merge originkernel-4.19.16-250.vanilla.knurd.1.fc28

4 files changed, 179 insertions, 44 deletions

diff --git a/CVE-2019-3459-and-CVE-2019-3460.patch b/CVE-2019-3459-and-CVE-2019-3460.patch
new file mode 100644
index 000000000..c7fa62736
--- /dev/null
+++ b/CVE-2019-3459-and-CVE-2019-3460.patch
@@ -0,0 +1,167 @@
+From 20614b74e481f0c9f94032ae99f110d4647b65a6 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 10 Jan 2019 07:28:33 +0100
+Subject: [PATCH 1/2] Bluetooth: check message types in l2cap_get_conf_opt
+
+l2cap_get_conf_opt can handle a "default" message type, but it needs to
+be verified that it really is the correct type (CONF_EFS or CONF_RFC)
+before passing it back to the caller.  To do this we need to check the
+return value of this call now and handle the error correctly up the
+stack.
+
+Based on a patch from Ran Menscher.
+
+Reported-by: Ran Menscher <ran.menscher@karambasecurity.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index d17a4736e47c..a0ce6e8e5ef7 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -2979,6 +2979,10 @@ static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
+ 		break;
+ 
+ 	default:
++		/* Only CONF_EFS and CONF_RFC are allowed here */
++		if ((opt->type != L2CAP_CONF_EFS) &&
++		    (opt->type != L2CAP_CONF_RFC))
++			return -EPROTO;
+ 		*val = (unsigned long) opt->val;
+ 		break;
+ 	}
+@@ -3323,7 +3327,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
+ 	void *endptr = data + data_size;
+ 	void *req = chan->conf_req;
+ 	int len = chan->conf_len;
+-	int type, hint, olen;
++	int type, hint, olen, err;
+ 	unsigned long val;
+ 	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
+ 	struct l2cap_conf_efs efs;
+@@ -3335,7 +3339,10 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
+ 	BT_DBG("chan %p", chan);
+ 
+ 	while (len >= L2CAP_CONF_OPT_SIZE) {
+-		len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
++		err = l2cap_get_conf_opt(&req, &type, &olen, &val);
++		if (err < 0)
++			return err;
++		len -= err;
+ 
+ 		hint  = type & L2CAP_CONF_HINT;
+ 		type &= L2CAP_CONF_MASK;
+@@ -3538,7 +3545,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+ 	struct l2cap_conf_req *req = data;
+ 	void *ptr = req->data;
+ 	void *endptr = data + size;
+-	int type, olen;
++	int type, olen, err;
+ 	unsigned long val;
+ 	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
+ 	struct l2cap_conf_efs efs;
+@@ -3546,7 +3553,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+ 	BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
+ 
+ 	while (len >= L2CAP_CONF_OPT_SIZE) {
+-		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
++		err = l2cap_get_conf_opt(&rsp, &type, &olen, &val);
++		if (err < 0)
++			return err;
++		len -= err;
+ 
+ 		switch (type) {
+ 		case L2CAP_CONF_MTU:
+@@ -3706,7 +3716,7 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
+ 
+ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
+ {
+-	int type, olen;
++	int type, olen, err;
+ 	unsigned long val;
+ 	/* Use sane default values in case a misbehaving remote device
+ 	 * did not send an RFC or extended window size option.
+@@ -3726,7 +3736,10 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
+ 		return;
+ 
+ 	while (len >= L2CAP_CONF_OPT_SIZE) {
+-		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
++		err = l2cap_get_conf_opt(&rsp, &type, &olen, &val);
++		if (err < 0)
++			return;
++		len -= err;
+ 
+ 		switch (type) {
+ 		case L2CAP_CONF_RFC:
+-- 
+2.20.1
+
+From 50cd5314f5ffa264906f4986f414750d648c4ece Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 10 Jan 2019 07:29:17 +0100
+Subject: [PATCH 2/2] Bluetooth: check the buffer size for some messages before
+ parsing
+
+The L2CAP_CONF_EFS and L2CAP_CONF_RFC messages can be sent from
+userspace so their structure sizes need to be checked before parsing
+them.
+
+Based on a patch from Ran Menscher.
+
+Reported-by: Ran Menscher <ran.menscher@karambasecurity.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ net/bluetooth/l2cap_core.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index a0ce6e8e5ef7..d8d3cbdc0d29 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3360,7 +3360,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
+ 			break;
+ 
+ 		case L2CAP_CONF_RFC:
+-			if (olen == sizeof(rfc))
++			if ((olen == sizeof(rfc)) &&
++			    (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(rfc)))
+ 				memcpy(&rfc, (void *) val, olen);
+ 			break;
+ 
+@@ -3370,7 +3371,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
+ 			break;
+ 
+ 		case L2CAP_CONF_EFS:
+-			if (olen == sizeof(efs)) {
++			if ((olen == sizeof(efs)) &&
++			    (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(efs))) {
+ 				remote_efs = 1;
+ 				memcpy(&efs, (void *) val, olen);
+ 			}
+@@ -3575,7 +3577,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+ 			break;
+ 
+ 		case L2CAP_CONF_RFC:
+-			if (olen == sizeof(rfc))
++			if ((olen == sizeof(rfc)) &&
++			    (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(rfc)))
+ 				memcpy(&rfc, (void *)val, olen);
+ 
+ 			if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
+@@ -3595,7 +3598,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+ 			break;
+ 
+ 		case L2CAP_CONF_EFS:
+-			if (olen == sizeof(efs)) {
++			if ((olen == sizeof(efs)) &&
++			    (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(efs))) {
+ 				memcpy(&efs, (void *)val, olen);
+ 
+ 				if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+-- 
+2.20.1
+
diff --git a/bcm283x-drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch b/bcm283x-drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch
deleted file mode 100644
index 5aa9668bc..000000000
--- a/bcm283x-drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From patchwork Tue Oct  9 13:24:46 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: drm/vc4: Set ->is_yuv to false when num_planes == 1
-From: Boris Brezillon <boris.brezillon@bootlin.com>
-X-Patchwork-Id: 255528
-Message-Id: <20181009132446.21960-1-boris.brezillon@bootlin.com>
-To: David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
- dri-devel@lists.freedesktop.org, Eric Anholt <eric@anholt.net>
-Cc: Boris Brezillon <boris.brezillon@bootlin.com>, stable@vger.kernel.org
-Date: Tue,  9 Oct 2018 15:24:46 +0200
-
-When vc4_plane_state is duplicated ->is_yuv is left assigned to its
-previous value, and we never set it back to false when switching to
-a non-YUV format.
-
-Fix that by setting ->is_yuv to false in the 'num_planes == 1' branch
-of the vc4_plane_setup_clipping_and_scaling() function.
-
-Fixes: fc04023fafecf ("drm/vc4: Add support for YUV planes.")
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
-Reviewed-by: Eric Anholt <eric@anholt.net>
----
- drivers/gpu/drm/vc4/vc4_plane.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
-index d04b3c3246ba..60d5ad19cedd 100644
---- a/drivers/gpu/drm/vc4/vc4_plane.c
-+++ b/drivers/gpu/drm/vc4/vc4_plane.c
-@@ -321,6 +321,7 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state)
- 		if (vc4_state->is_unity)
- 			vc4_state->x_scaling[0] = VC4_SCALING_PPF;
- 	} else {
-+		vc4_state->is_yuv = false;
- 		vc4_state->x_scaling[1] = VC4_SCALING_NONE;
- 		vc4_state->y_scaling[1] = VC4_SCALING_NONE;
- 	}
diff --git a/kernel.spec b/kernel.spec
index 5b76953b4..a4b6f6879 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,7 @@ Summary: The Linux kernel
 %define stable_rc 0
 
 # Do we have a -stable update to apply?
-%define stable_update 15
+%define stable_update 16
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -608,8 +608,6 @@ Patch306: arm-sdhci-esdhc-imx-fixes.patch
 
 Patch310: gpio-pxa-handle-corner-case-of-unprobed-device.patch
 
-Patch331: bcm283x-drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch
-
 # https://patchwork.kernel.org/patch/10686407/
 Patch332: raspberrypi-Fix-firmware-calls-with-large-buffers.patch
 
@@ -653,6 +651,9 @@ Patch517: 0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch
 # CVE-2019-3701 rhbz 1663729 1663730
 Patch518: CVE-2019-3701.patch
 
+# CVE-2019-3459 and CVE-2019-3460 rbhz 1663176 1663179 1665925
+Patch519: CVE-2019-3459-and-CVE-2019-3460.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1907,6 +1908,13 @@ fi
 #
 #
 %changelog
+* Wed Jan 16 2019 Jeremy Cline <jcline@redhat.com> - 4.19.16-200
+- Linux v4.19.16
+
+* Mon Jan 14 2019 Jeremy Cline <jcline@redhat.com> - 4.19.15-200
+- Linux v4.19.15
+- Fix CVE-2019-3459 and CVE-2019-3460 (rbhz 1663176 1663179 1665925)
+
 * Wed Jan 09 2019 Jeremy Cline <jcline@redhat.com> - 4.19.14-200
 - Linux v4.19.14
 
diff --git a/sources b/sources
index c6135fb7e..5749fd7cc 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (linux-4.19.tar.xz) = ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4
-SHA512 (patch-4.19.15.xz) = f2f649d8d3951ea742d419037d1d712c853a6f2b1531bf00b88028ca36909838f93a6424d397461acc120ccbce993d41975ede7733f8d6640e209eb07655cc9f
+SHA512 (patch-4.19.16.xz) = 77c34c300cc9982fbc08eca0bde67b6b6a12eebda075e2c5791f364e6d7cabba2d6bb961da6c78973145eaa8ce095167e00084b91938a466c4474dfedbef7589