Linux v3.7.2
parent
dc100f5f14
commit
08c8fb227b
|
@ -1,43 +0,0 @@
|
|||
From a5f86c3423428c8e28b6501d0e9c3929ca91f07d Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Cook <jeff@deserettechnology.com>
|
||||
Date: Fri, 9 Nov 2012 16:39:48 -0700
|
||||
Subject: [PATCH 2/2] Bluetooth: Add support for BCM20702A0 [0b05, 17b5]
|
||||
|
||||
Vendor-specific ID for BCM20702A0.
|
||||
Support for bluetooth over Asus Wi-Fi GO!, included with Asus P8Z77-V
|
||||
Deluxe.
|
||||
|
||||
T: Bus=07 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
|
||||
D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
|
||||
P: Vendor=0b05 ProdID=17b5 Rev=01.12
|
||||
S: Manufacturer=Broadcom Corp
|
||||
S: Product=BCM20702A0
|
||||
S: SerialNumber=94DBC98AC113
|
||||
C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA
|
||||
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
|
||||
I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
|
||||
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
|
||||
I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Jeff Cook <jeff@deserettechnology.com>
|
||||
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
|
||||
---
|
||||
drivers/bluetooth/btusb.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
|
||||
index b167944..6dc44ff 100644
|
||||
--- a/drivers/bluetooth/btusb.c
|
||||
+++ b/drivers/bluetooth/btusb.c
|
||||
@@ -96,6 +96,7 @@ static struct usb_device_id btusb_table[] = {
|
||||
{ USB_DEVICE(0x0c10, 0x0000) },
|
||||
|
||||
/* Broadcom BCM20702A0 */
|
||||
+ { USB_DEVICE(0x0b05, 0x17b5) },
|
||||
{ USB_DEVICE(0x04ca, 0x2003) },
|
||||
{ USB_DEVICE(0x0489, 0xe042) },
|
||||
{ USB_DEVICE(0x413c, 0x8197) },
|
||||
--
|
||||
1.8.0
|
||||
|
|
@ -45,7 +45,7 @@ CONFIG_FB_EFI=y
|
|||
CONFIG_INTEL_IOMMU=y
|
||||
CONFIG_DMAR_BROKEN_GFX_WA=y
|
||||
CONFIG_INTEL_IOMMU_FLOPPY_WA=y
|
||||
# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
|
||||
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
|
||||
CONFIG_SCSI_ADVANSYS=m
|
||||
|
||||
CONFIG_SECCOMP=y
|
||||
|
|
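Review bot: The switch to `CONFIG_INTEL_IOMMU_DEFAULT_ON=y` lands with no comment in the fragment saying why, and the neighbouring context line `CONFIG_DMAR_BROKEN_GFX_WA=y` still uses what looks like an older DMAR-prefixed name while the other options in this hunk use the `INTEL_IOMMU_` prefix. Confirm that the line still matches a symbol in the 3.7 tree, because the graphics workaround decides whether graphics devices are covered by DMA remapping once it is on at boot. I would add a comment above the changed line such as `# DMA remapping on at boot; intel_iommu=off disables it on machines with broken DMAR tables`. The file name of this section is not visible on the page, and which of the two `DEFAULT_ON` lines is the new one is inferred from the changelog entry "Enable Intel IOMMU by default".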
|
@ -1,118 +0,0 @@
|
|||
From 6752ab4cb863fc63ed85f1ca78a42235c09fad83 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Mon, 26 Nov 2012 09:07:50 -0500
|
||||
Subject: [PATCH 1/2] exec: do not leave bprm->interp on stack
|
||||
|
||||
If a series of scripts are executed, each triggering module loading via
|
||||
unprintable bytes in the script header, kernel stack contents can leak
|
||||
into the command line.
|
||||
|
||||
Normally execution of binfmt_script and binfmt_misc happens recursively.
|
||||
However, when modules are enabled, and unprintable bytes exist in the
|
||||
bprm->buf, execution will restart after attempting to load matching binfmt
|
||||
modules. Unfortunately, the logic in binfmt_script and binfmt_misc does
|
||||
not expect to get restarted. They leave bprm->interp pointing to their
|
||||
local stack. This means on restart bprm->interp is left pointing into
|
||||
unused stack memory which can then be copied into the userspace argv
|
||||
areas.
|
||||
|
||||
After additional study, it seems that both recursion and restart remains
|
||||
the desirable way to handle exec with scripts, misc, and modules. As
|
||||
such, we need to protect the changes to interp.
|
||||
|
||||
This changes the logic to require allocation for any changes to the
|
||||
bprm->interp. To avoid adding a new kmalloc to every exec, the default
|
||||
value is left as-is. Only when passing through binfmt_script or
|
||||
binfmt_misc does an allocation take place.
|
||||
|
||||
For a proof of concept, see DoTest.sh from:
|
||||
http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: halfdog <me@halfdog.net>
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
---
|
||||
fs/binfmt_misc.c | 5 ++++-
|
||||
fs/binfmt_script.c | 4 +++-
|
||||
fs/exec.c | 15 +++++++++++++++
|
||||
include/linux/binfmts.h | 1 +
|
||||
4 files changed, 23 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
|
||||
index 790b3cd..772428d 100644
|
||||
--- a/fs/binfmt_misc.c
|
||||
+++ b/fs/binfmt_misc.c
|
||||
@@ -176,7 +176,10 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
|
||||
goto _error;
|
||||
bprm->argc ++;
|
||||
|
||||
- bprm->interp = iname; /* for binfmt_script */
|
||||
+ /* Update interp in case binfmt_script needs it. */
|
||||
+ retval = bprm_change_interp(iname, bprm);
|
||||
+ if (retval < 0)
|
||||
+ goto _error;
|
||||
|
||||
interp_file = open_exec (iname);
|
||||
retval = PTR_ERR (interp_file);
|
||||
diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
|
||||
index d3b8c1f..df49d48 100644
|
||||
--- a/fs/binfmt_script.c
|
||||
+++ b/fs/binfmt_script.c
|
||||
@@ -82,7 +82,9 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)
|
||||
retval = copy_strings_kernel(1, &i_name, bprm);
|
||||
if (retval) return retval;
|
||||
bprm->argc++;
|
||||
- bprm->interp = interp;
|
||||
+ retval = bprm_change_interp(interp, bprm);
|
||||
+ if (retval < 0)
|
||||
+ return retval;
|
||||
|
||||
/*
|
||||
* OK, now restart the process with the interpreter's dentry.
|
||||
diff --git a/fs/exec.c b/fs/exec.c
|
||||
index 0039055..c6e6de4 100644
|
||||
--- a/fs/exec.c
|
||||
+++ b/fs/exec.c
|
||||
@@ -1175,9 +1175,24 @@ void free_bprm(struct linux_binprm *bprm)
|
||||
mutex_unlock(¤t->signal->cred_guard_mutex);
|
||||
abort_creds(bprm->cred);
|
||||
}
|
||||
+ /* If a binfmt changed the interp, free it. */
|
||||
+ if (bprm->interp != bprm->filename)
|
||||
+ kfree(bprm->interp);
|
||||
kfree(bprm);
|
||||
}
|
||||
|
||||
+int bprm_change_interp(char *interp, struct linux_binprm *bprm)
|
||||
+{
|
||||
+ /* If a binfmt changed the interp, free it first. */
|
||||
+ if (bprm->interp != bprm->filename)
|
||||
+ kfree(bprm->interp);
|
||||
+ bprm->interp = kstrdup(interp, GFP_KERNEL);
|
||||
+ if (!bprm->interp)
|
||||
+ return -ENOMEM;
|
||||
+ return 0;
|
||||
+}
|
||||
+EXPORT_SYMBOL(bprm_change_interp);
|
||||
+
|
||||
/*
|
||||
* install the new credentials for this executable
|
||||
*/
|
||||
diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
|
||||
index cfcc6bf..de0628e 100644
|
||||
--- a/include/linux/binfmts.h
|
||||
+++ b/include/linux/binfmts.h
|
||||
@@ -114,6 +114,7 @@ extern int setup_arg_pages(struct linux_binprm * bprm,
|
||||
unsigned long stack_top,
|
||||
int executable_stack);
|
||||
extern int bprm_mm_init(struct linux_binprm *bprm);
|
||||
+extern int bprm_change_interp(char *interp, struct linux_binprm *bprm);
|
||||
extern int copy_strings_kernel(int argc, const char *const *argv,
|
||||
struct linux_binprm *bprm);
|
||||
extern int prepare_bprm_creds(struct linux_binprm *bprm);
|
||||
--
|
||||
1.8.0
|
||||
|
16
kernel.spec
16
kernel.spec
|
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 5
|
||||
%global baserelease 201
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 1
|
||||
%define stable_update 2
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -769,14 +769,10 @@ Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
|
|||
#rhbz 871078
|
||||
Patch22112: USB-report-submission-of-active-URBs.patch
|
||||
|
||||
#rhbz 874791
|
||||
Patch22125: Bluetooth-Add-support-for-BCM20702A0.patch
|
||||
|
||||
#rhbz 859485
|
||||
Patch21226: vt-Drop-K_OFF-for-VC_MUTE.patch
|
||||
|
||||
#rhbz CVE-2012-4530 868285 880147
|
||||
Patch21228: exec-do-not-leave-bprm-interp-on-stack.patch
|
||||
Patch21229: exec-use-eloop-for-max-recursion-depth.patch
|
||||
|
||||
#rhbz 851278
|
||||
|
@ -1504,14 +1500,10 @@ ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
|
|||
#rhbz 871078
|
||||
ApplyPatch USB-report-submission-of-active-URBs.patch
|
||||
|
||||
#rhbz 874791
|
||||
ApplyPatch Bluetooth-Add-support-for-BCM20702A0.patch
|
||||
|
||||
#rhbz 859485
|
||||
ApplyPatch vt-Drop-K_OFF-for-VC_MUTE.patch
|
||||
|
||||
#rhbz CVE-2012-4530 868285 880147
|
||||
ApplyPatch exec-do-not-leave-bprm-interp-on-stack.patch
|
||||
ApplyPatch exec-use-eloop-for-max-recursion-depth.patch
|
||||
|
||||
#rhbz 851278
|
||||
|
@ -2404,6 +2396,10 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Fri Jan 11 2013 Justin M. Forbes <jforbes@redhat.com> 3.7.1-1
|
||||
- Linux v3.7.2
|
||||
- Enable Intel IOMMU by default
|
||||
|
||||
* Thu Jan 10 2013 Dave Jones <davej@redhat.com>
|
||||
- Add audit-libs-devel to perf build-deps to enable trace command. (rhbz 892893)
|
||||
|
||||
|
|
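Review bot: The new %changelog entry is headed `3.7.1-1` although this section moves `stable_update` to 2 and changes `baserelease`, so the version-release in the header appears stale and should match what the build produces. The entry also lists only the rebase and the IOMMU default, while the Patch/ApplyPatch hunks around `#rhbz CVE-2012-4530 868285 880147` and `#rhbz 874791` each lose four lines and two patch files are deleted on this page. A line such as `- Drop exec-do-not-leave-bprm-interp-on-stack.patch (CVE-2012-4530), <reason, e.g. included in the stable update>` would let someone auditing the package confirm the fix is still carried. Which spec lines are removed is inferred from the hunk counts, since the +/- markers are lost in this rendering.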