author | Alexandre Oliva <lxoliva@fsfla.org> | 2015-11-16 22:43:32 +0000 |
---|---|---|
committer | Alexandre Oliva <lxoliva@fsfla.org> | 2015-11-16 22:43:32 +0000 |
commit | be43ffc15c54f7f8b7a9a2f81401be6e29edb0d5 (patch) | |
tree | 80b38a037838a46a989337b2ba285cbc76c70b75 | |
parent | 33b6d36cd5bc228a5a8c310d7e28f93093e48716 (diff) | |
4.1.13-100.fc21.gnu
10 files changed, 492 insertions, 107 deletions
diff --git a/freed-ora/current/f21/KVM-svm-unconditionally-intercept-DB.patch b/freed-ora/current/f21/KVM-svm-unconditionally-intercept-DB.patch
new file mode 100644
index 000000000..021af4ccb
--- /dev/null
+++ b/freed-ora/current/f21/KVM-svm-unconditionally-intercept-DB.patch
@@ -0,0 +1,80 @@ +From 48bb9bb210c6c2f185d891e3e7a401d849409f84 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Tue, 10 Nov 2015 13:22:53 +0100 +Subject: [PATCH 2/2] KVM: svm: unconditionally intercept #DB + +This is needed to avoid the possibility that the guest triggers +an infinite stream of #DB exceptions (CVE-2015-8104). + +VMX is not affected: because it does not save DR6 in the VMCS, +it already intercepts #DB unconditionally. + +Reported-by: Jan Beulich <jbeulich@suse.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + arch/x86/kvm/svm.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 7203b3cc71b5..184e50b3c35a 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1111,6 +1111,7 @@ static void init_vmcb(struct vcpu_svm *svm) + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); + set_exception_intercept(svm, AC_VECTOR); ++ set_exception_intercept(svm, DB_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1645,20 +1646,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu, + mark_dirty(svm->vmcb, VMCB_SEG); + } + +-static void update_db_bp_intercept(struct kvm_vcpu *vcpu) ++static void update_bp_intercept(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); + +- clr_exception_intercept(svm, DB_VECTOR); + clr_exception_intercept(svm, BP_VECTOR); + +- if (svm->nmi_singlestep) +- set_exception_intercept(svm, DB_VECTOR); +- + if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) { +- if (vcpu->guest_debug & +- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) +- set_exception_intercept(svm, DB_VECTOR); + if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) + set_exception_intercept(svm, BP_VECTOR); + } else +@@ -1764,7 +1758,6 @@ static int db_interception(struct vcpu_svm *svm) + if (!(svm->vcpu.guest_debug & 
KVM_GUESTDBG_SINGLESTEP)) + svm->vmcb->save.rflags &= + ~(X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(&svm->vcpu); + } + + if (svm->vcpu.guest_debug & +@@ -3753,7 +3746,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu) + */ + svm->nmi_singlestep = true; + svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(vcpu); + } + + static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr) +@@ -4379,7 +4371,7 @@ static struct kvm_x86_ops svm_x86_ops = { + .vcpu_load = svm_vcpu_load, + .vcpu_put = svm_vcpu_put, + +- .update_db_bp_intercept = update_db_bp_intercept, ++ .update_db_bp_intercept = update_bp_intercept, + .get_msr = svm_get_msr, + .set_msr = svm_set_msr, + .get_segment_base = svm_get_segment_base, +-- +2.4.3 + diff --git a/freed-ora/current/f21/KVM-x86-work-around-infinite-loop-in-microcode-when-.patch b/freed-ora/current/f21/KVM-x86-work-around-infinite-loop-in-microcode-when-.patch new file mode 100644 index 000000000..013af11e1 --- /dev/null +++ b/freed-ora/current/f21/KVM-x86-work-around-infinite-loop-in-microcode-when-.patch 
@@ -0,0 +1,92 @@ +From adceca1789584fe567828afb7246bd35a8549e94 Mon Sep 17 00:00:00 2001 +From: Eric Northup <digitaleric@google.com> +Date: Tue, 10 Nov 2015 13:22:52 +0100 +Subject: [PATCH 1/2] KVM: x86: work around infinite loop in microcode when #AC + is delivered + +It was found that a guest can DoS a host by triggering an infinite +stream of "alignment check" (#AC) exceptions. This causes the +microcode to enter an infinite loop where the core never receives +another interrupt. The host kernel panics pretty quickly due to the +effects (CVE-2015-5307). + +Signed-off-by: Eric Northup <digitaleric@google.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + arch/x86/include/uapi/asm/svm.h | 1 + + arch/x86/kvm/svm.c | 8 ++++++++ + arch/x86/kvm/vmx.c | 5 ++++- + 3 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h +index b5d7640abc5d..8a4add8e4639 100644 +--- a/arch/x86/include/uapi/asm/svm.h ++++ b/arch/x86/include/uapi/asm/svm.h +@@ -100,6 +100,7 @@ + { SVM_EXIT_EXCP_BASE + UD_VECTOR, "UD excp" }, \ + { SVM_EXIT_EXCP_BASE + PF_VECTOR, "PF excp" }, \ + { SVM_EXIT_EXCP_BASE + NM_VECTOR, "NM excp" }, \ ++ { SVM_EXIT_EXCP_BASE + AC_VECTOR, "AC excp" }, \ + { SVM_EXIT_EXCP_BASE + MC_VECTOR, "MC excp" }, \ + { SVM_EXIT_INTR, "interrupt" }, \ + { SVM_EXIT_NMI, "nmi" }, \ +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index f2c8e4917688..7203b3cc71b5 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1110,6 +1110,7 @@ static void init_vmcb(struct vcpu_svm *svm) + set_exception_intercept(svm, PF_VECTOR); + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); ++ set_exception_intercept(svm, AC_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1798,6 +1799,12 @@ static int ud_interception(struct vcpu_svm *svm) + return 1; + } + ++static int ac_interception(struct 
vcpu_svm *svm) ++{ ++ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0); ++ return 1; ++} ++ + static void svm_fpu_activate(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); +@@ -3362,6 +3369,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = { + [SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception, + [SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception, + [SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception, ++ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception, + [SVM_EXIT_INTR] = intr_interception, + [SVM_EXIT_NMI] = nmi_interception, + [SVM_EXIT_SMI] = nop_on_interception, +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 5eb56ed77c1f..106aa940d3c0 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1631,7 +1631,7 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu) + u32 eb; + + eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) | +- (1u << NM_VECTOR) | (1u << DB_VECTOR); ++ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR); + if ((vcpu->guest_debug & + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) == + (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) +@@ -5266,6 +5266,9 @@ static int handle_exception(struct kvm_vcpu *vcpu) + return handle_rmode_exception(vcpu, ex_no, error_code); + + switch (ex_no) { ++ case AC_VECTOR: ++ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code); ++ return 1; + case DB_VECTOR: + dr6 = vmcs_readl(EXIT_QUALIFICATION); + if (!(vcpu->guest_debug & +-- +2.4.3 + diff --git a/freed-ora/current/f21/RDS-fix-race-condition-when-sending-a-message-on-unb.patch b/freed-ora/current/f21/RDS-fix-race-condition-when-sending-a-message-on-unb.patch new file mode 100644 index 000000000..8a44c84d3 --- /dev/null +++ b/freed-ora/current/f21/RDS-fix-race-condition-when-sending-a-message-on-unb.patch 
@@ -0,0 +1,77 @@ +From 09dca584f0b6b3bb4fc5f13a388274cd76b69f18 Mon Sep 17 00:00:00 2001 +From: Quentin Casasnovas <quentin.casasnovas@oracle.com> +Date: Fri, 16 Oct 2015 17:11:42 +0200 +Subject: [PATCH] RDS: fix race condition when sending a message on unbound + socket. + +Sasha's found a NULL pointer dereference in the RDS connection code when +sending a message to an apparently unbound socket. The problem is caused +by the code checking if the socket is bound in rds_sendmsg(), which checks +the rs_bound_addr field without taking a lock on the socket. This opens a +race where rs_bound_addr is temporarily set but where the transport is not +in rds_bind(), leading to a NULL pointer dereference when trying to +dereference 'trans' in __rds_conn_create(). + +Vegard wrote a reproducer for this issue, so kindly ask him to share if +you're interested. + +I cannot reproduce the NULL pointer dereference using Vegard's reproducer +with this patch, whereas I could without. + +Complete earlier incomplete fix to CVE-2015-6937: + + 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection") + +Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> +Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com> +Reviewed-by: Sasha Levin <sasha.levin@oracle.com> +Cc: Vegard Nossum <vegard.nossum@oracle.com> +Cc: Sasha Levin <sasha.levin@oracle.com> +Cc: Chien Yen <chien.yen@oracle.com> +Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com> +Cc: David S. 
Miller <davem@davemloft.net> +Cc: stable@vger.kernel.org +--- + net/rds/connection.c | 6 ------ + net/rds/send.c | 4 +++- + 2 files changed, 3 insertions(+), 7 deletions(-) + +diff --git a/net/rds/connection.c b/net/rds/connection.c +index 9d66705f9d41..da6da57e5f36 100644 +--- a/net/rds/connection.c ++++ b/net/rds/connection.c +@@ -187,12 +187,6 @@ new_conn: + } + } + +- if (trans == NULL) { +- kmem_cache_free(rds_conn_slab, conn); +- conn = ERR_PTR(-ENODEV); +- goto out; +- } +- + conn->c_trans = trans; + + ret = trans->conn_alloc(conn, gfp); +diff --git a/net/rds/send.c b/net/rds/send.c +index e9430f537f9c..7b30c0f3180d 100644 +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -986,11 +986,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len) + release_sock(sk); + } + +- /* racing with another thread binding seems ok here */ ++ lock_sock(sk); + if (daddr == 0 || rs->rs_bound_addr == 0) { ++ release_sock(sk); + ret = -ENOTCONN; /* XXX not a great errno */ + goto out; + } ++ release_sock(sk); + + /* size of rm including all sgs */ + ret = rds_rm_size(msg, payload_len); +-- +2.4.3 + diff --git a/freed-ora/current/f21/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch b/freed-ora/current/f21/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch new file mode 100644 index 000000000..cf8b5a829 --- /dev/null +++ b/freed-ora/current/f21/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch 
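Review bot: The connection.c hunk drops the `trans == NULL` guard in `__rds_conn_create` that the commit message identifies as the earlier CVE-2015-6937 fix, so a NULL transport would now reach `ret = trans->conn_alloc(conn, gfp);` unguarded; the fix relies on every caller having established the transport, which the send.c hunk guarantees only for `rds_sendmsg` by reading `rs_bound_addr` under `lock_sock(sk)`. Other callers of `__rds_conn_create` are outside this patch, so unless they are all known to pass a registered transport, keeping the guard alongside the new locking is the safer backport, e.g. `if (!trans) { kmem_cache_free(rds_conn_slab, conn); conn = ERR_PTR(-ENODEV); goto out; }`. The send.c hunk also releases the lock before `rds_rm_size`, so it only orders the bound-address read after bind rather than protecting the rest of the send path; a short comment stating that narrowed intent where the old `racing with another thread binding` comment stood would document the invariant. Both enclosing functions start and end outside the hunks.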
@@ -0,0 +1,40 @@ +From 59f271755df42fce6d38ebdf5b7502666b1e0c36 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings <ben@decadent.org.uk> +Date: Sun, 1 Nov 2015 16:21:24 +0000 +Subject: [PATCH 1/2] isdn_ppp: Add checks for allocation failure in + isdn_ppp_open() + +Compile-tested only. + +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/isdn/i4l/isdn_ppp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c +index c4198fa490bf..86f9abebcb72 100644 +--- a/drivers/isdn/i4l/isdn_ppp.c ++++ b/drivers/isdn/i4l/isdn_ppp.c +@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file) + is->compflags = 0; + + is->reset = isdn_ppp_ccp_reset_alloc(is); ++ if (!is->reset) ++ return -ENOMEM; + + is->lp = NULL; + is->mp_seqno = 0; /* MP sequence number */ +@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file) + * VJ header compression init + */ + is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ ++ if (!is->slcomp) { ++ isdn_ppp_ccp_reset_free(is); ++ return -ENOMEM; ++ } + #endif + #ifdef CONFIG_IPPP_FILTER + is->pass_filter = NULL; +-- +2.4.3 + diff --git a/freed-ora/current/f21/kernel.spec b/freed-ora/current/f21/kernel.spec index adb709b31..cb9d10ca1 100644 --- a/freed-ora/current/f21/kernel.spec +++ b/freed-ora/current/f21/kernel.spec @@ -42,7 +42,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 101 +%global baserelease 100 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching 
@@ -58,9 +58,9 @@ Summary: The Linux kernel %define basegnu -gnu%{?librev} # To be inserted between "patch" and "-2.6.". -#define stablelibre -4.0%{?stablegnux} -#define rcrevlibre -4.0%{?rcrevgnux} -#define gitrevlibre -4.0%{?gitrevgnux} +%define stablelibre -4.1%{?stablegnux} +#define rcrevlibre -4.1%{?rcrevgnux} +#define gitrevlibre -4.1%{?gitrevgnux} %if 0%{?stablelibre:1} %define stablegnu -gnu%{?librev} @@ -92,7 +92,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 12 +%define stable_update 13 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -424,7 +424,7 @@ BuildRequires: net-tools, hostname, bc BuildRequires: sparse %endif %if %{with_perf} -BuildRequires: elfutils-devel zlib-devel binutils-devel newt-devel python-devel perl(ExtUtils::Embed) bison flex +BuildRequires: elfutils-devel zlib-devel binutils-devel newt-devel python-devel perl(ExtUtils::Embed) bison flex xz-devel BuildRequires: audit-libs-devel %ifnarch s390 s390x %{arm} BuildRequires: numactl-devel @@ -698,10 +698,8 @@ Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch #CVE-2015-6937 rhbz 1263139 1263140 Patch523: RDS-verify-the-underlying-transport-exists-before-cr.patch - -#rhbz 1265978 -Patch536: si2168-Bounds-check-firmware.patch -Patch537: si2157-Bounds-check-firmware.patch +#CVE-2015-7990 rhbz 1276437 1276438 +Patch524: RDS-fix-race-condition-when-sending-a-message-on-unb.patch #CVE-2015-5156 rhbz 1243852 1266515 Patch539: virtio-net-drop-NETIF_F_FRAGLIST.patch 
@@ -710,6 +708,16 @@ Patch539: virtio-net-drop-NETIF_F_FRAGLIST.patch Patch540: 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch Patch541: 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch +#CVE-2015-7799 rhbz 1271134 1271135 +Patch543: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch +Patch544: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch + +#CVE-2015-5307 rhbz 1277172 1279688 +Patch550: KVM-x86-work-around-infinite-loop-in-microcode-when-.patch + +#CVE-2015-8104 rhbz 1278496 1279691 +Patch551: KVM-svm-unconditionally-intercept-DB.patch + # END OF PATCH DEFINITIONS %endif @@ -1262,7 +1270,7 @@ if [ ! -d kernel-%{kversion}%{?dist}/vanilla-%{vanillaversion} ]; then fi -perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION =%{?stablegnux}/" vanilla-%{kversion}/Makefile +perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = %{?stablegnux}/" vanilla-%{kversion}/Makefile %if "%{kversion}" != "%{vanillaversion}" @@ -1285,7 +1293,7 @@ perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION =%{?stablegnux}/" vanilla-%{kversi # (non-released_kernel case only) %if 0%{?rcrev} %if "%{?stablelibre}" != "%{?rcrevlibre}" - perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION =%{?rcrevgnux}/" Makefile + perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = %{?rcrevgnux}/" Makefile %endif ApplyPatch patch%{?rcrevlibre}-4.%{upstream_sublevel}-rc%{rcrev}%{?rcrevgnu}.xz %if 0%{?gitrev} @@ -1295,7 +1303,7 @@ perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION =%{?stablegnux}/" vanilla-%{kversi %else # pre-{base_sublevel+1}-rc1 case %if "%{?stablelibre}" != "%{?gitrevlibre}" - perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION =%{?gitrevgnux}/" Makefile + perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = %{?gitrevgnux}/" Makefile %endif %if 0%{?gitrev} ApplyPatch patch%{?gitrevlibre}-4.%{base_sublevel}-git%{gitrev}%{?gitrevgnu}.xz 
@@ -1557,10 +1565,8 @@ ApplyPatch drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch #CVE-2015-6937 rhbz 1263139 1263140 ApplyPatch RDS-verify-the-underlying-transport-exists-before-cr.patch - -#rhbz 1265978 -ApplyPatch si2168-Bounds-check-firmware.patch -ApplyPatch si2157-Bounds-check-firmware.patch +#CVE-2015-7990 rhbz 1276437 1276438 +ApplyPatch RDS-fix-race-condition-when-sending-a-message-on-unb.patch #CVE-2015-5156 rhbz 1243852 1266515 ApplyPatch virtio-net-drop-NETIF_F_FRAGLIST.patch @@ -1569,6 +1575,16 @@ ApplyPatch virtio-net-drop-NETIF_F_FRAGLIST.patch ApplyPatch 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch ApplyPatch 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch +#CVE-2015-7799 rhbz 1271134 1271135 +ApplyPatch isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch +ApplyPatch ppp-slip-Validate-VJ-compression-slot-parameters-com.patch + +#CVE-2015-5307 rhbz 1277172 1279688 +ApplyPatch KVM-x86-work-around-infinite-loop-in-microcode-when-.patch + +#CVE-2015-8104 rhbz 1278496 1279691 +ApplyPatch KVM-svm-unconditionally-intercept-DB.patch + # END OF PATCH APPLICATIONS %endif 
@@ -2441,6 +2457,29 @@ fi # ||----w | # || || %changelog +* Tue Nov 10 2015 Alexandre Oliva <lxoliva@fsfla.org> -libre +- GNU Linux-libre 4.1.13-gnu. + +* Tue Nov 10 2015 Josh Boyer <jwboyer@fedoraproject.org> +- Linux v4.1.13 +- CVE-2015-8104 kvm: DoS infinite loop in microcode DB exception (rhbz 1278496 1279691) +- CVE-2015-5307 kvm: DoS infinite loop in microcode AC exception (rhbz 1277172 1279688) + +* Thu Nov 05 2015 Josh Boyer <jwboyer@fedoraproject.org> +- Fix backlight regression on older radeon devices (rhbz 1278407) + +* Tue Nov 03 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-7799 slip:crash when using PPP char dev driver (rhbz 1271134 1271135) + +* Tue Nov 03 2015 Justin M. Forbes <jforbes@fedoraproject.org> +- Add xz-devel builreq for perf (rhbz 1167457) + +* Mon Nov 02 2015 Laura Abbott <labbott@fedoraproject.org> +- Add spurious wakeup quirk for LynxPoint-LP controllers (rhbz 1257131) + +* Thu Oct 29 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-7099 RDS: race condition on unbound socket null deref (rhbz 1276437 1276438) + * Tue Oct 27 2015 Peter Robinson <pbrobinson@fedoraproject.org> - 4.1.12-101 - CMA memory patch to fix aarch64 builder lockups diff --git a/freed-ora/current/f21/patch-4.1-gnu-4.1.13-gnu.xz.sign b/freed-ora/current/f21/patch-4.1-gnu-4.1.13-gnu.xz.sign new file mode 100644 index 000000000..093d5dc9d --- /dev/null +++ b/freed-ora/current/f21/patch-4.1-gnu-4.1.13-gnu.xz.sign @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iEYEABECAAYFAlZCRCMACgkQvLfPh359R6dV5QCePB4XfPvZoPWk9yRwvGsrY00M +OqwAn0IFkSNfHcNcPKHKpqpNzFANNPmM +=SISa +-----END PGP SIGNATURE----- diff --git a/freed-ora/current/f21/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch b/freed-ora/current/f21/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch new file mode 100644 index 000000000..eac5aa7de --- /dev/null +++ b/freed-ora/current/f21/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch 
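Review bot: The Oct 29 changelog entry names `CVE-2015-7099`, while the Patch524 definition and its ApplyPatch line, which cite the same rhbz 1276437 1276438, both say `CVE-2015-7990`; the patch comments agree with each other, so the changelog line appears to be the transposition and should read `- CVE-2015-7990 RDS: race condition on unbound socket null deref (rhbz 1276437 1276438)`. The two new patch pairs are order-dependent: the DB patch's svm.c hunks are against blob `7203b3cc71b5`, which the AC patch produces, and the ppp-slip patch's isdn_ppp.c hunks are against `86f9abebcb72`, produced by the isdn_ppp allocation patch, so `Patch550`/`Patch551` and `Patch543`/`Patch544` must keep their relative order; a comment such as `# Patch551 and Patch544 apply on top of the preceding patch in their series` next to the definitions would record that. The si2157/si2168 bounds-check patches are dropped without a changelog line; if they are now carried by the 4.1.13 stable update, saying so would keep the history traceable. The Nov 03 entry also reads `builreq`, presumably `buildreq`.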
@@ -0,0 +1,139 @@ +From a8bc90052f18348718412cebf7b569da95bad264 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings <ben@decadent.org.uk> +Date: Sun, 1 Nov 2015 16:22:53 +0000 +Subject: [PATCH 2/2] ppp, slip: Validate VJ compression slot parameters + completely +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently slhc_init() treats out-of-range values of rslots and tslots +as equivalent to 0, except that if tslots is too large it will +dereference a null pointer (CVE-2015-7799). + +Add a range-check at the top of the function and make it return an +ERR_PTR() on error instead of NULL. Change the callers accordingly. + +Compile-tested only. + +Reported-by: 郭永刚 <guoyonggang@360.cn> +References: http://article.gmane.org/gmane.comp.security.oss.general/17908 +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/isdn/i4l/isdn_ppp.c | 10 ++++------ + drivers/net/ppp/ppp_generic.c | 6 ++---- + drivers/net/slip/slhc.c | 12 ++++++++---- + drivers/net/slip/slip.c | 2 +- + 4 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c +index 86f9abebcb72..9c1e8adaf4fc 100644 +--- a/drivers/isdn/i4l/isdn_ppp.c ++++ b/drivers/isdn/i4l/isdn_ppp.c +@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file) + * VJ header compression init + */ + is->slcomp = slhc_init(16, 16); /* not necessary for 2. 
link in bundle */ +- if (!is->slcomp) { ++ if (IS_ERR(is->slcomp)) { + isdn_ppp_ccp_reset_free(is); +- return -ENOMEM; ++ return PTR_ERR(is->slcomp); + } + #endif + #ifdef CONFIG_IPPP_FILTER +@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg) + is->maxcid = val; + #ifdef CONFIG_ISDN_PPP_VJ + sltmp = slhc_init(16, val); +- if (!sltmp) { +- printk(KERN_ERR "ippp, can't realloc slhc struct\n"); +- return -ENOMEM; +- } ++ if (IS_ERR(sltmp)) ++ return PTR_ERR(sltmp); + if (is->slcomp) + slhc_free(is->slcomp); + is->slcomp = sltmp; +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index ed00446759b2..9a863c6a6a33 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -721,10 +721,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + val &= 0xffff; + } + vj = slhc_init(val2+1, val+1); +- if (!vj) { +- netdev_err(ppp->dev, +- "PPP: no memory (VJ compressor)\n"); +- err = -ENOMEM; ++ if (IS_ERR(vj)) { ++ err = PTR_ERR(vj); + break; + } + ppp_lock(ppp); +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c +index 079f7adfcde5..27ed25252aac 100644 +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp); + static unsigned char * put16(unsigned char *cp, unsigned short x); + static unsigned short pull16(unsigned char **cpp); + +-/* Initialize compression data structure ++/* Allocate compression data structure + * slots must be in range 0 to 255 (zero meaning no compression) ++ * Returns pointer to structure or ERR_PTR() on error. + */ + struct slcompress * + slhc_init(int rslots, int tslots) +@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots) + register struct cstate *ts; + struct slcompress *comp; + ++ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255) ++ return ERR_PTR(-EINVAL); ++ + comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL); + if (! 
comp) + goto out_fail; + +- if ( rslots > 0 && rslots < 256 ) { ++ if (rslots > 0) { + size_t rsize = rslots * sizeof(struct cstate); + comp->rstate = kzalloc(rsize, GFP_KERNEL); + if (! comp->rstate) +@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots) + comp->rslot_limit = rslots - 1; + } + +- if ( tslots > 0 && tslots < 256 ) { ++ if (tslots > 0) { + size_t tsize = tslots * sizeof(struct cstate); + comp->tstate = kzalloc(tsize, GFP_KERNEL); + if (! comp->tstate) +@@ -141,7 +145,7 @@ out_free2: + out_free: + kfree(comp); + out_fail: +- return NULL; ++ return ERR_PTR(-ENOMEM); + } + + +diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c +index 05387b1e2e95..a17d86a57734 100644 +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu) + if (cbuff == NULL) + goto err_exit; + slcomp = slhc_init(16, 16); +- if (slcomp == NULL) ++ if (IS_ERR(slcomp)) + goto err_exit; + #endif + spin_lock_bh(&sl->lock); +-- +2.4.3 + diff --git a/freed-ora/current/f21/si2157-Bounds-check-firmware.patch b/freed-ora/current/f21/si2157-Bounds-check-firmware.patch deleted file mode 100644 index 284006160..000000000 --- a/freed-ora/current/f21/si2157-Bounds-check-firmware.patch +++ /dev/null 
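Review bot: The slhc.c hunk makes `slhc_init` return `ERR_PTR()` instead of NULL on every failure, but two callers in this patch still leave that value where NULL-checking code can find it. In isdn_ppp.c, `is->slcomp` keeps the error pointer after the `IS_ERR(is->slcomp)` early return, while the ioctl hunk in the same file frees with `if (is->slcomp) slhc_free(is->slcomp);`, a test an ERR_PTR passes; saving the code first avoids that: `int err = PTR_ERR(is->slcomp); is->slcomp = NULL; return err;` (after the `isdn_ppp_ccp_reset_free(is)` call). In slip.c, `sl_alloc_bufs` now jumps to `err_exit` with `slcomp` holding an ERR_PTR; if that label's cleanup passes `slcomp` to `slhc_free` (outside the hunk), a NULL check there would no longer protect it, so either clear `slcomp` before the `goto` or make `slhc_free` tolerate error pointers with `IS_ERR_OR_NULL`. The enclosing functions in both files start outside the hunks.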
@@ -1,39 +0,0 @@ -From 526fbce5b0e44c67a97c57656b3be9911f0a9b9b Mon Sep 17 00:00:00 2001 -From: Laura Abbott <labbott@fedoraproject.org> -Date: Tue, 29 Sep 2015 16:59:20 -0700 -Subject: [PATCH 2/2] si2157: Bounds check firmware -To: Antti Palosaari <crope@iki.fi> -To: Mauro Carvalho Chehab <mchehab@osg.samsung.com> -Cc: Olli Salonen <olli.salonen@iki.fi> -Cc: linux-media@vger.kernel.org -Cc: linux-kernel@vger.kernel.org - -When reading the firmware and sending commands, the length -must be bounds checked to avoid overrunning the size of the command -buffer and smashing the stack if the firmware is not in the -expected format. Add the proper check. - -Cc: stable@kernel.org -Signed-off-by: Laura Abbott <labbott@fedoraproject.org> ---- - drivers/media/tuners/si2157.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c -index 5073821..ce157ed 100644 ---- a/drivers/media/tuners/si2157.c -+++ b/drivers/media/tuners/si2157.c -@@ -166,6 +166,10 @@ static int si2157_init(struct dvb_frontend *fe) - - for (remaining = fw->size; remaining > 0; remaining -= 17) { - len = fw->data[fw->size - remaining]; -+ if (len > SI2157_ARGLEN) { -+ dev_err(&client->dev, "Bad firmware length\n"); -+ goto err_release_firmware; -+ } - memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len); - cmd.wlen = len; - cmd.rlen = 1; --- -2.4.3 - diff --git a/freed-ora/current/f21/si2168-Bounds-check-firmware.patch b/freed-ora/current/f21/si2168-Bounds-check-firmware.patch deleted file mode 100644 index e9c5bcc50..000000000 --- a/freed-ora/current/f21/si2168-Bounds-check-firmware.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 43018528944fa4965a4048fee91d76b47dcaf60e Mon Sep 17 00:00:00 2001 -From: Laura Abbott <labbott@fedoraproject.org> -Date: Mon, 28 Sep 2015 14:10:34 -0700 -Subject: [PATCH 1/2] si2168: Bounds check firmware -To: Antti Palosaari <crope@iki.fi> -To: Mauro Carvalho Chehab <mchehab@osg.samsung.com> -Cc: Olli Salonen <olli.salonen@iki.fi> -Cc: linux-media@vger.kernel.org -Cc: linux-kernel@vger.kernel.org -Cc: Stuart Auchterlonie <sauchter@redhat.com> - - -When reading the firmware and sending commands, the length must -be bounds checked to avoid overrunning the size of the command -buffer and smashing the stack if the firmware is not in the expected -format: - -si2168 11-0064: found a 'Silicon Labs Si2168-B40' -si2168 11-0064: downloading firmware from file 'dvb-demod-si2168-b40-01.fw' -si2168 11-0064: firmware download failed -95 -Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa085708f - -Add the proper check. - -Cc: stable@kernel.org -Reported-by: Stuart Auchterlonie <sauchter@redhat.com> -Reviewed-by: Antti Palosaari <crope@iki.fi> -Signed-off-by: Laura Abbott <labbott@fedoraproject.org> ---- - drivers/media/dvb-frontends/si2168.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c -index 81788c5..821a8f4 100644 ---- a/drivers/media/dvb-frontends/si2168.c -+++ b/drivers/media/dvb-frontends/si2168.c -@@ -502,6 +502,10 @@ static int si2168_init(struct dvb_frontend *fe) - /* firmware is in the new format */ - for (remaining = fw->size; remaining > 0; remaining -= 17) { - len = fw->data[fw->size - remaining]; -+ if (len > SI2168_ARGLEN) { -+ ret = -EINVAL; -+ break; -+ } - memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len); - cmd.wlen = len; - cmd.rlen = 1; --- -2.4.3 - diff --git a/freed-ora/current/f21/sources b/freed-ora/current/f21/sources index 3d9be9b68..a17148d11 100644 --- a/freed-ora/current/f21/sources 
+++ b/freed-ora/current/f21/sources @@ -1,3 +1,3 @@ c50583c12a3477cb002024e8efd435cf linux-libre-4.1-gnu.tar.xz 5b4d0e18c713a479a7b4c1aa53a7432b perf-man-4.1.tar.gz -e790ae84e0109a3d95cc617be448171b patch-4.1.12.xz +4d4a6b0e23d4adda999ccf4e7572dd65 patch-4.1-gnu-4.1.13-gnu.xz |