From 50bf5b3b3def0070e6e16dbffbdcf53dbc3cd6d0 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Fri, 5 Jun 2020 12:29:55 +0200 Subject: [PATCH] kernel/relay.c: handle alloc_percpu returning NULL in relay_open (CVE-2019-19462) --- debian/changelog | 2 + ...andle-alloc_percpu-returning-NULL-in.patch | 71 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 74 insertions(+) create mode 100644 debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch diff --git a/debian/changelog b/debian/changelog index e969253ab..13ca538b3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,6 +12,8 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium * netlabel: cope with NULL catmap (CVE-2020-10711) * fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() (CVE-2020-10732) + * kernel/relay.c: handle alloc_percpu returning NULL in relay_open + (CVE-2019-19462) -- Salvatore Bonaccorso Thu, 28 May 2020 23:02:30 +0200 diff --git a/debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch b/debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch new file mode 100644 index 000000000..0772ccfbe --- /dev/null +++ b/debian/patches/bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch 
@@ -0,0 +1,71 @@ +From: Daniel Axtens +Date: Thu, 4 Jun 2020 16:51:27 -0700 +Subject: kernel/relay.c: handle alloc_percpu returning NULL in relay_open +Origin: https://git.kernel.org/linus/54e200ab40fc14c863bcc80a51e20b7906608fce +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19462 + +alloc_percpu() may return NULL, which means chan->buf may be set to NULL. +In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an +invalid pointer: + + BUG: Unable to handle kernel data access at 0x7dae0000 + Faulting instruction address: 0xc0000000003f3fec + ... + NIP relay_open+0x29c/0x600 + LR relay_open+0x270/0x600 + Call Trace: + relay_open+0x264/0x600 (unreliable) + __blk_trace_setup+0x254/0x600 + blk_trace_setup+0x68/0xa0 + sg_ioctl+0x7bc/0x2e80 + do_vfs_ioctl+0x13c/0x1300 + ksys_ioctl+0x94/0x130 + sys_ioctl+0x48/0xb0 + system_call+0x5c/0x68 + +Check if alloc_percpu returns NULL. + +This was found by syzkaller both on x86 and powerpc, and the reproducer +it found on powerpc is capable of hitting the issue as an unprivileged +user. 
+ +Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers") +Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com +Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com +Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com +Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com +Signed-off-by: Daniel Axtens +Signed-off-by: Andrew Morton +Reviewed-by: Michael Ellerman +Reviewed-by: Andrew Donnellan +Acked-by: David Rientjes +Cc: Akash Goel +Cc: Andrew Donnellan +Cc: Guenter Roeck +Cc: Salvatore Bonaccorso +Cc: [4.10+] +Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net +Signed-off-by: Linus Torvalds +--- + kernel/relay.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/relay.c b/kernel/relay.c +index 90c7a002436d..dc82705e1cff 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -581,6 +581,11 @@ struct rchan *relay_open(const char *base_filename, + return NULL; + + chan->buf = alloc_percpu(struct rchan_buf *); ++ if (!chan->buf) { ++ kfree(chan); ++ return NULL; ++ } ++ + chan->version = RELAYFS_CHANNEL_VERSION; + chan->n_subbufs = n_subbufs; + chan->subbuf_size = subbuf_size; +-- +2.27.0.rc0 + diff --git a/debian/patches/series b/debian/patches/series index 10d611c8a..3f23eca11 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -308,5 +308,6 @@ bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch bugfix/all/netlabel-cope-with-NULL-catmap.patch bugfix/all/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch +bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch # ABI maintenance
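Review bot: In the debian/changelog hunk the new entry is wrapped the same way as the preceding netlabel and binfmt_elf entries (description on the first line, CVE identifier on the indented continuation line), so the style is consistent. The trailer line `-- Salvatore Bonaccorso Thu, 28 May 2020 23:02:30 +0200` still carries the date of the earlier entries while this commit is dated 5 June; since the stanza is marked UNRELEASED that is expected, but the trailer needs to be refreshed when the upload is finalised so the timestamp reflects the release.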
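Review bot: In the kernel/relay.c hunk inside the new patch file, the cleanup on the error path is complete: the context shows that between the preceding `return NULL;` and `chan->buf = alloc_percpu(struct rchan_buf *);` nothing else is allocated or initialised, so `kfree(chan); return NULL;` releases everything this function owns at that point, and the `return NULL` matches the existing failure convention one line above, which the callers in the quoted trace (`__blk_trace_setup`, `blk_trace_setup`) must already handle. The patch header is in DEP-3 form with `Origin:` pointing at the upstream commit and `Bug-Debian-Security:` at the tracker entry, and the `Fixes: 017c59c042d0` tag combined with the `[4.10+]` stable marker confirms the fix is in range for this 4.19 tree. One detail to check against the Origin commit: the `Cc: [4.10+]` line as shown carries no address, so the stable mailing-list address that normally precedes the version range appears to have been dropped from the header.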
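Review bot: In the debian/patches/series hunk the new entry `bugfix/all/kernel-relay.c-handle-alloc_percpu-returning-NULL-in.patch` is appended directly after the fs-binfmt_elf.c patch and before the `# ABI maintenance` marker, which keeps the security fixes grouped together in changelog order and ahead of the ABI section; the file name matches the path created in the same commit, so the series will resolve.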