-rw-r--r-- | 0001-platform-x86-dell-laptop-Filter-out-spurious-keyboar.patch | 99 | ||||
-rw-r--r-- | 0001-tools-lib-subcmd-pager.c-do-not-alias-select-params.patch | 44 | ||||
-rw-r--r-- | CVE-2017-7645.patch | 180 | ||||
-rw-r--r-- | KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch | 130 | ||||
-rw-r--r-- | efi-Add-SHIM-and-image-security-database-GUID-defini.patch | 31 |
5 files changed, 0 insertions, 484 deletions
diff --git a/0001-platform-x86-dell-laptop-Filter-out-spurious-keyboar.patch b/0001-platform-x86-dell-laptop-Filter-out-spurious-keyboar.patch
deleted file mode 100644
index 926487b3d..000000000
--- a/0001-platform-x86-dell-laptop-Filter-out-spurious-keyboar.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -From 714fe15daa07e7691c9731c88de71aa57f84b6c2 Mon Sep 17 00:00:00 2001 -From: Hans de Goede <hdegoede@redhat.com> -Date: Wed, 3 Jan 2018 11:13:54 +0100 -Subject: [PATCH] platform/x86: dell-laptop: Filter out spurious keyboard - backlight change events - -On some Dell XPS models WMI events of type 0x0000 reporting a keycode of -0xe00c get reported when the brightness of the LCD panel changes. - -This leads to us reporting false-positive kbd_led change events to -userspace which in turn leads to the kbd backlight OSD showing when it -should not. - -We already read the current keyboard backlight brightness value when -reporting events because the led_classdev_notify_brightness_hw_changed -API requires this. Compare this value to the last known value and filter -out duplicate events, fixing this. - -Note the fixed issue is esp. a problem on XPS models with an ambient light -sensor and automatic brightness adjustments turned on, this causes the kbd -backlight OSD to show all the time there. - -BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1514969 -Signed-off-by: Hans de Goede <hdegoede@redhat.com> ---- - drivers/platform/x86/dell-laptop.c | 24 ++++++++++++++++++++++-- - 1 file changed, 22 insertions(+), 2 deletions(-) - -diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c -index cd4725e7e0b5..2ef3297a9efc 100644 ---- a/drivers/platform/x86/dell-laptop.c -+++ b/drivers/platform/x86/dell-laptop.c -@@ -1133,6 +1133,7 @@ static u8 kbd_previous_mode_bit; - - static bool kbd_led_present; - static DEFINE_MUTEX(kbd_led_mutex); -+static enum led_brightness kbd_led_level; - - /* - * NOTE: there are three ways to set the keyboard backlight level. 
-@@ -1947,6 +1948,7 @@ static enum led_brightness kbd_led_level_get(struct led_classdev *led_cdev) - static int kbd_led_level_set(struct led_classdev *led_cdev, - enum led_brightness value) - { -+ enum led_brightness new_value = value; - struct kbd_state state; - struct kbd_state new_state; - u16 num; -@@ -1976,6 +1978,9 @@ static int kbd_led_level_set(struct led_classdev *led_cdev, - } - - out: -+ if (ret == 0) -+ kbd_led_level = new_value; -+ - mutex_unlock(&kbd_led_mutex); - return ret; - } -@@ -2003,6 +2008,9 @@ static int __init kbd_led_init(struct device *dev) - if (kbd_led.max_brightness) - kbd_led.max_brightness--; - } -+ -+ kbd_led_level = kbd_led_level_get(NULL); -+ - ret = led_classdev_register(dev, &kbd_led); - if (ret) - kbd_led_present = false; -@@ -2027,13 +2035,25 @@ static void kbd_led_exit(void) - static int dell_laptop_notifier_call(struct notifier_block *nb, - unsigned long action, void *data) - { -+ bool changed = false; -+ enum led_brightness new_kbd_led_level; -+ - switch (action) { - case DELL_LAPTOP_KBD_BACKLIGHT_BRIGHTNESS_CHANGED: - if (!kbd_led_present) - break; - -- led_classdev_notify_brightness_hw_changed(&kbd_led, -- kbd_led_level_get(&kbd_led)); -+ mutex_lock(&kbd_led_mutex); -+ new_kbd_led_level = kbd_led_level_get(&kbd_led); -+ if (kbd_led_level != new_kbd_led_level) { -+ kbd_led_level = new_kbd_led_level; -+ changed = true; -+ } -+ mutex_unlock(&kbd_led_mutex); -+ -+ if (changed) -+ led_classdev_notify_brightness_hw_changed(&kbd_led, -+ kbd_led_level); - break; - } - --- -2.14.3 - diff --git a/0001-tools-lib-subcmd-pager.c-do-not-alias-select-params.patch b/0001-tools-lib-subcmd-pager.c-do-not-alias-select-params.patch deleted file mode 100644 index 37c0f041e..000000000 --- a/0001-tools-lib-subcmd-pager.c-do-not-alias-select-params.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 85721e6bfc5da3c8f7971c4acb1a0ad16fb2c16a Mon Sep 17 00:00:00 2001 -From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> -Date: Thu, 1 Feb 2018 13:29:38 +1100 -Subject: [PATCH] tools/lib/subcmd/pager.c: do not alias select() params - -Use a separate fd set for select()-s exception fds param to fix the -following gcc warning: - -pager.c:36:12: error: passing argument 2 to restrict-qualified - parameter aliases with argument 4 [-Werror=restrict] - select(1, &in, NULL, &in, NULL); - ^~~ ~~~ - -Link: http://lkml.kernel.org/r/20180101105626.7168-1-sergey.senozhatsky@gmail.com -Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> -Cc: Arnaldo Carvalho de Melo <acme@redhat.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> ---- - tools/lib/subcmd/pager.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/tools/lib/subcmd/pager.c b/tools/lib/subcmd/pager.c -index 5ba754d17952..9997a8805a82 100644 ---- a/tools/lib/subcmd/pager.c -+++ b/tools/lib/subcmd/pager.c -@@ -30,10 +30,13 @@ static void pager_preexec(void) - * have real input - */ - fd_set in; -+ fd_set exception; - - FD_ZERO(&in); -+ FD_ZERO(&exception); - FD_SET(0, &in); -- select(1, &in, NULL, &in, NULL); -+ FD_SET(0, &exception); -+ select(1, &in, NULL, &exception, NULL); - - setenv("LESS", "FRSX", 0); - } --- -2.14.3 - diff --git a/CVE-2017-7645.patch b/CVE-2017-7645.patch deleted file mode 100644 index 0be019cc3..000000000 --- a/CVE-2017-7645.patch +++ /dev/null 
@@ -1,180 +0,0 @@ -From: "J. Bruce Fields" <bfields@redhat.com> -Date: 2017-04-14 15:04:40 -Subject: [PATCH] nfsd: check for oversized NFSv2/v3 arguments - -A client can append random data to the end of an NFSv2 or NFSv3 RPC call -without our complaining; we'll just stop parsing at the end of the -expected data and ignore the rest. - -Encoded arguments and replies are stored together in an array of pages, -and if a call is too large it could leave inadequate space for the -reply. This is normally OK because NFS RPC's typically have either -short arguments and long replies (like READ) or long arguments and short -replies (like WRITE). But a client that sends an incorrectly long reply -can violate those assumptions. This was observed to cause crashes. - -So, insist that the argument not be any longer than we expect. - -Also, several operations increment rq_next_page in the decode routine -before checking the argument size, which can leave rq_next_page pointing -well past the end of the page array, causing trouble later in -svc_free_pages. - -As followup we may also want to rewrite the encoding routines to check -more carefully that they aren't running off the end of the page array. - -Reported-by: Tuomas Haanpää <thaan@synopsys.com> -Reported-by: Ari Kauppi <ari@synopsys.com> -Cc: stable@vger.kernel.org -Signed-off-by: J. 
Bruce Fields <bfields@redhat.com> ---- - fs/nfsd/nfs3xdr.c | 23 +++++++++++++++++------ - fs/nfsd/nfsxdr.c | 13 ++++++++++--- - include/linux/sunrpc/svc.h | 3 +-- - 3 files changed, 28 insertions(+), 11 deletions(-) - -diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c -index dba2ff8eaa68..be66bcadfaea 100644 ---- a/fs/nfsd/nfs3xdr.c -+++ b/fs/nfsd/nfs3xdr.c -@@ -334,8 +334,11 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, - if (!p) - return 0; - p = xdr_decode_hyper(p, &args->offset); -- - args->count = ntohl(*p++); -+ -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; -+ - len = min(args->count, max_blocksize); - - /* set up the kvec */ -@@ -349,7 +352,7 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, - v++; - } - args->vlen = v; -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -@@ -536,9 +539,11 @@ nfs3svc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p, - p = decode_fh(p, &args->fh); - if (!p) - return 0; -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; - args->buffer = page_address(*(rqstp->rq_next_page++)); - -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -@@ -564,10 +569,14 @@ nfs3svc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p, - args->verf = p; p += 2; - args->dircount = ~0; - args->count = ntohl(*p++); -+ -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; -+ - args->count = min_t(u32, args->count, PAGE_SIZE); - args->buffer = page_address(*(rqstp->rq_next_page++)); - -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -@@ -585,6 +594,9 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p, - args->dircount = ntohl(*p++); - args->count = ntohl(*p++); - -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; -+ - len = args->count = min(args->count, max_blocksize); - while (len > 0) { - struct page *p = *(rqstp->rq_next_page++); -@@ -592,8 +604,7 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p, - args->buffer = page_address(p); - len -= 
PAGE_SIZE; - } -- -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c -index 41b468a6a90f..79268369f7b3 100644 ---- a/fs/nfsd/nfsxdr.c -+++ b/fs/nfsd/nfsxdr.c -@@ -257,6 +257,9 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, - len = args->count = ntohl(*p++); - p++; /* totalcount - unused */ - -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; -+ - len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2); - - /* set up somewhere to store response. -@@ -272,7 +275,7 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, - v++; - } - args->vlen = v; -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -@@ -360,9 +363,11 @@ nfssvc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p, struct nfsd_readli - p = decode_fh(p, &args->fh); - if (!p) - return 0; -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; - args->buffer = page_address(*(rqstp->rq_next_page++)); - -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -@@ -400,9 +405,11 @@ nfssvc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p, - args->cookie = ntohl(*p++); - args->count = ntohl(*p++); - args->count = min_t(u32, args->count, PAGE_SIZE); -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; - args->buffer = page_address(*(rqstp->rq_next_page++)); - -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - /* -diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h -index e770abeed32d..6ef19cf658b4 100644 ---- a/include/linux/sunrpc/svc.h -+++ b/include/linux/sunrpc/svc.h -@@ -336,8 +336,7 @@ xdr_argsize_check(struct svc_rqst *rqstp, __be32 *p) - { - char *cp = (char *)p; - struct kvec *vec = &rqstp->rq_arg.head[0]; -- return cp >= (char*)vec->iov_base -- && cp <= (char*)vec->iov_base + vec->iov_len; -+ return cp == (char *)vec->iov_base + vec->iov_len; - } - - static inline int --- -2.9.3 - --- -To unsubscribe from this list: send the line "unsubscribe linux-nfs" in -the body of a message to 
majordomo@vger.kernel.org
-More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch b/KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch
deleted file mode 100644
index af7478ee5..000000000
--- a/KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch
+++ /dev/null
@@ -1,130 +0,0 @@ -From 7289bfaee2a42bdb56eecab0625907c045d080ba Mon Sep 17 00:00:00 2001 -From: Eric Biggers <ebiggers@google.com> -Date: Wed, 27 Sep 2017 12:50:41 -0700 -Subject: [PATCH] KEYS: don't let add_key() update an uninstantiated key - -Currently, add_key() will, when passed a key that already exists, call -the key's ->update() method. But this is heavily broken in the case -where the key is uninstantiated because it doesn't call -__key_instantiate_and_link(). Consequently, it doesn't do most of the -things that are supposed to happen when the key is instantiated, such as -setting KEY_FLAG_INSTANTIATED, clearing KEY_FLAG_USER_CONSTRUCT and -awakening tasks waiting on it, and incrementing key->user->nikeys. - -It also never takes key_construction_mutex, which means that -->instantiate() can run concurrently with ->update() on the same key. -In the case of the "user" and "logon" key types this causes a memory -leak, at best. Maybe even worse, the ->update() methods of the -"encrypted" and "trusted" key types actually just dereference a NULL -pointer when passed an uninstantiated key. - -Therefore, change find_key_to_update() to return NULL if the found key -is uninstantiated, so that add_key() replaces the key rather than -instantiating it. This seems to be better than fixing __key_update() to -call __key_instantiate_and_link(), since given all the bugs noted above -as well as that the existing behavior was undocumented and -keyctl_instantiate() is supposed to be used instead, I doubt anyone was -relying on the existing behavior. - -This patch only affects *uninstantiated* keys. For now we still allow a -negatively instantiated key to be updated (thereby positively -instantiating it), although that's broken too (the next patch fixes it) -and I'm not sure that anyone actually uses that functionality either. 
- -Here is a simple reproducer for the bug using the "encrypted" key type -(requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug -pertained to more than just the "encrypted" key type: - - #include <stdlib.h> - #include <unistd.h> - #include <keyutils.h> - - int main(void) - { - int ringid = keyctl_join_session_keyring(NULL); - - if (fork()) { - for (;;) { - const char payload[] = "update user:foo 32"; - - usleep(rand() % 10000); - add_key("encrypted", "desc", payload, sizeof(payload), ringid); - keyctl_clear(ringid); - } - } else { - for (;;) - request_key("encrypted", "desc", "callout_info", ringid); - } - } - -It causes: - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 - IP: encrypted_update+0xb0/0x170 - PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0 - PREEMPT SMP - CPU: 0 PID: 340 Comm: reproduce Tainted: G D 4.14.0-rc1-00025-g428490e38b2e #796 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 - task: ffff8a467a39a340 task.stack: ffffb15c40770000 - RIP: 0010:encrypted_update+0xb0/0x170 - RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246 - RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000 - RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303 - RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17 - R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000 - R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f - FS: 00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0 - Call Trace: - key_create_or_update+0x2bc/0x460 - SyS_add_key+0x10c/0x1d0 - entry_SYSCALL_64_fastpath+0x1f/0xbe - RIP: 0033:0x7f5d7f211259 - RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8 - RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259 - RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 
0000000000400a04 - RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004 - R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868 - R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000 - Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b - RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8 - CR2: 0000000000000018 - -Cc: <stable@vger.kernel.org> [v2.6.12+] -Signed-off-by: Eric Biggers <ebiggers@google.com> ---- - security/keys/keyring.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/security/keys/keyring.c b/security/keys/keyring.c -index 4fa82a8a9c0e..129a4175760b 100644 ---- a/security/keys/keyring.c -+++ b/security/keys/keyring.c -@@ -1056,8 +1056,8 @@ EXPORT_SYMBOL(keyring_restrict); - * caller must also hold a lock on the keyring semaphore. - * - * Returns a pointer to the found key with usage count incremented if -- * successful and returns NULL if not found. Revoked and invalidated keys are -- * skipped over. -+ * successful and returns NULL if not found. Revoked, invalidated, and -+ * uninstantiated keys are skipped over. (But negative keys are not!) - * - * If successful, the possession indicator is propagated from the keyring ref - * to the returned key reference. -@@ -1084,8 +1084,10 @@ key_ref_t find_key_to_update(key_ref_t keyring_ref, - - found: - key = keyring_ptr_to_key(object); -- if (key->flags & ((1 << KEY_FLAG_INVALIDATED) | -- (1 << KEY_FLAG_REVOKED))) { -+ if ((key->flags & ((1 << KEY_FLAG_INVALIDATED) | -+ (1 << KEY_FLAG_REVOKED) | -+ (1 << KEY_FLAG_INSTANTIATED))) != -+ (1 << KEY_FLAG_INSTANTIATED)) { - kleave(" = NULL [x]"); - return NULL; - } --- -2.13.6 - 
diff --git a/efi-Add-SHIM-and-image-security-database-GUID-defini.patch b/efi-Add-SHIM-and-image-security-database-GUID-defini.patch deleted file mode 100644 index 4d380ea76..000000000 --- a/efi-Add-SHIM-and-image-security-database-GUID-defini.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 3a9fe1504e08824d894bb3a804c6a313f5d1be8a Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Tue, 25 Oct 2016 12:54:11 -0400 -Subject: [PATCH 11/20] efi: Add SHIM and image security database GUID - definitions - -Add the definitions for shim and image security database, both of which -are used widely in various Linux distros. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - include/linux/efi.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 2d089487d2da..ce943d5accfd 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -592,6 +592,9 @@ void efi_native_runtime_setup(void); - #define EFI_MEMORY_ATTRIBUTES_TABLE_GUID EFI_GUID(0xdcfa911d, 0x26eb, 0x469f, 0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20) - #define EFI_CONSOLE_OUT_DEVICE_GUID EFI_GUID(0xd3b36f2c, 0xd551, 0x11d4, 0x9a, 0x46, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d) - -+#define EFI_IMAGE_SECURITY_DATABASE_GUID EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f) -+#define EFI_SHIM_LOCK_GUID EFI_GUID(0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23) -+ - /* - * This GUID is used to pass to the kernel proper the struct screen_info - * structure that was populated by the stub based on the GOP protocol instance --- -2.9.3 - |