authorAlexandre Oliva <lxoliva@fsfla.org>2013-07-10 19:58:05 +0000
committerAlexandre Oliva <lxoliva@fsfla.org>2013-07-10 19:58:05 +0000
commitf3ec898bfe8a5081a617f55247de5f67ea7d559b (patch)
treecd2955df4b848193cb6ef221979476565734517a /freed-ora
parent36883f5b37dc1bf393d0c55b7355919b00b76991 (diff)
downloadlinux-libre-raptor-f3ec898bfe8a5081a617f55247de5f67ea7d559b.tar.gz
linux-libre-raptor-f3ec898bfe8a5081a617f55247de5f67ea7d559b.zip
3.9.9-201.fc18.gnu
Diffstat (limited to 'freed-ora')
-rw-r--r--freed-ora/current/f18/HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch98
-rw-r--r--freed-ora/current/f18/bridge-timer-fix.patch13
-rw-r--r--freed-ora/current/f18/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch52
-rw-r--r--freed-ora/current/f18/kernel.spec31
-rw-r--r--freed-ora/current/f18/vhost-net-fix-use-after-free-in-vhost_net_flush.patch76
5 files changed, 268 insertions, 2 deletions
diff --git a/freed-ora/current/f18/HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch b/freed-ora/current/f18/HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch
new file mode 100644
index 000000000..6913eb520
--- /dev/null
+++ b/freed-ora/current/f18/HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch
@@ -0,0 +1,98 @@
+From 3685c18e17f12438d0a83331c1b6a5b00fade7a1 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Tue, 02 Jul 2013 16:10:09 +0000
+Subject: HID: kye: Add report fixup for Genius Gila Gaming mouse
+
+Genius Gila Gaming Mouse presents an obviously wrong report descriptor.
+the Consumer control (report ID 3) is the following:
+0x05, 0x0c, // Usage Page (Consumer Devices) 105
+0x09, 0x01, // Usage (Consumer Control) 107
+0xa1, 0x01, // Collection (Application) 109
+0x85, 0x03, // Report ID (3) 111
+0x19, 0x00, // Usage Minimum (0) 113
+0x2a, 0xff, 0x7f, // Usage Maximum (32767) 115
+0x15, 0x00, // Logical Minimum (0) 118
+0x26, 0xff, 0x7f, // Logical Maximum (32767) 120
+0x75, 0x10, // Report Size (16) 123
+0x95, 0x03, // Report Count (3) 125
+0x81, 0x00, // Input (Data,Arr,Abs) 127
+0x75, 0x08, // Report Size (8) 129
+0x95, 0x01, // Report Count (1) 131
+0x81, 0x01, // Input (Cnst,Arr,Abs) 133
+0xc0, // End Collection 135
+
+So the first input whithin this report has a count of 3 but a usage range
+of 32768. So this value is obviously wrong as it should not be greater than
+the report count.
+
+Fixes:
+https://bugzilla.redhat.com/show_bug.cgi?id=959721
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 8f616bd..27aa7c7 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1589,6 +1589,7 @@ static const struct hid_device_id hid_have_special_driver[] = {
+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ION, USB_DEVICE_ID_ICADE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KEYTOUCH, USB_DEVICE_ID_KEYTOUCH_IEC) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) },
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 3da75dd..b2b692e 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -474,6 +474,7 @@
+
+ #define USB_VENDOR_ID_KYE 0x0458
+ #define USB_DEVICE_ID_KYE_ERGO_525V 0x0087
++#define USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE 0x0138
+ #define USB_DEVICE_ID_KYE_GPEN_560 0x5003
+ #define USB_DEVICE_ID_KYE_EASYPEN_I405X 0x5010
+ #define USB_DEVICE_ID_KYE_MOUSEPEN_I608X 0x5011
+diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
+index 6af90db..1e2ee2aa 100644
+--- a/drivers/hid/hid-kye.c
++++ b/drivers/hid/hid-kye.c
+@@ -314,6 +314,25 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ *rsize = sizeof(easypen_m610x_rdesc_fixed);
+ }
+ break;
++ case USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE:
++ /*
++ * the fixup that need to be done:
++ * - change Usage Maximum in the Comsumer Control
++ * (report ID 3) to a reasonable value
++ */
++ if (*rsize >= 135 &&
++ /* Usage Page (Consumer Devices) */
++ rdesc[104] == 0x05 && rdesc[105] == 0x0c &&
++ /* Usage (Consumer Control) */
++ rdesc[106] == 0x09 && rdesc[107] == 0x01 &&
++ /* Usage Maximum > 12287 */
++ rdesc[114] == 0x2a && rdesc[116] > 0x2f) {
++ hid_info(hdev,
++ "fixing up Genius Gila Gaming Mouse "
++ "report descriptor\n");
++ rdesc[116] = 0x2f;
++ }
++ break;
+ }
+ return rdesc;
+ }
+@@ -407,6 +426,8 @@ static const struct hid_device_id kye_devices[] = {
+ USB_DEVICE_ID_KYE_MOUSEPEN_I608X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
+ USB_DEVICE_ID_KYE_EASYPEN_M610X) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE,
++ USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) },
+ { }
+ };
+ MODULE_DEVICE_TABLE(hid, kye_devices);
+--
+cgit v0.9.2
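Review bot: The byte offsets in the embedded commit message (105, 107, … 115 for Usage Maximum) are one higher than the indices the new `case USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE` branch of kye_report_fixup tests (`rdesc[104]`, `rdesc[106]`, `rdesc[114]`), and nothing in the code says which numbering is meant; presumably the dump is 1-based, which would also match the `*rsize >= 135` guard. The descriptor comes from the device, so that guard is what keeps the reads and the write to `rdesc[116]` in bounds, and I would say so in the block comment, e.g. `* offsets below are 0-based; *rsize >= 135 matches the full faulty descriptor and bounds every index used`. The low byte `rdesc[115]` is not checked, so the resulting Usage Maximum is 12287 only if that byte is still 0xff. kye_report_fixup starts before this hunk.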
diff --git a/freed-ora/current/f18/bridge-timer-fix.patch b/freed-ora/current/f18/bridge-timer-fix.patch
new file mode 100644
index 000000000..888a6f009
--- /dev/null
+++ b/freed-ora/current/f18/bridge-timer-fix.patch
@@ -0,0 +1,13 @@
+diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
+index d6448e3..aadb596 100644
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -269,7 +269,7 @@ static void br_multicast_del_pg(struct net_bridge *br,
+ del_timer(&p->timer);
+ call_rcu_bh(&p->rcu, br_multicast_free_pg);
+
+- if (!mp->ports && !mp->mglist &&
++ if (!mp->ports && !mp->mglist && mp->timer_armed &&
+ netif_running(br->dev))
+ mod_timer(&mp->timer, jiffies);
+
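Review bot: This patch file carries no From/Subject/Signed-off-by header or upstream commit id, unlike the other three patches added in this commit, so the one-line change to the condition in br_multicast_del_pg cannot be traced to its origin from the file itself; the only reference is `#rhbz 980254` in kernel.spec. I would add a short header naming the source and stating why `mp->timer_armed` must be set before `mod_timer(&mp->timer, jiffies)` is called, presumably to avoid arming a timer that was never set up. The field `timer_armed` is not defined in this hunk (it seems to come from one of the earlier bridge patches listed in the spec), so the patch order in kernel.spec matters. br_multicast_del_pg starts and ends outside the hunk.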
diff --git a/freed-ora/current/f18/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch b/freed-ora/current/f18/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
new file mode 100644
index 000000000..8f6c41d28
--- /dev/null
+++ b/freed-ora/current/f18/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
@@ -0,0 +1,52 @@
+From a963a37d384d71ad43b3e9e79d68d42fbe0901f3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 26 Jun 2013 04:15:07 -0700
+Subject: [PATCH] ipv6: ip6_sk_dst_check() must not assume ipv6 dst
+
+It's possible to use AF_INET6 sockets and to connect to an IPv4
+destination. After this, socket dst cache is a pointer to a rtable,
+not rt6_info.
+
+ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
+various corruptions/crashes can happen.
+
+Dave Jones can reproduce immediate crash with
+trinity -q -l off -n -c sendmsg -c connect
+
+With help from Hannes Frederic Sowa
+
+Reported-by: Dave Jones <davej@redhat.com>
+Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/ip6_output.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 95703ba..d5d20cd 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -821,11 +821,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
+ const struct flowi6 *fl6)
+ {
+ struct ipv6_pinfo *np = inet6_sk(sk);
+- struct rt6_info *rt = (struct rt6_info *)dst;
++ struct rt6_info *rt;
+
+ if (!dst)
+ goto out;
+
++ if (dst->ops->family != AF_INET6) {
++ dst_release(dst);
++ return NULL;
++ }
++
++ rt = (struct rt6_info *)dst;
+ /* Yes, checking route validity in not connected
+ * case is not very simple. Take into account,
+ * that we do not support routing by source, TOS,
+--
+1.8.2.1
+
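Review bot: The new `dst->ops->family != AF_INET6` check in ip6_sk_dst_check has no comment, and the reason for it is not obvious at the call site: per the commit message an AF_INET6 socket connected to an IPv4 destination caches an rtable, so the old unconditional cast to `struct rt6_info *` treated the wrong structure as a route. I would put that above the check, e.g. `/* dst cache may hold an IPv4 rtable (AF_INET6 socket connected to an IPv4 destination); cast to rt6_info only once the family is confirmed */`. The check also relies on `dst->ops` being non-NULL for any cached dst, which the hunk does not show. The function body continues past the end of the hunk.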
diff --git a/freed-ora/current/f18/kernel.spec b/freed-ora/current/f18/kernel.spec
index 62a86b3fc..a9356f64e 100644
--- a/freed-ora/current/f18/kernel.spec
+++ b/freed-ora/current/f18/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 200
+%global baserelease 201
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -845,6 +845,8 @@ Patch25052: HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
#rhbz 880035
Patch25053: bridge-only-expire-the-mdb-entry-when-query-is-received.patch
Patch25054: bridge-send-query-as-soon-as-leave-is-received.patch
+#rhbz 980254
+Patch25061: bridge-timer-fix.patch
#rhbz 977558
Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch
@@ -859,6 +861,15 @@ Patch25058: af_key-fix-info-leaks-in-notify-messages.patch
#CVE-2013-1059 rhbz 977356 980341
Patch25059: ceph-fix.patch
+#CVE-2013-2232 rhbz 981552 981564
+Patch25060: ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
+
+#rhbz 976789 980643
+Patch25062: vhost-net-fix-use-after-free-in-vhost_net_flush.patch
+
+#rhbz 959721
+Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1644,6 +1655,7 @@ ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
#rhbz 880035
ApplyPatch bridge-only-expire-the-mdb-entry-when-query-is-received.patch
ApplyPatch bridge-send-query-as-soon-as-leave-is-received.patch
+ApplyPatch bridge-timer-fix.patch
#rhbz 977558
ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch
@@ -1658,6 +1670,15 @@ ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch
#CVE-2013-1059 rhbz 977356 980341
ApplyPatch ceph-fix.patch
+#CVE-2013-2232 rhbz 981552 981564
+ApplyPatch ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
+
+#rhbz 976789 980643
+ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch
+
+#rhbz 959721
+ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2514,7 +2535,13 @@ fi
# ||----w |
# || ||
%changelog
-* Sun Jul 7 2013 Alexandre Oliva <lxoliva@fsfla.org> -libre
+* Fri Jul 05 2013 Josh Boyer <jwboyer@redhat.com>
+- Add report fixup for Genius Gila mouse from Benjamin Tissoires (rhbz 959721)
+- Add vhost-net use-after-free fix (rhbz 976789 980643)
+- Add fix for timer issue in bridge code (rhbz 980254)
+- CVE-2013-2232 ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg (rhbz 981552 981564)
+
+* Wed Jul 3 2013 Alexandre Oliva <lxoliva@fsfla.org> -libre Sun Jul 7
- GNU Linux-libre 3.9.9-gnu.
* Wed Jul 03 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.9-200
diff --git a/freed-ora/current/f18/vhost-net-fix-use-after-free-in-vhost_net_flush.patch b/freed-ora/current/f18/vhost-net-fix-use-after-free-in-vhost_net_flush.patch
new file mode 100644
index 000000000..f9a6a7b9f
--- /dev/null
+++ b/freed-ora/current/f18/vhost-net-fix-use-after-free-in-vhost_net_flush.patch
@@ -0,0 +1,76 @@
+From 0c9d7f6ea817d5328a09a78e901b16e1836ca4d7 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Tue, 25 Jun 2013 17:29:46 +0300
+Subject: [PATCH] vhost-net: fix use-after-free in vhost_net_flush
+
+vhost_net_ubuf_put_and_wait has a confusing name:
+it will actually also free it's argument.
+Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
+ "vhost-net: flush outstanding DMAs on memory change"
+vhost_net_flush tries to use the argument after passing it
+to vhost_net_ubuf_put_and_wait, this results
+in use after free.
+To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
+add an new API for callers that want to free ubufs.
+
+Acked-by: Asias He <asias@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+---
+ drivers/vhost/net.c | 4 ++--
+ drivers/vhost/vhost.c | 5 +++++
+ drivers/vhost/vhost.h | 1 +
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index dfff647..d8d4f57 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -857,7 +857,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
+ mutex_unlock(&vq->mutex);
+
+ if (oldubufs) {
+- vhost_ubuf_put_and_wait(oldubufs);
++ vhost_ubuf_put_wait_and_free(oldubufs);
+ mutex_lock(&vq->mutex);
+ vhost_zerocopy_signal_used(n, vq);
+ mutex_unlock(&vq->mutex);
+@@ -875,7 +875,7 @@ err_used:
+ rcu_assign_pointer(vq->private_data, oldsock);
+ vhost_net_enable_vq(n, vq);
+ if (ubufs)
+- vhost_ubuf_put_and_wait(ubufs);
++ vhost_ubuf_put_wait_and_free(ubufs);
+ err_ubufs:
+ fput(sock->file);
+ err_vq:
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 9759249..ff53c9e 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1581,5 +1581,10 @@ void vhost_ubuf_put_and_wait(struct vhost_ubuf_ref *ubufs)
+ {
+ kref_put(&ubufs->kref, vhost_zerocopy_done_signal);
+ wait_event(ubufs->wait, !atomic_read(&ubufs->kref.refcount));
++}
++
++void vhost_ubuf_put_wait_and_free(struct vhost_ubuf_ref *ubufs)
++{
++ vhost_ubuf_put_and_wait(ubufs);
+ kfree(ubufs);
+ }
+diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
+index 17261e2..dd63b35 100644
+--- a/drivers/vhost/vhost.h
++++ b/drivers/vhost/vhost.h
+@@ -63,6 +63,7 @@ struct vhost_ubuf_ref {
+ struct vhost_ubuf_ref *vhost_ubuf_alloc(struct vhost_virtqueue *, bool zcopy);
+ void vhost_ubuf_put(struct vhost_ubuf_ref *);
+ void vhost_ubuf_put_and_wait(struct vhost_ubuf_ref *);
++void vhost_ubuf_put_wait_and_free(struct vhost_ubuf_ref *);
+
+ struct ubuf_info;
+
+--
+1.8.2.1
+
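Review bot: vhost_ubuf_put_and_wait in drivers/vhost/vhost.c keeps its name but no longer frees its argument, so any caller not converted by this patch silently changes from freeing to leaking; only the two calls in vhost_net_set_backend are switched to vhost_ubuf_put_wait_and_free here, and other callers are not visible in the diff. Neither function documents ownership, which is the confusion the commit message describes. I would add `/* Drops the reference and waits for it to reach zero; does not free ubufs, the caller still owns it. */` above vhost_ubuf_put_and_wait and `/* As vhost_ubuf_put_and_wait(), then frees ubufs; the pointer must not be used afterwards. */` above the new function, and mirror both at the prototypes in vhost.h. The commit message names `vhost_net_ubuf_put_and_wait` while the code uses `vhost_ubuf_put_and_wait`, presumably because this is a backport to an older naming.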