From 813bda51224f9d9b0889ab6f91eebbbd98d2645a Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Mon, 19 Sep 2016 09:38:18 -0500
Subject: CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331)

---
 ...ffer-overflow-in-archmsr_iop_message_xfer.patch | 41 ++++++++++++++++++++++
 kernel.spec | 6 ++++
 2 files changed, 47 insertions(+)
 create mode 100644 arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch

diff --git a/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch b/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
new file mode 100644
index 000000000..81ed8814d
--- /dev/null
+++ b/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
@@ -0,0 +1,41 @@
+From: Dan Carpenter
+Date: 2016-09-15 13:44:56
+Subject: [patch v2] arcmsr: buffer overflow in arcmsr_iop_message_xfer()
+
+We need to put an upper bound on "user_len" so the memcpy() doesn't
+overflow.
+
+Reported-by: Marco Grassi
+Signed-off-by: Dan Carpenter
+Reviewed-by: Tomas Henzl
+
+diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
+index 7640498..110eca9 100644
+--- a/drivers/scsi/arcmsr/arcmsr_hba.c
++++ b/drivers/scsi/arcmsr/arcmsr_hba.c
+@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+ }
+ case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
+ unsigned char *ver_addr;
+- int32_t user_len, cnt2end;
++ uint32_t user_len;
++ int32_t cnt2end;
+ uint8_t *pQbuffer, *ptmpuserbuffer;
+ ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
+ if (!ver_addr) {
+@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+ }
+ ptmpuserbuffer = ver_addr;
+ user_len = pcmdmessagefld->cmdmessage.Length;
++ if (user_len > ARCMSR_API_DATA_BUFLEN) {
++ retvalue = ARCMSR_MESSAGE_FAIL;
++ kfree(ver_addr);
++ goto message_out;
++ }
+ memcpy(ptmpuserbuffer,
+ pcmdmessagefld->messagedatabuffer, user_len);
+ spin_lock_irqsave(&acb->wqbuffer_lock, flags);
+--
+To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/kernel.spec b/kernel.spec
index 824168ce2..26b71cfda 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -642,6 +642,9 @@ Patch863: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch
 #ongoing complaint, full discussion delayed until ksummit/plumbers
 Patch864: 0001-iio-Use-event-header-from-kernel-tree.patch
+#CVE-2016-7425 rhbz 1377330 1377331
+Patch865: arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch
+
 # END OF PATCH DEFINITIONS
 %endif
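Review bot: Changing `user_len` to `uint32_t` while `cnt2end` stays `int32_t` makes any later `user_len > cnt2end` comparison unsigned, so a negative `cnt2end` would read as a huge value and let the copy through; the rest of `arcmsr_iop_message_xfer`, where `cnt2end` is computed and compared, lies outside this hunk and should be checked for that case. The new bound covers only the destination: `ver_addr` is `kmalloc(ARCMSR_API_DATA_BUFLEN, ...)`, but the size of the source `pcmdmessagefld->messagedatabuffer` is not visible here, so confirm it holds at least `ARCMSR_API_DATA_BUFLEN` bytes or the `memcpy` can still over-read. A short comment on the check would save the next backporter a lookup, e.g. `/* Length comes from the caller's message; cap it at the ver_addr allocation (CVE-2016-7425) */`.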
@@ -2164,6 +2167,9 @@ fi
 #
 #
 %changelog
+* Mon Sep 19 2016 Justin M. Forbes
+- CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331)
+
 * Thu Sep 15 2016 Laura Abbott - 4.7.4-100
 - Linux v4.7.4
-- cgit
From 5100d1e5a75bf3b00025f8f34d80b1ec74cc89c1 Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Mon, 26 Sep 2016 08:11:36 -0700
Subject: Linux v4.7.5

---
 0001-OOM-detection-regressions-since-4.7.patch | 121 ---------------------
 ...dp-fix-poll-issue-with-zero-sized-packets.patch | 73 -------------
 kernel.spec | 11 +-
 sources | 2 +-
 4 files changed, 5 insertions(+), 202 deletions(-)
 delete mode 100644 0001-OOM-detection-regressions-since-4.7.patch
 delete mode 100644 0001-udp-fix-poll-issue-with-zero-sized-packets.patch

diff --git a/0001-OOM-detection-regressions-since-4.7.patch b/0001-OOM-detection-regressions-since-4.7.patch
deleted file mode 100644
index 4616c7f87..000000000
--- a/0001-OOM-detection-regressions-since-4.7.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From a7f80308bac4013728e33e2bcb9b60eee78f60fb Mon Sep 17 00:00:00 2001
-From: Michal Hocko
-Date: Mon, 22 Aug 2016 11:32:49 +0200
-Subject: [PATCH] OOM detection regressions since 4.7
-
-Hi,
-there have been multiple reports [1][2][3][4][5] about pre-mature OOM
-killer invocations since 4.7 which contains oom detection rework. All of
-them were for order-2 (kernel stack) alloaction requests failing because
-of a high fragmentation and compaction failing to make any forward
-progress. While investigating this we have found out that the compaction
-just gives up too early. Vlastimil has been working on compaction
-improvement for quite some time and his series [6] is already sitting
-in mmotm tree. This already helps a lot because it drops some heuristics
-which are more aimed at lower latencies for high orders rather than
-reliability. Joonsoo has then identified further problem with too many
-blocks being marked as unmovable [7] and Vlastimil has prepared a patch
-on top of his series [8] which is also in the mmotm tree now.
-
-That being said, the regression is real and should be fixed for 4.7
-stable users. [6][8] was reported to help and ooms are no longer
-reproducible. I know we are quite late (rc3) in 4.8 but I would vote
-for mergeing those patches and have them in 4.8. For 4.7 I would go
-with a partial revert of the detection rework for high order requests
-(see patch below). This patch is really trivial. If those compaction
-improvements are just too large for 4.8 then we can use the same patch
-as for 4.7 stable for now and revert it in 4.9 after compaction changes
-are merged.
-
-Thoughts?
-
-[1] http://lkml.kernel.org/r/20160731051121.GB307@x4
-[2] http://lkml.kernel.org/r/201608120901.41463.a.miskiewicz@gmail.com
-[3] http://lkml.kernel.org/r/20160801192620.GD31957@dhcp22.suse.cz
-[4] https://lists.opensuse.org/opensuse-kernel/2016-08/msg00021.html
-[5] https://bugzilla.opensuse.org/show_bug.cgi?id=994066
-[6] http://lkml.kernel.org/r/20160810091226.6709-1-vbabka@suse.cz
-[7] http://lkml.kernel.org/r/20160816031222.GC16913@js1304-P5Q-DELUXE
-[8] http://lkml.kernel.org/r/f7a9ea9d-bb88-bfd6-e340-3a933559305a@suse.cz
----
- mm/page_alloc.c | 50 ++------------------------------------------------
- 1 file changed, 2 insertions(+), 48 deletions(-)
-
-diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 8b3e134..6e35419 100644
---- a/mm/page_alloc.c
-+++ b/mm/page_alloc.c
-@@ -3254,53 +3254,6 @@ __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order,
- return NULL;
- }
- 
--static inline bool
--should_compact_retry(struct alloc_context *ac, int order, int alloc_flags,
-- enum compact_result compact_result, enum migrate_mode *migrate_mode,
-- int compaction_retries)
--{
-- int max_retries = MAX_COMPACT_RETRIES;
--
-- if (!order)
-- return false;
--
-- /*
-- * compaction considers all the zone as desperately out of memory
-- * so it doesn't really make much sense to retry except when the
-- * failure could be caused by weak migration mode.
-- */
-- if (compaction_failed(compact_result)) {
-- if (*migrate_mode == MIGRATE_ASYNC) {
-- *migrate_mode = MIGRATE_SYNC_LIGHT;
-- return true;
-- }
-- return false;
-- }
--
-- /*
-- * make sure the compaction wasn't deferred or didn't bail out early
-- * due to locks contention before we declare that we should give up.
-- * But do not retry if the given zonelist is not suitable for
-- * compaction.
-- */
-- if (compaction_withdrawn(compact_result))
-- return compaction_zonelist_suitable(ac, order, alloc_flags);
--
-- /*
-- * !costly requests are much more important than __GFP_REPEAT
-- * costly ones because they are de facto nofail and invoke OOM
-- * killer to move on while costly can fail and users are ready
-- * to cope with that. 1/4 retries is rather arbitrary but we
-- * would need much more detailed feedback from compaction to
-- * make a better decision.
-- */
-- if (order > PAGE_ALLOC_COSTLY_ORDER)
-- max_retries /= 4;
-- if (compaction_retries <= max_retries)
-- return true;
--
-- return false;
--}
- #else
- static inline struct page *
- __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order,
-@@ -3311,6 +3264,8 @@ __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order,
- return NULL;
- }
- 
-+#endif /* CONFIG_COMPACTION */
-+
- static inline bool
- should_compact_retry(struct alloc_context *ac, unsigned int order, int alloc_flags,
- enum compact_result compact_result,
-@@ -3337,7 +3292,6 @@ should_compact_retry(struct alloc_context *ac, unsigned int order, int alloc_fla
- }
- return false;
- }
--#endif /* CONFIG_COMPACTION */
- 
- /* Perform direct synchronous page reclaim */
- static int
---
-2.7.4
-
diff --git a/0001-udp-fix-poll-issue-with-zero-sized-packets.patch b/0001-udp-fix-poll-issue-with-zero-sized-packets.patch
deleted file mode 100644
index f5edf2340..000000000
--- a/0001-udp-fix-poll-issue-with-zero-sized-packets.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 9f30f83eb6347afa6b1d1df1065608c2b4485e2b Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Tue, 23 Aug 2016 13:59:33 -0700
-Subject: [PATCH] udp: fix poll() issue with zero sized packets
-
-Laura tracked poll() [and friends] regression caused by commit
-e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
-
-udp_poll() needs to know if there is a valid packet in receive queue,
-even if its payload length is 0.
-
-Change first_packet_length() to return an signed int, and use -1
-as the indication of an empty queue.
-
-Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
-Reported-by: Laura Abbott
-Signed-off-by: Eric Dumazet
-Tested-by: Laura Abbott
----
- net/ipv4/udp.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index e61f7cd..00d18c5 100644
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -1182,13 +1182,13 @@ out:
- * @sk: socket
- *
- * Drops all bad checksum frames, until a valid one is found.
-- * Returns the length of found skb, or 0 if none is found.
-+ * Returns the length of found skb, or -1 if none is found.
- */
--static unsigned int first_packet_length(struct sock *sk)
-+static int first_packet_length(struct sock *sk)
- {
- struct sk_buff_head list_kill, *rcvq = &sk->sk_receive_queue;
- struct sk_buff *skb;
-- unsigned int res;
-+ int res;
- 
- __skb_queue_head_init(&list_kill);
- 
-@@ -1203,7 +1203,7 @@ static unsigned int first_packet_length(struct sock *sk)
- __skb_unlink(skb, rcvq);
- __skb_queue_tail(&list_kill, skb);
- }
-- res = skb ? skb->len : 0;
-+ res = skb ? skb->len : -1;
- spin_unlock_bh(&rcvq->lock);
- 
- if (!skb_queue_empty(&list_kill)) {
-@@ -1232,7 +1232,7 @@ int udp_ioctl(struct sock *sk, int cmd, unsigned long arg)
- 
- case SIOCINQ:
- {
-- unsigned int amount = first_packet_length(sk);
-+ int amount = max_t(int, 0, first_packet_length(sk));
- 
- return put_user(amount, (int __user *)arg);
- }
-@@ -2184,7 +2184,7 @@ unsigned int udp_poll(struct file *file, struct socket *sock, poll_table *wait)
- 
- /* Check for false positives due to checksum errors */
- if ((mask & POLLRDNORM) && !(file->f_flags & O_NONBLOCK) &&
-- !(sk->sk_shutdown & RCV_SHUTDOWN) && !first_packet_length(sk))
-+ !(sk->sk_shutdown & RCV_SHUTDOWN) && first_packet_length(sk) == -1)
- mask &= ~(POLLIN | POLLRDNORM);
- 
- return mask;
---
-2.7.4
-
diff --git a/kernel.spec b/kernel.spec
index 26b71cfda..5b0d7715d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 4
+%define stable_update 5
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -621,15 +621,9 @@ Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch
 #rhbz 1353558
 Patch844: 0001-selinux-Only-apply-bounds-checking-to-source-types.patch
-#rhbz 1365940
-Patch856: 0001-udp-fix-poll-issue-with-zero-sized-packets.patch
-
 #rhbz 13700161
 Patch857: kernel-panic-TPROXY-vanilla-4.7.1.patch
-# lkml.kernel.org/r/<20160822093249.GA14916@dhcp22.suse.cz>
-Patch858: 0001-OOM-detection-regressions-since-4.7.patch
-
 #rhbz 1360688
 Patch859: rc-core-fix-repeat-events.patch
@@ -2167,6 +2161,9 @@ fi
 #
 #
 %changelog
+* Mon Sep 26 2016 Laura Abbott - 4.7.5-100
+- Linux v4.7.5
+
 * Mon Sep 19 2016 Justin M. Forbes
 - CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331)
diff --git a/sources b/sources
index 9c36889c8..ef9fc81bd 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 5276563eb1f39a048e4a8a887408c031 linux-4.7.tar.xz
 fe259c02c75eec61d1aa4b1211f3c853 perf-man-4.7.tar.gz
-150cff5d90bd90217848974269a770ee patch-4.7.4.xz
+c5f3473be15411f7b02f36b7f52cc9d1 patch-4.7.5.xz
-- cgit