diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2020-09-10 06:02:22 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2020-09-10 06:02:22 +0200 |
commit | 012f1b53e6260bc6f1036f886131045c51d3ebe9 (patch) | |
tree | e01961868a56ad05f8bf3da81762ca2747255fe1 | |
parent | 6e66c52798646a64f30cd3ea93ca4a68db3f55d3 (diff) | |
parent | e5d0bcfb4f035e95ea01786301e9b379a3c11fe4 (diff) | |
download | kernel-012f1b53e6260bc6f1036f886131045c51d3ebe9.tar.gz kernel-012f1b53e6260bc6f1036f886131045c51d3ebe9.tar.xz kernel-012f1b53e6260bc6f1036f886131045c51d3ebe9.zip |
Merge remote-tracking branch 'origin/f31' into f31-user-thl-vanilla-fedora
-rw-r--r-- | 0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch | 49 | ||||
-rw-r--r-- | kernel.spec | 9 | ||||
-rw-r--r-- | net-packet-fix-overflow-in-tpacket_rcv.patch | 59 |
3 files changed, 3 insertions, 114 deletions
diff --git a/0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch b/0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch deleted file mode 100644 index 771f4396e..000000000 --- a/0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch +++ /dev/null @@ -1,49 +0,0 @@ -From f4020438fab05364018c91f7e02ebdd192085933 Mon Sep 17 00:00:00 2001 -From: Eric Sandeen <sandeen@redhat.com> -Date: Wed, 26 Aug 2020 14:11:58 -0700 -Subject: [PATCH] xfs: fix boundary test in xfs_attr_shortform_verify - -The boundary test for the fixed-offset parts of xfs_attr_sf_entry in -xfs_attr_shortform_verify is off by one, because the variable array -at the end is defined as nameval[1] not nameval[]. -Hence we need to subtract 1 from the calculation. - -This can be shown by: - -# touch file -# setfattr -n root.a file - -and verifications will fail when it's written to disk. - -This only matters for a last attribute which has a single-byte name -and no value, otherwise the combination of namelen & valuelen will -push endp further out and this test won't fail. - -Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs") -Signed-off-by: Eric Sandeen <sandeen@redhat.com> -Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> -Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> -Reviewed-by: Christoph Hellwig <hch@lst.de> ---- - fs/xfs/libxfs/xfs_attr_leaf.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c -index 8623c815164a..383b08f2ac61 100644 ---- a/fs/xfs/libxfs/xfs_attr_leaf.c -+++ b/fs/xfs/libxfs/xfs_attr_leaf.c -@@ -1036,8 +1036,10 @@ xfs_attr_shortform_verify( - * struct xfs_attr_sf_entry has a variable length. - * Check the fixed-offset parts of the structure are - * within the data buffer. -+ * xfs_attr_sf_entry is defined with a 1-byte variable -+ * array at the end, so we must subtract that off. - */ -- if (((char *)sfep + sizeof(*sfep)) >= endp) -+ if (((char *)sfep + sizeof(*sfep) - 1) >= endp) - return __this_address; - - /* Don't allow names with known bad length. */ --- -2.26.2 - diff --git a/kernel.spec b/kernel.spec index 0e10c048a..6fe10c651 100644 --- a/kernel.spec +++ b/kernel.spec @@ -886,12 +886,6 @@ Patch105: 0001-platform-x86-thinkpad_acpi-lap-or-desk-mode-interfac.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1874117 Patch107: 0001-drivers-perf-xgene_pmu-Fix-uninitialized-resource-st.patch -# CVE-2020-14385 rhbz 1874800 1874811 -Patch108: 0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch - -# CVE-2020-14386 rhbz 1875699 1876349 -Patch109: net-packet-fix-overflow-in-tpacket_rcv.patch - Patch110: memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch # END OF PATCH DEFINITIONS @@ -3001,6 +2995,9 @@ fi # # %changelog +* Wed Sep 9 13:40:09 CDT 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.8-100 +- Linux v5.8.8 + * Mon Sep 07 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.7-100 - Linux v5.8.7 - Fix CVE-2020-14386 (rhbz 1875699 1876349) diff --git a/net-packet-fix-overflow-in-tpacket_rcv.patch b/net-packet-fix-overflow-in-tpacket_rcv.patch deleted file mode 100644 index 6c6868f5c..000000000 --- a/net-packet-fix-overflow-in-tpacket_rcv.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 00c393ea14d12a4ef490a6aedf0fa6bfc2bfe8c3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin <sashal@kernel.org> -Date: Thu, 3 Sep 2020 21:05:28 -0700 -Subject: net/packet: fix overflow in tpacket_rcv - -From: Or Cohen <orcohen@paloaltonetworks.com> - -[ Upstream commit acf69c946233259ab4d64f8869d4037a198c7f06 ] - -Using tp_reserve to calculate netoff can overflow as -tp_reserve is unsigned int and netoff is unsigned short. - -This may lead to macoff receving a smaller value then -sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr -is set, an out-of-bounds write will occur when -calling virtio_net_hdr_from_skb. - -The bug is fixed by converting netoff to unsigned int -and checking if it exceeds USHRT_MAX. - -This addresses CVE-2020-14386 - -Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") -Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com> -Signed-off-by: Eric Dumazet <edumazet@google.com> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Sasha Levin <sashal@kernel.org> ---- - net/packet/af_packet.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 301f41d4929bd..82f7802983797 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -2170,7 +2170,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, - int skb_len = skb->len; - unsigned int snaplen, res; - unsigned long status = TP_STATUS_USER; -- unsigned short macoff, netoff, hdrlen; -+ unsigned short macoff, hdrlen; -+ unsigned int netoff; - struct sk_buff *copy_skb = NULL; - struct timespec64 ts; - __u32 ts_status; -@@ -2239,6 +2240,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, - } - macoff = netoff - maclen; - } -+ if (netoff > USHRT_MAX) { -+ atomic_inc(&po->tp_drops); -+ goto drop_n_restore; -+ } - if (po->tp_version <= TPACKET_V2) { - if (macoff + snaplen > po->rx_ring.frame_size) { - if (po->copy_thresh && --- -2.25.1 - |