Linux v4.8.14

4 files changed, 8 insertions, 104 deletions

diff --git a/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch b/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
deleted file mode 100644
index 8c3795439..000000000
--- a/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From a0ac402cfcdc904f9772e1762b3fda112dcc56a0 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Tue, 6 Dec 2016 16:18:14 -0800
-Subject: [PATCH] Don't feed anything but regular iovec's to
- blk_rq_map_user_iov
-
-In theory we could map other things, but there's a reason that function
-is called "user_iov".  Using anything else (like splice can do) just
-confuses it.
-
-Reported-and-tested-by: Johannes Thumshirn <jthumshirn@suse.de>
-Cc: Al Viro <viro@ZenIV.linux.org.uk>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
- block/blk-map.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/block/blk-map.c b/block/blk-map.c
-index b8657fa..27fd8d92 100644
---- a/block/blk-map.c
-+++ b/block/blk-map.c
-@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
- 	struct iov_iter i;
- 	int ret;
-
-+	if (!iter_is_iovec(iter))
-+		goto fail;
-+
- 	if (map_data)
- 		copy = true;
- 	else if (iov_iter_alignment(iter) & align)
-@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
-
- unmap_rq:
- 	__blk_rq_unmap_user(bio);
-+fail:
- 	rq->bio = NULL;
- 	return -EINVAL;
- }
--- 
-2.9.3
-
diff --git a/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch b/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
deleted file mode 100644
index 6d5771ccd..000000000
--- a/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Fri, 2 Dec 2016 09:44:53 -0800
-Subject: [PATCH] net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
-
-CAP_NET_ADMIN users should not be allowed to set negative
-sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
-corruptions, crashes, OOM...
-
-Note that before commit 82981930125a ("net: cleanups in
-sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
-and SO_RCVBUF were vulnerable.
-
-This needs to be backported to all known linux kernels.
-
-Again, many thanks to syzkaller team for discovering this gem.
-
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: Andrey Konovalov <andreyknvl@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/core/sock.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/net/core/sock.c b/net/core/sock.c
-index 5e3ca41..00a074d 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -715,7 +715,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
- 		val = min_t(u32, val, sysctl_wmem_max);
- set_sndbuf:
- 		sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
--		sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
-+		sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
- 		/* Wake up sending tasks if we upped the value. */
- 		sk->sk_write_space(sk);
- 		break;
-@@ -751,7 +751,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
- 		 * returning the value we actually used in getsockopt
- 		 * is the most desirable behavior.
- 		 */
--		sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
-+		sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
- 		break;
-
- 	case SO_RCVBUFFORCE:
--- 
-2.9.3
-
diff --git a/kernel.spec b/kernel.spec
index acd7f443f..a0e695967 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 13
+%define stable_update 14
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -645,15 +645,6 @@ Patch855: 0001-platform-x86-ideapad-laptop-Add-Lenovo-Yoga-910-13IK.patch
 # CVE-2016-9755 rhbz 1400904 1400905
 Patch856: 0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
 
-# CVE-2016-8655 rhbz 1400019 1401820
-Patch857: 0001-packet-fix-race-condition-in-packet_set_ring.patch
-
-# CVE-2016-9793 rhbz 1402013 1402014
-Patch858: 0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
-
-# CVE-2016-9576 rhbz 1403145 1403146
-Patch859: 0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
-
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2190,6 +2181,10 @@ fi
 #
 #
 %changelog
+* Mon Dec 12 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.14-300
+- Linux v4.8.14
+- CVE-2016-8399 Fix out OOB stack read in memcpy_fromiovec (rhbz 1403833 1403834)
+
 * Fri Dec 09 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.13-300
 - Linux v4.8.13
 - CVE-2016-9576 fix use after free in SCSI generic device interface (rhbz 1403145 1403146)
diff --git a/sources b/sources
index b175e7f81..d4c3127d3 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-c1af0afbd3df35c1ccdc7a5118cd2d07  linux-4.8.tar.xz
-0dad03f586e835d538d3e0d2cbdb9a28  perf-man-4.8.tar.gz
-bc208ac66340464839ee61a4621d9384  patch-4.8.13.xz
+SHA512 (linux-4.8.tar.xz) = a48a065f21e1c7c4de4cf8ca47b8b8d9a70f86b64e7cfa6e01be490f78895745b9c8790734b1d22182cf1f930fb87eaaa84e62ec8cc1f64ac4be9b949e7c0358
+SHA512 (perf-man-4.8.tar.gz) = 1e9707f1e11808178c1953d4f46e1789a138e9aca7bec89af7a6e209cd91e5301bc582db72cf889baa31dcba8cd3d3b1ceb4e8999ac1544ef17d513e861f2b59
+SHA512 (patch-4.8.14.xz) = 374b849aac6736f3a8d7afd224d51a5f4bab5c0fefaa8738982bae7188687149b7775e53878efe25466b4c0d40769b284e8af55c1d3bae500bccdbf565c0453a