Diffstat (limited to 'freed-ora/current')
11 files changed, 375 insertions, 476 deletions
diff --git a/freed-ora/current/f23/0001-ipv6-Avoid-creating-RTF_CACHE-from-a-rt-that-is-not-.patch b/freed-ora/current/f23/0001-ipv6-Avoid-creating-RTF_CACHE-from-a-rt-that-is-not-.patch
deleted file mode 100644
index 3390024d2..000000000
--- a/freed-ora/current/f23/0001-ipv6-Avoid-creating-RTF_CACHE-from-a-rt-that-is-not-.patch
+++ /dev/null
@@ -1,91 +0,0 @@ -From 0d3f6d297bfb7af24d0508460fdb3d1ec4903fa3 Mon Sep 17 00:00:00 2001 -From: Martin KaFai Lau <kafai@fb.com> -Date: Wed, 11 Nov 2015 11:51:06 -0800 -Subject: [PATCH] ipv6: Avoid creating RTF_CACHE from a rt that is not managed - by fib6 tree - -The original bug report: -https://bugzilla.redhat.com/show_bug.cgi?id=1272571 - -The setup has a IPv4 GRE tunnel running in a IPSec. The bug -happens when ndisc starts sending router solicitation at the gre -interface. The simplified oops stack is like: - -__lock_acquire+0x1b2/0x1c30 -lock_acquire+0xb9/0x140 -_raw_write_lock_bh+0x3f/0x50 -__ip6_ins_rt+0x2e/0x60 -ip6_ins_rt+0x49/0x50 -~~~~~~~~ -__ip6_rt_update_pmtu.part.54+0x145/0x250 -ip6_rt_update_pmtu+0x2e/0x40 -~~~~~~~~ -ip_tunnel_xmit+0x1f1/0xf40 -__gre_xmit+0x7a/0x90 -ipgre_xmit+0x15a/0x220 -dev_hard_start_xmit+0x2bd/0x480 -__dev_queue_xmit+0x696/0x730 -dev_queue_xmit+0x10/0x20 -neigh_direct_output+0x11/0x20 -ip6_finish_output2+0x21f/0x770 -ip6_finish_output+0xa7/0x1d0 -ip6_output+0x56/0x190 -~~~~~~~~ -ndisc_send_skb+0x1d9/0x400 -ndisc_send_rs+0x88/0xc0 -~~~~~~~~ - -The rt passed to ip6_rt_update_pmtu() is created by -icmp6_dst_alloc() and it is not managed by the fib6 tree, -so its rt6i_table == NULL. When __ip6_rt_update_pmtu() creates -a RTF_CACHE clone, the newly created clone also has rt6i_table == NULL -and it causes the ip6_ins_rt() oops. - -During pmtu update, we only want to create a RTF_CACHE clone -from a rt which is currently managed (or owned) by the -fib6 tree. It means either rt->rt6i_node != NULL or -rt is a RTF_PCPU clone. - -It is worth to note that rt6i_table may not be NULL even it is -not (yet) managed by the fib6 tree (e.g. addrconf_dst_alloc()). -Hence, rt6i_node is a better check instead of rt6i_table. 
- -Fixes: 45e4fd26683c ("ipv6: Only create RTF_CACHE routes after encountering pmtu") -Signed-off-by: Martin KaFai Lau <kafai@fb.com> -Reported-by: Chris Siebenmann <cks-rhbugzilla@cs.toronto.edu> -Cc: Chris Siebenmann <cks-rhbugzilla@cs.toronto.edu> -Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/ipv6/route.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index c8bc9b4..74907c5 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -1322,6 +1322,12 @@ static void rt6_do_update_pmtu(struct rt6_info *rt, u32 mtu) - rt6_update_expires(rt, net->ipv6.sysctl.ip6_rt_mtu_expires); - } - -+static bool rt6_cache_allowed_for_pmtu(const struct rt6_info *rt) -+{ -+ return !(rt->rt6i_flags & RTF_CACHE) && -+ (rt->rt6i_flags & RTF_PCPU || rt->rt6i_node); -+} -+ - static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk, - const struct ipv6hdr *iph, u32 mtu) - { -@@ -1335,7 +1341,7 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk, - if (mtu >= dst_mtu(dst)) - return; - -- if (rt6->rt6i_flags & RTF_CACHE) { -+ if (!rt6_cache_allowed_for_pmtu(rt6)) { - rt6_do_update_pmtu(rt6, mtu); - } else { - const struct in6_addr *daddr, *saddr; --- -2.5.0 - diff --git a/freed-ora/current/f23/Btrfs-fix-truncation-of-compressed-and-inlined-exten.patch b/freed-ora/current/f23/Btrfs-fix-truncation-of-compressed-and-inlined-exten.patch deleted file mode 100644 index 1212966ef..000000000 --- a/freed-ora/current/f23/Btrfs-fix-truncation-of-compressed-and-inlined-exten.patch +++ /dev/null 
@@ -1,288 +0,0 @@ -From 0305cd5f7fca85dae392b9ba85b116896eb7c1c7 Mon Sep 17 00:00:00 2001 -From: Filipe Manana <fdmanana@suse.com> -Date: Fri, 16 Oct 2015 12:34:25 +0100 -Subject: [PATCH] Btrfs: fix truncation of compressed and inlined extents - -When truncating a file to a smaller size which consists of an inline -extent that is compressed, we did not discard (or made unusable) the -data between the new file size and the old file size, wasting metadata -space and allowing for the truncated data to be leaked and the data -corruption/loss mentioned below. -We were also not correctly decrementing the number of bytes used by the -inode, we were setting it to zero, giving a wrong report for callers of -the stat(2) syscall. The fsck tool also reported an error about a mismatch -between the nbytes of the file versus the real space used by the file. - -Now because we weren't discarding the truncated region of the file, it -was possible for a caller of the clone ioctl to actually read the data -that was truncated, allowing for a security breach without requiring root -access to the system, using only standard filesystem operations. The -scenario is the following: - - 1) User A creates a file which consists of an inline and compressed - extent with a size of 2000 bytes - the file is not accessible to - any other users (no read, write or execution permission for anyone - else); - - 2) The user truncates the file to a size of 1000 bytes; - - 3) User A makes the file world readable; - - 4) User B creates a file consisting of an inline extent of 2000 bytes; - - 5) User B issues a clone operation from user A's file into its own - file (using a length argument of 0, clone the whole range); - - 6) User B now gets to see the 1000 bytes that user A truncated from - its file before it made its file world readbale. 
User B also lost - the bytes in the range [1000, 2000[ bytes from its own file, but - that might be ok if his/her intention was reading stale data from - user A that was never supposed to be public. - -Note that this contrasts with the case where we truncate a file from 2000 -bytes to 1000 bytes and then truncate it back from 1000 to 2000 bytes. In -this case reading any byte from the range [1000, 2000[ will return a value -of 0x00, instead of the original data. - -This problem exists since the clone ioctl was added and happens both with -and without my recent data loss and file corruption fixes for the clone -ioctl (patch "Btrfs: fix file corruption and data loss after cloning -inline extents"). - -So fix this by truncating the compressed inline extents as we do for the -non-compressed case, which involves decompressing, if the data isn't already -in the page cache, compressing the truncated version of the extent, writing -the compressed content into the inline extent and then truncate it. - -The following test case for fstests reproduces the problem. In order for -the test to pass both this fix and my previous fix for the clone ioctl -that forbids cloning a smaller inline extent into a larger one, -which is titled "Btrfs: fix file corruption and data loss after cloning -inline extents", are needed. Without that other fix the test fails in a -different way that does not leak the truncated data, instead part of -destination file gets replaced with zeroes (because the destination file -has a larger inline extent than the source). - - seq=`basename $0` - seqres=$RESULT_DIR/$seq - echo "QA output created by $seq" - tmp=/tmp/$$ - status=1 # failure is the default! - trap "_cleanup; exit \$status" 0 1 2 3 15 - - _cleanup() - { - rm -f $tmp.* - } - - # get standard environment, filters and checks - . ./common/rc - . 
./common/filter - - # real QA test starts here - _need_to_be_root - _supported_fs btrfs - _supported_os Linux - _require_scratch - _require_cloner - - rm -f $seqres.full - - _scratch_mkfs >>$seqres.full 2>&1 - _scratch_mount "-o compress" - - # Create our test files. File foo is going to be the source of a clone operation - # and consists of a single inline extent with an uncompressed size of 512 bytes, - # while file bar consists of a single inline extent with an uncompressed size of - # 256 bytes. For our test's purpose, it's important that file bar has an inline - # extent with a size smaller than foo's inline extent. - $XFS_IO_PROG -f -c "pwrite -S 0xa1 0 128" \ - -c "pwrite -S 0x2a 128 384" \ - $SCRATCH_MNT/foo | _filter_xfs_io - $XFS_IO_PROG -f -c "pwrite -S 0xbb 0 256" $SCRATCH_MNT/bar | _filter_xfs_io - - # Now durably persist all metadata and data. We do this to make sure that we get - # on disk an inline extent with a size of 512 bytes for file foo. - sync - - # Now truncate our file foo to a smaller size. Because it consists of a - # compressed and inline extent, btrfs did not shrink the inline extent to the - # new size (if the extent was not compressed, btrfs would shrink it to 128 - # bytes), it only updates the inode's i_size to 128 bytes. - $XFS_IO_PROG -c "truncate 128" $SCRATCH_MNT/foo - - # Now clone foo's inline extent into bar. - # This clone operation should fail with errno EOPNOTSUPP because the source - # file consists only of an inline extent and the file's size is smaller than - # the inline extent of the destination (128 bytes < 256 bytes). However the - # clone ioctl was not prepared to deal with a file that has a size smaller - # than the size of its inline extent (something that happens only for compressed - # inline extents), resulting in copying the full inline extent from the source - # file into the destination file. 
- # - # Note that btrfs' clone operation for inline extents consists of removing the - # inline extent from the destination inode and copy the inline extent from the - # source inode into the destination inode, meaning that if the destination - # inode's inline extent is larger (N bytes) than the source inode's inline - # extent (M bytes), some bytes (N - M bytes) will be lost from the destination - # file. Btrfs could copy the source inline extent's data into the destination's - # inline extent so that we would not lose any data, but that's currently not - # done due to the complexity that would be needed to deal with such cases - # (specially when one or both extents are compressed), returning EOPNOTSUPP, as - # it's normally not a very common case to clone very small files (only case - # where we get inline extents) and copying inline extents does not save any - # space (unlike for normal, non-inlined extents). - $CLONER_PROG -s 0 -d 0 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar - - # Now because the above clone operation used to succeed, and due to foo's inline - # extent not being shinked by the truncate operation, our file bar got the whole - # inline extent copied from foo, making us lose the last 128 bytes from bar - # which got replaced by the bytes in range [128, 256[ from foo before foo was - # truncated - in other words, data loss from bar and being able to read old and - # stale data from foo that should not be possible to read anymore through normal - # filesystem operations. Contrast with the case where we truncate a file from a - # size N to a smaller size M, truncate it back to size N and then read the range - # [M, N[, we should always get the value 0x00 for all the bytes in that range. - - # We expected the clone operation to fail with errno EOPNOTSUPP and therefore - # not modify our file's bar data/metadata. So its content should be 256 bytes - # long with all bytes having the value 0xbb. 
- # - # Without the btrfs bug fix, the clone operation succeeded and resulted in - # leaking truncated data from foo, the bytes that belonged to its range - # [128, 256[, and losing data from bar in that same range. So reading the - # file gave us the following content: - # - # 0000000 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 - # * - # 0000200 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a - # * - # 0000400 - echo "File bar's content after the clone operation:" - od -t x1 $SCRATCH_MNT/bar - - # Also because the foo's inline extent was not shrunk by the truncate - # operation, btrfs' fsck, which is run by the fstests framework everytime a - # test completes, failed reporting the following error: - # - # root 5 inode 257 errors 400, nbytes wrong - - status=0 - exit - -Cc: stable@vger.kernel.org -Signed-off-by: Filipe Manana <fdmanana@suse.com> ---- - fs/btrfs/inode.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 68 insertions(+), 14 deletions(-) - -diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c -index 208db4e835f0..cbb4286490a1 100644 ---- a/fs/btrfs/inode.c -+++ b/fs/btrfs/inode.c -@@ -4217,6 +4217,47 @@ static int truncate_space_check(struct btrfs_trans_handle *trans, - - } - -+static int truncate_inline_extent(struct inode *inode, -+ struct btrfs_path *path, -+ struct btrfs_key *found_key, -+ const u64 item_end, -+ const u64 new_size) -+{ -+ struct extent_buffer *leaf = path->nodes[0]; -+ int slot = path->slots[0]; -+ struct btrfs_file_extent_item *fi; -+ u32 size = (u32)(new_size - found_key->offset); -+ struct btrfs_root *root = BTRFS_I(inode)->root; -+ -+ fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item); -+ -+ if (btrfs_file_extent_compression(leaf, fi) != BTRFS_COMPRESS_NONE) { -+ loff_t offset = new_size; -+ loff_t page_end = ALIGN(offset, PAGE_CACHE_SIZE); -+ -+ /* -+ * Zero out the remaining of the last page of our inline extent, -+ * instead of directly truncating our inline extent here - that -+ * 
would be much more complex (decompressing all the data, then -+ * compressing the truncated data, which might be bigger than -+ * the size of the inline extent, resize the extent, etc). -+ * We release the path because to get the page we might need to -+ * read the extent item from disk (data not in the page cache). -+ */ -+ btrfs_release_path(path); -+ return btrfs_truncate_page(inode, offset, page_end - offset, 0); -+ } -+ -+ btrfs_set_file_extent_ram_bytes(leaf, fi, size); -+ size = btrfs_file_extent_calc_inline_size(size); -+ btrfs_truncate_item(root, path, size, 1); -+ -+ if (test_bit(BTRFS_ROOT_REF_COWS, &root->state)) -+ inode_sub_bytes(inode, item_end + 1 - new_size); -+ -+ return 0; -+} -+ - /* - * this can truncate away extent items, csum items and directory items. - * It starts at a high offset and removes keys until it can't find -@@ -4411,27 +4452,40 @@ search_again: - * special encodings - */ - if (!del_item && -- btrfs_file_extent_compression(leaf, fi) == 0 && - btrfs_file_extent_encryption(leaf, fi) == 0 && - btrfs_file_extent_other_encoding(leaf, fi) == 0) { -- u32 size = new_size - found_key.offset; -- -- if (test_bit(BTRFS_ROOT_REF_COWS, &root->state)) -- inode_sub_bytes(inode, item_end + 1 - -- new_size); - - /* -- * update the ram bytes to properly reflect -- * the new size of our item -+ * Need to release path in order to truncate a -+ * compressed extent. So delete any accumulated -+ * extent items so far. 
- */ -- btrfs_set_file_extent_ram_bytes(leaf, fi, size); -- size = -- btrfs_file_extent_calc_inline_size(size); -- btrfs_truncate_item(root, path, size, 1); -+ if (btrfs_file_extent_compression(leaf, fi) != -+ BTRFS_COMPRESS_NONE && pending_del_nr) { -+ err = btrfs_del_items(trans, root, path, -+ pending_del_slot, -+ pending_del_nr); -+ if (err) { -+ btrfs_abort_transaction(trans, -+ root, -+ err); -+ goto error; -+ } -+ pending_del_nr = 0; -+ } -+ -+ err = truncate_inline_extent(inode, path, -+ &found_key, -+ item_end, -+ new_size); -+ if (err) { -+ btrfs_abort_transaction(trans, -+ root, err); -+ goto error; -+ } - } else if (test_bit(BTRFS_ROOT_REF_COWS, - &root->state)) { -- inode_sub_bytes(inode, item_end + 1 - -- found_key.offset); -+ inode_sub_bytes(inode, item_end + 1 - new_size); - } - } - delete: --- -2.5.0 - diff --git a/freed-ora/current/f23/KEYS-Fix-race-between-read-and-revoke.patch b/freed-ora/current/f23/KEYS-Fix-race-between-read-and-revoke.patch new file mode 100644 index 000000000..df0d9376b --- /dev/null +++ b/freed-ora/current/f23/KEYS-Fix-race-between-read-and-revoke.patch 
@@ -0,0 +1,108 @@
+From f144220f72062ed5359e0211f130670c915a12dd Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Mon, 14 Dec 2015 10:36:31 -0500
+Subject: [PATCH] KEYS: Fix race between read and revoke
+
+There's a race between keyctl_read() and keyctl_revoke(). If the revoke
+happens between keyctl_read() checking the validity of a key and the key's
+semaphore being taken, then the key type read method will see a revoked key.
+
+This causes a problem for the user-defined key type because it assumes in
+its read method that there will always be a payload in a non-revoked key
+and doesn't check for a NULL pointer.
+
+Fix this by making keyctl_read() check the validity of a key after taking
+semaphore instead of before.
+
+This was discovered by a multithreaded test program generated by syzkaller
+(http://github.com/google/syzkaller). Here's a cleaned up version:
+
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <pthread.h>
+ void *thr0(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ keyctl_revoke(key);
+ return 0;
+ }
+ void *thr1(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ char buffer[16];
+ keyctl_read(key, buffer, 16);
+ return 0;
+ }
+ int main()
+ {
+ key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
+ pthread_t th[5];
+ pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
+ pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
+ pthread_join(th[0], 0);
+ pthread_join(th[1], 0);
+ pthread_join(th[2], 0);
+ pthread_join(th[3], 0);
+ return 0;
+ }
+
+Build as:
+
+ cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
+
+Run as:
+
+ while keyctl-race; do :; done
+
+as it may need several iterations to crash the kernel. The crash can be
+summarised as:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+ IP: [<ffffffff81279b08>] user_read+0x56/0xa3
+ ...
+ Call Trace:
+ [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
+ [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
+ [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ security/keys/keyctl.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index fb111eafcb89..1c3872aeed14 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -751,16 +751,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
+
+ /* the key is probably readable - now try to read it */
+ can_read_key:
+- ret = key_validate(key);
+- if (ret == 0) {
+- ret = -EOPNOTSUPP;
+- if (key->type->read) {
+- /* read the data with the semaphore held (since we
+- * might sleep) */
+- down_read(&key->sem);
++ ret = -EOPNOTSUPP;
++ if (key->type->read) {
++ /* Read the data with the semaphore held (since we might sleep)
++ * to protect against the key being updated or revoked.
++ */
++ down_read(&key->sem);
++ ret = key_validate(key);
++ if (ret == 0)
+ ret = key->type->read(key, buffer, buflen);
+- up_read(&key->sem);
+- }
++ up_read(&key->sem);
+ }
+
+ error2:
+--
+2.5.0
+
diff --git a/freed-ora/current/f23/RDS-fix-race-condition-when-sending-a-message-on-unb.patch b/freed-ora/current/f23/RDS-fix-race-condition-when-sending-a-message-on-unb.patch
deleted file mode 100644
index 8a44c84d3..000000000
--- a/freed-ora/current/f23/RDS-fix-race-condition-when-sending-a-message-on-unb.patch
+++ /dev/null
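Review bot: In the new keyctl_read_key() ordering, `ret = -EOPNOTSUPP` is assigned before `key_validate()` runs, so a key type without a `->read` method now reports -EOPNOTSUPP even when the key is revoked or expired, whereas the old order let the `key_validate()` error (e.g. -EKEYREVOKED) win; callers that distinguish the two will see a different errno for that case. Taking the validation under `key->sem` is the right fix for the check-then-read race, so the precedence change is likely acceptable, but the new comment should say that it is deliberate: `/* Validate under the semaphore so a concurrent revoke cannot land between the check and the read; types without ->read report -EOPNOTSUPP before any validity error. */`. keyctl_read_key() begins and ends outside this hunk, so the error2 path that consumes `ret` is not visible here.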
@@ -1,77 +0,0 @@ -From 09dca584f0b6b3bb4fc5f13a388274cd76b69f18 Mon Sep 17 00:00:00 2001 -From: Quentin Casasnovas <quentin.casasnovas@oracle.com> -Date: Fri, 16 Oct 2015 17:11:42 +0200 -Subject: [PATCH] RDS: fix race condition when sending a message on unbound - socket. - -Sasha's found a NULL pointer dereference in the RDS connection code when -sending a message to an apparently unbound socket. The problem is caused -by the code checking if the socket is bound in rds_sendmsg(), which checks -the rs_bound_addr field without taking a lock on the socket. This opens a -race where rs_bound_addr is temporarily set but where the transport is not -in rds_bind(), leading to a NULL pointer dereference when trying to -dereference 'trans' in __rds_conn_create(). - -Vegard wrote a reproducer for this issue, so kindly ask him to share if -you're interested. - -I cannot reproduce the NULL pointer dereference using Vegard's reproducer -with this patch, whereas I could without. - -Complete earlier incomplete fix to CVE-2015-6937: - - 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection") - -Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> -Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com> -Reviewed-by: Sasha Levin <sasha.levin@oracle.com> -Cc: Vegard Nossum <vegard.nossum@oracle.com> -Cc: Sasha Levin <sasha.levin@oracle.com> -Cc: Chien Yen <chien.yen@oracle.com> -Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com> -Cc: David S. 
Miller <davem@davemloft.net> -Cc: stable@vger.kernel.org ---- - net/rds/connection.c | 6 ------ - net/rds/send.c | 4 +++- - 2 files changed, 3 insertions(+), 7 deletions(-) - -diff --git a/net/rds/connection.c b/net/rds/connection.c -index 9d66705f9d41..da6da57e5f36 100644 ---- a/net/rds/connection.c -+++ b/net/rds/connection.c -@@ -187,12 +187,6 @@ new_conn: - } - } - -- if (trans == NULL) { -- kmem_cache_free(rds_conn_slab, conn); -- conn = ERR_PTR(-ENODEV); -- goto out; -- } -- - conn->c_trans = trans; - - ret = trans->conn_alloc(conn, gfp); -diff --git a/net/rds/send.c b/net/rds/send.c -index e9430f537f9c..7b30c0f3180d 100644 ---- a/net/rds/send.c -+++ b/net/rds/send.c -@@ -986,11 +986,13 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len) - release_sock(sk); - } - -- /* racing with another thread binding seems ok here */ -+ lock_sock(sk); - if (daddr == 0 || rs->rs_bound_addr == 0) { -+ release_sock(sk); - ret = -ENOTCONN; /* XXX not a great errno */ - goto out; - } -+ release_sock(sk); - - /* size of rm including all sgs */ - ret = rds_rm_size(msg, payload_len); --- -2.4.3 - diff --git a/freed-ora/current/f23/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch b/freed-ora/current/f23/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch new file mode 100644 index 000000000..16788f756 --- /dev/null +++ b/freed-ora/current/f23/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch 
@@ -0,0 +1,40 @@
+From 14b627c610f93c2700f9a3825ac10c35d51acfe4 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Mon, 7 Dec 2015 13:50:38 -0500
+Subject: [PATCH] ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill
+ dmi list
+
+One of the newest ideapad models also lacks a physical hw rfkill switch,
+and trying to read the hw rfkill switch through the ideapad module
+causes it to always reported blocking breaking wifi.
+
+Fix it by adding this model to the DMI list.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1286293
+Cc: stable@vger.kernel.org
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ drivers/platform/x86/ideapad-laptop.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
+index a313dfc0245f..d28db0e793df 100644
+--- a/drivers/platform/x86/ideapad-laptop.c
++++ b/drivers/platform/x86/ideapad-laptop.c
+@@ -865,6 +865,13 @@ static const struct dmi_system_id no_hw_rfkill_list[] = {
+ },
+ },
+ {
++ .ident = "Lenovo ideapad Y700-17ISK",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-17ISK"),
++ },
++ },
++ {
+ .ident = "Lenovo Yoga 2 11 / 13 / Pro",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+--
+2.5.0
+
diff --git a/freed-ora/current/f23/kernel.spec b/freed-ora/current/f23/kernel.spec
index be3a4a4a9..6be46bd54 100644
--- a/freed-ora/current/f23/kernel.spec
+++ b/freed-ora/current/f23/kernel.spec
@@ -90,7 +90,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 7
+%define stable_update 8
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -656,9 +656,6 @@ Patch513: nv46-Change-mc-subdev-oclass-from-nv44-to-nv4c.patch
 Patch517: vmwgfx-Rework-device-initialization.patch
 Patch518: drm-vmwgfx-Allow-dropped-masters-render-node-like-ac.patch
 
-#CVE-2015-7990 rhbz 1276437 1276438
-Patch524: RDS-fix-race-condition-when-sending-a-message-on-unb.patch
-
 #rhbz 1272172
 Patch540: 0001-KEYS-Fix-crash-when-attempt-to-garbage-collect-an-un.patch
 Patch541: 0002-KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
@@ -681,17 +678,11 @@ Patch556: netfilter-ipset-Fix-extension-alignment.patch
 Patch557: netfilter-ipset-Fix-hash-type-expiration.patch
 Patch558: netfilter-ipset-Fix-hash-type-expire-release-empty-h.patch
 
-#rhbz 1272571
-Patch559: 0001-ipv6-Avoid-creating-RTF_CACHE-from-a-rt-that-is-not-.patch
-
 #rhbz 1278688
 Patch560: 0001-KVM-x86-build-kvm_userspace_memory_region-in-x86_set.patch
 Patch561: 0002-KVM-x86-map-unmap-private-slots-in-__x86_set_memory_.patch
 Patch562: 0003-KVM-x86-fix-previous-commit-for-32-bit.patch
 
-#CVE-2015-8374 rhbz 1286261 1286262
-Patch565: Btrfs-fix-truncation-of-compressed-and-inlined-exten.patch
-
 #rhbz 1284059
 Patch566: KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
 
@@ -704,6 +695,18 @@ Patch568: Input-aiptek-fix-crash-on-detecting-device-without-e.patch
 #rhbz 1287819
 Patch570: HID-multitouch-enable-palm-rejection-if-device-imple.patch
 
+#rhbz 1286293
+Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
+
+#CVE-XXXX-XXXX rhbz 1291329 1291332
+Patch574: ovl-fix-permission-checking-for-setattr.patch
+
+#CVE-2015-7550 rhbz 1291197 1291198
+Patch575: KEYS-Fix-race-between-read-and-revoke.patch
+
+#CVE-2015-8543 rhbz 1290475 1290477
+Patch576: net-add-validation-for-the-socket-syscall-protocol-a.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
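Review bot: The comment above Patch574 in the third hunk, `#CVE-XXXX-XXXX rhbz 1291329 1291332`, leaves a placeholder where the advisory id belongs; these comments are the only index tying a spec patch to a CVE, so anyone later auditing which fixes a build carries will miss this one when grepping for the assigned id. Until the id is known, a self-describing line such as `#CVE pending (overlayfs setattr permission check) rhbz 1291329 1291332` is easier to find and to correct, and the matching %changelog entry should be updated at the same time. The first two hunks drop Patch524 (CVE-2015-7990), Patch559 and Patch565 (CVE-2015-8374) alongside the stable_update bump to 8, which reads as "now carried by the 4.2.8 stable update", but nothing on this page states that; a changelog line naming them as merged upstream would keep the audit trail explicit.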
@@ -2245,10 +2248,29 @@ fi
 #
 #
 %changelog
-* Fri Dec 11 2015 Alexandre Oliva <lxoliva@fsfla.org> -libre
+* Fri Dec 18 2015 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.2.8-gnu.
+
+* Tue Dec 15 2015 Justin Forbes <jforbes@fedoraproject.org> - 4.2.8-300
+- Linux v4.2.8
+
+* Tue Dec 15 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-8543 ipv6: DoS via NULL pointer dereference (rhbz 1290475 1290477)
+
+* Mon Dec 14 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-7550 Race between read and revoke keys (rhbz 1291197 1291198)
+- CVE-XXXX-XXXX permission bypass on overlayfs (rhbz 1291329 1291332)
+
+* Fri Dec 11 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2013-7446 unix sockects use after free (rhbz 1282688 1282712)
+
+* Thu Dec 10 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- Fix rfkill issues on ideapad Y700-17ISK (rhbz 1286293)
+
+* Wed Dec 9 2015 Alexandre Oliva <lxoliva@fsfla.org> -libre Fri Dec 11
 - GNU Linux-libre 4.2.7-gnu.
 
-* Wed Dec 09 2015 <jmforbes@fedoraproject.org> - 4.2.7-300
+* Wed Dec 09 2015 Justin Forbes <jforbes@fedoraproject.org> - 4.2.7-300
 - Linux v4.2.7
 
 * Thu Dec 03 2015 Josh Boyer <jwboyer@fedoraproject.org>
diff --git a/freed-ora/current/f23/net-add-validation-for-the-socket-syscall-protocol-a.patch b/freed-ora/current/f23/net-add-validation-for-the-socket-syscall-protocol-a.patch
new file mode 100644
index 000000000..ce387ea42
--- /dev/null
+++ b/freed-ora/current/f23/net-add-validation-for-the-socket-syscall-protocol-a.patch
@@ -0,0 +1,139 @@
+From 4da7dc22c91ad2c3144cb1d0d96e9611bc86da47 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 14 Dec 2015 22:03:39 +0100
+Subject: [PATCH] net: add validation for the socket syscall protocol argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+郭永刚 reported that one could simply crash the kernel as root by
+using a simple program:
+
+ int socket_fd;
+ struct sockaddr_in addr;
+ addr.sin_port = 0;
+ addr.sin_addr.s_addr = INADDR_ANY;
+ addr.sin_family = 10;
+
+ socket_fd = socket(10,3,0x40000000);
+ connect(socket_fd , &addr,16);
+
+AF_INET, AF_INET6 sockets actually only support 8-bit protocol
+identifiers. inet_sock's skc_protocol field thus is sized accordingly,
+thus larger protocol identifiers simply cut off the higher bits and
+store a zero in the protocol fields.
+
+This could lead to e.g. NULL function pointer because as a result of
+the cut off inet_num is zero and we call down to inet_autobind, which
+is NULL for raw sockets.
+
+kernel: Call Trace:
+kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
+kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
+kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
+kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
+kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
+kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
+kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
+
+I found no particular commit which introduced this problem.
+
+CVE: CVE-2015-8543
+Cc: Cong Wang <cwang@twopensource.com>
+Reported-by: 郭永刚 <guoyonggang@360.cn>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/sock.h | 1 +
+ net/ax25/af_ax25.c | 3 +++
+ net/decnet/af_decnet.c | 3 +++
+ net/ipv4/af_inet.c | 3 +++
+ net/ipv6/af_inet6.c | 3 +++
+ net/irda/af_irda.c | 3 +++
+ 6 files changed, 16 insertions(+)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 52d27ee924f4..2fa1fc00e8cb 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -403,6 +403,7 @@ struct sock {
+ sk_no_check_rx : 1,
+ sk_userlocks : 4,
+ sk_protocol : 8,
++#define SK_PROTOCOL_MAX U8_MAX
+ sk_type : 16;
+ kmemcheck_bitfield_end(flags);
+ int sk_wmem_queued;
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index ae3a47f9d1d5..fbd0acf80b13 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
+ struct sock *sk;
+ ax25_cb *ax25;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index eebf5ac8ce18..13d6b1a6e0fc 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
+ {
+ struct sock *sk;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 11c4ca13ec3b..5c5db6636704 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ sock->state = SS_UNCONNECTED;
+
+ /* Look for the requested type/protocol pair. */
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 8ec0df75f1c4..9f5137cd604e 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ /* Look for the requested type/protocol pair. */
+ lookup_protocol:
+ err = -ESOCKTNOSUPPORT;
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index e6aa48b5395c..923abd6b3064 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
+ struct sock *sk;
+ struct irda_sock *self;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (net != &init_net)
+ return -EAFNOSUPPORT;
+
+--
+2.5.0
+
diff --git a/freed-ora/current/f23/ovl-fix-permission-checking-for-setattr.patch b/freed-ora/current/f23/ovl-fix-permission-checking-for-setattr.patch
new file mode 100644
index 000000000..167ecda99
--- /dev/null
+++ b/freed-ora/current/f23/ovl-fix-permission-checking-for-setattr.patch
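Review bot: The bound is written two different ways in the added checks: ax25_create(), dn_create() and irda_create() reject `protocol > SK_PROTOCOL_MAX` (U8_MAX), while inet_create() and inet6_create() reject `protocol >= IPPROTO_MAX`; both keep the value inside the 8-bit `sk_protocol` field, but a reader has to know IPPROTO_MAX is 256 to see that they agree. A short comment at the new define, `/* widest value the 8-bit sk_protocol bitfield above can hold */`, would tie the two idioms together, which matters because the `#define` sits inside the bitfield declaration list of `struct sock` and is easy to miss if that width is ever changed. Any other address family that copies `protocol` into `sk_protocol` and is not touched here would still truncate; this page does not show whether the five files cover every such family, so that is worth confirming against the tree the patch is applied to.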
@@ -0,0 +1,46 @@
+From acff81ec2c79492b180fade3c2894425cd35a545 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <miklos@szeredi.hu>
+Date: Fri, 4 Dec 2015 19:18:48 +0100
+Subject: [PATCH] ovl: fix permission checking for setattr
+
+[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()
+away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"
+(with the former being always safe and the latter failing in case of
+insufficient permissions) it tries to combine these two. Note that copyup
+itself will have to do ->setattr() anyway; _that_ is where the elevated
+capabilities are right. Having these two ->setattr() (one to set verbatim
+copy of metadata, another to do what overlayfs ->setattr() had been asked
+to do in the first place) combined is where it breaks.
+
+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+ fs/overlayfs/inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
+index ec0c2a050043..961284936917 100644
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)
+ if (err)
+ goto out;
+
+- upperdentry = ovl_dentry_upper(dentry);
+- if (upperdentry) {
++ err = ovl_copy_up(dentry);
++ if (!err) {
++ upperdentry = ovl_dentry_upper(dentry);
++
+ mutex_lock(&upperdentry->d_inode->i_mutex);
+ err = notify_change(upperdentry, attr, NULL);
+ mutex_unlock(&upperdentry->d_inode->i_mutex);
+- } else {
+- err = ovl_copy_up_last(dentry, attr, false);
+ }
+ ovl_drop_write(dentry);
+ out:
+--
+2.5.0
+
diff --git a/freed-ora/current/f23/patch-4.2-gnu-4.2.7-gnu.xz.sign b/freed-ora/current/f23/patch-4.2-gnu-4.2.7-gnu.xz.sign
deleted file mode 100644
index 980201c93..000000000
--- a/freed-ora/current/f23/patch-4.2-gnu-4.2.7-gnu.xz.sign
+++ /dev/null
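Review bot: On the new side of the ovl_setattr() hunk, `upperdentry = ovl_dentry_upper(dentry)` is dereferenced in the `mutex_lock()` call two lines later without a NULL check, where the old code only entered this branch after testing `if (upperdentry)`; the rewrite relies on `ovl_copy_up()` returning 0 only when an upper dentry exists, a contract the hunk does not show. If that guarantee holds, a one-line comment makes it explicit for the next reader: `/* copy-up succeeded, so the upper dentry must exist */`. Dropping the `ovl_copy_up_last()` shortcut so that `notify_change()` on the upper is what enforces the caller's permissions is the substance of the fix and reads correctly. ovl_setattr() starts before the hunk and continues after `out:`, so the remaining error path is not visible here.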
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iEYEABECAAYFAlZo4qYACgkQvLfPh359R6dVsgCdGpyhy2S/eqm2pRRE3OX9UYTg
-9uMAn3yhpP2eBxZyGc9PeXV5YJIVY+tl
-=WDTn
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f23/patch-4.2-gnu-4.2.8-gnu.xz.sign b/freed-ora/current/f23/patch-4.2-gnu-4.2.8-gnu.xz.sign
new file mode 100644
index 000000000..02cdc521c
--- /dev/null
+++ b/freed-ora/current/f23/patch-4.2-gnu-4.2.8-gnu.xz.sign
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iEYEABECAAYFAlZxDsMACgkQvLfPh359R6dVvwCgjh0YvLly2b/IWqU92mdOAhHy
+JtYAoI4hAQ5nltobHygwjxBGf0r7f3zM
+=KEX0
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f23/sources b/freed-ora/current/f23/sources
index 3cafe5248..65159fb74 100644
--- a/freed-ora/current/f23/sources
+++ b/freed-ora/current/f23/sources
@@ -1,3 +1,3 @@
 a3202589b12b27d936631cbe80cbb1cc linux-libre-4.2-gnu.tar.xz
 4c964bfba54d65b5b54cc898baddecad perf-man-4.2.tar.gz
-d6b3e30f609337301e43b677ae2ba433 patch-4.2-gnu-4.2.7-gnu.xz
+4ad6a6f3a6b2b9cc67fd163e3a69cacd patch-4.2-gnu-4.2.8-gnu.xz
|