diff --git a/patches.suse/nfs-Fix-security-label-length-not-being-reset.patch b/patches.suse/nfs-Fix-security-label-length-not-being-reset.patch
new file mode 100644
index 0000000..9b5420a
--- /dev/null
+++ b/patches.suse/nfs-Fix-security-label-length-not-being-reset.patch
@@ -0,0 +1,44 @@
+From: Jeffrey Mitchell
+Date: Tue, 15 Sep 2020 16:42:52 -0500
+Subject: [PATCH] nfs: Fix security label length not being reset
+Git-commit: d33030e2ee3508d65db5644551435310df86010e
+Patch-mainline: v5.9
+References: bsc#1176381 CVE-2020-2521
+
+nfs_readdir_page_filler() iterates over entries in a directory, reusing
+the same security label buffer, but does not reset the buffer's length.
+This causes decode_attr_security_label() to return -ERANGE if an entry's
+security label is longer than the previous one's. This error, in
+nfs4_decode_dirent(), only gets passed up as -EAGAIN, which causes another
+failed attempt to copy into the buffer. The second error is ignored and
+the remaining entries do not show up in ls, specifically the getdents64()
+syscall.
+
+Reproduce by creating multiple files in NFS and giving one of the later
+files a longer security label. ls will not see that file nor any that are
+added afterwards, though they will exist on the backend.
+
+In nfs_readdir_page_filler(), reset security label buffer length before
+every reuse
+
+Signed-off-by: Jeffrey Mitchell
+Fixes: b4487b935452 ("nfs: Fix getxattr kernel panic and memory overflow")
+Signed-off-by: Trond Myklebust
+Acked-by: NeilBrown
+
+---
+ fs/nfs/dir.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -548,6 +548,9 @@ int nfs_readdir_page_filler(nfs_readdir_
+ xdr_set_scratch_buffer(&stream, page_address(scratch), PAGE_SIZE);
+
+ do {
++ if (entry->label)
++ entry->label->len = NFS4_MAXLABELLEN;
++
+ status = xdr_decode(desc, entry, &stream);
+ if (status != 0) {
+ if (status == -EAGAIN)
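Review bot: The backported reset `entry->label->len = NFS4_MAXLABELLEN;` is only correct if the label buffer reused across the do/while iterations was allocated with at least NFS4_MAXLABELLEN bytes; that allocation is outside the hunk (nfs_readdir_page_filler() begins before it), so the SLE tree should be checked to confirm the buffer size matches the upstream one, since a len larger than the real allocation would let decode_attr_security_label() copy past it instead of returning -ERANGE. The References trailer also deserves a second look: `CVE-2020-2521` may be a truncated identifier, and downstream CVE tracking keys off that line, so it should be confirmed against bsc#1176381 before this lands. A one-line comment above the reset, e.g. `/* len is consumed by each decode; restore the buffer capacity before reuse */`, would make the intent visible to the next reader of dir.c.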
diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in
index 68dac04..d33d8be 100644
--- a/rpm/kernel-binary.spec.in
+++ b/rpm/kernel-binary.spec.in
@@ -824,7 +824,7 @@ if [ %CONFIG_MODULES = y ]; then
 fi
 done
- tar -cf - -T %my_builddir/obj-files | \
+ tar --exclude=\*.ipa-clones -cf - -T %my_builddir/obj-files | \
 tar -xf - -C %rpm_install_dir/%cpu_arch_flavor
 # bnc#507084
 find %rpm_install_dir/%cpu_arch_flavor/scripts -type f -perm -111 | \
@@ -874,6 +874,9 @@ for file in %buildroot/boot/symtypes* %buildroot/lib/modules/*/{build,source}; d
 f=${file##%buildroot}
 echo "$f"
 done | add_dirs_to_filelist >%my_builddir/kernel-devel.files
+( cd %buildroot ; find .%obj_install_dir/%cpu_arch_flavor -type f ; ) | \
+sed -e 's/^[.]//' | grep -v -e '[.]ipa-clones$' -e '/Symbols[.]list$' -e '/ipa-clones[.]list$'| \
+add_dirs_to_filelist >> %my_builddir/kernel-devel.files
 {
 cd %buildroot
 for f in boot/*; do
@@ -1088,13 +1091,9 @@ kernel module packages) against the %build_flavor flavor of the kernel.
 %files devel -f kernel-devel.files
 %defattr(-,root,root)
-%dir %obj_install_dir
-%dir %obj_install_dir/%cpu_arch
 %dir /usr/src/linux-obj
 %dir /usr/src/linux-obj/%cpu_arch
 %ghost /usr/src/linux-obj/%cpu_arch_flavor
-%obj_install_dir/%cpu_arch_flavor
-%exclude %obj_install_dir/%cpu_arch_flavor/Symbols.list
 %if %kmp_target_cpu != %cpu_arch
 %obj_install_dir/%kmp_target_cpu
 /usr/src/linux-obj/%kmp_target_cpu
diff --git a/series.conf b/series.conf
index 6a8f937..1e10ece 100644
--- a/series.conf
+++ b/series.conf
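Review bot: The new file-list pipeline in the second hunk cannot fail loudly: if `find` cannot open `.%obj_install_dir/%cpu_arch_flavor`, or `grep -v` drops every line (it then exits 1), the pipeline's exit status is that of `add_dirs_to_filelist`, so kernel-devel.files is appended with nothing and the devel package is built without its object tree instead of the build stopping. Whether this part of the spec runs under `set -e` or `set -o pipefail` is outside the hunk; if it does not, a guard such as `test -d %buildroot%obj_install_dir/%cpu_arch_flavor || exit 1` before the pipeline, or `set -o pipefail` for this block, would make the failure visible. The three exclusion patterns on the `grep -v` line and the `--exclude=\*.ipa-clones` on the tar copy in the first hunk now have to be kept in step by hand; a short comment above the pipeline stating why `.ipa-clones`, `Symbols.list` and `ipa-clones.list` are filtered from the file list would help the next editor do that.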
@@ -56093,6 +56093,7 @@
 patches.suse/drm-sun4i-sun8i-csc-Secondary-CSC-register-correctio.patch
 patches.suse/kvm-svm-add-a-dedicated-invd-intercept-routine.patch
 patches.suse/clocksource-drivers-h8300_timer8-Fix-wrong-return-va.patch
+ patches.suse/nfs-Fix-security-label-length-not-being-reset.patch
 patches.suse/clk-samsung-exynos4-mark-chipid-clock-as-CLK_IGNORE_.patch
 patches.suse/ftrace-move-rcu-is-watching-check-after-recursion-check.patch
 patches.suse/iommu-exynos-add-missing-put_device-call-in-exynos_iommu_of_xlate