authorJustin M. Forbes <jforbes@fedoraproject.org>2019-09-23 08:04:23 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2019-09-23 08:04:23 -0500
commit739dd1faf1032b28f0896291f481ecee139aa52f (patch)
tree050a6514fd32f818661d258f3bf6ca30be4b29d0
parentd11a5a2269a993202800505ce21dd4805b0dc5fa (diff)
Linux v5.2.17
-rw-r--r--kernel.spec15
-rw-r--r--kvm-coalesced_mmio-add-bounds-checking.patch83
-rw-r--r--mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch144
-rw-r--r--sources2
-rw-r--r--technisat-usb2-break-out-of-loop-at-end-of-buffer.patch68
5 files changed, 5 insertions, 307 deletions
diff --git a/kernel.spec b/kernel.spec
index 3520009a7..e860a472a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -56,7 +56,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 16
+%define stable_update 17
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -583,16 +583,6 @@ Patch508: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
# rhbz 1732045
Patch511: 0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch
-# CVE-2019-14814 CVE-2019-14815 CVE-2019-14816
-# rhbz 1744130 1744137 1744149 1746566 1746567
-Patch514: mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch
-
-# CVE-2019-15505 rhbz 1746732 1746734
-Patch516: technisat-usb2-break-out-of-loop-at-end-of-buffer.patch
-
-# CVE-2019-14821 rhbz 1746708 1753596
-Patch517: kvm-coalesced_mmio-add-bounds-checking.patch
-
# rhbz 1753099
Patch518: dwc3-fix.patch
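Review bot: Dropping Patch514, Patch516 and Patch517 removes the downstream fixes for CVE-2019-14814/14815/14816, CVE-2019-15505 and CVE-2019-14821, and nothing in the commit records that patch-5.2.17 carries the equivalent upstream changes. Presumably the stable update includes them, which would explain the removal, but that should be confirmed against the 5.2.17 tree before the build ships, for example by checking that `coalesced_mmio_write()` rejects `insert >= KVM_COALESCED_MMIO_MAX` and that the three mwifiex length checks are present. The new changelog entry is the natural place to record this, e.g. `- Linux v5.2.17 (includes fixes for CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-15505 CVE-2019-14821)`. That keeps the CVE and rhbz references deleted here traceable from the package history.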
@@ -1833,6 +1823,9 @@ fi
#
#
%changelog
+* Mon Sep 23 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.2.17-200
+- Linux v5.2.17
+
* Thu Sep 19 2019 Laura Abbott <labbott@redhat.com>
- Fix for dwc3 (rhbz 1753099)
diff --git a/kvm-coalesced_mmio-add-bounds-checking.patch b/kvm-coalesced_mmio-add-bounds-checking.patch
deleted file mode 100644
index ddd2568f9..000000000
--- a/kvm-coalesced_mmio-add-bounds-checking.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From b60fe990c6b07ef6d4df67bc0530c7c90a62623a Mon Sep 17 00:00:00 2001
-From: Matt Delco <delco@chromium.org>
-Date: Mon, 16 Sep 2019 14:16:54 -0700
-Subject: KVM: coalesced_mmio: add bounds checking
-
-The first/last indexes are typically shared with a user app.
-The app can change the 'last' index that the kernel uses
-to store the next result. This change sanity checks the index
-before using it for writing to a potentially arbitrary address.
-
-This fixes CVE-2019-14821.
-
-Cc: stable@vger.kernel.org
-Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
-Signed-off-by: Matt Delco <delco@chromium.org>
-Signed-off-by: Jim Mattson <jmattson@google.com>
-Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
-[Use READ_ONCE. - Paolo]
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- virt/kvm/coalesced_mmio.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c
-index 5294abb3f178..8ffd07e2a160 100644
---- a/virt/kvm/coalesced_mmio.c
-+++ b/virt/kvm/coalesced_mmio.c
-@@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev,
- return 1;
- }
-
--static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
-+static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
- {
- struct kvm_coalesced_mmio_ring *ring;
- unsigned avail;
-@@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
- * there is always one unused entry in the buffer
- */
- ring = dev->kvm->coalesced_mmio_ring;
-- avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
-+ avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
- if (avail == 0) {
- /* full */
- return 0;
-@@ -67,25 +67,28 @@ static int coalesced_mmio_write(struct kvm_vcpu *vcpu,
- {
- struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
- struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
-+ __u32 insert;
-
- if (!coalesced_mmio_in_range(dev, addr, len))
- return -EOPNOTSUPP;
-
- spin_lock(&dev->kvm->ring_lock);
-
-- if (!coalesced_mmio_has_room(dev)) {
-+ insert = READ_ONCE(ring->last);
-+ if (!coalesced_mmio_has_room(dev, insert) ||
-+ insert >= KVM_COALESCED_MMIO_MAX) {
- spin_unlock(&dev->kvm->ring_lock);
- return -EOPNOTSUPP;
- }
-
- /* copy data in first free entry of the ring */
-
-- ring->coalesced_mmio[ring->last].phys_addr = addr;
-- ring->coalesced_mmio[ring->last].len = len;
-- memcpy(ring->coalesced_mmio[ring->last].data, val, len);
-- ring->coalesced_mmio[ring->last].pio = dev->zone.pio;
-+ ring->coalesced_mmio[insert].phys_addr = addr;
-+ ring->coalesced_mmio[insert].len = len;
-+ memcpy(ring->coalesced_mmio[insert].data, val, len);
-+ ring->coalesced_mmio[insert].pio = dev->zone.pio;
- smp_wmb();
-- ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
-+ ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
- spin_unlock(&dev->kvm->ring_lock);
- return 0;
- }
---
-cgit 1.2-0.3.lf.el7
-
diff --git a/mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch b/mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch
deleted file mode 100644
index 6d0bef3eb..000000000
--- a/mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From patchwork Wed Aug 28 02:07:51 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: huangwenabc@gmail.com
-X-Patchwork-Id: 11117681
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path: <SRS0=YfBD=WY=vger.kernel.org=linux-wireless-owner@kernel.org>
-Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
- [172.30.200.123])
- by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9686413B1
- for <patchwork-linux-wireless@patchwork.kernel.org>;
- Wed, 28 Aug 2019 02:08:25 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
- by mail.kernel.org (Postfix) with ESMTP id 70EC820679
- for <patchwork-linux-wireless@patchwork.kernel.org>;
- Wed, 28 Aug 2019 02:08:25 +0000 (UTC)
-Authentication-Results: mail.kernel.org;
- dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
- header.b="IA7BwRJC"
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S1726178AbfH1CIY (ORCPT
- <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
- Tue, 27 Aug 2019 22:08:24 -0400
-Received: from mail-pg1-f195.google.com ([209.85.215.195]:41425 "EHLO
- mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
- with ESMTP id S1726096AbfH1CIY (ORCPT
- <rfc822;linux-wireless@vger.kernel.org>);
- Tue, 27 Aug 2019 22:08:24 -0400
-Received: by mail-pg1-f195.google.com with SMTP id x15so498545pgg.8
- for <linux-wireless@vger.kernel.org>;
- Tue, 27 Aug 2019 19:08:23 -0700 (PDT)
-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
- d=gmail.com; s=20161025;
- h=from:to:cc:subject:date:message-id;
- bh=zF/rdCcsl+Dpf6pR2o3pkaHSiAFxtHTEr8wwdACI24s=;
- b=IA7BwRJCgc0gGOw5C7lZohfbL4xQenMqPwKog/a6322QW1ZCJo9+YA44hqHGeXCCET
- NzgcdXikIEmDh9azkSiFIxncYWnKwJsXdUBhCP5nDp2GciRXS2NQ65JtbqagrheD4lVf
- +Pb00xgDSgKWQYTcqwSA2yYT9narnQxKODABGmtA6gwCWCG+SvqcZk1ekpnyXQocS6vh
- L4PoCWF3BnZkp235hrtOyzso68sDkVNJz6ZDJG47SIGi//SqblL8+W5L0VdodxWNIeOu
- V0anGG8f/Doy0MOpkTorfiducAsLMgfQi1lDZvmLLVd/YWR2IdlSkGuUlYYSPRh3iRQj
- YnnA==
-X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
- d=1e100.net; s=20161025;
- h=x-gm-message-state:from:to:cc:subject:date:message-id;
- bh=zF/rdCcsl+Dpf6pR2o3pkaHSiAFxtHTEr8wwdACI24s=;
- b=ceinhwS780P1iDieuukVIn2k6b1mW5L9RUW5Cf1wgXUoym0eeHIjHVxJDyte535qY3
- CmHO4Q8viRG4ycIifiJTtKzn7mp0QMeWcG7RpgoAXfZb1XBaj3FXDJjBXyNqvfB23VVm
- Zb+siWZHFloiDp+3ZXmTCt24f0/gTWglkCVEa3ZfuE+YCjsiIvct8Srqi+lNeoam6Le7
- w3SlkLkHqr9G3GSN1Rt9Yf0hCymRFlkBbZvnVSLdOTveygH1WdYVD2huLvriEbKL8i6k
- SMCb8fXq8mXURblOh+3S7/gmLpaBK7zUi3JpGLnVo5jEH8uIhhxLrJXjoHC9eXTHpO+2
- MpOQ==
-X-Gm-Message-State: APjAAAXQVDCD0oVuK0PpIHqp2Jm0L7G6KsvCQ6CgnO4uaNG9QmRxWN+8
- M58+vc7TzkG1sr6shISyFwdcfGBkfjM=
-X-Google-Smtp-Source:
- APXvYqyECYmkfkZ/6i0IjVBxhjaFZfVQ8xU9tke4CVSodxqtntgjXHLzr6BDXwVULEb6EBySirWb5w==
-X-Received: by 2002:a62:cec4:: with SMTP id y187mr1893773pfg.84.1566958103164;
- Tue, 27 Aug 2019 19:08:23 -0700 (PDT)
-Received: from localhost ([67.218.142.97])
- by smtp.gmail.com with ESMTPSA id m34sm467149pje.5.2019.08.27.19.08.21
- (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
- Tue, 27 Aug 2019 19:08:22 -0700 (PDT)
-From: huangwenabc@gmail.com
-To: linux-wireless@vger.kernel.org
-Cc: amitkarwar@gmail.com, nishants@marvell.com, gbhat@marvell.com,
- huxinming820@gmail.com, solar@openwall.com, greg@kroah.com,
- kvalo@codeaurora.org, sashal@kernel.org, mrehak@redhat.com
-Subject: [PATCH] mwifiex: Fix three heap overflow at parsing element in
- cfg80211_ap_settings
-Date: Wed, 28 Aug 2019 10:07:51 +0800
-Message-Id: <20190828020751.13625-1-huangwenabc@gmail.com>
-X-Mailer: git-send-email 2.17.1
-Sender: linux-wireless-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-wireless.vger.kernel.org>
-X-Mailing-List: linux-wireless@vger.kernel.org
-
-From: Wen Huang <huangwenabc@gmail.com>
-
-mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and
-mwifiex_set_wmm_params() call memcpy() without checking
-the destination size.Since the source is given from
-user-space, this may trigger a heap buffer overflow.
-
-Fix them by putting the length check before performing memcpy().
-
-This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816.
-
-Signed-off-by: Wen Huang <huangwenabc@gmail.com>
-Acked-by: Ganapathi Bhat <gbhat@marvell.comg>
----
- drivers/net/wireless/marvell/mwifiex/ie.c | 3 +++
- drivers/net/wireless/marvell/mwifiex/uap_cmd.c | 9 ++++++++-
- 2 files changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c
-index 653d347a9..580387f9f 100644
---- a/drivers/net/wireless/marvell/mwifiex/ie.c
-+++ b/drivers/net/wireless/marvell/mwifiex/ie.c
-@@ -241,6 +241,9 @@ static int mwifiex_update_vs_ie(const u8 *ies, int ies_len,
- }
-
- vs_ie = (struct ieee_types_header *)vendor_ie;
-+ if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 >
-+ IEEE_MAX_IE_SIZE)
-+ return -EINVAL;
- memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length),
- vs_ie, vs_ie->len + 2);
- le16_unaligned_add_cpu(&ie->ie_length, vs_ie->len + 2);
-diff --git a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c
-index 18f7d9bf3..0939a8c8f 100644
---- a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c
-+++ b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c
-@@ -265,6 +265,8 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg,
-
- rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len);
- if (rate_ie) {
-+ if (rate_ie->len > MWIFIEX_SUPPORTED_RATES)
-+ return;
- memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len);
- rate_len = rate_ie->len;
- }
-@@ -272,8 +274,11 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg,
- rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
- params->beacon.tail,
- params->beacon.tail_len);
-- if (rate_ie)
-+ if (rate_ie) {
-+ if (rate_ie->len > MWIFIEX_SUPPORTED_RATES - rate_len)
-+ return;
- memcpy(bss_cfg->rates + rate_len, rate_ie + 1, rate_ie->len);
-+ }
-
- return;
- }
-@@ -391,6 +396,8 @@ mwifiex_set_wmm_params(struct mwifiex_private *priv,
- params->beacon.tail_len);
- if (vendor_ie) {
- wmm_ie = vendor_ie;
-+ if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info))
-+ return;
- memcpy(&bss_cfg->wmm_info, wmm_ie +
- sizeof(struct ieee_types_header), *(wmm_ie + 1));
- priv->wmm_enabled = 1;
diff --git a/sources b/sources
index 05e75beef..27a399c5f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (linux-5.2.tar.xz) = 5a28f8a34c4e0470617f5638b7112e6252109b78f23b1eed484a228530970c7ef5c130d6e5a09cf25ea2f6a0329602dcc1ec66ce893182e15b27d99bd228789c
-SHA512 (patch-5.2.16.xz) = e9f1157b46c953256883b3deeb5377bcf51ec0ee73e353b843353dfa178e913d0bea7c1dc94d3096612361bed47103d3665951439845c5d9934dbe9224512f54
+SHA512 (patch-5.2.17.xz) = 1bfc7d89fffcbae7c60feacdcebfa28470f766667bdfb0f1e580abe493b71943ed3adc4d738883d52f872debe28ae544e91db3a93ae27740452e3af13f206bec
diff --git a/technisat-usb2-break-out-of-loop-at-end-of-buffer.patch b/technisat-usb2-break-out-of-loop-at-end-of-buffer.patch
deleted file mode 100644
index 0330080d4..000000000
--- a/technisat-usb2-break-out-of-loop-at-end-of-buffer.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 0c4df39e504bf925ab666132ac3c98d6cbbe380b Mon Sep 17 00:00:00 2001
-From: Sean Young <sean@mess.org>
-Date: Wed, 3 Jul 2019 10:52:39 -0400
-Subject: media: technisat-usb2: break out of loop at end of buffer
-
-Ensure we do not access the buffer beyond the end if no 0xff byte
-is encountered.
-
-Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
-Signed-off-by: Sean Young <sean@mess.org>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
-diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
-index c659e18..676d233 100644
---- a/drivers/media/usb/dvb-usb/technisat-usb2.c
-+++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
-@@ -608,10 +608,9 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a)
- static int technisat_usb2_get_ir(struct dvb_usb_device *d)
- {
- struct technisat_usb2_state *state = d->priv;
-- u8 *buf = state->buf;
-- u8 *b;
-- int ret;
- struct ir_raw_event ev;
-+ u8 *buf = state->buf;
-+ int i, ret;
-
- buf[0] = GET_IR_DATA_VENDOR_REQUEST;
- buf[1] = 0x08;
-@@ -647,26 +646,25 @@ unlock:
- return 0; /* no key pressed */
-
- /* decoding */
-- b = buf+1;
-
- #if 0
- deb_rc("RC: %d ", ret);
-- debug_dump(b, ret, deb_rc);
-+ debug_dump(buf + 1, ret, deb_rc);
- #endif
-
- ev.pulse = 0;
-- while (1) {
-- ev.pulse = !ev.pulse;
-- ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
-- ir_raw_event_store(d->rc_dev, &ev);
--
-- b++;
-- if (*b == 0xff) {
-+ for (i = 1; i < ARRAY_SIZE(state->buf); i++) {
-+ if (buf[i] == 0xff) {
- ev.pulse = 0;
- ev.duration = 888888*2;
- ir_raw_event_store(d->rc_dev, &ev);
- break;
- }
-+
-+ ev.pulse = !ev.pulse;
-+ ev.duration = (buf[i] * FIRMWARE_CLOCK_DIVISOR *
-+ FIRMWARE_CLOCK_TICK) / 1000;
-+ ir_raw_event_store(d->rc_dev, &ev);
- }
-
- ir_raw_event_handle(d->rc_dev);
---
-cgit v0.10.2
-