summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch49
-rw-r--r--kernel.spec11
-rw-r--r--net-packet-fix-overflow-in-tpacket_rcv.patch59
-rw-r--r--sources2
4 files changed, 5 insertions, 116 deletions
diff --git a/0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch b/0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch
deleted file mode 100644
index 771f4396e..000000000
--- a/0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From f4020438fab05364018c91f7e02ebdd192085933 Mon Sep 17 00:00:00 2001
-From: Eric Sandeen <sandeen@redhat.com>
-Date: Wed, 26 Aug 2020 14:11:58 -0700
-Subject: [PATCH] xfs: fix boundary test in xfs_attr_shortform_verify
-
-The boundary test for the fixed-offset parts of xfs_attr_sf_entry in
-xfs_attr_shortform_verify is off by one, because the variable array
-at the end is defined as nameval[1] not nameval[].
-Hence we need to subtract 1 from the calculation.
-
-This can be shown by:
-
-# touch file
-# setfattr -n root.a file
-
-and verifications will fail when it's written to disk.
-
-This only matters for a last attribute which has a single-byte name
-and no value, otherwise the combination of namelen & valuelen will
-push endp further out and this test won't fail.
-
-Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")
-Signed-off-by: Eric Sandeen <sandeen@redhat.com>
-Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
-Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
-Reviewed-by: Christoph Hellwig <hch@lst.de>
----
- fs/xfs/libxfs/xfs_attr_leaf.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
-index 8623c815164a..383b08f2ac61 100644
---- a/fs/xfs/libxfs/xfs_attr_leaf.c
-+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
-@@ -1036,8 +1036,10 @@ xfs_attr_shortform_verify(
- * struct xfs_attr_sf_entry has a variable length.
- * Check the fixed-offset parts of the structure are
- * within the data buffer.
-+ * xfs_attr_sf_entry is defined with a 1-byte variable
-+ * array at the end, so we must subtract that off.
- */
-- if (((char *)sfep + sizeof(*sfep)) >= endp)
-+ if (((char *)sfep + sizeof(*sfep) - 1) >= endp)
- return __this_address;
-
- /* Don't allow names with known bad length. */
---
-2.26.2
-
diff --git a/kernel.spec b/kernel.spec
index fdb7a16b5..0e256b9d6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 7
+%define stable_update 8
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -867,12 +867,6 @@ Patch105: 0001-platform-x86-thinkpad_acpi-lap-or-desk-mode-interfac.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1874117
Patch107: 0001-drivers-perf-xgene_pmu-Fix-uninitialized-resource-st.patch
-# CVE-2020-14385 rhbz 1874800 1874811
-Patch108: 0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch
-
-# CVE-2020-14386 rhbz 1875699 1876349
-Patch109: net-packet-fix-overflow-in-tpacket_rcv.patch
-
Patch110: memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch
# END OF PATCH DEFINITIONS
@@ -2979,6 +2973,9 @@ fi
#
#
%changelog
+* Wed Sep 9 13:39:47 CDT 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.8-300
+- Linux v5.8.8
+
* Mon Sep 07 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.7-300
- Linux v5.8.7
- Fix CVE-2020-14386 (rhbz 1875699 1876349)
diff --git a/net-packet-fix-overflow-in-tpacket_rcv.patch b/net-packet-fix-overflow-in-tpacket_rcv.patch
deleted file mode 100644
index 6c6868f5c..000000000
--- a/net-packet-fix-overflow-in-tpacket_rcv.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 00c393ea14d12a4ef490a6aedf0fa6bfc2bfe8c3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 3 Sep 2020 21:05:28 -0700
-Subject: net/packet: fix overflow in tpacket_rcv
-
-From: Or Cohen <orcohen@paloaltonetworks.com>
-
-[ Upstream commit acf69c946233259ab4d64f8869d4037a198c7f06 ]
-
-Using tp_reserve to calculate netoff can overflow as
-tp_reserve is unsigned int and netoff is unsigned short.
-
-This may lead to macoff receving a smaller value then
-sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
-is set, an out-of-bounds write will occur when
-calling virtio_net_hdr_from_skb.
-
-The bug is fixed by converting netoff to unsigned int
-and checking if it exceeds USHRT_MAX.
-
-This addresses CVE-2020-14386
-
-Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
-Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/packet/af_packet.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 301f41d4929bd..82f7802983797 100644
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -2170,7 +2170,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
- int skb_len = skb->len;
- unsigned int snaplen, res;
- unsigned long status = TP_STATUS_USER;
-- unsigned short macoff, netoff, hdrlen;
-+ unsigned short macoff, hdrlen;
-+ unsigned int netoff;
- struct sk_buff *copy_skb = NULL;
- struct timespec64 ts;
- __u32 ts_status;
-@@ -2239,6 +2240,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
- }
- macoff = netoff - maclen;
- }
-+ if (netoff > USHRT_MAX) {
-+ atomic_inc(&po->tp_drops);
-+ goto drop_n_restore;
-+ }
- if (po->tp_version <= TPACKET_V2) {
- if (macoff + snaplen > po->rx_ring.frame_size) {
- if (po->copy_thresh &&
---
-2.25.1
-
diff --git a/sources b/sources
index ef20ca39c..c9721b9ce 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (linux-5.8.tar.xz) = 19c8694bda4533464877e2d976aca95f48c2c40c11efcc1dce0ca91cc5f9826110e277c7de2a49ff99af8ae1c76e275b7c463abf71fbf410956d63066dc4ee53
-SHA512 (patch-5.8.7.xz) = f637d548e9b0419f7c65807d25c9d7547c956b211b680f6b13fd7cae636c3f3f4ef688bdaefb17956ab8290faf41420d76caf57f573a448f93e3267a620ffbf2
+SHA512 (patch-5.8.8.xz) = daf14cdff3a101ef25bb701513b07752f399a92e0e61d839cbf2d85234f55ead50ee524eeeb85aa6f22044bcd0ecdbf877b96ac721c62c372a960909a5582fb7