author | Justin M. Forbes <jforbes@redhat.com> | 2016-06-01 16:00:10 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@redhat.com> | 2016-06-01 16:00:10 -0500 |
commit | 60b0ac6b6a50bf6ff4a2e1ce32353679dac45f91 (patch) | |
tree | d636065fa410573c0e6de6b24e2d67bc612069c7 | |
parent | c2d53823de43e5903a3e2b17d9f1758fe6251174 (diff) | |
download | kernel-60b0ac6b6a50bf6ff4a2e1ce32353679dac45f91.tar.gz kernel-60b0ac6b6a50bf6ff4a2e1ce32353679dac45f91.tar.xz kernel-60b0ac6b6a50bf6ff4a2e1ce32353679dac45f91.zip |
Linux v4.5.6
-rw-r--r-- | KVM-MTRR-remove-MSR-0x2f8.patch | 49 | ||||
-rw-r--r-- | kernel.spec | 13 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | sp5100_tco-properly-check-for-new-register-layouts.patch | 75 |
4 files changed, 6 insertions, 133 deletions
diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch
deleted file mode 100644
index 8066b2e8f..000000000
--- a/KVM-MTRR-remove-MSR-0x2f8.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
-Date: Mon, 16 May 2016 09:45:35 -0400
-Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
-was introduced by 9ba075a664df ("KVM: MTRR support").
-
-0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
-size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
-which made access to index 124 out of bounds. The surrounding code only
-WARNs in this situation, thus the guest gained a limited read/write
-access to struct kvm_arch_vcpu.
-
-0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
-MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8
-was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
-not implemented in KVM, therefore 0x2f8 could never do anything useful
-and getting rid of it is safe.
-
-This fixes CVE-2016-TBD.
-
-Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
-Cc: stable@vger.kernel.org
-Reported-by: David Matlack <dmatlack@google.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
----
- arch/x86/kvm/mtrr.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
-index 3f8c732117ec..c146f3c262c3 100644
---- a/arch/x86/kvm/mtrr.c
-+++ b/arch/x86/kvm/mtrr.c
-@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
- case MSR_MTRRdefType:
- case MSR_IA32_CR_PAT:
- return true;
-- case 0x2f8:
-- return true;
- }
- return false;
- }
--- 
-2.5.5
-
diff --git a/kernel.spec b/kernel.spec
index 804877219..146193324 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 201
+%global baserelease 200
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}

 # Do we have a -stable update to apply?
-%define stable_update 5
+%define stable_update 6
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -644,9 +644,6 @@ Patch705: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
 #CVE-2016-4482 rhbz 1332931 1332932
 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch

-#rhbz 1328633
-Patch713: sp5100_tco-properly-check-for-new-register-layouts.patch
-
 #CVE-2016-4569 rhbz 1334643 1334645
 Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
 Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
@@ -655,9 +652,6 @@ Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
 #CVE-2016-0758 rhbz 1300257 1335386
 Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch

-#CVE-2016-3713 rhbz 1332139 1336410
-Patch718: KVM-MTRR-remove-MSR-0x2f8.patch
-
 #CVE-2016-4440 rhbz 1337806 1337807
 Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch

@@ -2181,6 +2175,9 @@ fi
 #
 #
 %changelog
+* Wed Jun 01 2016 Justin M. Forbes <jforbes@fedoraproject.org> 4.5.6-200
+- Linux v4.5.6
+
 * Mon May 23 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2016-4951 null ptr deref in tipc_nl_publ_dump (rhbz 1338625 1338626)

@@ -1,3 +1,3 @@
 a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz
 6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz
-fe89010925304f6f07713741f0c8e811 patch-4.5.5.xz
+165ea1f74c34d264f11be8c25d97635b patch-4.5.6.xz
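Review bot: The Patch718 removal in the `@@ -655,9 +652,6 @@` hunk drops the CVE-2016-3713 backport (KVM-MTRR-remove-MSR-0x2f8.patch, which its own description says closes a guest-reachable out-of-bounds access into struct kvm_arch_vcpu), while the new changelog entry records only `- Linux v4.5.6`. Nothing on this page shows that the 4.5.6 stable patch already contains that fix; presumably it does, but it is worth confirming against the upstream tree before the build ships. The same applies to Patch713 (sp5100_tco, rhbz 1328633) in the `@@ -644,9 +644,6 @@` hunk. I would record the drop in the changelog so the CVE stays traceable, e.g. `- Drop KVM-MTRR and sp5100_tco patches, now upstream in v4.5.6`.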
diff --git a/sp5100_tco-properly-check-for-new-register-layouts.patch b/sp5100_tco-properly-check-for-new-register-layouts.patch
deleted file mode 100644
index 83c86d151..000000000
--- a/sp5100_tco-properly-check-for-new-register-layouts.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 5896a59895689db447e888c1714022bbb9526ede Mon Sep 17 00:00:00 2001
-From: Lucas Stach <dev@lynxeye.de>
-Date: Tue, 3 May 2016 19:15:58 +0200
-Subject: [PATCH] sp5100_tco: properly check for new register layouts
-
-Commits 190aa4304de6 (Add AMD Mullins platform support) and
-cca118fa2a0a94 (Add AMD Carrizo platform support) enabled the
-driver on a lot more devices, but the following commit missed
-a single location in the code when checking if the SB800 register
-offsets should be used. This leads to the wrong register being
-written which in turn causes ACPI to go haywire.
-
-Fix this by introducing a helper function to check for the new
-register layout and use this consistently.
-
-https://bugzilla.kernel.org/show_bug.cgi?id=114201
-https://bugzilla.redhat.com/show_bug.cgi?id=1329910
-Fixes: bdecfcdb5461 (sp5100_tco: fix the device check for SB800
-and later chipsets)
-Cc: stable@vger.kernel.org (4.5+)
-Signed-off-by: Lucas Stach <dev@lynxeye.de>
----
- drivers/watchdog/sp5100_tco.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/watchdog/sp5100_tco.c b/drivers/watchdog/sp5100_tco.c
-index 6467b91..028618c 100644
---- a/drivers/watchdog/sp5100_tco.c
-+++ b/drivers/watchdog/sp5100_tco.c
-@@ -73,6 +73,13 @@ MODULE_PARM_DESC(nowayout, "Watchdog cannot be stopped once started."
- /*
- * Some TCO specific functions
- */
-+
-+static bool tco_has_sp5100_reg_layout(struct pci_dev *dev)
-+{
-+ return dev->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
-+ dev->revision < 0x40;
-+}
-+
- static void tco_timer_start(void)
- {
- u32 val;
-@@ -129,7 +136,7 @@ static void tco_timer_enable(void)
- {
- int val;
-
-- if (sp5100_tco_pci->revision >= 0x40) {
-+ if (!tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
- /* For SB800 or later */
- /* Set the Watchdog timer resolution to 1 sec */
- outb(SB800_PM_WATCHDOG_CONFIG, SB800_IO_PM_INDEX_REG);
-@@ -342,8 +349,7 @@ static unsigned char sp5100_tco_setupdevice(void)
- /*
- * Determine type of southbridge chipset.
- */
-- if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
-- sp5100_tco_pci->revision < 0x40) {
-+ if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
- dev_name = SP5100_DEVNAME;
- index_reg = SP5100_IO_PM_INDEX_REG;
- data_reg = SP5100_IO_PM_DATA_REG;
-@@ -388,8 +394,7 @@ static unsigned char sp5100_tco_setupdevice(void)
- * Secondly, Find the watchdog timer MMIO address
- * from SBResource_MMIO register.
- */
-- if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
-- sp5100_tco_pci->revision < 0x40) {
-+ if (tco_has_sp5100_reg_layout(sp5100_tco_pci)) {
- /* Read SBResource_MMIO from PCI config(PCI_Reg: 9Ch) */
- pci_read_config_dword(sp5100_tco_pci,
- SP5100_SB_RESOURCE_MMIO_BASE, &val);
--- 
-2.7.4
- |