diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-01-09 18:07:31 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-01-09 18:07:31 +0100 |
commit | 6595a4430eddb123bc5aeaf2cfedb8c2d44db633 (patch) | |
tree | cd03412ad6232e077a54325724c2efbd181fa778 | |
parent | 2315f2e6397b70e48aab260fc79f32a0ccdd497f (diff) | |
parent | f2af597e82d61de36dbd650aeec30923997e5154 (diff) | |
download | kernel-6595a4430eddb123bc5aeaf2cfedb8c2d44db633.tar.gz kernel-6595a4430eddb123bc5aeaf2cfedb8c2d44db633.tar.xz kernel-6595a4430eddb123bc5aeaf2cfedb8c2d44db633.zip |
merge origin
-rw-r--r-- | 0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch | 45 | ||||
-rw-r--r-- | CVE-2019-3701.patch | 42 | ||||
-rw-r--r-- | kernel.spec | 15 |
3 files changed, 102 insertions, 0 deletions
diff --git a/0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch b/0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch new file mode 100644 index 000000000..b91e6f158 --- /dev/null +++ b/0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch @@ -0,0 +1,45 @@ +From 70ecdd3d8b36cd2bb960bc4e7ae047fbb94c031b Mon Sep 17 00:00:00 2001 +From: "Cho, Yu-Chen" <acho@suse.com> +Date: Tue, 2 Oct 2018 17:57:04 +0800 +Subject: [PATCH] Bluetooth: btsdio: Do not bind to non-removable BCM43430 + +BCM43430 devices soldered onto the PCB (non-removable) +use an UART connection for bluetooth. +But also advertise btsdio support on their 3th sdio function. + +Signed-off-by: Cho, Yu-Chen <acho@suse.com> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> +--- + drivers/bluetooth/btsdio.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c +index 20142bc77554..282d1af1d3ba 100644 +--- a/drivers/bluetooth/btsdio.c ++++ b/drivers/bluetooth/btsdio.c +@@ -293,13 +293,17 @@ static int btsdio_probe(struct sdio_func *func, + tuple = tuple->next; + } + +- /* BCM43341 devices soldered onto the PCB (non-removable) use an +- * uart connection for bluetooth, ignore the BT SDIO interface. ++ /* Broadcom devices soldered onto the PCB (non-removable) use an ++ * UART connection for Bluetooth, ignore the BT SDIO interface. + */ + if (func->vendor == SDIO_VENDOR_ID_BROADCOM && +- func->device == SDIO_DEVICE_ID_BROADCOM_43341 && +- !mmc_card_is_removable(func->card->host)) +- return -ENODEV; ++ !mmc_card_is_removable(func->card->host)) { ++ switch (func->device) { ++ case SDIO_DEVICE_ID_BROADCOM_43341: ++ case SDIO_DEVICE_ID_BROADCOM_43430: ++ return -ENODEV; ++ } ++ } + + data = devm_kzalloc(&func->dev, sizeof(*data), GFP_KERNEL); + if (!data) +-- +2.20.1 + diff --git a/CVE-2019-3701.patch b/CVE-2019-3701.patch new file mode 100644 index 000000000..06ee36a63 --- /dev/null +++ b/CVE-2019-3701.patch @@ -0,0 +1,42 @@ +From linux-netdev Thu Jan 03 12:26:34 2019 +From: Oliver Hartkopp <socketcan () hartkopp ! net> +Date: Thu, 03 Jan 2019 12:26:34 +0000 +To: linux-netdev +Subject: [PATCH] can: gw: ensure DLC boundaries after CAN frame modification +Message-Id: <20190103122634.2530-1-socketcan () hartkopp ! net> +X-MARC-Message: https://marc.info/?l=linux-netdev&m=154651842302479 + +The CAN frame modification rules allow bitwise logical operations which can +be also applied to the can_dlc field. Ensure the manipulation result to +maintain the can_dlc boundaries so that the CAN drivers do not accidently +write arbitrary content beyond the data registers in the CAN controllers +I/O mem when processing can-gw manipulated outgoing frames. When passing these +frames to user space this issue did not have any effect to the kernel or any +leaked data as we always strictly copy sizeof(struct can_frame) bytes. + +Reported-by: Muyu Yu <ieatmuttonchuan@gmail.com> +Reported-by: Marcus Meissner <meissner@suse.de> +Tested-by: Muyu Yu <ieatmuttonchuan@gmail.com> +Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net> +Cc: linux-stable <stable@vger.kernel.org> # >= v3.2 +--- + net/can/gw.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/can/gw.c b/net/can/gw.c +index faa3da88a127..9000d9b8a133 100644 +--- a/net/can/gw.c ++++ b/net/can/gw.c +@@ -418,6 +418,10 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data) + + /* check for checksum updates when the CAN frame has been modified */ + if (modidx) { ++ /* ensure DLC boundaries after the different mods */ ++ if (cf->can_dlc > 8) ++ cf->can_dlc = 8; ++ + if (gwj->mod.csumfunc.crc8) + (*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8); + +-- +2.19.2 diff --git a/kernel.spec b/kernel.spec index bf906be1f..3b41f01d5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -652,6 +652,12 @@ Patch510: iio-accel-kxcjk1013-Add-more-hardware-ids.patch # rhbz 1645070 patch queued upstream for merging into 4.21 Patch516: asus-fx503-keyb.patch +# rhbz 1661961 patch merged upstream in 4.20 +Patch517: 0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch + +# CVE-2019-3701 rhbz 1663729 1663730 +Patch518: CVE-2019-3701.patch + # END OF PATCH DEFINITIONS %endif @@ -1916,6 +1922,15 @@ fi # # %changelog +* Wed Jan 09 2019 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2019-3701 (rhbz 1663729 1663730) + +* Mon Jan 7 2019 Hans de Goede <hdegoede@redhat.com> +- Add patch to fix bluetooth on RPI 3B+ registering twice (rhbz#1661961) + +* Sat Dec 29 2018 Jeremy Cline <jcline@redhat.com> - 4.19.13-300 +- Linux v4.19.13 + * Thu Dec 27 2018 Hans de Goede <hdegoede@redhat.com> - Set CONFIG_REALTEK_PHY=y to workaround realtek ethernet issues (rhbz 1650984) |