authorThorsten Leemhuis <fedora@leemhuis.info>2018-07-11 17:44:42 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2018-07-11 17:44:42 +0200
commit4d62e6731d516ad76a5c299268189a0a6102cec2 (patch)
tree13c649ee692b3a7ce1953d5cb27a7dc264ee9388
parent7f07f9e8f1699c1a5074fc3d40894ea11d06b609 (diff)
parentbc7256088d17afd9f895248fc4a2907a77bf146a (diff)
Merge remote-tracking branch 'origin/f27' into f27-user-thl-vanilla-fedora
-rw-r--r--0001-xfs-More-robust-inode-extent-count-validation.patch82
-rw-r--r--Bluetooth-btusb-Add-additional-device-ID-for-RTL8822.patch63
-rw-r--r--CVE-2018-13405.patch47
-rw-r--r--kernel.spec13
4 files changed, 205 insertions, 0 deletions
diff --git a/0001-xfs-More-robust-inode-extent-count-validation.patch b/0001-xfs-More-robust-inode-extent-count-validation.patch
index 767eb6fac..f24aa88d2 100644
--- a/0001-xfs-More-robust-inode-extent-count-validation.patch
+++ b/0001-xfs-More-robust-inode-extent-count-validation.patch
@@ -1,3 +1,85 @@
+From 7d71a671a2d900606d3a62ed5976d3b0feada3a6 Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Tue, 5 Jun 2018 10:06:44 -0700
+Subject: [PATCH] xfs: verify extent size hint is valid in inode verifier
+
+There are rules for vald extent size hints. We enforce them when
+applications set them, but fuzzers violate those rules and that
+screws us over.
+
+This results in alignment assertion failures when setting up
+allocations such as this in direct IO:
+
+XFS: Assertion failed: ap->length, file: fs/xfs/libxfs/xfs_bmap.c, line: 3432
+....
+Call Trace:
+ xfs_bmap_btalloc+0x415/0x910
+ xfs_bmapi_write+0x71c/0x12e0
+ xfs_iomap_write_direct+0x2a9/0x420
+ xfs_file_iomap_begin+0x4dc/0xa70
+ iomap_apply+0x43/0x100
+ iomap_file_buffered_write+0x62/0x90
+ xfs_file_buffered_aio_write+0xba/0x300
+ __vfs_write+0xd5/0x150
+ vfs_write+0xb6/0x180
+ ksys_write+0x45/0xa0
+ do_syscall_64+0x5a/0x180
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+And from xfs_db:
+
+core.extsize = 10380288
+
+Which is not an integer multiple of the block size, and so violates
+Rule #7 for setting extent size hints. Validate extent size hint
+rules in the inode verifier to catch this.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ fs/xfs/libxfs/xfs_inode_buf.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c
+index 1201107eabc6..1fe18555b451 100644
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -397,6 +397,7 @@ xfs_dinode_verify(
+ xfs_ino_t ino,
+ struct xfs_dinode *dip)
+ {
++ xfs_failaddr_t fa;
+ uint16_t mode;
+ uint16_t flags;
+ uint64_t flags2;
+@@ -513,6 +514,12 @@ xfs_dinode_verify(
+ return __this_address;
+ }
+
++ /* extent size hint validation */
++ fa = xfs_inode_validate_extsize(mp, be32_to_cpu(dip->di_extsize),
++ mode, flags);
++ if (fa)
++ return fa;
++
+ /* only version 3 or greater inodes are extensively verified here */
+ if (dip->di_version < 3)
+ return NULL;
+@@ -521,7 +528,7 @@ xfs_dinode_verify(
+
+ /* don't allow reflink/cowextsize if we don't have reflink */
+ if ((flags2 & (XFS_DIFLAG2_REFLINK | XFS_DIFLAG2_COWEXTSIZE)) &&
+- !xfs_sb_version_hasreflink(&mp->m_sb))
++ !xfs_sb_version_hasreflink(&mp->m_sb))
+ return __this_address;
+
+ /* only regular files get reflink */
+--
+2.17.1
+
From 23fcb3340d033d9f081e21e6c12c2db7eaa541d3 Mon Sep 17 00:00:00 2001
From: Dave Chinner <dchinner@redhat.com>
Date: Thu, 21 Jun 2018 23:25:57 -0700
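Review bot: The new `xfs_inode_validate_extsize()` call in the second inner hunk sits above the `di_version < 3` early return, so the verifier now rejects an inode of any version whose extent size hint breaks the rules, and nothing in the code says that this placement is deliberate. If inodes with such a hint can already exist on disk from kernels that did not verify it (not determinable here, since the validator itself is not shown), they would start failing verification after this update; that is worth confirming before the patch goes to a stable release. A comment such as `/* extent size hint validation; applies to all inode versions */` would make the ordering explicit. The reindented `!xfs_sb_version_hasreflink(&mp->m_sb))` line is a whitespace-only change unrelated to the fix, and the body of xfs_dinode_verify starts and ends outside the hunk.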
diff --git a/Bluetooth-btusb-Add-additional-device-ID-for-RTL8822.patch b/Bluetooth-btusb-Add-additional-device-ID-for-RTL8822.patch
new file mode 100644
index 000000000..b16400135
--- /dev/null
+++ b/Bluetooth-btusb-Add-additional-device-ID-for-RTL8822.patch
@@ -0,0 +1,63 @@
+From 1cd2fabf4bdcf95eda6a1bcebc4a0a965509da36 Mon Sep 17 00:00:00 2001
+From: Artiom Vaskov <velemas@gmail.com>
+Date: Wed, 30 May 2018 11:23:00 +0300
+Subject: [PATCH] Bluetooth: btusb: Add additional device ID for RTL8822BE
+
+The Asus ROG GL702ZC laptop contains a Realtek RTL8822BE device with
+an associated BT chip using a USB ID of 13d3:3526. This ID is added
+to the driver.
+
+The /sys/kernel/debug/usb/devices portion for this device is:
+
+T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=04 Dev#= 5 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3526 Rev= 1.10
+S: Manufacturer=Realtek
+S: Product=Bluetooth Radio
+S: SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Signed-off-by: Artiom Vaskov <velemas@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 3a477b6b3ce6..f73a27ea28cc 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -384,6 +384,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
+
+ /* Additional Realtek 8822BE Bluetooth devices */
++ { USB_DEVICE(0x13d3, 0x3526), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
+
+ /* Silicon Wave based devices */
+--
+2.17.1
+
diff --git a/CVE-2018-13405.patch b/CVE-2018-13405.patch
new file mode 100644
index 000000000..489e11f54
--- /dev/null
+++ b/CVE-2018-13405.patch
@@ -0,0 +1,47 @@
+From 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 3 Jul 2018 17:10:19 -0700
+Subject: [PATCH] Fix up non-directory creation in SGID directories
+
+sgid directories have special semantics, making newly created files in
+the directory belong to the group of the directory, and newly created
+subdirectories will also become sgid. This is historically used for
+group-shared directories.
+
+But group directories writable by non-group members should not imply
+that such non-group members can magically join the group, so make sure
+to clear the sgid bit on non-directories for non-members (but remember
+that sgid without group execute means "mandatory locking", just to
+confuse things even more).
+
+Reported-by: Jann Horn <jannh@google.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ fs/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 2c300e981796..8c86c809ca17 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1999,8 +1999,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
+ inode->i_uid = current_fsuid();
+ if (dir && dir->i_mode & S_ISGID) {
+ inode->i_gid = dir->i_gid;
++
++ /* Directories are special, and always inherit S_ISGID */
+ if (S_ISDIR(mode))
+ mode |= S_ISGID;
++ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
++ !in_group_p(inode->i_gid) &&
++ !capable_wrt_inode_uidgid(dir, CAP_FSETID))
++ mode &= ~S_ISGID;
+ } else
+ inode->i_gid = current_fsgid();
+ inode->i_mode = mode;
+--
+2.17.1
+
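Review bot: The S_ISGID strip is added only inside `inode_init_owner()`, so it covers just the creation paths that call this helper; a filesystem that assigns `i_gid` and the mode on its own would, as far as this hunk shows, still leave the set-group-ID bit on a file created by a non-member in a group-writable SGID directory. It is worth checking which filesystems built into this kernel bypass the helper. The `else if` branch would also benefit from a comment stating why `S_IXGRP` is tested, for example `/* S_ISGID without S_IXGRP marks mandatory locking, not set-group-ID: leave it alone */`, since that reasoning currently lives only in the commit message. The function's signature and closing lines are outside the hunk.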
diff --git a/kernel.spec b/kernel.spec
index 0d149aff5..639334111 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -663,6 +663,9 @@ Patch511: 2-2-xen-netfront-Update-features-after-registering-netdev.patch
# rhbz 1591516
Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch
+# rhbz 1599917
+Patch516: Bluetooth-btusb-Add-additional-device-ID-for-RTL8822.patch
+
# rhbz 1572944
Patch517: Revert-the-random-series-for-4.16.4.patch
@@ -682,6 +685,9 @@ Patch522: 0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch
# CVE-2018-13095 rhbz 1597775 1597777
Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch
+# CVE-2018-13405 rhbz 1599161 1599162
+Patch524: CVE-2018-13405.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1934,6 +1940,13 @@ fi
#
#
%changelog
+* Wed Jul 11 2018 Jeremy Cline <jeremy@jcline.org>
+- Add device ID for RTL8822BE in the Asus ROG GL702ZC (rhbz 1599917)
+
+* Mon Jul 09 2018 Jeremy Cline <jcline@redhat.com> - 4.17.5-100
+- Linux v4.17.5
+- Fix CVE-2018-13405 (rhbz 1599161 1599162)
+
* Thu Jul 05 2018 Justin M. Forbes <jforbes@fedoraproject.org>
- Fix CVE-2018-13053 (rhbz 1597747 1597748)
- Fix CVE-2018-12896 (rhbz 1597759 1597760)