2022-10-16 06:50:13

by Greg Kroah-Hartman

Subject: [PATCH 5.4 0/4] 5.4.219-rc1 review

This is the start of the stable review cycle for the 5.4.219 release.
There are 4 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.219-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 5.4.219-rc1

Johannes Berg <[email protected]>
wifi: mac80211: fix MBSSID parsing use-after-free

Johannes Berg <[email protected]>
wifi: mac80211: don't parse mbssid in assoc response

Johannes Berg <[email protected]>
mac80211: mlme: find auth challenge directly

Sasha Levin <[email protected]>
Revert "fs: check FMODE_LSEEK to control internal pipe splicing"


-------------

Diffstat:

Makefile | 4 ++--
fs/splice.c | 10 ++++++----
net/mac80211/ieee80211_i.h | 4 ++--
net/mac80211/mlme.c | 21 +++++++++++++--------
net/mac80211/scan.c | 2 ++
net/mac80211/util.c | 11 ++++++-----
6 files changed, 31 insertions(+), 21 deletions(-)



2022-10-16 06:59:29

by Greg Kroah-Hartman

Subject: [PATCH 5.4 1/4] Revert "fs: check FMODE_LSEEK to control internal pipe splicing"

This reverts commit fd0a6e99b61e6c08fa5cf585d54fd956f70c73a6.

Which was upstream commit 97ef77c52b789ec1411d360ed99dca1efe4b2c81.

The commit is missing dependencies and breaks NFS tests, remove it for
now.

Reported-by: Saeed Mirzamohammadi <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/splice.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/fs/splice.c b/fs/splice.c
index ae5623244d5e..e509239d7e06 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -895,15 +895,17 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
{
struct pipe_inode_info *pipe;
long ret, bytes;
+ umode_t i_mode;
size_t len;
int i, flags, more;

/*
- * We require the input to be seekable, as we don't want to randomly
- * drop data for eg socket -> socket splicing. Use the piped splicing
- * for that!
+ * We require the input being a regular file, as we don't want to
+ * randomly drop data for eg socket -> socket splicing. Use the
+ * piped splicing for that!
*/
- if (unlikely(!(in->f_mode & FMODE_LSEEK)))
+ i_mode = file_inode(in)->i_mode;
+ if (unlikely(!S_ISREG(i_mode) && !S_ISBLK(i_mode)))
return -EINVAL;

/*
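Review bot: restoring the S_ISREG/S_ISBLK inode-mode test rejects, with -EINVAL, every input that is seekable but neither a regular file nor a block device, which is exactly the class the reverted FMODE_LSEEK check had admitted; that is the intended effect of a revert, but the log only says the commit "is missing dependencies" and "breaks NFS tests" without naming either, so list the missing upstream commits and the failing test in the message so the change can be reapplied together with its dependencies.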
--
2.35.1



2022-10-16 07:00:25

by Greg Kroah-Hartman

Subject: [PATCH 5.4 4/4] wifi: mac80211: fix MBSSID parsing use-after-free

From: Johannes Berg <[email protected]>

Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream.

This is a different version of the commit, changed to store
the non-transmitted profile in the elems, and freeing it in
the few places where it's relevant, since that is only the
case when the last argument for parsing (the non-tx BSSID)
is non-NULL.

When we parse a multi-BSSID element, we might point some
element pointers into the allocated nontransmitted_profile.
However, we free this before returning, causing UAF when the
relevant pointers in the parsed elements are accessed.

Fix this by not allocating the scratch buffer separately but
as part of the returned structure instead, that way, there
are no lifetime issues with it.

The scratch buffer introduction as part of the returned data
here is taken from MLO feature work done by Ilan.

This fixes CVE-2022-42719.

Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
Co-developed-by: Ilan Peer <[email protected]>
Signed-off-by: Ilan Peer <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/mac80211/ieee80211_i.h | 2 ++
net/mac80211/mlme.c | 6 +++++-
net/mac80211/scan.c | 2 ++
net/mac80211/util.c | 7 ++++++-
4 files changed, 15 insertions(+), 2 deletions(-)

--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1519,6 +1519,8 @@ struct ieee802_11_elems {
u8 country_elem_len;
u8 bssid_index_len;

+ void *nontx_profile;
+
/* whether a parse error occurred while retrieving these elements */
bool parse_error;
};
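Review bot: the new nontx_profile member hands ownership of a kmalloc'd buffer to whoever receives the struct, and other pointers in the struct may point into it, yet unlike parse_error directly below it carries no comment; add one saying that the caller must kfree() it, and only after its last use of any element pointer, since a caller that frees it early recreates the use-after-free this patch fixes and one that never frees it leaks per parsed frame.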
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3299,6 +3299,7 @@ static bool ieee80211_assoc_success(stru
sdata_info(sdata,
"AP bug: VHT operation missing from AssocResp\n");
}
+ kfree(bss_elems.nontx_profile);
}

/*
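Review bot: the kfree(bss_elems.nontx_profile) sits at the closing brace of the block that parses bss_elems, so any exit from that block between the parse call and this brace (an early return or goto outside this hunk, if one exists) leaks the buffer; check the rest of the block. Note also that the elems parsed from the association response in this same function gets no kfree here, which is correct only because the preceding patch in this series passes NULL as the non-transmitted BSSID for that parse, leaving nontx_profile NULL; a one-line comment would make that ordering dependency visible.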
@@ -3883,6 +3884,7 @@ static void ieee80211_rx_mgmt_beacon(str
ifmgd->assoc_data->timeout = jiffies;
ifmgd->assoc_data->timeout_started = true;
run_again(sdata, ifmgd->assoc_data->timeout);
+ kfree(elems.nontx_profile);
return;
}
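Review bot: this early return frees elems.nontx_profile inline while the later hunks in the same function route another return through a free: label; use goto free here too so ieee80211_rx_mgmt_beacon() has one exit path that frees the profile, and audit any other return between the parse call and the label that this patch does not touch, since each one is a leak.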

@@ -4050,7 +4052,7 @@ static void ieee80211_rx_mgmt_beacon(str
ieee80211_report_disconnect(sdata, deauth_buf,
sizeof(deauth_buf), true,
WLAN_REASON_DEAUTH_LEAVING);
- return;
+ goto free;
}

if (sta && elems.opmode_notif)
@@ -4065,6 +4067,8 @@ static void ieee80211_rx_mgmt_beacon(str
elems.cisco_dtpc_elem);

ieee80211_bss_info_change_notify(sdata, changed);
+free:
+ kfree(elems.nontx_profile);
}

void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -216,6 +216,8 @@ ieee80211_bss_info_update(struct ieee802
rx_status, beacon);
}

+ kfree(elems.nontx_profile);
+
return bss;
}
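Review bot: the kfree comes after bss has been filled in from elems, which is safe only if ieee80211_bss_info_update() and the helpers it calls copy what they need out of the element pointers rather than storing one of them in the returned bss; a pointer into nontx_profile kept in bss would dangle from here on. Also check for any return between the parse call and this point that would skip the free.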

--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1363,6 +1363,11 @@ u32 ieee802_11_parse_elems_crc(const u8
cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
nontransmitted_profile,
nontransmitted_profile_len);
+ if (!nontransmitted_profile_len) {
+ nontransmitted_profile_len = 0;
+ kfree(nontransmitted_profile);
+ nontransmitted_profile = NULL;
+ }
}

crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter,
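Review bot: nontransmitted_profile_len = 0; inside if (!nontransmitted_profile_len) is a no-op, the condition already guarantees it is zero; drop that line. The free-and-NULL here is what lets the later elems->nontx_profile assignment hand back either a live buffer or NULL with nothing in between, so a short comment saying that the profile is discarded when it ends up empty would help the next reader.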
@@ -1392,7 +1397,7 @@ u32 ieee802_11_parse_elems_crc(const u8
offsetofend(struct ieee80211_bssid_index, dtim_count))
elems->dtim_count = elems->bssid_index->dtim_count;

- kfree(nontransmitted_profile);
+ elems->nontx_profile = nontransmitted_profile;

return crc;
}
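Review bot: replacing the kfree with elems->nontx_profile = nontransmitted_profile transfers ownership to the caller, so every caller of ieee802_11_parse_elems_crc(), and of the ieee802_11_parse_elems() wrapper, that passes a non-NULL non-transmitted BSSID must now kfree(elems.nontx_profile) itself; this series covers the mlme.c and scan.c call sites and passes NULL in the association-response parsers, but grep the tree for any other caller when backporting, since each one missed leaks a buffer per received frame. Also confirm there is no return between the allocation of nontransmitted_profile and this line that would skip the hand-over.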


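The lifetime bug the commit message above describes, as an added example that is not part of the patch or of mac80211: a toy element parser in C with a simplified, constructed TLV layout (not the real 802.11 Multiple BSSID encoding), shown in the pre-patch form that frees the scratch profile buffer before returning and the post-patch form that hands the buffer back inside the elems struct for the caller to free. The function names, the struct layout, the dangling flag and the sample frame are all assumptions made for the example; only the nontx_profile field name mirrors the patch.

```c
/* Added example, not kernel code: toy model of the parser lifetime bug this patch
 * fixes. The TLV layout is invented, not the real 802.11 Multiple BSSID encoding. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define EID_SSID   0
#define EID_MBSSID 71	/* real element ID; the body format here is invented */

struct elems {
	const uint8_t *ssid;	/* points into the frame or into the profile copy */
	uint8_t ssid_len;
	void *nontx_profile;	/* fixed variant: profile buffer, freed by the caller */
	bool dangling;		/* vulnerable variant: ssid pointed into freed memory */
};

/* First well-formed id/len/body element with this id (out_len set only then), or NULL. */
static const uint8_t *find_elem(const uint8_t *buf, size_t len, uint8_t id,
				uint8_t *out_len)
{
	for (size_t i = 0; i + 2 <= len && i + 2 + buf[i + 1] <= len;
	     i += 2 + buf[i + 1])
		if (buf[i] == id) {
			*out_len = buf[i + 1];
			return &buf[i + 2];
		}
	return NULL;	/* also stops at a truncated element: never overreads */
}

/* Shared part: parse the frame; if a non-transmitted BSSID was requested and a
 * Multiple BSSID element exists, copy its body (the profile) to a scratch buffer
 * and parse that too, so e->ssid may end up pointing into the returned buffer. */
static uint8_t *parse_common(const uint8_t *buf, size_t len, bool want_nontx,
			     struct elems *e, size_t *scratch_len)
{
	const uint8_t *body, *s;
	uint8_t l, *scratch;
	memset(e, 0, sizeof(*e));
	*scratch_len = 0;
	e->ssid = find_elem(buf, len, EID_SSID, &e->ssid_len);
	if (!want_nontx || !(body = find_elem(buf, len, EID_MBSSID, &l)) || !l)
		return NULL;
	scratch = malloc(l);
	if (!scratch)
		return NULL;
	memcpy(scratch, body, l);
	s = find_elem(scratch, l, EID_SSID, &e->ssid_len);
	if (s)
		e->ssid = s;	/* profile SSID overrides the transmitted one */
	*scratch_len = l;
	return scratch;
}

/* Pre-patch lifetime: scratch is freed before returning, so an element pointer set
 * from it dangles. Recorded before the free; dereferencing it later is the UAF. */
void parse_elems_vuln(const uint8_t *buf, size_t len, bool want_nontx, struct elems *e)
{
	size_t slen;
	uint8_t *scratch = parse_common(buf, len, want_nontx, e, &slen);
	uintptr_t s = (uintptr_t)scratch, p = (uintptr_t)e->ssid;
	e->dangling = scratch && p >= s && p < s + slen;
	free(scratch);
}

/* Post-patch lifetime: scratch travels inside elems; the caller frees it after
 * its last use of any element pointer, as kfree(elems.nontx_profile) does. */
void parse_elems_fixed(const uint8_t *buf, size_t len, bool want_nontx, struct elems *e)
{
	size_t slen;
	e->nontx_profile = parse_common(buf, len, want_nontx, e, &slen);
}

/* Constructed sample frame (not captured traffic): transmitted SSID "tx-ap", then
 * a Multiple BSSID element whose body carries the profile SSID "hidden". */
static const uint8_t sample_frame[] = {
	EID_SSID, 5, 't', 'x', '-', 'a', 'p',
	EID_MBSSID, 8, EID_SSID, 6, 'h', 'i', 'd', 'd', 'e', 'n',
};

bool demo_vuln_leaves_dangling_pointer(void)
{
	struct elems e;
	parse_elems_vuln(sample_frame, sizeof(sample_frame), true, &e);
	return e.dangling;
}

/* Fixed parser: compare the SSID while the profile buffer is still alive,
 * then free it (free(NULL) is a no-op, like kfree()). */
bool demo_fixed_ssid_is(const char *expected, bool want_nontx)
{
	struct elems e;
	bool ok;
	parse_elems_fixed(sample_frame, sizeof(sample_frame), want_nontx, &e);
	ok = e.ssid && (size_t)e.ssid_len == strlen(expected) &&
	     !memcmp(e.ssid, expected, e.ssid_len) &&
	     (want_nontx ? e.nontx_profile != NULL : e.nontx_profile == NULL);
	free(e.nontx_profile);
	return ok;
}
```

With the non-transmitted lookup enabled the vulnerable variant reports that ssid points into the just-freed scratch buffer, while the fixed variant keeps the buffer alive in nontx_profile until the caller is done; with the lookup disabled (the NULL case the previous patch creates for association responses) no buffer is allocated and the free is a no-op.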
2022-10-16 07:08:02

by Greg Kroah-Hartman

Subject: [PATCH 5.4 3/4] wifi: mac80211: don't parse mbssid in assoc response

From: Johannes Berg <[email protected]>

This is simply not valid and simplifies the next commit.
I'll make a separate patch for this in the current main
tree as well.

Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/mac80211/mlme.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3224,7 +3224,7 @@ static bool ieee80211_assoc_success(stru

pos = mgmt->u.assoc_resp.variable;
ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
- mgmt->bssid, assoc_data->bss->bssid);
+ mgmt->bssid, NULL);

if (!elems.supp_rates) {
sdata_info(sdata, "no SuppRates element in AssocResp\n");
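Review bot: the log says parsing MBSSID in an association response "is simply not valid" but not why; state that the Multiple BSSID element is only carried in Beacon and Probe Response frames, so there is no non-transmitted profile to look up here, and that passing NULL also means this parse never allocates a profile scratch buffer, which is what lets the following patch skip a kfree at this call site.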
@@ -3576,7 +3576,7 @@ static void ieee80211_rx_mgmt_assoc_resp

pos = mgmt->u.assoc_resp.variable;
ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
- mgmt->bssid, assoc_data->bss->bssid);
+ mgmt->bssid, NULL);

if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
elems.timeout_int &&
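Review bot: same change at the second call site; both hunks are what allow the next patch to leave ieee80211_rx_mgmt_assoc_resp() without a kfree, so keep this patch ordered before the nontx_profile one in any further backport, otherwise that function would allocate a profile buffer it never frees.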


2022-10-16 19:54:23

by Guenter Roeck

Subject: Re: [PATCH 5.4 0/4] 5.4.219-rc1 review

On Sun, Oct 16, 2022 at 08:46:22AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.219 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.
>

Build results:
total: 161 pass: 161 fail: 0
Qemu test results:
total: 447 pass: 447 fail: 0

Tested-by: Guenter Roeck <[email protected]>

Guenter

2022-10-17 07:43:22

by Naresh Kamboju

Subject: Re: [PATCH 5.4 0/4] 5.4.219-rc1 review

On Sun, 16 Oct 2022 at 12:16, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 5.4.219 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.219-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h


Results from Linaro's test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <[email protected]>

## Build
* kernel: 5.4.219-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-5.4.y
* git commit: 5a1de46f7e7462992a5dd980fe8d06ea57b4ad17
* git describe: v5.4.218-5-g5a1de46f7e74
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.4.y/build/v5.4.218-5-g5a1de46f7e74

## No Test Regressions (compared to v5.4.217-39-g34b618a713e7)

## No Metric Regressions (compared to v5.4.217-39-g34b618a713e7)

## No Test Fixes (compared to v5.4.217-39-g34b618a713e7)

## No Metric Fixes (compared to v5.4.217-39-g34b618a713e7)

## Test result summary
total: 99448, pass: 84788, fail: 1219, skip: 12965, xfail: 476

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 334 total, 334 passed, 0 failed
* arm64: 64 total, 59 passed, 5 failed
* i386: 31 total, 29 passed, 2 failed
* mips: 56 total, 56 passed, 0 failed
* parisc: 12 total, 12 passed, 0 failed
* powerpc: 63 total, 63 passed, 0 failed
* riscv: 27 total, 26 passed, 1 failed
* s390: 15 total, 15 passed, 0 failed
* sh: 24 total, 24 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x86_64: 57 total, 55 passed, 2 failed

## Test suites summary
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-arm64/arm64.btitest.bti_c_func
* kselftest-arm64/arm64.btitest.bti_j_func
* kselftest-arm64/arm64.btitest.bti_jc_func
* kselftest-arm64/arm64.btitest.bti_none_func
* kselftest-arm64/arm64.btitest.nohint_func
* kselftest-arm64/arm64.btitest.paciasp_func
* kselftest-arm64/arm64.nobtitest.bti_c_func
* kselftest-arm64/arm64.nobtitest.bti_j_func
* kselftest-arm64/arm64.nobtitest.bti_jc_func
* kselftest-arm64/arm64.nobtitest.bti_none_func
* kselftest-arm64/arm64.nobtitest.nohint_func
* kselftest-arm64/arm64.nobtitest.paciasp_func
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-drivers-dma-buf
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-filesystems-binderfs
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-net-forwarding
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-cap_bounds
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-filecaps
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-fsx
* ltp-hugetlb
* ltp-io
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-open-posix-tests
* ltp-pty
* ltp-sched
* ltp-securebits
* ltp-syscalls
* ltp-tracing
* network-basic-tests
* packetdrill
* perf
* perf/Zstd-perf.data-compression
* rcutorture
* v4l2-compliance
* vdso

--
Linaro LKFT
https://lkft.linaro.org

2022-10-17 09:14:50

by Sudip Mukherjee

Subject: Re: [PATCH 5.4 0/4] 5.4.219-rc1 review

Hi Greg,

On Sun, Oct 16, 2022 at 08:46:22AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.219 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.

Build test (gcc version 11.3.1 20220925):
mips: 65 configs -> no failure
arm: 106 configs -> no failure
arm64: 2 configs -> no failure
x86_64: 4 configs -> no failure
alpha allmodconfig -> no failure
powerpc allmodconfig -> no failure
riscv allmodconfig -> no failure
s390 allmodconfig -> no failure
xtensa allmodconfig -> no failure


Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression. [1]

[1]. https://openqa.qa.codethink.co.uk/tests/2009


Tested-by: Sudip Mukherjee <[email protected]>

--
Regards
Sudip

2022-10-17 18:24:01

by Florian Fainelli

Subject: Re: [PATCH 5.4 0/4] 5.4.219-rc1 review

On 10/15/22 23:46, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.219 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.219-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

On ARCH_BRCMSTB, using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:

Tested-by: Florian Fainelli <[email protected]>
--
Florian

2022-10-17 18:39:07

by Shuah Khan

Subject: Re: [PATCH 5.4 0/4] 5.4.219-rc1 review

On 10/16/22 00:46, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.219 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.219-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <[email protected]>

thanks,
-- Shuah