diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2018-05-30 08:32:04 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2018-05-30 08:32:04 +0200 |
commit | f3e29be1d9d424170a3d4a286f4e23d1ed1634f2 (patch) | |
tree | c80fa31cb5c0d7502aeec704a002bcf52790f898 | |
parent | 39e3aee01e28250ecd9d4b8fc5be3fc15a2126e5 (diff) | |
parent | 7cbd09983ea552a3bc0ad50abd68423a35ac15dd (diff) | |
download | kernel-f3e29be1d9d424170a3d4a286f4e23d1ed1634f2.tar.gz kernel-f3e29be1d9d424170a3d4a286f4e23d1ed1634f2.tar.xz kernel-f3e29be1d9d424170a3d4a286f4e23d1ed1634f2.zip |
Merge remote-tracking branch 'origin/f27' into f27-user-thl-vanilla-fedora
-rw-r--r-- | arm-crypto-sunxi-ss-Add-MODULE_ALIAS-to-sun4i-ss.patch | 28 | ||||
-rw-r--r-- | ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch | 70 | ||||
-rw-r--r-- | kernel.spec | 10 |
3 files changed, 76 insertions, 32 deletions
diff --git a/arm-crypto-sunxi-ss-Add-MODULE_ALIAS-to-sun4i-ss.patch b/arm-crypto-sunxi-ss-Add-MODULE_ALIAS-to-sun4i-ss.patch deleted file mode 100644 index 45941edd0..000000000 --- a/arm-crypto-sunxi-ss-Add-MODULE_ALIAS-to-sun4i-ss.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 7a2e67bfa5316e267e782477ec880e2464fd682a Mon Sep 17 00:00:00 2001 -From: Peter Robinson <pbrobinson@gmail.com> -Date: Sun, 11 Feb 2018 21:28:41 +0000 -Subject: [PATCH] crypto: sunxi-ss: Add MODULE_ALIAS to sun4i-ss - -The MODULE_ALIAS is required to enable the sun4i-ss driver to load -automatically when built at a module. Tested on a Cubietruck. - -Signed-off-by: Peter Robinson <pbrobinson@gmail.com> ---- - drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-core.c b/drivers/crypto/sunxi-ss/sun4i-ss-core.c -index 1547cbe13dc2..a81d89b3b7d8 100644 ---- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c -+++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c -@@ -451,6 +451,7 @@ static struct platform_driver sun4i_ss_driver = { - - module_platform_driver(sun4i_ss_driver); - -+MODULE_ALIAS("platform:sun4i-ss"); - MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator"); - MODULE_LICENSE("GPL"); - MODULE_AUTHOR("Corentin LABBE <clabbe.montjoie@gmail.com>"); --- -2.14.3 - diff --git a/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch b/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch new file mode 100644 index 000000000..6befea749 --- /dev/null +++ b/ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch @@ -0,0 +1,70 @@ +From e787b36fc8d972fa762ddc91062812c26e0331c0 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Wed, 23 May 2018 11:31:03 -0400 +Subject: [PATCH] ext4: correctly handle a zero-length xattr with a non-zero + e_value_offs + +Ext4 will always create ext4 extended attributes which do not have a +value (where e_value_size is zero) with e_value_offs set to zero. In +most places e_value_offs will not be used in a substantive way if +e_value_size is zero. + +There was one exception to this, which is in ext4_xattr_set_entry(), +where if there is a maliciously crafted file system where there is an +extended attribute with e_value_offs is non-zero and e_value_size is +0, the attempt to remove this xattr will result in a negative value +getting passed to memmove, leading to the following sadness: + +[ 41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null) +[ 44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000 +[ 44.538733] IP: __memmove+0x81/0x1a0 +[ 44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1 +[ 44.538793] Oops: 0003 [#1] SMP PTI +[ 44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1 + ... +[ 44.539475] Call Trace: +[ 44.539832] ext4_xattr_set_entry+0x9e7/0xf80 + ... +[ 44.539972] ext4_xattr_block_set+0x212/0xea0 + ... +[ 44.540041] ext4_xattr_set_handle+0x514/0x610 +[ 44.540065] ext4_xattr_set+0x7f/0x120 +[ 44.540090] __vfs_removexattr+0x4d/0x60 +[ 44.540112] vfs_removexattr+0x75/0xe0 +[ 44.540132] removexattr+0x4d/0x80 + ... +[ 44.540279] path_removexattr+0x91/0xb0 +[ 44.540300] SyS_removexattr+0xf/0x20 +[ 44.540322] do_syscall_64+0x71/0x120 +[ 44.540344] entry_SYSCALL_64_after_hwframe+0x21/0x86 + +https://bugzilla.kernel.org/show_bug.cgi?id=199347 + +This addresses CVE-2018-10840. + +Reported-by: "Xu, Wen" <wen.xu@gatech.edu> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Reviewed-by: Andreas Dilger <adilger@dilger.ca> +Cc: stable@kernel.org +Fixes: dec214d00e0d7 ("ext4: xattr inode deduplication") +Signed-off-by: Jeremy Cline <jcline@redhat.com> +--- + fs/ext4/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index 499cb4b1fbd2..fc4ced59c565 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1688,7 +1688,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, + + /* No failures allowed past this point. */ + +- if (!s->not_found && here->e_value_offs) { ++ if (!s->not_found && here->e_value_size && here->e_value_offs) { + /* Remove the old value. */ + void *first_val = s->base + min_offs; + size_t offs = le16_to_cpu(here->e_value_offs); +-- +2.17.0 + diff --git a/kernel.spec b/kernel.spec index 92509b8ff..2de3f03e0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -604,9 +604,6 @@ Patch306: wcn36xx-Fix-firmware-crash-due-to-corrupted-buffer-address.patch # https://patchwork.kernel.org/patch/10245303/ Patch307: wcn36xx-reduce-verbosity-of-drivers-messages.patch -# https://www.spinics.net/lists/arm-kernel/msg632925.html -Patch308: arm-crypto-sunxi-ss-Add-MODULE_ALIAS-to-sun4i-ss.patch - # Fix USB on the RPi https://patchwork.kernel.org/patch/9879371/ Patch309: bcm283x-dma-mapping-skip-USB-devices-when-configuring-DMA-during-probe.patch @@ -689,6 +686,9 @@ Patch511: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch # https://www.spinics.net/lists/linux-acpi/msg82405.html Patch512: mailbox-ACPI-erroneous-error-message-when-parsing-ACPI.patch +# CVE-2018-10840 rhbz 1582346 1582348 +Patch513: ext4-correctly-handle-a-zero-length-xattr-with-a-non.patch + # END OF PATCH DEFINITIONS %endif @@ -1945,7 +1945,9 @@ fi # # %changelog -* Fri May 25 2018 Jeremy Cline <jeremy@jcline.org> +* Fri May 25 2018 Jeremy Cline <jcline@redhat.com> - 4.16.12-200 +- Linux v4.16.12 +- Fix CVE-2018-10840 (rhbz 1582346 1582348) - Fix for incorrect error message about parsing PCCT (rhbz 1435837) * Tue May 22 2018 Jeremy Cline <jcline@redhat.com> - 4.16.11-200 |