add patch that should fix kernel crashes occurring since 6.6.3
authorJan Palus <atler@pld-linux.org>
Mon, 4 Dec 2023 09:02:39 +0000 (10:02 +0100)
committerJan Palus <atler@pld-linux.org>
Mon, 4 Dec 2023 09:02:39 +0000 (10:02 +0100)
Scheduled for inclusion in 6.6.5. Crashes may or may not occur, depending on
the struct randomization seed.

kernel.spec
neighbour-randomize-layout-crash.patch [new file with mode: 0644]

index 98b6615eefd499efe6582a1001423939544a2ae2..247b3dcd302351e8c9731fdad221cbeced1f0506 100644 (file)
@@ -210,6 +210,8 @@ Patch8002:  atheros-disallow-retrain-nongen1-pcie.patch
 Patch8004:     ath-regd.patch
 Patch8005:     rkvdec-hevc.patch
 
+Patch9000:     neighbour-randomize-layout-crash.patch
+
 # Do not remove this line, please. It is easier for me to uncomment two lines, then patch
 # kernel.spec every time.
 #Patch50000:   kernel-usb_reset.patch
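Review bot: The new `Patch9000` tag, and the unconditional `%patch9000 -p1` added in the second hunk, carry no marker saying when they should be dropped, although the commit description says the fix is scheduled for 6.6.5. Once the spec moves to a release that already contains upstream commit 45b3fae4675d, the patch is expected to stop applying cleanly and %prep will need manual attention. A comment above the tag would record this, for example `# upstream 45b3fae4675d (struct neighbour vs. randstruct); drop when updating to >= 6.6.5`.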
@@ -661,6 +663,8 @@ cd linux-%{basever}
 %patch8005 -p1
 %endif
 
+%patch9000 -p1
+
 %if %{with rt}
 %patch500 -p1
 rm -f localversion-rt
diff --git a/neighbour-randomize-layout-crash.patch b/neighbour-randomize-layout-crash.patch
new file mode 100644 (file)
index 0000000..1650e8c
--- /dev/null
@@ -0,0 +1,50 @@
+From 6ebf707e10dee4d186e46e414fe6d923e60e1aae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Nov 2023 15:33:58 -0600
+Subject: neighbour: Fix __randomize_layout crash in struct neighbour
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 45b3fae4675dc1d4ee2d7aefa19d85ee4f891377 ]
+
+Previously, one-element and zero-length arrays were treated as true
+flexible arrays, even though they are actually "fake" flex arrays.
+The __randomize_layout would leave them untouched at the end of the
+struct, similarly to proper C99 flex-array members.
+
+However, this approach changed with commit 1ee60356c2dc ("gcc-plugins:
+randstruct: Only warn about true flexible arrays"). Now, only C99
+flexible-array members will remain untouched at the end of the struct,
+while one-element and zero-length arrays will be subject to randomization.
+
+Fix a `__randomize_layout` crash in `struct neighbour` by transforming
+zero-length array `primary_key` into a proper C99 flexible-array member.
+
+Fixes: 1ee60356c2dc ("gcc-plugins: randstruct: Only warn about true flexible arrays")
+Closes: https://lore.kernel.org/linux-hardening/20231124102458.GB1503258@e124191.cambridge.arm.com/
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Tested-by: Joey Gouly <joey.gouly@arm.com>
+Link: https://lore.kernel.org/r/ZWJoRsJGnCPdJ3+2@work
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/neighbour.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/neighbour.h b/include/net/neighbour.h
+index 07022bb0d44d4..0d28172193fa6 100644
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -162,7 +162,7 @@ struct neighbour {
+       struct rcu_head         rcu;
+       struct net_device       *dev;
+       netdevice_tracker       dev_tracker;
+-      u8                      primary_key[0];
++      u8                      primary_key[];
+ } __randomize_layout;
+ struct neigh_ops {
+-- 
+2.42.0
+
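Review bot: The new `primary_key[]` declaration has no comment explaining why it must not be changed back to `[0]` or `[1]`, so the constraint is invisible at the declaration. According to the patch description, randstruct now keeps only true C99 flexible-array members at the end of a `__randomize_layout` struct. A comment on that line, such as `/* must remain a C99 flexible array: randstruct shuffles [0]/[1] trailing arrays */`, would guard against a regression. The same description implies that other `__randomize_layout` structs ending in zero-length or one-element arrays could be affected in the same way; this patch covers `struct neighbour` only, so a tree-wide check may be worth doing. `struct neighbour` starts outside the hunk.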