diff options
| -rw-r--r-- | config-arm-generic | 5 | ||||
| -rw-r--r-- | config-arm64 | 4 | ||||
| -rw-r--r-- | config-armv7 | 1 | ||||
| -rw-r--r-- | config-generic | 1 | ||||
| -rw-r--r-- | gitrev | 2 | ||||
| -rw-r--r-- | kernel.spec | 21 | ||||
| -rw-r--r-- | rds-fix-an-infoleak-in-rds_inc_info_copy.txt | 31 | ||||
| -rw-r--r-- | sources | 1 | ||||
| -rw-r--r-- | tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch | 32 |
9 files changed, 91 insertions, 7 deletions
diff --git a/config-arm-generic b/config-arm-generic index 6995e1e70..eae9b5087 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -57,7 +57,6 @@ CONFIG_ARM_GIC=y CONFIG_ARM_GIC_V2M=y CONFIG_ARM_GIC_V3=y CONFIG_ARM_GIC_V3_ITS=y -# CONFIG_HISILICON_IRQ_MBIGEN is not set CONFIG_ARM_GLOBAL_TIMER=y CONFIG_ARM_SMMU=y CONFIG_MMC_ARMMMCI=y @@ -70,6 +69,8 @@ CONFIG_PL330_DMA=m CONFIG_GPIO_PL061=y CONFIG_USB_ISP1760=m CONFIG_ARM_PL172_MPMC=m +CONFIG_DRM_HDLCD=m +# CONFIG_DRM_HDLCD_SHOW_UNDERRUN is not set # HW crypto and rng CONFIG_ARM_CRYPTO=y @@ -588,7 +589,6 @@ CONFIG_NET_VENDOR_MELLANOX=y # drm # CONFIG_DRM_VMWGFX is not set -# CONFIG_DRM_HDLCD is not set # CONFIG_IMX_IPUV3_CORE is not set # CONFIG_DEBUG_SET_MODULE_RONX is not set @@ -607,6 +607,7 @@ CONFIG_CHECKPOINT_RESTORE=y # CONFIG_PINCTRL_SUNRISEPOINT is not set # CONFIG_HW_RANDOM_HISI is not set +# CONFIG_HISILICON_IRQ_MBIGEN is not set # CONFIG_QRTR is not set # This Xilinx option is now built for arm64 as well as ARM diff --git a/config-arm64 b/config-arm64 index de487b2e8..0d33b00ce 100644 --- a/config-arm64 +++ b/config-arm64 @@ -154,7 +154,8 @@ CONFIG_REGULATOR_HI655X=m CONFIG_PHY_HI6220_USB=m CONFIG_COMMON_RESET_HI6220=m CONFIG_HI6220_MBOX=m -# CONFIG_RESET_HISI is not set +CONFIG_RESET_HISI=y +CONFIG_MFD_HI655X_PMIC=m CONFIG_DRM_HISI_KIRIN=m CONFIG_HISI_KIRIN_DW_DSI=m @@ -175,7 +176,6 @@ CONFIG_NET_VENDOR_ALLWINNER=y # CONFIG_SERIO_SUN4I_PS2 is not set CONFIG_SUNXI_WATCHDOG=m CONFIG_MFD_SUN6I_PRCM=y -# CONFIG_MFD_HI655X_PMIC is not set CONFIG_IR_SUNXI=m CONFIG_MMC_SUNXI=m CONFIG_RTC_DRV_SUN6I=m diff --git a/config-armv7 b/config-armv7 index 7a8e0538b..5a749ac0a 100644 --- a/config-armv7 +++ b/config-armv7 @@ -363,6 +363,7 @@ CONFIG_SOC_IMX7D=y CONFIG_ARM_IMX6Q_CPUFREQ=m CONFIG_POWER_RESET_IMX=y CONFIG_PCI_IMX6=y +CONFIG_IMX_GPCV2=y CONFIG_IMX_THERMAL=m CONFIG_IMX_SDMA=m CONFIG_IMX_DMA=m diff --git a/config-generic b/config-generic index 6911aed7a..5b6bb8d45 100644 --- a/config-generic +++ b/config-generic @@ -3317,7 +3317,6 @@ CONFIG_RTC_DRV_PCF85063=m # CONFIG_RTC_DRV_HID_SENSOR_TIME is not set # CONFIG_RTC_DRV_MOXART is not set # CONFIG_RTC_DRV_ISL12057 is not set -# CONFIG_RTC_DRV_XGENE is not set # CONFIG_RTC_DRV_ABB5ZES3 is not set # CONFIG_RTC_DRV_ZYNQMP is not set # CONFIG_RTC_DRV_RV8803 is not set @@ -1 +1 @@ -4340fa55298d17049e71c7a34e04647379c269f3 +c8ae067f2635be0f8c7e5db1bb74b757d623e05b diff --git a/kernel.spec b/kernel.spec index cd4a7aecc..01151aa40 100644 --- a/kernel.spec +++ b/kernel.spec @@ -77,7 +77,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 2 # The git snapshot level -%define gitrev 0 +%define gitrev 2 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -622,6 +622,12 @@ Patch641: disable-CONFIG_EXPERT-for-ZONE_DMA.patch #CVE-2016-3134 rhbz 1317383 1317384 Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch +#CVE-2016-5243 rhbz 1343338 1343335 +Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch + +#CVE-2016-5244 rhbz 1343338 1343337 +Patch722: rds-fix-an-infoleak-in-rds_inc_info_copy.txt + # END OF PATCH DEFINITIONS %endif @@ -2150,6 +2156,19 @@ fi # # %changelog +* Wed Jun 08 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc2.git2.1 +- Linux v4.7-rc2-20-gc8ae067 + +* Wed Jun 8 2016 Peter Robinson <pbrobinson@fedoraproject.org> +- Minor ARM/aarch64 config updates + +* Tue Jun 07 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc2.git1.1 +- Linux v4.7-rc2-4-g3613a62 + +* Tue Jun 07 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-5244 info leak in rds (rhbz 1343338 1343337) +- CVE-2016-5243 info leak in tipc (rhbz 1343338 1343335) + * Mon Jun 06 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc2.git0.1 - Linux v4.7-rc2 - Disable debugging options. diff --git a/rds-fix-an-infoleak-in-rds_inc_info_copy.txt b/rds-fix-an-infoleak-in-rds_inc_info_copy.txt new file mode 100644 index 000000000..a9b1e49fe --- /dev/null +++ b/rds-fix-an-infoleak-in-rds_inc_info_copy.txt @@ -0,0 +1,31 @@ +From 4116def2337991b39919f3b448326e21c40e0dbb Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kangjielu@gmail.com> +Date: Thu, 2 Jun 2016 04:11:20 -0400 +Subject: rds: fix an infoleak in rds_inc_info_copy + +The last field "flags" of object "minfo" is not initialized. +Copying this object out may leak kernel stack data. +Assign 0 to it to avoid leak. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/rds/recv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/rds/recv.c b/net/rds/recv.c +index c0be1ec..8413f6c 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -561,5 +561,7 @@ void rds_inc_info_copy(struct rds_incoming *inc, + minfo.fport = inc->i_hdr.h_dport; + } + ++ minfo.flags = 0; ++ + rds_info_copy(iter, &minfo, sizeof(minfo)); + } +-- +cgit v0.12 + @@ -1,3 +1,4 @@ d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz 7c23235807e3c4d86b9c7ea5aef47068 patch-4.7-rc2.xz +2111426c71c1cca6a68ec16335186536 patch-4.7-rc2-git2.xz diff --git a/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch b/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch new file mode 100644 index 000000000..9cd7c09a3 --- /dev/null +++ b/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch @@ -0,0 +1,32 @@ +From 5d2be1422e02ccd697ccfcd45c85b4a26e6178e2 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu <kangjielu@gmail.com> +Date: Thu, 2 Jun 2016 04:04:56 -0400 +Subject: tipc: fix an infoleak in tipc_nl_compat_link_dump + +link_info.str is a char array of size 60. Memory after the NULL +byte is not initialized. Sending the whole object out can cause +a leak. + +Signed-off-by: Kangjie Lu <kjlu@gatech.edu> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/tipc/netlink_compat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index f795b1d..3ad9fab 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -604,7 +604,8 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg, + + link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]); + link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP])); +- strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME])); ++ nla_strlcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]), ++ TIPC_MAX_LINK_NAME); + + return tipc_add_tlv(msg->rep, TIPC_TLV_LINK_INFO, + &link_info, sizeof(link_info)); +-- +cgit v0.12 + |