author | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-04-12 07:03:40 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-04-12 07:03:40 -0500 |
commit | 30c5e4f52c5d470cf6dc1584d9f0d3429ca608d6 (patch) | |
tree | 19e4a3218d5a69f6580c3baedcf950ed7ff83a1c | |
parent | b13dddecaf96c23ca81a1bddf442be4ab44e2bea (diff) | |
download | kernel-30c5e4f52c5d470cf6dc1584d9f0d3429ca608d6.tar.gz kernel-30c5e4f52c5d470cf6dc1584d9f0d3429ca608d6.tar.xz kernel-30c5e4f52c5d470cf6dc1584d9f0d3429ca608d6.zip |
Linux v4.10.10
-rw-r--r-- | 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch | 65 | ||||
-rw-r--r-- | kernel.spec | 15 | ||||
-rw-r--r-- | kvm-fix-page-struct-leak-in-handle_vmon.patch | 49 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch | 33 |
5 files changed, 6 insertions, 158 deletions
diff --git a/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch b/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
deleted file mode 100644
index d682dcc42..000000000
--- a/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From cc66afea58f858ff6da7f79b8a595a67bbb4f9a9 Mon Sep 17 00:00:00 2001
-From: Andi Kleen <ak@linux.intel.com>
-Date: Mon, 27 Mar 2017 11:32:59 +0200
-Subject: [PATCH] x86/mce: Don't print MCEs when mcelog is active
-
-Since:
-
- cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
-
-all MCEs are printed even when mcelog is running. Fix the regression to
-not print to dmesg when mcelog is running as it is a consumer too.
-
-Signed-off-by: Andi Kleen <ak@linux.intel.com>
-[ Massage commit message. ]
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Tony Luck <tony.luck@intel.com>
-Cc: linux-edac <linux-edac@vger.kernel.org>
-Cc: stable@vger.kernel.org # 4.10..
-Fixes: cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
-Link: http://lkml.kernel.org/r/20170327093304.10683-2-bp@alien8.de
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
----
- arch/x86/kernel/cpu/mcheck/mce.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
-index 8e9725c..5accfbd 100644
---- a/arch/x86/kernel/cpu/mcheck/mce.c
-+++ b/arch/x86/kernel/cpu/mcheck/mce.c
-@@ -54,6 +54,8 @@
-
- static DEFINE_MUTEX(mce_chrdev_read_mutex);
-
-+static int mce_chrdev_open_count; /* #times opened */
-+
- #define mce_log_get_idx_check(p) \
- ({ \
- RCU_LOCKDEP_WARN(!rcu_read_lock_sched_held() && \
-@@ -598,6 +600,10 @@ static int mce_default_notifier(struct notifier_block *nb, unsigned long val,
- if (atomic_read(&num_notifiers) > 2)
- return NOTIFY_DONE;
-
-+ /* Don't print when mcelog is running */
-+ if (mce_chrdev_open_count > 0)
-+ return NOTIFY_DONE;
-+
- __print_mce(m);
-
- return NOTIFY_DONE;
-@@ -1828,7 +1834,6 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c)
- */
-
- static
DEFINE_SPINLOCK(mce_chrdev_state_lock); --static int mce_chrdev_open_count; /* #times opened */ - static int mce_chrdev_open_exclu; /* already open exclusive? */ - - static int mce_chrdev_open(struct inode *inode, struct file *file) --- -2.9.3 - diff --git a/kernel.spec b/kernel.spec index babc8e9d1..b231b59ff 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -599,18 +599,9 @@ Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch # selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch -#CVE-2017-2596 rhbz 1417812 1417813 -Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch - -#CVE-2017-7261 rhbz 1435719 1435740 -Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch - #CVE-2017-7277 rhbz 1436629 1436661 Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch -# rhbz 1438316 -Patch859: 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch - # CVE-2017-2671 rhbz 1436649 1436663 Patch860: 0001-ping-implement-proper-locking.patch @@ -2197,6 +2188,10 @@ fi # # %changelog +* Wed Apr 12 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.10-200 +- Linux v4.10.10 +- CVE-2017-7616 (rhbz 1441088 1441093) + * Tue Apr 11 2017 Justin M. Forbes <jforbes@fedoraproject.org> - Fix CVE-2017-7618 (rhbz 1441095 1441093) - Fix CVE-2017-7308 (rhbz 1437404 1437406) diff --git a/kvm-fix-page-struct-leak-in-handle_vmon.patch b/kvm-fix-page-struct-leak-in-handle_vmon.patch deleted file mode 100644 index b29bcea03..000000000 --- a/kvm-fix-page-struct-leak-in-handle_vmon.patch +++ /dev/null 
@@ -1,49 +0,0 @@
-From patchwork Tue Jan 24 10:56:21 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: kvm: fix page struct leak in handle_vmon
-From: Paolo Bonzini <pbonzini@redhat.com>
-X-Patchwork-Id: 9534885
-Message-Id: <1485255381-18069-1-git-send-email-pbonzini@redhat.com>
-To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
-Cc: dvyukov@google.com
-Date: Tue, 24 Jan 2017 11:56:21 +0100
-
-handle_vmon gets a reference on VMXON region page,
-but does not release it. Release the reference.
-
-Found by syzkaller; based on a patch by Dmitry.
-
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
----
- arch/x86/kvm/vmx.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 42cc3d6f4d20..0f7345035210 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -7085,13 +7085,18 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
- }
-
- page = nested_get_page(vcpu, vmptr);
-- if (page == NULL ||
-- *(u32 *)kmap(page) != VMCS12_REVISION) {
-+ if (page == NULL) {
- nested_vmx_failInvalid(vcpu);
-+ return kvm_skip_emulated_instruction(vcpu);
-+ }
-+ if (*(u32 *)kmap(page) != VMCS12_REVISION) {
- kunmap(page);
-+ nested_release_page_clean(page);
-+ nested_vmx_failInvalid(vcpu);
- return kvm_skip_emulated_instruction(vcpu);
- }
- kunmap(page);
-+ nested_release_page_clean(page);
- vmx->nested.vmxon_ptr = vmptr;
- break;
- case EXIT_REASON_VMCLEAR:
@@ -1,3 +1,3 @@
 SHA512 (linux-4.10.tar.xz) = c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90
 SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
-SHA512 (patch-4.10.9.xz) = 867cdcf1e6ceee58dec7eb913e119dcaa75255cef1ad2dd9eb0eead6a918a202e3b6656770422d547a7758236a8589c70d49fa4045de867b77a04480f97c242d
+SHA512 (patch-4.10.10.xz) = 264d156d7a3b1f3b3a80a7a9dc9a358b5cd582d8d894c482f3c9eb5af4eca64439720d5b9b141ae57f7845dfab59563497faae8e6fb666aeec86aab6b8df904a
diff --git a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
deleted file mode 100644
index 1ede96c60..000000000
--- a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Vladis Dronov <vdronov@redhat.com>
-Subject: [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl()
-Date: 2017-03-24 15:37:10
-
-In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a
-user-controlled value which is not checked for zero. It is used in
-a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR
-is dereferenced which leads to a GPF and possibly to a kernel panic.
-Add the check for zero to avoid this.
-
-Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719
-Signed-off-by: Vladis Dronov <vdronov@redhat.com>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index b445ce9..42840cc 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
- num_sizes += req->mip_levels[i];
-
-- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
-- DRM_VMW_MAX_MIP_LEVELS)
-+ if (num_sizes <= 0 ||
-+ num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)
- return -EINVAL;
-
- size = vmw_user_surface_size + 128 +
---
-2.9.3 |