[PATCH] x86: apic: Fix parsing of lapic cmdline option

Including " lapic " in the kernel cmdline on an x86-64 kernel makes it panic while parsing early params -- e.g. with no user visible output. Fix this bug by ensuring arg is non-NULL before passing it to strncmp(). Signed-off-by: Mathias Krause Reported-by: PaX Team Cc: sta...@vger.

[PATCH 0/8] KVM: minor cleanups and optimizations

in a cache line together with data that gets written to. The latter should speed up the emulation of SSE register moves as the aligned variant of MOVDQ has lower latencies and higher throughput than the unaligned one. Regards, Mathias Krause (8): KVM: x86: minor size optimization KVM: x86

[PATCH 1/8] KVM: x86: minor size optimization

Some fields can be constified and/or made static to reduce code and data size. Numbers for a 32 bit build: textdata bss dec hex filename before: 3351 80 03431 d67 cpuid.o after: 3391 0 03391 d3f cpuid.o Signed-off-by: Mathias

[PATCH 4/8] KVM: x86: constify emulate_ops

We never change emulate_ops[] at runtime so it should be r/o. Signed-off-by: Mathias Krause --- arch/x86/include/asm/kvm_emulate.h |2 +- arch/x86/kvm/emulate.c | 22 +++--- arch/x86/kvm/x86.c |2 +- 3 files changed, 13 insertions(+), 13

[PATCH 5/8] KVM: x86: constify read_write_emulator_ops

We never change those, make them r/o. Signed-off-by: Mathias Krause --- arch/x86/kvm/x86.c |8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index f8b0148..79ac03c 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c

[PATCH 6/8] KVM: x86: more constification

Signed-off-by: Mathias Krause --- arch/x86/kvm/lapic.c |2 +- arch/x86/kvm/x86.c |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index 18d149d..07ad628 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c

[PATCH 7/8] KVM: VMX: constify lookup tables

We use vmcs_field_to_offset_table[], kvm_vmx_segment_fields[] and kvm_vmx_exit_handlers[] as lookup tables only -- make them r/o. Signed-off-by: Mathias Krause --- arch/x86/kvm/vmx.c | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/arch/x86/kvm/vmx.c b/arch

[PATCH 8/8] KVM: SVM: constify lookup tables

We never modify direct_access_msrs[], msrpm_ranges[], svm_exit_handlers[] or x86_intercept_map[] at runtime. Mark them r/o. Signed-off-by: Mathias Krause Cc: Joerg Roedel --- arch/x86/kvm/svm.c |8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/kvm/svm.c b

[PATCH 2/8] KVM: x86 emulator: use aligned variants of SSE register ops

As the the compiler ensures that the memory operand is always aligned to a 16 byte memory location, use the aligned variant of MOVDQ for read_sse_reg() and write_sse_reg(). Signed-off-by: Mathias Krause --- arch/x86/kvm/emulate.c | 64 1 file

[PATCH 3/8] KVM: x86: mark opcode tables const

The opcode tables never change at runtime, therefor mark them const. Signed-off-by: Mathias Krause --- arch/x86/kvm/emulate.c | 40 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index

[PATCH 0/7] x86: fix sparse warnings

, Mathias Krause (7): x86: fix __user annotations in asm/sys_ia32.h x86, vdso: add __user annotation to VDSO32_SYMBOL x86: ia32_signal.c: add __user casts to fix sparse warnings x86, probe_roms: add missing __iomem annotation to pci_map_biosrom() x86, xsave: keep __user annotation in casts

[PATCH 3/7] x86: ia32_signal.c: add __user casts to fix sparse warnings

of expression ia32_signal.c:532:17: warning: cast removes address space of expression Signed-off-by: Mathias Krause --- arch/x86/ia32/ia32_signal.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c index

[PATCH 7/7] x86, iommu: use NULL instead of plain 0 for __IOMMU_INIT

IOMMU_INIT_POST and IOMMU_INIT_POST_FINISH pass the plain value 0 instead of NULL to __IOMMU_INIT. Fix this and make sparse happy by doing so. Signed-off-by: Mathias Krause --- arch/x86/include/asm/iommu_table.h |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86

[PATCH 4/7] x86, probe_roms: add missing __iomem annotation to pci_map_biosrom()

Stay in sync with the declaration and fix the corresponding sparse warnings. Cc: Dan Williams Signed-off-by: Mathias Krause --- arch/x86/kernel/probe_roms.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/probe_roms.c b/arch/x86/kernel/probe_roms.c index

[PATCH 1/7] x86: fix __user annotations in asm/sys_ia32.h

sparse warnings but missed that one. Cc: Jaswinder Singh Rajput Signed-off-by: Mathias Krause --- arch/x86/ia32/sys_ia32.c|2 +- arch/x86/include/asm/sys_ia32.h |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c

[PATCH 5/7] x86, xsave: keep __user annotation in casts

ce of expression xsave.c:135:15: warning: cast removes address space of expression xsave.c:135:15: warning: cast removes address space of expression xsave.c:135:15: warning: cast removes address space of expression Signed-off-by: Mathias Krause --- arch/x86/kernel/xsave.c |6 +++--- 1 file chang

[PATCH 6/7] x86, iommu: drop duplicate const in __IOMMU_INIT

It's redundant and makes sparse complain about it. Signed-off-by: Mathias Krause --- arch/x86/include/asm/iommu_table.h |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/include/asm/iommu_table.h b/arch/x86/include/asm/iommu_table.h index f229b13..bbf8fb2 1

[PATCH 2/7] x86, vdso: add __user annotation to VDSO32_SYMBOL

The address calculated by VDSO32_SYMBOL() is a pointer into userland. Add the __user annotation to fix related sparse warnings in its users. Signed-off-by: Mathias Krause --- arch/x86/include/asm/vdso.h |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/include

[PATCH] PCI: drop duplicate const in DECLARE_PCI_FIXUP_SECTION

It's redundant and makes sparse complain about it. Signed-off-by: Mathias Krause --- include/linux/pci.h |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/pci.h b/include/linux/pci.h index 5faa831..aee24a8 100644 --- a/include/linux/pci.h +++ b/include/

Re: [PATCH 2/8] KVM: x86 emulator: use aligned variants of SSE register ops

On Tue, Sep 4, 2012 at 2:13 PM, Avi Kivity wrote: > On 09/04/2012 03:09 PM, Avi Kivity wrote: >> On 08/30/2012 02:30 AM, Mathias Krause wrote: >>> As the the compiler ensures that the memory operand is always aligned >>> to a 16 byte memory location, >> >>

[PATCH] xfrm_user: return error pointer instead of NULL

escalation (execution of user code in kernel context) if the attacker has CAP_NET_ADMIN and is able to map address 0. Cc: sta...@vger.kernel.org Signed-off-by: Mathias Krause --- A test case can be provided on request. net/xfrm/xfrm_user.c |6 -- 1 file changed, 4 insertions(+), 2 deletions

[PATCH] xfrm_user: return error pointer instead of NULL #2

-off-by: Mathias Krause --- Note, this is a different, but similar issue as my previous patch with the almost same subject. I'm not aware of a way how to exploit this bug as the policy *should* always fit into the netlink buffer but better safe then sorry, so cc stable. net/xfrm/xfrm_u

Re: [PATCH 0/6] xfrm_user info leaks

On Fri, Sep 21, 2012 at 12:09 AM, David Miller wrote: > From: Mathias Krause > Date: Wed, 19 Sep 2012 23:33:37 +0200 > >> the following series fixes various info leaks in the xfrm netlink >> interface. As always, a test case can be supplied on request. >> >> Pat

Re: [PATCH] PCI: drop duplicate const in DECLARE_PCI_FIXUP_SECTION

On Sun, Sep 2, 2012 at 11:37 PM, Mathias Krause wrote: > It's redundant and makes sparse complain about it. > > Signed-off-by: Mathias Krause > --- > include/linux/pci.h |2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/linux/pci.h

Re: Linux 3.6-rc5

On Sun, Sep 09, 2012 at 12:19:58PM -0700, Herbert Xu wrote: > On Sun, Sep 09, 2012 at 11:13:02AM +0200, Romain Francoise wrote: > > Still seeing this BUG with -rc5, that I originally reported here: > > http://marc.info/?l=linux-crypto-vger&m=134653220530264&w=2 > > > > [ 26.362567] [

Re: Linux 3.6-rc5

On Sun, Sep 09, 2012 at 02:00:00PM -0700, Herbert Xu wrote: > On Sun, Sep 09, 2012 at 10:09:10PM +0200, Mathias Krause wrote: > > > > It happens with the C variants of SHA1 and AES, too. You can easily > > trigger the bug with Steffen's crconf[1]: > > > &g

Re: [ 35/95] dccp: check ccid before dereferencing

Hi Ben, On Mon, Sep 10, 2012 at 12:42 AM, Ben Hutchings wrote: > 3.2-stable review patch. If anyone has any objections, please let me know. No objections, but could you please consider including the following commits, too?: e862f1a atm: fix info leak in getsockopt(SO_ATMPVC) 3c0c5cf atm: f

Re: [ 35/95] dccp: check ccid before dereferencing

On Mon, Sep 10, 2012 at 8:47 AM, David Miller wrote: > From: Mathias Krause > Date: Mon, 10 Sep 2012 08:17:06 +0200 > >> Hi Ben, >> >> On Mon, Sep 10, 2012 at 12:42 AM, Ben Hutchings wrote: >>> 3.2-stable review patch. If anyone has any objections, please l

Re: Latest 3.6.6 are not compiling due tg3 network driver, hwmon_device_unregister

On Thu, Nov 15, 2012 at 07:22:20AM +, Nithin Sujir wrote: > > On Wed, 14 Nov 2012, Nithin Nayak Sujir wrote: > > > > > This was fixed by > > > > > > commit de0a41484c47d783dd4d442914815076aa2caac2 > > > Author: Paul Gortmaker > > > Date: Mon Oct 1 11:43:49 2012 -0400 > > > > > > tg3: un

[PATCH] module: don't modify argument of module_kallsyms_lookup_name()

gument and operate on a copy instead in case we need to split the string. Signed-off-by: Mathias Krause --- kernel/module.c |9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/kernel/module.c b/kernel/module.c index cab4bce..5ce0784 100644 --- a/kernel/module.c ++

[PATCH v2] module: don't modify argument of module_kallsyms_lookup_name()

string in module_kallsyms_lookup_name(), modify find_module_all() instead to pass it the module name length. Signed-off-by: Mathias Krause --- v2: - don't use kstrdup(), pass the string length to find_module_all() as suggested by Rusty kernel/module.c | 15 +++ 1 file changed, 7 i

[PATCH v2] x86, mce: fix "braodcast" typo

Fix the typo in MCJ_IRQ_BRAODCAST. Signed-off-by: Mathias Krause --- arch/x86/include/asm/mce.h |2 +- arch/x86/kernel/cpu/mcheck/mce-inject.c |4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/x86/include/asm/mce.h b/arch/x86/include/asm/mce.h

Re: [PATCH v2] module: don't modify argument of module_kallsyms_lookup_name()

On 16 June 2013 04:35, Rusty Russell wrote: > Mathias Krause writes: >> If we pass a pointer to a const string in the form "module:symbol" >> module_kallsyms_lookup_name() will try to split the string at the colon, >> i.e., will try to modify r/o data. That

[PATCH] kprobes: handle empty/invalid input to debugfs "enabled" file

andling invalid/empty input as error returning -EINVAL. Cc: Ananth N Mavinakayanahalli Cc: Anil S Keshavamurthy Cc: "David S. Miller" Cc: Masami Hiramatsu Cc: Andrew Morton Signed-off-by: Mathias Krause --- kernel/kprobes.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/

[PATCH] debugfs: write_file_bool() - ensure strtobool() operates on valid data

In case, userland writes an empty string to a bool debugfs file, buf[] will still be uninitialized when being passed to strtobool() making the outcome of that function purely random. Fix this by always zero-terminating the buffer. Signed-off-by: Mathias Krause --- fs/debugfs/file.c |1 + 1

[PATCH] ARM: fix typo in is_gate_vma() macro

Commit a5463cd3 "ARM: make vectors page inaccessible from userspace" introduced a typo making arch_vma_name() always return "[vectors]". Fix up that regression (of the hush-hush security fix). Signed-off-by: Mathias Krause --- arch/arm/kernel/process.c |2 +- 1 file

Re: user ns: arbitrary module loading

On Sun, Mar 03, 2013 at 09:48:50AM -0800, Kees Cook wrote: > Several subsystems already have an implicit subsystem restriction > because they load with aliases. (e.g. binfmt-, net-pf=NNN, > snd-card-NNN, FOO-iosched, etc). This isn't the case for filesystems > and a few others, unfortunately: >

Re: [kernel-hardening] [PATCH 4/6] x86: kaslr: select random base offset

On Thu, Apr 25, 2013 at 11:54 PM, Kees Cook wrote: > Select a random location when CONFIG_RANDOMIZE_BASE is used, bounded > by CONFIG_RANDOMIZE_BASE_MAX_OFFSET. Sources of randomness currently > include RDRAND and RDTSC. > > Signed-off-by: Kees Cook > --- > arch/x86/Kconfig| 29

Re: [PATCH] xfrm_user: return error pointer instead of NULL

On Mon, Sep 17, 2012 at 9:16 AM, Steffen Klassert wrote: > On Thu, Sep 13, 2012 at 11:41:26PM +0200, Mathias Krause wrote: >> When dump_one_state() returns an error, e.g. because of a too small >> buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL >>

[PATCH 3/6] xfrm_user: fix info leak in copy_to_user_policy()

The memory reserved to dump the xfrm policy includes multiple padding bytes added by the compiler for alignment (padding bytes in struct xfrm_selector and struct xfrm_userpolicy_info). Add an explicit memset(0) before filling the buffer to avoid the heap info leak. Signed-off-by: Mathias Krause

[PATCH 6/6] xfrm_user: don't copy esn replay window twice for new states

The ESN replay window was already fully initialized in xfrm_alloc_replay_state_esn(). No need to copy it again. Cc: Steffen Klassert Signed-off-by: Mathias Krause --- net/xfrm/xfrm_user.c |9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/xfrm/xfrm_user.c b/net

[PATCH 5/6] xfrm_user: ensure user supplied esn replay window is valid

For state updates the full bitmap must be supplied. Cc: Steffen Klassert Cc: Martin Willi Signed-off-by: Mathias Krause --- net/xfrm/xfrm_user.c | 27 +-- 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c in

[PATCH 0/6] xfrm_user info leaks

upper limit for the replay window size. But I'll leave implementing this to someone else. ;) Mathias Krause (6): xfrm_user: fix info leak in copy_to_user_auth() xfrm_user: fix info leak in copy_to_user_state() xfrm_user: fix info leak in copy_to_user_policy() xfrm_user: fix in

[PATCH 1/6] xfrm_user: fix info leak in copy_to_user_auth()

copy_to_user_auth() fails to initialize the remainder of alg_name and therefore discloses up to 54 bytes of heap memory via netlink to userland. Use strncpy() instead of strcpy() to fill the trailing bytes of alg_name with null bytes. Signed-off-by: Mathias Krause --- net/xfrm/xfrm_user.c

[PATCH 4/6] xfrm_user: fix info leak in copy_to_user_tmpl()

patch by Brad Spengler. Cc: Brad Spengler Signed-off-by: Mathias Krause --- net/xfrm/xfrm_user.c |1 + 1 file changed, 1 insertion(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 7511427..9f1e749 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1423,6

[PATCH 2/6] xfrm_user: fix info leak in copy_to_user_state()

The memory reserved to dump the xfrm state includes the padding bytes of struct xfrm_usersa_info added by the compiler for alignment (7 for amd64, 3 for i386). Add an explicit memset(0) before filling the buffer to avoid the info leak. Signed-off-by: Mathias Krause --- net/xfrm/xfrm_user.c

Re: [PATCH 5/6] xfrm_user: ensure user supplied esn replay window is valid

On Thu, Sep 20, 2012 at 12:38 AM, Ben Hutchings wrote: > On Wed, 2012-09-19 at 23:33 +0200, Mathias Krause wrote: >> The current code fails to ensure that the netlink message actually >> contains as many bytes as the header indicates. If a user creates a new >> state or up

[PATCH v2] xfrm_user: ensure user supplied esn replay window is valid

For state updates the full bitmap must be supplied. While at it, fix xfrm_replay_state_esn_len() to return size_t instead of int as it calculates a length and all users expect the return value to be positive. Cc: Steffen Klassert Cc: Martin Willi Cc: Ben Hutchings Signed-off-by: Mathias Kra

Re: [PATCH 5/6] xfrm_user: ensure user supplied esn replay window is valid

On Thu, Sep 20, 2012 at 8:12 AM, Mathias Krause wrote: > What still might happen is the overflow in xfrm_replay_state_esn_len() > resulting in a to small bitmap allocation for the requested replay > size. But that gets catched in xfrm_init_replay(). Little late, but > hey. Sorry, I m

Re: [PATCH 5/6] xfrm_user: ensure user supplied esn replay window is valid

On Thu, Sep 20, 2012 at 9:05 AM, Steffen Klassert wrote: > On Thu, Sep 20, 2012 at 08:12:11AM +0200, Mathias Krause wrote: >> On Thu, Sep 20, 2012 at 12:38 AM, Ben Hutchings >> wrote: >> > On Wed, 2012-09-19 at 23:33 +0200, Mathias Krause wrote: >> >>

[PATCH v3 5/7] xfrm_user: ensure user supplied esn replay window is valid

s a default replay window size of 64). Cc: Steffen Klassert Cc: Martin Willi Cc: Ben Hutchings Signed-off-by: Mathias Krause --- v3: - revert size_t change to xfrm_replay_state_esn_len() (requested by Steffen) - switch to int types for lengths (suggested by Ben) - implement 4096 packets limit for

[PATCH 10/14] llc: fix info leak via getsockname()

the socket is zapped to prevent the info leak. Also remove the unnecessary memset(0). We don't directly write to the memory pointed by uaddr but memcpy() a local structure at the end of the function that is properly initialized. Signed-off-by: Mathias Krause Cc: Arnaldo Carvalho de Melo --- n

[PATCH 12/14] dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO)

. Signed-off-by: Mathias Krause Cc: Gerrit Renker --- net/dccp/ccids/ccid3.c |1 + 1 file changed, 1 insertion(+) diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c index d65e987..119c043 100644 --- a/net/dccp/ccids/ccid3.c +++ b/net/dccp/ccids/ccid3.c @@ -535,6 +535,7 @@ static int

[PATCH 14/14] net: fix info leak in compat dev_ifconf()

(0) before filling the structure to avoid the info leak. Signed-off-by: Mathias Krause --- net/socket.c |1 + 1 file changed, 1 insertion(+) diff --git a/net/socket.c b/net/socket.c index dfe5b66..a5471f8 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2657,6 +2657,7 @@ static int dev_ifconf

[PATCH 06/14] Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)

uninitialized kernel heap memory. Allocate the memory using kzalloc() to fix this issue. Signed-off-by: Mathias Krause Cc: Marcel Holtmann Cc: Gustavo Padovan Cc: Johan Hedberg --- net/bluetooth/rfcomm/tty.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth

[PATCH 13/14] ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)

__ip_vs_get_timeouts() to avoid the info leak. Signed-off-by: Mathias Krause Cc: Wensong Zhang Cc: Simon Horman Cc: Julian Anastasov --- net/netfilter/ipvs/ip_vs_ctl.c |1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index 8dd..72bf32a

[PATCH 11/14] dccp: check ccid before dereferencing

ccid_hc_rx_getsockopt() and ccid_hc_tx_getsockopt() might be called with a NULL ccid pointer leading to a NULL pointer dereference. This could lead to a privilege escalation if the attacker is able to map page 0 and prepare it with a fake ccid_ops pointer. Signed-off-by: Mathias Krause Cc

[PATCH 09/14] l2tp: fix info leak via getsockname()

The L2TP code for IPv6 fails to initialize the l2tp_unused member of struct sockaddr_l2tpip6 and that for leaks two bytes kernel stack via the getsockname() syscall. Initialize l2tp_unused with 0 to avoid the info leak. Signed-off-by: Mathias Krause Cc: James Chapman --- net/l2tp/l2tp_ip6.c

[PATCH 03/14] Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)

The HCI code fails to initialize the two padding bytes of struct hci_ufilter before copying it to userland -- that for leaking two bytes kernel stack. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Mathias Krause Cc: Marcel Holtmann Cc: Gustavo

[PATCH 04/14] Bluetooth: HCI - Fix info leak via getsockname()

The HCI code fails to initialize the hci_channel member of struct sockaddr_hci and that for leaks two bytes kernel stack via the getsockname() syscall. Initialize hci_channel with 0 to avoid the info leak. Signed-off-by: Mathias Krause Cc: Marcel Holtmann Cc: Gustavo Padovan Cc: Johan Hedberg

[PATCH 08/14] Bluetooth: L2CAP - Fix info leak via getsockname()

: Mathias Krause Cc: Marcel Holtmann Cc: Gustavo Padovan Cc: Johan Hedberg --- net/bluetooth/l2cap_sock.c |1 + 1 file changed, 1 insertion(+) diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index a4bb27e..df5ea9e 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth

[PATCH 07/14] Bluetooth: RFCOMM - Fix info leak via getsockname()

The RFCOMM code fails to initialize the trailing padding byte of struct sockaddr_rc added for alignment. It that for leaks one byte kernel stack via the getsockname() syscall. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Mathias Krause Cc: Marcel

[PATCH 05/14] Bluetooth: RFCOMM - Fix info leak in getsockopt(BT_SECURITY)

The RFCOMM code fails to initialize the key_size member of struct bt_security before copying it to userland -- that for leaking one byte kernel stack. Initialize key_size with 0 to avoid the info leak. Signed-off-by: Mathias Krause Cc: Marcel Holtmann Cc: Gustavo Padovan Cc: Johan Hedberg

[PATCH 00/14] net: info leaks and other bugs

uest, test code for all (but one) of the issues can be provided. Regards, Mathias Mathias Krause (14): atm: fix info leak in getsockopt(SO_ATMPVC) atm: fix info leak via getsockname() Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER) Bluetooth: HCI - Fix info leak via g

[PATCH 01/14] atm: fix info leak in getsockopt(SO_ATMPVC)

The ATM code fails to initialize the two padding bytes of struct sockaddr_atmpvc inserted for alignment. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Mathias Krause --- net/atm/common.c |1 + 1 file changed, 1 insertion(+) diff --git a/net

[PATCH 02/14] atm: fix info leak via getsockname()

The ATM code fails to initialize the two padding bytes of struct sockaddr_atmpvc inserted for alignment. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Mathias Krause --- net/atm/pvc.c |1 + 1 file changed, 1 insertion(+) diff --git a/net/atm

[PATCH 1/2] isofs: avoid info leak on export

For type 1 the parent_offset member in struct isofs_fid gets copied uninitialized to userland. Fix this by initializing it to 0. Signed-off-by: Mathias Krause --- fs/isofs/export.c |1 + 1 file changed, 1 insertion(+) diff --git a/fs/isofs/export.c b/fs/isofs/export.c index aa4356d

[PATCH 0/2] Fix info leaks on export for udf and isofs

should be fixed. This info leak can be triggered locally by using the name_to_handle_at() syscall. Regards, Mathias Krause (2): isofs: avoid info leak on export udf: avoid info leak on export fs/isofs/export.c |1 + fs/udf/namei.c|1 + 2 files changed, 2 insertions

[PATCH 2/2] udf: avoid info leak on export

For type 0x51 the udf.parent_partref member in struct fid gets copied uninitialized to userland. Fix this by initializing it to 0. Signed-off-by: Mathias Krause --- fs/udf/namei.c |1 + 1 file changed, 1 insertion(+) diff --git a/fs/udf/namei.c b/fs/udf/namei.c index 1802417..c31deb3

Re: [tip:x86/urgent] x86/Sandy Bridge: reserve pages when integrated graphics is present

Hi Peter, Am 12.01.2013 um 00:00 schrieb Jesse Barnes : > On Fri, 11 Jan 2013 14:39:04 -0800 > tip-bot for Jesse Barnes wrote: > >> Commit-ID: a9acc5365dbda29f7be2884efb63771dc24bd815 >> Gitweb: >> http://git.kernel.org/tip/a9acc5365dbda29f7be2884efb63771dc24bd815 >> Author: Jesse Bar

[PATCH] printk: prevent userland from spoofing kernel messages

he truncation early. Fixes: 7ff9554bb578 ("printk: convert byte-buffer to variable-length...") Signed-off-by: Mathias Krause Cc: Greg Kroah-Hartman Cc: Petr Mladek Cc: Alex Elder Cc: Joe Perches Cc: Kay Sievers --- Might be worth to apply to stable, too. Don't know. Prior to co

Re: [PATCH v13 13/23] x86/asm/crypto: Create stack frames in aesni-intel_asm.S

On Do, Okt 01, 2015 at 08:29:50 -0500, Josh Poimboeuf wrote: > On Thu, Oct 01, 2015 at 08:10:26AM +0200, mini...@ld-linux.so wrote: > > On Tue, Sep 22, 2015 at 10:47:04AM -0500, Josh Poimboeuf wrote: > > > ENTRY(aesni_set_key) > > > + FRAME_BEGIN > > > #ifndef __x86_64__ > > > pushl KEYP > > >

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

t; + remove_wait_queue(&unix_sk(other)->peer_wait, > &u->wait); > unix_state_unlock(sk); > > unix_dgram_disconnected(sk, other); > @@ -2441,7 +2472,6 @@ static unsigned int unix_dgram_poll(struct f

Re: [PATCH] net: ipv6: xfrm6_state: remove VLA usage

On 9 March 2018 at 13:21, Andreas Christoforou wrote: > The kernel would like to have all stack VLA usage removed[1]. > > Signed-off-by: Andreas Christoforou > --- > net/ipv6/xfrm6_state.c | 8 +++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/net/ipv6/xfrm6_state.c b/ne

[PATCH] kallsyms: lower alignment on ARM

es for 32 bit builds or 256 bytes for 64 bit builds. Fix this by switching to '.balign' instead which is consistent across all architectures. Signed-off-by: Mathias Krause Cc: Catalin Marinas Cc: Will Deacon --- scripts/kallsyms.c | 4 ++-- 1 file changed, 2 insertions(+), 2 dele

[PATCH] vmlinux.lds.h: drop unused __vermagic

er current kernels nor modules contain a '__vermagic' section any more, so get rid of it. Signed-off-by: Mathias Krause Cc: Rusty Russell Cc: Jessica Yu --- include/asm-generic/vmlinux.lds.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-

tracing: user events UAF crash report

xpect it to either return a valid pointer or an error pointer, at least since commit 5264a2f4bb3b ("tracing: Fix a NULL vs IS_ERR() bug in event_subsystem_dir()"). Returning NULL will therefore fail the error condition check in the caller. Fix this by substituting the NULL return value

[PATCH] eventfs: Don't return NULL in eventfs_create_dir()

tfs: Test for ei->is_freed when accessing ei->dentry") Reviewed-by: Dan Carpenter Reviewed-by: Ajay Kaher Signed-off-by: Mathias Krause --- v2: send as a separate patch, picking up review tags from Dan and Ajay fs/tracefs/event_inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion

Re: tracing: user events UAF crash report

On 23.07.24 16:43, Steven Rostedt wrote: > On Fri, 19 Jul 2024 22:47:01 +0200 > Mathias Krause wrote: > >> Beside the obvious bug, I noticed the following (not fixing the issue, >> tho): >> >> diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c &g

[PATCH] eventfs: Use SRCU for freeing eventfs_inodes

lds Fixes: 43aa6f97c2d0 ("eventfs: Get rid of dentry pointers without refcounts") Signed-off-by: Mathias Krause --- fs/tracefs/event_inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c index a9c28a1d5dc8..01e99e98457d 100

Re: tracing: user events UAF crash report

On 25.07.24 19:16, Steven Rostedt wrote: > On Thu, 25 Jul 2024 13:10:21 -0400 > Steven Rostedt wrote: >> >> diff --git a/kernel/trace/trace_events_user.c >> b/kernel/trace/trace_events_user.c >> index 3a2b46847c8b..e9ed2826ff46 100644 >> --- a/kernel/trace/trace_events_user.c >> +++ b/kernel/trac

Re: tracing: user events UAF crash report

On 25.07.24 21:05, Steven Rostedt wrote: > On Thu, 25 Jul 2024 20:12:33 +0200 > Mathias Krause wrote: >>>> @@ -973,6 +975,11 @@ size_t copy_nofault(void *addr, size_t bytes, struct >>>> iov_iter *i) >>>> static struct list_head *user_event_get_

Re: tracing: user events UAF crash report

On 25.07.24 21:05, Steven Rostedt wrote: > Here's the proper fix: > > diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c > index 6ef29eba90ce..3a2d2ff1625b 100644 > --- a/kernel/trace/trace_events.c > +++ b/kernel/trace/trace_events.c > @@ -3140,8 +3140,10 @@ EXPORT_SYMBOL_GPL(

Re: tracing: user events UAF crash report

On 25.07.24 22:15, Steven Rostedt wrote: > On Thu, 25 Jul 2024 21:42:41 +0200 > Mathias Krause wrote: > >> Right. But the point is, that 'event_call' is really some '&user->call'. >> With 'user' being free'd memory, what gives? Der

Re: tracing: user events UAF crash report

On 26.07.24 01:06, Steven Rostedt wrote: > On Thu, 25 Jul 2024 23:32:30 +0200 > Mathias Krause wrote: > >> That was for a single run of >> tools/testing/selftests/user_events/ftrace_test with the read loop of >> /sys/kernel/tracing/events/user_events/__test_event/for

Re: [PATCH] tracing: Have format file honor EVENT_FILE_FL_FREED

event itself. Not the meta data to free. This would either cause a > memory leak (the meta data never was freed) or a crash as it could have > incorrectly freed the event itself. > > Link: > https://lore.kernel.org/all/20240719204701.1605950-1-mini...@grsecurity.net/ > > Cc: sta...@vger.ker

Re: [PATCH] tracing: Have format file honor EVENT_FILE_FL_FREED

On 26.07.24 16:52, Steven Rostedt wrote: > On Fri, 26 Jul 2024 12:16:16 +0200 > Mathias Krause wrote: > >>> >>> With KASAN memory checking, it would trigger a use-after-free bug. This was >>> >> >> The UAF bug is there even without KASAN. It

Re: [PATCH v3] tracing: Have format file honor EVENT_FILE_FL_FREED

ot;eventfs/tracing: Add callback for release of an >> eventfs_inode") >> Reported-by: Mathias Krause >> Tested-by: Mathias Krause > > Hi Mathias, > > I kept your "Tested-by" tag because you did test the part that fixes the > bug you reported. I j

[PATCH 1/2] tracefs: Fix inode allocation

Kaher Cc: Al Viro Fixes: ba37ff75e04b ("eventfs: Implement tracefs_inode_cache") Signed-off-by: Mathias Krause --- fs/tracefs/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c index 7c29f4afc23d..a9279810158c 100644 --- a/

[PATCH 0/2] tracefs: inode alloc/free related fixes

may also be the cause for what Ilkka is seeing[1]. Please apply! Thanks, Mathias [1] https://lore.kernel.org/all/cae4varezy+a2pvqjyjbfh8dwb4op7kuczg-e28h22xywob1...@mail.gmail.com/ Mathias Krause (2): tracefs: Fix inode allocation tracefs: Don't overlay 'struct inode'

[PATCH 2/2] tracefs: Don't overlay 'struct inode'

kgid_t i_gid; unsigned inti_flags; @@ -690,7 +691,6 @@ struct inode { u16 i_wb_frn_avg_time; u16 i_wb_frn_history; #endif - struct list_headi_lru; /* inode LRU list */ stru

Re: [PATCH 2/2] tracefs: Don't overlay 'struct inode'

On 07.08.24 15:35, Steven Rostedt wrote: > On Wed, 7 Aug 2024 13:51:39 +0200 > Mathias Krause wrote: > >> diff --git a/fs/tracefs/internal.h b/fs/tracefs/internal.h >> index f704d8348357..a7769857962a 100644 >> --- a/fs/tracefs/internal.h >> +++ b/fs/trac

Re: [PATCH 2/2] tracefs: Don't overlay 'struct inode'

On 07.08.24 15:44, Al Viro wrote: > On Wed, Aug 07, 2024 at 09:35:45AM -0400, Steven Rostedt wrote: > >> Perhaps: >> >> diff --git a/fs/tracefs/internal.h b/fs/tracefs/internal.h >> index f704d8348357..ab6d6c3d835d 100644 >> --- a/fs/tracefs/internal.h >> +++ b/fs/tracefs/internal.h >> @@ -10,12 +

Re: [PATCH 2/2] tracefs: Don't overlay 'struct inode'

On 07.08.24 17:49, Steven Rostedt wrote: > [...] > > So I could use destroy_inode() for the removing of the link list, and then > free_inode to free it. Something like: > > diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c > index 1028ab6d9a74..ae2cb2221acd 100644 > --- a/fs/tracefs/inode.c >

Re: [PATCH] x86/hyperv/vtl: Replace real_mode_header only under Hyper-V

On 08.09.23 17:02, Saurabh Singh Sengar wrote: > On Fri, Sep 08, 2023 at 12:26:10PM +0200, Mathias Krause wrote: >> Booting a CONFIG_HYPERV_VTL_MODE=y enabled kernel on bare metal or a >> non-Hyper-V hypervisor leads to serve memory corruption as > > FWIW, CONFIG_HYPERV_VTL

Re: [PATCH] perf: Ensure symbols for plugins are exported

On 18 April 2015 at 17:46, Jiri Olsa wrote: > On Fri, Apr 17, 2015 at 11:01:07PM +0200, Mathias Krause wrote: >> On 17 April 2015 at 17:34, Jiri Olsa wrote: >> > On Sun, Apr 12, 2015 at 06:00:51PM +0200, Mathias Krause wrote: >> >> When building perf with perl o

Re: [PATCH] perf: Ensure symbols for plugins are exported

On 17 April 2015 at 17:34, Jiri Olsa wrote: > On Sun, Apr 12, 2015 at 06:00:51PM +0200, Mathias Krause wrote: >> When building perf with perl or python support it implicitly gets linked >> with the -export-dynamic linker option through the additional linker >> flags, namely

[PATCH] perf: Ensure symbols for plugins are exported

valho de Melo Cc: Ingo Molnar Cc: Jiri Olsa Cc: Paul Mackerras Cc: Peter Zijlstra Signed-off-by: Mathias Krause --- This patch should go on top of tip.git#perf/core tools/perf/Makefile.perf |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/perf/Makefile.perf

[PATCH] ipmi: constify ACPI device ids

Constify the ACPI device ID array, it doesn't need to be writable at runtime. Signed-off-by: Mathias Krause --- drivers/char/ipmi/ipmi_ssif.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c index 207689c

[PATCH] mfd: intel_soc_pmic: Constify ACPI device ids

Constify the ACPI device ID array, it doesn't need to be writable at runtime. Signed-off-by: Mathias Krause Cc: Yang, Bin Cc: Zhu, Lejun --- drivers/mfd/intel_soc_pmic_core.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mfd/intel_soc_pmic_core.c b/dr

  1   2   3   >