author | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-06-09 15:27:57 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-06-09 15:27:57 +0200 |
commit | b3baae65308f18df27cc18f467d3d5b88529e91d (patch) | |
tree | a7b6842b225b185471bf83b3aadb03e10953f4eb | |
parent | bdf44c785806b56c6da268d38fa7adee81ccd7ab (diff) | |
parent | 6beb21eb200e9d513f908f0348940bcdd5925270 (diff) | |
Merge remote-tracking branch 'origin/f30' into f30-user-thl-vanilla-fedora
-rw-r--r-- | efi-lockdown.patch | 57 | ||||
-rw-r--r-- | kernel.spec | 19 | ||||
-rw-r--r-- | neighbor-Reset-gc_entries-counter-if-new-entry-is-re.patch | 41 | ||||
-rw-r--r-- | powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch | 34 | ||||
-rw-r--r-- | scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch | 43 |
5 files changed, 194 insertions, 0 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index fab50ef1a..f87488893 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -1794,3 +1794,60 @@ index 122797023bdb..f8f1cdb74a4f 100644
 --
 2.21.0
 
+From patchwork Wed Nov 21 12:05:10 2018
+Date: Wed, 21 Nov 2018 13:05:10 +0100
+From: Vasily Gorbik <gor@linux.ibm.com>
+Subject: [PATCH next-lockdown 1/1] debugfs: avoid EPERM when no open file
+ operation defined
+
+With "debugfs: Restrict debugfs when the kernel is locked down"
+return code "r" is unconditionally set to -EPERM, which stays like that
+until function return if no "open" file operation defined, effectivelly
+resulting in "Operation not permitted" for all such files despite kernel
+lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
+
+In particular this breaks 2 debugfs files on s390:
+/sys/kernel/debug/s390_hypfs/diag_304
+/sys/kernel/debug/s390_hypfs/diag_204
+
+To address that set EPERM return code only when debugfs_is_locked_down
+returns true.
+
+Fixes: 3fc322605158 ("debugfs: Restrict debugfs when the kernel is locked down")
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+---
+ fs/debugfs/file.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
+index 51cb894c21f2..89c86faaa02a 100644
+--- a/fs/debugfs/file.c
++++ b/fs/debugfs/file.c
+@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
+ 
+ real_fops = debugfs_real_fops(filp);
+ 
+- r = -EPERM;
+- if (debugfs_is_locked_down(inode, filp, real_fops))
++ if (debugfs_is_locked_down(inode, filp, real_fops)) {
++ r = -EPERM;
+ goto out;
++ }
+ 
+ real_fops = fops_get(real_fops);
+ if (!real_fops) {
+@@ -296,9 +297,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
+ return r == -EIO ? -ENOENT : r;
+ 
+ real_fops = debugfs_real_fops(filp);
+- r = -EPERM;
+- if (debugfs_is_locked_down(inode, filp, real_fops))
++ if (debugfs_is_locked_down(inode, filp, real_fops)) {
++ r = -EPERM;
+ goto out;
++ }
+ 
+ real_fops = fops_get(real_fops);
+ if (!real_fops) {
+--
+2.21.0
diff --git a/kernel.spec b/kernel.spec
index 5fe887fee..aee08a3a1 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -632,6 +632,15 @@ Patch534: clk-sunxi-fix-a-missing-check-bug-in-sunxi_divs_clk_setup.patch
 # CVE-2019-12454 rhbz 1716996 1717003
 Patch535: wcd9335-fix-a-incorrect-use-of-kstrndup.patch
 
+# CVE-2019-12456 rhbz 1717182 1717183
+Patch536: scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch
+
+# rhbz 1708717
+Patch537: neighbor-Reset-gc_entries-counter-if-new-entry-is-re.patch
+
+# CVE-2019-12614 rhbz 1718176 1718185
+Patch538: powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1873,6 +1882,16 @@ fi
 #
 #
 %changelog
+* Fri Jun 07 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-12614 (rhbz 1718176 1718185)
+
+* Thu Jun 06 2019 Jeremy Cline <jcline@redhat.com>
+- Fix incorrect permission denied with lock down off (rhbz 1658675)
+- Fix an issue with the IPv6 neighbor table (rhbz 1708717)
+
+* Wed Jun 05 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-12456 (rhbz 1717182 1717183)
+
 * Tue Jun 04 2019 Jeremy Cline <jcline@redhat.com> - 5.1.7-300
 - Linux v5.1.7
 - Fix CVE-2019-12455 (rhbz 1716990 1717003)
diff --git a/neighbor-Reset-gc_entries-counter-if-new-entry-is-re.patch b/neighbor-Reset-gc_entries-counter-if-new-entry-is-re.patch
new file mode 100644
index 000000000..6c4b078b5
--- /dev/null
+++ b/neighbor-Reset-gc_entries-counter-if-new-entry-is-re.patch
@@ -0,0 +1,41 @@
+From 51b840ae99c70e03ff463e3d98d4fcac2e31344c Mon Sep 17 00:00:00 2001
+From: David Ahern <dsahern@gmail.com>
+Date: Wed, 1 May 2019 18:08:34 -0700
+Subject: [PATCH] neighbor: Reset gc_entries counter if new entry is released
+ before insert
+
+Ian and Alan both reported seeing overflows after upgrades to 5.x kernels:
+ neighbour: arp_cache: neighbor table overflow!
+
+Alan's mpls script helped get to the bottom of this bug. When a new entry
+is created the gc_entries counter is bumped in neigh_alloc to check if a
+new one is allowed to be created. ___neigh_create then searches for an
+existing entry before inserting the just allocated one. If an entry
+already exists, the new one is dropped in favor of the existing one. In
+this case the cleanup path needs to drop the gc_entries counter. There
+is no memory leak, only a counter leak.
+
+Fixes: 58956317c8d ("neighbor: Improve garbage collection")
+Reported-by: Ian Kumlien <ian.kumlien@gmail.com>
+Reported-by: Alan Maguire <alan.maguire@oracle.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+---
+ net/core/neighbour.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 30f6fd8f68e0..aff051e5521d 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -663,6 +663,8 @@ static struct neighbour *___neigh_create(struct neigh_table *tbl,
+ out_tbl_unlock:
+ write_unlock_bh(&tbl->lock);
+ out_neigh_release:
++ if (!exempt_from_gc)
++ atomic_dec(&tbl->gc_entries);
+ neigh_release(n);
+ goto out;
+ }
+--
+2.21.0
+
diff --git a/powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch b/powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch
new file mode 100644
index 000000000..d4d14b8f9
--- /dev/null
+++ b/powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch
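Review bot: The decrement added at `out_neigh_release` carries no comment saying why the counter must be undone on this path, and the matching increment is not in view, so a reader has to re-derive the pairing from neigh_alloc() themselves. Suggest placing above the new `if`: `/* neigh_alloc() charged this entry to gc_entries but it was never inserted; give the slot back here */`. The description names only the duplicate-entry case, but if other failure paths also jump to `out_neigh_release` (not visible here) the decrement now applies to them as well, which looks intended since none of them inserted the entry either and is worth stating in the message. `___neigh_create()` starts and ends outside the hunk, and the `exempt_from_gc` flag the new lines read is defined outside it too.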
@@ -0,0 +1,34 @@
+From efa9ace68e487ddd29c2b4d6dd23242158f1f607 Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Sun, 26 May 2019 10:42:40 +0800
+Subject: powerpc/pseries/dlpar: Fix a missing check in
+ dlpar_parse_cc_property()
+
+In dlpar_parse_cc_property(), 'prop->name' is allocated by kstrdup().
+kstrdup() may return NULL, so it should be checked and handle error.
+And prop should be freed if 'prop->name' is NULL.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+---
+ arch/powerpc/platforms/pseries/dlpar.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c
+index 17958043e7f7..c852024044bb 100644
+--- a/arch/powerpc/platforms/pseries/dlpar.c
++++ b/arch/powerpc/platforms/pseries/dlpar.c
+@@ -61,6 +61,10 @@ static struct property *dlpar_parse_cc_property(struct cc_workarea *ccwa)
+ 
+ name = (char *)ccwa + be32_to_cpu(ccwa->name_offset);
+ prop->name = kstrdup(name, GFP_KERNEL);
++ if (!prop->name) {
++ dlpar_free_cc_property(prop);
++ return NULL;
++ }
+ 
+ prop->length = be32_to_cpu(ccwa->prop_length);
+ value = (char *)ccwa + be32_to_cpu(ccwa->prop_offset);
+--
+cgit 1.2-0.3.lf.el7
+
diff --git a/scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch b/scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch
new file mode 100644
index 000000000..7e282fe11
--- /dev/null
+++ b/scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch
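Review bot: The new early exit hands a half-initialised `prop` to `dlpar_free_cc_property()` with `prop->name` NULL and `prop->value` not yet assigned; that is only safe if `prop` was zero-allocated and the helper tolerates NULL members, and neither is visible in this hunk, so please confirm against the allocation above line 61 and the helper elsewhere in dlpar.c. A one-line comment would pin the assumption: `/* prop is zero-initialised, so freeing it with name/value still NULL is safe */`. Callers must also already cope with a NULL return from `dlpar_parse_cc_property()`, which the description implies but the hunk cannot show. The function starts and ends outside the hunk.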
@@ -0,0 +1,43 @@
+From 86e5aca7fa2927060839f3e3b40c8bd65a7e8d1e Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Thu, 30 May 2019 09:10:30 +0800
+Subject: scsi: mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()
+
+In _ctl_ioctl_main(), 'ioctl_header' is fetched the first time from
+userspace. 'ioctl_header.ioc_number' is then checked. The legal result is
+saved to 'ioc'. Then, in condition MPT3COMMAND, the whole struct is fetched
+again from the userspace. Then _ctl_do_mpt_command() is called, 'ioc' and
+'karg' as inputs.
+
+However, a malicious user can change the 'ioc_number' between the two
+fetches, which will cause a potential security issues. Moreover, a
+malicious user can provide a valid 'ioc_number' to pass the check in first
+fetch, and then modify it in the second fetch.
+
+To fix this, we need to recheck the 'ioc_number' in the second fetch.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Acked-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+ drivers/scsi/mpt3sas/mpt3sas_ctl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+index b2bb47c14d35..5181c03e82a6 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+@@ -2319,6 +2319,10 @@ _ctl_ioctl_main(struct file *file, unsigned int cmd, void __user *arg,
+ break;
+ }
+ 
++ if (karg.hdr.ioc_number != ioctl_header.ioc_number) {
++ ret = -EINVAL;
++ break;
++ }
+ if (_IOC_SIZE(cmd) == sizeof(struct mpt3_ioctl_command)) {
+ uarg = arg;
+ ret = _ctl_do_mpt_command(ioc, karg, &uarg->mf);
+--
+cgit 1.2-0.3.lf.el7
+ |
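Review bot: The added equality test reads as an ordinary sanity check, yet it is the whole fix for the double-fetch: `ioc` was resolved from the first copy of the header, and `karg` is a second copy that the caller could have altered in between. Suggest a comment above the `if`: `/* karg is a fresh copy from userspace; reject if ioc_number no longer matches the header ioc was looked up from (double-fetch / TOCTOU) */`. It is also worth checking, outside this hunk, whether any other `ioctl_header` field validated on the first fetch is later consumed from `karg.hdr`, since it would need the same guard. `_ctl_ioctl_main()` starts and ends outside the hunk.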