diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-14 07:20:26 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-14 07:20:26 +0200 |
commit | 330729087d5d9b082d7b1d30ed57497ccb38ba0c (patch) | |
tree | 95d3fdd824148a51b51ef3bef6e37882c7f33cda | |
parent | 02f3c66fa79b3a567c61f6c795a54c0d752f62c7 (diff) | |
parent | 06df19e33338a28c09b490b516b154301c315522 (diff) | |
download | kernel-330729087d5d9b082d7b1d30ed57497ccb38ba0c.tar.gz kernel-330729087d5d9b082d7b1d30ed57497ccb38ba0c.tar.xz kernel-330729087d5d9b082d7b1d30ed57497ccb38ba0c.zip |
Merge remote-tracking branch 'origin/f22' into f22-user-thl-vanilla-fedorakernel-4.4.10-200.vanilla.knurd.1.fc22
-rw-r--r-- | 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch | 169 | ||||
-rw-r--r-- | 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch | 37 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch | 33 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch | 34 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch | 34 | ||||
-rw-r--r-- | KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch | 91 | ||||
-rw-r--r-- | bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch | 46 | ||||
-rw-r--r-- | bpf-fix-refcnt-overflow.patch | 158 | ||||
-rw-r--r-- | kernel.spec | 51 | ||||
-rw-r--r-- | propogate_mnt-Handle-the-first-propogated-copy-being.patch | 146 | ||||
-rw-r--r-- | sources | 2 |
11 files changed, 433 insertions, 368 deletions
diff --git a/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch b/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch deleted file mode 100644 index a76603900..000000000 --- a/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch +++ /dev/null @@ -1,169 +0,0 @@ -From a21211672c9a1d730a39aa65d4a5b3414700adfb Mon Sep 17 00:00:00 2001 -From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> -Date: Wed, 23 Mar 2016 21:07:39 -0700 -Subject: [PATCH] ACPI / processor: Request native thermal interrupt handling - via _OSC - -There are several reports of freeze on enabling HWP (Hardware PStates) -feature on Skylake-based systems by the Intel P-states driver. The root -cause is identified as the HWP interrupts causing BIOS code to freeze. - -HWP interrupts use the thermal LVT which can be handled by Linux -natively, but on the affected Skylake-based systems SMM will respond -to it by default. This is a problem for several reasons: - - On the affected systems the SMM thermal LVT handler is broken (it - will crash when invoked) and a BIOS update is necessary to fix it. - - With thermal interrupt handled in SMM we lose all of the reporting - features of the arch/x86/kernel/cpu/mcheck/therm_throt driver. - - Some thermal drivers like x86-package-temp depend on the thermal - threshold interrupts signaled via the thermal LVT. - - The HWP interrupts are useful for debugging and tuning - performance (if the kernel can handle them). -The native handling of thermal interrupts needs to be enabled -because of that. - -This requires some way to tell SMM that the OS can handle thermal -interrupts. That can be done by using _OSC/_PDC in processor -scope very early during ACPI initialization. - -The meaning of _OSC/_PDC bit 12 in processor scope is whether or -not the OS supports native handling of interrupts for Collaborative -Processor Performance Control (CPPC) notifications. Since on -HWP-capable systems CPPC is a firmware interface to HWP, setting -this bit effectively tells the firmware that the OS will handle -thermal interrupts natively going forward. - -For details on _OSC/_PDC refer to: -http://www.intel.com/content/www/us/en/standards/processor-vendor-specific-acpi-specification.html - -To implement the _OSC/_PDC handshake as described, introduce a new -function, acpi_early_processor_osc(), that walks the ACPI -namespace looking for ACPI processor objects and invokes _OSC for -them with bit 12 in the capabilities buffer set and terminates the -namespace walk on the first success. - -Also modify intel_thermal_interrupt() to clear HWP status bits in -the HWP_STATUS MSR to acknowledge HWP interrupts (which prevents -them from firing continuously). - -Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> -[ rjw: Subject & changelog, function rename ] -Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> ---- - arch/x86/kernel/cpu/mcheck/therm_throt.c | 3 ++ - drivers/acpi/acpi_processor.c | 52 ++++++++++++++++++++++++++++++++ - drivers/acpi/bus.c | 3 ++ - drivers/acpi/internal.h | 6 ++++ - 4 files changed, 64 insertions(+) - -diff --git a/arch/x86/kernel/cpu/mcheck/therm_throt.c b/arch/x86/kernel/cpu/mcheck/therm_throt.c -index 2c5aaf8..0553858 100644 ---- a/arch/x86/kernel/cpu/mcheck/therm_throt.c -+++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c -@@ -385,6 +385,9 @@ static void intel_thermal_interrupt(void) - { - __u64 msr_val; - -+ if (static_cpu_has(X86_FEATURE_HWP)) -+ wrmsrl_safe(MSR_HWP_STATUS, 0); -+ - rdmsrl(MSR_IA32_THERM_STATUS, msr_val); - - /* Check for violation of core thermal thresholds*/ -diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c -index b5e54f2..0d92d0f 100644 ---- a/drivers/acpi/acpi_processor.c -+++ b/drivers/acpi/acpi_processor.c -@@ -491,6 +491,58 @@ static void acpi_processor_remove(struct acpi_device *device) - } - #endif /* CONFIG_ACPI_HOTPLUG_CPU */ - -+#ifdef CONFIG_X86 -+static bool acpi_hwp_native_thermal_lvt_set; -+static acpi_status __init acpi_hwp_native_thermal_lvt_osc(acpi_handle handle, -+ u32 lvl, -+ void *context, -+ void **rv) -+{ -+ u8 sb_uuid_str[] = "4077A616-290C-47BE-9EBD-D87058713953"; -+ u32 capbuf[2]; -+ struct acpi_osc_context osc_context = { -+ .uuid_str = sb_uuid_str, -+ .rev = 1, -+ .cap.length = 8, -+ .cap.pointer = capbuf, -+ }; -+ -+ if (acpi_hwp_native_thermal_lvt_set) -+ return AE_CTRL_TERMINATE; -+ -+ capbuf[0] = 0x0000; -+ capbuf[1] = 0x1000; /* set bit 12 */ -+ -+ if (ACPI_SUCCESS(acpi_run_osc(handle, &osc_context))) { -+ if (osc_context.ret.pointer && osc_context.ret.length > 1) { -+ u32 *capbuf_ret = osc_context.ret.pointer; -+ -+ if (capbuf_ret[1] & 0x1000) { -+ acpi_handle_info(handle, -+ "_OSC native thermal LVT Acked\n"); -+ acpi_hwp_native_thermal_lvt_set = true; -+ } -+ } -+ kfree(osc_context.ret.pointer); -+ } -+ -+ return AE_OK; -+} -+ -+void __init acpi_early_processor_osc(void) -+{ -+ if (boot_cpu_has(X86_FEATURE_HWP)) { -+ acpi_walk_namespace(ACPI_TYPE_PROCESSOR, ACPI_ROOT_OBJECT, -+ ACPI_UINT32_MAX, -+ acpi_hwp_native_thermal_lvt_osc, -+ NULL, NULL, NULL); -+ acpi_get_devices(ACPI_PROCESSOR_DEVICE_HID, -+ acpi_hwp_native_thermal_lvt_osc, -+ NULL, NULL); -+ } -+} -+#endif -+ - /* - * The following ACPI IDs are known to be suitable for representing as - * processor devices. -diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c -index 891c42d..f9081b7 100644 ---- a/drivers/acpi/bus.c -+++ b/drivers/acpi/bus.c -@@ -1005,6 +1005,9 @@ static int __init acpi_bus_init(void) - goto error1; - } - -+ /* Set capability bits for _OSC under processor scope */ -+ acpi_early_processor_osc(); -+ - /* - * _OSC method may exist in module level code, - * so it must be run after ACPI_FULL_INITIALIZATION -diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h -index 1e6833a..6f41c73 100644 ---- a/drivers/acpi/internal.h -+++ b/drivers/acpi/internal.h -@@ -138,6 +138,12 @@ void acpi_early_processor_set_pdc(void); - static inline void acpi_early_processor_set_pdc(void) {} - #endif - -+#ifdef CONFIG_X86 -+void acpi_early_processor_osc(void); -+#else -+static inline void acpi_early_processor_osc(void) {} -+#endif -+ - /* -------------------------------------------------------------------------- - Embedded Controller - -------------------------------------------------------------------------- */ --- -2.5.5 - diff --git a/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch b/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch deleted file mode 100644 index d26c5d52d..000000000 --- a/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 88fd0f33c3cc5aa6a26f56902241941ac717e9f8 Mon Sep 17 00:00:00 2001 -From: Peter Robinson <pbrobinson@gmail.com> -Date: Wed, 27 Apr 2016 13:44:05 +0100 -Subject: [PATCH] gpu: ipu-v3: Fix imx-ipuv3-crtc module autoloading - ---- - drivers/gpu/ipu-v3/ipu-common.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c -index e00db3f..abb98c7 100644 ---- a/drivers/gpu/ipu-v3/ipu-common.c -+++ b/drivers/gpu/ipu-v3/ipu-common.c -@@ -1068,7 +1068,6 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base) - goto err_register; - } - -- pdev->dev.of_node = of_node; - pdev->dev.parent = dev; - - ret = platform_device_add_data(pdev, ®->pdata, -@@ -1079,6 +1078,12 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base) - platform_device_put(pdev); - goto err_register; - } -+ -+ /* -+ * Set of_node only after calling platform_device_add. Otherwise -+ * the platform:imx-ipuv3-crtc modalias won't be used. -+ */ -+ pdev->dev.of_node = of_node; - } - - return 0; --- -2.7.4 - diff --git a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch new file mode 100644 index 000000000..3eb8bf183 --- /dev/null +++ b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch @@ -0,0 +1,33 @@ +From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:44:07 -0400 +Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “tread” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index 6469bedda2f3..964f5ebf495e 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file, + if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { + if (tu->tread) { + struct snd_timer_tread tread; ++ memset(&tread, 0, sizeof(tread)); + tread.event = SNDRV_TIMER_EVENT_EARLY; + tread.tstamp.tv_sec = 0; + tread.tstamp.tv_nsec = 0; +-- +2.5.5 + diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch new file mode 100644 index 000000000..e6f46f8a8 --- /dev/null +++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch @@ -0,0 +1,34 @@ +From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:44:20 -0400 +Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via + snd_timer_user_ccallback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index 964f5ebf495e..e98fa5feb731 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri, + tu->tstamp = *tstamp; + if ((tu->filter & (1 << event)) == 0 || !tu->tread) + return; ++ memset(&r1, 0, sizeof(r1)); + r1.event = event; + r1.tstamp = *tstamp; + r1.val = resolution; +-- +2.5.5 + diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch new file mode 100644 index 000000000..7851c55a2 --- /dev/null +++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch @@ -0,0 +1,34 @@ +From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:44:32 -0400 +Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via + snd_timer_user_tinterrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index e98fa5feb731..c69a27155433 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri, + } + if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && + tu->last_resolution != resolution) { ++ memset(&r1, 0, sizeof(r1)); + r1.event = SNDRV_TIMER_EVENT_RESOLUTION; + r1.tstamp = tstamp; + r1.val = resolution; +-- +2.5.5 + diff --git a/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch b/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch new file mode 100644 index 000000000..957de0977 --- /dev/null +++ b/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch @@ -0,0 +1,91 @@ +From 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Tue, 23 Feb 2016 11:03:12 +0000 +Subject: [PATCH] KEYS: Fix ASN.1 indefinite length object parsing + +This fixes CVE-2016-0758. + +In the ASN.1 decoder, when the length field of an ASN.1 value is extracted, +it isn't validated against the remaining amount of data before being added +to the cursor. With a sufficiently large size indicated, the check: + + datalen - dp < 2 + +may then fail due to integer overflow. + +Fix this by checking the length indicated against the amount of remaining +data in both places a definite length is determined. + +Whilst we're at it, make the following changes: + + (1) Check the maximum size of extended length does not exceed the capacity + of the variable it's being stored in (len) rather than the type that + variable is assumed to be (size_t). + + (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the + integer 0. + + (3) To reduce confusion, move the initialisation of len outside of: + + for (len = 0; n > 0; n--) { + + since it doesn't have anything to do with the loop counter n. + +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com> +Acked-by: David Woodhouse <David.Woodhouse@intel.com> +Acked-by: Peter Jones <pjones@redhat.com> +--- + lib/asn1_decoder.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c +index 2b3f46c049d4..554522934c44 100644 +--- a/lib/asn1_decoder.c ++++ b/lib/asn1_decoder.c +@@ -74,7 +74,7 @@ next_tag: + + /* Extract a tag from the data */ + tag = data[dp++]; +- if (tag == 0) { ++ if (tag == ASN1_EOC) { + /* It appears to be an EOC. */ + if (data[dp++] != 0) + goto invalid_eoc; +@@ -96,10 +96,8 @@ next_tag: + + /* Extract the length */ + len = data[dp++]; +- if (len <= 0x7f) { +- dp += len; +- goto next_tag; +- } ++ if (len <= 0x7f) ++ goto check_length; + + if (unlikely(len == ASN1_INDEFINITE_LENGTH)) { + /* Indefinite length */ +@@ -110,14 +108,18 @@ next_tag: + } + + n = len - 0x80; +- if (unlikely(n > sizeof(size_t) - 1)) ++ if (unlikely(n > sizeof(len) - 1)) + goto length_too_long; + if (unlikely(n > datalen - dp)) + goto data_overrun_error; +- for (len = 0; n > 0; n--) { ++ len = 0; ++ for (; n > 0; n--) { + len <<= 8; + len |= data[dp++]; + } ++check_length: ++ if (len > datalen - dp) ++ goto data_overrun_error; + dp += len; + goto next_tag; + +-- +2.5.5 + diff --git a/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch b/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch new file mode 100644 index 000000000..3ba32bae7 --- /dev/null +++ b/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch @@ -0,0 +1,46 @@ +From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001 +From: Jann Horn <jannh@google.com> +Date: Tue, 26 Apr 2016 22:26:26 +0200 +Subject: [PATCH] bpf: fix double-fdput in replace_map_fd_with_map_ptr() + +When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode +references a non-map file descriptor as a map file descriptor, the error +handling code called fdput() twice instead of once (in __bpf_map_get() and +in replace_map_fd_with_map_ptr()). If the file descriptor table of the +current task is shared, this causes f_count to be decremented too much, +allowing the struct file to be freed while it is still in use +(use-after-free). This can be exploited to gain root privileges by an +unprivileged user. + +This bug was introduced in +commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only +exploitable since +commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because +previously, CAP_SYS_ADMIN was required to reach the vulnerable code. + +(posted publicly according to request by maintainer) + +Signed-off-by: Jann Horn <jannh@google.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Acked-by: Alexei Starovoitov <ast@kernel.org> +Acked-by: Daniel Borkmann <daniel@iogearbox.net> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + kernel/bpf/verifier.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 618ef77c302a..db2574e7b8b0 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) + if (IS_ERR(map)) { + verbose("fd %d is not pointing to valid bpf_map\n", + insn->imm); +- fdput(f); + return PTR_ERR(map); + } + +-- +2.5.5 + diff --git a/bpf-fix-refcnt-overflow.patch b/bpf-fix-refcnt-overflow.patch new file mode 100644 index 000000000..1143c8286 --- /dev/null +++ b/bpf-fix-refcnt-overflow.patch @@ -0,0 +1,158 @@ +From 86db8dac9286f8397434184a6b442b6419e54ec0 Mon Sep 17 00:00:00 2001 +From: Alexei Starovoitov <ast@fb.com> +Date: Wed, 27 Apr 2016 18:56:20 -0700 +Subject: [PATCH] bpf: fix refcnt overflow + +On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK, +the malicious application may overflow 32-bit bpf program refcnt. +It's also possible to overflow map refcnt on 1Tb system. +Impose 32k hard limit which means that the same bpf program or +map cannot be shared by more than 32k processes. + +Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs") +Reported-by: Jann Horn <jannh@google.com> +Signed-off-by: Alexei Starovoitov <ast@kernel.org> +Acked-by: Daniel Borkmann <daniel@iogearbox.net> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + include/linux/bpf.h | 3 ++- + kernel/bpf/inode.c | 7 ++++--- + kernel/bpf/syscall.c | 24 ++++++++++++++++++++---- + kernel/bpf/verifier.c | 11 +++++++---- + 4 files changed, 33 insertions(+), 12 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 83d1926c61e4..67bc2da5d233 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_prog_type_list *tl); + void bpf_register_map_type(struct bpf_map_type_list *tl); + + struct bpf_prog *bpf_prog_get(u32 ufd); ++struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog); + void bpf_prog_put(struct bpf_prog *prog); + void bpf_prog_put_rcu(struct bpf_prog *prog); + + struct bpf_map *bpf_map_get_with_uref(u32 ufd); + struct bpf_map *__bpf_map_get(struct fd f); +-void bpf_map_inc(struct bpf_map *map, bool uref); ++struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref); + void bpf_map_put_with_uref(struct bpf_map *map); + void bpf_map_put(struct bpf_map *map); + +diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c +index 5a8a797d50b7..d1a7646f79c5 100644 +--- a/kernel/bpf/inode.c ++++ b/kernel/bpf/inode.c +@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum bpf_type type) + { + switch (type) { + case BPF_TYPE_PROG: +- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt); ++ raw = bpf_prog_inc(raw); + break; + case BPF_TYPE_MAP: +- bpf_map_inc(raw, true); ++ raw = bpf_map_inc(raw, true); + break; + default: + WARN_ON_ONCE(1); +@@ -277,7 +277,8 @@ static void *bpf_obj_do_get(const struct filename *pathname, + goto out; + + raw = bpf_any_get(inode->i_private, *type); +- touch_atime(&path); ++ if (!IS_ERR(raw)) ++ touch_atime(&path); + + path_put(&path); + return raw; +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 3b39550d8485..4e32cc94edd9 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -181,11 +181,18 @@ struct bpf_map *__bpf_map_get(struct fd f) + return f.file->private_data; + } + +-void bpf_map_inc(struct bpf_map *map, bool uref) ++/* prog's and map's refcnt limit */ ++#define BPF_MAX_REFCNT 32768 ++ ++struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref) + { +- atomic_inc(&map->refcnt); ++ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) { ++ atomic_dec(&map->refcnt); ++ return ERR_PTR(-EBUSY); ++ } + if (uref) + atomic_inc(&map->usercnt); ++ return map; + } + + struct bpf_map *bpf_map_get_with_uref(u32 ufd) +@@ -197,7 +204,7 @@ struct bpf_map *bpf_map_get_with_uref(u32 ufd) + if (IS_ERR(map)) + return map; + +- bpf_map_inc(map, true); ++ map = bpf_map_inc(map, true); + fdput(f); + + return map; +@@ -580,6 +587,15 @@ static struct bpf_prog *__bpf_prog_get(struct fd f) + return f.file->private_data; + } + ++struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog) ++{ ++ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) { ++ atomic_dec(&prog->aux->refcnt); ++ return ERR_PTR(-EBUSY); ++ } ++ return prog; ++} ++ + /* called by sockets/tracing/seccomp before attaching program to an event + * pairs with bpf_prog_put() + */ +@@ -592,7 +608,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd) + if (IS_ERR(prog)) + return prog; + +- atomic_inc(&prog->aux->refcnt); ++ prog = bpf_prog_inc(prog); + fdput(f); + + return prog; +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 2e7f7ab739e4..060e4c4c37ea 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2023,15 +2023,18 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) + return -E2BIG; + } + +- /* remember this map */ +- env->used_maps[env->used_map_cnt++] = map; +- + /* hold the map. If the program is rejected by verifier, + * the map will be released by release_maps() or it + * will be used by the valid program until it's unloaded + * and all maps are released in free_bpf_prog_info() + */ +- bpf_map_inc(map, false); ++ map = bpf_map_inc(map, false); ++ if (IS_ERR(map)) { ++ fdput(f); ++ return PTR_ERR(map); ++ } ++ env->used_maps[env->used_map_cnt++] = map; ++ + fdput(f); + next_insn: + insn++; +-- +2.5.5 + diff --git a/kernel.spec b/kernel.spec index 4134f18c9..683f3187d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -521,8 +521,6 @@ Patch05: kbuild-AFTER_LINK.patch Patch451: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch -Patch452: 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch - Patch454: arm64-avoid-needing-console-to-enable-serial-console.patch Patch456: arm64-acpi-drop-expert-patch.patch @@ -651,9 +649,6 @@ Patch690: x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch #CVE-2016-3951 rhbz 1324782 1324815 Patch695: cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch -#rhbz 1309980 -Patch698: 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch - #rhbz 1309487 Patch701: antenna_select.patch @@ -670,8 +665,17 @@ Patch705: USB-usbfs-fix-potential-infoleak-in-devio.patch Patch706: net-fix-infoleak-in-llc.patch Patch707: net-fix-infoleak-in-rtnetlink.patch -#CVE-2016-xxxx rhbz 1333712 1333713 -Patch708: propogate_mnt-Handle-the-first-propogated-copy-being.patch +#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311 +Patch711: bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch +Patch712: bpf-fix-refcnt-overflow.patch + +#CVE-2016-4569 rhbz 1334643 1334645 +Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch +Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch +Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch + +#CVE-2016-0758 rhbz 1300257 1335386 +Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch # END OF PATCH DEFINITIONS %endif @@ -1246,8 +1250,6 @@ ApplyPatch arm64-avoid-needing-console-to-enable-serial-console.patch ApplyPatch arm64-acpi-drop-expert-patch.patch -ApplyPatch 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch - ApplyPatch ARM-tegra-usb-no-reset.patch ApplyPatch mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch @@ -1372,9 +1374,6 @@ ApplyPatch x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch #CVE-2016-3951 rhbz 1324782 1324815 ApplyPatch cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch -#rhbz 1309980 -ApplyPatch 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch - #rhbz 1309487 ApplyPatch antenna_select.patch @@ -1388,8 +1387,17 @@ ApplyPatch USB-usbfs-fix-potential-infoleak-in-devio.patch ApplyPatch net-fix-infoleak-in-llc.patch ApplyPatch net-fix-infoleak-in-rtnetlink.patch -#CVE-2016-xxxx rhbz 1333712 1333713 -ApplyPatch propogate_mnt-Handle-the-first-propogated-copy-being.patch +#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311 +ApplyPatch bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch +ApplyPatch bpf-fix-refcnt-overflow.patch + +#CVE-2016-4569 rhbz 1334643 1334645 +ApplyPatch ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch +ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch +ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch + +#CVE-2016-0758 rhbz 1300257 1335386 +ApplyPatch KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch # END OF PATCH APPLICATIONS @@ -2240,6 +2248,19 @@ fi # # %changelog +* Fri May 13 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.10-200 +- Linux v4.4.10 + +* Fri May 13 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-0758 pointer corruption in asn1 decoder (rhbz 1300257 1335386) + +* Tue May 10 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-4569 info leak in sound module (rhbz 1334643 1334645) + +* Mon May 09 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-4557 bpf: Use after free vulnerability via double fdput + CVE-2016-4558 bpf: refcnt overflow (rhbz 1334307 1334303 1334311) + * Fri May 06 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.9-200 - Linux v4.4.9 diff --git a/propogate_mnt-Handle-the-first-propogated-copy-being.patch b/propogate_mnt-Handle-the-first-propogated-copy-being.patch deleted file mode 100644 index b3ae53c5a..000000000 --- a/propogate_mnt-Handle-the-first-propogated-copy-being.patch +++ /dev/null @@ -1,146 +0,0 @@ -From 27844237d77df76c816034a78178b23c070eef88 Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" <ebiederm@xmission.com> -Date: Thu, 5 May 2016 09:29:29 -0500 -Subject: [PATCH] propogate_mnt: Handle the first propogated copy being a slave - -When the first propgated copy was a slave the following oops would result: -> BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 -> IP: [<ffffffff811fba4e>] propagate_one+0xbe/0x1c0 -> PGD bacd4067 PUD bac66067 PMD 0 -> Oops: 0000 [#1] SMP -> Modules linked in: -> CPU: 1 PID: 824 Comm: mount Not tainted 4.6.0-rc5userns+ #1523 -> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 -> task: ffff8800bb0a8000 ti: ffff8800bac3c000 task.ti: ffff8800bac3c000 -> RIP: 0010:[<ffffffff811fba4e>] [<ffffffff811fba4e>] propagate_one+0xbe/0x1c0 -> RSP: 0018:ffff8800bac3fd38 EFLAGS: 00010283 -> RAX: 0000000000000000 RBX: ffff8800bb77ec00 RCX: 0000000000000010 -> RDX: 0000000000000000 RSI: ffff8800bb58c000 RDI: ffff8800bb58c480 -> RBP: ffff8800bac3fd48 R08: 0000000000000001 R09: 0000000000000000 -> R10: 0000000000001ca1 R11: 0000000000001c9d R12: 0000000000000000 -> R13: ffff8800ba713800 R14: ffff8800bac3fda0 R15: ffff8800bb77ec00 -> FS: 00007f3c0cd9b7e0(0000) GS:ffff8800bfb00000(0000) knlGS:0000000000000000 -> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -> CR2: 0000000000000010 CR3: 00000000bb79d000 CR4: 00000000000006e0 -> Stack: -> ffff8800bb77ec00 0000000000000000 ffff8800bac3fd88 ffffffff811fbf85 -> ffff8800bac3fd98 ffff8800bb77f080 ffff8800ba713800 ffff8800bb262b40 -> 0000000000000000 0000000000000000 ffff8800bac3fdd8 ffffffff811f1da0 -> Call Trace: -> [<ffffffff811fbf85>] propagate_mnt+0x105/0x140 -> [<ffffffff811f1da0>] attach_recursive_mnt+0x120/0x1e0 -> [<ffffffff811f1ec3>] graft_tree+0x63/0x70 -> [<ffffffff811f1f6b>] do_add_mount+0x9b/0x100 -> [<ffffffff811f2c1a>] do_mount+0x2aa/0xdf0 -> [<ffffffff8117efbe>] ? strndup_user+0x4e/0x70 -> [<ffffffff811f3a45>] SyS_mount+0x75/0xc0 -> [<ffffffff8100242b>] do_syscall_64+0x4b/0xa0 -> [<ffffffff81988f3c>] entry_SYSCALL64_slow_path+0x25/0x25 -> Code: 00 00 75 ec 48 89 0d 02 22 22 01 8b 89 10 01 00 00 48 89 05 fd 21 22 01 39 8e 10 01 00 00 0f 84 e0 00 00 00 48 8b 80 d8 00 00 00 <48> 8b 50 10 48 89 05 df 21 22 01 48 89 15 d0 21 22 01 8b 53 30 -> RIP [<ffffffff811fba4e>] propagate_one+0xbe/0x1c0 -> RSP <ffff8800bac3fd38> -> CR2: 0000000000000010 -> ---[ end trace 2725ecd95164f217 ]--- - -This oops happens with the namespace_sem held and can be triggered by -non-root users. An all around not pleasant experience. - -To avoid this scenario when finding the appropriate source mount to -copy stop the walk up the mnt_master chain when the first source mount -is encountered. - -Further rewrite the walk up the last_source mnt_master chain so that -it is clear what is going on. - -The reason why the first source mount is special is that it it's -mnt_parent is not a mount in the dest_mnt propagation tree, and as -such termination conditions based up on the dest_mnt mount propgation -tree do not make sense. - -To avoid other kinds of confusion last_dest is not changed when -computing last_source. last_dest is only used once in propagate_one -and that is above the point of the code being modified, so changing -the global variable is meaningless and confusing. - -Cc: stable@vger.kernel.org -fixes: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 ("smarter propagate_mnt()") -Reported-by: Tycho Andersen <tycho.andersen@canonical.com> -Reviewed-by: Seth Forshee <seth.forshee@canonical.com> -Tested-by: Seth Forshee <seth.forshee@canonical.com> -Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> - -Backported-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - fs/pnode.c | 32 ++++++++++++++++++++------------ - 1 file changed, 20 insertions(+), 12 deletions(-) - -diff --git a/fs/pnode.c b/fs/pnode.c -index 6367e1e435c6..e7705149d430 100644 ---- a/fs/pnode.c -+++ b/fs/pnode.c -@@ -198,10 +198,15 @@ static struct mount *next_group(struct mount *m, struct mount *origin) - - /* all accesses are serialized by namespace_sem */ - static struct user_namespace *user_ns; --static struct mount *last_dest, *last_source, *dest_master; -+static struct mount *last_dest, *first_source, *last_source, *dest_master; - static struct mountpoint *mp; - static struct hlist_head *list; - -+static inline bool peers(struct mount *m1, struct mount *m2) -+{ -+ return m1->mnt_group_id == m2->mnt_group_id && m1->mnt_group_id; -+} -+ - static int propagate_one(struct mount *m) - { - struct mount *child; -@@ -212,24 +217,26 @@ static int propagate_one(struct mount *m) - /* skip if mountpoint isn't covered by it */ - if (!is_subdir(mp->m_dentry, m->mnt.mnt_root)) - return 0; -- if (m->mnt_group_id == last_dest->mnt_group_id) { -+ if (peers(m,last_dest)) { - type = CL_MAKE_SHARED; - } else { - struct mount *n, *p; -+ bool done; - for (n = m; ; n = p) { - p = n->mnt_master; -- if (p == dest_master || IS_MNT_MARKED(p)) { -- while (last_dest->mnt_master != p) { -- last_source = last_source->mnt_master; -- last_dest = last_source->mnt_parent; -- } -- if (n->mnt_group_id != last_dest->mnt_group_id) { -- last_source = last_source->mnt_master; -- last_dest = last_source->mnt_parent; -- } -+ if (p == dest_master || IS_MNT_MARKED(p)) - break; -- } - } -+ do { -+ struct mount *parent = last_source->mnt_parent; -+ if (last_source == first_source) -+ break; -+ done = parent->mnt_master == p; -+ if (done && peers(n, parent)) -+ break; -+ last_source = last_source->mnt_master; -+ } while (!done); -+ - type = CL_SLAVE; - /* beginning of peer group among the slaves? */ - if (IS_MNT_SHARED(m)) -@@ -281,6 +288,7 @@ int propagate_mnt(struct mount *dest_mnt, struct mountpoint *dest_mp, - */ - user_ns = current->nsproxy->mnt_ns->user_ns; - last_dest = dest_mnt; -+ first_source = source_mnt; - last_source = source_mnt; - mp = dest_mp; - list = tree_list; --- -2.5.5 - @@ -1,3 +1,3 @@ 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -b0c445b438e7563f2e33dba9edc926eb patch-4.4.9.xz +1b9a296c0d0b778e8173299618f2d84f patch-4.4.10.xz |