CVE-2015-2042 rds: information handling flaw in sysctl (rhbz 1195355 1199365)
parent
ae3c9b8089
commit
19bd16235d
|
@ -9,7 +9,7 @@ Patch for disconnect issues with storage attached to a
|
|||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
|
||||
index b649fef2e35d..fb89290710ad 100644
|
||||
index 2246954d7df3..dbd69b7eae92 100644
|
||||
--- a/drivers/usb/core/hub.c
|
||||
+++ b/drivers/usb/core/hub.c
|
||||
@@ -5023,6 +5023,13 @@ static void hub_event(struct work_struct *work)
|
||||
|
|
|
@ -215,7 +215,7 @@ index 387fa7d05c98..4b07e30b3279 100644
|
|||
int unregister_sysrq_key(int key, struct sysrq_key_op *op);
|
||||
struct sysrq_key_op *__sysrq_get_key_op(int key);
|
||||
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
|
||||
index 379650b984f8..070f29fefdc2 100644
|
||||
index 6ffdc96059a0..2f8f814ae94c 100644
|
||||
--- a/kernel/debug/kdb/kdb_main.c
|
||||
+++ b/kernel/debug/kdb/kdb_main.c
|
||||
@@ -1924,7 +1924,7 @@ static int kdb_sr(int argc, const char **argv)
|
||||
|
|
|
@ -43,7 +43,7 @@ Cc: stable@vger.kernel.org
|
|||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
|
||||
index 086240cd29c3..b2c68213696a 100644
|
||||
index fe1678c4ff89..99e9d879a460 100644
|
||||
--- a/drivers/bluetooth/ath3k.c
|
||||
+++ b/drivers/bluetooth/ath3k.c
|
||||
@@ -65,6 +65,7 @@ static const struct usb_device_id ath3k_table[] = {
|
||||
|
@ -55,10 +55,10 @@ index 086240cd29c3..b2c68213696a 100644
|
|||
{ USB_DEVICE(0x0CF3, 0x3002) },
|
||||
{ USB_DEVICE(0x0CF3, 0xE019) },
|
||||
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
|
||||
index 091c813df8e9..79e344f9e681 100644
|
||||
index f0e2f721c8ce..d8b5b37aa1bd 100644
|
||||
--- a/drivers/bluetooth/btusb.c
|
||||
+++ b/drivers/bluetooth/btusb.c
|
||||
@@ -142,6 +142,7 @@ static const struct usb_device_id blacklist_table[] = {
|
||||
@@ -150,6 +150,7 @@ static const struct usb_device_id blacklist_table[] = {
|
||||
/* Atheros 3011 with sflash firmware */
|
||||
{ USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
|
||||
{ USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
|
||||
|
|
|
@ -43,7 +43,7 @@ Signed-off-by: Josh Stone <jistone@redhat.com>
|
|||
2 files changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 0b3f8a1b3715..ffac1ebfc6b9 100644
|
||||
index 62b333802a0e..7d683b59afa4 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -704,7 +704,11 @@ KBUILD_CFLAGS += -fomit-frame-pointer
|
||||
|
|
|
@ -9,7 +9,7 @@ Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
|
|||
1 file changed, 21 insertions(+)
|
||||
|
||||
diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
index 4991a1664773..096ddbe4c4b3 100644
|
||||
index db880bf46135..c931ec7201c0 100644
|
||||
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
@@ -102,6 +102,27 @@
|
||||
|
|
|
@ -8,7 +8,7 @@ Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
|
|||
1 file changed, 39 insertions(+)
|
||||
|
||||
diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
index 6cc25ed912ee..754b96c5dbb1 100644
|
||||
index 2c6248d9a9ef..ec755eeb78ee 100644
|
||||
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
@@ -81,6 +81,13 @@
|
||||
|
@ -25,7 +25,7 @@ index 6cc25ed912ee..754b96c5dbb1 100644
|
|||
uart0_pins: pinmux_uart0_pins {
|
||||
pinctrl-single,pins = <
|
||||
0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */
|
||||
@@ -217,6 +224,38 @@
|
||||
@@ -218,6 +225,38 @@
|
||||
reg = <0x24>;
|
||||
};
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
|
|||
1 file changed, 130 insertions(+)
|
||||
|
||||
diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
index 754b96c5dbb1..4991a1664773 100644
|
||||
index ec755eeb78ee..db880bf46135 100644
|
||||
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
|
||||
@@ -95,6 +95,13 @@
|
||||
|
@ -74,7 +74,7 @@ index 754b96c5dbb1..4991a1664773 100644
|
|||
&usb {
|
||||
status = "okay";
|
||||
};
|
||||
@@ -258,6 +299,56 @@
|
||||
@@ -259,6 +300,56 @@
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -131,7 +131,7 @@ index 754b96c5dbb1..4991a1664773 100644
|
|||
/include/ "tps65217.dtsi"
|
||||
|
||||
&tps {
|
||||
@@ -339,3 +430,42 @@
|
||||
@@ -340,3 +431,42 @@
|
||||
cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>;
|
||||
cd-inverted;
|
||||
};
|
||||
|
|
|
@ -645,6 +645,9 @@ Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
|
|||
#rhbz 1190947
|
||||
Patch26141: Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
|
||||
|
||||
#CVE-2015-2042 rhbz 1195355 1199365
|
||||
Patch26143: net-rds-use-correct-size-for-max-unacked-packets-and.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1395,6 +1398,9 @@ ApplyPatch Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
|
|||
#rhbz 1185519
|
||||
ApplyPatch NFS-fix-clp-cl_revoked-list-deletion-causing-softloc.patch
|
||||
|
||||
#CVE-2015-2042 rhbz 1195355 1199365
|
||||
ApplyPatch net-rds-use-correct-size-for-max-unacked-packets-and.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
|
@ -2265,6 +2271,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Tue Mar 10 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2015-2042 rds: information handling flaw in sysctl (rhbz 1195355 1199365)
|
||||
|
||||
* Mon Mar 09 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 3.18.9-200
|
||||
- Linux v3.18.9
|
||||
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
From: Sasha Levin <sasha.levin@oracle.com>
|
||||
Date: Tue, 3 Feb 2015 08:55:58 -0500
|
||||
Subject: [PATCH] net: rds: use correct size for max unacked packets and bytes
|
||||
|
||||
Max unacked packets/bytes is an int while sizeof(long) was used in the
|
||||
sysctl table.
|
||||
|
||||
This means that when they were getting read we'd also leak kernel memory
|
||||
to userspace along with the timeout values.
|
||||
|
||||
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/rds/sysctl.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/rds/sysctl.c b/net/rds/sysctl.c
|
||||
index c3b0cd43eb56..c173f69e1479 100644
|
||||
--- a/net/rds/sysctl.c
|
||||
+++ b/net/rds/sysctl.c
|
||||
@@ -71,14 +71,14 @@ static struct ctl_table rds_sysctl_rds_table[] = {
|
||||
{
|
||||
.procname = "max_unacked_packets",
|
||||
.data = &rds_sysctl_max_unacked_packets,
|
||||
- .maxlen = sizeof(unsigned long),
|
||||
+ .maxlen = sizeof(int),
|
||||
.mode = 0644,
|
||||
.proc_handler = proc_dointvec,
|
||||
},
|
||||
{
|
||||
.procname = "max_unacked_bytes",
|
||||
.data = &rds_sysctl_max_unacked_bytes,
|
||||
- .maxlen = sizeof(unsigned long),
|
||||
+ .maxlen = sizeof(int),
|
||||
.mode = 0644,
|
||||
.proc_handler = proc_dointvec,
|
||||
},
|
||||
--
|
||||
2.1.0
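Review bot: Both corrected entries hard-code `sizeof(int)`, which fixes the mismatch with `proc_dointvec` but can drift again if the variables' types ever change; tying the length to the object, `.maxlen = sizeof(rds_sysctl_max_unacked_packets),` and `.maxlen = sizeof(rds_sysctl_max_unacked_bytes),`, keeps the two in step. The variable declarations and the remaining entries of `rds_sysctl_rds_table` lie outside this hunk, so it is worth confirming that every other entry's `.maxlen` matches both its `.data` object and its handler. Because the entries are mode 0644 and `proc_dointvec` derives its element count from `.maxlen`, the old size presumably affected writes as well as the reads the commit message describes; the description could say so, so that anyone backporting the fix rates it accordingly.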
|
||||
|
|
@ -14,10 +14,10 @@ Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
|||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
|
||||
index ff765d8e1a09..864290243e46 100644
|
||||
index ce364a41842a..477de0a9e1ee 100644
|
||||
--- a/drivers/platform/x86/samsung-laptop.c
|
||||
+++ b/drivers/platform/x86/samsung-laptop.c
|
||||
@@ -1578,6 +1578,16 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
|
||||
@@ -1583,6 +1583,16 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
|
||||
},
|
||||
.driver_data = &samsung_np740u3e,
|
||||
},
|
||||
|
|