From 143f2f1410f4d0ac7fec5dc62d409c09a9c88ef7 Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Sun, 30 Sep 2018 07:53:11 -0700 Subject: Linux v4.18.11 --- CVE-2018-14633.patch | 242 --------------------- ...-scaling-case-on-multi-planar-YUV-formats.patch | 88 -------- kernel.spec | 10 +- sources | 2 +- 4 files changed, 5 insertions(+), 337 deletions(-) delete mode 100644 CVE-2018-14633.patch delete mode 100644 drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch
diff --git a/CVE-2018-14633.patch b/CVE-2018-14633.patch
deleted file mode 100644
index 731903bdb..000000000
--- a/CVE-2018-14633.patch
+++ /dev/null
@@ -1,242 +0,0 @@ -From 1816494330a83f2a064499d8ed2797045641f92c Mon Sep 17 00:00:00 2001 -From: Vincent Pelletier -Date: Sun, 9 Sep 2018 04:09:26 +0000 -Subject: scsi: target: iscsi: Use hex2bin instead of a re-implementation - -This change has the following effects, in order of descreasing importance: - -1) Prevent a stack buffer overflow - -2) Do not append an unnecessary NULL to an anyway binary buffer, which - is writing one byte past client_digest when caller is: - chap_string_to_hex(client_digest, chap_r, strlen(chap_r)); - -The latter was found by KASAN (see below) when input value hes expected size -(32 hex chars), and further analysis revealed a stack buffer overflow can -happen when network-received value is longer, allowing an unauthenticated -remote attacker to smash up to 17 bytes after destination buffer (16 bytes -attacker-controlled and one null). As switching to hex2bin requires -specifying destination buffer length, and does not internally append any null, -it solves both issues. - -This addresses CVE-2018-14633. - -Beyond this: - -- Validate received value length and check hex2bin accepted the input, to log - this rejection reason instead of just failing authentication. - -- Only log received CHAP_R and CHAP_C values once they passed sanity checks. - -================================================================== -BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod] -Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021 - -CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G O 4.17.8kasan.sess.connops+ #2 -Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014 -Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod] -Call Trace: - dump_stack+0x71/0xac - print_address_description+0x65/0x22e - ? 
chap_string_to_hex+0x32/0x60 [iscsi_target_mod] - kasan_report.cold.6+0x241/0x2fd - chap_string_to_hex+0x32/0x60 [iscsi_target_mod] - chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod] - ? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod] - ? ftrace_caller_op_ptr+0xe/0xe - ? __orc_find+0x6f/0xc0 - ? unwind_next_frame+0x231/0x850 - ? kthread+0x1a0/0x1c0 - ? ret_from_fork+0x35/0x40 - ? ret_from_fork+0x35/0x40 - ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod] - ? deref_stack_reg+0xd0/0xd0 - ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod] - ? is_module_text_address+0xa/0x11 - ? kernel_text_address+0x4c/0x110 - ? __save_stack_trace+0x82/0x100 - ? ret_from_fork+0x35/0x40 - ? save_stack+0x8c/0xb0 - ? 0xffffffffc1660000 - ? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod] - ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod] - ? process_one_work+0x35c/0x640 - ? worker_thread+0x66/0x5d0 - ? kthread+0x1a0/0x1c0 - ? ret_from_fork+0x35/0x40 - ? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod] - ? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod] - chap_main_loop+0x172/0x570 [iscsi_target_mod] - ? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod] - ? rx_data+0xd6/0x120 [iscsi_target_mod] - ? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod] - ? cyc2ns_read_begin.part.2+0x90/0x90 - ? _raw_spin_lock_irqsave+0x25/0x50 - ? memcmp+0x45/0x70 - iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod] - ? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod] - ? del_timer+0xe0/0xe0 - ? memset+0x1f/0x40 - ? flush_sigqueue+0x29/0xd0 - iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod] - ? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod] - ? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod] - process_one_work+0x35c/0x640 - worker_thread+0x66/0x5d0 - ? flush_rcu_work+0x40/0x40 - kthread+0x1a0/0x1c0 - ? 
kthread_bind+0x30/0x30 - ret_from_fork+0x35/0x40 - -The buggy address belongs to the page: -page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 -flags: 0x17fffc000000000() -raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff -raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00 - ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00 ->ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00 - ^ - ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2 - ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 -================================================================== - -Signed-off-by: Vincent Pelletier -Reviewed-by: Mike Christie -Signed-off-by: Martin K. Petersen ---- - drivers/target/iscsi/iscsi_target_auth.c | 30 ++++++++++++++---------------- - 1 file changed, 14 insertions(+), 16 deletions(-) - -diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c -index 9518ffd8b8ba..6c3b4c022894 100644 ---- a/drivers/target/iscsi/iscsi_target_auth.c -+++ b/drivers/target/iscsi/iscsi_target_auth.c -@@ -26,18 +26,6 @@ - #include "iscsi_target_nego.h" - #include "iscsi_target_auth.h" - --static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len) --{ -- int j = DIV_ROUND_UP(len, 2), rc; -- -- rc = hex2bin(dst, src, j); -- if (rc < 0) -- pr_debug("CHAP string contains non hex digit symbols\n"); -- -- dst[j] = '\0'; -- return j; --} -- - static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len) - { - int i; -@@ -248,9 +236,16 @@ static int chap_server_compute_md5( - pr_err("Could not find CHAP_R.\n"); - goto out; - } -+ if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) { -+ pr_err("Malformed CHAP_R\n"); -+ goto out; -+ } -+ if 
(hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) { -+ pr_err("Malformed CHAP_R\n"); -+ goto out; -+ } - - pr_debug("[server] Got CHAP_R=%s\n", chap_r); -- chap_string_to_hex(client_digest, chap_r, strlen(chap_r)); - - tfm = crypto_alloc_shash("md5", 0, 0); - if (IS_ERR(tfm)) { -@@ -349,9 +344,7 @@ static int chap_server_compute_md5( - pr_err("Could not find CHAP_C.\n"); - goto out; - } -- pr_debug("[server] Got CHAP_C=%s\n", challenge); -- challenge_len = chap_string_to_hex(challenge_binhex, challenge, -- strlen(challenge)); -+ challenge_len = DIV_ROUND_UP(strlen(challenge), 2); - if (!challenge_len) { - pr_err("Unable to convert incoming challenge\n"); - goto out; -@@ -360,6 +353,11 @@ static int chap_server_compute_md5( - pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n"); - goto out; - } -+ if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) { -+ pr_err("Malformed CHAP_C\n"); -+ goto out; -+ } -+ pr_debug("[server] Got CHAP_C=%s\n", challenge); - /* - * During mutual authentication, the CHAP_C generated by the - * initiator must not match the original CHAP_C generated by --- -cgit 1.2-0.3.lf.el7 - -From 8c39e2699f8acb2e29782a834e56306da24937fe Mon Sep 17 00:00:00 2001 -From: Vincent Pelletier -Date: Sun, 9 Sep 2018 04:09:27 +0000 -Subject: scsi: target: iscsi: Use bin2hex instead of a re-implementation - -Signed-off-by: Vincent Pelletier -Reviewed-by: Mike Christie -Signed-off-by: Martin K. 
Petersen ---- - drivers/target/iscsi/iscsi_target_auth.c | 15 +++------------ - 1 file changed, 3 insertions(+), 12 deletions(-) - -diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c -index 6c3b4c022894..4e680d753941 100644 ---- a/drivers/target/iscsi/iscsi_target_auth.c -+++ b/drivers/target/iscsi/iscsi_target_auth.c -@@ -26,15 +26,6 @@ - #include "iscsi_target_nego.h" - #include "iscsi_target_auth.h" - --static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len) --{ -- int i; -- -- for (i = 0; i < src_len; i++) { -- sprintf(&dst[i*2], "%02x", (int) src[i] & 0xff); -- } --} -- - static int chap_gen_challenge( - struct iscsi_conn *conn, - int caller, -@@ -50,7 +41,7 @@ static int chap_gen_challenge( - ret = get_random_bytes_wait(chap->challenge, CHAP_CHALLENGE_LENGTH); - if (unlikely(ret)) - return ret; -- chap_binaryhex_to_asciihex(challenge_asciihex, chap->challenge, -+ bin2hex(challenge_asciihex, chap->challenge, - CHAP_CHALLENGE_LENGTH); - /* - * Set CHAP_C, and copy the generated challenge into c_str. -@@ -289,7 +280,7 @@ static int chap_server_compute_md5( - goto out; - } - -- chap_binaryhex_to_asciihex(response, server_digest, MD5_SIGNATURE_SIZE); -+ bin2hex(response, server_digest, MD5_SIGNATURE_SIZE); - pr_debug("[server] MD5 Server Digest: %s\n", response); - - if (memcmp(server_digest, client_digest, MD5_SIGNATURE_SIZE) != 0) { -@@ -411,7 +402,7 @@ static int chap_server_compute_md5( - /* - * Convert response from binary hex to ascii hext. - */ -- chap_binaryhex_to_asciihex(response, digest, MD5_SIGNATURE_SIZE); -+ bin2hex(response, digest, MD5_SIGNATURE_SIZE); - *nr_out_len += sprintf(nr_out_ptr + *nr_out_len, "CHAP_R=0x%s", - response); - *nr_out_len += 1; --- -cgit 1.2-0.3.lf.el7 - diff --git a/drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch b/drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch deleted file mode 100644 index 195ced13b..000000000 
--- a/drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From patchwork Wed Jul 25 12:29:07 2018 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: drm/vc4: Fix the "no scaling" case on multi-planar YUV formats -From: Boris Brezillon -X-Patchwork-Id: 240917 -Message-Id: <20180725122907.13702-1-boris.brezillon@bootlin.com> -To: Eric Anholt -Cc: David Airlie , - Boris Brezillon , stable@vger.kernel.org, - dri-devel@lists.freedesktop.org -Date: Wed, 25 Jul 2018 14:29:07 +0200 - -When there's no scaling requested ->is_unity should be true no matter -the format. - -Also, when no scaling is requested and we have a multi-planar YUV -format, we should leave ->y_scaling[0] to VC4_SCALING_NONE and only -set ->x_scaling[0] to VC4_SCALING_PPF. - -Doing this fixes an hardly visible artifact (seen when using modetest -and a rather big overlay plane in YUV420). - -Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.") -Cc: -Signed-off-by: Boris Brezillon -Reviewed-by: Eric Anholt ---- - drivers/gpu/drm/vc4/vc4_plane.c | 25 ++++++++++++------------- - 1 file changed, 12 insertions(+), 13 deletions(-) - -diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c -index cfb50fedfa2b..a3275fa66b7b 100644 ---- a/drivers/gpu/drm/vc4/vc4_plane.c -+++ b/drivers/gpu/drm/vc4/vc4_plane.c -@@ -297,6 +297,9 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state) - vc4_state->y_scaling[0] = vc4_get_scaling_mode(vc4_state->src_h[0], - vc4_state->crtc_h); - -+ vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE && -+ vc4_state->y_scaling[0] == VC4_SCALING_NONE); -+ - if (num_planes > 1) { - vc4_state->is_yuv = true; - -@@ -312,24 +315,17 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state) - vc4_get_scaling_mode(vc4_state->src_h[1], - vc4_state->crtc_h); - -- /* YUV conversion requires that scaling be enabled, -- * even on a plane that's otherwise 1:1. Choose TPZ -- * for simplicity. 
-+ /* YUV conversion requires that horizontal scaling be enabled, -+ * even on a plane that's otherwise 1:1. Looks like only PPF -+ * works in that case, so let's pick that one. - */ -- if (vc4_state->x_scaling[0] == VC4_SCALING_NONE) -- vc4_state->x_scaling[0] = VC4_SCALING_TPZ; -- if (vc4_state->y_scaling[0] == VC4_SCALING_NONE) -- vc4_state->y_scaling[0] = VC4_SCALING_TPZ; -+ if (vc4_state->is_unity) -+ vc4_state->x_scaling[0] = VC4_SCALING_PPF; - } else { - vc4_state->x_scaling[1] = VC4_SCALING_NONE; - vc4_state->y_scaling[1] = VC4_SCALING_NONE; - } - -- vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE && -- vc4_state->y_scaling[0] == VC4_SCALING_NONE && -- vc4_state->x_scaling[1] == VC4_SCALING_NONE && -- vc4_state->y_scaling[1] == VC4_SCALING_NONE); -- - /* No configuring scaling on the cursor plane, since it gets - non-vblank-synced updates, and scaling requires requires - LBM changes which have to be vblank-synced. -@@ -672,7 +668,10 @@ static int vc4_plane_mode_set(struct drm_plane *plane, - vc4_dlist_write(vc4_state, SCALER_CSC2_ITR_R_601_5); - } - -- if (!vc4_state->is_unity) { -+ if (vc4_state->x_scaling[0] != VC4_SCALING_NONE || -+ vc4_state->x_scaling[1] != VC4_SCALING_NONE || -+ vc4_state->y_scaling[0] != VC4_SCALING_NONE || -+ vc4_state->y_scaling[1] != VC4_SCALING_NONE) { - /* LBM Base Address. */ - if (vc4_state->y_scaling[0] != VC4_SCALING_NONE || - vc4_state->y_scaling[1] != VC4_SCALING_NONE) { diff --git a/kernel.spec b/kernel.spec index 65fac6610..f1d26de74 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 10 +%define stable_update 11 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} 
@@ -601,8 +601,6 @@ Patch311: arm64-ZynqMP-firmware-clock-drivers-core.patch # Enabling Patches for the RPi3+ Patch330: bcm2837-enable-pmu.patch -# https://patchwork.freedesktop.org/patch/240917/ -Patch334: drm-vc4-Fix-the-no-scaling-case-on-multi-planar-YUV-formats.patch # Fix for AllWinner A64 Timer Errata, still not final # https://patchwork.kernel.org/patch/10392891/ @@ -626,9 +624,6 @@ Patch504: xsa270.patch Patch506: 0001-random-add-a-config-option-to-trust-the-CPU-s-hwrng.patch Patch507: 0001-random-make-CPU-trust-a-boot-parameter.patch -# CVE-2018-14633 rhbz 1626035 1632185 -Patch508: CVE-2018-14633.patch - # rhbz 1628394 Patch509: powerpc-ipv6.patch @@ -1881,6 +1876,9 @@ fi # # %changelog +* Sun Sep 30 2018 Laura Abbott - 4.18.11-200 +- Linux v4.18.11 + * Wed Sep 26 2018 Laura Abbott - 4.18.10-200 - Linux v4.18.10 diff --git a/sources b/sources index e56e0a5d9..37528b63e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-4.18.tar.xz) = 950eb85ac743b291afe9f21cd174d823e25f11883ee62cecfbfff8fe8c5672aae707654b1b8f29a133b1f2e3529e63b9f7fba4c45d6dacccc8000b3a9a9ae038 -SHA512 (patch-4.18.10.xz) = ff00f5b50921654494bf0cc290a82871bf3f053dc170abbde906499e3bffe1f368a94a6c09196ded618ae46fe2fa74e05b4e594f31ccc08a7071efa1e9ec4a68 +SHA512 (patch-4.18.11.xz) = a1cfab9c4fb7bec8da33fa95da0986ed7605ff9953fd425f5122978c462a6024886955827ce52a87f93312d5e17a4533606bbabf3e6ad6a5dd353d430db92e7e -- cgit From 5c244a715ca5a8508f848dcb17f3167c4f272ca9 Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Mon, 1 Oct 2018 10:47:51 -0700 Subject: Fix for Intel Sensor Hub (rhbz 1634250) --- ...ish-hid-Enable-Sunrise-Point-H-ish-driver.patch | 128 +++++++++++++++++++++ kernel.spec | 6 + 2 files changed, 134 insertions(+) create mode 100644 HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch diff --git a/HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch b/HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch new file mode 100644 index 000000000..7057843a6 
--- /dev/null
+++ b/HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch
@@ -0,0 +1,128 @@ +From patchwork Fri Aug 17 20:16:00 2018 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: Andreas Bosch +X-Patchwork-Id: 10569347 +Return-Path: +Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org + [172.30.200.125]) + by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E901E14BD + for ; + Fri, 17 Aug 2018 20:16:47 +0000 (UTC) +Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) + by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D84002BE82 + for ; + Fri, 17 Aug 2018 20:16:47 +0000 (UTC) +Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) + id C8F6E2BE8A; Fri, 17 Aug 2018 20:16:47 +0000 (UTC) +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + pdx-wl-mail.web.codeaurora.org +X-Spam-Level: +X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, + MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham + version=3.3.1 +Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) + by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6DBD32BE82 + for ; + Fri, 17 Aug 2018 20:16:47 +0000 (UTC) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1725825AbeHQXV2 (ORCPT + ); + Fri, 17 Aug 2018 19:21:28 -0400 +Received: from mail-wr1-f67.google.com ([209.85.221.67]:32902 "EHLO + mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1726340AbeHQXVZ (ORCPT + ); + Fri, 17 Aug 2018 19:21:25 -0400 +Received: by mail-wr1-f67.google.com with SMTP id v90-v6so4880416wrc.0 + for ; + Fri, 17 Aug 2018 13:16:38 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=progandy-de.20150623.gappssmtp.com; s=20150623; + h=sender:from:to:cc:subject:date:message-id:in-reply-to:references; + bh=IJ8EglotdUjsPKwO9B0Nmn/N9+EameltWUM77Dxy0M4=; + b=rt2hYKBNvjEXfrvbOuPP6QJ+KtXVW+4g54jRTTyzuiFqqE60M9kSFwnVvQaTHRtoUq + 
cH0uV9utBhoUsH2vVl0lUSUWZ/Hi/dPtBjIT3dbKIvIwbwb8lW73NpHbftVy9Y2G+aXc + SDy6R8DnjfcWOEmXG02pBnEOivsUhrnjRGUnjiPbhJXRpxo5S85ZCBWjVQeRRDgyS/Hq + xI/C8Kupmdlu8AnoQlSie1GoClanvZncA45wBGUcIje35FhwicTahs37ij4dOADrkdyC + BtJsqLCXgdVnIsI7xKxthlW1dT6hTm6J5M5sMYyQlOcHeyk0LtWhLui0W6Ic3Mtup4cA + C/wA== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:sender:from:to:cc:subject:date:message-id + :in-reply-to:references; + bh=IJ8EglotdUjsPKwO9B0Nmn/N9+EameltWUM77Dxy0M4=; + b=npuvfosGYdhu4I/kCuiJzBZZTOv5UN8fg69cS4ahQ2zvtqRKAgWSwDIaeJZeaxSHey + Vd2RWfK952o/Z/95sm+CvJ4o6FqNRHW7o4oiqPxoUN+ihfotfiMxGBxs08VPPj08tzOy + cigHD1fVZ2F+cJkQdj/FneSkwXWiy6CzHcqPLIytgv/l+HMixZbHTTUyOXbxJ1ySsjnm + qFXUAWA6zU6h67ulhIGCTWV42aMNBIpJ45vSJdQa02zvOU3zmFKkro57ns/IeQO80BwZ + ZeAH95swkPYydu/9KdDndUty2SyZWE/IWJp3YazyJpdwTd5oZdHzVisJDxRYVu+PHCT8 + 8N1A== +X-Gm-Message-State: AOUpUlE0RNAbVUi/LSvupC7WR6/r+kPBbA+k4Bx2tii6smtZdqTW6umO + 8IT5MRN5ae8CWhigs8hlXht+jA== +X-Google-Smtp-Source: + AA+uWPytoFgGk+AfiVYYdyHHaj0W645JTX4kXrozV+emI3TVthEIgCXHU02g61rjPAf+BcuhfF6rUw== +X-Received: by 2002:adf:ed41:: with SMTP id + u1-v6mr23695053wro.262.1534536997694; + Fri, 17 Aug 2018 13:16:37 -0700 (PDT) +Received: from pamobile.localdomain (p54A175A0.dip0.t-ipconnect.de. 
+ [84.161.117.160]) + by smtp.gmail.com with ESMTPSA id + u9-v6sm3124789wrc.43.2018.08.17.13.16.36 + (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Fri, 17 Aug 2018 13:16:37 -0700 (PDT) +From: Andreas Bosch +Cc: Srinivas Pandruvada , + Jiri Kosina , + Benjamin Tissoires , + Even Xu , linux-input@vger.kernel.org, + linux-kernel@vger.kernel.org +Subject: [PATCH] HID: intel-ish-hid: Enable Sunrise Point-H ish driver +Date: Fri, 17 Aug 2018 22:16:00 +0200 +Message-Id: <20180817201614.11971-1-linux@progandy.de> +X-Mailer: git-send-email 2.18.0 +In-Reply-To: <23171b1a3740407eac5d5c22548ce107d8edde59.camel@linux.intel.com> +References: <23171b1a3740407eac5d5c22548ce107d8edde59.camel@linux.intel.com> +To: unlisted-recipients:; (no To-header on input) +Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +X-Virus-Scanned: ClamAV using ClamSMTP + +Added PCI ID for Sunrise Point-H ISH. + +Signed-off-by: Andreas Bosch +Acked-by: Srinivas Pandruvada +--- +I hope this patch arrives correctly. 
+--- + drivers/hid/intel-ish-hid/ipc/hw-ish.h | 1 + + drivers/hid/intel-ish-hid/ipc/pci-ish.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/intel-ish-hid/ipc/hw-ish.h b/drivers/hid/intel-ish-hid/ipc/hw-ish.h +index 97869b7410eb..da133716bed0 100644 +--- a/drivers/hid/intel-ish-hid/ipc/hw-ish.h ++++ b/drivers/hid/intel-ish-hid/ipc/hw-ish.h +@@ -29,6 +29,7 @@ + #define CNL_Ax_DEVICE_ID 0x9DFC + #define GLK_Ax_DEVICE_ID 0x31A2 + #define CNL_H_DEVICE_ID 0xA37C ++#define SPT_H_DEVICE_ID 0xA135 + + #define REVISION_ID_CHT_A0 0x6 + #define REVISION_ID_CHT_Ax_SI 0x0 +diff --git a/drivers/hid/intel-ish-hid/ipc/pci-ish.c b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +index a2c53ea3b5ed..c7b8eb32b1ea 100644 +--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c ++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c +@@ -38,6 +38,7 @@ static const struct pci_device_id ish_pci_tbl[] = { + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, CNL_Ax_DEVICE_ID)}, + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, GLK_Ax_DEVICE_ID)}, + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, CNL_H_DEVICE_ID)}, ++ {PCI_DEVICE(PCI_VENDOR_ID_INTEL, SPT_H_DEVICE_ID)}, + {0, } + }; + MODULE_DEVICE_TABLE(pci, ish_pci_tbl); diff --git a/kernel.spec b/kernel.spec index f1d26de74..067e5a858 100644 --- a/kernel.spec +++ b/kernel.spec @@ -627,6 +627,9 @@ Patch507: 0001-random-make-CPU-trust-a-boot-parameter.patch # rhbz 1628394 Patch509: powerpc-ipv6.patch +# rhbz 1634250 +Patch510: HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch + # END OF PATCH DEFINITIONS %endif @@ -1876,6 +1879,9 @@ fi # # %changelog +* Mon Oct 1 2018 Laura Abbott +- Fix for Intel Sensor Hub (rhbz 1634250) + * Sun Sep 30 2018 Laura Abbott - 4.18.11-200 - Linux v4.18.11 -- cgit From d54a0133267a72afe32ae562a7ec63e7423fa09f Mon Sep 17 00:00:00 2001 
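Review bot: Most of the 128 added lines of HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch are mail transport headers copied from patchwork (`Received:`, `DKIM-Signature:`, `X-Google-Smtp-Source:` and similar), including the submitter's sending host and address, and none of it is needed to apply the patch. I would trim the file to `From:`, `Subject:`, `Date:`, the message body and the diff, so that the two real changes, `#define SPT_H_DEVICE_ID 0xA135` and the matching `PCI_DEVICE` entry in `ish_pci_tbl`, are easy to audit. The spec comment could also record where the patch came from next to the bug number, for example `# rhbz 1634250, patchwork id 10569347`.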
From: Laura Abbott Date: Mon, 1 Oct 2018 12:45:09 -0700 Subject: Disable CONFIG_CRYPTO_DEV_SP_PSP (rhbz 1608242) --- configs/fedora/generic/x86/x86_64/CONFIG_CRYPTO_DEV_SP_PSP | 2 +- kernel-x86_64-debug.config | 2 +- kernel-x86_64.config | 2 +- kernel.spec | 3 +++ 4 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/configs/fedora/generic/x86/x86_64/CONFIG_CRYPTO_DEV_SP_PSP b/configs/fedora/generic/x86/x86_64/CONFIG_CRYPTO_DEV_SP_PSP
index 7b0c6490a..ee59b965f 100644
--- a/configs/fedora/generic/x86/x86_64/CONFIG_CRYPTO_DEV_SP_PSP
+++ b/configs/fedora/generic/x86/x86_64/CONFIG_CRYPTO_DEV_SP_PSP
@@ -1 +1 @@
-CONFIG_CRYPTO_DEV_SP_PSP=y
+# CONFIG_CRYPTO_DEV_SP_PSP is not set
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index a3c92fb47..60372261d 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -976,7 +976,7 @@ CONFIG_CRYPTO_DEV_QAT_C62XVF=m
 CONFIG_CRYPTO_DEV_QAT_DH895xCC=m
 CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m
 # CONFIG_CRYPTO_DEV_SP_CCP is not set
-CONFIG_CRYPTO_DEV_SP_PSP=y
+# CONFIG_CRYPTO_DEV_SP_PSP is not set
 CONFIG_CRYPTO_DEV_VIRTIO=m
 CONFIG_CRYPTO_DH=y
 CONFIG_CRYPTO_DRBG_CTR=y
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index 8524bbd3d..0adf36f04 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -972,7 +972,7 @@ CONFIG_CRYPTO_DEV_QAT_C62XVF=m
 CONFIG_CRYPTO_DEV_QAT_DH895xCC=m
 CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m
 # CONFIG_CRYPTO_DEV_SP_CCP is not set
-CONFIG_CRYPTO_DEV_SP_PSP=y
+# CONFIG_CRYPTO_DEV_SP_PSP is not set
 CONFIG_CRYPTO_DEV_VIRTIO=m
 CONFIG_CRYPTO_DH=y
 CONFIG_CRYPTO_DRBG_CTR=y
diff --git a/kernel.spec b/kernel.spec
index 067e5a858..4b4af61c9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -1879,6 +1879,9 @@ fi
 #
 #
 %changelog
+* Mon Oct 01 2018 Laura Abbott
+- Disable CONFIG_CRYPTO_DEV_SP_PSP (rhbz 1608242)
+
 * Mon Oct 1 2018 Laura Abbott
 - Fix for Intel Sensor Hub (rhbz 1634250)
-- cgit
From 5826936f37b8ff3c6c786b2fec9a7696f920f85a Mon Sep 17 00:00:00 2001
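Review bot: The fragment `configs/fedora/generic/x86/x86_64/CONFIG_CRYPTO_DEV_SP_PSP` and the changelog entry record that the option is turned off but not why, and the bug number is the only pointer. This option builds the AMD Platform Security Processor driver, and as far as I know KVM's SEV guest-memory-encryption support depends on it, so the change probably also removes a hardware-backed isolation feature on AMD hosts; that trade-off should be written down where the next rebase will see it. I would extend the changelog line to something like `- Disable CONFIG_CRYPTO_DEV_SP_PSP, which also drops AMD SEV support, until <reason from rhbz 1608242> is resolved (rhbz 1608242)`. The same flip is repeated in kernel-x86_64-debug.config and kernel-x86_64.config, and the point applies to those hunks as well.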
From: "Justin M. Forbes" Date: Wed, 3 Oct 2018 07:55:15 -0500 Subject: Fix arm64 kvm priv escalation (rhbz 1635475 1635476) --- arm64_kvm_security.patch | 155 +++++++++++++++++++++++++++++++++++++++++++++++ kernel.spec | 6 ++ 2 files changed, 161 insertions(+) create mode 100644 arm64_kvm_security.patch
diff --git a/arm64_kvm_security.patch b/arm64_kvm_security.patch
new file mode 100644
index 000000000..71490d969
--- /dev/null
+++ b/arm64_kvm_security.patch
@@ -0,0 +1,155 @@ +From d26c25a9d19b5976b319af528886f89cf455692d Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Thu, 27 Sep 2018 16:53:21 +0100 +Subject: arm64: KVM: Tighten guest core register access from userspace + +From: Dave Martin + +commit d26c25a9d19b5976b319af528886f89cf455692d upstream. + +We currently allow userspace to access the core register file +in about any possible way, including straddling multiple +registers and doing unaligned accesses. + +This is not the expected use of the ABI, and nobody is actually +using it that way. Let's tighten it by explicitly checking +the size and alignment for each field of the register file. + +Cc: +Fixes: 2f4a07c5f9fe ("arm64: KVM: guest one-reg interface") +Reviewed-by: Christoffer Dall +Reviewed-by: Mark Rutland +Signed-off-by: Dave Martin +[maz: rewrote Dave's initial patch to be more easily backported] +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kvm/guest.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +--- a/arch/arm64/kvm/guest.c ++++ b/arch/arm64/kvm/guest.c +@@ -57,6 +57,45 @@ static u64 core_reg_offset_from_id(u64 i + return id & ~(KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_ARM_CORE); + } + ++static int validate_core_offset(const struct kvm_one_reg *reg) ++{ ++ u64 off = core_reg_offset_from_id(reg->id); ++ int size; ++ ++ switch (off) { ++ case KVM_REG_ARM_CORE_REG(regs.regs[0]) ... ++ KVM_REG_ARM_CORE_REG(regs.regs[30]): ++ case KVM_REG_ARM_CORE_REG(regs.sp): ++ case KVM_REG_ARM_CORE_REG(regs.pc): ++ case KVM_REG_ARM_CORE_REG(regs.pstate): ++ case KVM_REG_ARM_CORE_REG(sp_el1): ++ case KVM_REG_ARM_CORE_REG(elr_el1): ++ case KVM_REG_ARM_CORE_REG(spsr[0]) ... ++ KVM_REG_ARM_CORE_REG(spsr[KVM_NR_SPSR - 1]): ++ size = sizeof(__u64); ++ break; ++ ++ case KVM_REG_ARM_CORE_REG(fp_regs.vregs[0]) ... 
++ KVM_REG_ARM_CORE_REG(fp_regs.vregs[31]): ++ size = sizeof(__uint128_t); ++ break; ++ ++ case KVM_REG_ARM_CORE_REG(fp_regs.fpsr): ++ case KVM_REG_ARM_CORE_REG(fp_regs.fpcr): ++ size = sizeof(__u32); ++ break; ++ ++ default: ++ return -EINVAL; ++ } ++ ++ if (KVM_REG_SIZE(reg->id) == size && ++ IS_ALIGNED(off, size / sizeof(__u32))) ++ return 0; ++ ++ return -EINVAL; ++} ++ + static int get_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) + { + /* +@@ -76,6 +115,9 @@ static int get_core_reg(struct kvm_vcpu + (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs) + return -ENOENT; + ++ if (validate_core_offset(reg)) ++ return -EINVAL; ++ + if (copy_to_user(uaddr, ((u32 *)regs) + off, KVM_REG_SIZE(reg->id))) + return -EFAULT; + +@@ -98,6 +140,9 @@ static int set_core_reg(struct kvm_vcpu + (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs) + return -ENOENT; + ++ if (validate_core_offset(reg)) ++ return -EINVAL; ++ + if (KVM_REG_SIZE(reg->id) > sizeof(tmp)) + return -EINVAL; + +From 2a3f93459d689d990b3ecfbe782fec89b97d3279 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Thu, 27 Sep 2018 16:53:22 +0100 +Subject: arm64: KVM: Sanitize PSTATE.M when being set from userspace + +From: Marc Zyngier + +commit 2a3f93459d689d990b3ecfbe782fec89b97d3279 upstream. + +Not all execution modes are valid for a guest, and some of them +depend on what the HW actually supports. Let's verify that what +userspace provides is compatible with both the VM settings and +the HW capabilities. 
+ +Cc: +Fixes: 0d854a60b1d7 ("arm64: KVM: enable initialization of a 32bit vcpu") +Reviewed-by: Christoffer Dall +Reviewed-by: Mark Rutland +Reviewed-by: Dave Martin +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kvm/guest.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kvm/guest.c ++++ b/arch/arm64/kvm/guest.c +@@ -152,17 +152,25 @@ static int set_core_reg(struct kvm_vcpu + } + + if (off == KVM_REG_ARM_CORE_REG(regs.pstate)) { +- u32 mode = (*(u32 *)valp) & COMPAT_PSR_MODE_MASK; ++ u64 mode = (*(u64 *)valp) & COMPAT_PSR_MODE_MASK; + switch (mode) { + case COMPAT_PSR_MODE_USR: ++ if (!system_supports_32bit_el0()) ++ return -EINVAL; ++ break; + case COMPAT_PSR_MODE_FIQ: + case COMPAT_PSR_MODE_IRQ: + case COMPAT_PSR_MODE_SVC: + case COMPAT_PSR_MODE_ABT: + case COMPAT_PSR_MODE_UND: ++ if (!vcpu_el1_is_32bit(vcpu)) ++ return -EINVAL; ++ break; + case PSR_MODE_EL0t: + case PSR_MODE_EL1t: + case PSR_MODE_EL1h: ++ if (vcpu_el1_is_32bit(vcpu)) ++ return -EINVAL; + break; + default: + err = -EINVAL; diff --git a/kernel.spec b/kernel.spec index 4b4af61c9..fdc70fee8 100644 --- a/kernel.spec +++ b/kernel.spec @@ -630,6 +630,9 @@ Patch509: powerpc-ipv6.patch # rhbz 1634250 Patch510: HID-intel-ish-hid-Enable-Sunrise-Point-H-ish-driver.patch +# rhbz 1635475 1635476 +Patch511: arm64_kvm_security.patch + # END OF PATCH DEFINITIONS %endif @@ -1879,6 +1882,9 @@ fi # # %changelog +* Wed Oct 03 2018 Justin M. Forbes +- Fix arm64 kvm priv escalation (rhbz 1635475 1635476) + * Mon Oct 01 2018 Laura Abbott - Disable CONFIG_CRYPTO_DEV_SP_PSP (rhbz 1608242) -- cgit
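Review bot: `validate_core_offset()` is added without a comment, and its alignment test `IS_ALIGNED(off, size / sizeof(__u32))` is easy to misread because `off` is not a byte offset: the callers index the register file as `((u32 *)regs) + off`, so both the offset and the alignment are counted in 32-bit words. I would add a short comment above the function, for example `/* off is in 32-bit words; accept only an access that matches one register-file field in size and alignment */`, since this function decides which userspace register accesses `get_core_reg()` and `set_core_reg()` accept. In the second patch of the file, the new PSTATE mode rejections use `return -EINVAL` while the existing `default:` arm of the same switch sets `err = -EINVAL`; the rest of that switch and the function's exit path lie outside the hunk, so I cannot tell whether the common exit does any cleanup, but a single error style would be easier to review. The spec comment `# rhbz 1635475 1635476` also names no CVE identifier, unlike the `# CVE-2018-14633 rhbz …` comment removed earlier in this series; if one has been assigned, it belongs in that comment.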