Linux v4.7.9 fixes CVE-2016-5195

2016-10-20 08:51:12 -05:00 · 2016-10-20 08:51:12 -05:00 · 2ade70cc51
parent b6e2c59ab9
commit 2ade70cc51
14 changed files with 456 additions and 28 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}

 # Do we have a -stable update to apply?
-%define stable_update 8
+%define stable_update 9
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@ -2167,6 +2167,10 @@ fi
 #
 # 
 %changelog
+* Thu Oct 20 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.7.9-200
+- Linux v4.7.9
+- CVE-2016-5195 (rhbz 1384344 1387080)
+
 * Tue Oct 18 2016 Peter Robinson <pbrobinson@fedoraproject.org>
 - Build in AXP20X_I2C (should fix rhbz 1352140)

--- a/scripts/add-changelog.sh
+++ b/scripts/add-changelog.sh
@ -0,0 +1,12 @@
+#!/bin/sh
+# Emulate the changelog part of rpmdev-bumpspec without the bumping of the
+# rev. Because Laura keeps typoing her name and the date.
+
+CURDATE=`date +"%a %b %d %Y"`
+PACKAGER=`rpmdev-packager`
+CHANGELOG="%changelog\n* $CURDATE $PACKAGER\n- $1\n"
+
+awk -v CHANGE="$CHANGELOG" '/%changelog/ {print CHANGE} \
+			!/%changelog/ { print $0 }' \
+			< kernel.spec > kernel.spec.tmp
+mv kernel.spec.tmp kernel.spec
--- a/scripts/check-patchlist.sh
+++ b/scripts/check-patchlist.sh
@ -0,0 +1,113 @@
+#! /bin/sh
+# This script was created in a effort to make patch management a bit easier.
+# It list all the patches in the current tree and identifies if they are
+# present in the kernel.spec, PatchList.txt, both files or neither.
+#
+# eg. ./check-patchlist.sh [optional flag]
+
+function usage(){
+    echo "List all the patches currently in the tree. It also helps identify"
+    echo "if the patch is present in kernel.spec or PatchList.txt.          "
+    echo "-h, --help                                                        "
+    echo "-t, --tracked       patches in both kernel.spec and PatchList.txt "
+    echo "-p, --patchlist     patches added to PatchList.txt.               "
+    echo "-s, --specfile      patches added to kernel.spec.                 "
+    echo "-n, --not-tracked   patches in the tree but not  in PatchList.txt "
+    echo "                     or kernel.spec                               "
+}
+
+BASEDIR=$(dirname "$( cd $(dirname $BASH_SOURCE[0]) && pwd)")
+pushd $BASEDIR > /dev/null
+
+function list_all(){
+    echo "===========Legend==========================="
+    echo ".   In kernel.spec                          "
+    echo "*   In PatchList.txt                        "
+    echo "+   In PatchList.txt & Kernel.spec          "
+    echo "-   Neither in PatchList.txt nor kernel.spec"
+    echo "============================================"
+    for patch in $(ls *.patch); do
+	if [ ! -z "$(grep $patch PatchList.txt)" ] && [ ! -z "$(grep $patch kernel.spec)" ]
+	then
+	    echo "+ ${patch}" # Patches in kernel.spec and PatchList.txt
+
+	elif [ ! -z "$(grep $patch PatchList.txt)" ] && [ -z "$(grep $patch kernel.spec)" ]
+	then
+	     echo "* ${patch}" # Patches in PatchList.txt but not in kernel.spec
+
+	elif [ -z "$(grep $patch PatchList.txt)" ] && [ ! -z "$(grep $patch kernel.spec)" ]
+	then
+	    echo ". ${patch}" # Patches in kernel.spec but not in PatchList.txt
+
+	else
+	    echo "- ${patch}" # Neither in PatchList.txt nor kernel.spec
+
+	fi
+    done
+}
+
+function list_present_not_added(){
+    for patch in $(ls *.patch); do
+	if [ -z "$(grep $patch PatchList.txt)" ] && [ -z "$(grep $patch kernel.spec)" ]
+	then
+	    echo $patch
+	fi
+    done
+}
+
+function list_present_added(){
+    for patch in $(ls *.patch); do
+	if [ ! -z "$(grep $patch PatchList.txt)" ] && [ ! -z "$(grep $patch kernel.spec)" ]
+	then
+	    echo $patch
+	fi
+    done
+}
+
+function list_patchList(){
+    for patch in $(ls *.patch); do
+	if [ ! -z "$(grep $patch PatchList.txt)" ] && [ -z "$(grep $patch kernel.spec)" ]
+	then
+	    echo $patch
+	fi
+    done
+
+}
+function list_specfile(){
+    for patch in $(ls *.patch); do
+	if [ -z "$(grep $patch PatchList.txt)" ] && [ ! -z "$(grep $patch kernel.spec)" ]
+	then
+	    echo $patch
+	fi
+    done
+}
+
+if [ -z "$@" ]; then
+    list_all
+else
+
+    for opt in "$@"; do
+	case $opt in
+	    -t|--tracked)
+		list_present_added
+		;;
+	    -s|--specfile)
+		list_specfile
+		;;
+	    -h|--help)
+		usage
+		;;
+	    -n|--not-added)
+		list_present_not_added
+		;;
+	    -p|--patchlist)
+		list_patchList
+		;;
+	    *)
+		usage
+		;;
+	esac
+    done
+fi
+
+popd > /dev/null
--- a/scripts/fast-build.sh
+++ b/scripts/fast-build.sh
@ -0,0 +1,13 @@
+#! /bin/sh
+# Description:
+#     rpmbuild combo to build the given architecture without
+#     debugging information, perf or tools.
+#
+# Sample usage:
+#     ./fast-build.sh x86_64 kernel-4.7.0-0.rc1.git1.2.fc25.src.rpm
+
+if [ -z "$1" ] || [ -z "$2" ]; then
+    echo "usage: $0 [ arch ] [ kernel-x.x.x.fcxx.src.rpm ] "
+fi
+
+rpmbuild --target $1 --without debug --without debuginfo --without perf --without tools --rebuild $2
--- a/scripts/fixup-bumpspec.sh
+++ b/scripts/fixup-bumpspec.sh
@ -0,0 +1,10 @@
+#!/bin/sh
+# rpmdev-bumpspec 'helpfully' bumps the release which we don't always want.
+# This script fixes it up.
+
+RELEASE=`grep "%global baserelease" kernel.spec | cut -d ' ' -f 3`
+export RELEASE=$(($RELEASE-1))
+perl -p -i -e 's|%global baserelease.*|%global baserelease $ENV{'RELEASE'}|' kernel.spec
+TODAY=`date +"%a %b %d %Y"`
+awk -v DATE="$TODAY" 'START { marked = 0; } $0 ~ DATE { if (marked == 1) { print $0 } else {out=$1; for(i = 2; i <= NF - 2; i++) { out=out" "$i } print out; marked = 1;  } } $0 !~ DATE { print $0; }' < kernel.spec > kernel.spec.tmp
+mv kernel.spec.tmp kernel.spec
--- a/scripts/generate-git-snapshot.sh
+++ b/scripts/generate-git-snapshot.sh
@ -1,14 +1,26 @@
 #!/bin/sh
+# This script allows for the generation of a git snapshot between the upstream
+# git tree and the current tree.
 #
-# Set LINUX_GIT to point to an upstream Linux git tree in your .bashrc or wherever.
+# Prerequisites:
+#     Set LINUX_GIT to point to an upstream Linux git tree in your .bashrc
+#     or wherever.

-[ ! -d "$LINUX_GIT" ] && echo "error: set \$LINUX_GIT to point at upstream git tree" && exit 1
+# Look to see if LINUX_GIT is set in local .bashrc
+if [ -f ~/.bashrc  ]; then
+    source ~/.bashrc
+fi
+
+if [ ! -d "$LINUX_GIT" ]; then
+    echo "error: set \$LINUX_GIT to point at upstream git tree"
+    exit 1
+fi

 VER=$(grep patch sources | head -n1 | awk '{ print $2 }' | sed s/patch-// | sed s/-git.*// | sed s/.xz//)

 if [ -z "$VER" ] ;
 then
-	VER=$(grep linux sources | head -1 | awk '{ print $2 }' | sed s/linux-// | sed s/.tar.xz//)
+    VER=$(grep linux sources | head -1 | awk '{ print $2 }' | sed s/linux-// | sed s/.tar.xz//)
 fi

 OLDGIT=$(grep gitrev kernel.spec | head -n1 | sed s/%define\ gitrev\ //)
--- a/scripts/generate-perf-man.sh
+++ b/scripts/generate-perf-man.sh
@ -0,0 +1,54 @@
+#!/bin/sh
+# Small script to generate the perf-man tarball. The script relies on having
+# LINUX_GIT set in your local .bashrc. By default the script will use the
+# the kernel version of the upstream tree set in LINUX_GIT. Use --version=x.y
+# to set a specific version.
+
+# [Default] eg. ./scritps/generate-perf-man
+# eg. ./scripts/generate-perf-man --version=4.8
+function usage(){
+    echo
+    echo "Helps generate the perf-man tarball                              "
+    echo "-h, --help                                                       "
+    echo
+    echo "./generate-perf-man.sh   #Generates using upstream kernel version"
+    echo
+    echo "./generate-perf-man.sh --version=x.y  #Generate using x.y version"
+}
+
+if [ -f ~/.bashrc ]; then
+    source ~/.bashrc
+fi
+
+if [ ! -d "$LINUX_GIT" ]; then
+    echo "Error: \$LINUX_GIT is not set to the upstream git tree."
+    exit 1
+fi
+
+BASEDIR=$(dirname "$(cd $(dirname $BASH_SOURCE[0]) && pwd)")
+pushd "$LINUX_GIT" > /dev/null
+KERNEL_VERSION=$( awk '/^VERSION =/ {print $3}' Makefile )
+KERNEL_PATCHLEVEL=$( awk '/^PATCHLEVEL =/ {print $3}' Makefile )
+
+if [ ! -z "$@" ]; then
+    for opt in "$@"; do
+	case $opt in
+	    --version=*.*)
+		version="${opt#*=}"
+		KERNEL_VERSION=$( awk -F. '{print $1}' <<< $version )
+		KERNEL_PATCHLEVEL=$( awk -F. '{print $2}' <<< $version )
+		;;
+	    -h | --help)
+		usage
+		exit 0
+		;;
+	    *)
+		;;
+	esac
+    done
+fi
+cd tools/perf/Documentation/
+make
+tar -czvf $BASEDIR/perf-man-${KERNEL_VERSION}.${KERNEL_PATCHLEVEL}.tar.gz *.1
+make clean
+popd
--- a/scripts/grab-logs.sh
+++ b/scripts/grab-logs.sh
@ -1,16 +1,35 @@
 #!/bin/sh
+# Script helps download the build logs for the current tree.
+# The downloaded logs will be saved in a logs/ within the
+# tree.
+
+BASEDIR="$(dirname "$(cd $(dirname $BASH_SOURCE[0]) && pwd)")"
+pushd $BASEDIR > /dev/null

 VER=$(fedpkg verrel)
 ver=$(echo $VER | sed -e 's/-/ /g' | awk '{print $2}')
 rev=$(echo $VER | sed -e 's/-/ /g' | awk '{print $3}')

-if [ -d logs ]; then
-  DIR=logs/
+# keep logs in one place. If logs directory does not exist, make it.
+if [ -d "$BASEDIR/logs" ]; then
+  DIR="$BASEDIR/logs"
 else
-  DIR=./
+  mkdir "$BASEDIR/logs"
+  DIR="$BASEDIR/logs"
 fi

-wget -O $DIR/build-$VER-i686.log http://kojipkgs.fedoraproject.org/packages/kernel/$ver/$rev/data/logs/i686/build.log
-wget -O $DIR/build-$VER-x86-64.log http://kojipkgs.fedoraproject.org/packages/kernel/$ver/$rev/data/logs/x86_64/build.log
-wget -O $DIR/build-$VER-noarch.log http://kojipkgs.fedoraproject.org/packages/kernel/$ver/$rev/data/logs/noarch/build.log
+# Common architectures that have build logs.
+ARCHS[0]=i686
+ARCHS[1]=x86_64
+ARCHS[2]=noarch
+ARCHS[3]=armv7hl

+for arch in ${ARCHS[@]}; do
+    URL=http://kojipkgs.fedoraproject.org/packages/kernel/$ver/$rev/data/logs/$arch/build.log
+    # Only download logs if exist
+    wget --spider -q $URL
+    if [ $? -eq 0 ]; then
+	wget -O $DIR/build-$VER-$arch.log $URL
+    fi
+done
+popd > /dev/null
--- a/scripts/kernel-version.sh
+++ b/scripts/kernel-version.sh
@ -0,0 +1,8 @@
+VER=$(grep patch sources | head -n1 | awk '{ print $2 }' | sed s/patch-// | sed s/-git.*// | sed s/.xz//)
+
+if [ -z "$VER" ] ;
+then
+    VER=$(grep linux sources | head -1 | awk '{ print $2 }' | sed s/linux-// | sed s/.tar.xz//)
+fi
+
+
--- a/scripts/newpatch.sh
+++ b/scripts/newpatch.sh
@ -1,21 +1,42 @@
 #!/bin/sh
-# Easy application of new patches.
-# Always adds to the very end. (Bumps last patch nr by 100)
-# Parameters:
-# $1 - patch filename 
-# $2 - description

-OLD=$(grep ^Patch kernel.spec  | tail -n1 | awk '{ print $1 }' | sed s/Patch// | sed s/://)
-NEW=$(($OLD/100*100+100))
+# Facilitates the addition of a new patch to the source tree.
+# -- Moves patch to tree
+# -- Adds  patch to kernel.spec list of patches
+# -- Adds patch to git
+# -- change buildid macro to the name of the patch being added

-sed -i "/^Patch$OLD:\ /a#\ $2\nPatch$NEW:\ $1" kernel.spec
-
-LAST=$(grep ^ApplyPatch kernel.spec | tail -n1 | awk '{ print $2 }')
-
-sed -i "/^ApplyPatch $LAST/aApplyPatch $1" kernel.spec
-
-cvs add $1
-
-scripts/bumpspecfile.py kernel.spec "- $2"
-make clog
+# Base directory is relative to where the script is.
+BASEDIR="$(dirname "$(cd $(dirname $BASH_SOURCE[0]) && pwd)")"
+pushd $BASEDIR > /dev/null
+# Check for at least patch
+if [ "$#" -lt 1 ]; then
+    echo "usage: $0 [ /path/to/patch/ ] [ description ]"
+    exit 1
+fi
+PATCHDIR=$1
+DESC=$2
+PATCH="$(basename "$PATCHDIR")"
+# Kernel.spec file in the current tree
+SPECFILE="$BASEDIR/kernel.spec"
+# If adding patch from outside the source tree move it to the source tree
+if [ -z "$(ls | grep $PATCH)" ]; then
+    cp $PATCHDIR $BASEDIR/
+fi

+if [ ! -z "$(grep $PATCH $SPECFILE)" ]
+then
+    echo "$PATCH already in kernel.spec"
+    exit 1
+fi
+# ID number of the last patch in kernel.spec
+LPATCH_ID=$(grep ^Patch $SPECFILE | tail -n1 | awk '{ print $1 }' | sed s/Patch// | sed s/://)
+# ID of the next patch to be added to kernel.spec
+NPATCH_ID=$(($LPATCH_ID + 1 ))
+# Add patch with new id at the end of the list of patches
+sed -i "/^Patch$LPATCH_ID:\ /a#\ $DESC\nPatch$NPATCH_ID:\ $PATCH" $SPECFILE
+# Add it to git
+git add $PATCH
+BUILDID_PATCH="$(echo $PATCH | sed 's/\-/\_/g' )"
+sed -i "s/^.*define buildid .*$/%define buildid .$BUILDID_PATCH/" $SPECFILE
+popd > /dev/null
--- a/scripts/rawhide-rc.sh
+++ b/scripts/rawhide-rc.sh
@ -0,0 +1,36 @@
+#!/bin/sh
+# Generate a commit for a rawhide RC release
+
+source scripts/kernel-version.sh
+
+make release
+# fixup the release because rpmdev-bumpspec *sigh*
+scripts/fixup-bumpspec.sh
+fedpkg commit -c
+
+# Figure out what is our RC
+RC=`grep "%define rcrev" kernel.spec| cut -d ' ' -f 3`
+RC=$(($RC+1))
+BASE=`grep "%define base_sublevel" kernel.spec| cut -d ' ' -f 3`
+
+# Kill all patches
+awk '!/patch/ { print $0 }' < sources > sources.tmp
+mv sources.tmp sources
+
+# Grab the tarball
+if [ ! -f patch-4.$BASE-rc$RC.xz ]; then
+	wget https://cdn.kernel.org/pub/linux/kernel/v4.x/testing/patch-4.$BASE-rc$RC.xz
+	if [ ! $? -eq 0 ]; then
+		exit 1
+	fi
+	fedpkg upload patch-4.$BASE-rc$RC.xz
+fi
+
+# bump rcrev in the spec and set git snapshot to 0
+RC=$RC perl -p -i -e 's|%define rcrev.*|%global rcrev $ENV{'RC'}|' kernel.spec
+
+perl -p -i -e 's|%define gitrev.*|%define gitrev 0|' kernel.spec
+
+perl -p -i -e 's|%global baserelease.*|%global baserelease 0|' kernel.spec
+
+rpmdev-bumpspec -c "Linux v4.$BASE-rc$RC" kernel.spec
--- a/scripts/rawhide-snapshot.sh
+++ b/scripts/rawhide-snapshot.sh
@ -0,0 +1,59 @@
+#!/bin/sh
+# A coffeeproof rawhide script. You should be able to run this before the
+# coffee has kicked in and generate a good rawhide commit.
+#
+# - Updates the local Fedora tree to master and verifies that you are working
+#   off of the correct master
+# - Updates the upstream tree to the latest master.
+# - Generates a git snapshot via generate-git-snapshot.sh
+# - Clears out old git snapshots from the sources
+# - Uploads the new snapshot
+
+source scripts/kernel-version.sh
+
+git fetch origin
+if [ "$(git rev-parse origin/master)" != "$(git rev-parse HEAD)" ]; then
+	echo "I just did a git fetch and this branch does not match master"
+	echo "Re-check out this branch to work off of the latest master"
+	exit 1
+fi
+
+if [ ! -d "$LINUX_GIT" ]; then
+	echo "error: set \$LINUX_GIT to point at an upstream git tree"
+	exit 1
+fi
+
+git -C $LINUX_GIT pull
+if [ ! $? -eq 0 ]; then
+	echo "Git pull failed. Is your tree clean/correct?"
+	exit 1
+fi
+
+git -C $LINUX_GIT describe --tags HEAD | grep -q "\-g"
+if [ ! $? -eq 0 ]; then
+	echo "Trying to snapshot off of a tagged git."
+	echo "I don't think this is what you want"
+	exit 1
+fi
+
+if [ "$(git -C $LINUX_GIT rev-parse origin/master)" == `cat gitrev` ]; then
+	echo "Last snapshot commit matches current master. Nothing to do"
+	echo "\o/"
+	exit 0
+fi
+
+GIT=`grep "%define gitrev" kernel.spec | cut -d ' ' -f 3`
+if [ "$GIT" -eq 0 ]; then
+	make debug
+	./scripts/fixup-bumpspec.sh
+	fedpkg commit -c
+fi
+
+./scripts/generate-git-snapshot.sh
+
+#Nuke the old patch from the source
+awk '!/git/ { print $0 }' < sources > sources.tmp
+mv sources.tmp sources
+
+GIT=`grep "%define gitrev" kernel.spec | cut -d ' ' -f 3`
+fedpkg upload patch-$VER-git$GIT.xz
--- a/scripts/stable-update.sh
+++ b/scripts/stable-update.sh
@ -0,0 +1,67 @@
+#!/bin/sh
+#
+# Author: Laura Abbott <labbott@fedoraproject.org>
+#
+# Apply a stable patch update to the Fedora tree. This takes care of
+# - Downloading the patch from kernel.org
+# - Uploading the source file
+# - Removing old patch files
+# - Updating the spec file stable version
+# - Adding a proper changelog entry
+#
+# Based on steps from https://fedoraproject.org/wiki/Kernel/DayToDay#Stable_kernel_update
+#
+# Args: Stable version to update (e.g. 4.7.7, 4.8.1)
+
+if [ $# -lt 1 ]; then
+	echo "Need a version"
+	exit 1
+fi
+
+VERSION=`echo $1 | cut -d . -f 1`
+if [ -z $VERSION ]; then
+	echo "Malformed version $1"
+	exit 1
+fi
+PATCHLEVEL=`echo $1 | cut -d . -f 2`
+if [ -z $VERSION ]; then
+	echo "Malformed version $1"
+	exit 1
+fi
+SUBLEVEL=`echo $1 | cut -d . -f 3`
+if [ -z $VERSION ]; then
+	echo "Malformed version $1"
+	exit 1
+fi
+
+if [ ! -f patch-$1.xz ]; then
+	wget https://cdn.kernel.org/pub/linux/kernel/v4.x/patch-$1.xz
+	if [ ! $? -eq 0 ]; then
+		echo "Download fail"
+		exit 1
+	fi
+fi
+
+grep $1 sources &> /dev/null
+if [ ! $? -eq 0 ]; then
+	fedpkg upload patch-$1.xz
+
+	# Cryptic awk: search for the previous patch level (if one exists) and
+	# remove it from the source file
+	awk -v VER=$VERSION.$PATCHLEVEL.$((SUBLEVEL-1)) '$0 !~ VER { print $0; }' < sources > sources.tmp
+	mv sources.tmp sources
+fi
+
+# Update the stable level
+awk -v STABLE=$SUBLEVEL '/%define stable_update/ \
+			{ print "%define stable_update " STABLE } \
+			!/%define stable_update/ { print $0 }' \
+			< kernel.spec > kernel.spec.tmp
+mv kernel.spec.tmp kernel.spec
+
+# Reset the base release for use with rpmdev-bumpspec
+BASERELEASE=`cat kernel.spec | grep "%global baserelease" | cut -d ' ' -f 3 | head -c 1`00
+BASERELEASE=$(($BASERELEASE-1))
+BASERELEASE=$BASERELEASE perl -p -i -e 's|%global baserelease.*|%global baserelease $ENV{'BASERELEASE'}|' kernel.spec
+
+rpmdev-bumpspec -c "Linux v$1" kernel.spec
--- a/2
+++ b/2
@ -1,3 +1,3 @@
 5276563eb1f39a048e4a8a887408c031  linux-4.7.tar.xz
 fe259c02c75eec61d1aa4b1211f3c853  perf-man-4.7.tar.gz
-106560e20e26ef3225dac71539fe3531  patch-4.7.8.xz
+28f6b3a4bf77710cbffbee17afcf7ae2  patch-4.7.9.xz