kernel/relay.c: handle alloc_percpu returning NULL in relay_open (CVE-2019-19462)

2020-06-05 12:29:55 +02:00 · 2020-06-05 12:29:55 +02:00 · 50bf5b3b3d
parent 7fc7c96d6e
commit 50bf5b3b3d
3 changed files with 74 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -12,6 +12,8 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
  * netlabel: cope with NULL catmap (CVE-2020-10711)
  * fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
    (CVE-2020-10732)
+  * kernel/relay.c: handle alloc_percpu returning NULL in relay_open
+    (CVE-2019-19462)

 -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 28 May 2020 23:02:30 +0200

--- a/debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch
+++ b/debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch
@ -0,0 +1,71 @@
+From: Daniel Axtens <dja@axtens.net>
+Date: Thu, 4 Jun 2020 16:51:27 -0700
+Subject: kernel/relay.c: handle alloc_percpu returning NULL in relay_open
+Origin: https://git.kernel.org/linus/54e200ab40fc14c863bcc80a51e20b7906608fce
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19462
+
+alloc_percpu() may return NULL, which means chan->buf may be set to NULL.
+In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
+invalid pointer:
+
+  BUG: Unable to handle kernel data access at 0x7dae0000
+  Faulting instruction address: 0xc0000000003f3fec
+  ...
+  NIP relay_open+0x29c/0x600
+  LR relay_open+0x270/0x600
+  Call Trace:
+     relay_open+0x264/0x600 (unreliable)
+     __blk_trace_setup+0x254/0x600
+     blk_trace_setup+0x68/0xa0
+     sg_ioctl+0x7bc/0x2e80
+     do_vfs_ioctl+0x13c/0x1300
+     ksys_ioctl+0x94/0x130
+     sys_ioctl+0x48/0xb0
+     system_call+0x5c/0x68
+
+Check if alloc_percpu returns NULL.
+
+This was found by syzkaller both on x86 and powerpc, and the reproducer
+it found on powerpc is capable of hitting the issue as an unprivileged
+user.
+
+Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
+Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com
+Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com
+Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com
+Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Cc: Akash Goel <akash.goel@intel.com>
+Cc: Andrew Donnellan <ajd@linux.ibm.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: Salvatore Bonaccorso <carnil@debian.org>
+Cc: <stable@vger.kernel.org>	[4.10+]
+Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ kernel/relay.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/relay.c b/kernel/relay.c
+index 90c7a002436d..dc82705e1cff 100644
+--- a/kernel/relay.c
+++ b/kernel/relay.c
+@@ -581,6 +581,11 @@ struct rchan *relay_open(const char *base_filename,
+ 		return NULL;
+ 
+ 	chan->buf = alloc_percpu(struct rchan_buf *);
+	if (!chan->buf) {
+		kfree(chan);
+		return NULL;
+	}
+
+ 	chan->version = RELAYFS_CHANNEL_VERSION;
+ 	chan->n_subbufs = n_subbufs;
+ 	chan->subbuf_size = subbuf_size;
+-- 
+2.27.0.rc0
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -308,5 +308,6 @@ bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
 bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
 bugfix/all/netlabel-cope-with-NULL-catmap.patch
 bugfix/all/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch
+bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch

 # ABI maintenance