author | Thorsten Leemhuis <fedora@leemhuis.info> | 2018-01-17 10:33:02 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2018-01-17 10:33:02 +0100 |
commit | d2596a9f90769fab95cb4e9670b3b57c832af7d9 (patch) | |
tree | 74fef0d549358d7cd7f97a058d2b7f27bf165712 | |
parent | 73bc821b586c900691803325660fb31e3a92dacc (diff) | |
parent | d667ebc96e1833ef478b7769028a9a2074efbd7a (diff) | |
download | kernel-d2596a9f90769fab95cb4e9670b3b57c832af7d9.tar.gz kernel-d2596a9f90769fab95cb4e9670b3b57c832af7d9.tar.xz kernel-d2596a9f90769fab95cb4e9670b3b57c832af7d9.zip |
Merge remote-tracking branch 'origin/f26' into f26-user-thl-vanilla-fedora
-rw-r--r-- | 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch | 6 | ||||
-rw-r--r-- | 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch | 117 | ||||
-rw-r--r-- | 0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch | 6 | ||||
-rw-r--r-- | RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch | 33 | ||||
-rw-r--r-- | RDS-null-pointer-dereference-in-rds_atomic_free_op.patch | 31 | ||||
-rw-r--r-- | kernel.spec | 16 | ||||
-rw-r--r-- | loop-fix-concurrent-lo_open-lo_release.patch | 55 |
7 files changed, 198 insertions, 66 deletions
diff --git a/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch b/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch index 27d8c5c3d..6e8a2e039 100644 --- a/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch +++ b/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch @@ -1,4 +1,4 @@ -From 493bdbfeefb1a4174aab92ee15eb55234e0f45e8 Mon Sep 17 00:00:00 2001 +From 3ce5852ec6add45a28fe1706e9163351940e905c Mon Sep 17 00:00:00 2001 From: Peter Jones <pjones@redhat.com> Date: Mon, 2 Oct 2017 18:25:29 -0400 Subject: [PATCH 1/3] Make get_cert_list() not complain about cert lists that @@ -10,7 +10,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com> 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/certs/load_uefi.c b/certs/load_uefi.c -index 3d88459..9ef34c4 100644 +index 3d884598601..9ef34c44fd1 100644 --- a/certs/load_uefi.c +++ b/certs/load_uefi.c @@ -35,8 +35,8 @@ static __init bool uefi_check_ignore_db(void) @@ -105,5 +105,5 @@ index 3d88459..9ef34c4 100644 dbx, dbxsize, get_handler_for_dbx); -- -2.13.6 +2.15.0 diff --git a/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch b/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch index af09e77e0..0844550b6 100644 --- a/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch +++ b/0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch @@ -1,4 +1,4 @@ -From a51d670818754ba7e3c289e14b09cf54e0435162 Mon Sep 17 00:00:00 2001 +From c8218e9b3c38fcd36a2d06eec09952a0c6cee9e0 Mon Sep 17 00:00:00 2001 From: Peter Jones <pjones@redhat.com> Date: Mon, 2 Oct 2017 18:22:13 -0400 Subject: [PATCH 2/3] Add efi_status_to_str() and rework efi_status_to_err(). @@ -9,12 +9,33 @@ list of errors. 
Signed-off-by: Peter Jones <pjones@redhat.com> --- - drivers/firmware/efi/efi.c | 124 +++++++++++++++++++++++++++++++++------------ include/linux/efi.h | 3 ++ - 2 files changed, 96 insertions(+), 31 deletions(-) + drivers/firmware/efi/efi.c | 122 ++++++++++++++++++++++++++++++++++----------- + 2 files changed, 95 insertions(+), 30 deletions(-) +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 18b16bf5ce1..436b3c93c3d 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -42,6 +42,8 @@ + #define EFI_ABORTED (21 | (1UL << (BITS_PER_LONG-1))) + #define EFI_SECURITY_VIOLATION (26 | (1UL << (BITS_PER_LONG-1))) + ++#define EFI_IS_ERROR(x) ((x) & (1UL << (BITS_PER_LONG-1))) ++ + typedef unsigned long efi_status_t; + typedef u8 efi_bool_t; + typedef u16 efi_char16_t; /* UNICODE character */ +@@ -1183,6 +1185,7 @@ static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {} + #endif + + extern int efi_status_to_err(efi_status_t status); ++extern const char *efi_status_to_str(efi_status_t status); + + /* + * Variable Attributes diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c -index f70febf..588377b 100644 +index 557a47829d0..e8f9c7d84e9 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -31,6 +31,7 @@ @@ -25,20 +46,20 @@ index f70febf..588377b 100644 #include <asm/early_ioremap.h> -@@ -864,40 +865,101 @@ int efi_mem_type(unsigned long phys_addr) +@@ -865,40 +866,101 @@ int efi_mem_type(unsigned long phys_addr) } #endif +struct efi_error_code { + efi_status_t status; + int errno; -+ char *description; ++ const char *description; +}; + -+static struct efi_error_code efi_error_codes[] = { ++static const struct efi_error_code efi_error_codes[] = { + { EFI_SUCCESS, 0, "Success"}, +#if 0 -+ { EFI_LOAD_ERROR, "Load Error"}, ++ { EFI_LOAD_ERROR, -EPICK_AN_ERRNO, "Load Error"}, +#endif + { EFI_INVALID_PARAMETER, -EINVAL, "Invalid Parameter"}, + { EFI_UNSUPPORTED, -ENOSYS, "Unsupported"}, 
@@ -49,40 +70,40 @@ index f70febf..588377b 100644 + { EFI_WRITE_PROTECTED, -EROFS, "Write Protected"}, + { EFI_OUT_OF_RESOURCES, -ENOMEM, "Out of Resources"}, +#if 0 -+ { EFI_VOLUME_CORRUPTED, "Volume Corrupt"}, -+ { EFI_VOLUME_FULL, "Volume Full"}, -+ { EFI_NO_MEDIA, "No Media"}, -+ { EFI_MEDIA_CHANGED, "Media changed"}, ++ { EFI_VOLUME_CORRUPTED, -EPICK_AN_ERRNO, "Volume Corrupt"}, ++ { EFI_VOLUME_FULL, -EPICK_AN_ERRNO, "Volume Full"}, ++ { EFI_NO_MEDIA, -EPICK_AN_ERRNO, "No Media"}, ++ { EFI_MEDIA_CHANGED, -EPICK_AN_ERRNO, "Media changed"}, +#endif + { EFI_NOT_FOUND, -ENOENT, "Not Found"}, +#if 0 -+ { EFI_ACCESS_DENIED, "Access Denied"}, -+ { EFI_NO_RESPONSE, "No Response"}, -+ { EFI_NO_MAPPING, "No mapping"}, -+ { EFI_TIMEOUT, "Time out"}, -+ { EFI_NOT_STARTED, "Not started"}, -+ { EFI_ALREADY_STARTED, "Already started"}, ++ { EFI_ACCESS_DENIED, -EPICK_AN_ERRNO, "Access Denied"}, ++ { EFI_NO_RESPONSE, -EPICK_AN_ERRNO, "No Response"}, ++ { EFI_NO_MAPPING, -EPICK_AN_ERRNO, "No mapping"}, ++ { EFI_TIMEOUT, -EPICK_AN_ERRNO, "Time out"}, ++ { EFI_NOT_STARTED, -EPICK_AN_ERRNO, "Not started"}, ++ { EFI_ALREADY_STARTED, -EPICK_AN_ERRNO, "Already started"}, +#endif + { EFI_ABORTED, -EINTR, "Aborted"}, +#if 0 -+ { EFI_ICMP_ERROR, "ICMP Error"}, -+ { EFI_TFTP_ERROR, "TFTP Error"}, -+ { EFI_PROTOCOL_ERROR, "Protocol Error"}, -+ { EFI_INCOMPATIBLE_VERSION, "Incompatible Version"}, ++ { EFI_ICMP_ERROR, -EPICK_AN_ERRNO, "ICMP Error"}, ++ { EFI_TFTP_ERROR, -EPICK_AN_ERRNO, "TFTP Error"}, ++ { EFI_PROTOCOL_ERROR, -EPICK_AN_ERRNO, "Protocol Error"}, ++ { EFI_INCOMPATIBLE_VERSION, -EPICK_AN_ERRNO, "Incompatible Version"}, +#endif + { EFI_SECURITY_VIOLATION, -EACCES, "Security Policy Violation"}, +#if 0 -+ { EFI_CRC_ERROR, "CRC Error"}, -+ { EFI_END_OF_MEDIA, "End of Media"}, -+ { EFI_END_OF_FILE, "End of File"}, -+ { EFI_INVALID_LANGUAGE, "Invalid Languages"}, -+ { EFI_COMPROMISED_DATA, "Compromised Data"}, ++ { EFI_CRC_ERROR, -EPICK_AN_ERRNO, "CRC Error"}, ++ { EFI_END_OF_MEDIA, 
-EPICK_AN_ERRNO, "End of Media"}, ++ { EFI_END_OF_FILE, -EPICK_AN_ERRNO, "End of File"}, ++ { EFI_INVALID_LANGUAGE, -EPICK_AN_ERRNO, "Invalid Languages"}, ++ { EFI_COMPROMISED_DATA, -EPICK_AN_ERRNO, "Compromised Data"}, + + // warnings -+ { EFI_WARN_UNKOWN_GLYPH, "Warning Unknown Glyph"}, -+ { EFI_WARN_DELETE_FAILURE, "Warning Delete Failure"}, -+ { EFI_WARN_WRITE_FAILURE, "Warning Write Failure"}, -+ { EFI_WARN_BUFFER_TOO_SMALL, "Warning Buffer Too Small"}, ++ { EFI_WARN_UNKOWN_GLYPH, -EPICK_AN_ERRNO, "Warning Unknown Glyph"}, ++ { EFI_WARN_DELETE_FAILURE, -EPICK_AN_ERRNO, "Warning Delete Failure"}, ++ { EFI_WARN_WRITE_FAILURE, -EPICK_AN_ERRNO, "Warning Write Failure"}, ++ { EFI_WARN_BUFFER_TOO_SMALL, -EPICK_AN_ERRNO, "Warning Buffer Too Small"}, +#endif +}; + @@ -102,7 +123,9 @@ index f70febf..588377b 100644 int efi_status_to_err(efi_status_t status) { - int err; -- ++ struct efi_error_code *found; ++ size_t num = sizeof(efi_error_codes) / sizeof(struct efi_error_code); + - switch (status) { - case EFI_SUCCESS: - err = 0; @@ -131,10 +154,6 @@ index f70febf..588377b 100644 - default: - err = -EINVAL; - } -+ struct efi_error_code *found; -+ size_t num = sizeof(efi_error_codes) / sizeof(struct efi_error_code); - -- return err; + found = bsearch((void *)(uintptr_t)status, efi_error_codes, + sizeof(struct efi_error_code), num, + efi_status_cmp_bsearch); @@ -142,7 +161,8 @@ index f70febf..588377b 100644 + return -EINVAL; + return found->errno; +} -+ + +- return err; +const char * +efi_status_to_str(efi_status_t status) +{ 
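Review bot: In the reworked efi_status_to_err(), `found` is still declared `struct efi_error_code *found;` although this revision makes `efi_error_codes[]` `static const`. Because bsearch() returns `void *` the qualifier is dropped silently, so the declaration should read `const struct efi_error_code *found;`. The unchanged call in the same function passes `sizeof(struct efi_error_code), num` as the third and fourth arguments, while the kernel's bsearch() takes the element count before the element size, so the two look swapped and should probably be `efi_error_codes, num, sizeof(struct efi_error_code),`. The lookup also relies on the table staying sorted by status value, which deserves a comment above the array; part of the table and the comparison helper lie outside the lines shown here.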
@@ -158,27 +178,6 @@ index f70febf..588377b 100644 } bool efi_is_table_address(unsigned long phys_addr) -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 946cd01..2b4421f 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -41,6 +41,8 @@ - #define EFI_ABORTED (21 | (1UL << (BITS_PER_LONG-1))) - #define EFI_SECURITY_VIOLATION (26 | (1UL << (BITS_PER_LONG-1))) - -+#define EFI_IS_ERROR(x) ((x) & (1UL << (BITS_PER_LONG-1))) -+ - typedef unsigned long efi_status_t; - typedef u8 efi_bool_t; - typedef u16 efi_char16_t; /* UNICODE character */ -@@ -1171,6 +1173,7 @@ static inline bool efi_is_table_address(unsigned long phys_addr) - #endif - - extern int efi_status_to_err(efi_status_t status); -+extern const char *efi_status_to_str(efi_status_t status); - - /* - * Variable Attributes -- -2.13.6 +2.15.0 diff --git a/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch b/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch index c67a54379..abb313a29 100644 --- a/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch +++ b/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch @@ -1,4 +1,4 @@ -From 690315729dd1cc6ea85551af0c61aa08a62a93f4 Mon Sep 17 00:00:00 2001 +From 520e902d864930e2d4f329983d9ae9781a24231f Mon Sep 17 00:00:00 2001 From: Peter Jones <pjones@redhat.com> Date: Mon, 2 Oct 2017 18:18:30 -0400 Subject: [PATCH 3/3] Make get_cert_list() use efi_status_to_str() to print @@ -10,7 +10,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com> 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/certs/load_uefi.c b/certs/load_uefi.c -index 9ef34c4..13a2826 100644 +index 9ef34c44fd1..13a2826715d 100644 --- a/certs/load_uefi.c +++ b/certs/load_uefi.c @@ -51,7 +51,8 @@ static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid, @@ -34,5 +34,5 @@ index 9ef34c4..13a2826 100644 } -- -2.13.6 +2.15.0 
diff --git a/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch b/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
new file mode 100644
index 000000000..fae1ffe53
--- /dev/null
+++ b/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
@@ -0,0 +1,33 @@
+From c095508770aebf1b9218e77026e48345d719b17c Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Tue, 2 Jan 2018 19:44:34 +0000
+Subject: [PATCH] RDS: Heap OOB write in rds_message_alloc_sgs()
+
+When args->nr_local is 0, nr_pages gets also 0 due some size
+calculation via rds_rm_size(), which is later used to allocate
+pages for DMA, this bug produces a heap Out-Of-Bound write access
+to a specific memory region.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/rds/rdma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index bc2f1e0977d6..94729d9da437 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
+
+ local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
+
++ if (args->nr_local == 0)
++ return -EINVAL;
++
+ /* figure out the number of pages in the vector */
+ for (i = 0; i < args->nr_local; i++) {
+ if (copy_from_user(&vec, &local_vec[i],
+--
+2.15.1
+
diff --git a/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch b/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
new file mode 100644
index 000000000..4317a1cf5
--- /dev/null
+++ b/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
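Review bot: The added `if (args->nr_local == 0) return -EINVAL;` in rds_rdma_extra_size() bounds the user-supplied count only from below. Nothing visible in the hunk caps `nr_local` before the `for (i = 0; i < args->nr_local; i++)` loop, which does a `copy_from_user()` per element while counting pages. The function continues outside the hunk, so an upper bound may already exist there; if it does not, the count should be limited before the loop. A one-line comment above the new check, such as `/* a zero-length local vector yields a zero page count and an undersized allocation */`, would record why it exists.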
@@ -0,0 +1,31 @@ +From 7d11f77f84b27cef452cee332f4e469503084737 Mon Sep 17 00:00:00 2001 +From: Mohamed Ghannam <simo.ghannam@gmail.com> +Date: Wed, 3 Jan 2018 21:06:06 +0000 +Subject: [PATCH] RDS: null pointer dereference in rds_atomic_free_op + +set rm->atomic.op_active to 0 when rds_pin_pages() fails +or the user supplied address is invalid, +this prevents a NULL pointer usage in rds_atomic_free_op() + +Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com> +Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/rds/rdma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/rds/rdma.c b/net/rds/rdma.c +index 94729d9da437..634cfcb7bba6 100644 +--- a/net/rds/rdma.c ++++ b/net/rds/rdma.c +@@ -877,6 +877,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm, + err: + if (page) + put_page(page); ++ rm->atomic.op_active = 0; + kfree(rm->atomic.op_notifier); + + return ret; +-- +2.15.1 + diff --git a/kernel.spec b/kernel.spec index 9988ee7d9..9b52f6d8f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -577,7 +577,7 @@ Patch205: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch Patch206: MODSIGN-Support-not-importing-certs-from-db.patch -# still secureboot, rhbz#1497559 +# bz 1497559 - Make kernel MODSIGN code not error on missing variables Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch Patch209: 0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch 
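Review bot: On the `err:` path of rds_cmsg_atomic() the patch clears `rm->atomic.op_active`, but `rm->atomic.op_notifier` still points at freed memory after `kfree(rm->atomic.op_notifier);`. Whether any later teardown path reads that pointer once op_active is zero is not visible here. Adding `rm->atomic.op_notifier = NULL;` right after the kfree would keep the error path safe regardless of how the free routines are ordered. The function body starts outside the hunk.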
@@ -650,6 +650,15 @@ Patch505: netfilter-nfnetlink_cthelper-Add-missing-permission-.patch # https://patchwork.kernel.org/patch/10104349/ Patch506: e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch +# CVE-2018-5344 rhbz 1533909 1533911 +Patch507: loop-fix-concurrent-lo_open-lo_release.patch + +# CVE-2018-5332 rhbz 1533890 1533895 +Patch508: RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch + +# CVE-2018-5333 rhbz 1533891 1533895 +Patch509: RDS-null-pointer-dereference-in-rds_atomic_free_op.patch + # 550-600 Meltdown and Spectre Fixes Patch550: prevent-bounds-check-bypass-via-speculative-execution.patch Patch551: 0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch @@ -2270,6 +2279,11 @@ fi # # %changelog +* Fri Jan 12 2018 Jeremy Cline <jeremy@jcline.org> +- Fix for CVE-2018-5344 (rhbz 1533909 1533911) +- Fix for CVE-2018-5332 (rhbz 1533890 1533895) +- Fix for CVE-2018-5333 (rhbz 1533891 1533895) + * Wed Jan 10 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.13-200 - Linux v4.14.13 - Iniital retpoline fixes for Spectre v2 diff --git a/loop-fix-concurrent-lo_open-lo_release.patch b/loop-fix-concurrent-lo_open-lo_release.patch new file mode 100644 index 000000000..37131a702 --- /dev/null +++ b/loop-fix-concurrent-lo_open-lo_release.patch 
@@ -0,0 +1,55 @@
+From ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 5 Jan 2018 16:26:00 -0800
+Subject: [PATCH] loop: fix concurrent lo_open/lo_release
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
+The reason is due to insufficient serialization in lo_release(), which
+will continue to use the loop device even after it has decremented the
+lo_refcnt to zero.
+
+In the meantime, another process can come in, open the loop device
+again as it is being shut down. Confusion ensues.
+
+Reported-by: 范龙飞 <long7573@126.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+---
+ drivers/block/loop.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index bc8e61506968..d5fe720cf149 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1581,9 +1581,8 @@ static int lo_open(struct block_device *bdev, fmode_t mode)
+ return err;
+ }
+
+-static void lo_release(struct gendisk *disk, fmode_t mode)
++static void __lo_release(struct loop_device *lo)
+ {
+- struct loop_device *lo = disk->private_data;
+ int err;
+
+ if (atomic_dec_return(&lo->lo_refcnt))
+@@ -1610,6 +1609,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode)
+ mutex_unlock(&lo->lo_ctl_mutex);
+ }
+
++static void lo_release(struct gendisk *disk, fmode_t mode)
++{
++ mutex_lock(&loop_index_mutex);
++ __lo_release(disk->private_data);
++ mutex_unlock(&loop_index_mutex);
++}
++
+ static const struct block_device_operations lo_fops = {
+ .owner = THIS_MODULE,
+ .open = lo_open,
+--
+2.15.1
+ |
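Review bot: The new lo_release() wrapper takes `loop_index_mutex` around `__lo_release()`, whose tail releases `lo->lo_ctl_mutex`, so the release path nests lo_ctl_mutex inside loop_index_mutex without recording that order anywhere. A comment on the wrapper, for example `/* loop_index_mutex serializes release against a concurrent lo_open(); lock order: loop_index_mutex, then lo_ctl_mutex */`, would keep later changes from taking the two locks in the opposite order. That lo_open() runs under loop_index_mutex is inferred from the commit message, not shown in the hunk, and most of __lo_release()'s body lies between the two inner hunks.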