diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-05-31 19:37:02 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-05-31 19:37:02 +0200 |
commit | 876c5ae8a1b8580c3d550b1cf80bfebeae3c4265 (patch) | |
tree | 82f826b056bd691a52b5578eed6d3b3dab5653c0 | |
parent | e99d7a1ef2fd21db19da096a6675343b6d7a2a15 (diff) | |
parent | 3074ed2654b76680777291ee552ff1ee53dcc8f6 (diff) | |
download | kernel-876c5ae8a1b8580c3d550b1cf80bfebeae3c4265.tar.gz kernel-876c5ae8a1b8580c3d550b1cf80bfebeae3c4265.tar.xz kernel-876c5ae8a1b8580c3d550b1cf80bfebeae3c4265.zip |
Merge remote-tracking branch 'origin/f29' into f29-user-thl-vanilla-fedora
-rw-r--r-- | 0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch | 105 | ||||
-rw-r--r-- | 0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch | 33 | ||||
-rw-r--r-- | configs/fedora/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_1463225 | 1 | ||||
-rw-r--r-- | kernel-aarch64-debug.config | 1 | ||||
-rw-r--r-- | kernel-aarch64.config | 1 | ||||
-rw-r--r-- | kernel.spec | 9 |
6 files changed, 6 insertions, 144 deletions
diff --git a/0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch b/0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch deleted file mode 100644 index 0f2eacbc9..000000000 --- a/0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch +++ /dev/null @@ -1,105 +0,0 @@ -From a4176ec356c73a46c07c181c6d04039fafa34a9f Mon Sep 17 00:00:00 2001 -From: Arend van Spriel <arend.vanspriel@broadcom.com> -Date: Thu, 14 Feb 2019 13:43:48 +0100 -Subject: [PATCH] brcmfmac: add subtype check for event handling in data path - -For USB there is no separate channel being used to pass events -from firmware to the host driver and as such are passed over the -data path. In order to detect mock event messages an additional -check is needed on event subtype. This check is added conditionally -using unlikely() keyword. - -Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> -Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> -Reviewed-by: Franky Lin <franky.lin@broadcom.com> -Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> ---- - .../wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++-- - .../wireless/broadcom/brcm80211/brcmfmac/fweh.h | 16 ++++++++++++---- - .../broadcom/brcm80211/brcmfmac/msgbuf.c | 2 +- - 3 files changed, 16 insertions(+), 7 deletions(-) - -diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -index e772c0845638..a368ba6e7344 100644 ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -@@ -519,7 +519,8 @@ void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_event) - } else { - /* Process special event packets */ - if (handle_event) -- brcmf_fweh_process_skb(ifp->drvr, skb); -+ brcmf_fweh_process_skb(ifp->drvr, skb, -+ BCMILCP_SUBTYPE_VENDOR_LONG); - - brcmf_netif_rx(ifp, skb); - } -@@ -536,7 +537,7 @@ void brcmf_rx_event(struct device *dev, struct sk_buff *skb) - if (brcmf_rx_hdrpull(drvr, skb, &ifp)) - return; - -- brcmf_fweh_process_skb(ifp->drvr, skb); -+ brcmf_fweh_process_skb(ifp->drvr, skb, 0); - brcmu_pkt_buf_free_skb(skb); - } - -diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h -index 31f3e8e83a21..7027243db17e 100644 ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h -@@ -211,7 +211,7 @@ enum brcmf_fweh_event_code { - */ - #define BRCM_OUI "\x00\x10\x18" - #define BCMILCP_BCM_SUBTYPE_EVENT 1 -- -+#define BCMILCP_SUBTYPE_VENDOR_LONG 32769 - - /** - * struct brcm_ethhdr - broadcom specific ether header. -@@ -334,10 +334,10 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, - void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing); - - static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr, -- struct sk_buff *skb) -+ struct sk_buff *skb, u16 stype) - { - struct brcmf_event *event_packet; -- u16 usr_stype; -+ u16 subtype, usr_stype; - - /* only process events when protocol matches */ - if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL)) -@@ -346,8 +346,16 @@ static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr, - if ((skb->len + ETH_HLEN) < sizeof(*event_packet)) - return; - -- /* check for BRCM oui match */ - event_packet = (struct brcmf_event *)skb_mac_header(skb); -+ -+ /* check subtype if needed */ -+ if (unlikely(stype)) { -+ subtype = get_unaligned_be16(&event_packet->hdr.subtype); -+ if (subtype != stype) -+ return; -+ } -+ -+ /* check for BRCM oui match */ - if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0], - sizeof(event_packet->hdr.oui))) - return; -diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c -index 4e8397a0cbc8..ee922b052561 100644 ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c -@@ -1116,7 +1116,7 @@ static void brcmf_msgbuf_process_event(struct brcmf_msgbuf *msgbuf, void *buf) - - skb->protocol = eth_type_trans(skb, ifp->ndev); - -- brcmf_fweh_process_skb(ifp->drvr, skb); -+ brcmf_fweh_process_skb(ifp->drvr, skb, 0); - - exit: - brcmu_pkt_buf_free_skb(skb); --- -2.20.1 - diff --git a/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch b/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch deleted file mode 100644 index 23d43d725..000000000 --- a/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 1b5e2423164b3670e8bc9174e4762d297990deff Mon Sep 17 00:00:00 2001 -From: Arend van Spriel <arend.vanspriel@broadcom.com> -Date: Thu, 14 Feb 2019 13:43:47 +0100 -Subject: [PATCH] brcmfmac: assure SSID length from firmware is limited - -The SSID length as received from firmware should not exceed -IEEE80211_MAX_SSID_LEN as that would result in heap overflow. - -Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> -Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> -Reviewed-by: Franky Lin <franky.lin@broadcom.com> -Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> ---- - drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -index b5e291ed9496..012275fc3bf7 100644 ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -@@ -3507,6 +3507,8 @@ brcmf_wowl_nd_results(struct brcmf_if *ifp, const struct brcmf_event_msg *e, - } - - netinfo = brcmf_get_netinfo_array(pfn_result); -+ if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN) -+ netinfo->SSID_len = IEEE80211_MAX_SSID_LEN; - memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len); - cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len; - cfg->wowl.nd->n_channels = 1; --- -2.20.1 - diff --git a/configs/fedora/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_1463225 b/configs/fedora/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_1463225 new file mode 100644 index 000000000..3e0b01e04 --- /dev/null +++ b/configs/fedora/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_1463225 @@ -0,0 +1 @@ +CONFIG_ARM64_ERRATUM_1463225=y diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config index 581b418c3..290802969 100644 --- a/kernel-aarch64-debug.config +++ b/kernel-aarch64-debug.config @@ -282,6 +282,7 @@ CONFIG_ARM64_ERRATUM_1024718=y CONFIG_ARM64_ERRATUM_1165522=y CONFIG_ARM64_ERRATUM_1188873=y CONFIG_ARM64_ERRATUM_1286807=y +CONFIG_ARM64_ERRATUM_1463225=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/kernel-aarch64.config b/kernel-aarch64.config index 06ff18b97..0105b898b 100644 --- a/kernel-aarch64.config +++ b/kernel-aarch64.config @@ -282,6 +282,7 @@ CONFIG_ARM64_ERRATUM_1024718=y CONFIG_ARM64_ERRATUM_1165522=y CONFIG_ARM64_ERRATUM_1188873=y CONFIG_ARM64_ERRATUM_1286807=y +CONFIG_ARM64_ERRATUM_1463225=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_826319=y diff --git a/kernel.spec b/kernel.spec index 1197d621c..f6a0e3a96 100644 --- a/kernel.spec +++ b/kernel.spec @@ -620,12 +620,6 @@ Patch513: 0001-virt-vbox-Implement-passing-requestor-info-to-the-ho.patch # rhbz 1683382 Patch515: nfsv4.1-avoid-false-retries.patch -# CVE-2019-9500 rhbz 1701224 1701226 -Patch518: 0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch - -# CVE-2019-9503 rhbz 1701842 1701843 -Patch520: 0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch - # https://bugzilla.redhat.com/show_bug.cgi?id=1701096 Patch521: 0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch Patch522: 0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch @@ -1914,6 +1908,9 @@ fi # # %changelog +* Fri May 31 2019 Laura Abbott <labbott@redhat.com> - 5.0.20-200 +- Linux v5.0.20 + * Tue May 28 2019 Laura Abbott <labbott@redhat.com> - 5.0.19-200 - Linux v5.0.19 |