author | Thorsten Leemhuis <fedora@leemhuis.info> | 2018-07-11 17:44:09 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2018-07-11 17:44:09 +0200 |
commit | 9effa9a512a4497cf107d27628ea6569666d8b93 (patch) | |
tree | 1beaadfab344a924a4a6cf796d1966890dd9aa18 | |
parent | ad3864c8e05c8583ffb00f45dec0eca74975560e (diff) | |
parent | 807bacdbd367dec620b68b575564a918c938b1b6 (diff) | |
Merge remote-tracking branch 'origin/f28' into f28-user-thl-vanilla-fedora
-rw-r--r-- | 0001-xfs-More-robust-inode-extent-count-validation.patch | 82 | ||||
-rw-r--r-- | Bluetooth-btusb-Add-additional-device-ID-for-RTL8822.patch | 63 | ||||
-rw-r--r-- | CVE-2018-13405.patch | 47 | ||||
-rw-r--r-- | kernel.spec | 13 |
4 files changed, 205 insertions, 0 deletions
diff --git a/0001-xfs-More-robust-inode-extent-count-validation.patch b/0001-xfs-More-robust-inode-extent-count-validation.patch
index 767eb6fac..f24aa88d2 100644
--- a/0001-xfs-More-robust-inode-extent-count-validation.patch
+++ b/0001-xfs-More-robust-inode-extent-count-validation.patch
@@ -1,3 +1,85 @@
+From 7d71a671a2d900606d3a62ed5976d3b0feada3a6 Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Tue, 5 Jun 2018 10:06:44 -0700
+Subject: [PATCH] xfs: verify extent size hint is valid in inode verifier
+
+There are rules for vald extent size hints. We enforce them when
+applications set them, but fuzzers violate those rules and that
+screws us over.
+
+This results in alignment assertion failures when setting up
+allocations such as this in direct IO:
+
+XFS: Assertion failed: ap->length, file: fs/xfs/libxfs/xfs_bmap.c, line: 3432
+....
+Call Trace:
+ xfs_bmap_btalloc+0x415/0x910
+ xfs_bmapi_write+0x71c/0x12e0
+ xfs_iomap_write_direct+0x2a9/0x420
+ xfs_file_iomap_begin+0x4dc/0xa70
+ iomap_apply+0x43/0x100
+ iomap_file_buffered_write+0x62/0x90
+ xfs_file_buffered_aio_write+0xba/0x300
+ __vfs_write+0xd5/0x150
+ vfs_write+0xb6/0x180
+ ksys_write+0x45/0xa0
+ do_syscall_64+0x5a/0x180
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+And from xfs_db:
+
+core.extsize = 10380288
+
+Which is not an integer multiple of the block size, and so violates
+Rule #7 for setting extent size hints. Validate extent size hint
+rules in the inode verifier to catch this.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ fs/xfs/libxfs/xfs_inode_buf.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c
+index 1201107eabc6..1fe18555b451 100644
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -397,6 +397,7 @@ xfs_dinode_verify(
+ xfs_ino_t ino,
+ struct xfs_dinode *dip)
+ {
++ xfs_failaddr_t fa;
+ uint16_t mode;
+ uint16_t flags;
+ uint64_t flags2;
+@@ -513,6 +514,12 @@ xfs_dinode_verify(
+ return __this_address;
+ }
+
++ /* extent size hint validation */
++ fa = xfs_inode_validate_extsize(mp, be32_to_cpu(dip->di_extsize),
++ mode, flags);
++ if (fa)
++ return fa;
++
+ /* only version 3 or greater inodes are extensively verified here */
+ if (dip->di_version < 3)
+ return NULL;
+@@ -521,7 +528,7 @@ xfs_dinode_verify(
+
+ /* don't allow reflink/cowextsize if we don't have reflink */
+ if ((flags2 & (XFS_DIFLAG2_REFLINK | XFS_DIFLAG2_COWEXTSIZE)) &&
+- !xfs_sb_version_hasreflink(&mp->m_sb))
++ !xfs_sb_version_hasreflink(&mp->m_sb))
+ return __this_address;
+
+ /* only regular files get reflink */
+--
+2.17.1
+
 From 23fcb3340d033d9f081e21e6c12c2db7eaa541d3 Mon Sep 17 00:00:00 2001
 From: Dave Chinner <dchinner@redhat.com>
 Date: Thu, 21 Jun 2018 23:25:57 -0700
diff --git a/Bluetooth-btusb-Add-additional-device-ID-for-RTL8822.patch b/Bluetooth-btusb-Add-additional-device-ID-for-RTL8822.patch
new file mode 100644
index 000000000..b16400135
--- /dev/null
+++ b/Bluetooth-btusb-Add-additional-device-ID-for-RTL8822.patch
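Review bot: The patch file this hunk prepends to is named for, and listed in kernel.spec as, the CVE-2018-13095 fix (`Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch`), but after this change it carries two upstream commits, and the new first one (7d71a671a2d9, "xfs: verify extent size hint is valid in inode verifier") is not named anywhere in the spec or its changelog. Anyone auditing which inode-verifier hardening this build ships has to open the patch file to find it. I would either give it its own `PatchNNN:` entry (NNN being a free patch number) or extend the spec comment, e.g. `# CVE-2018-13095 rhbz 1597775 1597777 (file also carries the extsize-hint verifier commit)`. Whether the first commit is a strict prerequisite of the second is inferred from its placement only, so confirm before describing it that way.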
@@ -0,0 +1,63 @@
+From 1cd2fabf4bdcf95eda6a1bcebc4a0a965509da36 Mon Sep 17 00:00:00 2001
+From: Artiom Vaskov <velemas@gmail.com>
+Date: Wed, 30 May 2018 11:23:00 +0300
+Subject: [PATCH] Bluetooth: btusb: Add additional device ID for RTL8822BE
+
+The Asus ROG GL702ZC laptop contains a Realtek RTL8822BE device with
+an associated BT chip using a USB ID of 13d3:3526. This ID is added
+to the driver.
+
+The /sys/kernel/debug/usb/devices portion for this device is:
+
+T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=04 Dev#= 5 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3526 Rev= 1.10
+S: Manufacturer=Realtek
+S: Product=Bluetooth Radio
+S: SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Signed-off-by: Artiom Vaskov <velemas@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 3a477b6b3ce6..f73a27ea28cc 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -384,6 +384,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
+
+ /* Additional Realtek 8822BE Bluetooth devices */
++ { USB_DEVICE(0x13d3, 0x3526), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
+
+ /* Silicon Wave based devices */
+--
+2.17.1
+
diff --git a/CVE-2018-13405.patch b/CVE-2018-13405.patch
new file mode 100644
index 000000000..489e11f54
--- /dev/null
+++ b/CVE-2018-13405.patch
@@ -0,0 +1,47 @@
+From 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 3 Jul 2018 17:10:19 -0700
+Subject: [PATCH] Fix up non-directory creation in SGID directories
+
+sgid directories have special semantics, making newly created files in
+the directory belong to the group of the directory, and newly created
+subdirectories will also become sgid. This is historically used for
+group-shared directories.
+
+But group directories writable by non-group members should not imply
+that such non-group members can magically join the group, so make sure
+to clear the sgid bit on non-directories for non-members (but remember
+that sgid without group execute means "mandatory locking", just to
+confuse things even more).
+
+Reported-by: Jann Horn <jannh@google.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+---
+ fs/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 2c300e981796..8c86c809ca17 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1999,8 +1999,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
+ inode->i_uid = current_fsuid();
+ if (dir && dir->i_mode & S_ISGID) {
+ inode->i_gid = dir->i_gid;
++
++ /* Directories are special, and always inherit S_ISGID */
+ if (S_ISDIR(mode))
+ mode |= S_ISGID;
++ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
++ !in_group_p(inode->i_gid) &&
++ !capable_wrt_inode_uidgid(dir, CAP_FSETID))
++ mode &= ~S_ISGID;
+ } else
+ inode->i_gid = current_fsgid();
+ inode->i_mode = mode;
+--
+2.17.1
+
diff --git a/kernel.spec b/kernel.spec
index 27d0ad631..97d833378 100644
--- a/kernel.spec
+++ b/kernel.spec
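Review bot: The new `else if` branch in inode_init_owner() carries no comment, so the reason S_IXGRP is part of the mask is explained only in the commit message. Read on its own, the condition looks as if it overlooks setgid files that lack group-execute, when that combination is deliberately left alone because it denotes mandatory locking. I would add above the branch `/* Non-members without CAP_FSETID must not create sgid+group-exec files; sgid without S_IXGRP means mandatory locking and is kept */`. The check also lives only in this helper, so a filesystem that assigns i_gid and i_mode for new inodes without calling inode_init_owner() would presumably not get it; that is not visible here and is worth confirming for the filesystems this kernel enables. The function body starts and ends outside the hunk.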
@@ -663,6 +663,9 @@ Patch511: 2-2-xen-netfront-Update-features-after-registering-netdev.patch # rhbz 1591516 Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch +# rhbz 1599917 +Patch516: Bluetooth-btusb-Add-additional-device-ID-for-RTL8822.patch + # rhbz 1572944 Patch517: Revert-the-random-series-for-4.16.4.patch @@ -682,6 +685,9 @@ Patch522: 0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch # CVE-2018-13095 rhbz 1597775 1597777 Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch +# CVE-2018-13405 rhbz 1599161 1599162 +Patch524: CVE-2018-13405.patch + # END OF PATCH DEFINITIONS %endif @@ -1934,6 +1940,13 @@ fi # # %changelog +* Wed Jul 11 2018 Jeremy Cline <jeremy@jcline.org> +- Add device ID for RTL8822BE in the Asus ROG GL702ZC (rhbz 1599917) + +* Mon Jul 09 2018 Jeremy Cline <jcline@redhat.com> - 4.17.5-200 +- Linux v4.17.5 +- Fix CVE-2018-13405 (rhbz 1599161 1599162) + * Thu Jul 05 2018 Justin M. Forbes <jforbes@fedoraproject.org> - Fix CVE-2018-13053 (rhbz 1597747 1597748) - Fix CVE-2018-12896 (rhbz 1597759 1597760) |