From db9309152e2b8b907dbc2a6242044c02fea60a83 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 27 Jan 2020 08:03:45 -0600 Subject: Linux v5.5 --- gitrev | 2 +- kernel.spec | 15 ++- ...uffer-overflows-at-parsing-bss-descriptor.patch | 120 --------------------- sources | 4 +- 4 files changed, 9 insertions(+), 132 deletions(-) delete mode 100644 libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch diff --git a/gitrev b/gitrev index ab6a5775f..f9213df22 100644 --- a/gitrev +++ b/gitrev @@ -1 +1 @@ -6381b442836ea3c52eae630b10be8c27c7a17af2 +d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 diff --git a/kernel.spec b/kernel.spec index e07185616..080f23d37 100644 --- a/kernel.spec +++ b/kernel.spec @@ -27,7 +27,7 @@ Summary: The Linux kernel # For rawhide and/or a kernel built from an rc or git snapshot, # released_kernel should be 0. # For a stable, released kernel, released_kernel should be 1. -%global released_kernel 0 +%global released_kernel 1 %if 0%{?fedora} %define secure_boot_arch x86_64 @@ -86,7 +86,7 @@ Summary: The Linux kernel # base_sublevel is the kernel version we're starting with and patching # on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base, # which yields a base_sublevel of 0. -%define base_sublevel 4 +%define base_sublevel 5 ## If this is a released kernel ## %if 0%{?released_kernel} @@ -105,9 +105,9 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%global rcrev 7 +%global rcrev 0 # The git snapshot level -%define gitrev 2 +%define gitrev 0 # Set rpm version accordingly %define rpmversion 5.%{upstream_sublevel}.0 %endif @@ -857,10 +857,6 @@ Patch504: 0001-mm-kmemleak-skip-late_init-if-not-skip-disable.patch # https://lkml.org/lkml/2019/8/29/1772 Patch505: ARM-fix-__get_user_check-in-case-uaccess_-calls-are-not-inlined.patch -# CVE-2019-14896 rhbz 1774875 1776143 -# CVE-2019-14897 rhbz 1774879 1776146 -Patch526: libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch - # ALSA code from v5.6 (Intel ASoC Sound Open Firmware driver support) Patch527: alsa-5.6.patch @@ -2893,6 +2889,9 @@ fi # # %changelog +* Mon Jan 27 2020 Justin M. Forbes - 5.5.0-1 +- Linux v5.5 + * Fri Jan 24 2020 Justin M. Forbes - 5.5.0-0.rc7.git2.1 - Linux v5.5-rc7-62-g6381b442836e diff --git a/libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch b/libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch deleted file mode 100644 index e8c4c4b64..000000000 --- a/libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch +++ /dev/null @@ -1,120 +0,0 @@ -From patchwork Fri Nov 22 05:29:17 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: huangwenabc@gmail.com -X-Patchwork-Id: 11257187 -X-Patchwork-Delegate: kvalo@adurom.com -Return-Path: -Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org - [172.30.200.123]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 032DA112B - for ; - Fri, 22 Nov 2019 05:29:36 +0000 (UTC) -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.kernel.org (Postfix) with ESMTP id D68A920707 - for ; - Fri, 22 Nov 2019 05:29:35 +0000 (UTC) -Authentication-Results: mail.kernel.org; - dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com - header.b="WaDUta6X" -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1726719AbfKVF3f (ORCPT - ); - Fri, 22 Nov 2019 00:29:35 -0500 -Received: from mail-pf1-f194.google.com ([209.85.210.194]:43041 "EHLO - mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1726529AbfKVF3e (ORCPT - ); - Fri, 22 Nov 2019 00:29:34 -0500 -Received: by mail-pf1-f194.google.com with SMTP id 3so2912048pfb.10 - for ; - Thu, 21 Nov 2019 21:29:34 -0800 (PST) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=gmail.com; s=20161025; - h=from:to:cc:subject:date:message-id; - bh=9G4UM2vhuEG4TSdFZTVuZ71GTOHLABBI6xxxI/2Oncw=; - b=WaDUta6XODn4hzzqR0np+iPcfBChaSE05EpSM8UrALWvgf7x/9f0e8SMvgXTGXaN74 - Irmx+lKSr5piR/mhpfRO+HVN7bu7ukOSsxCxlNav6kvJn3SG/q0TV9VGoWEKM+8yISrK - Bc5MtndhyGLDrWQFgc5fSdMf+/79HC0AWnnavMoEKxnAti/HKBQnIPreGoLnrWIpbhXZ - EdU3ei0kxlwAUbNl8/FywUG2qzQeoeh5RranVfooFhbBQ0QfNtx3k3ARWrVdT9uV7QtX - pcpYtJsjn94TXL0llHTzpE182eTvmUrzxf89ubigJh+EYnryHC+HUHZoVtjYtbjidWoV - I0FQ== -X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=1e100.net; s=20161025; - h=x-gm-message-state:from:to:cc:subject:date:message-id; - bh=9G4UM2vhuEG4TSdFZTVuZ71GTOHLABBI6xxxI/2Oncw=; - b=gNC3IOfmB1H65frnsn63mdzaxphxG6xvR0SHEIOJSaWI/Jx9VK+CfnGr+7pOQZ/Pyw - wORhpVi6EbFsE7mVKbjlJ7O96hk14FnUKSPVOhl9NH4xXBktd7sJc5Z36N3J6RRv9Cfc - gQWPy1otHKeNz1riMgHcbkaiKj3CANpJ6gaAE/R8EjWLXjS7Bw/vBgQSr5WnAVV27Ppw - Flrks3Qv8BGkRUCymKArD05r646Fx1ew/FI7oGyKQhxxWJPuv5RoVTGPbAC1unU+zjfN - 2XNdr1yKKfY4R5S8q49FeHsN5Mb+lmriUPdLPL062UzQ7x/pTzfh3rI9Lf92jMJiJ9/n - 9zPw== -X-Gm-Message-State: APjAAAVgSeSrlZfb2Ch2KXDFaNq6RLCJCvq40zW4toublIDi1zh7feyc - srNh0xN+iNrBCzEMbsxDKJS2IOoUYXc= -X-Google-Smtp-Source: - APXvYqwPwHZStvNKOZtUBWgPYiEFiNFqEQLMngqNoFN6jFqDKFjISduUPDUYh2y907mFwD+Qn6zs9w== -X-Received: by 2002:a63:7456:: with SMTP id - e22mr14245471pgn.314.1574400573682; - Thu, 21 Nov 2019 21:29:33 -0800 (PST) -Received: from localhost ([38.121.20.202]) - by smtp.gmail.com with ESMTPSA id - x192sm5658165pfd.96.2019.11.21.21.29.32 - (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); - Thu, 21 Nov 2019 21:29:32 -0800 (PST) -From: huangwenabc@gmail.com -To: linux-wireless@vger.kernel.org -Cc: linux-distros@vs.openwall.org, security@kernel.org, - libertas-dev@lists.infradead.org -Subject: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor -Date: Fri, 22 Nov 2019 13:29:17 +0800 -Message-Id: <20191122052917.11309-1-huangwenabc@gmail.com> -X-Mailer: git-send-email 2.17.1 -Sender: linux-wireless-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-wireless@vger.kernel.org - -From: Wen Huang - -add_ie_rates() copys rates without checking the length -in bss descriptor from remote AP.when victim connects to -remote attacker, this may trigger buffer overflow. -lbs_ibss_join_existing() copys rates without checking the length -in bss descriptor from remote IBSS node.when victim connects to -remote attacker, this may trigger buffer overflow. -Fix them by putting the length check before performing copy. - -This fix addresses CVE-2019-14896 and CVE-2019-14897. - -Signed-off-by: Wen Huang ---- - drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c -index 57edfada0..290280764 100644 ---- a/drivers/net/wireless/marvell/libertas/cfg.c -+++ b/drivers/net/wireless/marvell/libertas/cfg.c -@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int *nrates) - int hw, ap, ap_max = ie[1]; - u8 hw_rate; - -+ if (ap_max > MAX_RATES) { -+ lbs_deb_assoc("invalid rates\n"); -+ return tlv; -+ } - /* Advance past IE header */ - ie += 2; - -@@ -1777,6 +1781,10 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, - } else { - int hw, i; - u8 rates_max = rates_eid[1]; -+ if (rates_max > MAX_RATES) { -+ lbs_deb_join("invalid rates"); -+ goto out; -+ } - u8 *rates = cmd.bss.rates; - for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { - u8 hw_rate = lbs_rates[hw].bitrate / 5; diff --git a/sources b/sources index e533c7030..3df436dea 100644 --- a/sources +++ b/sources @@ -1,3 +1 @@ -SHA512 (linux-5.4.tar.xz) = 9f60f77e8ab972b9438ac648bed17551c8491d6585a5e85f694b2eaa4c623fbc61eb18419b2656b6795eac5deec0edaa04547fc6723fbda52256bd7f3486898f -SHA512 (patch-5.5-rc7.xz) = 201e1da9acb0a9dfea4aa2eda89453c390f2aec7fe5ebcc9a46ef6a44dc16aacc7eb75aada461fbf12102014eb8767c6a640ac2dcc441e9803a4942c0b83c5e8 -SHA512 (patch-5.5-rc7-git2.xz) = cf955e531c340c25bb8a52a80b299703e9645c039d1fa46968a41e8d90f7f165c949baf4021d2cd32a6c3c321c974b68d94b0d476b18db9ca7f6274b9982ddba +SHA512 (linux-5.5.tar.xz) = fa74fdabb5e63384a39e54da05b86a9ae9ea16179524b041fbbdffc7177e80b53600ae98d76be127ba216148f9dc55fe07ab20637e22c6d6030cb4aa09eb2f86 -- cgit