linux/drivers
Mathias Krause f1ce3986ba nitro_enclaves: Fix stale file descriptors on failed usercopy
A failing usercopy of the slot uid will lead to a stale entry in the
file descriptor table as put_unused_fd() won't release it. This enables
userland to refer to a dangling 'file' object through that still valid
file descriptor, leading to all kinds of use-after-free exploitation
scenarios.

Exchanging put_unused_fd() for close_fd(), ksys_close() or alike won't
solve the underlying issue, as the file descriptor might have been
replaced in the meantime, e.g. via userland calling close() on it
(leading to a NULL pointer dereference in the error handling code as
'fget(enclave_fd)' will return a NULL pointer) or by dup2()'ing a
completely different file object to that very file descriptor, leading
to the same situation: a dangling file descriptor pointing to a freed
object -- just in this case to a file object of user's choosing.

Generally speaking, after the call to fd_install() the file descriptor
is live and userland is free to do whatever with it. We cannot rely on
it to still refer to our enclave object afterwards. In fact, by abusing
userfaultfd() userland can hit the condition without any racing and
abuse the error handling in the nitro code as it pleases.

To fix the above issues, defer the call to fd_install() until all
possible errors are handled. In this case it's just the usercopy, so do
it directly in ne_create_vm_ioctl() itself.

Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Andra Paraschiv <andraprs@amazon.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210429165941.27020-2-andraprs@amazon.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-04-29 19:06:49 +02:00
accessibility speakup: i18n: Switch to kmemdup_nul() in spk_msg_set() 2021-04-10 10:58:50 +02:00
acpi ACPI: processor: Fix build when CONFIG_ACPI_PROCESSOR=m 2021-04-07 19:02:43 +02:00
amba
android binder: tell userspace to dump current backtrace when detected oneway spamming 2021-04-10 10:52:04 +02:00
ata
atm The usual updates from the irq departement: 2021-04-26 09:43:16 -07:00
auxdisplay auxdisplay: Remove in_interrupt() usage. 2021-03-16 16:32:40 +01:00
base driver core: Fix locking bug in deferred_probe_timeout_work_func() 2021-04-05 09:14:18 +02:00
bcma
block xen-blkfront: Fix 'physical' typos 2021-04-23 09:43:42 +02:00
bluetooth Bluetooth: btusb: Revert Fix the autosuspend enable and disable 2021-04-09 09:08:02 -07:00
bus Char/Misc driver updates for 5.13-rc1 2021-04-26 11:03:17 -07:00
cdrom
char Char/Misc driver updates for 5.13-rc1 2021-04-26 11:03:17 -07:00
clk clk: fixed: fix double free in resource managed fixed-factor clock 2021-04-07 16:01:25 -07:00
clocksource hyperv-next for 5.13 2021-04-26 10:44:16 -07:00
connector
counter counter: stm32-timer-cnt: fix ceiling miss-alignment with reload register 2021-03-06 16:48:09 +00:00
cpufreq cpufreq: Fix scaling_{available,boost}_frequencies_show() comments 2021-03-26 17:43:48 +01:00
cpuidle
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2021-04-26 08:51:23 -07:00
cxl cxl/mem: Fix memory device capacity probing 2021-04-16 18:21:56 -07:00
dax dax: avoid -Wempty-body warnings 2021-03-22 09:20:06 -07:00
dca
devfreq Merge branches 'pm-devfreq' and 'pm-tools' 2021-02-15 17:02:04 +01:00
dio
dma dmaengine: idxd: fix wq cleanup of WQCFG registers 2021-04-12 22:08:39 +05:30
dma-buf dma-fence: allow signaling drivers to set fence timestamp 2021-02-24 21:05:28 +05:30
edac Merge branch 'edac-misc' into edac-updates-for-v5.12 2021-02-15 10:06:58 +01:00
eisa
extcon extcon: qcom-spmi: Add support for VBUS detection 2021-04-08 13:10:16 +09:00
firewire The usual updates from the irq departement: 2021-04-26 09:43:16 -07:00
firmware Char/Misc driver updates for 5.13-rc1 2021-04-26 11:03:17 -07:00
fpga fpga: dfl: pci: add DID for D5005 PAC cards 2021-04-05 17:46:56 -07:00
fsi
gnss
gpio gpio fixes for v5.12 2021-04-23 10:19:19 -07:00
gpu The usual updates from the irq departement: 2021-04-26 09:43:16 -07:00
greybus greybus: es2: fix kernel-doc warnings 2021-04-16 07:26:50 +02:00
hid HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices 2021-03-16 15:41:20 +01:00
hsi
hv drivers: hv: Create a consistent pattern for checking Hyper-V hypercall status 2021-04-21 09:49:19 +00:00
hwmon Devicetree updates for v5.12: 2021-02-22 10:05:12 -08:00
hwspinlock hwspinlock: omap: Add support for K3 AM64x SoCs 2021-02-09 11:36:50 -06:00
hwtracing coresight: etm-perf: Fix define build issue when built as module 2021-04-16 09:34:57 +02:00
i2c i2c: mv64xxx: Fix random system lock caused by runtime PM 2021-04-15 22:13:19 +02:00
i3c I3C for 5.12 2021-02-22 09:52:55 -08:00
ide ide-5.11-2021-02-28 2021-02-28 15:48:25 -08:00
idle
iio First set of IIO and counter fixes for the 5.12 cycle 2021-03-15 16:34:39 +01:00
infiniband RDMA/addr: Be strict with gid size 2021-04-08 16:14:56 -03:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2021-04-15 10:23:44 -07:00
interconnect interconnect changes for 5.13 2021-04-15 11:06:46 +02:00
iommu iommu/tegra-smmu: Make tegra_smmu_probe_device() to handle all IOMMU phandles 2021-03-18 11:31:12 +01:00
ipack ipack: Handle a driver without remove callback 2021-02-09 09:48:23 +01:00
irqchip irqchip updates for Linux 5.13 2021-04-24 21:18:44 +02:00
isdn isdn: capi: fix mismatched prototypes 2021-03-22 16:51:11 -07:00
leds treewide: change my e-mail address, fix my name 2021-04-09 14:54:23 -07:00
lightnvm lightnvm: pblk: Replace guid_copy() with export_guid()/import_guid() 2021-02-14 21:27:24 -07:00
macintosh
mailbox treewide: change my e-mail address, fix my name 2021-04-09 14:54:23 -07:00
mcb
md dm verity fec: fix misaligned RS roots IO 2021-04-14 14:28:29 -04:00
media module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
memory Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
memstick
message
mfd platform-drivers-x86 for v5.13-1 2021-04-26 10:58:33 -07:00
misc Char/Misc driver updates for 5.13-rc1 2021-04-26 11:03:17 -07:00
mmc mmc: meson-gx: replace WARN_ONCE with dev_warn_once about scatterlist size alignment in block mode 2021-04-19 09:49:27 +02:00
most drivers: most: use LIST_HEAD() for list_head 2021-04-02 16:26:03 +02:00
mtd This pull request contains the following bug fix for MTD: 2021-04-13 14:01:34 -07:00
mux mux: gpio: Simplify code by using dev_err_probe() 2021-04-02 16:28:53 +02:00
net The usual updates from the irq departement: 2021-04-26 09:43:16 -07:00
nfc Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
ntb NTB: Add support for EPF PCI Non-Transparent Bridge 2021-02-23 14:12:53 -06:00
nubus
nvdimm libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC 2021-04-09 21:56:01 -07:00
nvme nvmet-tcp: fix kmap leak when data digest in use 2021-03-18 05:39:18 +01:00
nvmem nvmem: qfprom: Add support for fuse blowing on sc7280 2021-04-02 16:28:10 +02:00
of Devicetree fixes for v5.12, take 2: 2021-04-09 13:01:48 -07:00
opp opp: Don't drop extra references to OPPs accidentally 2021-03-12 09:26:52 +05:30
parisc
parport module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
pci hyperv-next for 5.13 2021-04-26 10:44:16 -07:00
pcmcia Merge branch 'pcmcia-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux 2021-02-26 13:54:43 -08:00
perf perf/arm_pmu_platform: Clean up with dev_printk 2021-03-30 11:41:50 +01:00
phy phy: Revert "phy: ti: j721e-wiz: add missing of_node_put" 2021-04-16 07:27:37 +02:00
pinctrl pinctrl: core: Show pin numbers for the controllers with base = 0 2021-04-22 02:13:42 +02:00
platform platform/x86: gigabyte-wmi: add support for B550M AORUS PRO-P 2021-04-23 19:18:35 +02:00
pnp
power
powercap powercap/drivers/dtpm: Add the experimental label to the option description 2021-03-01 17:43:29 +01:00
pps pps: clients: gpio: Rearrange optional stuff in pps_gpio_setup() 2021-03-24 08:26:32 +01:00
ps3
ptp ptp_qoriq: fix overflow in ptp_qoriq_adjfine() u64 calcalation 2021-03-24 12:10:03 -07:00
pwm pwm: Changes for v5.12-rc1 2021-02-25 12:23:49 -08:00
rapidio
ras RAS/CEC: Correct ce_add_elem()'s returned values 2021-04-07 11:52:26 +02:00
regulator regulator: bd9571mwv: Convert device attribute to sysfs_emit() 2021-03-15 15:42:12 +00:00
remoteproc remoteproc: pru: Fix firmware loading crashes on K3 SoCs 2021-03-17 14:15:07 -05:00
reset RISC-V Patches for the 5.12 Merge Window 2021-02-26 10:28:35 -08:00
rpmsg
rtc Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2021-02-27 08:07:12 -08:00
s390 module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
sbus module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
scsi SCSI fixes on 20210417 2021-04-17 20:25:33 -07:00
sh The usual updates from the irq departement: 2021-04-26 09:43:16 -07:00
siox
slimbus
soc ARM SoC fixes for v5.12, part 2 2021-04-18 13:23:26 -07:00
soundwire soundwire: intel_init: test link->cdns 2021-04-06 10:26:44 +05:30
spi spi: cadence: set cqspi to the driver_data field of struct device 2021-03-11 13:32:32 +00:00
spmi spmi: spmi-pmic-arb: Fix hw_irq overflow 2021-02-12 12:26:46 +01:00
ssb
staging staging: rtl8192e: Change state information from u16 to u8 2021-03-23 13:32:40 +01:00
target scsi: target: iscsi: Fix zero tag inside a trace event 2021-04-05 23:09:37 -04:00
tc
tee module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
thermal thermal/core: Add NULL pointer check before using cooling device stats 2021-03-17 09:55:58 +01:00
thunderbolt thunderbolt: Fix off by one in tb_port_find_retimer() 2021-03-30 13:38:10 +03:00
tty Serial driver fix for 5.12-rc6 2021-04-03 10:00:53 -07:00
uio uio: uio_dfl: add userspace i/o driver for DFL bus 2021-03-28 14:58:18 +02:00
usb usbip: synchronize event handler with sysfs code paths 2021-04-05 09:05:42 +02:00
vdpa vdpa/mlx5: Set err = -ENOMEM in case dma_map_sg_attrs fails 2021-04-22 18:15:31 -04:00
vfio vfio/pci: Add missing range check in vfio_pci_mmap 2021-04-13 08:29:16 -06:00
vhost vhost-vdpa: protect concurrent access to vhost device iotlb 2021-04-22 18:15:31 -04:00
video Char/Misc driver updates for 5.13-rc1 2021-04-26 11:03:17 -07:00
virt nitro_enclaves: Fix stale file descriptors on failed usercopy 2021-04-29 19:06:49 +02:00
virtio virtio: fixes, cleanups 2021-03-18 11:20:35 -07:00
visorbus
vlynq
vme vme: make remove callback return void 2021-02-09 12:15:07 +01:00
w1 w1: ds28e17: Use module_w1_family to simplify the code 2021-04-10 10:58:21 +02:00
watchdog treewide: change my e-mail address, fix my name 2021-04-09 14:54:23 -07:00
xen xen: branch for v5.13-rc1 2021-04-26 10:37:45 -07:00
zorro
Kconfig cxl/mem: Introduce a driver for CXL-2.0-Type-3 endpoints 2021-02-16 20:36:38 -08:00
Makefile Simple Firmware Interface (SFI) support removal for v5.12-rc1 2021-02-24 10:35:29 -08:00