Linux v4.14.8

Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch

@@ -1,50 +0,0 @@
-From patchwork Tue Dec 12 19:28:38 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Subject: Revert "exec: avoid RLIMIT_STACK races with prlimit()"
-From: Kees Cook <keescook@chromium.org>
-X-Patchwork-Id: 10108209
-Message-Id: <20171212192838.GA14592@beast>
-To: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Laura Abbott <labbott@redhat.com>,
- =?utf-8?B?VG9tw6HFoQ==?= Trnka <trnka@scm.com>,
- linux-kernel@vger.kernel.org
-Date: Tue, 12 Dec 2017 11:28:38 -0800
-
-This reverts commit 04e35f4495dd560db30c25efca4eecae8ec8c375.
-
-SELinux runs with secureexec for all non-"noatsecure" domain transitions,
-which means lots of processes end up hitting the stack hard-limit change
-that was introduced in order to fix a race with prlimit(). That race fix
-will need to be redesigned.
-
-Reported-by: Laura Abbott <labbott@redhat.com>
-Reported-by: Tomáš Trnka <trnka@scm.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Kees Cook <keescook@chromium.org>
----
- fs/exec.c | 7 +------
- 1 file changed, 1 insertion(+), 6 deletions(-)
-
-diff --git a/fs/exec.c b/fs/exec.c
-index 6be2aa0ab26f..1d6243d9f2b6 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1340,15 +1340,10 @@ void setup_new_exec(struct linux_binprm * bprm)
- 		 * avoid bad behavior from the prior rlimits. This has to
- 		 * happen before arch_pick_mmap_layout(), which examines
- 		 * RLIMIT_STACK, but after the point of no return to avoid
--		 * races from other threads changing the limits. This also
--		 * must be protected from races with prlimit() calls.
-+		 * needing to clean up the change on failure.
- 		 */
--		task_lock(current->group_leader);
- 		if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
- 			current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
--		if (current->signal->rlim[RLIMIT_STACK].rlim_max > _STK_LIM)
--			current->signal->rlim[RLIMIT_STACK].rlim_max = _STK_LIM;
--		task_unlock(current->group_leader);
- 	}
- 
- 	arch_pick_mmap_layout(current->mm);

USB-core-prevent-malicious-bNumInterfaces-overflow.patch

@@ -1,48 +0,0 @@
-From 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 Mon Sep 17 00:00:00 2001
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Tue, 12 Dec 2017 14:25:13 -0500
-Subject: [PATCH] USB: core: prevent malicious bNumInterfaces overflow
-
-A malicious USB device with crafted descriptors can cause the kernel
-to access unallocated memory by setting the bNumInterfaces value too
-high in a configuration descriptor.  Although the value is adjusted
-during parsing, this adjustment is skipped in one of the error return
-paths.
-
-This patch prevents the problem by setting bNumInterfaces to 0
-initially.  The existing code already sets it to the proper value
-after parsing is complete.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Reported-by: Andrey Konovalov <andreyknvl@google.com>
-CC: <stable@vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/core/config.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
-index 55b198ba629b..78e92d29f8d9 100644
---- a/drivers/usb/core/config.c
-+++ b/drivers/usb/core/config.c
-@@ -555,6 +555,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
- 	unsigned iad_num = 0;
- 
- 	memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
-+	nintf = nintf_orig = config->desc.bNumInterfaces;
-+	config->desc.bNumInterfaces = 0;	// Adjusted later
-+
- 	if (config->desc.bDescriptorType != USB_DT_CONFIG ||
- 	    config->desc.bLength < USB_DT_CONFIG_SIZE ||
- 	    config->desc.bLength > size) {
-@@ -568,7 +571,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
- 	buffer += config->desc.bLength;
- 	size -= config->desc.bLength;
- 
--	nintf = nintf_orig = config->desc.bNumInterfaces;
- 	if (nintf > USB_MAXINTERFACES) {
- 		dev_warn(ddev, "config %d has too many interfaces: %d, "
- 		    "using maximum allowed: %d\n",
--- 
-2.14.3
-

kernel.spec

@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 7
+%define stable_update 8
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -616,13 +616,6 @@ Patch335: arm-exynos-fix-usb3.patch
 # rbhz 1519591 1520764
 Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
 
-# rhbz 1525474 1525476
-Patch501: USB-core-prevent-malicious-bNumInterfaces-overflow.patch
-
-# https://patchwork.kernel.org/patch/10108209/
-# https://marc.info/?l=linux-kernel&m=151307686618795
-Patch502: Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
-
 # CVE-2017-17449
 # rhbz 1525762 1525763
 Patch503: netlink-Add-netns-check-on-taps.patch
@@ -2243,6 +2236,9 @@ fi
 #
 #
 %changelog
+* Wed Dec 20 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.8-200
+- Linux v4.14.8
+
 * Wed Dec 20 2017 Jeremy Cline <jeremy@jcline.org>
 - Backport fix e1000_check_for_copper_link_ich8lan return value
 

sources

@@ -1,3 +1,3 @@
 SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
 SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
-SHA512 (patch-4.14.7.xz) = 7a0aa00af73fbac34a0f96ebbd977688275538f8f2f3e0ba32ac3f9eb0d02498dd75d4d6481cfdd1236d45616231dd376a453ce8c04663ceaeb5ccc553996251
+SHA512 (patch-4.14.8.xz) = 62aa92e671cfc9265cf1690e0d64058dfa779400074cd909161d4e49f5313f58c1303ad301cecdbb64ee85d653f0bcb42fa609f25827289aad3bc94561d94390