Linux v4.6.6
This commit is contained in:
parent
d6256ebfe7
commit
1d48d18f7d
|
@ -1,33 +0,0 @@
|
|||
From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
|
||||
From: Kangjie Lu <kangjielu@gmail.com>
|
||||
Date: Tue, 3 May 2016 16:44:07 -0400
|
||||
Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The stack object “tread” has a total size of 32 bytes. Its field
|
||||
“event” and “val” both contain 4 bytes padding. These 8 bytes
|
||||
padding bytes are sent to user without being initialized.
|
||||
|
||||
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/timer.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/sound/core/timer.c b/sound/core/timer.c
|
||||
index 6469bedda2f3..964f5ebf495e 100644
|
||||
--- a/sound/core/timer.c
|
||||
+++ b/sound/core/timer.c
|
||||
@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
|
||||
if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
|
||||
if (tu->tread) {
|
||||
struct snd_timer_tread tread;
|
||||
+ memset(&tread, 0, sizeof(tread));
|
||||
tread.event = SNDRV_TIMER_EVENT_EARLY;
|
||||
tread.tstamp.tv_sec = 0;
|
||||
tread.tstamp.tv_nsec = 0;
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
|
||||
From: Kangjie Lu <kangjielu@gmail.com>
|
||||
Date: Tue, 3 May 2016 16:44:20 -0400
|
||||
Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
|
||||
snd_timer_user_ccallback
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The stack object “r1” has a total size of 32 bytes. Its field
|
||||
“event” and “val” both contain 4 bytes padding. These 8 bytes
|
||||
padding bytes are sent to user without being initialized.
|
||||
|
||||
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/timer.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/sound/core/timer.c b/sound/core/timer.c
|
||||
index 964f5ebf495e..e98fa5feb731 100644
|
||||
--- a/sound/core/timer.c
|
||||
+++ b/sound/core/timer.c
|
||||
@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
|
||||
tu->tstamp = *tstamp;
|
||||
if ((tu->filter & (1 << event)) == 0 || !tu->tread)
|
||||
return;
|
||||
+ memset(&r1, 0, sizeof(r1));
|
||||
r1.event = event;
|
||||
r1.tstamp = *tstamp;
|
||||
r1.val = resolution;
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
|
||||
From: Kangjie Lu <kangjielu@gmail.com>
|
||||
Date: Tue, 3 May 2016 16:44:32 -0400
|
||||
Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
|
||||
snd_timer_user_tinterrupt
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The stack object “r1” has a total size of 32 bytes. Its field
|
||||
“event” and “val” both contain 4 bytes padding. These 8 bytes
|
||||
padding bytes are sent to user without being initialized.
|
||||
|
||||
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/timer.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/sound/core/timer.c b/sound/core/timer.c
|
||||
index e98fa5feb731..c69a27155433 100644
|
||||
--- a/sound/core/timer.c
|
||||
+++ b/sound/core/timer.c
|
||||
@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
|
||||
}
|
||||
if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
|
||||
tu->last_resolution != resolution) {
|
||||
+ memset(&r1, 0, sizeof(r1));
|
||||
r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
|
||||
r1.tstamp = tstamp;
|
||||
r1.val = resolution;
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
From 785ef73dba6e9fefd2e5dd24546e0efa8698e5cd Mon Sep 17 00:00:00 2001
|
||||
From: James Patrick-Evans <james@jmp-e.com>
|
||||
Date: Fri, 15 Jul 2016 12:40:45 -0300
|
||||
Subject: [media] airspy: fix error logic during device register
|
||||
|
||||
This patch addresses CVE-2016-5400, a local DOS vulnerability caused by
|
||||
a memory leak in the airspy usb device driver.
|
||||
|
||||
The vulnerability is triggered when more than 64 usb devices register
|
||||
with v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.A badusb device can
|
||||
emulate 64 of these devices then through continual emulated
|
||||
connect/disconnect of the 65th device, cause the kernel to run out of
|
||||
RAM and crash the kernel.
|
||||
|
||||
The vulnerability exists in kernel versions from 3.17 to current 4.7.
|
||||
|
||||
The memory leak is caused by the probe function of the airspy driver
|
||||
mishandeling errors and not freeing the corresponding control structures
|
||||
when an error occours registering the device to v4l2 core.
|
||||
|
||||
Signed-off-by: James Patrick-Evans <james@jmp-e.com>
|
||||
Cc: stable@vger.kernel.org # Up to Kernel 3.17
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
||||
|
||||
diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
|
||||
index d807d58..19cd64c 100644
|
||||
--- a/drivers/media/usb/airspy/airspy.c
|
||||
+++ b/drivers/media/usb/airspy/airspy.c
|
||||
@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
|
||||
if (ret) {
|
||||
dev_err(s->dev, "Failed to register as video device (%d)\n",
|
||||
ret);
|
||||
- goto err_unregister_v4l2_dev;
|
||||
+ goto err_free_controls;
|
||||
}
|
||||
dev_info(s->dev, "Registered as %s\n",
|
||||
video_device_node_name(&s->vdev));
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
19
kernel.spec
19
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 5
|
||||
%define stable_update 6
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -606,11 +606,6 @@ Patch641: disable-CONFIG_EXPERT-for-ZONE_DMA.patch
|
|||
#CVE-2016-4482 rhbz 1332931 1332932
|
||||
Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
|
||||
|
||||
#CVE-2016-4569 rhbz 1334643 1334645
|
||||
Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
|
||||
Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
|
||||
Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
|
||||
|
||||
#CVE-2016-4440 rhbz 1337806 1337807
|
||||
Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
|
||||
|
||||
|
@ -642,12 +637,6 @@ Patch815: 0015-drm-i915-gen9-Calculate-watermarks-during-atomic-che.patch
|
|||
Patch816: 0016-drm-i915-gen9-Reject-display-updates-that-exceed-wm-.patch
|
||||
Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch
|
||||
|
||||
#CVE-2016-6156 rhbz 1353490 1353491
|
||||
Patch832: platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
|
||||
|
||||
#rhbz 1346753
|
||||
Patch834: qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch
|
||||
|
||||
#CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615
|
||||
Patch835: tcp-make-challenge-acks-less-predictable.patch
|
||||
Patch839: tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
|
||||
|
@ -656,9 +645,6 @@ Patch839: tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
|
|||
Patch836: drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch
|
||||
Patch837: drm-i915-Acquire-audio-powerwell-for-HD-Audio-regist.patch
|
||||
|
||||
#CVE-2016-5400 rhbz 1358184 1358186
|
||||
Patch840: airspy-fix-error-logic-during-device-register.patch
|
||||
|
||||
#CVE-2016-6136 rhbz 1353533 1353534
|
||||
Patch841: audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
|
||||
|
||||
|
@ -2191,6 +2177,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Aug 10 2016 Laura Abbott <labbott@fedoraproject.org> - 4.6.6-300
|
||||
- Linux v4.6.6
|
||||
|
||||
* Mon Aug 08 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Build CONFIG_POWERNV_CPUFREQ in on ppc64* (rhbz 1351346)
|
||||
|
||||
|
|
|
@ -1,52 +0,0 @@
|
|||
From 096cdc6f52225835ff503f987a0d68ef770bb78e Mon Sep 17 00:00:00 2001
|
||||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Tue, 21 Jun 2016 16:58:46 +0300
|
||||
Subject: [PATCH] platform/chrome: cros_ec_dev - double fetch bug in ioctl
|
||||
|
||||
We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure
|
||||
that those values have not changed between the two copy_from_user()
|
||||
calls. Otherwise it could lead to a buffer overflow.
|
||||
|
||||
Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value.
|
||||
We should use the new smaller value so we don't copy too much data to
|
||||
the user.
|
||||
|
||||
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
|
||||
Fixes: a841178445bb ('mfd: cros_ec: Use a zero-length array for command data')
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Reviewed-by: Kees Cook <keescook@chromium.org>
|
||||
Tested-by: Gwendal Grignou <gwendal@chromium.org>
|
||||
Cc: <stable@vger.kernel.org> # v4.2+
|
||||
Signed-off-by: Olof Johansson <olof@lixom.net>
|
||||
---
|
||||
drivers/platform/chrome/cros_ec_dev.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/platform/chrome/cros_ec_dev.c b/drivers/platform/chrome/cros_ec_dev.c
|
||||
index 6d8ee3b15872..8abd80dbcbed 100644
|
||||
--- a/drivers/platform/chrome/cros_ec_dev.c
|
||||
+++ b/drivers/platform/chrome/cros_ec_dev.c
|
||||
@@ -151,13 +151,19 @@ static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
|
||||
goto exit;
|
||||
}
|
||||
|
||||
+ if (u_cmd.outsize != s_cmd->outsize ||
|
||||
+ u_cmd.insize != s_cmd->insize) {
|
||||
+ ret = -EINVAL;
|
||||
+ goto exit;
|
||||
+ }
|
||||
+
|
||||
s_cmd->command += ec->cmd_offset;
|
||||
ret = cros_ec_cmd_xfer(ec->ec_dev, s_cmd);
|
||||
/* Only copy data to userland if data was received. */
|
||||
if (ret < 0)
|
||||
goto exit;
|
||||
|
||||
- if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + u_cmd.insize))
|
||||
+ if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + s_cmd->insize))
|
||||
ret = -EFAULT;
|
||||
exit:
|
||||
kfree(s_cmd);
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -1,98 +0,0 @@
|
|||
From 36d17a40c174c8b77386520ab2a430fea760dcc3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Bruno=20Pr=C3=83=C2=A9mont?= <bonbons@linux-vserver.org>
|
||||
Date: Thu, 30 Jun 2016 17:00:32 +0200
|
||||
Subject: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
|
||||
pointer dereference when rsp->msix is NULL:
|
||||
|
||||
[ 5.622457] NULL pointer dereference at 0000000000000050
|
||||
[ 5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
|
||||
[ 5.622457] PGD 0
|
||||
[ 5.622457] Oops: 0000 [#1] SMP
|
||||
[ 5.622457] Modules linked in:
|
||||
[ 5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1
|
||||
[ 5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011
|
||||
[ 5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000
|
||||
[ 5.622457] RIP: 0010:[<ffffffff8155e614>] [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
|
||||
[ 5.622457] RSP: 0000:ffff8801afb03de8 EFLAGS: 00010002
|
||||
[ 5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff
|
||||
[ 5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0
|
||||
[ 5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000
|
||||
[ 5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8
|
||||
[ 5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013
|
||||
[ 5.622457] FS: 0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000
|
||||
[ 5.622457] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
[ 5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0
|
||||
[ 5.622457] Stack:
|
||||
[ 5.622457] ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002
|
||||
[ 5.622457] ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002
|
||||
[ 5.622457] ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032
|
||||
[ 5.622457] Call Trace:
|
||||
[ 5.622457] <IRQ>
|
||||
[ 5.622457] [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80
|
||||
[ 5.622457] [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60
|
||||
[ 5.622457] [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240
|
||||
[ 5.622457] [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0
|
||||
[ 5.622457] [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200
|
||||
[ 5.622457] [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100
|
||||
[ 5.622457] [<ffffffff810c8a77>] handle_irq_event+0x27/0x50
|
||||
[ 5.622457] [<ffffffff810cb965>] handle_edge_irq+0x65/0x140
|
||||
[ 5.622457] [<ffffffff8101a498>] handle_irq+0x18/0x30
|
||||
[ 5.622457] [<ffffffff8101a276>] do_IRQ+0x46/0xd0
|
||||
[ 5.622457] [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f
|
||||
[ 5.622457] <EOI>
|
||||
[ 5.622457] [<ffffffff81020d38>] ? mwait_idle+0x68/0x80
|
||||
[ 5.622457] [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10
|
||||
[ 5.622457] [<ffffffff810c1b97>] default_idle_call+0x27/0x30
|
||||
[ 5.622457] [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230
|
||||
[ 5.622457] [<ffffffff810324c6>] start_secondary+0x136/0x140
|
||||
[ 5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00
|
||||
[ 5.622457] RIP [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
|
||||
[ 5.622457] RSP <ffff8801afb03de8>
|
||||
[ 5.622457] CR2: 0000000000000050
|
||||
[ 5.622457] ---[ end trace fa2b19c25106d42b ]---
|
||||
[ 5.622457] Kernel panic - not syncing: Fatal exception in interrupt
|
||||
|
||||
The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
|
||||
(qla2xxx: Add irq affinity notification).
|
||||
|
||||
Only dereference rsp->msix when it has been set so the machine can boot
|
||||
fine. Possibly rsp->msix is unset because:
|
||||
[ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
|
||||
[ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
|
||||
[ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
|
||||
[ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
|
||||
[ 3.890145] scsi host0: qla2xxx
|
||||
[ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
|
||||
[ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
|
||||
[ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).
|
||||
|
||||
Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
|
||||
Acked-by: Quinn Tran <quinn.tran@qlogic.com>
|
||||
CC: <stable@vger.kernel.org> # 4.5+
|
||||
Fixes: cdb898c52d1dfad4b4800b83a58b3fe5d352edde
|
||||
Signed-off-by: James Bottomley <jejb@linux.vnet.ibm.com>
|
||||
---
|
||||
drivers/scsi/qla2xxx/qla_isr.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
|
||||
index 5649c200d37c..a92a62dea793 100644
|
||||
--- a/drivers/scsi/qla2xxx/qla_isr.c
|
||||
+++ b/drivers/scsi/qla2xxx/qla_isr.c
|
||||
@@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
|
||||
if (!vha->flags.online)
|
||||
return;
|
||||
|
||||
- if (rsp->msix->cpuid != smp_processor_id()) {
|
||||
+ if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) {
|
||||
/* if kernel does not notify qla of IRQ's CPU change,
|
||||
* then set it here.
|
||||
*/
|
||||
--
|
||||
2.5.5
|
||||
|
Loading…
Reference in New Issue