patches: 4.9: update patches

Change-Id: Ie93454d396f0aad95c5a1df3ff0453c560fff43d

Author: BeYkeRYkt

patches/4.9/CVE-2019-2054_1.patch

@@ -0,0 +1,59 @@
+From c13dcfc3c4fa0ac8a40da64c30ba57dc14eb8096 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <[email protected]>
+Date: Thu, 28 Jan 2016 15:11:21 -0800
+Subject: [PATCH] UPSTREAM: x86/syscalls: Refactor syscalltbl.sh
+
+This splits out the code to emit a syscall line.
+
+Signed-off-by: Andy Lutomirski <[email protected]>
+Cc: Andy Lutomirski <[email protected]>
+Cc: Borislav Petkov <[email protected]>
+Cc: Brian Gerst <[email protected]>
+Cc: Denys Vlasenko <[email protected]>
+Cc: Frederic Weisbecker <[email protected]>
+Cc: H. Peter Anvin <[email protected]>
+Cc: Linus Torvalds <[email protected]>
+Cc: Peter Zijlstra <[email protected]>
+Cc: Thomas Gleixner <[email protected]>
+Link: http://lkml.kernel.org/r/1bfcbba991f5cfaa9291ff950a593daa972a205f.1454022279.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <[email protected]>
+(cherry picked from commit fba324744bfd2a7948a7710d7a021d76dafb9b67)
+
+Bug: 119769499
+Change-Id: Ie36f49882c4c3a69d87288795e4525353bb05ec5
+Signed-off-by: Greg Hackmann <[email protected]>
+---
+ arch/x86/syscalls/syscalltbl.sh | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/syscalls/syscalltbl.sh b/arch/x86/syscalls/syscalltbl.sh
+index 0e7f8ec071e76..167965ee742e0 100644
+--- a/arch/x86/syscalls/syscalltbl.sh
++++ b/arch/x86/syscalls/syscalltbl.sh
+@@ -3,13 +3,21 @@
+ in="$1"
+ out="$2"
+ 
++emit() {
++    abi="$1"
++    nr="$2"
++    entry="$3"
++    compat="$4"
++    if [ -n "$compat" ]; then
++	echo "__SYSCALL_${abi}($nr, $entry, $compat)"
++    elif [ -n "$entry" ]; then
++	echo "__SYSCALL_${abi}($nr, $entry, $entry)"
++    fi
++}
++
+ grep '^[0-9]' "$in" | sort -n | (
+     while read nr abi name entry compat; do
+ 	abi=`echo "$abi" | tr '[a-z]' '[A-Z]'`
+-	if [ -n "$compat" ]; then
+-	    echo "__SYSCALL_${abi}($nr, $entry, $compat)"
+-	elif [ -n "$entry" ]; then
+-	    echo "__SYSCALL_${abi}($nr, $entry, $entry)"
+-	fi
++	emit "$abi" "$nr" "$entry" "$compat"
+     done
+ ) > "$out"

patches/4.9/CVE-2019-2054_10.patch

@@ -0,0 +1,75 @@
+From 7734d5abc327e9ea93bb37d74e4f6161d109a739 Mon Sep 17 00:00:00 2001
+From: Kees Cook <[email protected]>
+Date: Thu, 9 Jun 2016 12:36:50 -0700
+Subject: [PATCH] BACKPORT: x86/ptrace: run seccomp after ptrace
+
+This moves seccomp after ptrace on x86 to that seccomp can catch changes
+made by ptrace. Emulation should skip the rest of processing too.
+
+We can get rid of test_thread_flag because there's no longer any
+opportunity for seccomp to mess with ptrace state before invoking
+ptrace.
+
+Suggested-by: Andy Lutomirski <[email protected]>
+Signed-off-by: Kees Cook <[email protected]>
+Cc: [email protected]
+Cc: Andy Lutomirski <[email protected]>
+(cherry picked from commit 93e35efb8de45393cf61ed07f7b407629bf698ea)
+
+Bug: 119769499
+Change-Id: Ia8e6f9a314b8ab36abee47082e49c66fcf201433
+[[email protected]: apply entry/common.c changes to kernel/ptrace.c]
+Signed-off-by: Greg Hackmann <[email protected]>
+---
+ arch/x86/kernel/ptrace.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
+index cf7fa7db1bbc0..883fe73cf2a45 100644
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -1464,6 +1464,7 @@ long syscall_trace_enter(struct pt_regs *regs)
+ 	u32 arch = is_ia32_task() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64;
+ 
+ 	unsigned long ret = 0;
++	bool emulated = false;
+ 	u32 work;
+ 
+ 	BUG_ON(regs != task_pt_regs(current));
+@@ -1490,11 +1491,19 @@ long syscall_trace_enter(struct pt_regs *regs)
+ 	if (work & _TIF_SINGLESTEP)
+ 		regs->flags |= X86_EFLAGS_TF;
+ 
++	if (unlikely(work & _TIF_SYSCALL_EMU))
++		emulated = true;
++
++	if ((emulated || (work & _TIF_SYSCALL_TRACE)) &&
++	    tracehook_report_syscall_entry(regs))
++		return -1L;
++
++	if (emulated)
++		return -1L;
++
+ #ifdef CONFIG_SECCOMP
+ 	/*
+-	 * Do seccomp first -- it should minimize exposure of other
+-	 * code, and keeping seccomp fast is probably more valuable
+-	 * than the rest of this.
++	 * Do seccomp after ptrace, to catch any tracer changes.
+ 	 */
+ 	if (work & _TIF_SECCOMP) {
+ 		struct seccomp_data sd;
+@@ -1527,13 +1536,6 @@ long syscall_trace_enter(struct pt_regs *regs)
+ 	}
+ #endif
+ 
+-	if (unlikely(work & _TIF_SYSCALL_EMU))
+-		ret = -1L;
+-
+-	if ((ret || test_thread_flag(TIF_SYSCALL_TRACE)) &&
+-	    tracehook_report_syscall_entry(regs))
+-		ret = -1L;
+-
+ 	if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
+ 		trace_sys_enter(regs, regs->orig_ax);
+ 

patches/4.9/CVE-2019-2054_11.patch

@@ -0,0 +1,48 @@
+From bac2f2dde8af50c477b580743deb688db25e9e63 Mon Sep 17 00:00:00 2001
+From: Kees Cook <[email protected]>
+Date: Thu, 2 Jun 2016 12:16:31 -0700
+Subject: [PATCH] UPSTREAM: arm/ptrace: run seccomp after ptrace
+
+Close the hole where ptrace can change a syscall out from under seccomp.
+
+Signed-off-by: Kees Cook <[email protected]>
+Cc: Russell King <[email protected]>
+Cc: [email protected]
+(cherry picked from commit 0f3912fd934cdfd03d93f2dc6f064099795bf638)
+
+Bug: 119769499
+Change-Id: Id82e4137207db42a8af31b2745581c53eaaf1f89
+Signed-off-by: Greg Hackmann <[email protected]>
+---
+ arch/arm/kernel/ptrace.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
+index 1027d3b545416..ce131ed5939d5 100644
+--- a/arch/arm/kernel/ptrace.c
++++ b/arch/arm/kernel/ptrace.c
+@@ -932,18 +932,19 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
+ {
+ 	current_thread_info()->syscall = scno;
+ 
+-	/* Do the secure computing check first; failures should be fast. */
++	if (test_thread_flag(TIF_SYSCALL_TRACE))
++		tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
++
++	/* Do seccomp after ptrace; syscall may have changed. */
+ #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
+ 	if (secure_computing(NULL) == -1)
+ 		return -1;
+ #else
+ 	/* XXX: remove this once OABI gets fixed */
+-	secure_computing_strict(scno);
++	secure_computing_strict(current_thread_info()->syscall);
+ #endif
+ 
+-	if (test_thread_flag(TIF_SYSCALL_TRACE))
+-		tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
+-
++	/* Tracer or seccomp may have changed syscall. */
+ 	scno = current_thread_info()->syscall;
+ 
+ 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))

patches/4.9/CVE-2019-2054_12.patch

@@ -0,0 +1,43 @@
+From 357104de527aae243188951399e1c2f72bf9bc81 Mon Sep 17 00:00:00 2001
+From: Kees Cook <[email protected]>
+Date: Thu, 2 Jun 2016 12:28:52 -0700
+Subject: [PATCH] UPSTREAM: arm64/ptrace: run seccomp after ptrace
+
+Close the hole where ptrace can change a syscall out from under seccomp.
+
+Signed-off-by: Kees Cook <[email protected]>
+Cc: Catalin Marinas <[email protected]>
+Cc: Will Deacon <[email protected]>
+Cc: Mark Rutland <[email protected]>
+Cc: [email protected]
+(cherry picked from commit a5cd110cb8369d6b37ef5ccfe56b3fa1338c9615)
+
+Bug: 119769499
+Change-Id: I9fd3e8e6d38122866df434b2676bf7ba0e808e32
+Signed-off-by: Greg Hackmann <[email protected]>
+---
+ arch/arm64/kernel/ptrace.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
+index 4fe7eb2cd9ee0..acc808c9e29d4 100644
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1151,13 +1151,13 @@ static void tracehook_report_syscall(struct pt_regs *regs,
+ 
+ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+ {
+-	/* Do the secure computing check first; failures should be fast. */
+-	if (secure_computing(NULL) == -1)
+-		return -1;
+-
+ 	if (test_thread_flag(TIF_SYSCALL_TRACE))
+ 		tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
+ 
++	/* Do the secure computing after ptrace; failures should be fast. */
++	if (secure_computing(NULL) == -1)
++		return -1;
++
+ 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
+ 		trace_sys_enter(regs, regs->syscallno);
+ 

patches/4.9/CVE-2019-2054_13.patch

@@ -0,0 +1,73 @@
+From cebcb3bb8361857c498bfb80df7f2d7228ba95a1 Mon Sep 17 00:00:00 2001
+From: Kees Cook <[email protected]>
+Date: Wed, 10 Aug 2016 16:28:09 -0700
+Subject: [PATCH] UPSTREAM: seccomp: Fix tracer exit notifications during fatal
+ signals
+
+This fixes a ptrace vs fatal pending signals bug as manifested in
+seccomp now that seccomp was reordered to happen after ptrace. The
+short version is that seccomp should not attempt to call do_exit()
+while fatal signals are pending under a tracer. The existing code was
+trying to be as defensively paranoid as possible, but it now ends up
+confusing ptrace. Instead, the syscall can just be skipped (which solves
+the original concern that the do_exit() was addressing) and normal signal
+handling, tracer notification, and process death can happen.
+
+Paraphrasing from the original bug report:
+
+If a tracee task is in a PTRACE_EVENT_SECCOMP trap, or has been resumed
+after such a trap but not yet been scheduled, and another task in the
+thread-group calls exit_group(), then the tracee task exits without the
+ptracer receiving a PTRACE_EVENT_EXIT notification. Test case here:
+https://gist.github.com/khuey/3c43ac247c72cef8c956ca73281c9be7
+
+The bug happens because when __seccomp_filter() detects
+fatal_signal_pending(), it calls do_exit() without dequeuing the fatal
+signal. When do_exit() sends the PTRACE_EVENT_EXIT notification and
+that task is descheduled, __schedule() notices that there is a fatal
+signal pending and changes its state from TASK_TRACED to TASK_RUNNING.
+That prevents the ptracer's waitpid() from returning the ptrace event.
+A more detailed analysis is here:
+https://github.com/mozilla/rr/issues/1762#issuecomment-237396255.
+
+Reported-by: Robert O'Callahan <[email protected]>
+Reported-by: Kyle Huey <[email protected]>
+Tested-by: Kyle Huey <[email protected]>
+Fixes: 93e35efb8de4 ("x86/ptrace: run seccomp after ptrace")
+Signed-off-by: Kees Cook <[email protected]>
+Acked-by: Oleg Nesterov <[email protected]>
+Acked-by: James Morris <[email protected]>
+(cherry picked from commit 485a252a5559b45d7df04c819ec91177c62c270b)
+
+Bug: 119769499
+Change-Id: I444e69093e88d58587b4d5c4f2d777985591c32d
+Signed-off-by: Greg Hackmann <[email protected]>
+---
+ kernel/seccomp.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c
+index 98b48c2793a26..99bb8734fc88d 100644
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -650,12 +650,16 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
+ 		ptrace_event(PTRACE_EVENT_SECCOMP, data);
+ 		/*
+ 		 * The delivery of a fatal signal during event
+-		 * notification may silently skip tracer notification.
+-		 * Terminating the task now avoids executing a system
+-		 * call that may not be intended.
++		 * notification may silently skip tracer notification,
++		 * which could leave us with a potentially unmodified
++		 * syscall that the tracer would have liked to have
++		 * changed. Since the process is about to die, we just
++		 * force the syscall to be skipped and let the signal
++		 * kill the process and correctly handle any tracer exit
++		 * notifications.
+ 		 */
+ 		if (fatal_signal_pending(current))
+-			do_exit(SIGSYS);
++			goto skip;
+ 		/* Check if the tracer forced the syscall to be skipped. */
+ 		this_syscall = syscall_get_nr(current, task_pt_regs(current));
+ 		if (this_syscall < 0)