Linux v4.14.8
This commit is contained in:
parent
9f4545c739
commit
1034158e62
|
@ -1,50 +0,0 @@
|
|||
From patchwork Tue Dec 12 19:28:38 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Subject: Revert "exec: avoid RLIMIT_STACK races with prlimit()"
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
X-Patchwork-Id: 10108209
|
||||
Message-Id: <20171212192838.GA14592@beast>
|
||||
To: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Laura Abbott <labbott@redhat.com>,
|
||||
=?utf-8?B?VG9tw6HFoQ==?= Trnka <trnka@scm.com>,
|
||||
linux-kernel@vger.kernel.org
|
||||
Date: Tue, 12 Dec 2017 11:28:38 -0800
|
||||
|
||||
This reverts commit 04e35f4495dd560db30c25efca4eecae8ec8c375.
|
||||
|
||||
SELinux runs with secureexec for all non-"noatsecure" domain transitions,
|
||||
which means lots of processes end up hitting the stack hard-limit change
|
||||
that was introduced in order to fix a race with prlimit(). That race fix
|
||||
will need to be redesigned.
|
||||
|
||||
Reported-by: Laura Abbott <labbott@redhat.com>
|
||||
Reported-by: Tomáš Trnka <trnka@scm.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
---
|
||||
fs/exec.c | 7 +------
|
||||
1 file changed, 1 insertion(+), 6 deletions(-)
|
||||
|
||||
diff --git a/fs/exec.c b/fs/exec.c
|
||||
index 6be2aa0ab26f..1d6243d9f2b6 100644
|
||||
--- a/fs/exec.c
|
||||
+++ b/fs/exec.c
|
||||
@@ -1340,15 +1340,10 @@ void setup_new_exec(struct linux_binprm * bprm)
|
||||
* avoid bad behavior from the prior rlimits. This has to
|
||||
* happen before arch_pick_mmap_layout(), which examines
|
||||
* RLIMIT_STACK, but after the point of no return to avoid
|
||||
- * races from other threads changing the limits. This also
|
||||
- * must be protected from races with prlimit() calls.
|
||||
+ * needing to clean up the change on failure.
|
||||
*/
|
||||
- task_lock(current->group_leader);
|
||||
if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
|
||||
current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
|
||||
- if (current->signal->rlim[RLIMIT_STACK].rlim_max > _STK_LIM)
|
||||
- current->signal->rlim[RLIMIT_STACK].rlim_max = _STK_LIM;
|
||||
- task_unlock(current->group_leader);
|
||||
}
|
||||
|
||||
arch_pick_mmap_layout(current->mm);
|
|
@ -1,48 +0,0 @@
|
|||
From 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Stern <stern@rowland.harvard.edu>
|
||||
Date: Tue, 12 Dec 2017 14:25:13 -0500
|
||||
Subject: [PATCH] USB: core: prevent malicious bNumInterfaces overflow
|
||||
|
||||
A malicious USB device with crafted descriptors can cause the kernel
|
||||
to access unallocated memory by setting the bNumInterfaces value too
|
||||
high in a configuration descriptor. Although the value is adjusted
|
||||
during parsing, this adjustment is skipped in one of the error return
|
||||
paths.
|
||||
|
||||
This patch prevents the problem by setting bNumInterfaces to 0
|
||||
initially. The existing code already sets it to the proper value
|
||||
after parsing is complete.
|
||||
|
||||
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
CC: <stable@vger.kernel.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/usb/core/config.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
|
||||
index 55b198ba629b..78e92d29f8d9 100644
|
||||
--- a/drivers/usb/core/config.c
|
||||
+++ b/drivers/usb/core/config.c
|
||||
@@ -555,6 +555,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
|
||||
unsigned iad_num = 0;
|
||||
|
||||
memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
|
||||
+ nintf = nintf_orig = config->desc.bNumInterfaces;
|
||||
+ config->desc.bNumInterfaces = 0; // Adjusted later
|
||||
+
|
||||
if (config->desc.bDescriptorType != USB_DT_CONFIG ||
|
||||
config->desc.bLength < USB_DT_CONFIG_SIZE ||
|
||||
config->desc.bLength > size) {
|
||||
@@ -568,7 +571,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
|
||||
buffer += config->desc.bLength;
|
||||
size -= config->desc.bLength;
|
||||
|
||||
- nintf = nintf_orig = config->desc.bNumInterfaces;
|
||||
if (nintf > USB_MAXINTERFACES) {
|
||||
dev_warn(ddev, "config %d has too many interfaces: %d, "
|
||||
"using maximum allowed: %d\n",
|
||||
--
|
||||
2.14.3
|
||||
|
12
kernel.spec
12
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 7
|
||||
%define stable_update 8
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -616,13 +616,6 @@ Patch335: arm-exynos-fix-usb3.patch
|
|||
# rbhz 1519591 1520764
|
||||
Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
|
||||
|
||||
# rhbz 1525474 1525476
|
||||
Patch501: USB-core-prevent-malicious-bNumInterfaces-overflow.patch
|
||||
|
||||
# https://patchwork.kernel.org/patch/10108209/
|
||||
# https://marc.info/?l=linux-kernel&m=151307686618795
|
||||
Patch502: Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
|
||||
|
||||
# CVE-2017-17449
|
||||
# rhbz 1525762 1525763
|
||||
Patch503: netlink-Add-netns-check-on-taps.patch
|
||||
|
@ -2243,6 +2236,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Dec 20 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.8-200
|
||||
- Linux v4.14.8
|
||||
|
||||
* Wed Dec 20 2017 Jeremy Cline <jeremy@jcline.org>
|
||||
- Backport fix e1000_check_for_copper_link_ich8lan return value
|
||||
|
||||
|
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
|
||||
SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
|
||||
SHA512 (patch-4.14.7.xz) = 7a0aa00af73fbac34a0f96ebbd977688275538f8f2f3e0ba32ac3f9eb0d02498dd75d4d6481cfdd1236d45616231dd376a453ce8c04663ceaeb5ccc553996251
|
||||
SHA512 (patch-4.14.8.xz) = 62aa92e671cfc9265cf1690e0d64058dfa779400074cd909161d4e49f5313f58c1303ad301cecdbb64ee85d653f0bcb42fa609f25827289aad3bc94561d94390
|
||||
|
|
Loading…
Reference in New Issue