The patch below does not apply to the 4.14-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From dcd46d897adb70d63e025f175a00a89797d31a43 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook(a)chromium.org>
Date: Mon, 31 Jan 2022 16:09:47 -0800
Subject: [PATCH] exec: Force single empty string when argv is empty
Quoting[1] Ariadne Conill:
"In several other operating systems, it is a hard requirement that the
second argument to execve(2) be the name of a program, thus prohibiting
a scenario where argc < 1. POSIX 2017 also recommends this behaviour,
but it is not an explicit requirement[2]:
The argument arg0 should point to a filename string that is
associated with the process being started by one of the exec
functions.
...
Interestingly, Michael Kerrisk opened an issue about this in 2008[3],
but there was no consensus to support fixing this issue then.
Hopefully now that CVE-2021-4034 shows practical exploitative use[4]
of this bug in a shellcode, we can reconsider.
This issue is being tracked in the KSPP issue tracker[5]."
While the initial code searches[6][7] turned up what appeared to be
mostly corner case tests, trying to just reject argv == NULL
(or an immediately terminated pointer list) quickly started tripping[8]
existing userspace programs.
The next best approach is forcing a single empty string into argv and
adjusting argc to match. The number of programs depending on argc == 0
seems a smaller set than those calling execve with a NULL argv.
Account for the additional stack space in bprm_stack_limits(). Inject an
empty string when argc == 0 (and set argc = 1). Warn about the case so
userspace has some notice about the change:
process './argc0' launched './argc0' with NULL argv: empty string added
Additionally WARN() and reject NULL argv usage for kernel threads.
[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.or…
[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408
[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
[5] https://github.com/KSPP/linux/issues/176
[6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+…
[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%…
[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/
Reported-by: Ariadne Conill <ariadne(a)dereferenced.org>
Reported-by: Michael Kerrisk <mtk.manpages(a)gmail.com>
Cc: Matthew Wilcox <willy(a)infradead.org>
Cc: Christian Brauner <brauner(a)kernel.org>
Cc: Rich Felker <dalias(a)libc.org>
Cc: Eric Biederman <ebiederm(a)xmission.com>
Cc: Alexander Viro <viro(a)zeniv.linux.org.uk>
Cc: linux-fsdevel(a)vger.kernel.org
Cc: stable(a)vger.kernel.org
Signed-off-by: Kees Cook <keescook(a)chromium.org>
Acked-by: Christian Brauner <brauner(a)kernel.org>
Acked-by: Ariadne Conill <ariadne(a)dereferenced.org>
Acked-by: Andy Lutomirski <luto(a)kernel.org>
Link: https://lore.kernel.org/r/20220201000947.2453721-1-keescook@chromium.org
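Added example, not part of the patch or of the kernel source: a small user-space C model of the argv/envp pointer block a new process receives and of the empty-string injection the patch performs when argc == 0, showing why a program that starts option processing at argv[1] lands on envp[0] without the fix, beside the argc check such a program should do anyway. The names (proc_args, build_proc_args, the reader functions) and the sample environment are hypothetical constructions for this illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PTRS 32

/* Constructed model of the pointer block main() sees on the exec stack:
 * argv[0..argc-1], NULL terminator, envp[...], NULL terminator. */
struct proc_args {
    int argc;
    const char *ptrs[MAX_PTRS];
};

/* Build the block. argv may be NULL or an immediately terminated list;
 * envp must be NULL-terminated. inject_empty mirrors the patch: when
 * argc == 0, argv[0] becomes "" and argc is reported as 1. Returns argc,
 * or -1 if the block would overflow (stands in for the kernel's -E2BIG). */
static int build_proc_args(struct proc_args *pa, const char *const *argv,
                           const char *const *envp, int inject_empty)
{
    int argc = 0, envc = 0, n = 0;

    if (argv)
        while (argv[argc])
            argc++;
    while (envp[envc])
        envc++;

    /* like max(bprm->argc, 1): reserve the slot for the injected argv[0] */
    if ((inject_empty && argc < 1 ? 1 : argc) + envc + 2 > MAX_PTRS)
        return -1;

    if (argc == 0 && inject_empty) {
        pa->ptrs[n++] = "";
        argc = 1;
    } else {
        for (int i = 0; i < argc; i++)
            pa->ptrs[n++] = argv[i];
    }
    pa->ptrs[n++] = NULL;
    for (int i = 0; i < envc; i++)
        pa->ptrs[n++] = envp[i];
    pa->ptrs[n++] = NULL;
    pa->argc = argc;
    return argc;
}

/* The "confused" pattern the patch comment describes: option processing
 * starts at argv[1] on the assumption that argc can never be 0. */
static const char *first_option_unchecked(const struct proc_args *pa)
{
    return pa->ptrs[1];
}

/* Defensive user-space pattern: never index argv[] past argc. */
static const char *first_option_checked(const struct proc_args *pa)
{
    return pa->argc >= 2 ? pa->ptrs[1] : NULL;
}

/* Constructed sample environment for a process launched with argv == NULL. */
static const char *const sample_envp[] = { "PATH=/usr/bin", "HOME=/tmp", NULL };

/* 1 if the unchecked reader ends up holding envp[0], 0 if it sees NULL. */
static int unchecked_reader_walks_envp(int inject_empty)
{
    struct proc_args pa;

    if (build_proc_args(&pa, NULL, sample_envp, inject_empty) < 0)
        return -1;
    return first_option_unchecked(&pa) == sample_envp[0] ? 1 : 0;
}

/* 1 if the checked reader correctly reports "no options". */
static int checked_reader_is_safe(int inject_empty)
{
    struct proc_args pa;

    if (build_proc_args(&pa, NULL, sample_envp, inject_empty) < 0)
        return -1;
    return first_option_checked(&pa) == NULL;
}

/* argc as main() would receive it for the same launch. */
static int argc_seen(int inject_empty)
{
    struct proc_args pa;
    return build_proc_args(&pa, NULL, sample_envp, inject_empty);
}

int main(void)
{
    printf("unpatched: argc=%d, unchecked reader sees envp[0]? %d\n",
           argc_seen(0), unchecked_reader_walks_envp(0));
    printf("patched:   argc=%d, unchecked reader sees envp[0]? %d\n",
           argc_seen(1), unchecked_reader_walks_envp(1));
    printf("checked reader safe on both: %d %d\n",
           checked_reader_is_safe(0), checked_reader_is_safe(1));
    return 0;
}
```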
diff --git a/fs/exec.c b/fs/exec.c
index 79f2c9483302..40b1008fb0f7 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -495,8 +495,14 @@ static int bprm_stack_limits(struct linux_binprm *bprm)
* the stack. They aren't stored until much later when we can't
* signal to the parent that the child has run out of stack space.
* Instead, calculate it here so it's possible to fail gracefully.
+ *
+ * In the case of argc = 0, make sure there is space for adding a
+ * empty string (which will bump argc to 1), to ensure confused
+ * userspace programs don't start processing from argv[1], thinking
+ * argc can never be 0, to keep them from walking envp by accident.
+ * See do_execveat_common().
*/
- ptr_size = (bprm->argc + bprm->envc) * sizeof(void *);
+ ptr_size = (max(bprm->argc, 1) + bprm->envc) * sizeof(void *);
if (limit <= ptr_size)
return -E2BIG;
limit -= ptr_size;
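Review bot: the new comment text in this hunk reads "adding a empty string"; it should be "an empty string". Note also that max(bprm->argc, 1) only reserves the extra pointer slot for the injected argv[0]; the string's own NUL byte is charged later, when do_execveat_common() calls copy_string_kernel("", bprm) and checks its return with goto out_free, so the accounting is deliberately split across two places and the "See do_execveat_common()" cross-reference is worth keeping in sync if either side moves.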
@@ -1897,6 +1903,9 @@ static int do_execveat_common(int fd, struct filename *filename,
}
retval = count(argv, MAX_ARG_STRINGS);
+ if (retval == 0)
+ pr_warn_once("process '%s' launched '%s' with NULL argv: empty string added\n",
+ current->comm, bprm->filename);
if (retval < 0)
goto out_free;
bprm->argc = retval;
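Review bot: the message text says "with NULL argv", but count() also returns 0 for a non-NULL argv whose first entry is NULL (the "immediately terminated pointer list" the commit message mentions), so "empty argv" would describe both cases. Because this is pr_warn_once(), only the first offending exec after boot is logged; anyone using this line for detection should not expect one message per occurrence. Placing the check before the retval < 0 test is correct, since 0 is not an error return from count().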
@@ -1923,6 +1932,19 @@ static int do_execveat_common(int fd, struct filename *filename,
if (retval < 0)
goto out_free;
+ /*
+ * When argv is empty, add an empty string ("") as argv[0] to
+ * ensure confused userspace programs that start processing
+ * from argv[1] won't end up walking envp. See also
+ * bprm_stack_limits().
+ */
+ if (bprm->argc == 0) {
+ retval = copy_string_kernel("", bprm);
+ if (retval < 0)
+ goto out_free;
+ bprm->argc = 1;
+ }
+
retval = bprm_execve(bprm, fd, filename, flags);
out_free:
free_bprm(bprm);
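Review bot: the comment explains what is injected but not where in the copy sequence this block must sit: "" only ends up in the argv[0] position if it is copied after the other argv strings, so a sentence about that ordering would guard against a later reordering of the copy calls. The user-visible change (argc is now at least 1 for execve from userspace, with argv[0] == "" when the caller passed none) should also be reflected in the execve(2) man page; the manpages maintainer is already on the Reported-by list.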
@@ -1951,6 +1973,8 @@ int kernel_execve(const char *kernel_filename,
}
retval = count_strings_kernel(argv);
+ if (WARN_ON_ONCE(retval == 0))
+ retval = -EINVAL;
if (retval < 0)
goto out_free;
bprm->argc = retval;
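Review bot: the commit message says "WARN() and reject NULL argv usage for kernel threads", but the code uses WARN_ON_ONCE(), so only the first in-kernel caller with an empty argv is reported; either the message or the macro should be aligned. Rejecting with -EINVAL rather than injecting "" is reasonable here, since in-tree callers can simply be fixed, unlike the userspace programs the rest of the patch accommodates.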
The patch below does not apply to the 4.19-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
The patch below does not apply to the 5.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
This is the start of the stable review cycle for the 5.10.119 release.
There are 163 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sun, 29 May 2022 08:46:26 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.119-r…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.10.119-rc1
Edward Matijevic <motolav(a)gmail.com>
ALSA: ctxfi: Add SB046x PCI ID
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: check for signals after page of pool writes
Jens Axboe <axboe(a)kernel.dk>
random: wire up fops->splice_{read,write}_iter()
Jens Axboe <axboe(a)kernel.dk>
random: convert to using fops->write_iter()
Jens Axboe <axboe(a)kernel.dk>
random: convert to using fops->read_iter()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: unify batched entropy implementations
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: move randomize_page() into mm where it belongs
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: move initialization functions out of hot pages
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: make consistent use of buf and len
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use proper return types on get_random_{int,long}_wait()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: remove extern from functions in header
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use static branch for crng_ready()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: credit architectural init the exact amount
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: handle latent entropy and command line from random_init()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use proper jiffies comparison macro
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: remove ratelimiting for in-kernel unseeded randomness
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: move initialization out of reseeding hot path
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: avoid initializing twice in credit race
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use symbolic constants for crng_init states
Jason A. Donenfeld <Jason(a)zx2c4.com>
siphash: use one source of truth for siphash permutations
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: help compiler out with fast_mix() by using simpler arguments
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: do not use input pool from hard IRQs
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: order timer entropy functions below interrupt functions
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: do not pretend to handle premature next security model
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use first 128 bits of input as fast init
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: do not use batches when !crng_ready()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: insist on random_get_entropy() existing in order to simplify
Jason A. Donenfeld <Jason(a)zx2c4.com>
xtensa: use fallback for random_get_entropy() instead of zero
Jason A. Donenfeld <Jason(a)zx2c4.com>
sparc: use fallback for random_get_entropy() instead of zero
Jason A. Donenfeld <Jason(a)zx2c4.com>
um: use fallback for random_get_entropy() instead of zero
Jason A. Donenfeld <Jason(a)zx2c4.com>
x86/tsc: Use fallback for random_get_entropy() instead of zero
Jason A. Donenfeld <Jason(a)zx2c4.com>
nios2: use fallback for random_get_entropy() instead of zero
Jason A. Donenfeld <Jason(a)zx2c4.com>
arm: use fallback for random_get_entropy() instead of zero
Jason A. Donenfeld <Jason(a)zx2c4.com>
mips: use fallback for random_get_entropy() instead of just c0 random
Jason A. Donenfeld <Jason(a)zx2c4.com>
riscv: use fallback for random_get_entropy() instead of zero
Jason A. Donenfeld <Jason(a)zx2c4.com>
m68k: use fallback for random_get_entropy() instead of zero
Jason A. Donenfeld <Jason(a)zx2c4.com>
timekeeping: Add raw clock fallback for random_get_entropy()
Jason A. Donenfeld <Jason(a)zx2c4.com>
powerpc: define get_cycles macro for arch-override
Jason A. Donenfeld <Jason(a)zx2c4.com>
alpha: define get_cycles macro for arch-override
Jason A. Donenfeld <Jason(a)zx2c4.com>
parisc: define get_cycles macro for arch-override
Jason A. Donenfeld <Jason(a)zx2c4.com>
s390: define get_cycles macro for arch-override
Jason A. Donenfeld <Jason(a)zx2c4.com>
ia64: define get_cycles macro for arch-override
Jason A. Donenfeld <Jason(a)zx2c4.com>
init: call time_init() before rand_initialize()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: fix sysctl documentation nits
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: document crng_fast_key_erasure() destination possibility
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: make random_get_entropy() return an unsigned long
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: allow partial reads if later user copies fail
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: check for signals every PAGE_SIZE chunk of /dev/[u]random
Jann Horn <jannh(a)google.com>
random: check for signal_pending() outside of need_resched() check
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: do not allow user to keep crng key around on stack
Jan Varho <jan.varho(a)gmail.com>
random: do not split fast init input in add_hwgenerator_randomness()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: mix build-time latent entropy into pool at init
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: re-add removed comment about get_random_{u32,u64} reseeding
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: treat bootloader trust toggle the same way as cpu trust toggle
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: skip fast_init if hwrng provides large chunk of entropy
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: check for signal and try earlier when generating entropy
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: reseed more often immediately after booting
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: make consistent usage of crng_ready()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use SipHash as interrupt entropy accumulator
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: replace custom notifier chain with standard one
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: don't let 644 read-only sysctls be written to
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: give sysctl_random_min_urandom_seed a more sensible value
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: do crng pre-init loading in worker rather than irq
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: unify cycles_t and jiffies usage and types
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: cleanup UUID handling
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: only wake up writers after zap if threshold was passed
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: round-robin registers as ulong, not u32
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: clear fast pool, crng, and batches in cpuhp bring up
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: pull add_hwgenerator_randomness() declaration into random.h
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: check for crng_init == 0 in add_device_randomness()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: unify early init crng load accounting
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: do not take pool spinlock at boot
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: defer fast pool mixing to worker
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: rewrite header introductory comment
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: group sysctl functions
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: group userspace read/write functions
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: group entropy collection functions
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: group entropy extraction functions
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: group crng functions
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: group initialization wait functions
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: remove whitespace and reorder includes
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: remove useless header comment
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: introduce drain_entropy() helper to declutter crng_reseed()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: deobfuscate irq u32/u64 contributions
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: add proper SPDX header
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: remove unused tracepoints
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: remove ifdef'd out interrupt bench
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: tie batched entropy generation to base_crng generation
Dominik Brodowski <linux(a)dominikbrodowski.net>
random: fix locking for crng_init in crng_reseed()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: zero buffer after reading entropy from userspace
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: remove outdated INT_MAX >> 6 check in urandom_read()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: make more consistent use of integer types
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use hash function for crng_slow_load()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use simpler fast key erasure flow on per-cpu keys
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: absorb fast pool into input pool after fast load
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: do not xor RDRAND when writing into /dev/random
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: ensure early RDSEED goes through mixer on init
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: inline leaves of rand_initialize()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: get rid of secondary crngs
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use RDSEED instead of RDRAND in entropy extraction
Dominik Brodowski <linux(a)dominikbrodowski.net>
random: fix locking in crng_fast_load()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: remove batched entropy locking
Eric Biggers <ebiggers(a)google.com>
random: remove use_input_pool parameter from crng_reseed()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: make credit_entropy_bits() always safe
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: always wake up entropy writers after extraction
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use linear min-entropy accumulation crediting
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: simplify entropy debiting
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use computational hash for entropy extraction
Dominik Brodowski <linux(a)dominikbrodowski.net>
random: only call crng_finalize_init() for primary_crng
Dominik Brodowski <linux(a)dominikbrodowski.net>
random: access primary_pool directly rather than through pointer
Dominik Brodowski <linux(a)dominikbrodowski.net>
random: continually use hwgenerator randomness
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: simplify arithmetic function flow in account()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: selectively clang-format where it makes sense
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: access input_pool_data directly rather than through pointer
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: cleanup fractional entropy shift constants
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: prepend remaining pool constants with POOL_
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: de-duplicate INPUT_POOL constants
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: remove unused OUTPUT_POOL constants
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: rather than entropy_store abstraction, use global
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: remove unused extract_entropy() reserved argument
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: remove incomplete last_data logic
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: cleanup integer types
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: cleanup poolinfo abstraction
Schspa Shi <schspa(a)gmail.com>
random: fix typo in comments
Jann Horn <jannh(a)google.com>
random: don't reset crng_init_cnt on urandom_read()
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: avoid superfluous call to RDRAND in CRNG extraction
Dominik Brodowski <linux(a)dominikbrodowski.net>
random: early initialization of ChaCha constants
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use IS_ENABLED(CONFIG_NUMA) instead of ifdefs
Dominik Brodowski <linux(a)dominikbrodowski.net>
random: harmonize "crng init done" messages
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: mix bootloader randomness into pool
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: do not re-init if crng_reseed completes before primary init
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: do not sign extend bytes for rotation when mixing
Jason A. Donenfeld <Jason(a)zx2c4.com>
random: use BLAKE2s instead of SHA1 in extraction
Sebastian Andrzej Siewior <bigeasy(a)linutronix.de>
random: remove unused irq_flags argument from add_interrupt_randomness()
Mark Brown <broonie(a)kernel.org>
random: document add_hwgenerator_randomness() with other input functions
Jason A. Donenfeld <Jason(a)zx2c4.com>
lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
Jason A. Donenfeld <Jason(a)zx2c4.com>
lib/crypto: sha1: re-roll loops to reduce code size
Jason A. Donenfeld <Jason(a)zx2c4.com>
lib/crypto: blake2s: move hmac construction into wireguard
Jason A. Donenfeld <Jason(a)zx2c4.com>
lib/crypto: blake2s: include as built-in
Eric Biggers <ebiggers(a)google.com>
crypto: blake2s - include <linux/bug.h> instead of <asm/bug.h>
Eric Biggers <ebiggers(a)google.com>
crypto: blake2s - adjust include guard naming
Eric Biggers <ebiggers(a)google.com>
crypto: blake2s - add comment for blake2s_state fields
Eric Biggers <ebiggers(a)google.com>
crypto: blake2s - optimize blake2s initialization
Eric Biggers <ebiggers(a)google.com>
crypto: blake2s - share the "shash" API boilerplate code
Eric Biggers <ebiggers(a)google.com>
crypto: blake2s - move update and final logic to internal/blake2s.h
Eric Biggers <ebiggers(a)google.com>
crypto: blake2s - remove unneeded includes
Eric Biggers <ebiggers(a)google.com>
crypto: x86/blake2s - define shash_alg structs using macros
Eric Biggers <ebiggers(a)google.com>
crypto: blake2s - define shash_alg structs using macros
Herbert Xu <herbert(a)gondor.apana.org.au>
crypto: lib/blake2s - Move selftest prototype into header file
Jason A. Donenfeld <Jason(a)zx2c4.com>
MAINTAINERS: add git tree for random.c
Jason A. Donenfeld <Jason(a)zx2c4.com>
MAINTAINERS: co-maintain random.c
Eric Biggers <ebiggers(a)google.com>
random: remove dead code left over from blocking pool
Ard Biesheuvel <ardb(a)kernel.org>
random: avoid arch_get_random_seed_long() when collecting IRQ randomness
Lorenzo Pieralisi <lorenzo.pieralisi(a)arm.com>
ACPI: sysfs: Fix BERT error region memory mapping
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
ACPI: sysfs: Make sparse happy about address space in use
Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
media: vim2m: initialize the media device earlier
Sakari Ailus <sakari.ailus(a)linux.intel.com>
media: vim2m: Register video device after setting up internals
Willy Tarreau <w(a)1wt.eu>
secure_seq: use the 64 bits of the siphash for port offset calculation
Eric Dumazet <edumazet(a)google.com>
tcp: change source port randomizarion at connect() time
Paolo Bonzini <pbonzini(a)redhat.com>
KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
Vitaly Kuznetsov <vkuznets(a)redhat.com>
KVM: x86: Properly handle APF vs disabled LAPIC situation
Denis Efremov (Oracle) <efremov(a)linux.com>
staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()
Daniel Thompson <daniel.thompson(a)linaro.org>
lockdown: also lock down previous kgdb use
-------------
Diffstat:
Documentation/admin-guide/kernel-parameters.txt | 6 +
Documentation/admin-guide/sysctl/kernel.rst | 22 +-
MAINTAINERS | 2 +
Makefile | 4 +-
arch/alpha/include/asm/timex.h | 1 +
arch/arm/include/asm/timex.h | 1 +
arch/ia64/include/asm/timex.h | 1 +
arch/m68k/include/asm/timex.h | 2 +-
arch/mips/include/asm/timex.h | 17 +-
arch/nios2/include/asm/timex.h | 3 +
arch/parisc/include/asm/timex.h | 3 +-
arch/powerpc/include/asm/timex.h | 1 +
arch/riscv/include/asm/timex.h | 2 +-
arch/s390/include/asm/timex.h | 1 +
arch/sparc/include/asm/timex_32.h | 4 +-
arch/um/include/asm/timex.h | 9 +-
arch/x86/crypto/Makefile | 4 +-
arch/x86/crypto/blake2s-glue.c | 166 +-
arch/x86/crypto/blake2s-shash.c | 77 +
arch/x86/include/asm/timex.h | 9 +
arch/x86/include/asm/tsc.h | 7 +-
arch/x86/kernel/cpu/mshyperv.c | 2 +-
arch/x86/kvm/lapic.c | 6 +
arch/x86/kvm/mmu/mmu.c | 6 +-
arch/x86/kvm/x86.c | 2 +-
arch/xtensa/include/asm/timex.h | 6 +-
crypto/Kconfig | 3 +-
crypto/blake2s_generic.c | 158 +-
crypto/drbg.c | 17 +-
drivers/acpi/sysfs.c | 23 +-
drivers/char/Kconfig | 3 +-
drivers/char/hw_random/core.c | 1 +
drivers/char/random.c | 3035 +++++++++--------------
drivers/hv/vmbus_drv.c | 2 +-
drivers/media/test-drivers/vim2m.c | 22 +-
drivers/net/Kconfig | 1 -
drivers/net/wireguard/noise.c | 45 +-
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 +-
include/crypto/blake2s.h | 66 +-
include/crypto/chacha.h | 15 +-
include/crypto/drbg.h | 2 +-
include/crypto/internal/blake2s.h | 123 +-
include/linux/cpuhotplug.h | 2 +
include/linux/hw_random.h | 2 -
include/linux/mm.h | 1 +
include/linux/prandom.h | 23 +-
include/linux/random.h | 100 +-
include/linux/security.h | 2 +
include/linux/siphash.h | 28 +
include/linux/timex.h | 10 +-
include/net/inet_hashtables.h | 2 +-
include/net/secure_seq.h | 4 +-
include/trace/events/random.h | 330 ---
init/main.c | 13 +-
kernel/cpu.c | 11 +
kernel/debug/debug_core.c | 24 +
kernel/debug/kdb/kdb_main.c | 62 +-
kernel/irq/handle.c | 2 +-
kernel/time/timekeeping.c | 15 +
lib/Kconfig.debug | 3 +-
lib/crypto/Kconfig | 23 +-
lib/crypto/Makefile | 9 +-
lib/crypto/blake2s-generic.c | 6 +-
lib/crypto/blake2s-selftest.c | 33 +-
lib/crypto/blake2s.c | 81 +-
lib/random32.c | 16 +-
lib/sha1.c | 95 +-
lib/siphash.c | 32 +-
lib/vsprintf.c | 10 +-
mm/util.c | 32 +
net/core/secure_seq.c | 4 +-
net/ipv4/inet_hashtables.c | 28 +-
net/ipv6/inet6_hashtables.c | 4 +-
security/security.c | 2 +
sound/pci/ctxfi/ctatc.c | 2 +
sound/pci/ctxfi/cthardware.h | 3 +-
76 files changed, 1865 insertions(+), 3035 deletions(-)
The patch titled
Subject: x86/kexec: fix memory leak of elf header buffer
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
x86-kexec-fix-memory-leak-of-elf-header-buffer.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: Baoquan He <bhe(a)redhat.com>
Subject: x86/kexec: fix memory leak of elf header buffer
Date: Wed, 23 Feb 2022 19:32:24 +0800
This is reported by the kmemleak detector:
unreferenced object 0xffffc900002a9000 (size 4096):
comm "kexec", pid 14950, jiffies 4295110793 (age 373.951s)
hex dump (first 32 bytes):
7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............
04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 ..>.............
backtrace:
[<0000000016a8ef9f>] __vmalloc_node_range+0x101/0x170
[<000000002b66b6c0>] __vmalloc_node+0xb4/0x160
[<00000000ad40107d>] crash_prepare_elf64_headers+0x8e/0xcd0
[<0000000019afff23>] crash_load_segments+0x260/0x470
[<0000000019ebe95c>] bzImage64_load+0x814/0xad0
[<0000000093e16b05>] arch_kexec_kernel_image_load+0x1be/0x2a0
[<000000009ef2fc88>] kimage_file_alloc_init+0x2ec/0x5a0
[<0000000038f5a97a>] __do_sys_kexec_file_load+0x28d/0x530
[<0000000087c19992>] do_syscall_64+0x3b/0x90
[<0000000066e063a4>] entry_SYSCALL_64_after_hwframe+0x44/0xae
In crash_prepare_elf64_headers(), a buffer is allocated via vmalloc() to
store elf headers. However, it is not freed back to the system correctly when
the kdump kernel is reloaded or unloaded, so memory is leaked. Fix it
by introducing the x86 specific function arch_kimage_file_post_load_cleanup(),
and freeing the buffer there.
Also remove the incorrect elf header buffer freeing code. Before
calling the arch specific kexec_file loading function, the image instance has
been initialized, so 'image->elf_headers' must be NULL. It doesn't make
sense to free the elf header buffer in that place.
Three different people have reported three bugs about the memory leak on
x86_64 inside Red Hat.
Link: https://lkml.kernel.org/r/20220223113225.63106-2-bhe@redhat.com
Signed-off-by: Baoquan He <bhe(a)redhat.com>
Acked-by: Dave Young <dyoung(a)redhat.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
arch/x86/kernel/machine_kexec_64.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/arch/x86/kernel/machine_kexec_64.c~x86-kexec-fix-memory-leak-of-elf-header-buffer
+++ a/arch/x86/kernel/machine_kexec_64.c
@@ -376,9 +376,6 @@ void machine_kexec(struct kimage *image)
#ifdef CONFIG_KEXEC_FILE
void *arch_kexec_kernel_image_load(struct kimage *image)
{
- vfree(image->elf_headers);
- image->elf_headers = NULL;
-
if (!image->fops || !image->fops->load)
return ERR_PTR(-ENOEXEC);
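Review bot: the removed vfree()/NULL pair was a no-op on a freshly initialised image (vfree(NULL) is safe), so dropping it is correct, but the commit message's claim that `image->elf_headers` must be NULL on entry now has nothing enforcing it. Consider replacing the two removed lines with `WARN_ON_ONCE(image->elf_headers);` so a future caller that reuses an image is caught instead of silently leaking the buffer again.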
@@ -514,6 +511,15 @@ overflow:
(int)ELF64_R_TYPE(rel[i].r_info), value);
return -ENOEXEC;
}
+
+int arch_kimage_file_post_load_cleanup(struct kimage *image)
+{
+ vfree(image->elf_headers);
+ image->elf_headers = NULL;
+ image->elf_headers_sz = 0;
+
+ return kexec_image_post_load_cleanup_default(image);
+}
#endif /* CONFIG_KEXEC_FILE */
static int
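Review bot: the new arch_kimage_file_post_load_cleanup() has no comment stating that the elf-header buffer is owned by the image and released only here, which is the invariant the first hunk relies on; a one-line comment above the function would stop someone reintroducing a free on the load path. Keeping `return kexec_image_post_load_cleanup_default(image);` as the last statement is right, since this arch hook replaces the generic default and must not drop its work. The reset of `image->elf_headers_sz` is correct alongside clearing the pointer, but the message only mentions the pointer; worth a sentence there.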
_
Patches currently in -mm which might be from bhe(a)redhat.com are
x86-kexec-fix-memory-leak-of-elf-header-buffer.patch
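The lifecycle bug described above, as an added user-space model (this is example code written for this page, not kernel code and not part of the patch). The struct and field names (kimage, elf_headers, elf_headers_sz) and the load/post-load-cleanup split mirror the patch; the allocation counter standing in for kmemleak, the fixed 4096-byte size and the helper names are assumptions of the model. It shows why a free placed at the start of the load path never released anything, and why a teardown hook that clears both pointer and size does.

```c
/* Added example, not kernel code: user-space model of the elf-header
 * buffer lifecycle. Names mirror the patch; the counter stands in for
 * kmemleak. The 4096-byte size and helper names are assumptions. */
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define ELF_HDR_SZ 4096

struct kimage {
    void  *elf_headers;
    size_t elf_headers_sz;
};

/* Outstanding allocations, so a caller can observe the leak directly. */
static int live_allocs;

static void *track_vmalloc(size_t n) { live_allocs++; return calloc(1, n); }
static void  track_vfree(void *p)    { if (p) { live_allocs--; free(p); } }

/* Models crash_prepare_elf64_headers(): allocate the buffer and hand
 * ownership to the image. */
static int prepare_elf_headers(struct kimage *image)
{
    image->elf_headers = track_vmalloc(ELF_HDR_SZ);
    if (!image->elf_headers)
        return -1;
    memcpy(image->elf_headers, "\x7f" "ELF", 4);   /* ELF magic, as in the kmemleak dump */
    image->elf_headers_sz = ELF_HDR_SZ;
    return 0;
}

/* Before the fix: the only free sat at the start of the load path, where
 * elf_headers is still NULL on a freshly initialised image, so it was a no-op. */
static int load_before_fix(struct kimage *image)
{
    track_vfree(image->elf_headers);   /* always NULL here */
    image->elf_headers = NULL;
    return prepare_elf_headers(image);
}

static int load_after_fix(struct kimage *image)
{
    return prepare_elf_headers(image);
}

/* Before the fix: nothing released the buffer on unload. */
static void post_load_cleanup_before_fix(struct kimage *image)
{
    (void)image;
}

/* After the fix: teardown owns the buffer and clears pointer and size
 * together, so a stale size cannot outlive the allocation. */
static void post_load_cleanup_after_fix(struct kimage *image)
{
    track_vfree(image->elf_headers);
    image->elf_headers = NULL;
    image->elf_headers_sz = 0;
}

/* Simulate `reloads` load/unload cycles, each with a fresh zeroed image as
 * in the kernel, and return how many buffers are still outstanding. */
int outstanding_after_reloads(int reloads, bool fixed)
{
    live_allocs = 0;
    for (int i = 0; i < reloads; i++) {
        struct kimage image = {0};
        if (fixed) {
            if (load_after_fix(&image) == 0)
                post_load_cleanup_after_fix(&image);
        } else {
            if (load_before_fix(&image) == 0)
                post_load_cleanup_before_fix(&image);
        }
    }
    return live_allocs;
}

int main(void)
{
    printf("before fix: %d buffers outstanding after 3 reloads\n",
           outstanding_after_reloads(3, false));
    printf("after fix:  %d buffers outstanding after 3 reloads\n",
           outstanding_after_reloads(3, true));
    return 0;
}
```

The before-fix path leaks exactly one buffer per reload, which is the pattern a kmemleak report like the one quoted above (one 4096-byte object per `kexec` invocation) would show.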
The patch titled
Subject: mm/memremap: fix missing call to untrack_pfn() in pagemap_range()
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
mm-memremap-fix-missing-call-to-untrack_pfn-in-pagemap_range.patch
------------------------------------------------------
From: Miaohe Lin <linmiaohe(a)huawei.com>
Subject: mm/memremap: fix missing call to untrack_pfn() in pagemap_range()
Date: Tue, 31 May 2022 20:26:43 +0800
We forget to call untrack_pfn() to pair with track_pfn_remap() when the range
is not allowed to be hotplugged. Fix it by jumping to err_kasan.
Link: https://lkml.kernel.org/r/20220531122643.25249-1-linmiaohe@huawei.com
Fixes: bca3feaa0764 ("mm/memory_hotplug: prevalidate the address range being added with platform")
Signed-off-by: Miaohe Lin <linmiaohe(a)huawei.com>
Reviewed-by: David Hildenbrand <david(a)redhat.com>
Acked-by: Muchun Song <songmuchun(a)bytedance.com>
Cc: Anshuman Khandual <anshuman.khandual(a)arm.com>
Cc: Oscar Salvador <osalvador(a)suse.de>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/memremap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/memremap.c~mm-memremap-fix-missing-call-to-untrack_pfn-in-pagemap_range
+++ a/mm/memremap.c
@@ -214,7 +214,7 @@ static int pagemap_range(struct dev_page
if (!mhp_range_allowed(range->start, range_len(range), !is_private)) {
error = -EINVAL;
- goto err_pfn_remap;
+ goto err_kasan;
}
mem_hotplug_begin();
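Review bot: the hunk changes only the jump target, and neither the err_kasan label nor the untrack_pfn() it is meant to reach is in the visible context, so the diff alone does not let a reviewer confirm that err_kasan runs untrack_pfn() and then falls through to the err_pfn_remap teardown without undoing anything that has not yet been done at this point (mem_hotplug_begin() is only called after this check). Please state the unwind order in the message or widen the context. The Fixes: tag pointing at the commit that added the mhp_range_allowed() prevalidation looks right.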
_
Patches currently in -mm which might be from linmiaohe(a)huawei.com are
maintainers-add-maintainer-information-for-z3fold.patch
mm-memremap-fix-missing-call-to-untrack_pfn-in-pagemap_range.patch
mm-shmemc-clean-up-comment-of-shmem_swapin_folio.patch
mm-reduce-the-rcu-lock-duration.patch
mm-migration-remove-unneeded-lock-page-and-pagemovable-check.patch
mm-migration-return-errno-when-isolate_huge_page-failed.patch
mm-migration-fix-potential-pte_unmap-on-an-not-mapped-pte.patch
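The error-path unwinding that this one-line fix corrects, as an added user-space model (example code written for this page, not kernel code and not part of the patch). The step names track_pfn_remap()/untrack_pfn() and the labels err_kasan and err_pfn_remap come from the patch; the balance counters, the registration helper and the exact label layout are assumptions of the model. It shows that each error label must undo exactly the steps completed before the failure: jumping past the untrack_pfn() step leaves the PFN tracking unbalanced, jumping to err_kasan does not.

```c
/* Added example, not kernel code: user-space model of the error-path
 * unwinding in pagemap_range(). Label names follow the patch; the
 * counters, helper names and label order are assumptions of this model. */
#include <stdbool.h>
#include <stdio.h>

/* Balance counters: every +1 must be matched by a -1 on each exit path. */
static int pfn_tracked;     /* track_pfn_remap() minus untrack_pfn() */
static int array_entries;   /* register_range() minus pgmap_array_delete() */

static int  track_pfn_remap(void)    { pfn_tracked++;   return 0; }
static void untrack_pfn(void)        { pfn_tracked--; }
static void register_range(void)     { array_entries++; }
static void pgmap_array_delete(void) { array_entries--; }

struct unwind_state { int pfn_tracked; int array_entries; };

/* The hotplug check sits after track_pfn_remap() has succeeded, so its
 * failure exit must run untrack_pfn(). `jump_to_kasan` selects the fixed
 * target (err_kasan) or the buggy one (err_pfn_remap). */
static int pagemap_range_model(bool hotplug_allowed, bool jump_to_kasan)
{
    int error;

    register_range();

    error = track_pfn_remap();
    if (error)
        goto err_pfn_remap;        /* nothing tracked yet: skip untrack_pfn() */

    if (!hotplug_allowed) {
        error = -22;               /* -EINVAL */
        if (jump_to_kasan)
            goto err_kasan;        /* fixed: undo track_pfn_remap() too */
        goto err_pfn_remap;        /* buggy: leaves pfn_tracked at 1 */
    }

    /* Success: the mapping stays registered until the caller tears it down. */
    return 0;

err_kasan:
    untrack_pfn();
err_pfn_remap:
    pgmap_array_delete();
    return error;
}

/* Drive the disallowed-hotplug failure and report what was left behind. */
struct unwind_state leftovers_after_failure(bool fixed)
{
    pfn_tracked = 0;
    array_entries = 0;
    (void)pagemap_range_model(false, fixed);
    return (struct unwind_state){ pfn_tracked, array_entries };
}

int main(void)
{
    struct unwind_state s = leftovers_after_failure(false);
    printf("goto err_pfn_remap: pfn_tracked=%d array_entries=%d\n",
           s.pfn_tracked, s.array_entries);
    s = leftovers_after_failure(true);
    printf("goto err_kasan:     pfn_tracked=%d array_entries=%d\n",
           s.pfn_tracked, s.array_entries);
    return 0;
}
```

The same counter discipline applies when reviewing any goto-based unwind: list the side effects completed before each failure point and check that the chosen label undoes exactly that set, no more and no less.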
Good day,
Are you interested in warehouse racking that will let you organise and make full use of the space in your hall?
I am contacting you because I can offer you durable and stable racks, cabinets and containers, as well as pallet boxes and self-unloading containers.
If safe and convenient storage of goods, products and semi-finished items matters to you, our solutions will guarantee your company efficient use of the available space.
On our side we provide transport and a long-term warranty.
Would you be interested in a preliminary quote?
Best regards
Marek Pozyrewski