diff options
-rw-r--r-- | ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch | 33 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch | 34 | ||||
-rw-r--r-- | ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch | 34 | ||||
-rw-r--r-- | airspy-fix-error-logic-during-device-register.patch | 40 | ||||
-rw-r--r-- | config-powerpc64-generic | 2 | ||||
-rw-r--r-- | kernel.spec | 22 | ||||
-rw-r--r-- | platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch | 52 | ||||
-rw-r--r-- | qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch | 98 | ||||
-rw-r--r-- | sources | 2 |
9 files changed, 9 insertions, 308 deletions
diff --git a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch deleted file mode 100644 index 3eb8bf183..000000000 --- a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:44:07 -0400 -Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “tread” has a total size of 32 bytes. Its field -“event” and “val” both contain 4 bytes padding. These 8 bytes -padding bytes are sent to user without being initialized. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: Takashi Iwai <tiwai@suse.de> ---- - sound/core/timer.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/sound/core/timer.c b/sound/core/timer.c -index 6469bedda2f3..964f5ebf495e 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file, - if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { - if (tu->tread) { - struct snd_timer_tread tread; -+ memset(&tread, 0, sizeof(tread)); - tread.event = SNDRV_TIMER_EVENT_EARLY; - tread.tstamp.tv_sec = 0; - tread.tstamp.tv_nsec = 0; --- -2.5.5 - diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch deleted file mode 100644 index e6f46f8a8..000000000 --- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch +++ /dev/null @@ -1,34 +0,0 @@ -From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:44:20 -0400 -Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via - snd_timer_user_ccallback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “r1” has a total size of 32 bytes. Its field -“event” and “val” both contain 4 bytes padding. These 8 bytes -padding bytes are sent to user without being initialized. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: Takashi Iwai <tiwai@suse.de> ---- - sound/core/timer.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/sound/core/timer.c b/sound/core/timer.c -index 964f5ebf495e..e98fa5feb731 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri, - tu->tstamp = *tstamp; - if ((tu->filter & (1 << event)) == 0 || !tu->tread) - return; -+ memset(&r1, 0, sizeof(r1)); - r1.event = event; - r1.tstamp = *tstamp; - r1.val = resolution; --- -2.5.5 - diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch deleted file mode 100644 index 7851c55a2..000000000 --- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch +++ /dev/null @@ -1,34 +0,0 @@ -From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001 -From: Kangjie Lu <kangjielu@gmail.com> -Date: Tue, 3 May 2016 16:44:32 -0400 -Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via - snd_timer_user_tinterrupt -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “r1” has a total size of 32 bytes. Its field -“event” and “val” both contain 4 bytes padding. These 8 bytes -padding bytes are sent to user without being initialized. - -Signed-off-by: Kangjie Lu <kjlu@gatech.edu> -Signed-off-by: Takashi Iwai <tiwai@suse.de> ---- - sound/core/timer.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/sound/core/timer.c b/sound/core/timer.c -index e98fa5feb731..c69a27155433 100644 ---- a/sound/core/timer.c -+++ b/sound/core/timer.c -@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri, - } - if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && - tu->last_resolution != resolution) { -+ memset(&r1, 0, sizeof(r1)); - r1.event = SNDRV_TIMER_EVENT_RESOLUTION; - r1.tstamp = tstamp; - r1.val = resolution; --- -2.5.5 - diff --git a/airspy-fix-error-logic-during-device-register.patch b/airspy-fix-error-logic-during-device-register.patch deleted file mode 100644 index 575090d9d..000000000 --- a/airspy-fix-error-logic-during-device-register.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 785ef73dba6e9fefd2e5dd24546e0efa8698e5cd Mon Sep 17 00:00:00 2001 -From: James Patrick-Evans <james@jmp-e.com> -Date: Fri, 15 Jul 2016 12:40:45 -0300 -Subject: [media] airspy: fix error logic during device register - -This patch addresses CVE-2016-5400, a local DOS vulnerability caused by -a memory leak in the airspy usb device driver. - -The vulnerability is triggered when more than 64 usb devices register -with v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.A badusb device can -emulate 64 of these devices then through continual emulated -connect/disconnect of the 65th device, cause the kernel to run out of -RAM and crash the kernel. - -The vulnerability exists in kernel versions from 3.17 to current 4.7. - -The memory leak is caused by the probe function of the airspy driver -mishandeling errors and not freeing the corresponding control structures -when an error occours registering the device to v4l2 core. - -Signed-off-by: James Patrick-Evans <james@jmp-e.com> -Cc: stable@vger.kernel.org # Up to Kernel 3.17 -Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> - -diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c -index d807d58..19cd64c 100644 ---- a/drivers/media/usb/airspy/airspy.c -+++ b/drivers/media/usb/airspy/airspy.c -@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf, - if (ret) { - dev_err(s->dev, "Failed to register as video device (%d)\n", - ret); -- goto err_unregister_v4l2_dev; -+ goto err_free_controls; - } - dev_info(s->dev, "Registered as %s\n", - video_device_node_name(&s->vdev)); --- -cgit v0.10.2 - diff --git a/config-powerpc64-generic b/config-powerpc64-generic index de387d570..ca5fea962 100644 --- a/config-powerpc64-generic +++ b/config-powerpc64-generic @@ -113,7 +113,7 @@ CONFIG_I2C_OPAL=m CONFIG_RTC_DRV_OPAL=m CONFIG_SENSORS_IBMPOWERNV=y CONFIG_HW_RANDOM_POWERNV=m -CONFIG_POWERNV_CPUFREQ=m +CONFIG_POWERNV_CPUFREQ=y CONFIG_IPMI_POWERNV=m CONFIG_RTAS_FLASH=y CONFIG_OPAL_PRD=m diff --git a/kernel.spec b/kernel.spec index f07deea5d..f9d7782d7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -60,7 +60,7 @@ Summary: The Linux kernel # Do we have a -stable update to apply? -%define stable_update 5 +%define stable_update 6 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -624,11 +624,6 @@ Patch641: disable-CONFIG_EXPERT-for-ZONE_DMA.patch #CVE-2016-4482 rhbz 1332931 1332932 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch -#CVE-2016-4569 rhbz 1334643 1334645 -Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch -Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch -Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch - #CVE-2016-4440 rhbz 1337806 1337807 Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch @@ -660,12 +655,6 @@ Patch815: 0015-drm-i915-gen9-Calculate-watermarks-during-atomic-che.patch Patch816: 0016-drm-i915-gen9-Reject-display-updates-that-exceed-wm-.patch Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch -#CVE-2016-6156 rhbz 1353490 1353491 -Patch832: platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch - -#rhbz 1346753 -Patch834: qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch - #CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615 Patch835: tcp-make-challenge-acks-less-predictable.patch Patch839: tcp-enable-per-socket-rate-limiting-of-all-challenge.patch @@ -675,9 +664,6 @@ Patch836: drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch Patch837: drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch Patch838: Revert-ALSA-hda-remove-controller-dependency-on-i915.patch -#CVE-2016-5400 rhbz 1358184 1358186 -Patch840: airspy-fix-error-logic-during-device-register.patch - #CVE-2016-6136 rhbz 1353533 1353534 Patch841: audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch @@ -2208,6 +2194,12 @@ fi # # %changelog +* Wed Aug 10 2016 Laura Abbott <labbott@fedoraproject.org> - 4.6.6-200 +- Linux v4.6.6 + +* Mon Aug 08 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Build CONFIG_POWERNV_CPUFREQ in on ppc64* (rhbz 1351346) + * Thu Jul 28 2016 Josh Boyer <jwboyer@fedoraproject.org> - CVE-2016-5412 powerpc: kvm: Infinite loop in HV mode (rhbz 1349916 1361040) diff --git a/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch b/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch deleted file mode 100644 index a685ff697..000000000 --- a/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 096cdc6f52225835ff503f987a0d68ef770bb78e Mon Sep 17 00:00:00 2001 -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Tue, 21 Jun 2016 16:58:46 +0300 -Subject: [PATCH] platform/chrome: cros_ec_dev - double fetch bug in ioctl - -We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure -that those values have not changed between the two copy_from_user() -calls. Otherwise it could lead to a buffer overflow. - -Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value. -We should use the new smaller value so we don't copy too much data to -the user. - -Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> -Fixes: a841178445bb ('mfd: cros_ec: Use a zero-length array for command data') -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Reviewed-by: Kees Cook <keescook@chromium.org> -Tested-by: Gwendal Grignou <gwendal@chromium.org> -Cc: <stable@vger.kernel.org> # v4.2+ -Signed-off-by: Olof Johansson <olof@lixom.net> ---- - drivers/platform/chrome/cros_ec_dev.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/platform/chrome/cros_ec_dev.c b/drivers/platform/chrome/cros_ec_dev.c -index 6d8ee3b15872..8abd80dbcbed 100644 ---- a/drivers/platform/chrome/cros_ec_dev.c -+++ b/drivers/platform/chrome/cros_ec_dev.c -@@ -151,13 +151,19 @@ static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg) - goto exit; - } - -+ if (u_cmd.outsize != s_cmd->outsize || -+ u_cmd.insize != s_cmd->insize) { -+ ret = -EINVAL; -+ goto exit; -+ } -+ - s_cmd->command += ec->cmd_offset; - ret = cros_ec_cmd_xfer(ec->ec_dev, s_cmd); - /* Only copy data to userland if data was received. */ - if (ret < 0) - goto exit; - -- if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + u_cmd.insize)) -+ if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + s_cmd->insize)) - ret = -EFAULT; - exit: - kfree(s_cmd); --- -2.5.5 - diff --git a/qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch b/qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch deleted file mode 100644 index 4e50a65e2..000000000 --- a/qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 36d17a40c174c8b77386520ab2a430fea760dcc3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bruno=20Pr=C3=83=C2=A9mont?= <bonbons@linux-vserver.org> -Date: Thu, 30 Jun 2016 17:00:32 +0200 -Subject: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL -pointer dereference when rsp->msix is NULL: - -[ 5.622457] NULL pointer dereference at 0000000000000050 -[ 5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 -[ 5.622457] PGD 0 -[ 5.622457] Oops: 0000 [#1] SMP -[ 5.622457] Modules linked in: -[ 5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1 -[ 5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011 -[ 5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000 -[ 5.622457] RIP: 0010:[<ffffffff8155e614>] [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 -[ 5.622457] RSP: 0000:ffff8801afb03de8 EFLAGS: 00010002 -[ 5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff -[ 5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0 -[ 5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000 -[ 5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8 -[ 5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013 -[ 5.622457] FS: 0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000 -[ 5.622457] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0 -[ 5.622457] Stack: -[ 5.622457] ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002 -[ 5.622457] ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002 -[ 5.622457] ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032 -[ 5.622457] Call Trace: -[ 5.622457] <IRQ> -[ 5.622457] [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80 -[ 5.622457] [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60 -[ 5.622457] [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240 -[ 5.622457] [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0 -[ 5.622457] [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200 -[ 5.622457] [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100 -[ 5.622457] [<ffffffff810c8a77>] handle_irq_event+0x27/0x50 -[ 5.622457] [<ffffffff810cb965>] handle_edge_irq+0x65/0x140 -[ 5.622457] [<ffffffff8101a498>] handle_irq+0x18/0x30 -[ 5.622457] [<ffffffff8101a276>] do_IRQ+0x46/0xd0 -[ 5.622457] [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f -[ 5.622457] <EOI> -[ 5.622457] [<ffffffff81020d38>] ? mwait_idle+0x68/0x80 -[ 5.622457] [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10 -[ 5.622457] [<ffffffff810c1b97>] default_idle_call+0x27/0x30 -[ 5.622457] [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230 -[ 5.622457] [<ffffffff810324c6>] start_secondary+0x136/0x140 -[ 5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00 -[ 5.622457] RIP [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 -[ 5.622457] RSP <ffff8801afb03de8> -[ 5.622457] CR2: 0000000000000050 -[ 5.622457] ---[ end trace fa2b19c25106d42b ]--- -[ 5.622457] Kernel panic - not syncing: Fatal exception in interrupt - -The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde -(qla2xxx: Add irq affinity notification). - -Only dereference rsp->msix when it has been set so the machine can boot -fine. Possibly rsp->msix is unset because: -[ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k. -[ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000. -[ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3). -[ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258. -[ 3.890145] scsi host0: qla2xxx -[ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA. -[ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496). -[ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps). - -Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org> -Acked-by: Quinn Tran <quinn.tran@qlogic.com> -CC: <stable@vger.kernel.org> # 4.5+ -Fixes: cdb898c52d1dfad4b4800b83a58b3fe5d352edde -Signed-off-by: James Bottomley <jejb@linux.vnet.ibm.com> ---- - drivers/scsi/qla2xxx/qla_isr.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c -index 5649c200d37c..a92a62dea793 100644 ---- a/drivers/scsi/qla2xxx/qla_isr.c -+++ b/drivers/scsi/qla2xxx/qla_isr.c -@@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, - if (!vha->flags.online) - return; - -- if (rsp->msix->cpuid != smp_processor_id()) { -+ if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) { - /* if kernel does not notify qla of IRQ's CPU change, - * then set it here. - */ --- -2.5.5 - @@ -1,3 +1,3 @@ d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz -ad32c9ec1c69a99811d160d6014f9b2d patch-4.6.5.xz +84f23eb772635b1348d3ea7c5bd67930 patch-4.6.6.xz |