rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Linux v4.6.6

This commit is contained in:
Laura Abbott 2016-08-10 13:35:15 -07:00
parent d6256ebfe7
commit 1d48d18f7d
8 changed files with 5 additions and 307 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
View File

@ -1,33 +0,0 @@
From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:44:07 -0400
Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The stack object “tread” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/core/timer.c b/sound/core/timer.c
index 6469bedda2f3..964f5ebf495e 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
if (tu->tread) {
struct snd_timer_tread tread;
+ memset(&tread, 0, sizeof(tread));
tread.event = SNDRV_TIMER_EVENT_EARLY;
tread.tstamp.tv_sec = 0;
tread.tstamp.tv_nsec = 0;
--
2.5.5

34
ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
View File

@ -1,34 +0,0 @@
From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:44:20 -0400
Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
snd_timer_user_ccallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/core/timer.c b/sound/core/timer.c
index 964f5ebf495e..e98fa5feb731 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
tu->tstamp = *tstamp;
if ((tu->filter & (1 << event)) == 0 || !tu->tread)
return;
+ memset(&r1, 0, sizeof(r1));
r1.event = event;
r1.tstamp = *tstamp;
r1.val = resolution;
--
2.5.5

34
ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
View File

@ -1,34 +0,0 @@
From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:44:32 -0400
Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
snd_timer_user_tinterrupt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/core/timer.c b/sound/core/timer.c
index e98fa5feb731..c69a27155433 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
}
if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
tu->last_resolution != resolution) {
+ memset(&r1, 0, sizeof(r1));
r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
r1.tstamp = tstamp;
r1.val = resolution;
--
2.5.5

40
airspy-fix-error-logic-during-device-register.patch
View File

@ -1,40 +0,0 @@
From 785ef73dba6e9fefd2e5dd24546e0efa8698e5cd Mon Sep 17 00:00:00 2001
From: James Patrick-Evans <james@jmp-e.com>
Date: Fri, 15 Jul 2016 12:40:45 -0300
Subject: [media] airspy: fix error logic during device register
This patch addresses CVE-2016-5400, a local DOS vulnerability caused by
a memory leak in the airspy usb device driver.
The vulnerability is triggered when more than 64 usb devices register
with v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.A badusb device can
emulate 64 of these devices then through continual emulated
connect/disconnect of the 65th device, cause the kernel to run out of
RAM and crash the kernel.
The vulnerability exists in kernel versions from 3.17 to current 4.7.
The memory leak is caused by the probe function of the airspy driver
mishandeling errors and not freeing the corresponding control structures
when an error occours registering the device to v4l2 core.
Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Cc: stable@vger.kernel.org # Up to Kernel 3.17
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
index d807d58..19cd64c 100644
--- a/drivers/media/usb/airspy/airspy.c
+++ b/drivers/media/usb/airspy/airspy.c
@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
if (ret) {
dev_err(s->dev, "Failed to register as video device (%d)\n",
ret);
- goto err_unregister_v4l2_dev;
+ goto err_free_controls;
}
dev_info(s->dev, "Registered as %s\n",
video_device_node_name(&s->vdev));
--
cgit v0.10.2

19
kernel.spec
View File

@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 5
%define stable_update 6
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@ -606,11 +606,6 @@ Patch641: disable-CONFIG_EXPERT-for-ZONE_DMA.patch
#CVE-2016-4482 rhbz 1332931 1332932
Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
#CVE-2016-4569 rhbz 1334643 1334645
Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
#CVE-2016-4440 rhbz 1337806 1337807
Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
@ -642,12 +637,6 @@ Patch815: 0015-drm-i915-gen9-Calculate-watermarks-during-atomic-che.patch
Patch816: 0016-drm-i915-gen9-Reject-display-updates-that-exceed-wm-.patch
Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch
#CVE-2016-6156 rhbz 1353490 1353491
Patch832: platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
#rhbz 1346753
Patch834: qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch
#CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615
Patch835: tcp-make-challenge-acks-less-predictable.patch
Patch839: tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
@ -656,9 +645,6 @@ Patch839: tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
Patch836: drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch
Patch837: drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
#CVE-2016-5400 rhbz 1358184 1358186
Patch840: airspy-fix-error-logic-during-device-register.patch
#CVE-2016-6136 rhbz 1353533 1353534
Patch841: audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
@ -2191,6 +2177,9 @@ fi
#
#
%changelog
* Wed Aug 10 2016 Laura Abbott <labbott@fedoraproject.org> - 4.6.6-300
- Linux v4.6.6
* Mon Aug 08 2016 Josh Boyer <jwboyer@fedoraproject.org>
- Build CONFIG_POWERNV_CPUFREQ in on ppc64* (rhbz 1351346)

52
platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
View File

@ -1,52 +0,0 @@
From 096cdc6f52225835ff503f987a0d68ef770bb78e Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 21 Jun 2016 16:58:46 +0300
Subject: [PATCH] platform/chrome: cros_ec_dev - double fetch bug in ioctl
We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure
that those values have not changed between the two copy_from_user()
calls. Otherwise it could lead to a buffer overflow.
Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value.
We should use the new smaller value so we don't copy too much data to
the user.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: a841178445bb ('mfd: cros_ec: Use a zero-length array for command data')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Gwendal Grignou <gwendal@chromium.org>
Cc: <stable@vger.kernel.org> # v4.2+
Signed-off-by: Olof Johansson <olof@lixom.net>
---
drivers/platform/chrome/cros_ec_dev.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/chrome/cros_ec_dev.c b/drivers/platform/chrome/cros_ec_dev.c
index 6d8ee3b15872..8abd80dbcbed 100644
--- a/drivers/platform/chrome/cros_ec_dev.c
+++ b/drivers/platform/chrome/cros_ec_dev.c
@@ -151,13 +151,19 @@ static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
goto exit;
}
+ if (u_cmd.outsize != s_cmd->outsize ||
+ u_cmd.insize != s_cmd->insize) {
+ ret = -EINVAL;
+ goto exit;
+ }
+
s_cmd->command += ec->cmd_offset;
ret = cros_ec_cmd_xfer(ec->ec_dev, s_cmd);
/* Only copy data to userland if data was received. */
if (ret < 0)
goto exit;
- if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + u_cmd.insize))
+ if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + s_cmd->insize))
ret = -EFAULT;
exit:
kfree(s_cmd);
--
2.5.5

98
qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch
View File

@ -1,98 +0,0 @@
From 36d17a40c174c8b77386520ab2a430fea760dcc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bruno=20Pr=C3=83=C2=A9mont?= <bonbons@linux-vserver.org>
Date: Thu, 30 Jun 2016 17:00:32 +0200
Subject: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
pointer dereference when rsp->msix is NULL:
[ 5.622457] NULL pointer dereference at 0000000000000050
[ 5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
[ 5.622457] PGD 0
[ 5.622457] Oops: 0000 [#1] SMP
[ 5.622457] Modules linked in:
[ 5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1
[ 5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011
[ 5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000
[ 5.622457] RIP: 0010:[<ffffffff8155e614>] [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
[ 5.622457] RSP: 0000:ffff8801afb03de8 EFLAGS: 00010002
[ 5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff
[ 5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0
[ 5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000
[ 5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8
[ 5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013
[ 5.622457] FS: 0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000
[ 5.622457] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0
[ 5.622457] Stack:
[ 5.622457] ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002
[ 5.622457] ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002
[ 5.622457] ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032
[ 5.622457] Call Trace:
[ 5.622457] <IRQ>
[ 5.622457] [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80
[ 5.622457] [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60
[ 5.622457] [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240
[ 5.622457] [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0
[ 5.622457] [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200
[ 5.622457] [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100
[ 5.622457] [<ffffffff810c8a77>] handle_irq_event+0x27/0x50
[ 5.622457] [<ffffffff810cb965>] handle_edge_irq+0x65/0x140
[ 5.622457] [<ffffffff8101a498>] handle_irq+0x18/0x30
[ 5.622457] [<ffffffff8101a276>] do_IRQ+0x46/0xd0
[ 5.622457] [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f
[ 5.622457] <EOI>
[ 5.622457] [<ffffffff81020d38>] ? mwait_idle+0x68/0x80
[ 5.622457] [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10
[ 5.622457] [<ffffffff810c1b97>] default_idle_call+0x27/0x30
[ 5.622457] [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230
[ 5.622457] [<ffffffff810324c6>] start_secondary+0x136/0x140
[ 5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00
[ 5.622457] RIP [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
[ 5.622457] RSP <ffff8801afb03de8>
[ 5.622457] CR2: 0000000000000050
[ 5.622457] ---[ end trace fa2b19c25106d42b ]---
[ 5.622457] Kernel panic - not syncing: Fatal exception in interrupt
The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
(qla2xxx: Add irq affinity notification).
Only dereference rsp->msix when it has been set so the machine can boot
fine. Possibly rsp->msix is unset because:
[ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
[ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
[ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
[ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
[ 3.890145] scsi host0: qla2xxx
[ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
[ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
[ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).
Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
Acked-by: Quinn Tran <quinn.tran@qlogic.com>
CC: <stable@vger.kernel.org> # 4.5+
Fixes: cdb898c52d1dfad4b4800b83a58b3fe5d352edde
Signed-off-by: James Bottomley <jejb@linux.vnet.ibm.com>
---
drivers/scsi/qla2xxx/qla_isr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index 5649c200d37c..a92a62dea793 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
if (!vha->flags.online)
return;
- if (rsp->msix->cpuid != smp_processor_id()) {
+ if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) {
/* if kernel does not notify qla of IRQ's CPU change,
* then set it here.
*/
--
2.5.5

2
sources
View File

@ -1,3 +1,3 @@
d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz
fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz
ad32c9ec1c69a99811d160d6014f9b2d patch-4.6.5.xz
84f23eb772635b1348d3ea7c5bd67930 patch-4.6.6.xz