From 0f8450abed9d01fe80b83408401c4f1b523d8d69 Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Mon, 14 Jan 2019 11:07:47 -0500
Subject: Linux v4.19.15

---
 CVE-2019-3459-and-CVE-2019-3460.patch | 167 +++++++++++++++++++++
 ...vc4-set-is_yuv-to-false-when-num_planes-1.patch | 40 -----
 kernel.spec | 11 +-
 sources | 2 +-
 4 files changed, 176 insertions(+), 44 deletions(-)
 create mode 100644 CVE-2019-3459-and-CVE-2019-3460.patch
 delete mode 100644 bcm283x-drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch

diff --git a/CVE-2019-3459-and-CVE-2019-3460.patch b/CVE-2019-3459-and-CVE-2019-3460.patch
new file mode 100644
index 000000000..c7fa62736
--- /dev/null
+++ b/CVE-2019-3459-and-CVE-2019-3460.patch
@@ -0,0 +1,167 @@
+From 20614b74e481f0c9f94032ae99f110d4647b65a6 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 10 Jan 2019 07:28:33 +0100
+Subject: [PATCH 1/2] Bluetooth: check message types in l2cap_get_conf_opt
+
+l2cap_get_conf_opt can handle a "default" message type, but it needs to
+be verified that it really is the correct type (CONF_EFS or CONF_RFC)
+before passing it back to the caller. To do this we need to check the
+return value of this call now and handle the error correctly up the
+stack.
+
+Based on a patch from Ran Menscher.
+
+Reported-by: Ran Menscher
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jeremy Cline
+---
+ net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index d17a4736e47c..a0ce6e8e5ef7 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -2979,6 +2979,10 @@ static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
+ break;
+
+ default:
++ /* Only CONF_EFS and CONF_RFC are allowed here */
++ if ((opt->type != L2CAP_CONF_EFS) &&
++ (opt->type != L2CAP_CONF_RFC))
++ return -EPROTO;
+ *val = (unsigned long) opt->val;
+ break;
+ }
+@@ -3323,7 +3327,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
+ void *endptr = data + data_size;
+ void *req = chan->conf_req;
+ int len = chan->conf_len;
+- int type, hint, olen;
++ int type, hint, olen, err;
+ unsigned long val;
+ struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
+ struct l2cap_conf_efs efs;
+@@ -3335,7 +3339,10 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
+ BT_DBG("chan %p", chan);
+
+ while (len >= L2CAP_CONF_OPT_SIZE) {
+- len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
++ err = l2cap_get_conf_opt(&req, &type, &olen, &val);
++ if (err < 0)
++ return err;
++ len -= err;
+
+ hint = type & L2CAP_CONF_HINT;
+ type &= L2CAP_CONF_MASK;
+@@ -3538,7 +3545,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+ struct l2cap_conf_req *req = data;
+ void *ptr = req->data;
+ void *endptr = data + size;
+- int type, olen;
++ int type, olen, err;
+ unsigned long val;
+ struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
+ struct l2cap_conf_efs efs;
+@@ -3546,7 +3553,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+ BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
+
+ while (len >= L2CAP_CONF_OPT_SIZE) {
+- len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
++ err = l2cap_get_conf_opt(&rsp, &type, &olen, &val);
++ if (err < 0)
++ return err;
++ len -= err;
+
+ switch (type) {
+ case L2CAP_CONF_MTU:
+@@ -3706,7 +3716,7 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
+
+ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
+ {
+- int type, olen;
++ int type, olen, err;
+ unsigned long val;
+ /* Use sane default values in case a misbehaving remote device
+ * did not send an RFC or extended window size option.
+@@ -3726,7 +3736,10 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
+ return;
+
+ while (len >= L2CAP_CONF_OPT_SIZE) {
+- len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
++ err = l2cap_get_conf_opt(&rsp, &type, &olen, &val);
++ if (err < 0)
++ return;
++ len -= err;
+
+ switch (type) {
+ case L2CAP_CONF_RFC:
+-- 
+2.20.1
+
+From 50cd5314f5ffa264906f4986f414750d648c4ece Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 10 Jan 2019 07:29:17 +0100
+Subject: [PATCH 2/2] Bluetooth: check the buffer size for some messages before
+ parsing
+
+The L2CAP_CONF_EFS and L2CAP_CONF_RFC messages can be sent from
+userspace so their structure sizes need to be checked before parsing
+them.
+
+Based on a patch from Ran Menscher.
+
+Reported-by: Ran Menscher
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jeremy Cline
+---
+ net/bluetooth/l2cap_core.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index a0ce6e8e5ef7..d8d3cbdc0d29 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3360,7 +3360,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
+ break;
+
+ case L2CAP_CONF_RFC:
+- if (olen == sizeof(rfc))
++ if ((olen == sizeof(rfc)) &&
++ (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(rfc)))
+ memcpy(&rfc, (void *) val, olen);
+ break;
+
+@@ -3370,7 +3371,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
+ break;
+
+ case L2CAP_CONF_EFS:
+- if (olen == sizeof(efs)) {
++ if ((olen == sizeof(efs)) &&
++ (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(efs))) {
+ remote_efs = 1;
+ memcpy(&efs, (void *) val, olen);
+ }
+@@ -3575,7 +3577,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+ break;
+
+ case L2CAP_CONF_RFC:
+- if (olen == sizeof(rfc))
++ if ((olen == sizeof(rfc)) &&
++ (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(rfc)))
+ memcpy(&rfc, (void *)val, olen);
+
+ if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
+@@ -3595,7 +3598,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+ break;
+
+ case L2CAP_CONF_EFS:
+- if (olen == sizeof(efs)) {
++ if ((olen == sizeof(efs)) &&
++ (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(efs))) {
+ memcpy(&efs, (void *)val, olen);
+
+ if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+-- 
+2.20.1
+
diff --git a/bcm283x-drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch b/bcm283x-drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch
deleted file mode 100644
index 5aa9668bc..000000000
--- a/bcm283x-drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch
+++ /dev/null
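Review bot: The size guard added by the second nested patch bounds the wrong buffer: in the l2cap_parse_conf_rsp hunk the context shows `void *ptr = req->data; void *endptr = data + size;`, so `endptr - ptr` is the space left in the response being built in `data`, while the `memcpy(&rfc, (void *)val, olen)` it gates reads from `val`, which l2cap_get_conf_opt derived from the parsed input `rsp`. The same holds for the EFS case and for the two l2cap_parse_conf_req hunks, where `ptr`/`endptr` likewise belong to `data` and the option comes from `chan->conf_req` bounded by `len`. If, as the `len -= err;` lines suggest, the value returned by l2cap_get_conf_opt is the option's total size, an option whose declared length overruns the input can instead be rejected right after the subtraction with `if (len < 0) return -EPROTO;` (a bare `return;` in the void l2cap_conf_rfc_get), or by having l2cap_get_conf_opt compare `opt->len` against the bytes remaining. Note also that `endptr - ptr` is a ptrdiff_t compared against a size_t, so the comparison is performed unsigned and a negative distance would satisfy it. All of the touched functions begin and end outside these hunks.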
@@ -1,40 +0,0 @@
-From patchwork Tue Oct 9 13:24:46 2018
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: drm/vc4: Set ->is_yuv to false when num_planes == 1
-From: Boris Brezillon
-X-Patchwork-Id: 255528
-Message-Id: <20181009132446.21960-1-boris.brezillon@bootlin.com>
-To: David Airlie , Daniel Vetter ,
- dri-devel@lists.freedesktop.org, Eric Anholt
-Cc: Boris Brezillon , stable@vger.kernel.org
-Date: Tue, 9 Oct 2018 15:24:46 +0200
-
-When vc4_plane_state is duplicated ->is_yuv is left assigned to its
-previous value, and we never set it back to false when switching to
-a non-YUV format.
-
-Fix that by setting ->is_yuv to false in the 'num_planes == 1' branch
-of the vc4_plane_setup_clipping_and_scaling() function.
-
-Fixes: fc04023fafecf ("drm/vc4: Add support for YUV planes.")
-Cc:
-Signed-off-by: Boris Brezillon
-Reviewed-by: Eric Anholt
----
- drivers/gpu/drm/vc4/vc4_plane.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
-index d04b3c3246ba..60d5ad19cedd 100644
---- a/drivers/gpu/drm/vc4/vc4_plane.c
-+++ b/drivers/gpu/drm/vc4/vc4_plane.c
-@@ -321,6 +321,7 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state)
- if (vc4_state->is_unity)
- vc4_state->x_scaling[0] = VC4_SCALING_PPF;
- } else {
-+ vc4_state->is_yuv = false;
- vc4_state->x_scaling[1] = VC4_SCALING_NONE;
- vc4_state->y_scaling[1] = VC4_SCALING_NONE;
- }
diff --git a/kernel.spec b/kernel.spec
index 6fab00aa1..68efeba5b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 14
+%define stable_update 15
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -590,8 +590,6 @@ Patch311: gpio-pxa-handle-corner-case-of-unprobed-device.patch
 Patch330: bcm2835-cpufreq-add-CPU-frequency-control-driver.patch
-Patch331: bcm283x-drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch
-
 # https://patchwork.kernel.org/patch/10686407/
 Patch332: raspberrypi-Fix-firmware-calls-with-large-buffers.patch
@@ -641,6 +639,9 @@ Patch517: 0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch
 # CVE-2019-3701 rhbz 1663729 1663730
 Patch518: CVE-2019-3701.patch
+# CVE-2019-3459 and CVE-2019-3460 rbhz 1663176 1663179 1665925
+Patch519: CVE-2019-3459-and-CVE-2019-3460.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1902,6 +1903,10 @@ fi
 #
 #
 %changelog
+* Mon Jan 14 2019 Jeremy Cline - 4.19.15-300
+- Linux v4.19.15
+- Fix CVE-2019-3459 and CVE-2019-3460 (rbhz 1663176 1663179 1665925)
+
 * Wed Jan 09 2019 Jeremy Cline - 4.19.14-300
 - Linux v4.19.14
diff --git a/sources b/sources
index 50619ea8b..c6135fb7e 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (linux-4.19.tar.xz) = ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4
-SHA512 (patch-4.19.14.xz) = e94ae7235b689aac03cb8bf47f9ed004fd9ae97b6c9d65297c4ef8c2ef33372af148a1e3be49db47cd2911b1d5afcac8115952e607370ae85df4ddcd1caf15ca
+SHA512 (patch-4.19.15.xz) = f2f649d8d3951ea742d419037d1d712c853a6f2b1531bf00b88028ca36909838f93a6424d397461acc120ccbce993d41975ede7733f8d6640e209eb07655cc9f
-- cgit