March 2022 - Linux-stable-mirror

[PATCH v2] carl9170: tx: fix an incorrect use of list iterator

by Xiaomeng Tong

If the previous list_for_each_entry_continue_rcu() don't exit early (no goto hit inside the loop), the iterator 'cvif' after the loop will be a bogus pointer to an invalid structure object containing the HEAD (&ar->vif_list). As a result, the use of 'cvif' after that will lead to a invalid memory access (i.e., 'cvif->id': the invalid pointer dereference when return back to/after the callsite in the carl9170_update_beacon()). The original intention should have been to return the valid 'cvif' when found in list, NULL otherwise. So just return NULL when no entry found, to fix this bug. Cc: stable(a)vger.kernel.org Fixes: 1f1d9654e183c ("carl9170: refactor carl9170_update_beacon") Signed-off-by: Xiaomeng Tong <xiam0nd.tong(a)gmail.com> --- drivers/net/wireless/ath/carl9170/tx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/ath/carl9170/tx.c index 1b76f4434c06..791f9f120af3 100644 --- a/drivers/net/wireless/ath/carl9170/tx.c +++ b/drivers/net/wireless/ath/carl9170/tx.c @@ -1558,6 +1558,9 @@ static struct carl9170_vif_info *carl9170_pick_beaconing_vif(struct ar9170 *ar) goto out; } } while (ar->beacon_enabled && i--); + + /* no entry found in list */ + return NULL; } out: -- 2.17.1

2 years, 9 months

1
0
0 0

[PATCH v3] char: tty3270: fix a missing check on list iterator

by Xiaomeng Tong

The bug is here: if (s->len != flen) { The list iterator 's' will point to a bogus position containing HEAD if the list is empty or no element is found. This case must be checked before any use of the iterator, otherwise it may bypass the 'if (s->len != flen) {' in theory if s->len's value is flen, or/and lead to an invalid memory access lately. To fix this bug, use a new variable 'iter' as the list iterator, while using the origin variable 's' as a dedicated pointer to point to the found element. And if the list is empty or no element is found, WARN_ON and return. Cc: stable(a)vger.kernel.org Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Xiaomeng Tong <xiam0nd.tong(a)gmail.com> --- changes since v2: - WARN_ON and return (Sven Schnelle) changes since v1: - reallocate s when s == NULL (Sven Schnelle) v1:https://lore.kernel.org/lkml/20220327064931.7775-1-xiam0nd.tong@gmail.co… v2:https://lore.kernel.org/lkml/20220328070543.24671-1-xiam0nd.tong@gmail.c… --- drivers/s390/char/tty3270.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c index 5c83f71c1d0e..9d0952178322 100644 --- a/drivers/s390/char/tty3270.c +++ b/drivers/s390/char/tty3270.c @@ -1109,9 +1109,9 @@ static void tty3270_put_character(struct tty3270 *tp, char ch) static void tty3270_convert_line(struct tty3270 *tp, int line_nr) { + struct string *s = NULL, *n, *iter; struct tty3270_line *line; struct tty3270_cell *cell; - struct string *s, *n; unsigned char highlight; unsigned char f_color; char *cp; @@ -1142,9 +1142,14 @@ tty3270_convert_line(struct tty3270 *tp, int line_nr) /* Find the line in the list. */ i = tp->view.rows - 2 - line_nr; - list_for_each_entry_reverse(s, &tp->lines, list) - if (--i <= 0) + list_for_each_entry_reverse(iter, &tp->lines, list) + if (--i <= 0) { + s = iter; break; + } + + if(WARN_ON(!s)) + return; /* * Check if the line needs to get reallocated. */ -- 2.17.1

2 years, 9 months

1
0
0 0

[PATCH AUTOSEL 4.19 01/12] selinux: use correct type for context length

by Sasha Levin

From: Christian Göttsche <cgzones(a)googlemail.com> [ Upstream commit b97df7c098c531010e445da88d02b7bf7bf59ef6 ] security_sid_to_context() expects a pointer to an u32 as the address where to store the length of the computed context. Reported by sparse: security/selinux/xfrm.c:359:39: warning: incorrect type in arg 4 (different signedness) security/selinux/xfrm.c:359:39: expected unsigned int [usertype] *scontext_len security/selinux/xfrm.c:359:39: got int * Signed-off-by: Christian Göttsche <cgzones(a)googlemail.com> [PM: wrapped commit description] Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- security/selinux/xfrm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 91dc3783ed94..9e803d2a687a 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -349,7 +349,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, int rc; struct xfrm_sec_ctx *ctx; char *ctx_str = NULL; - int str_len; + u32 str_len; if (!polsec) return 0; -- 2.34.1

2 years, 9 months

2
12
0 0

[PATCH] damon: vaddr-test: fix a missing check on list iterator

by Xiaomeng Tong

The bug is here: KUNIT_EXPECT_EQ(test, r->ar.start, start + i * expected_width); KUNIT_EXPECT_EQ(test, r->ar.end, end); For the damon_for_each_region(), just like list_for_each_entry(), the list iterator 'drm_crtc' will point to a bogus position containing HEAD if the list is empty or no element is found. This case must be checked before any use of the iterator, otherwise it will lead to a invalid memory access. To fix this bug, just mov two KUNIT_EXPECT_EQ() into the loop when found. Cc: stable(a)vger.kernel.org Fixes: 044cd9750fe01 ("mm/damon/vaddr-test: split a test function having >1024 bytes frame size") Signed-off-by: Xiaomeng Tong <xiam0nd.tong(a)gmail.com> --- mm/damon/vaddr-test.h | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/mm/damon/vaddr-test.h b/mm/damon/vaddr-test.h index 6a1b9272ea12..98b7a9f54b35 100644 --- a/mm/damon/vaddr-test.h +++ b/mm/damon/vaddr-test.h @@ -281,14 +281,16 @@ static void damon_test_split_evenly_succ(struct kunit *test, KUNIT_EXPECT_EQ(test, damon_nr_regions(t), nr_pieces); damon_for_each_region(r, t) { - if (i == nr_pieces - 1) + if (i == nr_pieces - 1) { + KUNIT_EXPECT_EQ(test, + r->ar.start, start + i * expected_width); + KUNIT_EXPECT_EQ(test, r->ar.end, end); break; + } KUNIT_EXPECT_EQ(test, r->ar.start, start + i++ * expected_width); KUNIT_EXPECT_EQ(test, r->ar.end, start + i * expected_width); } - KUNIT_EXPECT_EQ(test, r->ar.start, start + i * expected_width); - KUNIT_EXPECT_EQ(test, r->ar.end, end); damon_free_target(t); } -- 2.17.1

2 years, 9 months

2
2
0 0

[PATCH AUTOSEL 4.9 1/8] selinux: use correct type for context length

by Sasha Levin

From: Christian Göttsche <cgzones(a)googlemail.com> [ Upstream commit b97df7c098c531010e445da88d02b7bf7bf59ef6 ] security_sid_to_context() expects a pointer to an u32 as the address where to store the length of the computed context. Reported by sparse: security/selinux/xfrm.c:359:39: warning: incorrect type in arg 4 (different signedness) security/selinux/xfrm.c:359:39: expected unsigned int [usertype] *scontext_len security/selinux/xfrm.c:359:39: got int * Signed-off-by: Christian Göttsche <cgzones(a)googlemail.com> [PM: wrapped commit description] Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- security/selinux/xfrm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 56e354fcdfc6..5304dd49e054 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -344,7 +344,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, int rc; struct xfrm_sec_ctx *ctx; char *ctx_str = NULL; - int str_len; + u32 str_len; if (!polsec) return 0; -- 2.34.1

2 years, 9 months

1
7
0 0

[PATCH AUTOSEL 4.14 1/8] selinux: use correct type for context length

by Sasha Levin

From: Christian Göttsche <cgzones(a)googlemail.com> [ Upstream commit b97df7c098c531010e445da88d02b7bf7bf59ef6 ] security_sid_to_context() expects a pointer to an u32 as the address where to store the length of the computed context. Reported by sparse: security/selinux/xfrm.c:359:39: warning: incorrect type in arg 4 (different signedness) security/selinux/xfrm.c:359:39: expected unsigned int [usertype] *scontext_len security/selinux/xfrm.c:359:39: got int * Signed-off-by: Christian Göttsche <cgzones(a)googlemail.com> [PM: wrapped commit description] Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- security/selinux/xfrm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 56e354fcdfc6..5304dd49e054 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -344,7 +344,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, int rc; struct xfrm_sec_ctx *ctx; char *ctx_str = NULL; - int str_len; + u32 str_len; if (!polsec) return 0; -- 2.34.1

2 years, 9 months

1
7
0 0

[PATCH AUTOSEL 5.4 01/16] LSM: general protection fault in legacy_parse_param

by Sasha Levin

From: Casey Schaufler <casey(a)schaufler-ca.com> [ Upstream commit ecff30575b5ad0eda149aadad247b7f75411fd47 ] The usual LSM hook "bail on fail" scheme doesn't work for cases where a security module may return an error code indicating that it does not recognize an input. In this particular case Smack sees a mount option that it recognizes, and returns 0. A call to a BPF hook follows, which returns -ENOPARAM, which confuses the caller because Smack has processed its data. The SELinux hook incorrectly returns 1 on success. There was a time when this was correct, however the current expectation is that it return 0 on success. This is repaired. Reported-by: syzbot+d1e3b1d92d25abf97943(a)syzkaller.appspotmail.com Signed-off-by: Casey Schaufler <casey(a)schaufler-ca.com> Acked-by: James Morris <jamorris(a)linux.microsoft.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- security/security.c | 17 +++++++++++++++-- security/selinux/hooks.c | 5 ++--- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/security/security.c b/security/security.c index c34ec4c7d98c..f633717311a3 100644 --- a/security/security.c +++ b/security/security.c @@ -802,9 +802,22 @@ int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) return call_int_hook(fs_context_dup, 0, fc, src_fc); } -int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param) +int security_fs_context_parse_param(struct fs_context *fc, + struct fs_parameter *param) { - return call_int_hook(fs_context_parse_param, -ENOPARAM, fc, param); + struct security_hook_list *hp; + int trc; + int rc = -ENOPARAM; + + hlist_for_each_entry(hp, &security_hook_heads.fs_context_parse_param, + list) { + trc = hp->hook.fs_context_parse_param(fc, param); + if (trc == 0) + rc = 0; + else if (trc != -ENOPARAM) + return trc; + } + return rc; } int security_sb_alloc(struct super_block *sb) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 56418cf72069..d9f15c84aab7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2855,10 +2855,9 @@ static int selinux_fs_context_parse_param(struct fs_context *fc, return opt; rc = selinux_add_opt(opt, param->string, &fc->security); - if (!rc) { + if (!rc) param->string = NULL; - rc = 1; - } + return rc; } -- 2.34.1

2 years, 9 months

1
15
0 0

[PATCH AUTOSEL 5.10 01/21] LSM: general protection fault in legacy_parse_param

by Sasha Levin

From: Casey Schaufler <casey(a)schaufler-ca.com> [ Upstream commit ecff30575b5ad0eda149aadad247b7f75411fd47 ] The usual LSM hook "bail on fail" scheme doesn't work for cases where a security module may return an error code indicating that it does not recognize an input. In this particular case Smack sees a mount option that it recognizes, and returns 0. A call to a BPF hook follows, which returns -ENOPARAM, which confuses the caller because Smack has processed its data. The SELinux hook incorrectly returns 1 on success. There was a time when this was correct, however the current expectation is that it return 0 on success. This is repaired. Reported-by: syzbot+d1e3b1d92d25abf97943(a)syzkaller.appspotmail.com Signed-off-by: Casey Schaufler <casey(a)schaufler-ca.com> Acked-by: James Morris <jamorris(a)linux.microsoft.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- security/security.c | 17 +++++++++++++++-- security/selinux/hooks.c | 5 ++--- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/security/security.c b/security/security.c index a864ff824dd3..d9d42d64f89f 100644 --- a/security/security.c +++ b/security/security.c @@ -860,9 +860,22 @@ int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) return call_int_hook(fs_context_dup, 0, fc, src_fc); } -int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param) +int security_fs_context_parse_param(struct fs_context *fc, + struct fs_parameter *param) { - return call_int_hook(fs_context_parse_param, -ENOPARAM, fc, param); + struct security_hook_list *hp; + int trc; + int rc = -ENOPARAM; + + hlist_for_each_entry(hp, &security_hook_heads.fs_context_parse_param, + list) { + trc = hp->hook.fs_context_parse_param(fc, param); + if (trc == 0) + rc = 0; + else if (trc != -ENOPARAM) + return trc; + } + return rc; } int security_sb_alloc(struct super_block *sb) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 86159b32921c..63e61f2f1ad6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2820,10 +2820,9 @@ static int selinux_fs_context_parse_param(struct fs_context *fc, return opt; rc = selinux_add_opt(opt, param->string, &fc->security); - if (!rc) { + if (!rc) param->string = NULL; - rc = 1; - } + return rc; } -- 2.34.1

2 years, 9 months

1
20
0 0

[PATCH AUTOSEL 5.15 01/29] LSM: general protection fault in legacy_parse_param

by Sasha Levin

From: Casey Schaufler <casey(a)schaufler-ca.com> [ Upstream commit ecff30575b5ad0eda149aadad247b7f75411fd47 ] The usual LSM hook "bail on fail" scheme doesn't work for cases where a security module may return an error code indicating that it does not recognize an input. In this particular case Smack sees a mount option that it recognizes, and returns 0. A call to a BPF hook follows, which returns -ENOPARAM, which confuses the caller because Smack has processed its data. The SELinux hook incorrectly returns 1 on success. There was a time when this was correct, however the current expectation is that it return 0 on success. This is repaired. Reported-by: syzbot+d1e3b1d92d25abf97943(a)syzkaller.appspotmail.com Signed-off-by: Casey Schaufler <casey(a)schaufler-ca.com> Acked-by: James Morris <jamorris(a)linux.microsoft.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- security/security.c | 17 +++++++++++++++-- security/selinux/hooks.c | 5 ++--- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/security/security.c b/security/security.c index 67264cb08fb3..da631339e969 100644 --- a/security/security.c +++ b/security/security.c @@ -884,9 +884,22 @@ int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) return call_int_hook(fs_context_dup, 0, fc, src_fc); } -int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param) +int security_fs_context_parse_param(struct fs_context *fc, + struct fs_parameter *param) { - return call_int_hook(fs_context_parse_param, -ENOPARAM, fc, param); + struct security_hook_list *hp; + int trc; + int rc = -ENOPARAM; + + hlist_for_each_entry(hp, &security_hook_heads.fs_context_parse_param, + list) { + trc = hp->hook.fs_context_parse_param(fc, param); + if (trc == 0) + rc = 0; + else if (trc != -ENOPARAM) + return trc; + } + return rc; } int security_sb_alloc(struct super_block *sb) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index baa12d1007c7..cb938890f40b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2908,10 +2908,9 @@ static int selinux_fs_context_parse_param(struct fs_context *fc, return opt; rc = selinux_add_opt(opt, param->string, &fc->security); - if (!rc) { + if (!rc) param->string = NULL; - rc = 1; - } + return rc; } -- 2.34.1

2 years, 9 months

1
28
0 0

[PATCH AUTOSEL 5.16 01/35] LSM: general protection fault in legacy_parse_param

by Sasha Levin

From: Casey Schaufler <casey(a)schaufler-ca.com> [ Upstream commit ecff30575b5ad0eda149aadad247b7f75411fd47 ] The usual LSM hook "bail on fail" scheme doesn't work for cases where a security module may return an error code indicating that it does not recognize an input. In this particular case Smack sees a mount option that it recognizes, and returns 0. A call to a BPF hook follows, which returns -ENOPARAM, which confuses the caller because Smack has processed its data. The SELinux hook incorrectly returns 1 on success. There was a time when this was correct, however the current expectation is that it return 0 on success. This is repaired. Reported-by: syzbot+d1e3b1d92d25abf97943(a)syzkaller.appspotmail.com Signed-off-by: Casey Schaufler <casey(a)schaufler-ca.com> Acked-by: James Morris <jamorris(a)linux.microsoft.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- security/security.c | 17 +++++++++++++++-- security/selinux/hooks.c | 5 ++--- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/security/security.c b/security/security.c index 64abdfb20bc2..8a1b26be08dd 100644 --- a/security/security.c +++ b/security/security.c @@ -884,9 +884,22 @@ int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) return call_int_hook(fs_context_dup, 0, fc, src_fc); } -int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param) +int security_fs_context_parse_param(struct fs_context *fc, + struct fs_parameter *param) { - return call_int_hook(fs_context_parse_param, -ENOPARAM, fc, param); + struct security_hook_list *hp; + int trc; + int rc = -ENOPARAM; + + hlist_for_each_entry(hp, &security_hook_heads.fs_context_parse_param, + list) { + trc = hp->hook.fs_context_parse_param(fc, param); + if (trc == 0) + rc = 0; + else if (trc != -ENOPARAM) + return trc; + } + return rc; } int security_sb_alloc(struct super_block *sb) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 49b4f59db35e..d582479dfd62 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2909,10 +2909,9 @@ static int selinux_fs_context_parse_param(struct fs_context *fc, return opt; rc = selinux_add_opt(opt, param->string, &fc->security); - if (!rc) { + if (!rc) param->string = NULL; - rc = 1; - } + return rc; } -- 2.34.1

2 years, 9 months

1
34
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2022