Diffstat (limited to 'freed-ora')
6 files changed, 183 insertions, 9 deletions
diff --git a/freed-ora/current/f26/0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch b/freed-ora/current/f26/0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
new file mode 100644
index 000000000..061ef5819
--- /dev/null
+++ b/freed-ora/current/f26/0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
@@ -0,0 +1,44 @@
+From 297a6961ffb8ff4dc66c9fbf53b924bd1dda05d5 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Thu, 11 Jan 2018 11:21:51 +0000
+Subject: [PATCH] net: phy: mdio-bcm-unimac: fix potential NULL dereference in
+ unimac_mdio_probe()
+
+platform_get_resource() may fail and return NULL, so we should
+better check it's return value to avoid a NULL pointer dereference
+a bit later in the code.
+
+This is detected by Coccinelle semantic patch.
+
+@@
+expression pdev, res, n, t, e, e1, e2;
+@@
+
+res = platform_get_resource(pdev, t, n);
++ if (!res)
++ return -EINVAL;
+... when != res == NULL
+e = devm_ioremap(e1, res->start, e2);
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/phy/mdio-bcm-unimac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/phy/mdio-bcm-unimac.c b/drivers/net/phy/mdio-bcm-unimac.c
+index 08e0647b85e2..8d370667fa1b 100644
+--- a/drivers/net/phy/mdio-bcm-unimac.c
++++ b/drivers/net/phy/mdio-bcm-unimac.c
+@@ -205,6 +205,8 @@ static int unimac_mdio_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!r)
++ return -EINVAL;
+
+ /* Just ioremap, as this MDIO block is usually integrated into an
+ * Ethernet MAC controller register range
+--
+2.14.3
+
diff --git a/freed-ora/current/f26/0001-x86-MCE-Serialize-sysfs-changes.patch b/freed-ora/current/f26/0001-x86-MCE-Serialize-sysfs-changes.patch
new file mode 100644
index 000000000..84c7b7fd3
--- /dev/null
+++ b/freed-ora/current/f26/0001-x86-MCE-Serialize-sysfs-changes.patch 
@@ -0,0 +1,114 @@
+From b3b7c4795ccab5be71f080774c45bbbcc75c2aaf Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 6 Mar 2018 15:21:43 +0100
+Subject: [PATCH] x86/MCE: Serialize sysfs changes
+
+The check_interval file in
+
+ /sys/devices/system/machinecheck/machinecheck<cpu number>
+
+directory is a global timer value for MCE polling. If it is changed by one
+CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
+the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
+mce_timer variable.
+
+If more than one CPU writes a specific value to the check_interval file
+concurrently, mce_timer is not protected from such concurrent accesses and
+all kinds of explosions happen. Since only root can write to those sysfs
+variables, the issue is not a big deal security-wise.
+
+However, concurrent writes to these configuration variables is void of
+reason so the proper thing to do is to serialize the access with a mutex.
+
+Boris:
+
+ - Make store_int_with_restart() use device_store_ulong() to filter out
+ negative intervals
+ - Limit min interval to 1 second
+ - Correct locking
+ - Massage commit message
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
+index b3323cab9139..466f47301334 100644
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -56,6 +56,9 @@
+
+ static DEFINE_MUTEX(mce_log_mutex);
+
++/* sysfs synchronization */
+static DEFINE_MUTEX(mce_sysfs_mutex);
++
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/mce.h>
+
+@@ -2088,6 +2091,7 @@ static ssize_t set_ignore_ce(struct device *s,
+ if (kstrtou64(buf, 0, &new) < 0)
+ return -EINVAL;
+
++ mutex_lock(&mce_sysfs_mutex);
+ if (mca_cfg.ignore_ce ^ !!new) {
+ if (new) {
+ /* disable ce features */
+@@ -2100,6 +2104,8 @@ static ssize_t set_ignore_ce(struct device *s,
+ on_each_cpu(mce_enable_ce, (void *)1, 1);
+ }
+ }
++ mutex_unlock(&mce_sysfs_mutex);
++
+ return size;
+ }
+
+@@ -2112,6 +2118,7 @@ static ssize_t set_cmci_disabled(struct device *s,
+ if (kstrtou64(buf, 0, &new) < 0)
+ return -EINVAL;
+
++ mutex_lock(&mce_sysfs_mutex);
+ if (mca_cfg.cmci_disabled ^ !!new) {
+ if (new) {
+ /* disable cmci */
+@@ -2123,6 +2130,8 @@ static ssize_t set_cmci_disabled(struct device *s,
+ on_each_cpu(mce_enable_ce, NULL, 1);
+ }
+ }
++ mutex_unlock(&mce_sysfs_mutex);
++
+ return size;
+ }
+
+@@ -2130,8 +2139,19 @@ static ssize_t store_int_with_restart(struct device *s,
+ struct device_attribute *attr,
+ const char *buf, size_t size)
+ {
+- ssize_t ret = device_store_int(s, attr, buf, size);
++ unsigned long old_check_interval = check_interval;
++ ssize_t ret = device_store_ulong(s, attr, buf, size);
++
++ if (check_interval == old_check_interval)
++ return ret;
++
++ if (check_interval < 1)
++ check_interval = 1;
++
++ mutex_lock(&mce_sysfs_mutex);
+ mce_restart();
++ mutex_unlock(&mce_sysfs_mutex);
++
+ return ret;
+ }
+
+--
+2.14.3
+
diff --git a/freed-ora/current/f26/kernel.spec b/freed-ora/current/f26/kernel.spec
index b3cf68b9c..39e2f82a3 100644
--- a/freed-ora/current/f26/kernel.spec
+++ b/freed-ora/current/f26/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 9 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update}
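Review bot: In store_int_with_restart(), the last inner hunk of the added x86/MCE patch, check_interval is still sampled, written and clamped outside mce_sysfs_mutex. device_store_ulong() stores the new value and the `if (check_interval < 1)` clamp runs before `mutex_lock(&mce_sysfs_mutex)`, so two concurrent writers can interleave their compare-and-clamp steps and another CPU can briefly observe an unclamped 0. Taking the mutex before `old_check_interval` is read and releasing it on the single exit path would put the whole read, store, clamp and restart sequence under the lock. The hunk also shows no upper bound on the stored value; whether a very large interval is safe depends on how mce_restart() and the timer code consume it, which is outside this hunk.

```c
/* store_int_with_restart(): signature unchanged, body only */
	unsigned long old_check_interval;
	ssize_t ret;

	mutex_lock(&mce_sysfs_mutex);
	old_check_interval = check_interval;
	ret = device_store_ulong(s, attr, buf, size);

	if (check_interval != old_check_interval) {
		if (check_interval < 1)
			check_interval = 1;
		mce_restart();
	}
	mutex_unlock(&mce_sysfs_mutex);

	return ret;
```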
@@ -684,6 +684,12 @@ Patch657: ipmi-fixes.patch # CVE-2018-7757 rhbz 1553361 1553363 Patch658: 0001-scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_event.patch +# CVE-2018-7995 rhbz 1553911 1553918 +Patch659: 0001-x86-MCE-Serialize-sysfs-changes.patch + +# CVE-2018-8043 rhbz 1554199 1554200 +Patch660: 0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch + # END OF PATCH DEFINITIONS %endif
@@ -2043,10 +2049,20 @@ fi # # %changelog +* Tue Mar 13 2018 Alexandre Oliva <lxoliva@fsfla.org> -libre +- GNU Linux-libre 4.15.9-gnu. + +* Mon Mar 12 2018 Laura Abbott <labbott@redhat.com> - 4.15.9-200 +- Linux v4.15.9 + +* Mon Mar 12 2018 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2018-7995 (rhbz 1553911 1553918) +- Fix CVE-2018-8043 (rhbz 1554199 1554200) + * Fri Mar 9 2018 Alexandre Oliva <lxoliva@fsfla.org> -libre - GNU Linux-libre 4.15.8-gnu. -* Fri Mar 09 2018 Laura Abbott <labbott@redhat.com> - 4.15.8-300 +* Fri Mar 09 2018 Laura Abbott <labbott@redhat.com> - 4.15.8-200 - Linux v4.15.8 * Thu Mar 08 2018 Justin M. Forbes <jforbes@fedoraproject.org>
diff --git a/freed-ora/current/f26/patch-4.15-gnu-4.15.8-gnu.xz.sign b/freed-ora/current/f26/patch-4.15-gnu-4.15.8-gnu.xz.sign
deleted file mode 100644
index 55524180d..000000000
--- a/freed-ora/current/f26/patch-4.15-gnu-4.15.8-gnu.xz.sign
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWqMl5QAKCRC8t8+Hfn1H
-p5KTAJ40Gvbq9xSKuOIjCo3Sdr4x6A2PGwCgqdWec2rTLlkU6H3cMh6GPZgOMQQ=
-=xlzu
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f26/patch-4.15-gnu-4.15.9-gnu.xz.sign b/freed-ora/current/f26/patch-4.15-gnu-4.15.9-gnu.xz.sign
new file mode 100644
index 000000000..5f9ba76fe
--- /dev/null
+++ b/freed-ora/current/f26/patch-4.15-gnu-4.15.9-gnu.xz.sign
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWqWujAAKCRC8t8+Hfn1H
+p12iAJ9Jm+ekfjnw8h5FUlk1Bey9ni20OACgrOZ1QWFlffYD1C7iSeRYnVpQqlQ=
+=nUnX
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f26/sources b/freed-ora/current/f26/sources
index a2f2515d3..b7006188b 100644
--- a/freed-ora/current/f26/sources
+++ b/freed-ora/current/f26/sources
@@ -1,2 +1,2 @@
 SHA512 (linux-libre-4.15-gnu.tar.xz) = a55cc663c6fb1e1cfa7905282b368b5d5888bc2398f0acf37e5bb9a232ded04fd566b1980e654da26aaec005332e458581495184d6bd4cec669181085d4d78a5
-SHA512 (patch-4.15-gnu-4.15.8-gnu.xz) = f718c7c825552921b2546589e3900dc82433a764b7981ebd22ec8eb3178ad3021fbf31b9030dc45681926bf522f4c3ce7c51fe60113cd5c707b42adf3efcaae6
+SHA512 (patch-4.15-gnu-4.15.9-gnu.xz) = 5b2ad5af70d432cf79eb11729ae39ed53e0b5b2a76688c35655c78538c1d0aa3852ad2c3244c2e0a4207d678919d806fa1903efdad6690e9679c9208d973bb73 |