diff options
| author | P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> | 2024-08-11 00:12:39 +0300 |
|---|---|---|
| committer | P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> | 2024-08-11 00:12:39 +0300 |
| commit | 848b831c34ae28e7b8132834656ad59dc6b51a87 (patch) | |
| tree | 0b18a326840e661d88333ec9aee349709f3596c1 /meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-34256.patch | |
| parent | b4e4c3191df9ed4a6d560517b61e70cb9b3a6108 (diff) | |
| download | openbmc-848b831c34ae28e7b8132834656ad59dc6b51a87.tar.xz | |
Update to internal 1-1.20update
Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com>
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-34256.patch')
| -rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-34256.patch | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-34256.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-34256.patch new file mode 100644 index 000000000..60dc63406 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-34256.patch @@ -0,0 +1,99 @@ +From 4f04351888a83e595571de672e0a4a8b74f4fb31 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus <tudor.ambarus@linaro.org> +Date: Thu, 4 May 2023 12:15:25 +0000 +Subject: ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum + +When modifying the block device while it is mounted by the filesystem, +syzbot reported the following: + +BUG: KASAN: slab-out-of-bounds in crc16+0x206/0x280 lib/crc16.c:58 +Read of size 1 at addr ffff888075f5c0a8 by task syz-executor.2/15586 + +CPU: 1 PID: 15586 Comm: syz-executor.2 Not tainted 6.2.0-rc5-syzkaller-00205-gc96618275234 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 +Call Trace: + <TASK> + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:306 + print_report+0x107/0x1f0 mm/kasan/report.c:417 + kasan_report+0xcd/0x100 mm/kasan/report.c:517 + crc16+0x206/0x280 lib/crc16.c:58 + ext4_group_desc_csum+0x81b/0xb20 fs/ext4/super.c:3187 + ext4_group_desc_csum_set+0x195/0x230 fs/ext4/super.c:3210 + ext4_mb_clear_bb fs/ext4/mballoc.c:6027 [inline] + ext4_free_blocks+0x191a/0x2810 fs/ext4/mballoc.c:6173 + ext4_remove_blocks fs/ext4/extents.c:2527 [inline] + ext4_ext_rm_leaf fs/ext4/extents.c:2710 [inline] + ext4_ext_remove_space+0x24ef/0x46a0 fs/ext4/extents.c:2958 + ext4_ext_truncate+0x177/0x220 fs/ext4/extents.c:4416 + ext4_truncate+0xa6a/0xea0 fs/ext4/inode.c:4342 + ext4_setattr+0x10c8/0x1930 fs/ext4/inode.c:5622 + notify_change+0xe50/0x1100 fs/attr.c:482 + do_truncate+0x200/0x2f0 fs/open.c:65 + handle_truncate fs/namei.c:3216 [inline] + do_open fs/namei.c:3561 [inline] + path_openat+0x272b/0x2dd0 fs/namei.c:3714 + do_filp_open+0x264/0x4f0 fs/namei.c:3741 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_creat fs/open.c:1402 [inline] + __se_sys_creat fs/open.c:1396 [inline] + __x64_sys_creat+0x11f/0x160 fs/open.c:1396 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f72f8a8c0c9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f72f97e3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 +RAX: ffffffffffffffda RBX: 00007f72f8bac050 RCX: 00007f72f8a8c0c9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000280 +RBP: 00007f72f8ae7ae9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffd165348bf R14: 00007f72f97e3300 R15: 0000000000022000 + +Replace + le16_to_cpu(sbi->s_es->s_desc_size) +with + sbi->s_desc_size + +It reduces ext4's compiled text size, and makes the code more efficient +(we remove an extra indirect reference and a potential byte +swap on big endian systems), and there is no downside. It also avoids the +potential KASAN / syzkaller failure, as a bonus. + +Reported-by: syzbot+fc51227e7100c9294894@syzkaller.appspotmail.com +Reported-by: syzbot+8785e41224a3afd04321@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=70d28d11ab14bd7938f3e088365252aa923cff42 +Link: https://syzkaller.appspot.com/bug?id=b85721b38583ecc6b5e72ff524c67302abbc30f3 +Link: https://lore.kernel.org/all/000000000000ece18705f3b20934@google.com/ +Fixes: 717d50e4971b ("Ext4: Uninitialized Block Groups") +Cc: stable@vger.kernel.org +Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org> +Link: https://lore.kernel.org/r/20230504121525.3275886-1-tudor.ambarus@linaro.org +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +--- + fs/ext4/super.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 4037c8611c02e..425b95a7a0ab6 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3240,11 +3240,9 @@ static __le16 ext4_group_desc_csum(struct super_block *sb, __u32 block_group, + crc = crc16(crc, (__u8 *)gdp, offset); + offset += sizeof(gdp->bg_checksum); /* skip checksum */ + /* for checksum of struct ext4_group_desc do the rest...*/ +- if (ext4_has_feature_64bit(sb) && +- offset < le16_to_cpu(sbi->s_es->s_desc_size)) ++ if (ext4_has_feature_64bit(sb) && offset < sbi->s_desc_size) + crc = crc16(crc, (__u8 *)gdp + offset, +- le16_to_cpu(sbi->s_es->s_desc_size) - +- offset); ++ sbi->s_desc_size - offset); + + out: + return cpu_to_le16(crc); +-- +cgit 1.2.3-korg + |