diff options
| -rw-r--r-- | kernel.spec | 11 | ||||
| -rw-r--r-- | sources | 2 | ||||
| -rw-r--r-- | xfs-underflow-bug-in-xfs_attrlist_by_handle.patch | 149 |
3 files changed, 5 insertions, 157 deletions
diff --git a/kernel.spec b/kernel.spec index e0c07e86f..490afeca9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -95,7 +95,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 3 # The git snapshot level -%define gitrev 2 +%define gitrev 3 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -703,9 +703,6 @@ Patch25128: dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch #rhbz 1000439 Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch -#CVE-2013-6382 rhbz 1033603 1034670 -Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch - #rhbz 1033965 Patch25169: 0001-Revert-selinux-consider-filesystem-subtype-in-polici.patch @@ -1395,9 +1392,6 @@ ApplyPatch dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch #rhbz 1000439 ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch -#CVE-2013-6382 rhbz 1033603 1034670 -ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch - #rhbz 1033965 ApplyPatch 0001-Revert-selinux-consider-filesystem-subtype-in-polici.patch @@ -2230,6 +2224,9 @@ fi # ||----w | # || || %changelog +* Thu Dec 12 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc3.git3.1 +- Linux v3.13-rc3-249-g2208f65 + * Thu Dec 12 2013 Josh Boyer <jwboyer@fedoraproject.org> - CVE-2013-4587 kvm: out-of-bounds access (rhbz 1030986 1042071) - CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099) @@ -1,3 +1,3 @@ cc6ee608854e0da4b64f6c1ff8b6398c linux-3.12.tar.xz be2604350d32ab4967f9773920de1ec8 patch-3.13-rc3.xz -0bae6992c2ba067632626e45723f79a0 patch-3.13-rc3-git2.xz +e730cb827aaf252cf2a016ebafe4f6ef patch-3.13-rc3-git3.xz diff --git a/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch b/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch deleted file mode 100644 index 6c7f60dd9..000000000 --- a/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch +++ /dev/null @@ -1,149 +0,0 @@ -Bugzilla: 1033603 -Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654 - -Path: news.gmane.org!not-for-mail -From: Dan Carpenter <dan.carpenter@oracle.com> -Newsgroups: gmane.comp.file-systems.xfs.general -Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle() -Date: Thu, 31 Oct 2013 21:00:10 +0300 -Lines: 43 -Approved: news@gmane.org -Message-ID: <20131031180010.GA24839@longonot.mountain> -References: <20131025144452.GA28451@ngolde.de> -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: text/plain; charset="us-ascii" -Content-Transfer-Encoding: 7bit -X-Trace: ger.gmane.org 1383242609 27303 80.91.229.3 (31 Oct 2013 18:03:29 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Thu, 31 Oct 2013 18:03:29 +0000 (UTC) -Cc: Fabian Yamaguchi <fabs@goesec.de>, security@kernel.org, - Alex Elder <elder@kernel.org>, Nico Golde <nico@ngolde.de>, xfs@oss.sgi.com -To: Ben Myers <bpm@sgi.com> -Original-X-From: xfs-bounces@oss.sgi.com Thu Oct 31 19:03:33 2013 -Return-path: <xfs-bounces@oss.sgi.com> -Envelope-to: sgi-linux-xfs@gmane.org -Original-Received: from oss.sgi.com ([192.48.182.195]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from <xfs-bounces@oss.sgi.com>) - id 1Vbwag-0001Ow-Sv - for sgi-linux-xfs@gmane.org; Thu, 31 Oct 2013 19:03:31 +0100 -Original-Received: from oss.sgi.com (localhost [IPv6:::1]) - by oss.sgi.com (Postfix) with ESMTP id DB14A7F85; - Thu, 31 Oct 2013 13:03:28 -0500 (CDT) -X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on oss.sgi.com -X-Spam-Level: -X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY - autolearn=ham version=3.3.1 -X-Original-To: xfs@oss.sgi.com -Delivered-To: xfs@oss.sgi.com -Original-Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111]) - by oss.sgi.com (Postfix) with ESMTP id A0ED87F83 - for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 13:03:27 -0500 (CDT) -Original-Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11]) - by relay1.corp.sgi.com (Postfix) with ESMTP id 71E0A8F804B - for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 11:03:24 -0700 (PDT) -X-ASG-Debug-ID: 1383242599-04bdf0789a41ef30001-NocioJ -Original-Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by - cuda.sgi.com with ESMTP id CWKetu2Mc6MhJZij (version=TLSv1 - cipher=AES256-SHA bits=256 verify=NO); - Thu, 31 Oct 2013 11:03:20 -0700 (PDT) -X-Barracuda-Envelope-From: dan.carpenter@oracle.com -X-Barracuda-Apparent-Source-IP: 156.151.31.81 -Original-Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) - by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with - ESMTP id r9VI3AZn009606 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Thu, 31 Oct 2013 18:03:11 GMT -Original-Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) - by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id - r9VI39qG016923 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); - Thu, 31 Oct 2013 18:03:10 GMT -Original-Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53]) - by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id - r9VI395m016915; Thu, 31 Oct 2013 18:03:09 GMT -Original-Received: from longonot.mountain (/105.160.144.228) - by default (Oracle Beehive Gateway v4.0) - with ESMTP ; Thu, 31 Oct 2013 11:03:08 -0700 -X-ASG-Orig-Subj: [patch] xfs: underflow bug in xfs_attrlist_by_handle() -Content-Disposition: inline -In-Reply-To: <20131025144452.GA28451@ngolde.de> -User-Agent: Mutt/1.5.21 (2010-09-15) -X-Source-IP: acsinet22.oracle.com [141.146.126.238] -X-Barracuda-Connect: userp1040.oracle.com[156.151.31.81] -X-Barracuda-Start-Time: 1383242600 -X-Barracuda-Encrypted: AES256-SHA -X-Barracuda-URL: http://192.48.157.11:80/cgi-mod/mark.cgi -X-Virus-Scanned: by bsmtpd at sgi.com -X-Barracuda-BRTS-Status: 1 -X-Barracuda-Spam-Score: 0.00 -X-Barracuda-Spam-Status: No, - SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0 - QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.7 tests=UNPARSEABLE_RELAY -X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.141937 - Rule breakdown below - pts rule name description - ---- ---------------------- - -------------------------------------------------- - 0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay - lines -X-BeenThere: xfs@oss.sgi.com -X-Mailman-Version: 2.1.14 -Precedence: list -List-Id: XFS Filesystem from SGI <xfs.oss.sgi.com> -List-Unsubscribe: <http://oss.sgi.com/mailman/options/xfs>, - <mailto:xfs-request@oss.sgi.com?subject=unsubscribe> -List-Archive: <http://oss.sgi.com/pipermail/xfs> -List-Post: <mailto:xfs@oss.sgi.com> -List-Help: <mailto:xfs-request@oss.sgi.com?subject=help> -List-Subscribe: <http://oss.sgi.com/mailman/listinfo/xfs>, - <mailto:xfs-request@oss.sgi.com?subject=subscribe> -Errors-To: xfs-bounces@oss.sgi.com -Original-Sender: xfs-bounces@oss.sgi.com -Xref: news.gmane.org gmane.comp.file-systems.xfs.general:57654 -Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.xfs.general/57654> - -If we allocate less than sizeof(struct attrlist) then we end up -corrupting memory or doing a ZERO_PTR_SIZE dereference. - -This can only be triggered with CAP_SYS_ADMIN. - -Reported-by: Nico Golde <nico@ngolde.de> -Reported-by: Fabian Yamaguchi <fabs@goesec.de> -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> - -diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c -index 4d61340..33ad9a7 100644 ---- a/fs/xfs/xfs_ioctl.c -+++ b/fs/xfs/xfs_ioctl.c -@@ -442,7 +442,8 @@ xfs_attrlist_by_handle( - return -XFS_ERROR(EPERM); - if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t))) - return -XFS_ERROR(EFAULT); -- if (al_hreq.buflen > XATTR_LIST_MAX) -+ if (al_hreq.buflen < sizeof(struct attrlist) || -+ al_hreq.buflen > XATTR_LIST_MAX) - return -XFS_ERROR(EINVAL); - - /* -diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c -index e8fb123..a7992f8 100644 ---- a/fs/xfs/xfs_ioctl32.c -+++ b/fs/xfs/xfs_ioctl32.c -@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle( - if (copy_from_user(&al_hreq, arg, - sizeof(compat_xfs_fsop_attrlist_handlereq_t))) - return -XFS_ERROR(EFAULT); -- if (al_hreq.buflen > XATTR_LIST_MAX) -+ if (al_hreq.buflen < sizeof(struct attrlist) || -+ al_hreq.buflen > XATTR_LIST_MAX) - return -XFS_ERROR(EINVAL); - - /* - -_______________________________________________ -xfs mailing list -xfs@oss.sgi.com -http://oss.sgi.com/mailman/listinfo/xfs - |