From f61372fc90823fe5f2c5cf7908aa420a05ab20bd Mon Sep 17 00:00:00 2001
From: Petr Tesarik
Date: Mar 07 2019 22:32:34 +0000
Subject: Merge branch 'SLE15' into SLE15-SP1
Conflicts: blacklist.conf
---
diff --git a/blacklist.conf b/blacklist.conf
index 65e6155..d1c9bbc 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -895,3 +895,8 @@ e04e7a7bbd4bbabef4e1a58367e5fc9b2edc3b10 # claims to fix 8195b1396ec86dddbba443c
 b6b6036a5d5591762ee1d9fd5ca9c89148d037f0 # mere cleanup
 3d210534cc93dab39a9d1a8d674aa2872c268d38 # same as 8015d93ebd27484418d4952284fd02172fa4b0b2
 74abc07dee613086f9c0ded9e263ddc959a6de04 # same as 29dded89e80e3fff61efb34f07a8a3fba3ea146d
+b247be3fe89b6aba928bf80f4453d1c4ba8d2063 # no urgent reason to include in SLE15, according to Davidlohr
+dbe733642e01dd108f71436aaea7b328cb28fd87 # all our flavors are CONFIG_SMP=y
+29434801e7e9c6d05fbea4533b3c0bd6be612f62 # it is removing a comment
+65bba0423ecf89fb291d2269e0087707888a1cef # we don't support UML
+53bb565fc5439f2c8c57a786feea5946804aa3e9 # CONFIG_PCI_CNB20LE_QUIRK is not set, which enables this compilation unit
diff --git a/patches.arch/x86-a-out-clear-the-dump-structure-initially.patch b/patches.arch/x86-a-out-clear-the-dump-structure-initially.patch
new file mode 100644
index 0000000..c6e26e6
--- /dev/null
+++ b/patches.arch/x86-a-out-clear-the-dump-structure-initially.patch
@@ -0,0 +1,58 @@
+From: Borislav Petkov
+Date: Tue, 12 Feb 2019 14:28:03 +0100
+Subject: x86/a.out: Clear the dump structure initially
+Git-commit: 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c
+Patch-mainline: v5.0-rc7
+References: bsc#1114279
+
+dump_thread32() in aout_core_dump() does not clear the user32 structure
+allocated on the stack as the first thing on function entry.
+
+As a result, the dump.u_comm, dump.u_ar0 and dump.signal which get
+assigned before the clearing, get overwritten.
+
+Rename that function to fill_dump() to make it clear what it does and
+call it first thing.
+
+This was caught while staring at a patch by Derek Robson
+.
+
+Signed-off-by: Borislav Petkov
+Cc: Derek Robson
+Cc: Linus Torvalds
+Cc: Michael Matz
+Cc: x86@kernel.org
+Cc:
+Link: https://lkml.kernel.org/r/20190202005512.3144-1-robsonde@gmail.com
+---
+ arch/x86/ia32/ia32_aout.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
+index f65b78d32f5e..7dbbe9ffda17 100644
+--- a/arch/x86/ia32/ia32_aout.c
++++ b/arch/x86/ia32/ia32_aout.c
+@@ -51,7 +51,7 @@ static unsigned long get_dr(int n)
+ /*
+ * fill in the user structure for a core dump..
+ */
+-static void dump_thread32(struct pt_regs *regs, struct user32 *dump)
++static void fill_dump(struct pt_regs *regs, struct user32 *dump)
+ {
+ u32 fs, gs;
+ memset(dump, 0, sizeof(*dump));
+@@ -157,10 +157,12 @@ static int aout_core_dump(struct coredump_params *cprm)
+ fs = get_fs();
+ set_fs(KERNEL_DS);
+ has_dumped = 1;
++
++ fill_dump(cprm->regs, &dump);
++
+ strncpy(dump.u_comm, current->comm, sizeof(current->comm));
+ dump.u_ar0 = offsetof(struct user32, regs);
+ dump.signal = cprm->siginfo->si_signo;
+- dump_thread32(cprm->regs, &dump);
+
+ /*
+ * If the size of the dump file exceeds the rlimit, then see
+
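Review bot: The ordering this fix depends on is not recorded at the new call site in aout_core_dump() of ia32_aout.c: fill_dump() opens with `memset(dump, 0, sizeof(*dump))`, so any field assigned before the call is silently wiped, which is exactly the bug being fixed. A one-line comment above the call, e.g. `/* fill_dump() zeroes the whole struct; call it before setting any field */`, would keep a later reorder from reintroducing it. The neighbouring `strncpy(dump.u_comm, current->comm, sizeof(current->comm))` is bounded by the source size, so its NUL termination now relies on that memset and on u_comm being at least as large as comm; the field sizes are not visible here and are worth confirming. Both function bodies start and end outside the hunks shown.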
diff --git a/patches.arch/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch b/patches.arch/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch
new file mode 100644
index 0000000..33fa1ec
--- /dev/null
+++ b/patches.arch/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch
@@ -0,0 +1,40 @@
+From: Daniel Drake
+Date: Mon, 7 Jan 2019 11:40:24 +0800
+Subject: x86/kaslr: Fix incorrect i8254 outb() parameters
+Git-commit: 7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4
+Patch-mainline: v5.0-rc4
+References: bsc#1114279
+
+The outb() function takes parameters value and port, in that order. Fix
+the parameters used in the kalsr i8254 fallback code.
+
+Fixes: 5bfce5ef55cb ("x86, kaslr: Provide randomness functions")
+Signed-off-by: Daniel Drake
+Signed-off-by: Thomas Gleixner
+Cc: bp@alien8.de
+Cc: hpa@zytor.com
+Cc: linux@endlessm.com
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190107034024.15005-1-drake@endlessm.com
+
+Acked-by: Borislav Petkov
+---
+ arch/x86/lib/kaslr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/lib/kaslr.c b/arch/x86/lib/kaslr.c
+index 79778ab200e4..a53665116458 100644
+--- a/arch/x86/lib/kaslr.c
++++ b/arch/x86/lib/kaslr.c
+@@ -36,8 +36,8 @@ static inline u16 i8254(void)
+ u16 status, timer;
+
+ do {
+- outb(I8254_PORT_CONTROL,
+- I8254_CMD_READBACK | I8254_SELECT_COUNTER0);
++ outb(I8254_CMD_READBACK | I8254_SELECT_COUNTER0,
++ I8254_PORT_CONTROL);
+ status = inb(I8254_PORT_COUNTER0);
+ timer = inb(I8254_PORT_COUNTER0);
+ timer |= inb(I8254_PORT_COUNTER0) << 8;
+
diff --git a/patches.arch/x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch b/patches.arch/x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch
new file mode 100644
index 0000000..64d6ef0
--- /dev/null
+++ b/patches.arch/x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch
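Review bot: The polling loop in i8254() of arch/x86/lib/kaslr.c has no retry bound, and with the corrected `outb()` the `status` byte it tests is now real device state. The exit test lies outside this hunk; the copy of the function elsewhere on this page shows it as `while (status & I8254_STATUS_NOTREADY)`. If port 0x40 is not backed by a PIT and reads come back as all ones, that bit would presumably stay set and the loop would spin during early boot. Consider capping it with `} while ((status & I8254_STATUS_NOTREADY) && --tries);` and an `int tries = 16;` (constructed value) next to `status`. A short comment that this 16-bit counter is only the last-resort KASLR entropy source, used when neither RDRAND nor RDTSC is available, would also help.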
@@ -0,0 +1,42 @@
+From: Colin Ian King
+Date: Tue, 18 Dec 2018 17:29:56 +0000
+Subject: x86/mtrr: Don't copy uninitialized gentry fields back to userspace
+Git-commit: 32043fa065b51e0b1433e48d118821c71b5cd65d
+Patch-mainline: v4.20
+References: bsc#1114279
+
+Currently the copy_to_user of data in the gentry struct is copying
+uninitiaized data in field _pad from the stack to userspace.
+
+Fix this by explicitly memset'ing gentry to zero, this also will zero any
+compiler added padding fields that may be in struct (currently there are
+none).
+
+Detected by CoverityScan, CID#200783 ("Uninitialized scalar variable")
+
+Fixes: b263b31e8ad6 ("x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls")
+Signed-off-by: Colin Ian King
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Tyler Hicks
+Cc: security@kernel.org
+Link: https://lkml.kernel.org/r/20181218172956.1440-1-colin.king@canonical.com
+
+Acked-by: Borislav Petkov
+---
+ arch/x86/kernel/cpu/mtrr/if.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c
+index 2e173d47b450..4d36dcc1cf87 100644
+--- a/arch/x86/kernel/cpu/mtrr/if.c
++++ b/arch/x86/kernel/cpu/mtrr/if.c
+@@ -165,6 +165,8 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
+ struct mtrr_gentry gentry;
+ void __user *arg = (void __user *) __arg;
+
++ memset(&gentry, 0, sizeof(gentry));
++
+ switch (cmd) {
+ case MTRRIOC_ADD_ENTRY:
+ case MTRRIOC_SET_ENTRY:
+
diff --git a/patches.arch/x86-vdso-remove-obsolete-fake-section-table-reservation.patch b/patches.arch/x86-vdso-remove-obsolete-fake-section-table-reservation.patch
new file mode 100644
index 0000000..7c620d7
--- /dev/null
+++ b/patches.arch/x86-vdso-remove-obsolete-fake-section-table-reservation.patch
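Review bot: The added `memset(&gentry, 0, sizeof(gentry));` in mtrr_ioctl() of arch/x86/kernel/cpu/mtrr/if.c has no comment saying why it is a memset rather than an initializer, and that reason is the security property. Per the commit text the struct is later handed to copy_to_user(), and memset is what clears `_pad` and any compiler-added padding along with the named fields. I would put `/* Zero the whole struct, padding included: it is copied back to userspace */` above it so a later cleanup does not turn it into `= {}`. Only the top of mtrr_ioctl() is in the hunk, so whether other stack structs in the function are also copied out cannot be seen here and is worth checking in the same pass.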
@@ -0,0 +1,115 @@
+From: Sean Christopherson
+Date: Tue, 4 Dec 2018 13:25:57 -0800
+Subject: x86/vdso: Remove obsolete "fake section table" reservation
+Git-commit: 24b7c77bbb24f129beead93574ff248c3db1288e
+Patch-mainline: v5.0-rc1
+References: bsc#1114279
+
+At one point the vDSO image was manually stripped down by vdso2c in an
+attempt to minimize the size of the image mapped into userspace. Part
+of that stripping process involved building a fake section table so as
+not to break userspace processes that parse the section table. Memory
+for the fake section table was reserved in the .rodata section so that
+vdso2c could simply copy the entire PT_LOAD segment into the userspace
+image after building the fake table.
+
+Eventually, the entire fake section table approach was dropped in favor
+of stripping the vdso "the old fashioned way", i.e. via objdump -S.
+But, the reservation in .rodata for the fake table was left behind.
+Remove the reserveration along with a few other related defines and
+section entries.
+
+Removing the fake section table placeholder zaps a whopping 0x340 bytes
+from the 64-bit vDSO image, which drops the current image's size to
+under 4k, i.e. reduces the effective size of the userspace vDSO mapping
+by a full page.
+
+Signed-off-by: Sean Christopherson
+Acked-by: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Brian Gerst
+Cc: Dave Hansen
+Cc: Denys Vlasenko
+Cc: H. Peter Anvin
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Rik van Riel
+Cc: Thomas Gleixner
+Fixes: da861e18eccc ("x86, vdso: Get rid of the fake section mechanism")
+Link: http://lkml.kernel.org/r/20181204212600.28090-2-sean.j.christopherson@intel.com
+Signed-off-by: Ingo Molnar
+Acked-by: Borislav Petkov
+---
+ arch/x86/entry/vdso/vdso-layout.lds.S | 22 ----------------------
+ arch/x86/entry/vdso/vdso2c.c | 8 --------
+ 2 files changed, 30 deletions(-)
+
+diff --git a/arch/x86/entry/vdso/vdso-layout.lds.S b/arch/x86/entry/vdso/vdso-layout.lds.S
+index acfd5ba7d943..0cedc905c8d6 100644
+--- a/arch/x86/entry/vdso/vdso-layout.lds.S
++++ b/arch/x86/entry/vdso/vdso-layout.lds.S
+@@ -7,16 +7,6 @@
+ * This script controls its layout.
+ */
+
+-#if defined(BUILD_VDSO64)
+-# define SHDR_SIZE 64
+-#elif defined(BUILD_VDSO32) || defined(BUILD_VDSOX32)
+-# define SHDR_SIZE 40
+-#else
+-# error unknown VDSO target
+-#endif
+-
+-#define NUM_FAKE_SHDRS 13
+-
+ SECTIONS
+ {
+ /*
+@@ -60,20 +50,8 @@ SECTIONS
+ *(.bss*)
+ *(.dynbss*)
+ *(.gnu.linkonce.b.*)
+-
+- /*
+- * Ideally this would live in a C file, but that won't
+- * work cleanly for x32 until we start building the x32
+- * C code using an x32 toolchain.
+- */
+- VDSO_FAKE_SECTION_TABLE_START = .;
+- . = . + NUM_FAKE_SHDRS * SHDR_SIZE;
+- VDSO_FAKE_SECTION_TABLE_END = .;
+ } :text
+
+- .fake_shstrtab : { *(.fake_shstrtab) } :text
+-
+-
+ .note : { *(.note.*) } :text :note
+
+ .eh_frame_hdr : { *(.eh_frame_hdr) } :text :eh_frame_hdr
+diff --git a/arch/x86/entry/vdso/vdso2c.c b/arch/x86/entry/vdso/vdso2c.c
+index 4674f58581a1..8e470b018512 100644
+--- a/arch/x86/entry/vdso/vdso2c.c
++++ b/arch/x86/entry/vdso/vdso2c.c
+@@ -76,8 +76,6 @@ enum {
+ sym_hpet_page,
+ sym_pvclock_page,
+ sym_hvclock_page,
+- sym_VDSO_FAKE_SECTION_TABLE_START,
+- sym_VDSO_FAKE_SECTION_TABLE_END,
+ };
+
+ const int special_pages[] = {
+@@ -98,12 +96,6 @@ struct vdso_sym required_syms[] = {
+ [sym_hpet_page] = {"hpet_page", true},
+ [sym_pvclock_page] = {"pvclock_page", true},
+ [sym_hvclock_page] = {"hvclock_page", true},
+- [sym_VDSO_FAKE_SECTION_TABLE_START] = {
+- "VDSO_FAKE_SECTION_TABLE_START", false
+- },
+- [sym_VDSO_FAKE_SECTION_TABLE_END] = {
+- "VDSO_FAKE_SECTION_TABLE_END", false
+- },
+ {"VDSO32_NOTE_MASK", true},
+ {"__kernel_vsyscall", true},
+ {"__kernel_sigreturn", true},
+
diff --git a/patches.suse/0003-x86-KASLR-public-the-function-for-getting-random-lon.patch b/patches.suse/0003-x86-KASLR-public-the-function-for-getting-random-lon.patch
index d027a89..7f4f2d6 100644
--- a/patches.suse/0003-x86-KASLR-public-the-function-for-getting-random-lon.patch
+++ b/patches.suse/0003-x86-KASLR-public-the-function-for-getting-random-lon.patch
@@ -15,9 +15,8 @@ Signed-off-by: Lee, Chun-Yi
 arch/x86/boot/compressed/kaslr.c | 21 ------------
 arch/x86/boot/compressed/misc.c | 17 ++++++++++
 arch/x86/boot/compressed/misc.h | 6 +++
- arch/x86/lib/kaslr.c | 61 +-----------------------------------
 arch/x86/lib/random.c | 66 +++++++++++++++++++++++++++++++++++++++
- 5 files changed, 91 insertions(+), 80 deletions(-)
+ 4 files changed, 89 insertions(+), 21 deletions(-)
 create mode 100644 arch/x86/lib/random.c
 
 --- a/arch/x86/boot/compressed/kaslr.c
@@ -64,7 +63,7 @@ Signed-off-by: Lee, Chun-Yi
 {
 --- a/arch/x86/boot/compressed/misc.c
 +++ b/arch/x86/boot/compressed/misc.c
-@@ -411,3 +411,20 @@ asmlinkage __visible void *extract_kerne
+@@ -431,3 +431,20 @@ asmlinkage __visible void *extract_kerne
 debug_putstr("done.\nBooting the kernel.\n");
 return output;
 }
@@ -107,78 +106,6 @@ Signed-off-by: Lee, Chun-Yi
 #else
 static inline void choose_random_location(unsigned long input,
 unsigned long input_size,
---- a/arch/x86/lib/kaslr.c
-+++ b/arch/x86/lib/kaslr.c
-@@ -25,67 +25,10 @@
- #define get_boot_seed() kaslr_offset()
- #endif
-
--#define I8254_PORT_CONTROL 0x43
--#define I8254_PORT_COUNTER0 0x40
--#define I8254_CMD_READBACK 0xC0
--#define I8254_SELECT_COUNTER0 0x02
--#define I8254_STATUS_NOTREADY 0x40
--static inline u16 i8254(void)
--{
-- u16 status, timer;
--
-- do {
-- outb(I8254_PORT_CONTROL,
-- I8254_CMD_READBACK | I8254_SELECT_COUNTER0);
-- status = inb(I8254_PORT_COUNTER0);
-- timer = inb(I8254_PORT_COUNTER0);
-- timer |= inb(I8254_PORT_COUNTER0) << 8;
-- } while (status & I8254_STATUS_NOTREADY);
--
-- return timer;
--}
-+#include "random.c"
-
- unsigned long kaslr_get_random_long(const char *purpose)
- {
--#ifdef CONFIG_X86_64
-- const unsigned long mix_const = 0x5d6008cbf3848dd3UL;
--#else
-- const unsigned long mix_const = 0x3f39e593UL;
--#endif
-- unsigned long raw, random = get_boot_seed();
-- bool use_i8254 = true;
--
-- debug_putstr(purpose);
- debug_putstr(" KASLR using");
--
-- if (has_cpuflag(X86_FEATURE_RDRAND)) {
-- debug_putstr(" RDRAND");
-- if (rdrand_long(&raw)) {
-- random ^= raw;
-- use_i8254 = false;
-- }
-- }
--
-- if (has_cpuflag(X86_FEATURE_TSC)) {
-- debug_putstr(" RDTSC");
-- raw = rdtsc();
--
-- random ^= raw;
-- use_i8254 = false;
-- }
--
-- if (use_i8254) {
-- debug_putstr(" i8254");
-- random ^= i8254();
-- }
--
-- /* Circular multiply for better bit diffusion */
-- asm(_ASM_MUL "%3"
-- : "=a" (random), "=d" (raw)
-- : "a" (random), "rm" (mix_const));
-- random += raw;
--
-- debug_putstr("...\n");
--
-- return random;
-+ return get_random_long(purpose);
- }
 --- /dev/null
 +++ b/arch/x86/lib/random.c
 @@ -0,0 +1,66 @@
@@ -195,8 +122,8 @@ Signed-off-by: Lee, Chun-Yi
 + u16 status, timer;
 +
 + do {
-+ outb(I8254_PORT_CONTROL,
-+ I8254_CMD_READBACK | I8254_SELECT_COUNTER0);
++ outb(I8254_CMD_READBACK | I8254_SELECT_COUNTER0,
++ I8254_PORT_CONTROL);
 + status = inb(I8254_PORT_COUNTER0);
 + timer = inb(I8254_PORT_COUNTER0);
 + timer |= inb(I8254_PORT_COUNTER0) << 8;
diff --git a/series.conf b/series.conf
index af51b7f..47107c9 100644
--- a/series.conf
+++ b/series.conf
@@ -42711,6 +42711,7 @@
 patches.drm/0001-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch
 patches.fixes/x86-mm-Fix-decoy-address-handling-vs-32-bit-builds.patch
 patches.arch/x86-fsgsbase-64-fix-the-base-write-helper-functions.patch
+ patches.arch/x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch
 patches.suse/tcp-fix-a-race-in-inet_diag_dump_icsk.patch
 patches.suse/packet-validate-address-length.patch
 patches.drivers/Prevent-overflow-of-sk_msg-in-sk_msg_clone.patch
@@ -42935,6 +42936,7 @@
 patches.arch/x86-amd_nb-add-support-for-newer-pci-topologies.patch
 patches.arch/x86-amd_nb-add-pci-device-ids-for-family-17h-model-30h.patch
 patches.drivers/hwmon-k10temp-add-support-for-amd-family-17h-model-30h-cpus.patch
+ patches.arch/x86-vdso-remove-obsolete-fake-section-table-reservation.patch
 patches.arch/x86-mm-drop-usage-of-_flush_tlb_all-in-kernel_physical_mapping_init.patch
 patches.arch/powerpc-xmon-Fix-invocation-inside-lock-region.patch
 patches.arch/powerpc-fadump-Reservationless-firmware-assisted-dum.patch
@@ -43893,6 +43895,7 @@
 patches.fixes/0001-sched-wake_q-Fix-wakeup-ordering-for-wake_q.patch
 patches.fixes/0001-futex-Fix-possible-missed-wakeup.patch
 patches.fixes/0001-locking-rwsem-Fix-possible-missed-wakeup.patch
+ patches.arch/x86-kaslr-fix-incorrect-i8254-outb-parameters.patch
 patches.fixes/netrom-switch-to-sock-timer-API.patch
 patches.suse/net-rose-fix-NULL-ax25_cb-kernel-panic.patch
 patches.drivers/Revert-net-mlx5e-E-Switch-Initialize-eswitch-only-if.patch
@@ -44058,6 +44061,7 @@
 patches.drivers/Input-elan_i2c-add-ACPI-ID-for-touchpad-in-Lenovo-V3.patch
 patches.drivers/i2c-cadence-Fix-the-hold-bit-setting.patch
 patches.drivers/i2c-bcm2835-Clear-current-buffer-pointers-and-counts.patch
+ patches.arch/x86-a-out-clear-the-dump-structure-initially.patch
 patches.arch/x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls
 patches.fixes/mailbox-bcm-flexrm-mailbox-Fix-FlexRM-ring-flush-tim.patch
 patches.fixes/mac80211-Free-mpath-object-when-rhashtable-insertion.patch