-rw-r--r--freed-ora/current/master/config-generic8
-rw-r--r--freed-ora/current/master/config-nodebug112
-rw-r--r--freed-ora/current/master/config-powerpc642
-rw-r--r--freed-ora/current/master/config-powerpc64p72
-rw-r--r--freed-ora/current/master/config-x86-generic2
-rwxr-xr-xfreed-ora/current/master/deblob-main11
-rw-r--r--freed-ora/current/master/exec-do-not-leave-bprm-interp-on-stack.patch118
-rw-r--r--freed-ora/current/master/exec-use-eloop-for-max-recursion-depth.patch144
-rw-r--r--freed-ora/current/master/kernel.spec33
-rw-r--r--freed-ora/current/master/patch-3.6-gnu-3.7-rc6-gnu.xzbin10531060 -> 0 bytes
-rw-r--r--freed-ora/current/master/patch-3.6-gnu-3.7-rc6-gnu.xz.sign7
-rw-r--r--freed-ora/current/master/patch-3.6-gnu-3.7-rc7-gnu.xz.sign7
-rw-r--r--freed-ora/current/master/patch-3.7-rc6-git4.xzbin45072 -> 0 bytes
-rw-r--r--freed-ora/current/master/sources3
14 files changed, 365 insertions, 84 deletions
diff --git a/freed-ora/current/master/config-generic b/freed-ora/current/master/config-generic
index f079eb084..a60e6094d 100644
--- a/freed-ora/current/master/config-generic
+++ b/freed-ora/current/master/config-generic
@@ -1513,13 +1513,13 @@ CONFIG_B43_SDIO=y
CONFIG_B43_BCMA=y
# CONFIG_B43_BCMA_EXTRA is not set
CONFIG_B43_BCMA_PIO=y
-CONFIG_B43_DEBUG=y
+# CONFIG_B43_DEBUG is not set
CONFIG_B43_PHY_LP=y
CONFIG_B43_PHY_N=y
CONFIG_B43_PHY_HT=y
# CONFIG_B43_FORCE_PIO is not set
CONFIG_B43LEGACY=m
-CONFIG_B43LEGACY_DEBUG=y
+# CONFIG_B43LEGACY_DEBUG is not set
CONFIG_B43LEGACY_DMA=y
CONFIG_B43LEGACY_PIO=y
CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
@@ -3112,7 +3112,7 @@ CONFIG_USB_STORAGE_REALTEK=m
CONFIG_REALTEK_AUTOPM=y
CONFIG_USB_STORAGE_ENE_UB6250=m
# CONFIG_USB_LIBUSUAL is not set
-CONFIG_USB_UAS=m
+# CONFIG_USB_UAS is not set
#
@@ -4078,7 +4078,7 @@ CONFIG_IBMASR=m
CONFIG_PM_DEBUG=y
CONFIG_PM_TRACE=y
CONFIG_PM_TRACE_RTC=y
-CONFIG_PM_TEST_SUSPEND=y
+# CONFIG_PM_TEST_SUSPEND is not set
CONFIG_PM_RUNTIME=y
# CONFIG_PM_OPP is not set
# CONFIG_PM_AUTOSLEEP is not set
diff --git a/freed-ora/current/master/config-nodebug b/freed-ora/current/master/config-nodebug
index b52b784e9..c471b853e 100644
--- a/freed-ora/current/master/config-nodebug
+++ b/freed-ora/current/master/config-nodebug
@@ -2,111 +2,111 @@ CONFIG_SND_VERBOSE_PRINTK=y
CONFIG_SND_DEBUG=y
CONFIG_SND_PCM_XRUN_DEBUG=y
-CONFIG_DEBUG_ATOMIC_SLEEP=y
-
-CONFIG_DEBUG_MUTEXES=y
-CONFIG_DEBUG_RT_MUTEXES=y
-CONFIG_DEBUG_LOCK_ALLOC=y
-CONFIG_PROVE_LOCKING=y
-CONFIG_DEBUG_SPINLOCK=y
-CONFIG_PROVE_RCU=y
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_PROVE_RCU is not set
# CONFIG_PROVE_RCU_REPEATEDLY is not set
-CONFIG_DEBUG_PER_CPU_MAPS=y
+# CONFIG_DEBUG_PER_CPU_MAPS is not set
CONFIG_CPUMASK_OFFSTACK=y
-CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
+# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
-CONFIG_FAULT_INJECTION=y
-CONFIG_FAILSLAB=y
-CONFIG_FAIL_PAGE_ALLOC=y
-CONFIG_FAIL_MAKE_REQUEST=y
-CONFIG_FAULT_INJECTION_DEBUG_FS=y
-CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
-CONFIG_FAIL_IO_TIMEOUT=y
-CONFIG_FAIL_MMC_REQUEST=y
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_FAILSLAB is not set
+# CONFIG_FAIL_PAGE_ALLOC is not set
+# CONFIG_FAIL_MAKE_REQUEST is not set
+# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
+# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
+# CONFIG_FAIL_IO_TIMEOUT is not set
+# CONFIG_FAIL_MMC_REQUEST is not set
-CONFIG_SLUB_DEBUG_ON=y
+# CONFIG_SLUB_DEBUG_ON is not set
-CONFIG_LOCK_STAT=y
+# CONFIG_LOCK_STAT is not set
-CONFIG_DEBUG_STACK_USAGE=y
+# CONFIG_DEBUG_STACK_USAGE is not set
-CONFIG_ACPI_DEBUG=y
+# CONFIG_ACPI_DEBUG is not set
# CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
-CONFIG_DEBUG_SG=y
+# CONFIG_DEBUG_SG is not set
# CONFIG_DEBUG_PAGEALLOC is not set
-CONFIG_DEBUG_WRITECOUNT=y
-CONFIG_DEBUG_OBJECTS=y
+# CONFIG_DEBUG_WRITECOUNT is not set
+# CONFIG_DEBUG_OBJECTS is not set
# CONFIG_DEBUG_OBJECTS_SELFTEST is not set
-CONFIG_DEBUG_OBJECTS_FREE=y
-CONFIG_DEBUG_OBJECTS_TIMERS=y
-CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
+# CONFIG_DEBUG_OBJECTS_FREE is not set
+# CONFIG_DEBUG_OBJECTS_TIMERS is not set
+# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
-CONFIG_X86_PTDUMP=y
+# CONFIG_X86_PTDUMP is not set
-CONFIG_CAN_DEBUG_DEVICES=y
+# CONFIG_CAN_DEBUG_DEVICES is not set
-CONFIG_MODULE_FORCE_UNLOAD=y
+# CONFIG_MODULE_FORCE_UNLOAD is not set
-CONFIG_SYSCTL_SYSCALL_CHECK=y
+# CONFIG_SYSCTL_SYSCALL_CHECK is not set
-CONFIG_DEBUG_NOTIFIERS=y
+# CONFIG_DEBUG_NOTIFIERS is not set
-CONFIG_DMA_API_DEBUG=y
+# CONFIG_DMA_API_DEBUG is not set
-CONFIG_MMIOTRACE=y
+# CONFIG_MMIOTRACE is not set
-CONFIG_DEBUG_CREDENTIALS=y
+# CONFIG_DEBUG_CREDENTIALS is not set
# off in both production debug and nodebug builds,
# on in rawhide nodebug builds
-CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
-CONFIG_EXT4_DEBUG=y
+# CONFIG_EXT4_DEBUG is not set
-CONFIG_DEBUG_PERF_USE_VMALLOC=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
-CONFIG_JBD2_DEBUG=y
+# CONFIG_JBD2_DEBUG is not set
-CONFIG_NFSD_FAULT_INJECTION=y
+# CONFIG_NFSD_FAULT_INJECTION is not set
-CONFIG_DEBUG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
-CONFIG_DRBD_FAULT_INJECTION=y
+# CONFIG_DRBD_FAULT_INJECTION is not set
-CONFIG_ATH_DEBUG=y
-CONFIG_CARL9170_DEBUGFS=y
-CONFIG_IWLWIFI_DEVICE_TRACING=y
+# CONFIG_ATH_DEBUG is not set
+# CONFIG_CARL9170_DEBUGFS is not set
+# CONFIG_IWLWIFI_DEVICE_TRACING is not set
-CONFIG_DEBUG_OBJECTS_WORK=y
+# CONFIG_DEBUG_OBJECTS_WORK is not set
-CONFIG_DMADEVICES_DEBUG=y
-CONFIG_DMADEVICES_VDEBUG=y
+# CONFIG_DMADEVICES_DEBUG is not set
+# CONFIG_DMADEVICES_VDEBUG is not set
CONFIG_PM_ADVANCED_DEBUG=y
-CONFIG_CEPH_LIB_PRETTYDEBUG=y
-CONFIG_QUOTA_DEBUG=y
+# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
+# CONFIG_QUOTA_DEBUG is not set
CONFIG_PCI_DEFAULT_USE_CRS=y
CONFIG_KGDB_KDB=y
CONFIG_KDB_KEYBOARD=y
-CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
-CONFIG_TEST_LIST_SORT=y
+# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
+# CONFIG_TEST_LIST_SORT is not set
-CONFIG_DETECT_HUNG_TASK=y
+# CONFIG_DETECT_HUNG_TASK is not set
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
-CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
+# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
-CONFIG_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
# CONFIG_DEBUG_KMEMLEAK_TEST is not set
CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
diff --git a/freed-ora/current/master/config-powerpc64 b/freed-ora/current/master/config-powerpc64
index f5a4898d4..7c0477cf1 100644
--- a/freed-ora/current/master/config-powerpc64
+++ b/freed-ora/current/master/config-powerpc64
@@ -164,6 +164,8 @@ CONFIG_PPC_ICSWX=y
CONFIG_IO_EVENT_IRQ=y
CONFIG_HW_RANDOM_AMD=m
+CONFIG_UIO_PDRV=m
+
CONFIG_HW_RANDOM_PSERIES=m
CONFIG_CRYPTO_DEV_NX=y
CONFIG_CRYPTO_842=m
diff --git a/freed-ora/current/master/config-powerpc64p7 b/freed-ora/current/master/config-powerpc64p7
index 38ae0683c..9a8289588 100644
--- a/freed-ora/current/master/config-powerpc64p7
+++ b/freed-ora/current/master/config-powerpc64p7
@@ -155,6 +155,8 @@ CONFIG_PPC_ICSWX=y
CONFIG_IO_EVENT_IRQ=y
CONFIG_HW_RANDOM_AMD=m
+CONFIG_UIO_PDRV=m
+
CONFIG_HW_RANDOM_PSERIES=m
CONFIG_CRYPTO_DEV_NX=y
CONFIG_CRYPTO_842=m
diff --git a/freed-ora/current/master/config-x86-generic b/freed-ora/current/master/config-x86-generic
index 1716194e5..2bcd498eb 100644
--- a/freed-ora/current/master/config-x86-generic
+++ b/freed-ora/current/master/config-x86-generic
@@ -320,7 +320,7 @@ CONFIG_STRICT_DEVMEM=y
# CONFIG_MEMTEST is not set
# CONFIG_DEBUG_TLBFLUSH is not set
-CONFIG_MAXSMP=y
+# CONFIG_MAXSMP is not set
CONFIG_HP_ILO=m
diff --git a/freed-ora/current/master/deblob-main b/freed-ora/current/master/deblob-main
index 63d0c9325..3a85cdc96 100755
--- a/freed-ora/current/master/deblob-main
+++ b/freed-ora/current/master/deblob-main
@@ -271,35 +271,35 @@ xdelta3 -e -9 -S djw -s linux-$kver.tar linux-libre-$kver-$gnu.tar linux-libre-$
echo Creating xdelta between linux-$kver.tar and linux-libre-$kver-$gnu.tar
xdelta delta -0 linux-$kver.tar linux-libre-$kver-$gnu.tar linux-libre-$kver-$gnu.xdelta || : # xdelta returns nonzero on success
+cleanup="linux-libre-$kver-$gnu.tar linux-libre-$kver-$gnu.vcdiff linux-libre-$kver-$gnu.xdelta"
+
echo Compressing binary deltas and linux-libre-$kver-$gnu.tar
rm -f linux-$kver.tar
if test -f linux-libre-$kver-$gnu.vcdiff; then
bzip2 -k9 linux-libre-$kver-$gnu.vcdiff
xz -k9 linux-libre-$kver-$gnu.vcdiff || :
lzip -k9 linux-libre-$kver-$gnu.vcdiff || :
- rm -f linux-libre-$kver-$gnu.vcdiff
fi
if test -f linux-libre-$kver-$gnu.xdelta; then
bzip2 -k9 linux-libre-$kver-$gnu.xdelta
xz -k9 linux-libre-$kver-$gnu.xdelta || :
lzip -k9 linux-libre-$kver-$gnu.xdelta || :
- rm -f linux-libre-$kver-$gnu.xdelta
fi
bzip2 -k9 linux-libre-$kver-$gnu.tar
xz -k9 linux-libre-$kver-$gnu.tar || :
lzip -k9 linux-libre-$kver-$gnu.tar || :
-cleanup=linux-libre-$kver-$gnu.tar
-
echo Done except for signing, feel free to interrupt
for f in \
linux-libre-$kver-$gnu.tar \
linux-libre-$kver-$gnu.tar.bz2 \
linux-libre-$kver-$gnu.tar.xz \
linux-libre-$kver-$gnu.tar.lz \
+ linux-libre-$kver-$gnu.vcdiff \
linux-libre-$kver-$gnu.vcdiff.bz2 \
linux-libre-$kver-$gnu.vcdiff.xz \
linux-libre-$kver-$gnu.vcdiff.lz \
+ linux-libre-$kver-$gnu.xdelta \
linux-libre-$kver-$gnu.xdelta.bz2 \
linux-libre-$kver-$gnu.xdelta.xz \
linux-libre-$kver-$gnu.xdelta.lz \
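Review bot: `cleanup` now carries three file names in a single string, and the hunk at -310 consumes it as `rm -f $cleanup`, so the removal only works through unquoted word splitting of names built from `$kver` and `$gnu`. Nothing at the assignment says that this is deliberate, and a later "fix" that quotes the expansion would silently leave all three files behind. I would add a comment above the assignment such as `# space-separated list of intermediates; expanded unquoted on purpose`. Where `$kver` and `$gnu` are set and checked is outside these hunks, so whether they can ever contain whitespace or glob characters cannot be judged from here and should be confirmed.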
@@ -310,8 +310,7 @@ for f in \
fi
done
-rm -f linux-libre-$kver-$gnu.tar
-
+rm -f $cleanup
cleanup=
trap 'status=$?; (exit $status); exit' 0 1 2 15
diff --git a/freed-ora/current/master/exec-do-not-leave-bprm-interp-on-stack.patch b/freed-ora/current/master/exec-do-not-leave-bprm-interp-on-stack.patch
new file mode 100644
index 000000000..5198824ed
--- /dev/null
+++ b/freed-ora/current/master/exec-do-not-leave-bprm-interp-on-stack.patch
@@ -0,0 +1,118 @@
+From 6752ab4cb863fc63ed85f1ca78a42235c09fad83 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 26 Nov 2012 09:07:50 -0500
+Subject: [PATCH 1/2] exec: do not leave bprm->interp on stack
+
+If a series of scripts are executed, each triggering module loading via
+unprintable bytes in the script header, kernel stack contents can leak
+into the command line.
+
+Normally execution of binfmt_script and binfmt_misc happens recursively.
+However, when modules are enabled, and unprintable bytes exist in the
+bprm->buf, execution will restart after attempting to load matching binfmt
+modules. Unfortunately, the logic in binfmt_script and binfmt_misc does
+not expect to get restarted. They leave bprm->interp pointing to their
+local stack. This means on restart bprm->interp is left pointing into
+unused stack memory which can then be copied into the userspace argv
+areas.
+
+After additional study, it seems that both recursion and restart remains
+the desirable way to handle exec with scripts, misc, and modules. As
+such, we need to protect the changes to interp.
+
+This changes the logic to require allocation for any changes to the
+bprm->interp. To avoid adding a new kmalloc to every exec, the default
+value is left as-is. Only when passing through binfmt_script or
+binfmt_misc does an allocation take place.
+
+For a proof of concept, see DoTest.sh from:
+http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: halfdog <me@halfdog.net>
+Cc: P J P <ppandit@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+ fs/binfmt_misc.c | 5 ++++-
+ fs/binfmt_script.c | 4 +++-
+ fs/exec.c | 15 +++++++++++++++
+ include/linux/binfmts.h | 1 +
+ 4 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
+index 790b3cd..772428d 100644
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -176,7 +176,10 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ goto _error;
+ bprm->argc ++;
+
+- bprm->interp = iname; /* for binfmt_script */
++ /* Update interp in case binfmt_script needs it. */
++ retval = bprm_change_interp(iname, bprm);
++ if (retval < 0)
++ goto _error;
+
+ interp_file = open_exec (iname);
+ retval = PTR_ERR (interp_file);
+diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
+index d3b8c1f..df49d48 100644
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -82,7 +82,9 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)
+ retval = copy_strings_kernel(1, &i_name, bprm);
+ if (retval) return retval;
+ bprm->argc++;
+- bprm->interp = interp;
++ retval = bprm_change_interp(interp, bprm);
++ if (retval < 0)
++ return retval;
+
+ /*
+ * OK, now restart the process with the interpreter's dentry.
+diff --git a/fs/exec.c b/fs/exec.c
+index 0039055..c6e6de4 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1175,9 +1175,24 @@ void free_bprm(struct linux_binprm *bprm)
+ mutex_unlock(&current->signal->cred_guard_mutex);
+ abort_creds(bprm->cred);
+ }
++ /* If a binfmt changed the interp, free it. */
++ if (bprm->interp != bprm->filename)
++ kfree(bprm->interp);
+ kfree(bprm);
+ }
+
++int bprm_change_interp(char *interp, struct linux_binprm *bprm)
++{
++ /* If a binfmt changed the interp, free it first. */
++ if (bprm->interp != bprm->filename)
++ kfree(bprm->interp);
++ bprm->interp = kstrdup(interp, GFP_KERNEL);
++ if (!bprm->interp)
++ return -ENOMEM;
++ return 0;
++}
++EXPORT_SYMBOL(bprm_change_interp);
++
+ /*
+ * install the new credentials for this executable
+ */
+diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
+index cfcc6bf..de0628e 100644
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -114,6 +114,7 @@ extern int setup_arg_pages(struct linux_binprm * bprm,
+ unsigned long stack_top,
+ int executable_stack);
+ extern int bprm_mm_init(struct linux_binprm *bprm);
++extern int bprm_change_interp(char *interp, struct linux_binprm *bprm);
+ extern int copy_strings_kernel(int argc, const char *const *argv,
+ struct linux_binprm *bprm);
+ extern int prepare_bprm_creds(struct linux_binprm *bprm);
+--
+1.8.0
+
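Review bot: `bprm_change_interp()` in the fs/exec.c part of this added patch is exported without a comment stating its ownership contract, and both it and `free_bprm()` decide whether to `kfree()` by testing `bprm->interp != bprm->filename`. That test is only safe if `interp` starts out equal to `filename` before any binfmt handler runs, which the patch does not show. A kernel-doc comment should state that invariant and say that the function copies `interp`, frees any earlier copy, and on allocation failure returns `-ENOMEM` with `bprm->interp` left NULL. Because the old value is freed before the copy is made, the comment should also forbid passing the current `bprm->interp` as the source; the two callers here pass `iname` and `interp`, which the commit message describes as local stack buffers. The argument is only read, so the prototype could be `int bprm_change_interp(const char *interp, struct linux_binprm *bprm);` in both fs/exec.c and include/linux/binfmts.h.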
diff --git a/freed-ora/current/master/exec-use-eloop-for-max-recursion-depth.patch b/freed-ora/current/master/exec-use-eloop-for-max-recursion-depth.patch
new file mode 100644
index 000000000..a3c48884f
--- /dev/null
+++ b/freed-ora/current/master/exec-use-eloop-for-max-recursion-depth.patch
@@ -0,0 +1,144 @@
+From ba1b23d05259e31d30a78017cdfbc010dcb08aa6 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 26 Nov 2012 09:02:11 -0500
+Subject: [PATCH 2/2] exec: use -ELOOP for max recursion depth
+
+To avoid an explosion of request_module calls on a chain of abusive
+scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
+as maximum recursion depth is hit, the error will fail all the way back
+up the chain, aborting immediately.
+
+This also has the side-effect of stopping the user's shell from attempting
+to reexecute the top-level file as a shell script. As seen in the
+dash source:
+
+ if (cmd != path_bshell && errno == ENOEXEC) {
+ *argv-- = cmd;
+ *argv = cmd = path_bshell;
+ goto repeat;
+ }
+
+The above logic was designed for running scripts automatically that lacked
+the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
+things continue to behave as the shell expects.
+
+Additionally, when tracking recursion, the binfmt handlers should not be
+involved. The recursion being tracked is the depth of calls through
+search_binary_handler(), so that function should be exclusively responsible
+for tracking the depth.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: halfdog <me@halfdog.net>
+Cc: P J P <ppandit@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+ fs/binfmt_em86.c | 1 -
+ fs/binfmt_misc.c | 6 ------
+ fs/binfmt_script.c | 4 +---
+ fs/exec.c | 10 +++++-----
+ include/linux/binfmts.h | 2 --
+ 5 files changed, 6 insertions(+), 17 deletions(-)
+
+diff --git a/fs/binfmt_em86.c b/fs/binfmt_em86.c
+index 2790c7e..575796a 100644
+--- a/fs/binfmt_em86.c
++++ b/fs/binfmt_em86.c
+@@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm *bprm,struct pt_regs *regs)
+ return -ENOEXEC;
+ }
+
+- bprm->recursion_depth++; /* Well, the bang-shell is implicit... */
+ allow_write_access(bprm->file);
+ fput(bprm->file);
+ bprm->file = NULL;
+diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
+index 772428d..f0f1a06 100644
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -117,10 +117,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ if (!enabled)
+ goto _ret;
+
+- retval = -ENOEXEC;
+- if (bprm->recursion_depth > BINPRM_MAX_RECURSION)
+- goto _ret;
+-
+ /* to keep locking time low, we copy the interpreter string */
+ read_lock(&entries_lock);
+ fmt = check_file(bprm);
+@@ -200,8 +196,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ if (retval < 0)
+ goto _error;
+
+- bprm->recursion_depth++;
+-
+ retval = search_binary_handler (bprm, regs);
+ if (retval < 0)
+ goto _error;
+diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
+index df49d48..8ae4be1 100644
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -22,15 +22,13 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)
+ char interp[BINPRM_BUF_SIZE];
+ int retval;
+
+- if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
+- (bprm->recursion_depth > BINPRM_MAX_RECURSION))
++ if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
+ return -ENOEXEC;
+ /*
+ * This section does the #! interpretation.
+ * Sorta complicated, but hopefully it will work. -TYT
+ */
+
+- bprm->recursion_depth++;
+ allow_write_access(bprm->file);
+ fput(bprm->file);
+ bprm->file = NULL;
+diff --git a/fs/exec.c b/fs/exec.c
+index c6e6de4..85c1f9e 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1371,6 +1371,10 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+ struct linux_binfmt *fmt;
+ pid_t old_pid, old_vpid;
+
++ /* This allows 4 levels of binfmt rewrites before failing hard. */
++ if (depth > 5)
++ return -ELOOP;
++
+ retval = security_bprm_check(bprm);
+ if (retval)
+ return retval;
+@@ -1395,12 +1399,8 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+ if (!try_module_get(fmt->module))
+ continue;
+ read_unlock(&binfmt_lock);
++ bprm->recursion_depth = depth + 1;
+ retval = fn(bprm, regs);
+- /*
+- * Restore the depth counter to its starting value
+- * in this call, so we don't have to rely on every
+- * load_binary function to restore it on return.
+- */
+ bprm->recursion_depth = depth;
+ if (retval >= 0) {
+ if (depth == 0) {
+diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
+index de0628e..54135f6 100644
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -54,8 +54,6 @@ struct linux_binprm {
+ #define BINPRM_FLAGS_EXECFD_BIT 1
+ #define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)
+
+-#define BINPRM_MAX_RECURSION 4
+-
+ /* Function parameter for binfmt->coredump */
+ struct coredump_params {
+ siginfo_t *siginfo;
+--
+1.8.0
+
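Review bot: The new limit in `search_binary_handler()` is a bare `if (depth > 5)` under a comment that speaks of 4 levels, while the same patch deletes `BINPRM_MAX_RECURSION` from include/linux/binfmts.h, so the reader has to work out how 5 relates to 4. Keeping the constant and writing the check as `if (depth > BINPRM_MAX_RECURSION + 1)` would preserve the behaviour and keep the bound in one named place. The comment could then say what `depth` counts; its declaration is outside the hunk, presumably initialised from `bprm->recursion_depth`. The second fs/exec.c hunk also removes the comment explaining why `bprm->recursion_depth = depth;` is restored after `fn()`. Since the handlers no longer touch the counter, a replacement such as `/* depth is owned here; restore it for the next handler tried */` would keep the reason visible.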
diff --git a/freed-ora/current/master/kernel.spec b/freed-ora/current/master/kernel.spec
index b5b246654..0eecd0d90 100644
--- a/freed-ora/current/master/kernel.spec
+++ b/freed-ora/current/master/kernel.spec
@@ -131,9 +131,9 @@ Summary: The Linux kernel
# The next upstream release sublevel (base_sublevel+1)
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
# The rc snapshot level
-%define rcrev 6
+%define rcrev 7
# The git snapshot level
-%define gitrev 4
+%define gitrev 0
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@@ -203,7 +203,7 @@ Summary: The Linux kernel
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
# and 0 for rawhide (all kernels are debug kernels).
# See also 'make debug' and 'make release'.
-%define debugbuildsenabled 0
+%define debugbuildsenabled 1
# Want to build a vanilla kernel build without any non-upstream patches?
%define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
@@ -216,7 +216,7 @@ Summary: The Linux kernel
%define doc_build_fail true
%endif
-%define rawhide_skip_docs 1
+%define rawhide_skip_docs 0
%if 0%{?rawhide_skip_docs}
%define with_doc 0
%define doc_build_fail true
@@ -589,9 +589,6 @@ BuildRequires: sparse >= 0.4.1
%if %{with_perf}
BuildRequires: elfutils-devel zlib-devel binutils-devel newt-devel python-devel perl(ExtUtils::Embed) bison
BuildRequires: audit-libs-devel
-%ifnarch s390 s390x
-BuildRequires: libunwind-devel
-%endif
%endif
%if %{with_tools}
BuildRequires: pciutils-devel gettext
@@ -831,6 +828,10 @@ Patch22125: Bluetooth-Add-support-for-BCM20702A0.patch
#rhbz 859485
Patch21226: vt-Drop-K_OFF-for-VC_MUTE.patch
+#rhbz CVE-2012-4530 868285 880147
+Patch21228: exec-do-not-leave-bprm-interp-on-stack.patch
+Patch21229: exec-use-eloop-for-max-recursion-depth.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1607,6 +1608,10 @@ ApplyPatch Bluetooth-Add-support-for-BCM20702A0.patch
#rhbz 859485
ApplyPatch vt-Drop-K_OFF-for-VC_MUTE.patch
+#rhbz CVE-2012-4530 868285 880147
+ApplyPatch exec-do-not-leave-bprm-interp-on-stack.patch
+ApplyPatch exec-use-eloop-for-max-recursion-depth.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -1981,7 +1986,7 @@ BuildKernel %make_target %kernel_image smp
%endif
%global perf_make \
- make %{?_smp_mflags} -C tools/perf -s V=1 WERROR=0 HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix}
+ make %{?_smp_mflags} -C tools/perf -s V=1 WERROR=0 NO_LIBUNWIND=1 HAVE_CPLUS_DEMANGLE=1 prefix=%{_prefix}
%if %{with_perf}
# perf
%{perf_make} all
@@ -2485,6 +2490,18 @@ fi
# ||----w |
# || ||
%changelog
+* Tue Nov 27 2012 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 3.7-rc7-gnu
+
+* Mon Nov 26 2012 Josh Boyer <jwboyer@redhat.com> - 3.7.0-0.rc7.git0.1
+- Linux v3.7-rc7
+- Disable debugging options.
+
+* Mon Nov 26 2012 Josh Boyer <jwboyer@redhat.com>
+- Enable CONFIG_UIO_PDRV on ppc64 (rhbz 878180)
+- Disable perf libunwind support. Revisit in 3.8 when elf-utils has unwind
+- CVE-2012-4530: stack disclosure binfmt_script load_script (rhbz 868285 880147)
+
* Mon Nov 26 2012 Alexandre Oliva <lxoliva@fsfla.org> -libre
- GNU Linux-libre 3.7-rc6-gnu
diff --git a/freed-ora/current/master/patch-3.6-gnu-3.7-rc6-gnu.xz b/freed-ora/current/master/patch-3.6-gnu-3.7-rc6-gnu.xz
deleted file mode 100644
index 27f4cf327..000000000
--- a/freed-ora/current/master/patch-3.6-gnu-3.7-rc6-gnu.xz
+++ /dev/null
Binary files differ
diff --git a/freed-ora/current/master/patch-3.6-gnu-3.7-rc6-gnu.xz.sign b/freed-ora/current/master/patch-3.6-gnu-3.7-rc6-gnu.xz.sign
deleted file mode 100644
index 45cd2674f..000000000
--- a/freed-ora/current/master/patch-3.6-gnu-3.7-rc6-gnu.xz.sign
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.18 (GNU/Linux)
-
-iEYEABECAAYFAlC0MEYACgkQvLfPh359R6eNWQCdEbRTm1uJmC/tdArNsTvP0jYd
-AywAn1kq2CKdeInSI29DhKyZJZpmMwDb
-=tm7j
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/master/patch-3.6-gnu-3.7-rc7-gnu.xz.sign b/freed-ora/current/master/patch-3.6-gnu-3.7-rc7-gnu.xz.sign
new file mode 100644
index 000000000..bb11b8116
--- /dev/null
+++ b/freed-ora/current/master/patch-3.6-gnu-3.7-rc7-gnu.xz.sign
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.18 (GNU/Linux)
+
+iEYEABECAAYFAlC03qUACgkQvLfPh359R6dlegCggsc1jTyiGfPL8l7z899NX5yK
+IlAAnRjUWvndPOLFx0FnOvB/23DeOMct
+=eFWA
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/master/patch-3.7-rc6-git4.xz b/freed-ora/current/master/patch-3.7-rc6-git4.xz
deleted file mode 100644
index 9dc1fa1b0..000000000
--- a/freed-ora/current/master/patch-3.7-rc6-git4.xz
+++ /dev/null
Binary files differ
diff --git a/freed-ora/current/master/sources b/freed-ora/current/master/sources
index 14616a6d9..57156594e 100644
--- a/freed-ora/current/master/sources
+++ b/freed-ora/current/master/sources
@@ -1,3 +1,2 @@
a2312edd0265b5b07bd4b50afae2b380 linux-libre-3.6-gnu.tar.xz
-2a1ca1954292cc048d54643ecbce84f4 patch-3.6-gnu-3.7-rc6-gnu.xz
-3c55ad6c91d5461e0778867c1c2e4b84 patch-3.7-rc6-git4.xz
+6fe955e3dca54068c6aee5cf3a9b5e76 patch-3.6-gnu-3.7-rc7-gnu.xz