/ia32_aout.c
++++ b/arch/x86/ia32/ia32_aout.c
+@@ -51,7 +51,7 @@ static unsigned long get_dr(int n)
+ /*
+ * fill in the user structure for a core dump..
+ */
+-static void dump_thread32(struct pt_regs *regs, struct user32 *dump)
++static void fill_dump(struct pt_regs *regs, struct user32 *dump)
+ {
+ u32 fs, gs;
+ memset(dump, 0, sizeof(*dump));
+@@ -157,10 +157,12 @@ static int aout_core_dump(struct coredump_params *cprm)
+ fs = get_fs();
+ set_fs(KERNEL_DS);
+ has_dumped = 1;
++
++ fill_dump(cprm->regs, &dump);
++
+ strncpy(dump.u_comm, current->comm, sizeof(current->comm));
+ dump.u_ar0 = offsetof(struct user32, regs);
+ dump.signal = cprm->siginfo->si_signo;
+- dump_thread32(cprm->regs, &dump);
+
+ /*
+ * If the size of the dump file exceeds the rlimit, then see
+
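Review bot: The context line `strncpy(dump.u_comm, current->comm, sizeof(current->comm));` in the aout_core_dump() hunk bounds the copy by the size of the source, not the destination, and strncpy() does not guarantee NUL termination. With fill_dump() now zeroing the structure first, the result is terminated only if u_comm is strictly larger than comm, and neither size is visible in this patch. Bounding by the destination, for example `strscpy(dump.u_comm, current->comm, sizeof(dump.u_comm));`, would remove that dependency. aout_core_dump() starts and ends outside the hunk.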
diff --git a/patches.arch/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch b/patches.arch/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch
new file mode 100644
index 0000000000..33fa1ecb82
--- /dev/null
+++ b/patches.arch/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch
@@ -0,0 +1,40 @@
+From: Daniel Drake <drake@endlessm.com>
+Date: Mon, 7 Jan 2019 11:40:24 +0800
+Subject: x86/kaslr: Fix incorrect i8254 outb() parameters
+Git-commit: 7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4
+Patch-mainline: v5.0-rc4
+References: bsc#1114279
+
+The outb() function takes parameters value and port, in that order. Fix
+the parameters used in the kalsr i8254 fallback code.
+
+Fixes: 5bfce5ef55cb ("x86, kaslr: Provide randomness functions")
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: bp@alien8.de
+Cc: hpa@zytor.com
+Cc: linux@endlessm.com
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190107034024.15005-1-drake@endlessm.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/lib/kaslr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/lib/kaslr.c b/arch/x86/lib/kaslr.c
+index 79778ab200e4..a53665116458 100644
+--- a/arch/x86/lib/kaslr.c
++++ b/arch/x86/lib/kaslr.c
+@@ -36,8 +36,8 @@ static inline u16 i8254(void)
+ u16 status, timer;
+
+ do {
+- outb(I8254_PORT_CONTROL,
+- I8254_CMD_READBACK | I8254_SELECT_COUNTER0);
++ outb(I8254_CMD_READBACK | I8254_SELECT_COUNTER0,
++ I8254_PORT_CONTROL);
+ status = inb(I8254_PORT_COUNTER0);
+ timer = inb(I8254_PORT_COUNTER0);
+ timer |= inb(I8254_PORT_COUNTER0) << 8;
+
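Review bot: The corrected `outb()` call in i8254() has no comment on argument order, which is exactly what was wrong: `outb()` takes the value first and the port second. A one-line comment above the call, such as `/* outb(value, port): latch status and count of counter 0 */`, would keep the order from being flipped back. Going by the Fixes: tag and the commit message, this read feeds the KASLR randomness fallback, where a swapped call fails silently rather than visibly. The do/while loop closes outside the hunk.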
diff --git a/patches.arch/x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch b/patches.arch/x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch
new file mode 100644
index 0000000000..64d6ef00f4
--- /dev/null
+++ b/patches.arch/x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch
@@ -0,0 +1,42 @@
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 18 Dec 2018 17:29:56 +0000
+Subject: x86/mtrr: Don't copy uninitialized gentry fields back to userspace
+Git-commit: 32043fa065b51e0b1433e48d118821c71b5cd65d
+Patch-mainline: v4.20
+References: bsc#1114279
+
+Currently the copy_to_user of data in the gentry struct is copying
+uninitiaized data in field _pad from the stack to userspace.
+
+Fix this by explicitly memset'ing gentry to zero, this also will zero any
+compiler added padding fields that may be in struct (currently there are
+none).
+
+Detected by CoverityScan, CID#200783 ("Uninitialized scalar variable")
+
+Fixes: b263b31e8ad6 ("x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
+Cc: security@kernel.org
+Link: https://lkml.kernel.org/r/20181218172956.1440-1-colin.king@canonical.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/cpu/mtrr/if.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c
+index 2e173d47b450..4d36dcc1cf87 100644
+--- a/arch/x86/kernel/cpu/mtrr/if.c
++++ b/arch/x86/kernel/cpu/mtrr/if.c
+@@ -165,6 +165,8 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
+ struct mtrr_gentry gentry;
+ void __user *arg = (void __user *) __arg;
+
++ memset(&gentry, 0, sizeof(gentry));
++
+ switch (cmd) {
+ case MTRRIOC_ADD_ENTRY:
+ case MTRRIOC_SET_ENTRY:
+
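Review bot: The added `memset(&gentry, 0, sizeof(gentry));` in mtrr_ioctl() carries no comment saying why it is there, and to a later reader it can look redundant, since the ioctl cases presumably fill the named fields. Per the commit message it keeps the `_pad` field and any compiler padding out of the copy_to_user(), so a comment such as `/* Zero gentry, including _pad, so no stack bytes reach userspace */` would protect the line from a well-meant cleanup. memset() is the right tool here, because a `= {0}` initializer is not guaranteed to clear padding bytes. mtrr_ioctl() continues beyond the hunk, so the copy_to_user() sites themselves are not visible.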
diff --git a/patches.arch/x86-vdso-remove-obsolete-fake-section-table-reservation.patch b/patches.arch/x86-vdso-remove-obsolete-fake-section-table-reservation.patch
new file mode 100644
index 0000000000..7c620d77b4
--- /dev/null
+++ b/patches.arch/x86-vdso-remove-obsolete-fake-section-table-reservation.patch
@@ -0,0 +1,115 @@
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 4 Dec 2018 13:25:57 -0800
+Subject: x86/vdso: Remove obsolete "fake section table" reservation
+Git-commit: 24b7c77bbb24f129beead93574ff248c3db1288e
+Patch-mainline: v5.0-rc1
+References: bsc#1114279
+
+At one point the vDSO image was manually stripped down by vdso2c in an
+attempt to minimize the size of the image mapped into userspace. Part
+of that stripping process involved building a fake section table so as
+not to break userspace processes that parse the section table. Memory
+for the fake section table was reserved in the .rodata section so that
+vdso2c could simply copy the entire PT_LOAD segment into the userspace
+image after building the fake table.
+
+Eventually, the entire fake section table approach was dropped in favor
+of stripping the vdso "the old fashioned way", i.e. via objdump -S.
+But, the reservation in .rodata for the fake table was left behind.
+Remove the reserveration along with a few other related defines and
+section entries.
+
+Removing the fake section table placeholder zaps a whopping 0x340 bytes
+from the 64-bit vDSO image, which drops the current image's size to
+under 4k, i.e. reduces the effective size of the userspace vDSO mapping
+by a full page.
+
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Acked-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: da861e18eccc ("x86, vdso: Get rid of the fake section mechanism")
+Link: http://lkml.kernel.org/r/20181204212600.28090-2-sean.j.christopherson@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/entry/vdso/vdso-layout.lds.S | 22 ----------------------
+ arch/x86/entry/vdso/vdso2c.c | 8 --------
+ 2 files changed, 30 deletions(-)
+
+diff --git a/arch/x86/entry/vdso/vdso-layout.lds.S b/arch/x86/entry/vdso/vdso-layout.lds.S
+index acfd5ba7d943..0cedc905c8d6 100644
+--- a/arch/x86/entry/vdso/vdso-layout.lds.S
++++ b/arch/x86/entry/vdso/vdso-layout.lds.S
+@@ -7,16 +7,6 @@
+ * This script controls its layout.
+ */
+
+-#if defined(BUILD_VDSO64)
+-# define SHDR_SIZE 64
+-#elif defined(BUILD_VDSO32) || defined(BUILD_VDSOX32)
+-# define SHDR_SIZE 40
+-#else
+-# error unknown VDSO target
+-#endif
+-
+-#define NUM_FAKE_SHDRS 13
+-
+ SECTIONS
+ {
+ /*
+@@ -60,20 +50,8 @@ SECTIONS
+ *(.bss*)
+ *(.dynbss*)
+ *(.gnu.linkonce.b.*)
+-
+- /*
+- * Ideally this would live in a C file, but that won't
+- * work cleanly for x32 until we start building the x32
+- * C code using an x32 toolchain.
+- */
+- VDSO_FAKE_SECTION_TABLE_START = .;
+- . = . + NUM_FAKE_SHDRS * SHDR_SIZE;
+- VDSO_FAKE_SECTION_TABLE_END = .;
+ } :text
+
+- .fake_shstrtab : { *(.fake_shstrtab) } :text
+-
+-
+ .note : { *(.note.*) } :text :note
+
+ .eh_frame_hdr : { *(.eh_frame_hdr) } :text :eh_frame_hdr
+diff --git a/arch/x86/entry/vdso/vdso2c.c b/arch/x86/entry/vdso/vdso2c.c
+index 4674f58581a1..8e470b018512 100644
+--- a/arch/x86/entry/vdso/vdso2c.c
++++ b/arch/x86/entry/vdso/vdso2c.c
+@@ -76,8 +76,6 @@ enum {
+ sym_hpet_page,
+ sym_pvclock_page,
+ sym_hvclock_page,
+- sym_VDSO_FAKE_SECTION_TABLE_START,
+- sym_VDSO_FAKE_SECTION_TABLE_END,
+ };
+
+ const int special_pages[] = {
+@@ -98,12 +96,6 @@ struct vdso_sym required_syms[] = {
+ [sym_hpet_page] = {"hpet_page", true},
+ [sym_pvclock_page] = {"pvclock_page", true},
+ [sym_hvclock_page] = {"hvclock_page", true},
+- [sym_VDSO_FAKE_SECTION_TABLE_START] = {
+- "VDSO_FAKE_SECTION_TABLE_START", false
+- },
+- [sym_VDSO_FAKE_SECTION_TABLE_END] = {
+- "VDSO_FAKE_SECTION_TABLE_END", false
+- },
+ {"VDSO32_NOTE_MASK", true},
+ {"__kernel_vsyscall", true},
+ {"__kernel_sigreturn", true},
+
diff --git a/patches.suse/0003-x86-KASLR-public-the-function-for-getting-random-lon.patch b/patches.suse/0003-x86-KASLR-public-the-function-for-getting-random-lon.patch
index d027a89291..7f4f2d6dee 100644
--- a/patches.suse/0003-x86-KASLR-public-the-function-for-getting-random-lon.patch
+++ b/patches.suse/0003-x86-KASLR-public-the-function-for-getting-random-lon.patch
@@ -15,9 +15,8 @@ Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
arch/x86/boot/compressed/kaslr.c | 21 ------------
arch/x86/boot/compressed/misc.c | 17 ++++++++++
arch/x86/boot/compressed/misc.h | 6 +++
- arch/x86/lib/kaslr.c | 61 +-----------------------------------
arch/x86/lib/random.c | 66 +++++++++++++++++++++++++++++++++++++++
- 5 files changed, 91 insertions(+), 80 deletions(-)
+ 4 files changed, 89 insertions(+), 21 deletions(-)
create mode 100644 arch/x86/lib/random.c
--- a/arch/x86/boot/compressed/kaslr.c
@@ -64,7 +63,7 @@ Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
{
--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
-@@ -411,3 +411,20 @@ asmlinkage __visible void *extract_kerne
+@@ -431,3 +431,20 @@ asmlinkage __visible void *extract_kerne
debug_putstr("done.\nBooting the kernel.\n");
return output;
}
@@ -107,78 +106,6 @@ Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
#else
static inline void choose_random_location(unsigned long input,
unsigned long input_size,
---- a/arch/x86/lib/kaslr.c
-+++ b/arch/x86/lib/kaslr.c
-@@ -25,67 +25,10 @@
- #define get_boot_seed() kaslr_offset()
- #endif
-
--#define I8254_PORT_CONTROL 0x43
--#define I8254_PORT_COUNTER0 0x40
--#define I8254_CMD_READBACK 0xC0
--#define I8254_SELECT_COUNTER0 0x02
--#define I8254_STATUS_NOTREADY 0x40
--static inline u16 i8254(void)
--{
-- u16 status, timer;
--
-- do {
-- outb(I8254_PORT_CONTROL,
-- I8254_CMD_READBACK | I8254_SELECT_COUNTER0);
-- status = inb(I8254_PORT_COUNTER0);
-- timer = inb(I8254_PORT_COUNTER0);
-- timer |= inb(I8254_PORT_COUNTER0) << 8;
-- } while (status & I8254_STATUS_NOTREADY);
--
-- return timer;
--}
-+#include "random.c"
-
- unsigned long kaslr_get_random_long(const char *purpose)
- {
--#ifdef CONFIG_X86_64
-- const unsigned long mix_const = 0x5d6008cbf3848dd3UL;
--#else
-- const unsigned long mix_const = 0x3f39e593UL;
--#endif
-- unsigned long raw, random = get_boot_seed();
-- bool use_i8254 = true;
--
-- debug_putstr(purpose);
- debug_putstr(" KASLR using");
--
-- if (has_cpuflag(X86_FEATURE_RDRAND)) {
-- debug_putstr(" RDRAND");
-- if (rdrand_long(&raw)) {
-- random ^= raw;
-- use_i8254 = false;
-- }
-- }
--
-- if (has_cpuflag(X86_FEATURE_TSC)) {
-- debug_putstr(" RDTSC");
-- raw = rdtsc();
--
-- random ^= raw;
-- use_i8254 = false;
-- }
--
-- if (use_i8254) {
-- debug_putstr(" i8254");
-- random ^= i8254();
-- }
--
-- /* Circular multiply for better bit diffusion */
-- asm(_ASM_MUL "%3"
-- : "=a" (random), "=d" (raw)
-- : "a" (random), "rm" (mix_const));
-- random += raw;
--
-- debug_putstr("...\n");
--
-- return random;
-+ return get_random_long(purpose);
- }
--- /dev/null
+++ b/arch/x86/lib/random.c
@@ -0,0 +1,66 @@
@@ -195,8 +122,8 @@ Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
+ u16 status, timer;
+
+ do {
-+ outb(I8254_PORT_CONTROL,
-+ I8254_CMD_READBACK | I8254_SELECT_COUNTER0);
++ outb(I8254_CMD_READBACK | I8254_SELECT_COUNTER0,
++ I8254_PORT_CONTROL);
+ status = inb(I8254_PORT_COUNTER0);
+ timer = inb(I8254_PORT_COUNTER0);
+ timer |= inb(I8254_PORT_COUNTER0) << 8;
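Review bot: This refresh fixes the `outb()` argument order by hand in the copy of i8254() that the patch adds to arch/x86/lib/random.c, while the hunk at `@@ -107,78 +106,6 @@` drops the part that removed the original from arch/x86/lib/kaslr.c. The series therefore appears to leave two copies of the same KASLR fallback code: the kaslr.c copy is fixed by the upstream backport, the random.c copy only by this edit. Nothing visible in the patch records that. A header line such as `[ refreshed: carry the outb() fix from 7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4 in random.c; kaslr.c hunk dropped ]` would tell whoever backports the next kaslr.c fix that random.c needs it too. The patch header lies outside the lines shown here.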
diff --git a/series.conf b/series.conf
index a20241bee9..90dc86feac 100644
--- a/series.conf
+++ b/series.conf
@@ -20044,6 +20044,7 @@
patches.drivers/Input-synaptics-enable-SMBus-for-HP-EliteBook-840-G4.patch
patches.drm/0001-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch
patches.fixes/x86-mm-Fix-decoy-address-handling-vs-32-bit-builds.patch
+ patches.arch/x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch
patches.suse/tcp-fix-a-race-in-inet_diag_dump_icsk.patch
patches.suse/packet-validate-address-length.patch
patches.suse/ipv6-tunnels-fix-two-use-after-free.patch
@@ -20116,6 +20117,7 @@
patches.arch/x86-resctrl-fix-rdt_find_domain-return-value-and-checks.patch
patches.drivers/firmware-efi-Add-NULL-pointer-checks-in-efivars-API-.patch
patches.fixes/tools-lib-lockdep-Rename-trywlock-into-trywrlock.patch
+ patches.arch/x86-vdso-remove-obsolete-fake-section-table-reservation.patch
patches.arch/x86-mm-drop-usage-of-_flush_tlb_all-in-kernel_physical_mapping_init.patch
patches.arch/powerpc-xmon-Fix-invocation-inside-lock-region.patch
patches.arch/powerpc-tm-Set-MSR-TS-just-prior-to-recheckpoint.patch
@@ -20504,6 +20506,7 @@
patches.fixes/0001-sched-wake_q-Fix-wakeup-ordering-for-wake_q.patch
patches.fixes/0001-futex-Fix-possible-missed-wakeup.patch
patches.fixes/0001-locking-rwsem-Fix-possible-missed-wakeup.patch
+ patches.arch/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch
patches.fixes/netrom-switch-to-sock-timer-API.patch
patches.suse/net-rose-fix-NULL-ax25_cb-kernel-panic.patch
patches.suse/net-mlx5e-Allow-MAC-invalidation-while-spoofchk-is-O.patch
@@ -20606,6 +20609,7 @@
patches.drivers/Input-elan_i2c-add-ACPI-ID-for-touchpad-in-Lenovo-V3.patch
patches.drivers/i2c-cadence-Fix-the-hold-bit-setting.patch
patches.drivers/i2c-bcm2835-Clear-current-buffer-pointers-and-counts.patch
+ patches.arch/x86-a-out-clear-the-dump-structure-initially.patch
patches.arch/x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls
patches.fixes/mailbox-bcm-flexrm-mailbox-Fix-FlexRM-ring-flush-tim.patch
patches.fixes/mac80211-Free-mpath-object-when-rhashtable-insertion.patch