[packages/kernel] add patch that should fix kernel crashes occurring since 6.6.3

atler atler at pld-linux.org
Mon Dec 4 11:13:03 CET 2023


commit c586acb46b1b5fd4516369e49b789bda25615f94
Author: Jan Palus <atler at pld-linux.org>
Date:   Mon Dec 4 10:02:39 2023 +0100

    add patch that should fix kernel crashes occurring since 6.6.3
    
    Scheduled for inclusion in 6.6.5. Crashes may or may not be present,
    depending on the struct randomization seed.

 kernel.spec                            |  4 +++
 neighbour-randomize-layout-crash.patch | 50 ++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
---
diff --git a/kernel.spec b/kernel.spec
index 98b6615e..247b3dcd 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -210,6 +210,8 @@ Patch8002:	atheros-disallow-retrain-nongen1-pcie.patch
 Patch8004:	ath-regd.patch
 Patch8005:	rkvdec-hevc.patch
 
+Patch9000:	neighbour-randomize-layout-crash.patch
+
 # Do not remove this line, please. It is easier for me to uncomment two lines, then patch
 # kernel.spec every time.
 #Patch50000:	kernel-usb_reset.patch
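Review bot: `Patch9000:` is added without a comment recording that it is a temporary stable backport; since the commit message says the fix is queued for 6.6.5, put a line such as `# upstream, queued for 6.6.5 - drop on next stable bump` above `Patch9000:	neighbour-randomize-layout-crash.patch` so the next basever update removes it deliberately instead of hitting an already-applied hunk. Jumping from the 8000 series to 9000 is acceptable as a marker for "backport, to be dropped", but that convention should be stated in the comment rather than left implicit.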
@@ -661,6 +663,8 @@ cd linux-%{basever}
 %patch8005 -p1
 %endif
 
+%patch9000 -p1
+
 %if %{with rt}
 %patch500 -p1
 rm -f localversion-rt
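Review bot: `%patch9000 -p1` is applied unconditionally and ahead of the rt-specific block (`%patch500`), which is right for this change: it touches only include/net/neighbour.h and does not depend on any of the conditional patch sets, and it alters behaviour only when the randstruct gcc plugin is active, so builds without struct randomization are unaffected. Keep this line and the `Patch9000:` definition paired (same comment, removed together) so one of them is not left dangling when 6.6.5 becomes the base.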
diff --git a/neighbour-randomize-layout-crash.patch b/neighbour-randomize-layout-crash.patch
new file mode 100644
index 00000000..1650e8c2
--- /dev/null
+++ b/neighbour-randomize-layout-crash.patch
@@ -0,0 +1,50 @@
+From 6ebf707e10dee4d186e46e414fe6d923e60e1aae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal at kernel.org>
+Date: Sat, 25 Nov 2023 15:33:58 -0600
+Subject: neighbour: Fix __randomize_layout crash in struct neighbour
+
+From: Gustavo A. R. Silva <gustavoars at kernel.org>
+
+[ Upstream commit 45b3fae4675dc1d4ee2d7aefa19d85ee4f891377 ]
+
+Previously, one-element and zero-length arrays were treated as true
+flexible arrays, even though they are actually "fake" flex arrays.
+The __randomize_layout would leave them untouched at the end of the
+struct, similarly to proper C99 flex-array members.
+
+However, this approach changed with commit 1ee60356c2dc ("gcc-plugins:
+randstruct: Only warn about true flexible arrays"). Now, only C99
+flexible-array members will remain untouched at the end of the struct,
+while one-element and zero-length arrays will be subject to randomization.
+
+Fix a `__randomize_layout` crash in `struct neighbour` by transforming
+zero-length array `primary_key` into a proper C99 flexible-array member.
+
+Fixes: 1ee60356c2dc ("gcc-plugins: randstruct: Only warn about true flexible arrays")
+Closes: https://lore.kernel.org/linux-hardening/20231124102458.GB1503258@e124191.cambridge.arm.com/
+Signed-off-by: Gustavo A. R. Silva <gustavoars at kernel.org>
+Reviewed-by: Kees Cook <keescook at chromium.org>
+Tested-by: Joey Gouly <joey.gouly at arm.com>
+Link: https://lore.kernel.org/r/ZWJoRsJGnCPdJ3+2@work
+Signed-off-by: Paolo Abeni <pabeni at redhat.com>
+Signed-off-by: Sasha Levin <sashal at kernel.org>
+---
+ include/net/neighbour.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/neighbour.h b/include/net/neighbour.h
+index 07022bb0d44d4..0d28172193fa6 100644
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -162,7 +162,7 @@ struct neighbour {
+ 	struct rcu_head		rcu;
+ 	struct net_device	*dev;
+ 	netdevice_tracker	dev_tracker;
+-	u8			primary_key[0];
++	u8			primary_key[];
+ } __randomize_layout;
+ 
+ struct neigh_ops {
+-- 
+2.42.0
+
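Review bot: the one-line change is the correct fix and not merely cosmetic. `u8 primary_key[0];` is the "fake" flexible array the description refers to: the key bytes live past the end of `struct neighbour` and are addressed through this member, so it is only valid while it is the last member. After 1ee60356c2dc the randstruct plugin treats a zero-length array as an ordinary member and may shuffle it into the middle of the struct, after which any write of the key lands on whichever member randomization placed behind it; that, and the seed-dependence noted in the spec commit message, explains why the crash is intermittent across builds. A C99 flexible array member (`u8 primary_key[];`) is required by the language to be last, so the plugin leaves it in place. Two packaging points: keep the `[ Upstream commit 45b3fae4675dc1d4ee2d7aefa19d85ee4f891377 ]` line and the `Fixes:` tag intact so provenance is greppable, and note that the patch is only needed on trees that already carry 1ee60356c2dc (6.6.3 and later per the spec commit message), so it must not be carried over to an older branch.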
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/c586acb46b1b5fd4516369e49b789bda25615f94
