diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-14 07:20:46 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-14 07:20:46 +0200 |
commit | f4837bc59b039d61f29c2588f872857a7b7edd6d (patch) | |
tree | 3912e96f509c25717f351d3ee941571a1da410ad | |
parent | 42a6f69432b85dbc22d1fc474f91426efa08f9a4 (diff) | |
parent | 6b8dfd16b6b23067a5f66320709f8f3a8e79c5dc (diff) | |
download | kernel-f4837bc59b039d61f29c2588f872857a7b7edd6d.tar.gz kernel-f4837bc59b039d61f29c2588f872857a7b7edd6d.tar.xz kernel-f4837bc59b039d61f29c2588f872857a7b7edd6d.zip |
Merge remote-tracking branch 'origin/master'kernel-4.6.0-0.rc7.git3.1.vanilla.knurd.1.fc25
-rw-r--r-- | ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch | 33 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch | 34 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch | 34 | ||||
-rw-r--r-- | config-arm-generic | 2 | ||||
-rw-r--r-- | config-armv7-generic | 21 | ||||
-rw-r--r-- | config-generic | 1 | ||||
-rw-r--r-- | config-x86-generic | 4 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | kernel.spec | 26 | ||||
-rw-r--r-- | net-fix-infoleak-in-llc.patch | 32 | ||||
-rw-r--r-- | net-fix-infoleak-in-rtnetlink.patch | 50 | ||||
-rw-r--r-- | sources | 1 |
12 files changed, 147 insertions, 93 deletions
diff --git a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch new file mode 100644 index 000000000..3eb8bf183 --- /dev/null +++ b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch @@ -0,0 +1,33 @@ +From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:44:07 -0400 +Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “tread” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index 6469bedda2f3..964f5ebf495e 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file, + if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { + if (tu->tread) { + struct snd_timer_tread tread; ++ memset(&tread, 0, sizeof(tread)); + tread.event = SNDRV_TIMER_EVENT_EARLY; + tread.tstamp.tv_sec = 0; + tread.tstamp.tv_nsec = 0; +-- +2.5.5 + diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch new file mode 100644 index 000000000..e6f46f8a8 --- /dev/null +++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch @@ -0,0 +1,34 @@ +From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:44:20 -0400 +Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via + snd_timer_user_ccallback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index 964f5ebf495e..e98fa5feb731 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri, + tu->tstamp = *tstamp; + if ((tu->filter & (1 << event)) == 0 || !tu->tread) + return; ++ memset(&r1, 0, sizeof(r1)); + r1.event = event; + r1.tstamp = *tstamp; + r1.val = resolution; +-- +2.5.5 + diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch new file mode 100644 index 000000000..7851c55a2 --- /dev/null +++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch @@ -0,0 +1,34 @@ +From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kangjielu@gmail.com> +Date: Tue, 3 May 2016 16:44:32 -0400 +Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via + snd_timer_user_tinterrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index e98fa5feb731..c69a27155433 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri, + } + if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && + tu->last_resolution != resolution) { ++ memset(&r1, 0, sizeof(r1)); + r1.event = SNDRV_TIMER_EVENT_RESOLUTION; + r1.tstamp = tstamp; + r1.val = resolution; +-- +2.5.5 + diff --git a/config-arm-generic b/config-arm-generic index 98a76fabc..5b03071db 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -198,7 +198,7 @@ CONFIG_OF_NET=y CONFIG_OF_OVERLAY=y CONFIG_OF_PCI_IRQ=m CONFIG_OF_PCI=m -# CONFIG_PCI_HOST_GENERIC is not set +CONFIG_PCI_HOST_GENERIC=y # CONFIG_PCIE_IPROC is not set CONFIG_OF_RESERVED_MEM=y CONFIG_OF_RESOLVE=y diff --git a/config-armv7-generic b/config-armv7-generic index 474409d9b..ed26d946e 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -52,6 +52,7 @@ CONFIG_CPU_SW_DOMAIN_PAN=y # CONFIG_DEBUG_ALIGN_RODATA is not set # Platforms enabled/disabled globally on ARMv7 +CONFIG_ARCH_BCM=y CONFIG_ARCH_BCM2835=y CONFIG_ARCH_EXYNOS=y CONFIG_ARCH_HIGHBANK=y @@ -60,7 +61,21 @@ CONFIG_ARCH_TEGRA=y CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA=y CONFIG_ARCH_VIRT=y # CONFIG_ARCH_ARTPEC is not set -# CONFIG_ARCH_BCM is not set +# CONFIG_ARCH_BCM_CYGNUS is not set +# CONFIG_ARCH_BCM_NSP is not set +# CONFIG_ARCH_BCM_5301X is not set +# CONFIG_ARCH_BCM_281XX is not set +# CONFIG_ARCH_BCM_21664 is not set +# CONFIG_ARCH_BCM_63XX is not set +# CONFIG_ARCH_BRCMSTB is not set +# CONFIG_ARCH_BERLIN is not set +# CONFIG_ARCH_BCM_CYGNUS is not set +# CONFIG_ARCH_BCM_NSP is not set +# CONFIG_ARCH_BCM_5301X is not set +# CONFIG_ARCH_BCM_281XX is not set +# CONFIG_ARCH_BCM_21664 is not set +# CONFIG_ARCH_BCM_63XX is not set +# CONFIG_ARCH_BRCMSTB is not set # CONFIG_ARCH_BERLIN is not set # CONFIG_ARCH_HI3xxx is not set # CONFIG_ARCH_HISI is not set @@ -151,7 +166,6 @@ CONFIG_LSM_MMAP_MIN_ADDR=32768 CONFIG_XZ_DEC_ARM=y -CONFIG_PCI_HOST_GENERIC=y # CONFIG_PCI_LAYERSCAPE is not set # Do NOT enable this, it breaks stuff and makes things go slow # CONFIG_UACCESS_WITH_MEMCPY is not set @@ -239,9 +253,10 @@ CONFIG_NVMEM_SUNXI_SID=m # BCM 283x CONFIG_SERIAL_AMBA_PL011=y CONFIG_SERIAL_AMBA_PL011_CONSOLE=y +CONFIG_SERIAL_8250_BCM2835AUX=y CONFIG_DMA_BCM2835=m -CONFIG_MMC_SDHCI_IPROC=m # CONFIG_MMC_SDHCI_BCM2835 is not set +CONFIG_MMC_SDHCI_IPROC=m CONFIG_BCM2835_MBOX=m CONFIG_PWM_BCM2835=m CONFIG_HW_RANDOM_BCM2835=m diff --git a/config-generic b/config-generic index 4a5879d23..6e2c632f9 100644 --- a/config-generic +++ b/config-generic @@ -1707,6 +1707,7 @@ CONFIG_MLX4_INFINIBAND=m CONFIG_MLX5_CORE=m CONFIG_MLX5_CORE_EN=y CONFIG_MLX5_CORE_EN_DCB=y +CONFIG_MLX5_CORE_EN_VXLAN=y CONFIG_MLX5_INFINIBAND=m CONFIG_MLXSW_CORE=m CONFIG_MLXSW_CORE_HWMON=y diff --git a/config-x86-generic b/config-x86-generic index d21a99f58..06ddcd1a0 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -317,8 +317,8 @@ CONFIG_INPUT_XEN_KBDDEV_FRONTEND=m CONFIG_XEN_SELFBALLOONING=y CONFIG_XEN_PCIDEV_BACKEND=m CONFIG_XEN_ACPI_PROCESSOR=m -# CONFIG_XEN_SCSI_FRONTEND is not set -# CONFIG_XEN_SCSI_BACKEND is not set +CONFIG_XEN_SCSI_FRONTEND=m +CONFIG_XEN_SCSI_BACKEND=m CONFIG_XEN_SYMS=y CONFIG_SPI=y @@ -1 +1 @@ -9caa7e78481f17fb6ff77dfaca774998e7440430 +a2ccb68b1e6add42c0bf3ade73cd11c98d32b890 diff --git a/kernel.spec b/kernel.spec index d6c2a20b0..137735890 100644 --- a/kernel.spec +++ b/kernel.spec @@ -77,7 +77,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 7 # The git snapshot level -%define gitrev 0 +%define gitrev 3 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -631,9 +631,10 @@ Patch701: antenna_select.patch #CVE-2016-4482 rhbz 1332931 1332932 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch -#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321 -Patch707: net-fix-infoleak-in-llc.patch -Patch708: net-fix-infoleak-in-rtnetlink.patch +#CVE-2016-4569 rhbz 1334643 1334645 +Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch +Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch +Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch # END OF PATCH DEFINITIONS @@ -2163,6 +2164,23 @@ fi # # %changelog +* Fri May 13 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc7.git3.1 +- Linux v4.6-rc7-116-ga2ccb68b1e6a + +* Thu May 12 2016 Peter Robinson <pbrobinson@fedoraproject.org> +- Some minor ARMv7 platform fixes from F-24 +- Enable PCI_HOST_GENERIC for all ARM arches (Jeremy Linton) + +* Wed May 11 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc7.git2.1 +- Linux v4.6-rc7-55-gc5114626f33b + +* Tue May 10 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc7.git1.1 +- Linux v4.6-rc7-45-g2d0bd9534c8d + +* Tue May 10 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Enable XEN SCSI front and backend (rhbz 1334512) +- CVE-2016-4569 info leak in sound module (rhbz 1334643 1334645) + * Mon May 09 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc7.git0.1 - Linux v4.6-rc7 diff --git a/net-fix-infoleak-in-llc.patch b/net-fix-infoleak-in-llc.patch deleted file mode 100644 index 38f0d506a..000000000 --- a/net-fix-infoleak-in-llc.patch +++ /dev/null @@ -1,32 +0,0 @@ -From ec0de35ded8c4a8588290a1b442aa3aa4bdf4de1 Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:35:05 -0400 -Subject: [PATCH 2/2] net: fix infoleak in llc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “info” has a total size of 12 bytes. Its last byte -is padding which is not initialized and leaked via “put_cmsg”. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/llc/af_llc.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c -index b3c52e3f689a..8ae3ed97d95c 100644 ---- a/net/llc/af_llc.c -+++ b/net/llc/af_llc.c -@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb) - if (llc->cmsg_flags & LLC_CMSG_PKTINFO) { - struct llc_pktinfo info; - -+ memset(&info, 0, sizeof(info)); - info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex; - llc_pdu_decode_dsap(skb, &info.lpi_sap); - llc_pdu_decode_da(skb, info.lpi_mac); --- -2.5.5 - diff --git a/net-fix-infoleak-in-rtnetlink.patch b/net-fix-infoleak-in-rtnetlink.patch deleted file mode 100644 index 0da35108d..000000000 --- a/net-fix-infoleak-in-rtnetlink.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 55a8a812d867ec9953bde7d86eef255a1abbf93e Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:46:24 -0400 -Subject: [PATCH 1/2] net: fix infoleak in rtnetlink -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “map” has a total size of 32 bytes. Its last 4 -bytes are padding generated by compiler. These padding bytes are -not initialized and sent out via “nla_put”. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/core/rtnetlink.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index a75f7e94b445..65763c29f845 100644 ---- a/net/core/rtnetlink.c -+++ b/net/core/rtnetlink.c -@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, - - static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev) - { -- struct rtnl_link_ifmap map = { -- .mem_start = dev->mem_start, -- .mem_end = dev->mem_end, -- .base_addr = dev->base_addr, -- .irq = dev->irq, -- .dma = dev->dma, -- .port = dev->if_port, -- }; -+ struct rtnl_link_ifmap map; -+ -+ memset(&map, 0, sizeof(map)); -+ map.mem_start = dev->mem_start; -+ map.mem_end = dev->mem_end; -+ map.base_addr = dev->base_addr; -+ map.irq = dev->irq; -+ map.dma = dev->dma; -+ map.port = dev->if_port; -+ - if (nla_put(skb, IFLA_MAP, sizeof(map), &map)) - return -EMSGSIZE; - --- -2.5.5 - @@ -1,3 +1,4 @@ a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz 6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz 2089df8a0f142e2a1cdcaca0f133e47d patch-4.6-rc7.xz +bf56da06679952234c9a2f31d2d259c8 patch-4.6-rc7-git3.xz |