author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-20 07:23:29 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-05-20 07:23:29 +0200 |
commit | 548bd774375743a155cc9259c321078039b1ca05 (patch) | |
tree | c23d9b3cf5680f7567249dfe8deb8fbf0bd17693 | |
parent | 363f9b90ebfbd8cb4811186724d7893148b5b6cf (diff) | |
parent | fe50f1157ad34d8bef154c7e061e07f1df3cb99d (diff) | |
Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedorakernel-4.5.5-200.vanilla.knurd.1.fc23kernel-4.5.5-200.vanilla.knurd.1.fc22
-rw-r--r-- | KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch | 91 | ||||
-rw-r--r-- | KVM-MTRR-remove-MSR-0x2f8.patch | 49 | ||||
-rw-r--r-- | Makefile | 1 | ||||
-rw-r--r-- | Makefile.release | 1 | ||||
-rw-r--r-- | bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch | 46 | ||||
-rw-r--r-- | bpf-fix-refcnt-overflow.patch | 158 | ||||
-rw-r--r-- | config-debug | 2 | ||||
-rw-r--r-- | config-generic | 1 | ||||
-rw-r--r-- | config-nodebug | 2 | ||||
-rw-r--r-- | ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch | 40 | ||||
-rw-r--r-- | kernel.spec | 32 | ||||
-rw-r--r-- | net-fix-infoleak-in-llc.patch | 32 | ||||
-rw-r--r-- | net-fix-infoleak-in-rtnetlink.patch | 50 | ||||
-rw-r--r-- | sources | 2 |
14 files changed, 167 insertions, 340 deletions
diff --git a/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch b/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
new file mode 100644
index 000000000..957de0977
--- /dev/null
+++ b/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
@@ -0,0 +1,91 @@ +From 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Tue, 23 Feb 2016 11:03:12 +0000 +Subject: [PATCH] KEYS: Fix ASN.1 indefinite length object parsing + +This fixes CVE-2016-0758. + +In the ASN.1 decoder, when the length field of an ASN.1 value is extracted, +it isn't validated against the remaining amount of data before being added +to the cursor. With a sufficiently large size indicated, the check: + + datalen - dp < 2 + +may then fail due to integer overflow. + +Fix this by checking the length indicated against the amount of remaining +data in both places a definite length is determined. + +Whilst we're at it, make the following changes: + + (1) Check the maximum size of extended length does not exceed the capacity + of the variable it's being stored in (len) rather than the type that + variable is assumed to be (size_t). + + (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the + integer 0. + + (3) To reduce confusion, move the initialisation of len outside of: + + for (len = 0; n > 0; n--) { + + since it doesn't have anything to do with the loop counter n. + +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com> +Acked-by: David Woodhouse <David.Woodhouse@intel.com> +Acked-by: Peter Jones <pjones@redhat.com> +--- + lib/asn1_decoder.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c +index 2b3f46c049d4..554522934c44 100644 +--- a/lib/asn1_decoder.c ++++ b/lib/asn1_decoder.c +@@ -74,7 +74,7 @@ next_tag: + + /* Extract a tag from the data */ + tag = data[dp++]; +- if (tag == 0) { ++ if (tag == ASN1_EOC) { + /* It appears to be an EOC. 
*/ + if (data[dp++] != 0) + goto invalid_eoc; +@@ -96,10 +96,8 @@ next_tag: + + /* Extract the length */ + len = data[dp++]; +- if (len <= 0x7f) { +- dp += len; +- goto next_tag; +- } ++ if (len <= 0x7f) ++ goto check_length; + + if (unlikely(len == ASN1_INDEFINITE_LENGTH)) { + /* Indefinite length */ +@@ -110,14 +108,18 @@ next_tag: + } + + n = len - 0x80; +- if (unlikely(n > sizeof(size_t) - 1)) ++ if (unlikely(n > sizeof(len) - 1)) + goto length_too_long; + if (unlikely(n > datalen - dp)) + goto data_overrun_error; +- for (len = 0; n > 0; n--) { ++ len = 0; ++ for (; n > 0; n--) { + len <<= 8; + len |= data[dp++]; + } ++check_length: ++ if (len > datalen - dp) ++ goto data_overrun_error; + dp += len; + goto next_tag; + +-- +2.5.5 + diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch new file mode 100644 index 000000000..8066b2e8f --- /dev/null +++ b/KVM-MTRR-remove-MSR-0x2f8.patch 
@@ -0,0 +1,49 @@ +From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com> +Date: Mon, 16 May 2016 09:45:35 -0400 +Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support +was introduced by 9ba075a664df ("KVM: MTRR support"). + +0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the +size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8, +which made access to index 124 out of bounds. The surrounding code only +WARNs in this situation, thus the guest gained a limited read/write +access to struct kvm_arch_vcpu. + +0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR +MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8 +was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was +not implemented in KVM, therefore 0x2f8 could never do anything useful +and getting rid of it is safe. + +This fixes CVE-2016-TBD. + +Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") +Cc: stable@vger.kernel.org +Reported-by: David Matlack <dmatlack@google.com> +Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> +--- + arch/x86/kvm/mtrr.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c +index 3f8c732117ec..c146f3c262c3 100644 +--- a/arch/x86/kvm/mtrr.c ++++ b/arch/x86/kvm/mtrr.c +@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr) + case MSR_MTRRdefType: + case MSR_IA32_CR_PAT: + return true; +- case 0x2f8: +- return true; + } + return false; + } +-- +2.5.5 + 
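Review bot: The description inside the new KVM-MTRR-remove-MSR-0x2f8.patch still carries the placeholder `This fixes CVE-2016-TBD.`, whereas kernel.spec tags the same file `#CVE-2016-3713 rhbz 1332139 1336410`. Anyone triaging from the patch directory alone cannot map the file to the advisory, so either replace the placeholder with `This fixes CVE-2016-3713.` or keep the upstream text verbatim and state in the spec comment that the upstream message predates the CVE assignment. The code change itself, dropping the `case 0x2f8:` arm of msr_mtrr_valid, matches the description and needs nothing further.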
@@ -37,6 +37,7 @@ debug: @perl -pi -e 's/# CONFIG_PROVE_RCU is not set/CONFIG_PROVE_RCU=y/' config-nodebug @perl -pi -e 's/# CONFIG_DEBUG_SPINLOCK is not set/CONFIG_DEBUG_SPINLOCK=y/' config-nodebug @perl -pi -e 's/# CONFIG_DEBUG_VM is not set/CONFIG_DEBUG_VM=y/' config-nodebug + @perl -pi -e 's/# CONFIG_DEBUG_VM_PGFLAGS is not set/CONFIG_DEBUG_VM_PGFLAGS=y/' config-nodebug @perl -pi -e 's/# CONFIG_FAULT_INJECTION is not set/CONFIG_FAULT_INJECTION=y/' config-nodebug @perl -pi -e 's/# CONFIG_FAILSLAB is not set/CONFIG_FAILSLAB=y/' config-nodebug @perl -pi -e 's/# CONFIG_FAIL_PAGE_ALLOC is not set/CONFIG_FAIL_PAGE_ALLOC=y/' config-nodebug diff --git a/Makefile.release b/Makefile.release index fcd90814f..da1a2fba3 100644 --- a/Makefile.release +++ b/Makefile.release @@ -17,6 +17,7 @@ config-release: @perl -pi -e 's/CONFIG_PROVE_RCU=y/# CONFIG_PROVE_RCU is not set/' config-nodebug @perl -pi -e 's/CONFIG_DEBUG_SPINLOCK=y/# CONFIG_DEBUG_SPINLOCK is not set/' config-nodebug @perl -pi -e 's/CONFIG_DEBUG_VM=y/# CONFIG_DEBUG_VM is not set/' config-nodebug + @perl -pi -e 's/CONFIG_DEBUG_VM_PGFLAGS=y/# CONFIG_DEBUG_VM_PGFLAGS is not set/' config-nodebug @perl -pi -e 's/CONFIG_FAULT_INJECTION=y/# CONFIG_FAULT_INJECTION is not set/' config-nodebug @perl -pi -e 's/CONFIG_FAILSLAB=y/# CONFIG_FAILSLAB is not set/' config-nodebug @perl -pi -e 's/CONFIG_FAIL_PAGE_ALLOC=y/# CONFIG_FAIL_PAGE_ALLOC is not set/' config-nodebug diff --git a/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch b/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch deleted file mode 100644 index 3ba32bae7..000000000 --- a/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001 -From: Jann Horn <jannh@google.com> -Date: Tue, 26 Apr 2016 22:26:26 +0200 -Subject: [PATCH] bpf: fix double-fdput in replace_map_fd_with_map_ptr() - -When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode -references a non-map file descriptor as a map file descriptor, the error -handling code called fdput() twice instead of once (in __bpf_map_get() and -in replace_map_fd_with_map_ptr()). If the file descriptor table of the -current task is shared, this causes f_count to be decremented too much, -allowing the struct file to be freed while it is still in use -(use-after-free). This can be exploited to gain root privileges by an -unprivileged user. - -This bug was introduced in -commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only -exploitable since -commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because -previously, CAP_SYS_ADMIN was required to reach the vulnerable code. - -(posted publicly according to request by maintainer) - -Signed-off-by: Jann Horn <jannh@google.com> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Acked-by: Alexei Starovoitov <ast@kernel.org> -Acked-by: Daniel Borkmann <daniel@iogearbox.net> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - kernel/bpf/verifier.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 618ef77c302a..db2574e7b8b0 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) - if (IS_ERR(map)) { - verbose("fd %d is not pointing to valid bpf_map\n", - insn->imm); -- fdput(f); - return PTR_ERR(map); - } - --- -2.5.5 - diff --git a/bpf-fix-refcnt-overflow.patch b/bpf-fix-refcnt-overflow.patch deleted file mode 100644 index 1143c8286..000000000 --- a/bpf-fix-refcnt-overflow.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -From 86db8dac9286f8397434184a6b442b6419e54ec0 Mon Sep 17 00:00:00 2001 -From: Alexei Starovoitov <ast@fb.com> -Date: Wed, 27 Apr 2016 18:56:20 -0700 -Subject: [PATCH] bpf: fix refcnt overflow - -On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK, -the malicious application may overflow 32-bit bpf program refcnt. -It's also possible to overflow map refcnt on 1Tb system. -Impose 32k hard limit which means that the same bpf program or -map cannot be shared by more than 32k processes. - -Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs") -Reported-by: Jann Horn <jannh@google.com> -Signed-off-by: Alexei Starovoitov <ast@kernel.org> -Acked-by: Daniel Borkmann <daniel@iogearbox.net> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - include/linux/bpf.h | 3 ++- - kernel/bpf/inode.c | 7 ++++--- - kernel/bpf/syscall.c | 24 ++++++++++++++++++++---- - kernel/bpf/verifier.c | 11 +++++++---- - 4 files changed, 33 insertions(+), 12 deletions(-) - -diff --git a/include/linux/bpf.h b/include/linux/bpf.h -index 83d1926c61e4..67bc2da5d233 100644 ---- a/include/linux/bpf.h -+++ b/include/linux/bpf.h -@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_prog_type_list *tl); - void bpf_register_map_type(struct bpf_map_type_list *tl); - - struct bpf_prog *bpf_prog_get(u32 ufd); -+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog); - void bpf_prog_put(struct bpf_prog *prog); - void bpf_prog_put_rcu(struct bpf_prog *prog); - - struct bpf_map *bpf_map_get_with_uref(u32 ufd); - struct bpf_map *__bpf_map_get(struct fd f); --void bpf_map_inc(struct bpf_map *map, bool uref); -+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref); - void bpf_map_put_with_uref(struct bpf_map *map); - void bpf_map_put(struct bpf_map *map); - -diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c -index 5a8a797d50b7..d1a7646f79c5 100644 ---- a/kernel/bpf/inode.c -+++ b/kernel/bpf/inode.c -@@ -31,10 +31,10 @@ static void *bpf_any_get(void 
*raw, enum bpf_type type) - { - switch (type) { - case BPF_TYPE_PROG: -- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt); -+ raw = bpf_prog_inc(raw); - break; - case BPF_TYPE_MAP: -- bpf_map_inc(raw, true); -+ raw = bpf_map_inc(raw, true); - break; - default: - WARN_ON_ONCE(1); -@@ -277,7 +277,8 @@ static void *bpf_obj_do_get(const struct filename *pathname, - goto out; - - raw = bpf_any_get(inode->i_private, *type); -- touch_atime(&path); -+ if (!IS_ERR(raw)) -+ touch_atime(&path); - - path_put(&path); - return raw; -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 3b39550d8485..4e32cc94edd9 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -181,11 +181,18 @@ struct bpf_map *__bpf_map_get(struct fd f) - return f.file->private_data; - } - --void bpf_map_inc(struct bpf_map *map, bool uref) -+/* prog's and map's refcnt limit */ -+#define BPF_MAX_REFCNT 32768 -+ -+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref) - { -- atomic_inc(&map->refcnt); -+ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) { -+ atomic_dec(&map->refcnt); -+ return ERR_PTR(-EBUSY); -+ } - if (uref) - atomic_inc(&map->usercnt); -+ return map; - } - - struct bpf_map *bpf_map_get_with_uref(u32 ufd) -@@ -197,7 +204,7 @@ struct bpf_map *bpf_map_get_with_uref(u32 ufd) - if (IS_ERR(map)) - return map; - -- bpf_map_inc(map, true); -+ map = bpf_map_inc(map, true); - fdput(f); - - return map; -@@ -580,6 +587,15 @@ static struct bpf_prog *__bpf_prog_get(struct fd f) - return f.file->private_data; - } - -+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog) -+{ -+ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) { -+ atomic_dec(&prog->aux->refcnt); -+ return ERR_PTR(-EBUSY); -+ } -+ return prog; -+} -+ - /* called by sockets/tracing/seccomp before attaching program to an event - * pairs with bpf_prog_put() - */ -@@ -592,7 +608,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd) - if (IS_ERR(prog)) - return prog; - -- atomic_inc(&prog->aux->refcnt); -+ prog 
= bpf_prog_inc(prog); - fdput(f); - - return prog; -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 2e7f7ab739e4..060e4c4c37ea 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2023,15 +2023,18 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) - return -E2BIG; - } - -- /* remember this map */ -- env->used_maps[env->used_map_cnt++] = map; -- - /* hold the map. If the program is rejected by verifier, - * the map will be released by release_maps() or it - * will be used by the valid program until it's unloaded - * and all maps are released in free_bpf_prog_info() - */ -- bpf_map_inc(map, false); -+ map = bpf_map_inc(map, false); -+ if (IS_ERR(map)) { -+ fdput(f); -+ return PTR_ERR(map); -+ } -+ env->used_maps[env->used_map_cnt++] = map; -+ - fdput(f); - next_insn: - insn++; --- -2.5.5 - diff --git a/config-debug b/config-debug index fc6505b48..c0b226889 100644 --- a/config-debug +++ b/config-debug @@ -128,3 +128,5 @@ CONFIG_EDAC_DEBUG=y CONFIG_SPI_DEBUG=y CONFIG_X86_DEBUG_STATIC_CPU_HAS=y + +CONFIG_DEBUG_VM_PGFLAGS=y diff --git a/config-generic b/config-generic index ccc53d89a..a62e247a8 100644 --- a/config-generic +++ b/config-generic @@ -4822,7 +4822,6 @@ CONFIG_DEBUG_BOOT_PARAMS=y CONFIG_DEBUG_VM=y # CONFIG_DEBUG_VM_VMACACHE is not set # CONFIG_DEBUG_VM_RB is not set # revisit this if performance isn't horrible -CONFIG_DEBUG_VM_PGFLAGS=y # CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set CONFIG_LOCKUP_DETECTOR=y # CONFIG_DEBUG_INFO_REDUCED is not set diff --git a/config-nodebug b/config-nodebug index c173637a2..c070f68cf 100644 --- a/config-nodebug +++ b/config-nodebug @@ -128,3 +128,5 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_SPI_DEBUG is not set # CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set + +# CONFIG_DEBUG_VM_PGFLAGS is not set 
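Review bot: In the config-generic hunk the context line `# revisit this if performance isn't horrible` now sits directly above `# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set`, but it was written for the removed `CONFIG_DEBUG_VM_PGFLAGS=y` line and now reads as a stale remark about the wrong option. Drop it from config-generic, or carry it along with the option into config-debug beside the appended `CONFIG_DEBUG_VM_PGFLAGS=y`, where it still applies. The config-debug and config-nodebug hunks also append the option after a blank line at the very end of each file instead of next to the other CONFIG_DEBUG_VM settings; grouping it with them keeps the three fragments easier to diff against one another.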
diff --git a/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch b/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch deleted file mode 100644 index 9e4cf4e0e..000000000 --- a/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 9f79323a0aebccb9915ab8f4b7dcf531578b9cf9 Mon Sep 17 00:00:00 2001 -From: Paolo Abeni <pabeni@redhat.com> -Date: Thu, 21 Apr 2016 20:23:31 -0400 -Subject: [PATCH] ipv4/fib: don't warn when primary address is missing if - in_dev is dead - -After commit fbd40ea0180a ("ipv4: Don't do expensive useless work -during inetdev destroy.") when deleting an interface, -fib_del_ifaddr() can be executed without any primary address -present on the dead interface. - -The above is safe, but triggers some "bug: prim == NULL" warnings. - -This commit avoids warning if the in_dev is dead - -Signed-off-by: Paolo Abeni <pabeni@redhat.com> ---- - net/ipv4/fib_frontend.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c -index 8a9246deccfe..63566ec54794 100644 ---- a/net/ipv4/fib_frontend.c -+++ b/net/ipv4/fib_frontend.c -@@ -904,7 +904,11 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) - if (ifa->ifa_flags & IFA_F_SECONDARY) { - prim = inet_ifa_byprefix(in_dev, any, ifa->ifa_mask); - if (!prim) { -- pr_warn("%s: bug: prim == NULL\n", __func__); -+ /* if the device has been deleted, we don't perform -+ * address promotion -+ */ -+ if (!in_dev->dead) -+ pr_warn("%s: bug: prim == NULL\n", __func__); - return; - } - if (iprim && iprim != prim) { --- -2.5.5 - diff --git a/kernel.spec b/kernel.spec index c52549aae..46b0a1da1 100644 --- a/kernel.spec +++ b/kernel.spec @@ -60,7 +60,7 @@ Summary: The Linux kernel # Do we have a -stable update to apply? -%define stable_update 4 +%define stable_update 5 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} 
@@ -654,9 +654,6 @@ Patch701: antenna_select.patch #rhbz 1302071 Patch702: x86-build-Build-compressed-x86-kernels-as-PIE.patch -# Follow on for CVE-2016-3156 -Patch703: ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch - # Stop splashing crap about broken firmware BGRT Patch704: x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch @@ -666,14 +663,6 @@ Patch705: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch #CVE-2016-4482 rhbz 1332931 1332932 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch -#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321 -Patch707: net-fix-infoleak-in-llc.patch -Patch708: net-fix-infoleak-in-rtnetlink.patch - -#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311 -Patch711: bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch -Patch712: bpf-fix-refcnt-overflow.patch - #rhbz 1328633 Patch713: sp5100_tco-properly-check-for-new-register-layouts.patch @@ -682,6 +671,12 @@ Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch +#CVE-2016-0758 rhbz 1300257 1335386 +Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch + +#CVE-2016-3713 rhbz 1332139 1336410 +Patch718: KVM-MTRR-remove-MSR-0x2f8.patch + # END OF PATCH DEFINITIONS %endif 
@@ -2206,6 +2201,19 @@ fi # # %changelog +* Thu May 19 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.5.5-200 +- Linux v4.5.5 +- CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529) + +* Mon May 16 2016 Justin M. Forbes <jforbes@fedoraproject.org> +- Disable CONFIG_DEBUG_VM_PGFLAGS on non debug kernels (rhbz 1335173) + +* Mon May 16 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410) + +* Fri May 13 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-0758 pointer corruption in asn1 decoder (rhbz 1300257 1335386) + * Wed May 11 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.4-200 - Linux v4.5.4 diff --git a/net-fix-infoleak-in-llc.patch b/net-fix-infoleak-in-llc.patch deleted file mode 100644 index 38f0d506a..000000000 --- a/net-fix-infoleak-in-llc.patch +++ /dev/null @@ -1,32 +0,0 @@ -From ec0de35ded8c4a8588290a1b442aa3aa4bdf4de1 Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:35:05 -0400 -Subject: [PATCH 2/2] net: fix infoleak in llc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “info” has a total size of 12 bytes. Its last byte -is padding which is not initialized and leaked via “put_cmsg”. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/llc/af_llc.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c -index b3c52e3f689a..8ae3ed97d95c 100644 ---- a/net/llc/af_llc.c -+++ b/net/llc/af_llc.c -@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb) - if (llc->cmsg_flags & LLC_CMSG_PKTINFO) { - struct llc_pktinfo info; - -+ memset(&info, 0, sizeof(info)); - info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex; - llc_pdu_decode_dsap(skb, &info.lpi_sap); - llc_pdu_decode_da(skb, info.lpi_mac); --- -2.5.5 - 
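Review bot: The new 4.5.5-200 changelog entry does not record that Patch703, Patch707, Patch708, Patch711 and Patch712 (the CVE-2016-3156 follow-on, the CVE-2016-4485/4486 infoleak fixes and the CVE-2016-4557/4558 bpf fixes) are removed in the same commit, presumably because the 4.5.5 stable update carries them. Someone auditing the spec for those CVEs finds the patch entries gone with no note of where the fixes went; a line such as `- Drop patches now included in 4.5.5 (CVE-2016-3156 follow-on, CVE-2016-4485, CVE-2016-4486, CVE-2016-4557, CVE-2016-4558)` under the May 19 entry would close that gap. If the %prep section still references any of the dropped patches explicitly, that part of the spec lies outside these hunks and should be checked as well.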
diff --git a/net-fix-infoleak-in-rtnetlink.patch b/net-fix-infoleak-in-rtnetlink.patch deleted file mode 100644 index 0da35108d..000000000 --- a/net-fix-infoleak-in-rtnetlink.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 55a8a812d867ec9953bde7d86eef255a1abbf93e Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:46:24 -0400 -Subject: [PATCH 1/2] net: fix infoleak in rtnetlink -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “map” has a total size of 32 bytes. Its last 4 -bytes are padding generated by compiler. These padding bytes are -not initialized and sent out via “nla_put”. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/core/rtnetlink.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index a75f7e94b445..65763c29f845 100644 ---- a/net/core/rtnetlink.c -+++ b/net/core/rtnetlink.c -@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, - - static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev) - { -- struct rtnl_link_ifmap map = { -- .mem_start = dev->mem_start, -- .mem_end = dev->mem_end, -- .base_addr = dev->base_addr, -- .irq = dev->irq, -- .dma = dev->dma, -- .port = dev->if_port, -- }; -+ struct rtnl_link_ifmap map; -+ -+ memset(&map, 0, sizeof(map)); -+ map.mem_start = dev->mem_start; -+ map.mem_end = dev->mem_end; -+ map.base_addr = dev->base_addr; -+ map.irq = dev->irq; -+ map.dma = dev->dma; -+ map.port = dev->if_port; -+ - if (nla_put(skb, IFLA_MAP, sizeof(map), &map)) - return -EMSGSIZE; - --- -2.5.5 - @@ -1,3 +1,3 @@ a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz 6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz -137460a1e32335e2eedc61fcfc2643fa patch-4.5.4.xz +fe89010925304f6f07713741f0c8e811 patch-4.5.5.xz |