diff options
author | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-10-15 07:15:04 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-10-15 07:15:04 -0500 |
commit | 58458becebba229bf430b9f4645b0d81aca4d8ff (patch) | |
tree | 02de19fa71b34eed31bfe1abc908ad040124ac92 | |
parent | 09bf7b1b2d75d2f579340d65241e5f337b5fc8bf (diff) | |
download | kernel-58458becebba229bf430b9f4645b0d81aca4d8ff.tar.gz kernel-58458becebba229bf430b9f4645b0d81aca4d8ff.tar.xz kernel-58458becebba229bf430b9f4645b0d81aca4d8ff.zip |
Linux 4.18.14
-rw-r--r-- | kernel.spec | 8 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | xsa270.patch | 55 |
3 files changed, 5 insertions, 60 deletions
diff --git a/kernel.spec b/kernel.spec index d4dc75f42..eac1813e9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 13 +%define stable_update 14 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -665,9 +665,6 @@ Patch528: 0008-console-dummycon-export-dummycon_-un-register_output.patch Patch529: 0009-fbcon-Only-defer-console-takeover-if-the-current-con.patch Patch530: 0010-fbcon-Do-not-takeover-the-console-from-atomic-contex.patch -# CVE-2018-15471 rhbz 1610555 1618414 -Patch531: xsa270.patch - # rhbz 1572944 Patch533: 0001-random-add-a-config-option-to-trust-the-CPU-s-hwrng.patch Patch534: 0001-random-make-CPU-trust-a-boot-parameter.patch @@ -1934,6 +1931,9 @@ fi # # %changelog +* Mon Oct 15 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.18.14-300 +- Linux v4.18.14 + * Fri Oct 12 2018 Peter Robinson <pbrobinson@fedoraproject.org> - Rebase device specific NVRAM files on brcm WiFi devices to latest @@ -1,2 +1,2 @@ SHA512 (linux-4.18.tar.xz) = 950eb85ac743b291afe9f21cd174d823e25f11883ee62cecfbfff8fe8c5672aae707654b1b8f29a133b1f2e3529e63b9f7fba4c45d6dacccc8000b3a9a9ae038 -SHA512 (patch-4.18.13.xz) = 169c232c1799eae10b5fa399fc2cb0567536681e8e17f59fe0c489c6186d368261ba45baf1b6f71a0d111895cbf4a44d93f7ee3e20d4842b699f75f5372c8d38 +SHA512 (patch-4.18.14.xz) = 1bfcb475dad5100496e3f47989cd84d476631e87725df9bd22c462d87415199d4dfc30fe22772531bb21ede96c40187c3ee79fa64e61ec3503f743aba723d744 diff --git a/xsa270.patch b/xsa270.patch deleted file mode 100644 index 867896f9d..000000000 --- a/xsa270.patch +++ /dev/null @@ -1,55 +0,0 @@ -From: Jan Beulich <jbeulich@suse.com> -Subject: xen-netback: fix input validation in xenvif_set_hash_mapping() - -Both len and off are frontend specified values, so we need to make -sure there's no overflow when adding the two for the bounds check. We -also want to avoid undefined behavior and hence use off to index into -->hash.mapping[] only after bounds checking. This at the same time -allows to take care of not applying off twice for the bounds checking -against vif->num_queues. - -It is also insufficient to bounds check copy_op.len, as this is len -truncated to 16 bits. - -This is XSA-270. - -Reported-by: Felix Wilhelm <fwilhelm@google.com> -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Reviewed-by: Paul Durrant <paul.durrant@citrix.com> -Tested-by: Paul Durrant <paul.durrant@citrix.com> ---- -The bounds checking against vif->num_queues also occurs too early afaict -(it should be done after the grant copy). I have patches ready as public -follow-ups for both this and the (at least latent) issue of the mapping -array crossing a page boundary. - ---- a/drivers/net/xen-netback/hash.c -+++ b/drivers/net/xen-netback/hash.c -@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct - u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len, - u32 off) - { -- u32 *mapping = &vif->hash.mapping[off]; -+ u32 *mapping = vif->hash.mapping; - struct gnttab_copy copy_op = { - .source.u.ref = gref, - .source.domid = vif->domid, -- .dest.u.gmfn = virt_to_gfn(mapping), - .dest.domid = DOMID_SELF, -- .dest.offset = xen_offset_in_page(mapping), -- .len = len * sizeof(u32), -+ .len = len * sizeof(*mapping), - .flags = GNTCOPY_source_gref - }; - -- if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE) -+ if ((off + len < off) || (off + len > vif->hash.size) || -+ len > XEN_PAGE_SIZE / sizeof(*mapping)) - return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; - -+ copy_op.dest.u.gmfn = virt_to_gfn(mapping + off); -+ copy_op.dest.offset = xen_offset_in_page(mapping + off); -+ - while (len-- != 0) - if (mapping[off++] >= vif->num_queues) - return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER; |