From 5e10c473f431ad5b62671ce600b782b18136f2ee Mon Sep 17 00:00:00 2001 From: "GONG, Ruiqi" Date: Mon, 27 Feb 2023 12:08:04 +0000 Subject: [PATCH 1/4] selinux: further adjust init order for file_alloc_security hook hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DRJ1 CVE: NA ---------------------------------------- After backporting commit cfff75d8973a ("selinux: reorder hooks to make runtime disable less broken") to the 4.19 kernel of openEuler-1.0-LTS, another kernel panic was triggered by running the POC of the aforementioned commit: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 PGD 800000001840b067 P4D 800000001840b067 PUD 1840c067 PMD 0 Oops: 0002 [#1] SMP PTI CPU: 7 PID: 273 Comm: exe Tainted: G OE 4.19.90+ #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:selinux_file_open+0x49/0xf0 Code: 00 00 00 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 4c 89 e7 e8 a6 ec ff ff 49 8b 44 24 38 48 c7 c7 e0 a5 13 97 8b 40 1c <89> 45 08 e8 6f 80 ff ff ba 02 00 00 00 89 45 0c 8b 43 44 8b 73 40 RSP: 0018:ffffbb7300867ba0 EFLAGS: 00010246 RAX: 0000000000000003 RBX: ffff9dc301961400 RCX: 00000000000081ed RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffff9713a5e0 RBP: 0000000000000000 R08: 0000000000000001 R09: ffff9dc301fedcb0 R10: 0000000000000007 R11: 7fffffffffffffff R12: ffff9dc30204fd70 R13: 0000000000000000 R14: ffff9dc301961410 R15: ffffbb7300867c70 FS: 0000000000d258c0(0000) GS:ffff9dc33e9c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 00000000022bc000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? generic_permission+0x10a/0x190 security_file_open+0x26/0x90 do_dentry_open+0xd9/0x380 do_last+0x197/0x8d0 path_openat+0x89/0x280 do_filp_open+0x91/0x100 do_open_execat+0x79/0x180 __do_execve_file.isra.0+0x6dd/0x8b0 __x64_sys_execve+0x35/0x40 do_syscall_64+0x63/0x250 ? async_page_fault+0x8/0x30 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x49a5db Code: 41 89 01 eb da 66 2e 0f 1f 84 00 00 00 00 00 f7 d8 64 41 89 01 eb d6 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 3b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe7b1cebd8 EFLAGS: 00000246 ORIG_RAX: 000000000000003b RAX: ffffffffffffffda RBX: 0000000000d27ee0 RCX: 000000000049a5db RDX: 0000000000d27f08 RSI: 0000000000d27ee0 RDI: 0000000000d27f48 RBP: 0000000000d27f48 R08: fefefefefefefeff R09: fefefeff666d686f R10: 0000000000d25b90 R11: 0000000000000246 R12: 0000000000d27f08 R13: 0000000000655894 R14: 0000000000d27f08 R15: 0000000000d26ed0 Modules linked in: e1000(OE) CR2: 0000000000000008 ---[ end trace e4eb884974c22e2d ]--- RIP: 0010:selinux_file_open+0x49/0xf0 Code: 00 00 00 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 4c 89 e7 e8 a6 ec ff ff 49 8b 44 24 38 48 c7 c7 e0 a5 13 97 8b 40 1c <89> 45 08 e8 6f 80 ff ff ba 02 00 00 00 89 45 0c 8b 43 44 8b 73 40 RSP: 0018:ffffbb7300867ba0 EFLAGS: 00010246 RAX: 0000000000000003 RBX: ffff9dc301961400 RCX: 00000000000081ed RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffff9713a5e0 RBP: 0000000000000000 R08: 0000000000000001 R09: ffff9dc301fedcb0 R10: 0000000000000007 R11: 7fffffffffffffff R12: ffff9dc30204fd70 R13: 0000000000000000 R14: ffff9dc301961410 R15: ffffbb7300867c70 FS: 0000000000d258c0(0000) GS:ffff9dc33e9c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 00000000022bc000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x14400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- The problem was caused by selinux_file_open() accessing a file's fsec being NULL, which indicated that the file_alloc_security hook should be deleted later (at least after the file_open hook) when disabling SELinux at runtime. Here I put it into the "allocating" part. Fixes: 87d41806ccde ("selinux: reorder hooks to make runtime disable less broken") Signed-off-by: GONG, Ruiqi Reviewed-by: Wang Weiyang Reviewed-by: Xiu Jianfeng Signed-off-by: Yongqiang Liu --- security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index cd26c1199353..85ac12d6b2f4 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7040,7 +7040,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), LSM_HOOK_INIT(file_permission, selinux_file_permission), - LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), LSM_HOOK_INIT(file_free_security, selinux_file_free_security), LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), LSM_HOOK_INIT(mmap_file, selinux_mmap_file), @@ -7207,6 +7206,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), + LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), -- Gitee From 2a72e51db13a2463f1bf314fa164cc0e25965efa Mon Sep 17 00:00:00 2001 From: "GONG, Ruiqi" Date: Mon, 27 Feb 2023 12:08:05 +0000 Subject: [PATCH 2/4] selinux: further adjust init order for cred_* hooks hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DRJ1 CVE: NA ---------------------------------------- After backporting commit cfff75d8973a ("selinux: reorder hooks to make runtime disable less broken") to the 4.19 kernel of openEuler-1.0-LTS, various kernel panic problems were still triggered by running the POC of the aforementioned commit. Here's a case from selinux_file_alloc_security(): BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 PGD 8000000002273067 P4D 8000000002273067 PUD 225c067 PMD 0 Oops: 0000 [#1] SMP PTI CPU: 0 PID: 299 Comm: exe Tainted: G OE 4.19.90+ #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:selinux_file_alloc_security+0x2a/0x50 Code: 0f 1f 44 00 00 55 be c0 80 60 00 53 48 89 fb 48 8b 3d c2 f3 98 01 65 48 8b 04 25 80 64 01 00 48 8b 80 b8 0a 00 00 48 8b 40 78 <8b> 68 04 e8 ce ce ee ff 48 85 c0 74 11 89 28 89 68 04 48 89 83 c0 RSP: 0018:ffffa3ff40967c48 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff94e881b6a600 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 00000000006080c0 RDI: ffff94e8811472c0 RBP: ffff94e881b6a600 R08: 0000000000000100 R09: 0000000000000000 R10: ffff94e881b6a600 R11: 0000000000000020 R12: ffff94e881b6a600 R13: 0000000000000041 R14: ffffa3ff40967d10 R15: ffff94e882202c80 FS: 00000000007d28c0(0000) GS:ffff94e8be800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000004 CR3: 0000000002862000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: security_file_alloc+0x22/0x40 __alloc_file+0x52/0x110 alloc_empty_file+0x41/0xb0 path_openat+0x43/0x280 do_filp_open+0x91/0x100 ? filemap_map_pages+0x424/0x460 ? do_fault+0x21b/0x4c0 do_open_execat+0x79/0x180 __do_execve_file.isra.0+0x6dd/0x8b0 __x64_sys_execve+0x35/0x40 do_syscall_64+0x63/0x250 ? async_page_fault+0x8/0x30 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x49a5db Code: 41 89 01 eb da 66 2e 0f 1f 84 00 00 00 00 00 f7 d8 64 41 89 01 eb d6 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 3b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffce51a0148 EFLAGS: 00000246 ORIG_RAX: 000000000000003b RAX: ffffffffffffffda RBX: 00000000007d4ee0 RCX: 000000000049a5db RDX: 00000000007d4f08 RSI: 00000000007d4ee0 RDI: 00000000007d4f48 RBP: 00000000007d4f48 R08: fefefefefefefeff R09: fefefeff666d686f R10: 00000000007d2b90 R11: 0000000000000246 R12: 00000000007d4f08 R13: 0000000000655894 R14: 00000000007d4f08 R15: 00000000007d3ed0 Modules linked in: e1000(OE) CR2: 0000000000000004 ---[ end trace 4a826955419bd28a ]--- RIP: 0010:selinux_file_alloc_security+0x2a/0x50 Code: 0f 1f 44 00 00 55 be c0 80 60 00 53 48 89 fb 48 8b 3d c2 f3 98 01 65 48 8b 04 25 80 64 01 00 48 8b 80 b8 0a 00 00 48 8b 40 78 <8b> 68 04 e8 ce ce ee ff 48 85 c0 74 11 89 28 89 68 04 48 89 83 c0 RSP: 0018:ffffa3ff40967c48 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff94e881b6a600 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 00000000006080c0 RDI: ffff94e8811472c0 RBP: ffff94e881b6a600 R08: 0000000000000100 R09: 0000000000000000 R10: ffff94e881b6a600 R11: 0000000000000020 R12: ffff94e881b6a600 R13: 0000000000000041 R14: ffffa3ff40967d10 R15: ffff94e882202c80 FS: 00000000007d28c0(0000) GS:ffff94e8be800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000004 CR3: 0000000002862000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x33400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- Another one from selinux_inode_alloc_security(): BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 PGD 8000000002187067 P4D 8000000002187067 PUD 2170067 PMD 0 Oops: 0000 [#1] SMP PTI CPU: 7 PID: 521 Comm: ping Tainted: G OE 4.19.90+ #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:selinux_inode_alloc_security+0x2a/0x80 Code: 0f 1f 44 00 00 55 be 40 80 60 00 53 48 89 fb 48 8b 3d 6a 0c 99 01 65 48 8b 04 25 80 64 01 00 48 8b 80 b8 0a 00 00 48 8b 40 78 <8b> 68 04 e8 6e e7 ee ff 48 85 c0 74 36 48 8d 50 08 c7 40 24 00 00 RSP: 0018:ffffbd7741077b08 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff95c48251e738 RCX: 0000000000000000 RDX: ffffffff85d11344 RSI: 0000000000608040 RDI: ffff95c481004380 RBP: ffff95c48251e738 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff95c48251e738 R13: ffff95c4822ac2c0 R14: ffffbd7741077dd0 R15: 0000000000000000 FS: 00000000018f08c0(0000) GS:ffff95c4be9c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000004 CR3: 00000000022dc000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: security_inode_alloc+0x2a/0x40 inode_init_always+0x1b9/0x1d0 alloc_inode+0x2f/0x90 new_inode_pseudo+0xd/0x60 new_inode+0x13/0x30 proc_pid_make_inode+0x18/0xb0 proc_pid_instantiate+0x1e/0x90 proc_pid_lookup+0x4e/0x80 proc_root_lookup+0x18/0x40 __lookup_slow+0x94/0x160 lookup_slow+0x36/0x50 walk_component+0x1c4/0x340 ? inode_permission+0x35/0x1a0 link_path_walk.part.0+0x1af/0x540 ? proc_ns_get_link+0xb0/0xb0 path_lookupat.isra.0+0x4e/0x230 filename_lookup+0xae/0x180 ? simple_attr_release+0x20/0x20 ? strncpy_from_user+0x47/0x160 do_readlinkat+0x5d/0x130 __x64_sys_readlink+0x1b/0x20 do_syscall_64+0x63/0x250 ? async_page_fault+0x8/0x30 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x5185e3 Code: 53 48 81 ec 00 10 00 00 48 83 0c 24 00 48 83 ec 08 ba 00 10 00 00 48 8d 3d f7 af 15 00 b8 59 00 00 00 48 89 e5 48 89 ee 0f 05 <3d> 00 f0 ff ff 77 5e 85 c0 7e 5a 0f b6 14 24 80 fa 5b 74 51 80 fa RSP: 002b:00007ffe7aa96960 EFLAGS: 00000206 ORIG_RAX: 0000000000000059 RAX: ffffffffffffffda RBX: 0000000000400770 RCX: 00000000005185e3 RDX: 0000000000001000 RSI: 00007ffe7aa96960 RDI: 00000000006735cd RBP: 00007ffe7aa96960 R08: 0000000000000003 R09: 00007ffe7aa97a64 R10: 0000000000671d9a R11: 0000000000000206 R12: 00007ffe7aa97b58 R13: 00007ffe7aa97b80 R14: 0000000000690018 R15: 0000000000000000 Modules linked in: e1000(OE) CR2: 0000000000000004 ---[ end trace a5121fc2d5201098 ]--- RIP: 0010:selinux_inode_alloc_security+0x2a/0x80 Code: 0f 1f 44 00 00 55 be 40 80 60 00 53 48 89 fb 48 8b 3d 6a 0c 99 01 65 48 8b 04 25 80 64 01 00 48 8b 80 b8 0a 00 00 48 8b 40 78 <8b> 68 04 e8 6e e7 ee ff 48 85 c0 74 36 48 8d 50 08 c7 40 24 00 00 RSP: 0018:ffffbd7741077b08 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff95c48251e738 RCX: 0000000000000000 RDX: ffffffff85d11344 RSI: 0000000000608040 RDI: ffff95c481004380 RBP: ffff95c48251e738 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff95c48251e738 R13: ffff95c4822ac2c0 R14: ffffbd7741077dd0 R15: 0000000000000000 FS: 00000000018f08c0(0000) GS:ffff95c4be9c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000004 CR3: 00000000022dc000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x3000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- These problems were all caused by accessing a credential's tsec being NULL. Given that many "allocating" hooks would access tsec as well (e.g. selinux_{key,bpf_{map,prog}}_alloc, selinux_ib_alloc_security etc), make a fourth block and move cred hooks of allocating tsec out there. Fixes: 87d41806ccde ("selinux: reorder hooks to make runtime disable less broken") Signed-off-by: GONG, Ruiqi Reviewed-by: Wang Weiyang Reviewed-by: Xiu Jianfeng Signed-off-by: Yongqiang Liu --- security/selinux/hooks.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 85ac12d6b2f4..3550ded07457 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7055,7 +7055,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_alloc, selinux_task_alloc), LSM_HOOK_INIT(cred_free, selinux_cred_free), - LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), @@ -7207,7 +7206,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), - LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), @@ -7232,6 +7230,12 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), #endif + + /* + * Hooks with tsec allocation should be kept until the really last + */ + LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), + LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), }; static __init int selinux_init(void) -- Gitee From 659039b1e0be01123f70747a791c02a07e83c6dc Mon Sep 17 00:00:00 2001 From: Zhong Jinghua Date: Mon, 27 Feb 2023 12:08:06 +0000 Subject: [PATCH 3/4] nbd: fix assignment error for first_minor in nbd_dev_add MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit hulk inclusion category: bugfix bugzilla: 188413, https://gitee.com/openeuler/kernel/issues/I6GWYG CVE: NA ---------------------------------------- A panic error is like below: nbd_genl_connect nbd_dev_add first_minor = index << part_shift; // index =-1 ... __device_add_disk blk_alloc_devt *devt = MKDEV(disk->major, disk->first_minor + part->partno); // part->partno = 0, first_minor = 11...110000 major is covered There, index < 0 will reassign an index, but here disk->first_minor is assigned -1 << part_shift. This causes to the creation of the device with the same major and minor device numbers each time the incoming index<0, and this will lead to creation of kobject failed: Warning: kobject_add_internal failed for 4095:1048544 with -EEXIST, don't try to register things with the same name in the same directory. Fix it by moving the first_minor assignment down to after getting the new index. Fixes: 01f7594e62e9 ("nbd: Fix use-after-free in blk_mq_free_rqs") Signed-off-by: Zhong Jinghua Reviewed-by: Yu Kuai Reviewed-by: Hou Tao Signed-off-by: Yongqiang Liu --- drivers/block/nbd.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 8dbbd676d275..551b2f7da8ef 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1706,7 +1706,6 @@ static int nbd_dev_add(int index) struct gendisk *disk; struct request_queue *q; int err = -ENOMEM; - int first_minor = index << part_shift; nbd = kzalloc(sizeof(struct nbd_device), GFP_KERNEL); if (!nbd) @@ -1770,7 +1769,7 @@ static int nbd_dev_add(int index) refcount_set(&nbd->refs, 1); INIT_LIST_HEAD(&nbd->list); disk->major = NBD_MAJOR; - disk->first_minor = first_minor; + disk->first_minor = index << part_shift; disk->fops = &nbd_fops; disk->private_data = nbd; sprintf(disk->disk_name, "nbd%d", index); -- Gitee From 387bf44c2b6fd56e9b6f2dea442778133729e1bb Mon Sep 17 00:00:00 2001 From: Jakub Kicinski Date: Tue, 28 Feb 2023 03:30:58 +0000 Subject: [PATCH 4/4] net: mpls: fix stale pointer if allocation fails during device rename stable inclusion from stable-v4.19.273 commit aa07c86e43ed8780d610ecfb2ce13da326729201 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6HZHU CVE: CVE-2023-26545 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=aa07c86e43ed8780d610ecfb2ce13da326729201 -------------------------------- commit fda6c89fe3d9aca073495a664e1d5aea28cd4377 upstream. lianhui reports that when MPLS fails to register the sysctl table under new location (during device rename) the old pointers won't get overwritten and may be freed again (double free). Handle this gracefully. The best option would be unregistering the MPLS from the device completely on failure, but unfortunately mpls_ifdown() can fail. So failing fully is also unreliable. Another option is to register the new table first then only remove old one if the new one succeeds. That requires more code, changes order of notifications and two tables may be visible at the same time. sysctl point is not used in the rest of the code - set to NULL on failures and skip unregister if already NULL. Reported-by: lianhui tang Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls") Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Zhengchao Shao Reviewed-by: Liu Jian Reviewed-by: Wang Weiyang Reviewed-by: Yue Haibing Signed-off-by: Yongqiang Liu --- net/mpls/af_mpls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c index 7623d9aec636..c7fd387baa61 100644 --- a/net/mpls/af_mpls.c +++ b/net/mpls/af_mpls.c @@ -1375,6 +1375,7 @@ static int mpls_dev_sysctl_register(struct net_device *dev, free: kfree(table); out: + mdev->sysctl = NULL; return -ENOBUFS; } @@ -1384,6 +1385,9 @@ static void mpls_dev_sysctl_unregister(struct net_device *dev, struct net *net = dev_net(dev); struct ctl_table *table; + if (!mdev->sysctl) + return; + table = mdev->sysctl->ctl_table_arg; unregister_net_sysctl_table(mdev->sysctl); kfree(table); -- Gitee