From a39d8a39a434c35c13e05733a0d81b6356640acf Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Mon, 10 Apr 2017 10:55:52 -0700
Subject: Re-add fix for cxusb DMA on stack (rhbz 1439613)
---
 ...Use-a-dma-capable-buffer-also-for-reading.patch | 63 ++++++++++++++++++++++
 kernel.spec | 6 +++
 2 files changed, 69 insertions(+)
 create mode 100644 1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
diff --git a/1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch b/1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
new file mode 100644
index 000000000..a3dec80d2
--- /dev/null
+++ b/1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
@@ -0,0 +1,63 @@
+From patchwork Sun Feb 5 14:57:59 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: [1/2,media] cxusb: Use a dma capable buffer also for reading
+From: =?utf-8?q?Stefan_Br=C3=BCns?=
+X-Patchwork-Id: 39207
+Message-Id:
+To:
+Cc: , Mauro Carvalho Chehab ,
+ Michael Krufky ,
+ =?UTF-8?q?Stefan=20Br=C3=BCns?=
+Date: Sun, 5 Feb 2017 15:57:59 +0100
+
+Commit 17ce039b4e54 ("[media] cxusb: don't do DMA on stack")
+added a kmalloc'ed bounce buffer for writes, but missed to do the same
+for reads. As the read only happens after the write is finished, we can
+reuse the same buffer.
+
+As dvb_usb_generic_rw handles a read length of 0 by itself, avoid calling
+it using the dvb_usb_generic_read wrapper function.
+
+Signed-off-by: Stefan BrĂ¼ns
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
+index 9b8c82d94b3f..8f28a63597bd 100644
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -59,23 +59,24 @@ static int cxusb_ctrl_msg(struct dvb_usb_device *d,
+ u8 cmd, u8 *wbuf, int wlen, u8 *rbuf, int rlen)
+ {
+ struct cxusb_state *st = d->priv;
+- int ret, wo;
++ int ret;
+
+ if (1 + wlen > MAX_XFER_SIZE) {
+ warn("i2c wr: len=%d is too big!\n", wlen);
+ return -EOPNOTSUPP;
+ }
+
+- wo = (rbuf == NULL || rlen == 0); /* write-only */
++ if (rlen > MAX_XFER_SIZE) {
++ warn("i2c rd: len=%d is too big!\n", rlen);
++ return -EOPNOTSUPP;
++ }
+
+ mutex_lock(&d->data_mutex);
+ st->data[0] = cmd;
+ memcpy(&st->data[1], wbuf, wlen);
+- if (wo)
+- ret = dvb_usb_generic_write(d, st->data, 1 + wlen);
+- else
+- ret = dvb_usb_generic_rw(d, st->data, 1 + wlen,
+- rbuf, rlen, 0);
++ ret = dvb_usb_generic_rw(d, st->data, 1 + wlen, st->data, rlen, 0);
++ if (!ret && rbuf && rlen)
++ memcpy(rbuf, st->data, rlen);
+
+ mutex_unlock(&d->data_mutex);
+ return ret;
diff --git a/kernel.spec b/kernel.spec
index a2b276a90..37662c98f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -616,6 +616,9 @@ Patch860: 0001-ping-implement-proper-locking.patch
 Patch861: 0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch
+#rhbz 1439613
+Patch862: 1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2185,6 +2188,9 @@ fi
 #
 #
 %changelog
+* Mon Apr 10 2017 Laura Abbott
+- Re-add fix for cxusb DMA on stack (rhbz 1439613)
+
 * Mon Apr 10 2017 Justin M. Forbes - 4.10.9-200
 - Linux v4.10.9
-- cgit
From 78568f86d42e207004b1af06a44b6f986c6ce300 Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Tue, 11 Apr 2017 09:17:23 -0700
Subject: Fix for openshift networking (rhbz 1441310)
---
 kernel.spec | 6 ++++++
 rhbz_1441310.patch | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 rhbz_1441310.patch
diff --git a/kernel.spec b/kernel.spec
index 37662c98f..e67894dc0 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -619,6 +619,9 @@ Patch861: 0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch
 #rhbz 1439613
 Patch862: 1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
+#rhbz 1441310
+Patch863: rhbz_1441310.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2188,6 +2191,9 @@ fi
 #
 #
 %changelog
+* Tue Apr 11 2017 Laura Abbott
+- Fix for openshift networking (rhbz 1441310)
+
 * Mon Apr 10 2017 Laura Abbott
 - Re-add fix for cxusb DMA on stack (rhbz 1439613)
diff --git a/rhbz_1441310.patch b/rhbz_1441310.patch
new file mode 100644
index 000000000..63a404ec6
--- /dev/null
+++ b/rhbz_1441310.patch
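Review bot: The read-length guard added to cxusb_ctrl_msg(), `if (rlen > MAX_XFER_SIZE)`, bounds `rlen` only from above, and `rlen` is a signed `int`: a negative value passes the guard and, if the transfer call returns 0, reaches `memcpy(rbuf, st->data, rlen)` where it converts to a very large size. The callers are not visible here and may only ever pass small non-negative lengths, but rejecting the negative case costs one comparison: `if (rlen < 0 || rlen > MAX_XFER_SIZE) {`. Separately, a call with `rbuf == NULL` and a non-zero `rlen` used to take the write-only path and now requests a read into `st->data`; passing `rbuf ? rlen : 0` as the read length would keep the old behaviour. The function's closing brace lies outside the hunk.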
@@ -0,0 +1,37 @@
+From 425df17ce3a26d98f76e2b6b0af2acf4aeb0b026 Mon Sep 17 00:00:00 2001
+From: Jarno Rajahalme
+Date: Tue, 14 Feb 2017 21:16:28 -0800
+Subject: openvswitch: Set internal device max mtu to ETH_MAX_MTU.
+
+Commit 91572088e3fd ("net: use core MTU range checking in core net
+infra") changed the openvswitch internal device to use the core net
+infra for controlling the MTU range, but failed to actually set the
+max_mtu as described in the commit message, which now defaults to
+ETH_DATA_LEN.
+
+This patch fixes this by setting max_mtu to ETH_MAX_MTU after
+ether_setup() call.
+
+Fixes: 91572088e3fd ("net: use core MTU range checking in core net infra")
+Signed-off-by: Jarno Rajahalme
+Signed-off-by: David S. Miller
+---
+ net/openvswitch/vport-internal_dev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
+index 09141a1..89193a6 100644
+--- a/net/openvswitch/vport-internal_dev.c
++++ b/net/openvswitch/vport-internal_dev.c
+@@ -149,6 +149,8 @@ static void do_setup(struct net_device *netdev)
+ {
+ ether_setup(netdev);
+
++ netdev->max_mtu = ETH_MAX_MTU;
++
+ netdev->netdev_ops = &internal_dev_netdev_ops;
+
+ netdev->priv_flags &= ~IFF_TX_SKB_SHARING;
+--
+cgit v1.1
+
-- cgit
From b13dddecaf96c23ca81a1bddf442be4ab44e2bea Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Tue, 11 Apr 2017 15:12:54 -0500
Subject: Fix CVE-2017-7308 and CVE-2017-7618
---
 CVE-2017-7308.patch | 107 +++++++++++++++++
 CVE-2017-7618.patch | 254 +++++++++++++++++++++++++++++++++++++++
 baseconfig/arm/CONFIG_HAMRADIO | 1 -
 kernel-aarch64-debug.config | 2 +-
 kernel-aarch64.config | 2 +-
 kernel-armv7hl-debug.config | 2 +-
 kernel-armv7hl-lpae-debug.config | 2 +-
 kernel-armv7hl-lpae.config | 2 +-
 kernel-armv7hl.config | 2 +-
 kernel.spec | 11 ++
 10 files changed, 378 insertions(+), 7 deletions(-)
 create mode 100644 CVE-2017-7308.patch
 create mode 100644 CVE-2017-7618.patch
 delete mode 100644 baseconfig/arm/CONFIG_HAMRADIO
diff --git a/CVE-2017-7308.patch b/CVE-2017-7308.patch
new file mode 100644
index 000000000..c257f9564
--- /dev/null
+++ b/CVE-2017-7308.patch
@@ -0,0 +1,107 @@
+From 2b6867c2ce76c596676bec7d2d525af525fdc6e2 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Wed, 29 Mar 2017 16:11:20 +0200
+Subject: [PATCH] net/packet: fix overflow in check for priv area size
+
+Subtracting tp_sizeof_priv from tp_block_size and casting to int
+to check whether one is less then the other doesn't always work
+(both of them are unsigned ints).
+
+Compare them as is instead.
+
+Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
+it can overflow inside BLK_PLUS_PRIV otherwise.
+
+Signed-off-by: Andrey Konovalov
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+---
+ net/packet/af_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index a0dbe7c..2323ee3 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4193,8 +4193,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+ goto out;
+ if (po->tp_version >= TPACKET_V3 &&
+- (int)(req->tp_block_size -
+- BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
++ req->tp_block_size <=
++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+ goto out;
+ if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+ po->tp_reserve))
+--
+2.9.3
+
+From 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Wed, 29 Mar 2017 16:11:21 +0200
+Subject: [PATCH] net/packet: fix overflow in check for tp_frame_nr
+
+When calculating rb->frames_per_block * req->tp_block_nr the result
+can overflow.
+
+Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
+
+Since frames_per_block <= tp_block_size, the expression would
+never overflow.
+
+Signed-off-by: Andrey Konovalov
+Acked-by: Eric Dumazet
+Signed-off-by: David S.
Miller
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 2323ee3..3ac286e 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4205,6 +4205,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
+ if (unlikely(rb->frames_per_block == 0))
+ goto out;
++ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
++ goto out;
+ if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
+ req->tp_frame_nr))
+ goto out;
+--
+2.9.3
+
+From bcc5364bdcfe131e6379363f089e7b4108d35b70 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Wed, 29 Mar 2017 16:11:22 +0200
+Subject: [PATCH] net/packet: fix overflow in check for tp_reserve
+
+When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
+
+Fix by checking that tp_reserve <= INT_MAX on assign.
+
+Signed-off-by: Andrey Konovalov
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 3ac286e..8489bef 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3665,6 +3665,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
++ if (val > INT_MAX)
++ return -EINVAL;
+ po->tp_reserve = val;
+ return 0;
+ }
+--
+2.9.3
+
diff --git a/CVE-2017-7618.patch b/CVE-2017-7618.patch
new file mode 100644
index 000000000..4e06b1d9a
--- /dev/null
+++ b/CVE-2017-7618.patch
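Review bot: The overflow check added at `@@ -4205` in packet_set_ring(), `req->tp_block_size > UINT_MAX / req->tp_block_nr`, divides by a field of the caller-supplied ring request, and nothing inside the hunk shows that `tp_block_nr` is non-zero at that point. If an enclosing test outside the hunk already guarantees it (the function body extends well beyond these lines), a one-line comment above the check would record the dependency, for example `/* tp_block_nr is non-zero here, see the enclosing test */`. In the packet_setsockopt() hunk, `if (val > INT_MAX)` is only meaningful when `val` is unsigned; its declaration is also outside the hunk, so that is worth confirming.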
@@ -0,0 +1,254 @@
+From: Herbert Xu
+Date: 2017-04-10 9:27:57
+Subject: [PATCH v2] crypto: ahash - Fix EINPROGRESS notification callback
+
+On Mon, Apr 10, 2017 at 11:21:27AM +0200, Sabrina Dubroca wrote:
+>
+> > Cc:
+>
+> Should that be stable@vger.kernel.org?
+
+Oops :)
+
+> > Reported-by: Sabrina Dubroca
+>
> Signed-off-by: Herbert Xu
+>
+> The definition of ahash_request_flags() was missing, so I added:
+>
+> static inline u32 ahash_request_flags(struct ahash_request *req)
+> {
+> return req->base.flags;
+> }
+>
+> And with this, my tests seem fine.
+>
+> Tested-by: Sabrina Dubroca
+> Could also you change the 'Reported-by:' to that email address?
+
+OK, here is v2.
+
+---8<---
+The ahash API modifies the request's callback function in order
+to clean up after itself in some corner cases (unaligned final
+and missing finup).
+
+When the request is complete ahash will restore the original
+callback and everything is fine. However, when the request gets
+an EBUSY on a full queue, an EINPROGRESS callback is made while
+the request is still ongoing.
+
+In this case the ahash API will incorrectly call its own callback.
+
+This patch fixes the problem by creating a temporary request
+object on the stack which is used to relay EINPROGRESS back to
+the original completion function.
+
+This patch also adds code to preserve the original flags value.
+
+Fixes: ab6bf4e5e5e4 ("crypto: hash - Fix the pointer voodoo in...")
+Cc:
+Reported-by: Sabrina Dubroca
+Tested-by: Sabrina Dubroca
+Signed-off-by: Herbert Xu
+
+diff --git a/crypto/ahash.c b/crypto/ahash.c
+index e58c497..1810feb 100644
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -32,6 +32,7 @@ struct ahash_request_priv {
+ crypto_completion_t complete;
+ void *data;
+ u8 *result;
++ u32 flags;
+ void *ubuf[] CRYPTO_MINALIGN_ATTR;
+ };
+
+@@ -253,6 +254,8 @@ static int ahash_save_req(struct ahash_request *req, crypto_completion_t cplt)
+ priv->result = req->result;
+ priv->complete = req->base.complete;
+ priv->data = req->base.data;
++ priv->flags = req->base.flags;
++
+ /*
+ * WARNING: We do not backup req->priv here!
The req->priv
+ * is for internal use of the Crypto API and the
+@@ -267,38 +270,44 @@ static int ahash_save_req(struct ahash_request *req, crypto_completion_t cplt)
+ return 0;
+ }
+
+-static void ahash_restore_req(struct ahash_request *req)
++static void ahash_restore_req(struct ahash_request *req, int err)
+ {
+ struct ahash_request_priv *priv = req->priv;
+
++ if (!err)
++ memcpy(priv->result, req->result,
++ crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
++
+ /* Restore the original crypto request. */
+ req->result = priv->result;
+- req->base.complete = priv->complete;
+- req->base.data = priv->data;
++
++ ahash_request_set_callback(req, priv->flags,
++ priv->complete, priv->data);
+ req->priv = NULL;
+
+ /* Free the req->priv.priv from the ADJUSTED request. */
+ kzfree(priv);
+ }
+
+-static void ahash_op_unaligned_finish(struct ahash_request *req, int err)
++static void ahash_notify_einprogress(struct ahash_request *req)
+ {
+ struct ahash_request_priv *priv = req->priv;
++ struct crypto_async_request oreq;
+
+- if (err == -EINPROGRESS)
+- return;
++ oreq.data = priv->data;
+
+- if (!err)
+- memcpy(priv->result, req->result,
+- crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
+-
+- ahash_restore_req(req);
++ priv->complete(&oreq, -EINPROGRESS);
+ }
+
+ static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
+ {
+ struct ahash_request *areq = req->data;
+
++ if (err == -EINPROGRESS) {
++ ahash_notify_einprogress(areq);
++ return;
++ }
++
+ /*
+ * Restore the original request, see ahash_op_unaligned() for what
+ * goes where.
+@@ -309,7 +318,7 @@ static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
+ */
+
+ /* First copy req->result into req->priv.result */
+- ahash_op_unaligned_finish(areq, err);
++ ahash_restore_req(areq, err);
+
+ /* Complete the ORIGINAL request.
*/
+ areq->base.complete(&areq->base, err);
+@@ -325,7 +334,12 @@ static int ahash_op_unaligned(struct ahash_request *req,
+ return err;
+
+ err = op(req);
+- ahash_op_unaligned_finish(req, err);
++ if (err == -EINPROGRESS ||
++ (err == -EBUSY && (ahash_request_flags(req) &
++ CRYPTO_TFM_REQ_MAY_BACKLOG)))
++ return err;
++
++ ahash_restore_req(req, err);
+
+ return err;
+ }
+@@ -360,25 +374,14 @@ int crypto_ahash_digest(struct ahash_request *req)
+ }
+ EXPORT_SYMBOL_GPL(crypto_ahash_digest);
+
+-static void ahash_def_finup_finish2(struct ahash_request *req, int err)
++static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
+ {
+- struct ahash_request_priv *priv = req->priv;
++ struct ahash_request *areq = req->data;
+
+ if (err == -EINPROGRESS)
+ return;
+
+- if (!err)
+- memcpy(priv->result, req->result,
+- crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
+-
+- ahash_restore_req(req);
+-}
+-
+-static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
+-{
+- struct ahash_request *areq = req->data;
+-
+- ahash_def_finup_finish2(areq, err);
++ ahash_restore_req(areq, err);
+
+ areq->base.complete(&areq->base, err);
+ }
+@@ -389,11 +392,15 @@ static int ahash_def_finup_finish1(struct ahash_request *req, int err)
+ goto out;
+
+ req->base.complete = ahash_def_finup_done2;
+- req->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
++
+ err = crypto_ahash_reqtfm(req)->final(req);
++ if (err == -EINPROGRESS ||
++ (err == -EBUSY && (ahash_request_flags(req) &
++ CRYPTO_TFM_REQ_MAY_BACKLOG)))
++ return err;
+
+ out:
+- ahash_def_finup_finish2(req, err);
++ ahash_restore_req(req, err);
+ return err;
+ }
+
+@@ -401,7 +408,16 @@ static void ahash_def_finup_done1(struct crypto_async_request *req, int err)
+ {
+ struct ahash_request *areq = req->data;
+
++ if (err == -EINPROGRESS) {
++ ahash_notify_einprogress(areq);
++ return;
++ }
++
++ areq->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
++
+ err = ahash_def_finup_finish1(areq, err);
++ if
(areq->priv)
++ return;
+
+ areq->base.complete(&areq->base, err);
+ }
+@@ -416,6 +432,11 @@ static int ahash_def_finup(struct ahash_request *req)
+ return err;
+
+ err = tfm->update(req);
++ if (err == -EINPROGRESS ||
++ (err == -EBUSY && (ahash_request_flags(req) &
++ CRYPTO_TFM_REQ_MAY_BACKLOG)))
++ return err;
++
+ return ahash_def_finup_finish1(req, err);
+ }
+
+diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
+index 1d4f365..f6d9af3e 100644
+--- a/include/crypto/internal/hash.h
++++ b/include/crypto/internal/hash.h
+@@ -166,6 +166,16 @@ static inline struct ahash_instance *ahash_alloc_instance(
+ return crypto_alloc_instance2(name, alg, ahash_instance_headroom());
+ }
+
++static inline void ahash_request_complete(struct ahash_request *req, int err)
++{
++ req->base.complete(&req->base, err);
++}
++
++static inline u32 ahash_request_flags(struct ahash_request *req)
++{
++ return req->base.flags;
++}
++
+ static inline struct crypto_ahash *crypto_spawn_ahash(
+ struct crypto_ahash_spawn *spawn)
+ {
+--
+Email: Herbert Xu
+Home Page: http://gondor.apana.org.au/~herbert/
+PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
diff --git a/baseconfig/arm/CONFIG_HAMRADIO b/baseconfig/arm/CONFIG_HAMRADIO
deleted file mode 100644
index 477ae40db..000000000
--- a/baseconfig/arm/CONFIG_HAMRADIO
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_HAMRADIO is not set
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 819c50e8a..7f084c7c2 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -1707,7 +1707,7 @@ CONFIG_GREENASIA_FF=y
 # CONFIG_GS_FPGABOOT is not set
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index a47228fd8..8af5c11d0 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
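Review bot: `ahash_notify_einprogress()` hands the completion callback a stack `struct crypto_async_request oreq` in which only `data` has been assigned, so every other member holds indeterminate stack contents. A callback that reads only `req->data` is unaffected, but one that inspects any other member (the struct layout is not visible here) would read uninitialised kernel stack. Zero-initialising the temporary closes that off: `struct crypto_async_request oreq = { .data = priv->data };`. The `ahash_request_complete()` helper added in hash.h is also not used by any of the visible ahash.c hunks, which still call `areq->base.complete(&areq->base, err)` directly.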
@@ -1690,7 +1690,7 @@ CONFIG_GREENASIA_FF=y
 # CONFIG_GS_FPGABOOT is not set
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index ffadf9aea..12c8a4f20 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -1865,7 +1865,7 @@ CONFIG_GREENASIA_FF=y
 CONFIG_GS_FPGABOOT=m
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index dc6d68dcc..04c6d88f1 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -1774,7 +1774,7 @@ CONFIG_GREENASIA_FF=y
 # CONFIG_GS_FPGABOOT is not set
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index 1d2fa42ef..493546405 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -1758,7 +1758,7 @@ CONFIG_GREENASIA_FF=y
 # CONFIG_GS_FPGABOOT is not set
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index 1aa3356e9..ca72b40df 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -1849,7 +1849,7 @@ CONFIG_GREENASIA_FF=y
 CONFIG_GS_FPGABOOT=m
 CONFIG_GTP=m
 CONFIG_HAMACHI=m
-# CONFIG_HAMRADIO is not set
+CONFIG_HAMRADIO=y
 CONFIG_HANGCHECK_TIMER=m
 CONFIG_HAPPYMEAL=m
 CONFIG_HARDENED_USERCOPY=y
diff --git a/kernel.spec b/kernel.spec
index e67894dc0..babc8e9d1 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -622,6 +622,12 @@ Patch862: 1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
 #rhbz 1441310
 Patch863: rhbz_1441310.patch
+# CVE-2017-7618.patch rhbz 1441095 1441093
+Patch865: CVE-2017-7618.patch
+
+# CVE-2017-7308 rhbz 1437404 1437406
+Patch866: CVE-2017-7308.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2191,6 +2197,11 @@ fi
 #
 #
 %changelog
+* Tue Apr 11 2017 Justin M. Forbes
+- Fix CVE-2017-7618 (rhbz 1441095 1441093)
+- Fix CVE-2017-7308 (rhbz 1437404 1437406)
+- Turn on CONFIG_HAMRADIO for arm (rhbz 1425990)
+
 * Tue Apr 11 2017 Laura Abbott
 - Fix for openshift networking (rhbz 1441310)
-- cgit
From 30c5e4f52c5d470cf6dc1584d9f0d3429ca608d6 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Wed, 12 Apr 2017 07:03:40 -0500
Subject: Linux v4.10.10
---
 ...ce-Don-t-print-MCEs-when-mcelog-is-active.patch | 65 ----------------------
 kernel.spec | 15 ++---
 kvm-fix-page-struct-leak-in-handle_vmon.patch | 49 ----------------
 sources | 2 +-
 ...k-that-number-of-mip-levels-is-above-zero.patch | 33 -----------
 5 files changed, 6 insertions(+), 158 deletions(-)
 delete mode 100644 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
 delete mode 100644 kvm-fix-page-struct-leak-in-handle_vmon.patch
 delete mode 100644 vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
diff --git a/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch b/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
deleted file mode 100644
index d682dcc42..000000000
--- a/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From cc66afea58f858ff6da7f79b8a595a67bbb4f9a9 Mon Sep 17 00:00:00 2001
-From: Andi Kleen
-Date: Mon, 27 Mar 2017 11:32:59 +0200
-Subject: [PATCH] x86/mce: Don't print MCEs when mcelog is active
-
-Since:
-
- cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
-
-all MCEs are printed even when mcelog is running. Fix the regression to
-not print to dmesg when mcelog is running as it is a consumer too.
-
-Signed-off-by: Andi Kleen
-[ Massage commit message. ]
-Signed-off-by: Borislav Petkov
-Cc: Linus Torvalds
-Cc: Peter Zijlstra
-Cc: Thomas Gleixner
-Cc: Tony Luck
-Cc: linux-edac
-Cc: stable@vger.kernel.org # 4.10..
-Fixes: cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
-Link: http://lkml.kernel.org/r/20170327093304.10683-2-bp@alien8.de
-Signed-off-by: Ingo Molnar
-
-Signed-off-by: Ingo Molnar
----
- arch/x86/kernel/cpu/mcheck/mce.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
-index 8e9725c..5accfbd 100644
---- a/arch/x86/kernel/cpu/mcheck/mce.c
-+++ b/arch/x86/kernel/cpu/mcheck/mce.c
-@@ -54,6 +54,8 @@
-
- static DEFINE_MUTEX(mce_chrdev_read_mutex);
-
-+static int mce_chrdev_open_count; /* #times opened */
-+
- #define mce_log_get_idx_check(p) \
- ({ \
- RCU_LOCKDEP_WARN(!rcu_read_lock_sched_held() && \
-@@ -598,6 +600,10 @@ static int mce_default_notifier(struct notifier_block *nb, unsigned long val,
- if (atomic_read(&num_notifiers) > 2)
- return NOTIFY_DONE;
-
-+ /* Don't print when mcelog is running */
-+ if (mce_chrdev_open_count > 0)
-+ return NOTIFY_DONE;
-+
- __print_mce(m);
-
- return NOTIFY_DONE;
-@@ -1828,7 +1834,6 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c)
- */
-
- static DEFINE_SPINLOCK(mce_chrdev_state_lock);
--static int mce_chrdev_open_count; /* #times opened */
- static int mce_chrdev_open_exclu; /* already open exclusive?
*/
-
- static int mce_chrdev_open(struct inode *inode, struct file *file)
---
-2.9.3
-
diff --git a/kernel.spec b/kernel.spec
index babc8e9d1..b231b59ff 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 9
+%define stable_update 10
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -599,18 +599,9 @@ Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch
 # selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
 Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
-#CVE-2017-2596 rhbz 1417812 1417813
-Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
-
-#CVE-2017-7261 rhbz 1435719 1435740
-Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
-
 #CVE-2017-7277 rhbz 1436629 1436661
 Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
-# rhbz 1438316
-Patch859: 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
-
 # CVE-2017-2671 rhbz 1436649 1436663
 Patch860: 0001-ping-implement-proper-locking.patch
@@ -2197,6 +2188,10 @@ fi
 #
 #
 %changelog
+* Wed Apr 12 2017 Justin M. Forbes - 4.10.10-200
+- Linux v4.10.10
+- CVE-2017-7616 (rhbz 1441088 1441093)
+
 * Tue Apr 11 2017 Justin M. Forbes
 - Fix CVE-2017-7618 (rhbz 1441095 1441093)
 - Fix CVE-2017-7308 (rhbz 1437404 1437406)
diff --git a/kvm-fix-page-struct-leak-in-handle_vmon.patch b/kvm-fix-page-struct-leak-in-handle_vmon.patch
deleted file mode 100644
index b29bcea03..000000000
--- a/kvm-fix-page-struct-leak-in-handle_vmon.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From patchwork Tue Jan 24 10:56:21 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: kvm: fix page struct leak in handle_vmon
-From: Paolo Bonzini
-X-Patchwork-Id: 9534885
-Message-Id: <1485255381-18069-1-git-send-email-pbonzini@redhat.com>
-To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
-Cc: dvyukov@google.com
-Date: Tue, 24 Jan 2017 11:56:21 +0100
-
-handle_vmon gets a reference on VMXON region page,
-but does not release it. Release the reference.
-
-Found by syzkaller; based on a patch by Dmitry.
-
-Reported-by: Dmitry Vyukov
-Signed-off-by: Paolo Bonzini
-Reviewed-by: David Hildenbrand
----
- arch/x86/kvm/vmx.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 42cc3d6f4d20..0f7345035210 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -7085,13 +7085,18 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
- }
-
- page = nested_get_page(vcpu, vmptr);
-- if (page == NULL ||
-- *(u32 *)kmap(page) != VMCS12_REVISION) {
-+ if (page == NULL) {
- nested_vmx_failInvalid(vcpu);
-+ return kvm_skip_emulated_instruction(vcpu);
-+ }
-+ if (*(u32 *)kmap(page) != VMCS12_REVISION) {
- kunmap(page);
-+ nested_release_page_clean(page);
-+ nested_vmx_failInvalid(vcpu);
- return kvm_skip_emulated_instruction(vcpu);
- }
- kunmap(page);
-+ nested_release_page_clean(page);
- vmx->nested.vmxon_ptr = vmptr;
- break;
- case EXIT_REASON_VMCLEAR:
diff --git a/sources b/sources
index e6820718f..3e1d074ac 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-4.10.tar.xz) = c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90
 SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
-SHA512 (patch-4.10.9.xz) = 867cdcf1e6ceee58dec7eb913e119dcaa75255cef1ad2dd9eb0eead6a918a202e3b6656770422d547a7758236a8589c70d49fa4045de867b77a04480f97c242d
+SHA512 (patch-4.10.10.xz) = 264d156d7a3b1f3b3a80a7a9dc9a358b5cd582d8d894c482f3c9eb5af4eca64439720d5b9b141ae57f7845dfab59563497faae8e6fb666aeec86aab6b8df904a
diff --git a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
deleted file mode 100644
index 1ede96c60..000000000
--- a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Vladis Dronov
-Subject: [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl()
-Date: 2017-03-24 15:37:10
-
-In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a
-user-controlled value which is not checked for zero. It is used in
-a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR
-is dereferenced which leads to a GPF and possibly to a kernel panic.
-Add the check for zero to avoid this.
-
-Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719
-Signed-off-by: Vladis Dronov
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index b445ce9..42840cc 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
- num_sizes += req->mip_levels[i];
-
-- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
-- DRM_VMW_MAX_MIP_LEVELS)
-+ if (num_sizes <= 0 ||
-+ num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)
- return -EINVAL;
-
- size = vmw_user_surface_size + 128 +
---
-2.9.3
-- cgit