Release linux (4.19.98-1+deb10u1).

-----BEGIN PGP SIGNATURE----- iQKmBAABCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl6maCdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EBtYP/1W8Y1dU9kCrJyK3Nz+HFwEKoe/ha1+t vcjf4E1TOSUh30eaKaD6GVBp7iCK/tGDBxyfUerDltmilVRDt7f9mE/4CFt3e26y S4DtsI5paoL1O/1uqbpG+53E5TPDw7CCJNkZ22/vjK++YzToaOjJIsTtZnHNNYwd nMYtGqhn95NiZ//nNsV4wgSF9vXIgWuWvAEY80KdmfBYUVicUz8HyZB9Q5ErH1e7 /Fi9n7U/0F+PgcZSyLhS9vwlMY36HuuemYYMBzN48J2xL/73ttwoe0MU4Aieu1yX iVMsrVc/X5JWjHiSpsrExCYvHrRXG9v4kWMOs+piD1yFi7oxD/fNy+043jJqmyOV hu+3RX6BkNrw1jhLzDRYbOTz8Z09BXrUnXhyWLD5Z1ZgM1K5tQV0vCsiZBqyBHTK owSVaOSDxHWTa9zSmIDTMPN6ljaQML2G1lF6F+AUKg4hqqjydlikgpJGSmjfs3Pd YN2I9rfCpSuovYIUQXl38g4yLZC5onhEzLqFBBfxHJClND/nf27HARs6c0f72RlU 6aHrPgZpj2JPE/r1PoUej4lyhIbFzdJIOf2b26ZUvQC+sMUsxE0SonpFQqjDZggJ cAqM5p80gbR8zGtBStwGGo0QljHdHbrzbnYfNQC/uGph0uYTvL+6BscUzO+RnYmx 9hKy2cqOWLez =akKy -----END PGP SIGNATURE----- Merge tag 'debian/4.19.98-1+deb10u1' into buster Release linux (4.19.98-1+deb10u1).
2020-04-28 23:07:38 +02:00 · 2020-04-28 23:07:38 +02:00 · c977ce99a1
parent f142b431b1 f6cd3dfc5b
commit c977ce99a1
3 changed files with 154 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,10 @@
+linux (4.19.118-2) UNRELEASED; urgency=medium
+
+  * Merge changes from 4.19.67-2+deb10u2 to include all security fixes from
+    DSA 4667-1.
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 28 Apr 2020 23:05:34 +0200
+
 linux (4.19.118-1) buster; urgency=medium

  * New upstream stable update:
@ -1842,6 +1849,20 @@ linux (4.19.118-1) buster; urgency=medium

 -- Ben Hutchings <benh@debian.org>  Sun, 26 Apr 2020 14:04:11 +0100

+linux (4.19.98-1+deb10u1) buster-security; urgency=high
+
+  * [x86] KVM: nVMX: Don't emulate instructions in guest mode (CVE-2020-2732)
+  * do_last(): fetch directory ->i_mode and ->i_uid before it's too late
+    (CVE-2020-8428)
+  * vfs: fix do_last() regression
+  * vhost: Check docket sk_family instead of call getname (CVE-2020-10942)
+  * mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
+    (CVE-2020-11565)
+  * [s390x] mm: fix page table upgrade vs 2ndary address mode accesses
+    (CVE-2020-11884)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 27 Apr 2020 07:05:39 +0200
+
 linux (4.19.98-1) buster; urgency=medium

  * New upstream stable update:
--- a/debian/patches/bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch
+++ b/debian/patches/bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch
@ -0,0 +1,132 @@
+From 54324ebc2ae2c404f1fe97050af832f0a031287e Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Wed, 15 Apr 2020 15:21:01 +0200
+Subject: [PATCH] s390/mm: fix page table upgrade vs 2ndary address mode
+ accesses
+
+A page table upgrade in a kernel section that uses secondary address
+mode will mess up the kernel instructions as follows:
+
+Consider the following scenario: two threads are sharing memory.
+On CPU1 thread 1 does e.g. strnlen_user().  That gets to
+        old_fs = enable_sacf_uaccess();
+        len = strnlen_user_srst(src, size);
+and
+                "   la    %2,0(%1)\n"
+                "   la    %3,0(%0,%1)\n"
+                "   slgr  %0,%0\n"
+                "   sacf  256\n"
+                "0: srst  %3,%2\n"
+in strnlen_user_srst().  At that point we are in secondary space mode,
+control register 1 points to kernel page table and instruction fetching
+happens via c1, rather than usual c13.  Interrupts are not disabled, for
+obvious reasons.
+
+On CPU2 thread 2 does MAP_FIXED mmap(), forcing the upgrade of page table
+from 3-level to e.g. 4-level one.  We'd allocated new top-level table,
+set it up and now we hit this:
+                notify = 1;
+                spin_unlock_bh(&mm->page_table_lock);
+        }
+        if (notify)
+                on_each_cpu(__crst_table_upgrade, mm, 0);
+OK, we need to actually change over to use of new page table and we
+need that to happen in all threads that are currently running.  Which
+happens to include the thread 1.  IPI is delivered and we have
+static void __crst_table_upgrade(void *arg)
+{
+        struct mm_struct *mm = arg;
+
+        if (current->active_mm == mm)
+                set_user_asce(mm);
+        __tlb_flush_local();
+}
+run on CPU1.  That does
+static inline void set_user_asce(struct mm_struct *mm)
+{
+        S390_lowcore.user_asce = mm->context.asce;
+OK, user page table address updated...
+        __ctl_load(S390_lowcore.user_asce, 1, 1);
+... and control register 1 set to it.
+        clear_cpu_flag(CIF_ASCE_PRIMARY);
+}
+
+IPI is run in home space mode, so it's fine - insns are fetched
+using c13, which always points to kernel page table.  But as soon
+as we return from the interrupt, previous PSW is restored, putting
+CPU1 back into secondary space mode, at which point we no longer
+get the kernel instructions from the kernel mapping.
+
+The fix is to only fixup the control registers that are currently in use
+for user processes during the page table update.  We must also disable
+interrupts in enable_sacf_uaccess to synchronize the cr and
+thread.mm_segment updates against the on_each-cpu.
+
+Fixes: 0aaba41b58bc ("s390: remove all code using the access register mode")
+Cc: stable@vger.kernel.org # 4.15+
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+References: CVE-2020-11884
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+---
+ arch/s390/lib/uaccess.c |  4 ++++
+ arch/s390/mm/pgalloc.c  | 16 ++++++++++++++--
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/lib/uaccess.c b/arch/s390/lib/uaccess.c
+index c4f8039a35e8..0267405ab7c6 100644
+--- a/arch/s390/lib/uaccess.c
+++ b/arch/s390/lib/uaccess.c
+@@ -64,10 +64,13 @@ mm_segment_t enable_sacf_uaccess(void)
+ {
+ 	mm_segment_t old_fs;
+ 	unsigned long asce, cr;
+	unsigned long flags;
+ 
+ 	old_fs = current->thread.mm_segment;
+ 	if (old_fs & 1)
+ 		return old_fs;
+	/* protect against a concurrent page table upgrade */
+	local_irq_save(flags);
+ 	current->thread.mm_segment |= 1;
+ 	asce = S390_lowcore.kernel_asce;
+ 	if (likely(old_fs == USER_DS)) {
+@@ -83,6 +86,7 @@ mm_segment_t enable_sacf_uaccess(void)
+ 		__ctl_load(asce, 7, 7);
+ 		set_cpu_flag(CIF_ASCE_SECONDARY);
+ 	}
+	local_irq_restore(flags);
+ 	return old_fs;
+ }
+ EXPORT_SYMBOL(enable_sacf_uaccess);
+diff --git a/arch/s390/mm/pgalloc.c b/arch/s390/mm/pgalloc.c
+index 498c98a312f4..fff169d64711 100644
+--- a/arch/s390/mm/pgalloc.c
+++ b/arch/s390/mm/pgalloc.c
+@@ -70,8 +70,20 @@ static void __crst_table_upgrade(void *arg)
+ {
+ 	struct mm_struct *mm = arg;
+ 
+-	if (current->active_mm == mm)
+-		set_user_asce(mm);
+	/* we must change all active ASCEs to avoid the creation of new TLBs */
+	if (current->active_mm == mm) {
+		S390_lowcore.user_asce = mm->context.asce;
+		if (current->thread.mm_segment == USER_DS) {
+			__ctl_load(S390_lowcore.user_asce, 1, 1);
+			/* Mark user-ASCE present in CR1 */
+			clear_cpu_flag(CIF_ASCE_PRIMARY);
+		}
+		if (current->thread.mm_segment == USER_DS_SACF) {
+			__ctl_load(S390_lowcore.user_asce, 7, 7);
+			/* enable_sacf_uaccess does all or nothing */
+			WARN_ON(!test_cpu_flag(CIF_ASCE_SECONDARY));
+		}
+	}
+ 	__tlb_flush_local();
+ }
+ 
+-- 
+2.25.2
+
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -299,5 +299,6 @@ bugfix/all/net-ipv6-add-net-argument-to-ip6_dst_lookup_flow.patch
 bugfix/all/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch
 bugfix/all/blktrace-protect-q-blk_trace-with-rcu.patch
 bugfix/all/blktrace-fix-dereference-after-null-check.patch
+bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch

 # ABI maintenance