authorAlexandre Oliva <lxoliva@fsfla.org>2018-03-14 12:26:58 +0000
committerAlexandre Oliva <lxoliva@fsfla.org>2018-03-14 12:26:58 +0000
commita15ab95c079af8bff24bc62ebd788a5aa4618085 (patch)
tree24233edc559d648bb96d0ea4f732ffe8d4c4d73c
parent557e968b52bc89e700d5ac6187ca9351e38b58b9 (diff)
downloadlinux-libre-raptor-a15ab95c079af8bff24bc62ebd788a5aa4618085.tar.gz
linux-libre-raptor-a15ab95c079af8bff24bc62ebd788a5aa4618085.zip
4.15.9-300.fc27.gnu
-rw-r--r--freed-ora/current/f27/0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch44
-rw-r--r--freed-ora/current/f27/0001-x86-MCE-Serialize-sysfs-changes.patch114
-rw-r--r--freed-ora/current/f27/baseconfig/arm/CONFIG_SATA_SIL241
-rw-r--r--freed-ora/current/f27/kernel-aarch64-debug.config2
-rw-r--r--freed-ora/current/f27/kernel-aarch64.config2
-rw-r--r--freed-ora/current/f27/kernel-armv7hl-debug.config2
-rw-r--r--freed-ora/current/f27/kernel-armv7hl-lpae-debug.config2
-rw-r--r--freed-ora/current/f27/kernel-armv7hl-lpae.config2
-rw-r--r--freed-ora/current/f27/kernel-armv7hl.config2
-rw-r--r--freed-ora/current/f27/kernel.spec18
-rw-r--r--freed-ora/current/f27/patch-4.15-gnu-4.15.8-gnu.xz.sign6
-rw-r--r--freed-ora/current/f27/patch-4.15-gnu-4.15.9-gnu.xz.sign6
-rw-r--r--freed-ora/current/f27/sources2
13 files changed, 188 insertions, 15 deletions
diff --git a/freed-ora/current/f27/0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch b/freed-ora/current/f27/0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
new file mode 100644
index 000000000..061ef5819
--- /dev/null
+++ b/freed-ora/current/f27/0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
@@ -0,0 +1,44 @@
+From 297a6961ffb8ff4dc66c9fbf53b924bd1dda05d5 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Thu, 11 Jan 2018 11:21:51 +0000
+Subject: [PATCH] net: phy: mdio-bcm-unimac: fix potential NULL dereference in
+ unimac_mdio_probe()
+
+platform_get_resource() may fail and return NULL, so we should
+better check it's return value to avoid a NULL pointer dereference
+a bit later in the code.
+
+This is detected by Coccinelle semantic patch.
+
+@@
+expression pdev, res, n, t, e, e1, e2;
+@@
+
+res = platform_get_resource(pdev, t, n);
++ if (!res)
++ return -EINVAL;
+... when != res == NULL
+e = devm_ioremap(e1, res->start, e2);
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/phy/mdio-bcm-unimac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/phy/mdio-bcm-unimac.c b/drivers/net/phy/mdio-bcm-unimac.c
+index 08e0647b85e2..8d370667fa1b 100644
+--- a/drivers/net/phy/mdio-bcm-unimac.c
++++ b/drivers/net/phy/mdio-bcm-unimac.c
+@@ -205,6 +205,8 @@ static int unimac_mdio_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!r)
++ return -EINVAL;
+
+ /* Just ioremap, as this MDIO block is usually integrated into an
+ * Ethernet MAC controller register range
+--
+2.14.3
+
diff --git a/freed-ora/current/f27/0001-x86-MCE-Serialize-sysfs-changes.patch b/freed-ora/current/f27/0001-x86-MCE-Serialize-sysfs-changes.patch
new file mode 100644
index 000000000..84c7b7fd3
--- /dev/null
+++ b/freed-ora/current/f27/0001-x86-MCE-Serialize-sysfs-changes.patch
@@ -0,0 +1,114 @@
+From b3b7c4795ccab5be71f080774c45bbbcc75c2aaf Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 6 Mar 2018 15:21:43 +0100
+Subject: [PATCH] x86/MCE: Serialize sysfs changes
+
+The check_interval file in
+
+ /sys/devices/system/machinecheck/machinecheck<cpu number>
+
+directory is a global timer value for MCE polling. If it is changed by one
+CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
+the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
+mce_timer variable.
+
+If more than one CPU writes a specific value to the check_interval file
+concurrently, mce_timer is not protected from such concurrent accesses and
+all kinds of explosions happen. Since only root can write to those sysfs
+variables, the issue is not a big deal security-wise.
+
+However, concurrent writes to these configuration variables is void of
+reason so the proper thing to do is to serialize the access with a mutex.
+
+Boris:
+
+ - Make store_int_with_restart() use device_store_ulong() to filter out
+ negative intervals
+ - Limit min interval to 1 second
+ - Correct locking
+ - Massage commit message
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
+index b3323cab9139..466f47301334 100644
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -56,6 +56,9 @@
+
+ static DEFINE_MUTEX(mce_log_mutex);
+
++/* sysfs synchronization */
++static DEFINE_MUTEX(mce_sysfs_mutex);
++
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/mce.h>
+
+@@ -2088,6 +2091,7 @@ static ssize_t set_ignore_ce(struct device *s,
+ if (kstrtou64(buf, 0, &new) < 0)
+ return -EINVAL;
+
++ mutex_lock(&mce_sysfs_mutex);
+ if (mca_cfg.ignore_ce ^ !!new) {
+ if (new) {
+ /* disable ce features */
+@@ -2100,6 +2104,8 @@ static ssize_t set_ignore_ce(struct device *s,
+ on_each_cpu(mce_enable_ce, (void *)1, 1);
+ }
+ }
++ mutex_unlock(&mce_sysfs_mutex);
++
+ return size;
+ }
+
+@@ -2112,6 +2118,7 @@ static ssize_t set_cmci_disabled(struct device *s,
+ if (kstrtou64(buf, 0, &new) < 0)
+ return -EINVAL;
+
++ mutex_lock(&mce_sysfs_mutex);
+ if (mca_cfg.cmci_disabled ^ !!new) {
+ if (new) {
+ /* disable cmci */
+@@ -2123,6 +2130,8 @@ static ssize_t set_cmci_disabled(struct device *s,
+ on_each_cpu(mce_enable_ce, NULL, 1);
+ }
+ }
++ mutex_unlock(&mce_sysfs_mutex);
++
+ return size;
+ }
+
+@@ -2130,8 +2139,19 @@ static ssize_t store_int_with_restart(struct device *s,
+ struct device_attribute *attr,
+ const char *buf, size_t size)
+ {
+- ssize_t ret = device_store_int(s, attr, buf, size);
++ unsigned long old_check_interval = check_interval;
++ ssize_t ret = device_store_ulong(s, attr, buf, size);
++
++ if (check_interval == old_check_interval)
++ return ret;
++
++ if (check_interval < 1)
++ check_interval = 1;
++
++ mutex_lock(&mce_sysfs_mutex);
+ mce_restart();
++ mutex_unlock(&mce_sysfs_mutex);
++
+ return ret;
+ }
+
+--
+2.14.3
+
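Review bot: In the embedded mce.c patch, store_int_with_restart() takes mce_sysfs_mutex only around mce_restart(), so the snapshot of check_interval, the device_store_ulong() write and the clamp to 1 all run unlocked. Two concurrent writers can therefore interleave between the store and the clamp, and a written 0 stays visible in check_interval until the clamp runs; whether the polling timer code can observe that value is not visible from this hunk. Consider holding the mutex across the whole snapshot-store-clamp-restart sequence, as sketched below. The declaration of check_interval lies outside the hunk, so confirm it is an unsigned long to match device_store_ulong().

```c
/* … unchanged: store_int_with_restart() signature … */
{
	unsigned long old_check_interval;
	ssize_t ret;

	/* Serialize the snapshot, the store and the clamp, not only the restart. */
	mutex_lock(&mce_sysfs_mutex);
	old_check_interval = check_interval;
	ret = device_store_ulong(s, attr, buf, size);
	if (check_interval != old_check_interval) {
		if (check_interval < 1)
			check_interval = 1;
		mce_restart();
	}
	mutex_unlock(&mce_sysfs_mutex);

	return ret;
}
```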
diff --git a/freed-ora/current/f27/baseconfig/arm/CONFIG_SATA_SIL24 b/freed-ora/current/f27/baseconfig/arm/CONFIG_SATA_SIL24
deleted file mode 100644
index 7526a06a0..000000000
--- a/freed-ora/current/f27/baseconfig/arm/CONFIG_SATA_SIL24
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_SATA_SIL24 is not set
diff --git a/freed-ora/current/f27/kernel-aarch64-debug.config b/freed-ora/current/f27/kernel-aarch64-debug.config
index b1d2ad56d..548ab9830 100644
--- a/freed-ora/current/f27/kernel-aarch64-debug.config
+++ b/freed-ora/current/f27/kernel-aarch64-debug.config
@@ -4673,7 +4673,7 @@ CONFIG_SATA_MV=m
CONFIG_SATA_PMP=y
# CONFIG_SATA_PROMISE is not set
# CONFIG_SATA_QSTOR is not set
-# CONFIG_SATA_SIL24 is not set
+CONFIG_SATA_SIL24=m
# CONFIG_SATA_SIL is not set
# CONFIG_SATA_SIS is not set
# CONFIG_SATA_SVW is not set
diff --git a/freed-ora/current/f27/kernel-aarch64.config b/freed-ora/current/f27/kernel-aarch64.config
index abd349850..979968070 100644
--- a/freed-ora/current/f27/kernel-aarch64.config
+++ b/freed-ora/current/f27/kernel-aarch64.config
@@ -4651,7 +4651,7 @@ CONFIG_SATA_MV=m
CONFIG_SATA_PMP=y
# CONFIG_SATA_PROMISE is not set
# CONFIG_SATA_QSTOR is not set
-# CONFIG_SATA_SIL24 is not set
+CONFIG_SATA_SIL24=m
# CONFIG_SATA_SIL is not set
# CONFIG_SATA_SIS is not set
# CONFIG_SATA_SVW is not set
diff --git a/freed-ora/current/f27/kernel-armv7hl-debug.config b/freed-ora/current/f27/kernel-armv7hl-debug.config
index 8e0c97e58..4251779cd 100644
--- a/freed-ora/current/f27/kernel-armv7hl-debug.config
+++ b/freed-ora/current/f27/kernel-armv7hl-debug.config
@@ -5028,7 +5028,7 @@ CONFIG_SATA_MV=m
CONFIG_SATA_PMP=y
# CONFIG_SATA_PROMISE is not set
# CONFIG_SATA_QSTOR is not set
-# CONFIG_SATA_SIL24 is not set
+CONFIG_SATA_SIL24=m
# CONFIG_SATA_SIL is not set
# CONFIG_SATA_SIS is not set
# CONFIG_SATA_SVW is not set
diff --git a/freed-ora/current/f27/kernel-armv7hl-lpae-debug.config b/freed-ora/current/f27/kernel-armv7hl-lpae-debug.config
index 6c38c0d3d..ebc6bf87a 100644
--- a/freed-ora/current/f27/kernel-armv7hl-lpae-debug.config
+++ b/freed-ora/current/f27/kernel-armv7hl-lpae-debug.config
@@ -4721,7 +4721,7 @@ CONFIG_SATA_MV=m
CONFIG_SATA_PMP=y
# CONFIG_SATA_PROMISE is not set
# CONFIG_SATA_QSTOR is not set
-# CONFIG_SATA_SIL24 is not set
+CONFIG_SATA_SIL24=m
# CONFIG_SATA_SIL is not set
# CONFIG_SATA_SIS is not set
# CONFIG_SATA_SVW is not set
diff --git a/freed-ora/current/f27/kernel-armv7hl-lpae.config b/freed-ora/current/f27/kernel-armv7hl-lpae.config
index d3ba41dde..e2ef7a02b 100644
--- a/freed-ora/current/f27/kernel-armv7hl-lpae.config
+++ b/freed-ora/current/f27/kernel-armv7hl-lpae.config
@@ -4699,7 +4699,7 @@ CONFIG_SATA_MV=m
CONFIG_SATA_PMP=y
# CONFIG_SATA_PROMISE is not set
# CONFIG_SATA_QSTOR is not set
-# CONFIG_SATA_SIL24 is not set
+CONFIG_SATA_SIL24=m
# CONFIG_SATA_SIL is not set
# CONFIG_SATA_SIS is not set
# CONFIG_SATA_SVW is not set
diff --git a/freed-ora/current/f27/kernel-armv7hl.config b/freed-ora/current/f27/kernel-armv7hl.config
index dd031cb8e..b6756abce 100644
--- a/freed-ora/current/f27/kernel-armv7hl.config
+++ b/freed-ora/current/f27/kernel-armv7hl.config
@@ -5006,7 +5006,7 @@ CONFIG_SATA_MV=m
CONFIG_SATA_PMP=y
# CONFIG_SATA_PROMISE is not set
# CONFIG_SATA_QSTOR is not set
-# CONFIG_SATA_SIL24 is not set
+CONFIG_SATA_SIL24=m
# CONFIG_SATA_SIL is not set
# CONFIG_SATA_SIS is not set
# CONFIG_SATA_SVW is not set
diff --git a/freed-ora/current/f27/kernel.spec b/freed-ora/current/f27/kernel.spec
index aa13f3dbe..dc07fb1b6 100644
--- a/freed-ora/current/f27/kernel.spec
+++ b/freed-ora/current/f27/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 8
+%define stable_update 9
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -707,6 +707,12 @@ Patch657: ipmi-fixes.patch
# CVE-2018-7757 rhbz 1553361 1553363
Patch658: 0001-scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch
+# CVE-2018-7995 rhbz 1553911 1553918
+Patch659: 0001-x86-MCE-Serialize-sysfs-changes.patch
+
+# CVE-2018-8043 rhbz 1554199 1554200
+Patch660: 0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2046,6 +2052,16 @@ fi
#
#
%changelog
+* Tue Mar 13 2018 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.15.9-gnu.
+
+* Mon Mar 12 2018 Laura Abbott <labbott@redhat.com> - 4.15.9-300
+- Linux v4.15.9
+
+* Mon Mar 12 2018 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2018-7995 (rhbz 1553911 1553918)
+- Fix CVE-2018-8043 (rhbz 1554199 1554200)
+
* Fri Mar 9 2018 Alexandre Oliva <lxoliva@fsfla.org> -libre
- GNU Linux-libre 4.15.8-gnu.
diff --git a/freed-ora/current/f27/patch-4.15-gnu-4.15.8-gnu.xz.sign b/freed-ora/current/f27/patch-4.15-gnu-4.15.8-gnu.xz.sign
deleted file mode 100644
index 55524180d..000000000
--- a/freed-ora/current/f27/patch-4.15-gnu-4.15.8-gnu.xz.sign
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWqMl5QAKCRC8t8+Hfn1H
-p5KTAJ40Gvbq9xSKuOIjCo3Sdr4x6A2PGwCgqdWec2rTLlkU6H3cMh6GPZgOMQQ=
-=xlzu
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f27/patch-4.15-gnu-4.15.9-gnu.xz.sign b/freed-ora/current/f27/patch-4.15-gnu-4.15.9-gnu.xz.sign
new file mode 100644
index 000000000..5f9ba76fe
--- /dev/null
+++ b/freed-ora/current/f27/patch-4.15-gnu-4.15.9-gnu.xz.sign
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWqWujAAKCRC8t8+Hfn1H
+p12iAJ9Jm+ekfjnw8h5FUlk1Bey9ni20OACgrOZ1QWFlffYD1C7iSeRYnVpQqlQ=
+=nUnX
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f27/sources b/freed-ora/current/f27/sources
index a2f2515d3..b7006188b 100644
--- a/freed-ora/current/f27/sources
+++ b/freed-ora/current/f27/sources
@@ -1,2 +1,2 @@
SHA512 (linux-libre-4.15-gnu.tar.xz) = a55cc663c6fb1e1cfa7905282b368b5d5888bc2398f0acf37e5bb9a232ded04fd566b1980e654da26aaec005332e458581495184d6bd4cec669181085d4d78a5
-SHA512 (patch-4.15-gnu-4.15.8-gnu.xz) = f718c7c825552921b2546589e3900dc82433a764b7981ebd22ec8eb3178ad3021fbf31b9030dc45681926bf522f4c3ce7c51fe60113cd5c707b42adf3efcaae6
+SHA512 (patch-4.15-gnu-4.15.9-gnu.xz) = 5b2ad5af70d432cf79eb11729ae39ed53e0b5b2a76688c35655c78538c1d0aa3852ad2c3244c2e0a4207d678919d806fa1903efdad6690e9679c9208d973bb73