From 3cf17272168212b6e8369c7a58e25b26624d87f9 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Mon, 14 Nov 2022 20:16:30 +0100
Subject: [PATCH] backport a few fixes-fixes
Signed-off-by: Thomas Lamprecht
---
...or-block-being-out-of-directory-size.patch | 37 +++++++++++++++++
...ct-drm_gem_shmem_get_sg_table-error-.patch | 36 +++++++++++++++++
...les-relax-NFTA_SET_ELEM_KEY_END-set-.patch | 40 +++++++++++++++++++
3 files changed, 113 insertions(+)
create mode 100644 patches/kernel/0028-ext4-fix-check-for-block-being-out-of-directory-size.patch
create mode 100644 patches/kernel/0029-drm-virtio-Correct-drm_gem_shmem_get_sg_table-error-.patch
create mode 100644 patches/kernel/0030-netfilter-nf_tables-relax-NFTA_SET_ELEM_KEY_END-set-.patch
diff --git a/patches/kernel/0028-ext4-fix-check-for-block-being-out-of-directory-size.patch b/patches/kernel/0028-ext4-fix-check-for-block-being-out-of-directory-size.patch
new file mode 100644
index 0000000..e9dc9c9
--- /dev/null
+++ b/patches/kernel/0028-ext4-fix-check-for-block-being-out-of-directory-size.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Mon, 22 Aug 2022 13:48:32 +0200
+Subject: [PATCH] ext4: fix check for block being out of directory size
+
+commit 61a1d87a324ad5e3ed27c6699dfc93218fcf3201 upstream.
+
+The check in __ext4_read_dirblock() for block being outside of directory
+size was wrong because it compared block number against directory size
+in bytes. Fix it.
+
+Fixes: 65f8ea4cd57d ("ext4: check if directory block is within i_size")
+CVE: CVE-2022-1184
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara
+Reviewed-by: Lukas Czerner
+Link: https://lore.kernel.org/r/20220822114832.1482-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Thomas Lamprecht
+---
+ fs/ext4/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 7d3ec39121f7..86ee0e0eef67 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -126,7 +126,7 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode,
+ struct ext4_dir_entry *dirent;
+ int is_dx_block = 0;
+
+- if (block >= inode->i_size) {
++ if (block >= inode->i_size >> inode->i_blkbits) {
+ ext4_error_inode(inode, func, line, block,
+ "Attempting to read directory block (%u) that is past i_size (%llu)",
+ block, inode->i_size);
diff --git a/patches/kernel/0029-drm-virtio-Correct-drm_gem_shmem_get_sg_table-error-.patch b/patches/kernel/0029-drm-virtio-Correct-drm_gem_shmem_get_sg_table-error-.patch
new file mode 100644
index 0000000..ba40121
--- /dev/null
+++ b/patches/kernel/0029-drm-virtio-Correct-drm_gem_shmem_get_sg_table-error-.patch
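Review bot: In the fs/ext4/namei.c hunk of patch 0028, the new bound in `__ext4_read_dirblock()` leans on `>>` binding tighter than `>=`, and the error text beneath it still prints `inode->i_size` in bytes beside a block index. The comparison is correct as written, but explicit parentheses make the unit conversion obvious to the next reader: `if (block >= (inode->i_size >> inode->i_blkbits)) {`. Because this check is what rejects out-of-range directory blocks (the patch is tagged CVE-2022-1184), it would also help triage if the message reported the limit in blocks, or at least a comment noted that `%llu` is a byte count. The function body starts and ends outside the hunk.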
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Thu, 30 Jun 2022 23:07:18 +0300
+Subject: [PATCH] drm/virtio: Correct drm_gem_shmem_get_sg_table() error
+ handling
+
+[ Upstream commit 64b88afbd92fbf434759d1896a7cf705e1c00e79 ]
+
+Previous commit fixed checking of the ERR_PTR value returned by
+drm_gem_shmem_get_sg_table(), but it missed to zero out the shmem->pages,
+which will crash virtio_gpu_cleanup_object(). Add the missing zeroing of
+the shmem->pages.
+
+Fixes: c24968734abf ("drm/virtio: Fix NULL vs IS_ERR checking in virtio_gpu_object_shmem_init")
+Reviewed-by: Emil Velikov
+Signed-off-by: Dmitry Osipenko
+Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-2-dmitry.osipenko@collabora.com
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Sasha Levin
+Signed-off-by: Thomas Lamprecht
+---
+ drivers/gpu/drm/virtio/virtgpu_object.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_object.c b/drivers/gpu/drm/virtio/virtgpu_object.c
+index 9af9f355e0a7..826ba2222062 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_object.c
++++ b/drivers/gpu/drm/virtio/virtgpu_object.c
+@@ -169,6 +169,7 @@ static int virtio_gpu_object_shmem_init(struct virtio_gpu_device *vgdev,
+ shmem->pages = drm_gem_shmem_get_sg_table(&bo->base);
+ if (IS_ERR(shmem->pages)) {
+ drm_gem_shmem_unpin(&bo->base);
++ shmem->pages = NULL;
+ return PTR_ERR(shmem->pages);
+ }
+
diff --git a/patches/kernel/0030-netfilter-nf_tables-relax-NFTA_SET_ELEM_KEY_END-set-.patch b/patches/kernel/0030-netfilter-nf_tables-relax-NFTA_SET_ELEM_KEY_END-set-.patch
new file mode 100644
index 0000000..9f62524
--- /dev/null
+++ b/patches/kernel/0030-netfilter-nf_tables-relax-NFTA_SET_ELEM_KEY_END-set-.patch
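Review bot: In the virtgpu_object.c hunk of patch 0029, the added `shmem->pages = NULL;` sits before `return PTR_ERR(shmem->pages);`, so the return now evaluates `PTR_ERR(NULL)`, which is 0, and the failure path of `virtio_gpu_object_shmem_init()` reports success. A caller would then carry on with a NULL `pages` table it believes is valid, trading the cleanup crash named in the commit message for a likely NULL dereference or a silently broken object later. Save the error code before clearing the pointer, for example `ret = PTR_ERR(shmem->pages); shmem->pages = NULL; return ret;`. Whether a suitable `ret` local is already declared is not visible, since the function starts and ends outside the hunk.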
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 17 Oct 2022 14:12:58 +0200
+Subject: [PATCH] netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags
+ requirements
+
+[ Upstream commit 96df8360dbb435cc69f7c3c8db44bf8b1c24cd7b ]
+
+Otherwise EINVAL is bogusly reported to userspace when deleting a set
+element. NFTA_SET_ELEM_KEY_END does not need to be set in case of:
+
+- insertion: if not present, start key is used as end key.
+- deletion: only start key needs to be specified, end key is ignored.
+
+Hence, relax the sanity check.
+
+Fixes: 88cccd908d51 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Thomas Lamprecht
+---
+ net/netfilter/nf_tables_api.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 460ad341d160..f7a5b8414423 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5720,8 +5720,9 @@ static bool nft_setelem_valid_key_end(const struct nft_set *set,
+ (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
+ if (flags & NFT_SET_ELEM_INTERVAL_END)
+ return false;
+- if (!nla[NFTA_SET_ELEM_KEY_END] &&
+- !(flags & NFT_SET_ELEM_CATCHALL))
++
++ if (nla[NFTA_SET_ELEM_KEY_END] &&
++ flags & NFT_SET_ELEM_CATCHALL)
+ return false;
+ } else {
+ if (nla[NFTA_SET_ELEM_KEY_END])
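Review bot: In the nf_tables_api.c hunk of patch 0030, `nft_setelem_valid_key_end()` no longer guarantees that `nla[NFTA_SET_ELEM_KEY_END]` is present for sets carrying both NFT_SET_CONCAT and NFT_SET_INTERVAL, so every consumer that runs after it must tolerate a missing end key. The commit message says insertion falls back to the start key and deletion ignores the end key, but neither path is visible here; for a backport it is worth confirming that the target tree contains that fallback, since this validator checks attributes supplied by userspace. As a style point, the new condition relies on `&` binding tighter than `&&`, where the removed lines parenthesized the flag test; `flags & NFT_SET_ELEM_CATCHALL)` would read more safely as `(flags & NFT_SET_ELEM_CATCHALL))`. The function starts and ends outside the hunk.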