diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-24 07:52:43 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-24 07:52:43 +0200 |
commit | 6e0ff2ec8c1e2b43c167b73d87348d926eeab873 (patch) | |
tree | 769dc84a3849114b3d783c10d7176eb00022b4b0 | |
parent | 330729087d5d9b082d7b1d30ed57497ccb38ba0c (diff) | |
parent | 8f427dedef4e5cbd18d5557deaa812bfafc6c9f7 (diff) | |
download | kernel-6e0ff2ec8c1e2b43c167b73d87348d926eeab873.tar.gz kernel-6e0ff2ec8c1e2b43c167b73d87348d926eeab873.tar.xz kernel-6e0ff2ec8c1e2b43c167b73d87348d926eeab873.zip |
Merge remote-tracking branch 'origin/f22' into f22-user-thl-vanilla-fedorakernel-4.4.11-200.vanilla.knurd.1.fc22
-rw-r--r-- | KVM-MTRR-remove-MSR-0x2f8.patch | 49 | ||||
-rw-r--r-- | bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch | 46 | ||||
-rw-r--r-- | bpf-fix-refcnt-overflow.patch | 158 | ||||
-rw-r--r-- | ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch | 40 | ||||
-rw-r--r-- | kernel.spec | 49 | ||||
-rw-r--r-- | net-fix-infoleak-in-llc.patch | 32 | ||||
-rw-r--r-- | net-fix-infoleak-in-rtnetlink.patch | 50 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | tipc-check-nl-sock-before-parsing-nested-attributes.patch | 36 |
9 files changed, 112 insertions, 350 deletions
diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch new file mode 100644 index 000000000..8066b2e8f --- /dev/null +++ b/KVM-MTRR-remove-MSR-0x2f8.patch @@ -0,0 +1,49 @@ +From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com> +Date: Mon, 16 May 2016 09:45:35 -0400 +Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support +was introduced by 9ba075a664df ("KVM: MTRR support"). + +0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the +size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8, +which made access to index 124 out of bounds. The surrounding code only +WARNs in this situation, thus the guest gained a limited read/write +access to struct kvm_arch_vcpu. + +0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR +MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8 +was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was +not implemented in KVM, therefore 0x2f8 could never do anything useful +and getting rid of it is safe. + +This fixes CVE-2016-TBD. + +Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") +Cc: stable@vger.kernel.org +Reported-by: David Matlack <dmatlack@google.com> +Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> +--- + arch/x86/kvm/mtrr.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c +index 3f8c732117ec..c146f3c262c3 100644 +--- a/arch/x86/kvm/mtrr.c ++++ b/arch/x86/kvm/mtrr.c +@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr) + case MSR_MTRRdefType: + case MSR_IA32_CR_PAT: + return true; +- case 0x2f8: +- return true; + } + return false; + } +-- +2.5.5 + diff --git a/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch b/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch deleted file mode 100644 index 3ba32bae7..000000000 --- a/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001 -From: Jann Horn <jannh@google.com> -Date: Tue, 26 Apr 2016 22:26:26 +0200 -Subject: [PATCH] bpf: fix double-fdput in replace_map_fd_with_map_ptr() - -When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode -references a non-map file descriptor as a map file descriptor, the error -handling code called fdput() twice instead of once (in __bpf_map_get() and -in replace_map_fd_with_map_ptr()). If the file descriptor table of the -current task is shared, this causes f_count to be decremented too much, -allowing the struct file to be freed while it is still in use -(use-after-free). This can be exploited to gain root privileges by an -unprivileged user. - -This bug was introduced in -commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only -exploitable since -commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because -previously, CAP_SYS_ADMIN was required to reach the vulnerable code. - -(posted publicly according to request by maintainer) - -Signed-off-by: Jann Horn <jannh@google.com> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Acked-by: Alexei Starovoitov <ast@kernel.org> -Acked-by: Daniel Borkmann <daniel@iogearbox.net> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - kernel/bpf/verifier.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 618ef77c302a..db2574e7b8b0 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) - if (IS_ERR(map)) { - verbose("fd %d is not pointing to valid bpf_map\n", - insn->imm); -- fdput(f); - return PTR_ERR(map); - } - --- -2.5.5 - diff --git a/bpf-fix-refcnt-overflow.patch b/bpf-fix-refcnt-overflow.patch deleted file mode 100644 index 1143c8286..000000000 --- a/bpf-fix-refcnt-overflow.patch +++ /dev/null @@ -1,158 +0,0 @@ -From 86db8dac9286f8397434184a6b442b6419e54ec0 Mon Sep 17 00:00:00 2001 -From: Alexei Starovoitov <ast@fb.com> -Date: Wed, 27 Apr 2016 18:56:20 -0700 -Subject: [PATCH] bpf: fix refcnt overflow - -On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK, -the malicious application may overflow 32-bit bpf program refcnt. -It's also possible to overflow map refcnt on 1Tb system. -Impose 32k hard limit which means that the same bpf program or -map cannot be shared by more than 32k processes. - -Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs") -Reported-by: Jann Horn <jannh@google.com> -Signed-off-by: Alexei Starovoitov <ast@kernel.org> -Acked-by: Daniel Borkmann <daniel@iogearbox.net> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - include/linux/bpf.h | 3 ++- - kernel/bpf/inode.c | 7 ++++--- - kernel/bpf/syscall.c | 24 ++++++++++++++++++++---- - kernel/bpf/verifier.c | 11 +++++++---- - 4 files changed, 33 insertions(+), 12 deletions(-) - -diff --git a/include/linux/bpf.h b/include/linux/bpf.h -index 83d1926c61e4..67bc2da5d233 100644 ---- a/include/linux/bpf.h -+++ b/include/linux/bpf.h -@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_prog_type_list *tl); - void bpf_register_map_type(struct bpf_map_type_list *tl); - - struct bpf_prog *bpf_prog_get(u32 ufd); -+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog); - void bpf_prog_put(struct bpf_prog *prog); - void bpf_prog_put_rcu(struct bpf_prog *prog); - - struct bpf_map *bpf_map_get_with_uref(u32 ufd); - struct bpf_map *__bpf_map_get(struct fd f); --void bpf_map_inc(struct bpf_map *map, bool uref); -+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref); - void bpf_map_put_with_uref(struct bpf_map *map); - void bpf_map_put(struct bpf_map *map); - -diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c -index 5a8a797d50b7..d1a7646f79c5 100644 ---- a/kernel/bpf/inode.c -+++ b/kernel/bpf/inode.c -@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum bpf_type type) - { - switch (type) { - case BPF_TYPE_PROG: -- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt); -+ raw = bpf_prog_inc(raw); - break; - case BPF_TYPE_MAP: -- bpf_map_inc(raw, true); -+ raw = bpf_map_inc(raw, true); - break; - default: - WARN_ON_ONCE(1); -@@ -277,7 +277,8 @@ static void *bpf_obj_do_get(const struct filename *pathname, - goto out; - - raw = bpf_any_get(inode->i_private, *type); -- touch_atime(&path); -+ if (!IS_ERR(raw)) -+ touch_atime(&path); - - path_put(&path); - return raw; -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 3b39550d8485..4e32cc94edd9 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -181,11 +181,18 @@ struct bpf_map *__bpf_map_get(struct fd f) - return f.file->private_data; - } - --void bpf_map_inc(struct bpf_map *map, bool uref) -+/* prog's and map's refcnt limit */ -+#define BPF_MAX_REFCNT 32768 -+ -+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref) - { -- atomic_inc(&map->refcnt); -+ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) { -+ atomic_dec(&map->refcnt); -+ return ERR_PTR(-EBUSY); -+ } - if (uref) - atomic_inc(&map->usercnt); -+ return map; - } - - struct bpf_map *bpf_map_get_with_uref(u32 ufd) -@@ -197,7 +204,7 @@ struct bpf_map *bpf_map_get_with_uref(u32 ufd) - if (IS_ERR(map)) - return map; - -- bpf_map_inc(map, true); -+ map = bpf_map_inc(map, true); - fdput(f); - - return map; -@@ -580,6 +587,15 @@ static struct bpf_prog *__bpf_prog_get(struct fd f) - return f.file->private_data; - } - -+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog) -+{ -+ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) { -+ atomic_dec(&prog->aux->refcnt); -+ return ERR_PTR(-EBUSY); -+ } -+ return prog; -+} -+ - /* called by sockets/tracing/seccomp before attaching program to an event - * pairs with bpf_prog_put() - */ -@@ -592,7 +608,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd) - if (IS_ERR(prog)) - return prog; - -- atomic_inc(&prog->aux->refcnt); -+ prog = bpf_prog_inc(prog); - fdput(f); - - return prog; -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 2e7f7ab739e4..060e4c4c37ea 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2023,15 +2023,18 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) - return -E2BIG; - } - -- /* remember this map */ -- env->used_maps[env->used_map_cnt++] = map; -- - /* hold the map. If the program is rejected by verifier, - * the map will be released by release_maps() or it - * will be used by the valid program until it's unloaded - * and all maps are released in free_bpf_prog_info() - */ -- bpf_map_inc(map, false); -+ map = bpf_map_inc(map, false); -+ if (IS_ERR(map)) { -+ fdput(f); -+ return PTR_ERR(map); -+ } -+ env->used_maps[env->used_map_cnt++] = map; -+ - fdput(f); - next_insn: - insn++; --- -2.5.5 - diff --git a/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch b/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch deleted file mode 100644 index 9e4cf4e0e..000000000 --- a/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 9f79323a0aebccb9915ab8f4b7dcf531578b9cf9 Mon Sep 17 00:00:00 2001 -From: Paolo Abeni <pabeni@redhat.com> -Date: Thu, 21 Apr 2016 20:23:31 -0400 -Subject: [PATCH] ipv4/fib: don't warn when primary address is missing if - in_dev is dead - -After commit fbd40ea0180a ("ipv4: Don't do expensive useless work -during inetdev destroy.") when deleting an interface, -fib_del_ifaddr() can be executed without any primary address -present on the dead interface. - -The above is safe, but triggers some "bug: prim == NULL" warnings. - -This commit avoids warning if the in_dev is dead - -Signed-off-by: Paolo Abeni <pabeni@redhat.com> ---- - net/ipv4/fib_frontend.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c -index 8a9246deccfe..63566ec54794 100644 ---- a/net/ipv4/fib_frontend.c -+++ b/net/ipv4/fib_frontend.c -@@ -904,7 +904,11 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) - if (ifa->ifa_flags & IFA_F_SECONDARY) { - prim = inet_ifa_byprefix(in_dev, any, ifa->ifa_mask); - if (!prim) { -- pr_warn("%s: bug: prim == NULL\n", __func__); -+ /* if the device has been deleted, we don't perform -+ * address promotion -+ */ -+ if (!in_dev->dead) -+ pr_warn("%s: bug: prim == NULL\n", __func__); - return; - } - if (iprim && iprim != prim) { --- -2.5.5 - diff --git a/kernel.spec b/kernel.spec index 683f3187d..764f477c9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 10 +%define stable_update 11 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -652,23 +652,12 @@ Patch695: cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch #rhbz 1309487 Patch701: antenna_select.patch -# Follow on for CVE-2016-3156 -Patch702: ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch - # Stop splashing crap about broken firmware BGRT Patch704: x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch #CVE-2016-4482 rhbz 1332931 1332932 Patch705: USB-usbfs-fix-potential-infoleak-in-devio.patch -#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321 -Patch706: net-fix-infoleak-in-llc.patch -Patch707: net-fix-infoleak-in-rtnetlink.patch - -#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311 -Patch711: bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch -Patch712: bpf-fix-refcnt-overflow.patch - #CVE-2016-4569 rhbz 1334643 1334645 Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch @@ -677,6 +666,12 @@ Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch #CVE-2016-0758 rhbz 1300257 1335386 Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch +#CVE-2016-3713 rhbz 1332139 1336410 +Patch718: KVM-MTRR-remove-MSR-0x2f8.patch + +#CVE-2016-4951 rhbz 1338625 1338626 +Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch + # END OF PATCH DEFINITIONS %endif @@ -1377,20 +1372,9 @@ ApplyPatch cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch #rhbz 1309487 ApplyPatch antenna_select.patch -# Follow on for CVE-2016-3156 -ApplyPatch ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch - #CVE-2016-4482 rhbz 1332931 1332932 ApplyPatch USB-usbfs-fix-potential-infoleak-in-devio.patch -#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321 -ApplyPatch net-fix-infoleak-in-llc.patch -ApplyPatch net-fix-infoleak-in-rtnetlink.patch - -#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311 -ApplyPatch bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch -ApplyPatch bpf-fix-refcnt-overflow.patch - #CVE-2016-4569 rhbz 1334643 1334645 ApplyPatch ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch @@ -1399,6 +1383,12 @@ ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch #CVE-2016-0758 rhbz 1300257 1335386 ApplyPatch KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch +#CVE-2016-3713 rhbz 1332139 1336410 +ApplyPatch KVM-MTRR-remove-MSR-0x2f8.patch + +#CVE-2016-4951 rhbz 1338625 1338626 +ApplyPatch tipc-check-nl-sock-before-parsing-nested-attributes.patch + # END OF PATCH APPLICATIONS %endif @@ -2248,6 +2238,19 @@ fi # # %changelog +* Mon May 23 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.11-200 +- Linux v4.4.11 +- Actually apply one patch + +* Mon May 23 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-4951 null ptr deref in tipc_nl_publ_dump (rhbz 1338625 1338626) + +* Thu May 19 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529) + +* Mon May 16 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410) + * Fri May 13 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.10-200 - Linux v4.4.10 diff --git a/net-fix-infoleak-in-llc.patch b/net-fix-infoleak-in-llc.patch deleted file mode 100644 index 38f0d506a..000000000 --- a/net-fix-infoleak-in-llc.patch +++ /dev/null @@ -1,32 +0,0 @@ -From ec0de35ded8c4a8588290a1b442aa3aa4bdf4de1 Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:35:05 -0400 -Subject: [PATCH 2/2] net: fix infoleak in llc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “info” has a total size of 12 bytes. Its last byte -is padding which is not initialized and leaked via “put_cmsg”. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/llc/af_llc.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c -index b3c52e3f689a..8ae3ed97d95c 100644 ---- a/net/llc/af_llc.c -+++ b/net/llc/af_llc.c -@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb) - if (llc->cmsg_flags & LLC_CMSG_PKTINFO) { - struct llc_pktinfo info; - -+ memset(&info, 0, sizeof(info)); - info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex; - llc_pdu_decode_dsap(skb, &info.lpi_sap); - llc_pdu_decode_da(skb, info.lpi_mac); --- -2.5.5 - diff --git a/net-fix-infoleak-in-rtnetlink.patch b/net-fix-infoleak-in-rtnetlink.patch deleted file mode 100644 index 0da35108d..000000000 --- a/net-fix-infoleak-in-rtnetlink.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 55a8a812d867ec9953bde7d86eef255a1abbf93e Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:46:24 -0400 -Subject: [PATCH 1/2] net: fix infoleak in rtnetlink -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “map” has a total size of 32 bytes. Its last 4 -bytes are padding generated by compiler. These padding bytes are -not initialized and sent out via “nla_put”. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/core/rtnetlink.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index a75f7e94b445..65763c29f845 100644 ---- a/net/core/rtnetlink.c -+++ b/net/core/rtnetlink.c -@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, - - static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev) - { -- struct rtnl_link_ifmap map = { -- .mem_start = dev->mem_start, -- .mem_end = dev->mem_end, -- .base_addr = dev->base_addr, -- .irq = dev->irq, -- .dma = dev->dma, -- .port = dev->if_port, -- }; -+ struct rtnl_link_ifmap map; -+ -+ memset(&map, 0, sizeof(map)); -+ map.mem_start = dev->mem_start; -+ map.mem_end = dev->mem_end; -+ map.base_addr = dev->base_addr; -+ map.irq = dev->irq; -+ map.dma = dev->dma; -+ map.port = dev->if_port; -+ - if (nla_put(skb, IFLA_MAP, sizeof(map), &map)) - return -EMSGSIZE; - --- -2.5.5 - @@ -1,3 +1,3 @@ 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -1b9a296c0d0b778e8173299618f2d84f patch-4.4.10.xz +5c1d328f03aaafb9cf7fdc442468c348 patch-4.4.11.xz diff --git a/tipc-check-nl-sock-before-parsing-nested-attributes.patch b/tipc-check-nl-sock-before-parsing-nested-attributes.patch new file mode 100644 index 000000000..09bfe1485 --- /dev/null +++ b/tipc-check-nl-sock-before-parsing-nested-attributes.patch @@ -0,0 +1,36 @@ +From 45e093ae2830cd1264677d47ff9a95a71f5d9f9c Mon Sep 17 00:00:00 2001 +From: Richard Alpe <richard.alpe@ericsson.com> +Date: Mon, 16 May 2016 11:14:54 +0200 +Subject: [PATCH] tipc: check nl sock before parsing nested attributes + +Make sure the socket for which the user is listing publication exists +before parsing the socket netlink attributes. + +Prior to this patch a call without any socket caused a NULL pointer +dereference in tipc_nl_publ_dump(). + +Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com> +Signed-off-by: Richard Alpe <richard.alpe@ericsson.com> +Acked-by: Jon Maloy <jon.maloy@ericsson.cm> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/tipc/socket.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 12628890c219..3b7a79991d55 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb) + if (err) + return err; + ++ if (!attrs[TIPC_NLA_SOCK]) ++ return -EINVAL; ++ + err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, + attrs[TIPC_NLA_SOCK], + tipc_nl_sock_policy); +-- +2.5.5 + |