| author | Alexandre Oliva <lxoliva@fsfla.org> | 2015-10-09 10:05:40 +0000 |
|---|---|---|
| committer | Alexandre Oliva <lxoliva@fsfla.org> | 2015-10-09 10:05:40 +0000 |
| commit | 20d20fce3c0f9263ffe757f06fd8a4fb3e28108c (patch) | |
| tree | 398d4f3f11be7d225c2a3ebe6a9a3b6ce2e36f53 /freed-ora/current/f22 | |
| parent | 61f4834cac1f1a345eb423ba917ea0455146a7fb (diff) | |
| download | linux-libre-raptor-20d20fce3c0f9263ffe757f06fd8a4fb3e28108c.tar.gz linux-libre-raptor-20d20fce3c0f9263ffe757f06fd8a4fb3e28108c.zip | |
4.1.10-200.fc22.gnu
Diffstat (limited to 'freed-ora/current/f22')
7 files changed, 443 insertions, 2 deletions
diff --git a/freed-ora/current/f22/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch b/freed-ora/current/f22/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch new file mode 100644 index 000000000..8a53a43ce --- /dev/null +++ b/freed-ora/current/f22/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch 
@@ -0,0 +1,117 @@ +From b9a532277938798b53178d5a66af6e2915cb27cf Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Wed, 30 Sep 2015 12:48:40 -0400 +Subject: [PATCH] Initialize msg/shm IPC objects before doing ipc_addid() + +As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before +having initialized the IPC object state. Yes, we initialize the IPC +object in a locked state, but with all the lockless RCU lookup work, +that IPC object lock no longer means that the state cannot be seen. + +We already did this for the IPC semaphore code (see commit e8577d1f0329: +"ipc/sem.c: fully initialize sem_array before making it visible") but we +clearly forgot about msg and shm. + +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Cc: Manfred Spraul <manfred@colorfullife.com> +Cc: Davidlohr Bueso <dbueso@suse.de> +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + ipc/msg.c | 14 +++++++------- + ipc/shm.c | 13 +++++++------ + ipc/util.c | 8 ++++---- + 3 files changed, 18 insertions(+), 17 deletions(-) + +diff --git a/ipc/msg.c b/ipc/msg.c +index 66c4f567eb73..1471db9a7e61 100644 +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params) + return retval; + } + +- /* ipc_addid() locks msq upon success. */ +- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni); +- if (id < 0) { +- ipc_rcu_putref(msq, msg_rcu_free); +- return id; +- } +- + msq->q_stime = msq->q_rtime = 0; + msq->q_ctime = get_seconds(); + msq->q_cbytes = msq->q_qnum = 0; +@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params) + INIT_LIST_HEAD(&msq->q_receivers); + INIT_LIST_HEAD(&msq->q_senders); + ++ /* ipc_addid() locks msq upon success. 
*/ ++ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni); ++ if (id < 0) { ++ ipc_rcu_putref(msq, msg_rcu_free); ++ return id; ++ } ++ + ipc_unlock_object(&msq->q_perm); + rcu_read_unlock(); + +diff --git a/ipc/shm.c b/ipc/shm.c +index 222131e8e38f..41787276e141 100644 +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -551,12 +551,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) + if (IS_ERR(file)) + goto no_file; + +- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); +- if (id < 0) { +- error = id; +- goto no_id; +- } +- + shp->shm_cprid = task_tgid_vnr(current); + shp->shm_lprid = 0; + shp->shm_atim = shp->shm_dtim = 0; +@@ -565,6 +559,13 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) + shp->shm_nattch = 0; + shp->shm_file = file; + shp->shm_creator = current; ++ ++ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); ++ if (id < 0) { ++ error = id; ++ goto no_id; ++ } ++ + list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist); + + /* +diff --git a/ipc/util.c b/ipc/util.c +index be4230020a1f..0f401d94b7c6 100644 +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -237,6 +237,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size) + rcu_read_lock(); + spin_lock(&new->lock); + ++ current_euid_egid(&euid, &egid); ++ new->cuid = new->uid = euid; ++ new->gid = new->cgid = egid; ++ + id = idr_alloc(&ids->ipcs_idr, new, + (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0, + GFP_NOWAIT); +@@ -249,10 +253,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size) + + ids->in_use++; + +- current_euid_egid(&euid, &egid); +- new->cuid = new->uid = euid; +- new->gid = new->cgid = egid; +- + if (next_id < 0) { + new->seq = ids->seq++; + if (ids->seq > IPCID_SEQ_MAX) +-- +2.4.3 + diff --git a/freed-ora/current/f22/dcache-Handle-escaped-paths-in-prepend_path.patch b/freed-ora/current/f22/dcache-Handle-escaped-paths-in-prepend_path.patch new file mode 100644 index 000000000..e09e9e444 
--- /dev/null +++ b/freed-ora/current/f22/dcache-Handle-escaped-paths-in-prepend_path.patch 
@@ -0,0 +1,65 @@ +From 0e9ff3b71d0b2866f8f4ce408043f3f06792aad3 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Sat, 15 Aug 2015 13:36:12 -0500 +Subject: [PATCH 1/2] dcache: Handle escaped paths in prepend_path + +commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream. + +A rename can result in a dentry that by walking up d_parent +will never reach it's mnt_root. For lack of a better term +I call this an escaped path. + +prepend_path is called by four different functions __d_path, +d_absolute_path, d_path, and getcwd. + +__d_path only wants to see paths are connected to the root it passes +in. So __d_path needs prepend_path to return an error. + +d_absolute_path similarly wants to see paths that are connected to +some root. Escaped paths are not connected to any mnt_root so +d_absolute_path needs prepend_path to return an error greater +than 1. So escaped paths will be treated like paths on lazily +unmounted mounts. + +getcwd needs to prepend "(unreachable)" so getcwd also needs +prepend_path to return an error. + +d_path is the interesting hold out. d_path just wants to print +something, and does not care about the weird cases. Which raises +the question what should be printed? + +Given that <escaped_path>/<anything> should result in -ENOENT I +believe it is desirable for escaped paths to be printed as empty +paths. As there are not really any meaninful path components when +considered from the perspective of a mount tree. + +So tweak prepend_path to return an empty path with an new error +code of 3 when it encounters an escaped path. + +Signed-off-by: "Eric W. 
Biederman" <ebiederm@xmission.com> +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +--- + fs/dcache.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/dcache.c b/fs/dcache.c +index 5d03eb0ec0ac..2e8ddc1d09e9 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -2923,6 +2923,13 @@ restart: + + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) { + struct mount *parent = ACCESS_ONCE(mnt->mnt_parent); ++ /* Escaped? */ ++ if (dentry != vfsmnt->mnt_root) { ++ bptr = *buffer; ++ blen = *buflen; ++ error = 3; ++ break; ++ } + /* Global root? */ + if (mnt != parent) { + dentry = ACCESS_ONCE(mnt->mnt_mountpoint); +-- +2.4.3 + diff --git a/freed-ora/current/f22/inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch b/freed-ora/current/f22/inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch new file mode 100644 index 000000000..b6c9f34dc --- /dev/null +++ b/freed-ora/current/f22/inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch 
@@ -0,0 +1,40 @@ +From 05676fe53c9f26fe703c57b14bdd0807e23cc33b Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Thu, 13 Aug 2015 15:44:51 -0700 +Subject: [PATCH 1/2] inet: fix potential deadlock in reqsk_queue_unlink() + +When replacing del_timer() with del_timer_sync(), I introduced +a deadlock condition : + +reqsk_queue_unlink() is called from inet_csk_reqsk_queue_drop() + +inet_csk_reqsk_queue_drop() can be called from many contexts, +one being the timer handler itself (reqsk_timer_handler()). + +In this case, del_timer_sync() loops forever. + +Simple fix is to test if timer is pending. + +Fixes: 2235f2ac75fd ("inet: fix races with reqsk timers") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv4/inet_connection_sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index b27fc401c6a9..e664706b350c 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -584,7 +584,7 @@ static bool reqsk_queue_unlink(struct request_sock_queue *queue, + } + + spin_unlock(&queue->syn_wait_lock); +- if (del_timer_sync(&req->rsk_timer)) ++ if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) + reqsk_put(req); + return found; + } +-- +2.4.3 + diff --git a/freed-ora/current/f22/inet-fix-race-in-reqsk_queue_unlink.patch b/freed-ora/current/f22/inet-fix-race-in-reqsk_queue_unlink.patch new file mode 100644 index 000000000..c5c766990 --- /dev/null +++ b/freed-ora/current/f22/inet-fix-race-in-reqsk_queue_unlink.patch 
@@ -0,0 +1,63 @@ +From 8f6a05588928ef61e751ca3cb008b9847fb6b83d Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Thu, 1 Oct 2015 05:39:26 -0700 +Subject: [PATCH] inet: fix race in reqsk_queue_unlink() + +reqsk_timer_handler() tests if icsk_accept_queue.listen_opt +is NULL at its beginning. + +By the time it calls inet_csk_reqsk_queue_drop() and +reqsk_queue_unlink(), listener might have been closed and +inet_csk_listen_stop() had called reqsk_queue_yank_acceptq() +which sets icsk_accept_queue.listen_opt to NULL + +We therefore need to correctly check listen_opt being NULL +after holding syn_wait_lock for proper synchronization. + +Fixes: fa76ce7328b2 ("inet: get rid of central tcp/dccp listener timer") +Fixes: b357a364c57c ("inet: fix possible panic in reqsk_queue_unlink()") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Yuchung Cheng <ycheng@google.com> +--- + net/ipv4/inet_connection_sock.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index e664706b350c..37c8b45af44b 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -568,21 +568,22 @@ EXPORT_SYMBOL(inet_rtx_syn_ack); + static bool reqsk_queue_unlink(struct request_sock_queue *queue, + struct request_sock *req) + { +- struct listen_sock *lopt = queue->listen_opt; + struct request_sock **prev; ++ struct listen_sock *lopt; + bool found = false; + + spin_lock(&queue->syn_wait_lock); +- +- for (prev = &lopt->syn_table[req->rsk_hash]; *prev != NULL; +- prev = &(*prev)->dl_next) { +- if (*prev == req) { +- *prev = req->dl_next; +- found = true; +- break; ++ lopt = queue->listen_opt; ++ if (lopt) { ++ for (prev = &lopt->syn_table[req->rsk_hash]; *prev != NULL; ++ prev = &(*prev)->dl_next) { ++ if (*prev == req) { ++ *prev = req->dl_next; ++ found = true; ++ break; ++ } + } + } +- + spin_unlock(&queue->syn_wait_lock); + if 
(timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer)) + reqsk_put(req); +-- +2.4.3 + diff --git a/freed-ora/current/f22/kernel.spec b/freed-ora/current/f22/kernel.spec index 054611bbb..4c3e5e84c 100644 --- a/freed-ora/current/f22/kernel.spec +++ b/freed-ora/current/f22/kernel.spec @@ -90,7 +90,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -701,6 +701,17 @@ Patch526: 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch #CVE-2015-5257 rhbz 1265607 1265612 Patch527: USB-whiteheat-fix-potential-null-deref-at-probe.patch +#CVE-2015-2925 rhbz 1209367 1209373 +Patch528: dcache-Handle-escaped-paths-in-prepend_path.patch +Patch529: vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch + +#CVE-2015-7613 rhbz 1268270 1268273 +Patch532: Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch + +#rhbz 1266691 +Patch534: inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch +Patch535: inet-fix-race-in-reqsk_queue_unlink.patch + # END OF PATCH DEFINITIONS %endif @@ -1557,6 +1568,17 @@ ApplyPatch 0001-x86-cpu-cacheinfo-Fix-teardown-path.patch #CVE-2015-5257 rhbz 1265607 1265612 ApplyPatch USB-whiteheat-fix-potential-null-deref-at-probe.patch +#CVE-2015-2925 rhbz 1209367 1209373 +ApplyPatch dcache-Handle-escaped-paths-in-prepend_path.patch +ApplyPatch vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch + +#CVE-2015-7613 rhbz 1268270 1268273 +ApplyPatch Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch + +#rhbz 1266691 +ApplyPatch inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch +ApplyPatch inet-fix-race-in-reqsk_queue_unlink.patch + # END OF PATCH APPLICATIONS %endif 
@@ -2420,6 +2442,19 @@ fi # # %changelog +* Mon Oct 5 2015 Alexandre Oliva <lxoliva@fsfla.org> -libre +- GNU Linux-libre 4.1.10-gnu. + +* Mon Oct 05 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.1.10-200 +- Linxu v4.1.10 +- Add patch to fix soft lockups in network stack (rhbz 1266691) + +* Fri Oct 02 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-7613 Unauthorized access to IPC via SysV shm (rhbz 1268270 1268273) + +* Thu Oct 01 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-2925 Don't allow bind mount escape (rhbz 1209367 1209373) + * Wed Sep 30 2015 Alexandre Oliva <lxoliva@fsfla.org> -libre - GNU Linux-libre 4.1.9-gnu. diff --git a/freed-ora/current/f22/sources b/freed-ora/current/f22/sources index 1bd34d73f..e4548ef40 100644 --- a/freed-ora/current/f22/sources +++ b/freed-ora/current/f22/sources @@ -1,3 +1,3 @@ c50583c12a3477cb002024e8efd435cf linux-libre-4.1-gnu.tar.xz 5b4d0e18c713a479a7b4c1aa53a7432b perf-man-4.1.tar.gz -8e94d47fb46f0fc5962c65dd1ed0e79c patch-4.1.9.xz +599cb082ef44d8fb76ad8fd49d1b50fc patch-4.1.10.xz diff --git a/freed-ora/current/f22/vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch b/freed-ora/current/f22/vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch new file mode 100644 index 000000000..e30296372 --- /dev/null +++ b/freed-ora/current/f22/vfs-Test-for-and-handle-paths-that-are-unreachable-f.patch 
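Review bot: The Patch534/Patch535 block in the @@ -701 hunk carries only `#rhbz 1266691`, while every neighbouring entry (Patch527, Patch528/529, Patch532) also names its CVE, and the %changelog hunk describes the pair as a single patch: `- Add patch to fix soft lockups in network stack (rhbz 1266691)`. The two files' subjects are "fix potential deadlock in reqsk_queue_unlink()" and "fix race in reqsk_queue_unlink()", so a changelog line naming both, e.g. `- Add patches to fix deadlock and race in reqsk_queue_unlink (rhbz 1266691)`, would let a reader map the entry to the spec without opening the patches. The same hunk has a typo, `- Linxu v4.1.10` should read `- Linux v4.1.10`, and the -libre entry's date (`Mon Oct 5 2015`) uses a one-digit day where the entries below it use `Oct 05`. The application order in the @@ -1557 hunk is correct and must be kept: Patch535's context line `if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer))` is the line Patch534 introduces.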
@@ -0,0 +1,121 @@ +From 74038ebc44da6e3f9c918f2525f9111e10c8efc2 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Sat, 15 Aug 2015 20:27:13 -0500 +Subject: [PATCH 2/2] vfs: Test for and handle paths that are unreachable from + their mnt_root + +commit 397d425dc26da728396e66d392d5dcb8dac30c37 upstream. + +In rare cases a directory can be renamed out from under a bind mount. +In those cases without special handling it becomes possible to walk up +the directory tree to the root dentry of the filesystem and down +from the root dentry to every other file or directory on the filesystem. + +Like division by zero .. from an unconnected path can not be given +a useful semantic as there is no predicting at which path component +the code will realize it is unconnected. We certainly can not match +the current behavior as the current behavior is a security hole. + +Therefore when encounting .. when following an unconnected path +return -ENOENT. + +- Add a function path_connected to verify path->dentry is reachable + from path->mnt.mnt_root. AKA to validate that rename did not do + something nasty to the bind mount. + + To avoid races path_connected must be called after following a path + component to it's next path component. + +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +--- + fs/namei.c | 31 ++++++++++++++++++++++++++++--- + 1 file changed, 28 insertions(+), 3 deletions(-) + +diff --git a/fs/namei.c b/fs/namei.c +index fe30d3be43a8..acdab610521b 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -505,6 +505,24 @@ struct nameidata { + char *saved_names[MAX_NESTED_LINKS + 1]; + }; + ++/** ++ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root ++ * @path: nameidate to verify ++ * ++ * Rename can sometimes move a file or directory outside of a bind ++ * mount, path_connected allows those cases to be detected. 
++ */ ++static bool path_connected(const struct path *path) ++{ ++ struct vfsmount *mnt = path->mnt; ++ ++ /* Only bind mounts can have disconnected paths */ ++ if (mnt->mnt_root == mnt->mnt_sb->s_root) ++ return true; ++ ++ return is_subdir(path->dentry, mnt->mnt_root); ++} ++ + /* + * Path walking has 2 modes, rcu-walk and ref-walk (see + * Documentation/filesystems/path-lookup.txt). In situations when we can't +@@ -1194,6 +1212,8 @@ static int follow_dotdot_rcu(struct nameidata *nd) + goto failed; + nd->path.dentry = parent; + nd->seq = seq; ++ if (unlikely(!path_connected(&nd->path))) ++ goto failed; + break; + } + if (!follow_up_rcu(&nd->path)) +@@ -1290,7 +1310,7 @@ static void follow_mount(struct path *path) + } + } + +-static void follow_dotdot(struct nameidata *nd) ++static int follow_dotdot(struct nameidata *nd) + { + if (!nd->root.mnt) + set_root(nd); +@@ -1306,6 +1326,10 @@ static void follow_dotdot(struct nameidata *nd) + /* rare case of legitimate dget_parent()... */ + nd->path.dentry = dget_parent(nd->path.dentry); + dput(old); ++ if (unlikely(!path_connected(&nd->path))) { ++ path_put(&nd->path); ++ return -ENOENT; ++ } + break; + } + if (!follow_up(&nd->path)) +@@ -1313,6 +1337,7 @@ static void follow_dotdot(struct nameidata *nd) + } + follow_mount(&nd->path); + nd->inode = nd->path.dentry->d_inode; ++ return 0; + } + + /* +@@ -1541,7 +1566,7 @@ static inline int handle_dots(struct nameidata *nd, int type) + if (follow_dotdot_rcu(nd)) + return -ECHILD; + } else +- follow_dotdot(nd); ++ return follow_dotdot(nd); + } + return 0; + } +@@ -2290,7 +2315,7 @@ mountpoint_last(struct nameidata *nd, struct path *path) + if (unlikely(nd->last_type != LAST_NORM)) { + error = handle_dots(nd, nd->last_type); + if (error) +- goto out; ++ return error; + dentry = dget(nd->path.dentry); + goto done; + } +-- +2.4.3 + |

