From 5f2ca358553e87d7ab8585f100ba943f334201e0 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Tue, 7 Jan 2020 16:06:58 +0000 Subject: Arm64 regression fix - rhbz 1788624 --- ...rt-support-for-execute-only-user-mappings.patch | 119 +++++++++++++++++++++ kernel.spec | 3 + 2 files changed, 122 insertions(+) create mode 100644 arm64-revert-support-for-execute-only-user-mappings.patch diff --git a/arm64-revert-support-for-execute-only-user-mappings.patch b/arm64-revert-support-for-execute-only-user-mappings.patch new file mode 100644 index 000000000..8ca23e6c9 --- /dev/null +++ b/arm64-revert-support-for-execute-only-user-mappings.patch 
@@ -0,0 +1,119 @@ +From 24cecc37746393432d994c0dbc251fb9ac7c5d72 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Mon, 6 Jan 2020 14:35:39 +0000 +Subject: arm64: Revert support for execute-only user mappings + +The ARMv8 64-bit architecture supports execute-only user permissions by +clearing the PTE_USER and PTE_UXN bits, practically making it a mostly +privileged mapping but from which user running at EL0 can still execute. + +The downside, however, is that the kernel at EL1 inadvertently reading +such mapping would not trip over the PAN (privileged access never) +protection. + +Revert the relevant bits from commit cab15ce604e5 ("arm64: Introduce +execute-only page access permissions") so that PROT_EXEC implies +PROT_READ (and therefore PTE_USER) until the architecture gains proper +support for execute-only user mappings. + +Fixes: cab15ce604e5 ("arm64: Introduce execute-only page access permissions") +Cc: # 4.9.x- +Acked-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Linus Torvalds +--- + arch/arm64/include/asm/pgtable-prot.h | 5 ++--- + arch/arm64/include/asm/pgtable.h | 10 +++------- + arch/arm64/mm/fault.c | 2 +- + mm/mmap.c | 6 ------ + 4 files changed, 6 insertions(+), 17 deletions(-) + +diff --git a/arch/arm64/include/asm/pgtable-prot.h b/arch/arm64/include/asm/pgtable-prot.h +index 8dc6c5c..baf52ba 100644 +--- a/arch/arm64/include/asm/pgtable-prot.h ++++ b/arch/arm64/include/asm/pgtable-prot.h +@@ -85,13 +85,12 @@ + #define PAGE_SHARED_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE) + #define PAGE_READONLY __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN) + #define PAGE_READONLY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN) +-#define PAGE_EXECONLY __pgprot(_PAGE_DEFAULT | PTE_RDONLY | PTE_NG | PTE_PXN) + + #define __P000 PAGE_NONE + #define __P001 PAGE_READONLY + #define __P010 PAGE_READONLY + #define __P011 PAGE_READONLY +-#define __P100 
PAGE_EXECONLY ++#define __P100 PAGE_READONLY_EXEC + #define __P101 PAGE_READONLY_EXEC + #define __P110 PAGE_READONLY_EXEC + #define __P111 PAGE_READONLY_EXEC +@@ -100,7 +99,7 @@ + #define __S001 PAGE_READONLY + #define __S010 PAGE_SHARED + #define __S011 PAGE_SHARED +-#define __S100 PAGE_EXECONLY ++#define __S100 PAGE_READONLY_EXEC + #define __S101 PAGE_READONLY_EXEC + #define __S110 PAGE_SHARED_EXEC + #define __S111 PAGE_SHARED_EXEC +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index 5d15b47..cd5de0e 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -96,12 +96,8 @@ extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)]; + #define pte_dirty(pte) (pte_sw_dirty(pte) || pte_hw_dirty(pte)) + + #define pte_valid(pte) (!!(pte_val(pte) & PTE_VALID)) +-/* +- * Execute-only user mappings do not have the PTE_USER bit set. All valid +- * kernel mappings have the PTE_UXN bit set. +- */ + #define pte_valid_not_user(pte) \ +- ((pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN)) ++ ((pte_val(pte) & (PTE_VALID | PTE_USER)) == PTE_VALID) + #define pte_valid_young(pte) \ + ((pte_val(pte) & (PTE_VALID | PTE_AF)) == (PTE_VALID | PTE_AF)) + #define pte_valid_user(pte) \ +@@ -117,8 +113,8 @@ extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)]; + + /* + * p??_access_permitted() is true for valid user mappings (subject to the +- * write permission check) other than user execute-only which do not have the +- * PTE_USER bit set. PROT_NONE mappings do not have the PTE_VALID bit set. ++ * write permission check). PROT_NONE mappings do not have the PTE_VALID bit ++ * set. 
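Review bot: `__P100` now maps to PAGE_READONLY_EXEC with no comment saying that a PROT_EXEC-only request yields a readable mapping; the same applies to the `__S100` line in the second hunk of this file. The arm64 note in mm/mmap.c is deleted by this same patch, so nothing near the protection tables records the behaviour any more. A comment above `__P000` would keep it visible: `/* PROT_EXEC implies PROT_READ: a user mapping without PTE_USER would not trip PAN on EL1 reads */`. Userspace that requested execute-only memory to keep code unreadable gets a readable mapping and no error, which is worth stating where the table is defined.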
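Review bot: `pte_valid_not_user()` loses its explanatory comment and gets no replacement, although the simplified test is only correct while every user mapping carries PTE_USER. That invariant comes from the removal of PAGE_EXECONLY in pgtable-prot.h, so it should be written next to the macro: `/* All user mappings have PTE_USER set; a valid PTE without it is a kernel mapping. */`. If execute-only user mappings are reintroduced later, this macro has to change with them, and the comment is what will remind the author.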
+ */ + #define pte_access_permitted(pte, write) \ + (pte_valid_user(pte) && (!(write) || pte_write(pte))) +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c +index 077b02a..85566d3 100644 +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -445,7 +445,7 @@ static int __kprobes do_page_fault(unsigned long addr, unsigned int esr, + const struct fault_info *inf; + struct mm_struct *mm = current->mm; + vm_fault_t fault, major = 0; +- unsigned long vm_flags = VM_READ | VM_WRITE; ++ unsigned long vm_flags = VM_READ | VM_WRITE | VM_EXEC; + unsigned int mm_flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE; + + if (kprobe_page_fault(regs, esr)) +diff --git a/mm/mmap.c b/mm/mmap.c +index 9c64852..71e4ffc 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -90,12 +90,6 @@ static void unmap_region(struct mm_struct *mm, + * MAP_PRIVATE r: (no) no r: (yes) yes r: (no) yes r: (no) yes + * w: (no) no w: (no) no w: (copy) copy w: (no) no + * x: (no) no x: (no) yes x: (no) yes x: (yes) yes +- * +- * On arm64, PROT_EXEC has the following behaviour for both MAP_SHARED and +- * MAP_PRIVATE: +- * r: (no) no +- * w: (no) no +- * x: (yes) yes + */ + pgprot_t protection_map[16] __ro_after_init = { + __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111, +-- +cgit v1.1 diff --git a/kernel.spec b/kernel.spec index 7eb2bf36f..b9efdcfa1 100644 --- a/kernel.spec +++ b/kernel.spec @@ -598,6 +598,9 @@ Patch531: 0001-crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch # CVE-2019-18809 rhbz 1777449 1777451 Patch532: 0001-media-usb-fix-memory-leak-in-af9005_identify_state.patch +# Arm64 regression fix - rhbz 1788624 +Patch533: arm64-revert-support-for-execute-only-user-mappings.patch + # ALSA code from v5.5 (Intel ASoC Sound Open Firmware driver support) Patch600: alsa-5.5.patch -- cgit From e8cf17592dac7f6ca5b9f91988d7bfa0baba1047 Mon Sep 17 00:00:00 2001 
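Review bot: The default `vm_flags` mask in do_page_fault() now includes VM_EXEC without a comment, so a reader cannot tell that a data read from an exec-only VMA is meant to pass the permission check. Suggest `/* PROT_EXEC implies PROT_READ: a read fault is satisfied by VM_EXEC as well */` above the declaration. The mask is presumably narrowed for exec and write faults later in the function, which continues outside the hunk, so the comment should be checked against that code.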
From: Laura Abbott Date: Wed, 8 Jan 2020 13:01:30 -0500 Subject: Fix for tpm usercopy (rhbz 1788653) --- kernel.spec | 6 ++ ...ive-priv--response_len-in-tpm_common_read.patch | 89 ++++++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 tpm-handle-negative-priv--response_len-in-tpm_common_read.patch diff --git a/kernel.spec b/kernel.spec index b9efdcfa1..439435bfe 100644 --- a/kernel.spec +++ b/kernel.spec @@ -614,6 +614,9 @@ Patch609: 0002-drm-nouveau-Fix-drm-core-using-atomic-code-paths-on-.patch # rhbz 1781288 Patch610: 0001-tracing-Do-not-create-directories-if-lockdown-is-in-.patch +# rhbz 1788653 +Patch611: tpm-handle-negative-priv--response_len-in-tpm_common_read.patch + # END OF PATCH DEFINITIONS %endif @@ -1851,6 +1854,9 @@ fi # # %changelog +* Mon Jan 06 2020 Laura Abbott +- Fix for tpm usercopy (rhbz 1788653) + * Mon Jan 06 2020 Hans de Goede - Make the MFD Intel LPSS driver builtin, some devices require this to be available early during boot (rhbz#1787997) diff --git a/tpm-handle-negative-priv--response_len-in-tpm_common_read.patch b/tpm-handle-negative-priv--response_len-in-tpm_common_read.patch new file mode 100644 index 000000000..40df117ff --- /dev/null +++ b/tpm-handle-negative-priv--response_len-in-tpm_common_read.patch 
@@ -0,0 +1,89 @@ +From patchwork Tue Jan 7 22:04:48 2020 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: Tadeusz Struk +X-Patchwork-Id: 1176682 +Return-Path: +Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) + by smtp.lore.kernel.org (Postfix) with ESMTP id 5846CC3F68F + for ; Tue, 7 Jan 2020 22:04:42 +0000 (UTC) +Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) + by mail.kernel.org (Postfix) with ESMTP id 207982073D + for ; Tue, 7 Jan 2020 22:04:42 +0000 (UTC) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1727451AbgAGWEl (ORCPT + ); + Tue, 7 Jan 2020 17:04:41 -0500 +Received: from mga11.intel.com ([192.55.52.93]:40523 "EHLO mga11.intel.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1727080AbgAGWEk (ORCPT ); + Tue, 7 Jan 2020 17:04:40 -0500 +X-Amp-Result: SKIPPED(no attachment in message) +X-Amp-File-Uploaded: False +Received: from fmsmga007.fm.intel.com ([10.253.24.52]) + by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; + 07 Jan 2020 14:04:40 -0800 +X-ExtLoop1: 1 +X-IronPort-AV: E=Sophos;i="5.69,407,1571727600"; + d="scan'208";a="217317989" +Received: from tstruk-mobl1.jf.intel.com (HELO [127.0.1.1]) ([10.7.196.67]) + by fmsmga007.fm.intel.com with ESMTP; 07 Jan 2020 14:04:39 -0800 +Subject: [PATCH] tpm: handle negative priv->response_len in tpm_common_read +From: Tadeusz Struk +To: jarkko.sakkinen@linux.intel.com +Cc: keescook@chromium.org, tadeusz.struk@intel.com, + linux-kernel@vger.kernel.org, stable@vger.kernel.org, + linux-integrity@vger.kernel.org, labbott@redhat.com +Date: Tue, 07 Jan 2020 14:04:48 -0800 +Message-ID: <157843468820.24718.10808226634364669421.stgit@tstruk-mobl1> +In-Reply-To: +References: +User-Agent: StGit/0.17.1-dirty +MIME-Version: 1.0 +Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org + +The 
priv->responce_length can hold the size of an response or +an negative error code, and the tpm_common_read() needs to handle +both cases correctly. Changed the type of responce_length to +signed and accounted for negative value in tpm_common_read() + +Cc: stable@vger.kernel.org +Fixes: d23d12484307 ("tpm: fix invalid locking in NONBLOCKING mode") +Reported-by: Laura Abbott +Signed-off-by: Tadeusz Struk +Reviewed-by: Jarkko Sakkinen +--- + drivers/char/tpm/tpm-dev-common.c | 2 +- + drivers/char/tpm/tpm-dev.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c +index b23b0b999232..87f449340202 100644 +--- a/drivers/char/tpm/tpm-dev-common.c ++++ b/drivers/char/tpm/tpm-dev-common.c +@@ -130,7 +130,7 @@ ssize_t tpm_common_read(struct file *file, char __user *buf, + priv->response_read = true; + + ret_size = min_t(ssize_t, size, priv->response_length); +- if (!ret_size) { ++ if (ret_size <= 0) { + priv->response_length = 0; + goto out; + } +diff --git a/drivers/char/tpm/tpm-dev.h b/drivers/char/tpm/tpm-dev.h +index 1089fc0bb290..f3742bcc73e3 100644 +--- a/drivers/char/tpm/tpm-dev.h ++++ b/drivers/char/tpm/tpm-dev.h +@@ -14,7 +14,7 @@ struct file_priv { + struct work_struct timeout_work; + struct work_struct async_work; + wait_queue_head_t async_wait; +- size_t response_length; ++ ssize_t response_length; + bool response_read; + bool command_enqueued; + -- cgit
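Review bot: The `ret_size <= 0` branch in tpm_common_read() now covers two different cases, an empty response and a negative error code stored in `priv->response_length`, and nothing in the code says so. A comment above the test would make the intent clear: `/* response_length is 0 when nothing is pending, or a negative errno; never pass it on as a copy length */`. The branch also resets response_length to 0, so the error is seen by one read only; whether it is returned to the caller depends on the `out:` path, which is outside the hunk.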
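Review bot: `response_length` becomes `ssize_t` in struct file_priv, but the declaration does not say that negative values are error codes. Suggest `ssize_t response_length; /* bytes pending, or negative errno */`. Other users of the field outside this patch should be checked for comparisons with a size_t or use as a copy length, since a negative value converts to a very large unsigned one there. The struct begins and ends outside the hunk.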