Linux v3.11-9411-gc2d9572

Josh Boyer 2013-09-11 21:05:23 -04:00
parent 5f27adc0d3
commit 356f0cab41
6 changed files with 59 additions and 134 deletions


@ -329,6 +329,7 @@ CONFIG_BLK_DEV_BSG=y
CONFIG_BLK_DEV_BSGLIB=y
CONFIG_BLK_DEV_INTEGRITY=y
CONFIG_BLK_DEV_THROTTLING=y
# CONFIG_CMDLINE_PARSER is not set
#
@ -1333,7 +1334,7 @@ CONFIG_IXGBE_DCA=y
CONFIG_IXGBE_DCB=y
CONFIG_IXGBE_HWMON=y
CONFIG_IXGBE_PTP=y
CONFIG_I40E=m
# CONFIG_NET_VENDOR_I825XX is not set
CONFIG_NET_VENDOR_MARVELL=y
@ -2611,6 +2612,7 @@ CONFIG_RTC_DRV_PCF50633=m
CONFIG_RTC_DRV_DS3232=m
CONFIG_RTC_DRV_ISL12022=m
# CONFIG_RTC_DRV_HID_SENSOR_TIME is not set
# CONFIG_RTC_DRV_MOXART is not set
CONFIG_R3964=m
# CONFIG_APPLICOM is not set
@ -3831,6 +3833,7 @@ CONFIG_ECRYPT_FS=m
# CONFIG_ECRYPT_FS_MESSAGING is not set
CONFIG_HFS_FS=m
CONFIG_HFSPLUS_FS=m
# CONFIG_HFSPLUS_FS_POSIX_ACL is not set
CONFIG_BEFS_FS=m
# CONFIG_BEFS_DEBUG is not set
# CONFIG_BFS_FS is not set
@ -3969,6 +3972,7 @@ CONFIG_SUN_PARTITION=y
# CONFIG_SYSV68_PARTITION is not set
CONFIG_UNIXWARE_DISKLABEL=y
# CONFIG_ULTRIX_PARTITION is not set
# CONFIG_CMDLINE_PARTITION is not set
CONFIG_NLS=y
@ -4577,6 +4581,7 @@ CONFIG_MEMSTICK=m
# CONFIG_MEMSTICK_DEBUG is not set
# CONFIG_MEMSTICK_UNSAFE_RESUME is not set
CONFIG_MSPRO_BLOCK=m
# CONFIG_MS_BLOCK is not set
CONFIG_MEMSTICK_TIFM_MS=m
CONFIG_MEMSTICK_JMICRON_38X=m
CONFIG_MEMSTICK_R592=m


@ -1,76 +0,0 @@
Allow threads other than the main thread to do introspection of files in
proc without relying on read permissions. proc_pid_follow_link() calls
proc_fd_access_allowed() which ultimately calls __ptrace_may_access().
Though this allows additional access to some proc files, we do not
believe that this has any unintended security implications. However it
probably needs to be looked at carefully.
The original problem was a thread of a process whose permissions were
111 couldn't open its own /proc/self/exe This was interfering with a
special purpose debugging tool. A simple reproducer is below.:
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#define BUFSIZE 2048
void *thread_main(void *arg){
char *str=(char*)arg;
char buf[BUFSIZE];
ssize_t len=readlink("/proc/self/exe", buf, BUFSIZE);
if(len==-1)
printf("/proc/self/exe in %s: %s\n", str,sys_errlist[errno]);
else
printf("/proc/self/exe in %s: OK\n", str);
return 0;
}
int main(){
pthread_t thread;
int retval=pthread_create( &thread, NULL, thread_main, "thread");
if(retval!=0)
exit(1);
thread_main("main");
pthread_join(thread, NULL);
exit(0);
}
Signed-off-by: Ben Woodard <woodard@redhat.com>
Signed-off-by: Mark Grondona <mgrondona@llnl.gov>
---
kernel/ptrace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index acbd284..347c4c7 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
diff -ruNp linux-3.8.4-103.fc17.noarch/kernel/ptrace.c linux-3.8.4-103.fc17.ptrace/kernel/ptrace.c
--- linux-3.8.4-103.fc17.noarch/kernel/ptrace.c 2013-02-18 17:58:34.000000000 -0600
+++ linux-3.8.4-103.fc17.ptrace/kernel/ptrace.c 2013-03-26 14:59:01.939396346 -0500
@@ -234,7 +234,7 @@ static int __ptrace_may_access(struct ta
*/
int dumpable = 0;
/* Don't let security modules deny introspection */
- if (task == current)
+ if (same_thread_group(task, current))
return 0;
rcu_read_lock();
tcred = __task_cred(task);
--
1.8.1.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 0
# The git snapshot level
%define gitrev 20
%define gitrev 21
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@ -749,9 +749,6 @@ Patch22000: weird-root-dentry-name-debug.patch
#selinux ptrace child permissions
Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
#rhbz 927469
Patch23006: fix-child-thread-introspection.patch
#CVE-2013-2147 rhbz 971242 971249
Patch25032: cve-2013-2147-ciss-info-leak.patch
@ -1476,9 +1473,6 @@ ApplyPatch criu-no-expert.patch
#rhbz 892811
ApplyPatch ath9k_rx_dma_stop_check.patch
#rhbz 927469
ApplyPatch fix-child-thread-introspection.patch
#CVE-2013-2147 rhbz 971242 971249
ApplyPatch cve-2013-2147-ciss-info-leak.patch
@ -2295,6 +2289,9 @@ fi
# ||----w |
# || ||
%changelog
* Thu Sep 12 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.12.0-0.rc0.git21.1
- Linux v3.11-9411-gc2d9572
* Wed Sep 11 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.12.0-0.rc0.git20.1
- Linux v3.11-9031-ga22a0fd
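Review bot: The removal of `Patch23006: fix-child-thread-introspection.patch` and its `ApplyPatch` line (second and third hunks, rhbz 927469) is not reflected in the new changelog entry, which only records the snapshot version. That patch widened the `__ptrace_may_access` self-check from `task == current` to `same_thread_group(task, current)`, so the spec should state whether the new snapshot carries that fix upstream or whether the behaviour is being dropped on purpose; otherwise rhbz 927469 regresses silently if the assumption is wrong. Add a changelog line such as `- Drop fix-child-thread-introspection.patch (rhbz 927469), fix is in the upstream snapshot` (adjusted to whichever is actually the case). The same applies to the `#rhbz 927469` comment lines removed alongside it.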


@ -1,7 +1,7 @@
From abaac4978b6719e7ae12babb6be5e35184b61cde Mon Sep 17 00:00:00 2001
From 7712dc43315febf4bce07a4c549787cf5c60a428 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:07:13 +0100
Subject: [PATCH 01/14] KEYS: Load *.x509 files into kernel keyring
Subject: [PATCH 01/13] KEYS: Load *.x509 files into kernel keyring
Load all the files matching the pattern "*.x509" that are to be found in kernel
base source dir and base build dir into the module signing keyring.
@ -15,10 +15,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
2 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/kernel/Makefile b/kernel/Makefile
index 470839d..4a2ee4e 100644
index 35ef118..ab231ac 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -141,17 +141,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
@@ -142,17 +142,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
$(call if_changed,bc)
ifeq ($(CONFIG_MODULE_SIG),y)
@ -81,11 +81,10 @@ index 4a9a86d..6fe03c7 100644
1.8.3.1
From 2d6ac2896c3b4b48be96b7dbdfda1668609e35aa Mon Sep 17 00:00:00 2001
From d1bf7ed78a52477636cdcb5a1bff5b19352472f5 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:07:30 +0100
Subject: [PATCH 03/14] KEYS: Separate the kernel signature checking keyring
Subject: [PATCH 02/13] KEYS: Separate the kernel signature checking keyring
from module signing
Separate the kernel signature checking keyring from module signing so that it
@ -139,10 +138,10 @@ index 0000000..8dabc39
+
+#endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/init/Kconfig b/init/Kconfig
index 247084b..6abf0e0 100644
index 18bd9e3..cf14d07 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1664,6 +1664,18 @@ config BASE_SMALL
@@ -1668,6 +1668,18 @@ config BASE_SMALL
default 0 if BASE_FULL
default 1 if !BASE_FULL
@ -160,8 +159,8 @@ index 247084b..6abf0e0 100644
+
menuconfig MODULES
bool "Enable loadable module support"
help
@@ -1736,6 +1748,7 @@ config MODULE_SRCVERSION_ALL
option modules
@@ -1741,6 +1753,7 @@ config MODULE_SRCVERSION_ALL
config MODULE_SIG
bool "Module signature verification"
depends on MODULES
@ -170,10 +169,10 @@ index 247084b..6abf0e0 100644
select CRYPTO
select ASYMMETRIC_KEY_TYPE
diff --git a/kernel/Makefile b/kernel/Makefile
index 7bd1565..68f7182 100644
index ab231ac..1262c6d 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -52,8 +52,9 @@ obj-$(CONFIG_SMP) += spinlock.o
@@ -53,8 +53,9 @@ obj-$(CONFIG_SMP) += spinlock.o
obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o
obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
obj-$(CONFIG_UID16) += uid16.o
@ -184,7 +183,7 @@ index 7bd1565..68f7182 100644
obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
obj-$(CONFIG_KEXEC) += kexec.o
@@ -140,13 +141,14 @@ targets += timeconst.h
@@ -141,13 +142,14 @@ targets += timeconst.h
$(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
$(call if_changed,bc)
@ -201,8 +200,8 @@ index 7bd1565..68f7182 100644
+ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
X509_CERTIFICATES := $(sort $(realpath $(X509_CERTIFICATES-y)))
@@ -162,10 +164,11 @@ $(shell rm $(obj)/.x509.list)
X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
@@ -163,10 +165,11 @@ $(shell rm $(obj)/.x509.list)
endif
endif
@ -216,7 +215,7 @@ index 7bd1565..68f7182 100644
targets += $(obj)/x509_certificate_list
$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
$(call if_changed,x509certs)
@@ -175,7 +178,9 @@ $(obj)/.x509.list:
@@ -176,7 +179,9 @@ $(obj)/.x509.list:
@echo $(X509_CERTIFICATES) >$@
clean-files := x509_certificate_list .x509.list
@ -245,7 +244,7 @@ index 6fe03c7..0000000
-GLOBAL(modsign_certificate_list_end)
diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
deleted file mode 100644
index 2b6e699..0000000
index 7cbd450..0000000
--- a/kernel/modsign_pubkey.c
+++ /dev/null
@@ -1,104 +0,0 @@
@ -269,14 +268,14 @@ index 2b6e699..0000000
-
-struct key *modsign_keyring;
-
-extern __initdata const u8 modsign_certificate_list[];
-extern __initdata const u8 modsign_certificate_list_end[];
-extern __initconst const u8 modsign_certificate_list[];
-extern __initconst const u8 modsign_certificate_list_end[];
-
-/*
- * We need to make sure ccache doesn't cache the .o file as it doesn't notice
- * if modsign.pub changes.
- */
-static __initdata const char annoy_ccache[] = __TIME__ "foo";
-static __initconst const char annoy_ccache[] = __TIME__ "foo";
-
-/*
- * Load the compiled-in keys
@ -404,7 +403,7 @@ index 0000000..5cffe86
+GLOBAL(system_certificate_list_end)
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
new file mode 100644
index 0000000..cd5cd3f
index 0000000..51c3514
--- /dev/null
+++ b/kernel/system_keyring.c
@@ -0,0 +1,103 @@
@ -431,8 +430,8 @@ index 0000000..cd5cd3f
+struct key *system_trusted_keyring;
+EXPORT_SYMBOL_GPL(system_trusted_keyring);
+
+extern __initdata const u8 system_certificate_list[];
+extern __initdata const u8 system_certificate_list_end[];
+extern __initconst const u8 system_certificate_list[];
+extern __initconst const u8 system_certificate_list_end[];
+
+/*
+ * Load the compiled-in keys
@ -515,10 +514,10 @@ index 0000000..cd5cd3f
1.8.3.1
From 6f90d07a776d7babf30a3322dafd66c8c25db681 Mon Sep 17 00:00:00 2001
From 209cfd7eda86173415d394a9ff868345197d7b3d Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:07:37 +0100
Subject: [PATCH 04/14] KEYS: Add a 'trusted' flag and a 'trusted only' flag
Subject: [PATCH 03/13] KEYS: Add a 'trusted' flag and a 'trusted only' flag
Add KEY_FLAG_TRUSTED to indicate that a key either comes from a trusted source
or had a cryptographic signature chain that led back to a trusted key the
@ -571,7 +570,7 @@ index 010dbb6..80d6774 100644
extern void key_revoke(struct key *key);
extern void key_invalidate(struct key *key);
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
index cd5cd3f..4ca7072 100644
index 51c3514..5296721 100644
--- a/kernel/system_keyring.c
+++ b/kernel/system_keyring.c
@@ -40,6 +40,7 @@ static __init int system_trusted_keyring_init(void)
@ -644,10 +643,10 @@ index f7cdea2..9b6f6e0 100644
1.8.3.1
From 559cc3ad765e1b443bc89965be9ef9ff3caabdcc Mon Sep 17 00:00:00 2001
From 6549cbca91abf561df8f501c763a8e7822936294 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:15:10 +0100
Subject: [PATCH 05/14] KEYS: Rename public key parameter name arrays
Subject: [PATCH 04/13] KEYS: Rename public key parameter name arrays
Rename the arrays of public key parameters (public key algorithm names, hash
algorithm names and ID type names) so that the array name ends in "_name".
@ -799,10 +798,10 @@ index 0034e36..0b6b870 100644
1.8.3.1
From a0aab2065bbdd0bc56ae6d7767e1df7c58b8997f Mon Sep 17 00:00:00 2001
From b2c8f8924f17c25209d8fe55f74b9d5830ad191c Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:15:18 +0100
Subject: [PATCH 06/14] KEYS: Move the algorithm pointer array from x509 to
Subject: [PATCH 05/13] KEYS: Move the algorithm pointer array from x509 to
public_key.c
Move the public-key algorithm pointer array from x509_public_key.c to
@ -881,10 +880,10 @@ index 619d570..46bde25 100644
1.8.3.1
From 7009b65ddc1d8bf62dc017795265b9cf331a4d70 Mon Sep 17 00:00:00 2001
From 760486c4376aab8cd8ce9c7d2ad67a19d713b119 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:15:24 +0100
Subject: [PATCH 07/14] KEYS: Store public key algo ID in public_key struct
Subject: [PATCH 06/13] KEYS: Store public key algo ID in public_key struct
Store public key algo ID in public_key struct for reference purposes. This
allows it to be removed from the x509_certificate struct and used to find a
@ -966,10 +965,10 @@ index 46bde25..05778df 100644
1.8.3.1
From cad6ff6b429f31611ccb231cfe6adcb69d891352 Mon Sep 17 00:00:00 2001
From 37688af0338d8c521ffefce187b03a5fbaefa423 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:15:30 +0100
Subject: [PATCH 08/14] KEYS: Split public_key_verify_signature() and make
Subject: [PATCH 07/13] KEYS: Split public_key_verify_signature() and make
available
Modify public_key_verify_signature() so that it now takes a public_key struct
@ -1082,10 +1081,10 @@ index fac574c..8cb2f70 100644
1.8.3.1
From 87854340605a64fcc54109ea415d9e54c45e8533 Mon Sep 17 00:00:00 2001
From 49763042e968f7342711ecf28e9465f6d77c0ddd Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:15:37 +0100
Subject: [PATCH 09/14] KEYS: Store public key algo ID in public_key_signature
Subject: [PATCH 08/13] KEYS: Store public key algo ID in public_key_signature
struct
Store public key algorithm ID in public_key_signature struct for reference
@ -1115,10 +1114,10 @@ index 05778df..b34fda4 100644
1.8.3.1
From ae4684a05d87123de310b69c616922dc993694ca Mon Sep 17 00:00:00 2001
From d759ad5c13364bc7dcd6dd66d1a63f29f3432f72 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:16:34 +0100
Subject: [PATCH 10/14] X.509: struct x509_certificate needs struct tm
Subject: [PATCH 09/13] X.509: struct x509_certificate needs struct tm
declaring
struct x509_certificate needs struct tm declaring by #inclusion of linux/time.h
@ -1147,10 +1146,10 @@ index e583ad0..2d01182 100644
1.8.3.1
From dacde6f44ebe5a5c89bd1a25b35b1b63c139b375 Mon Sep 17 00:00:00 2001
From 779ecd05627f895cfd6970dcfbd3ed35092f7510 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:18:02 +0100
Subject: [PATCH 11/14] X.509: Embed public_key_signature struct and create
Subject: [PATCH 10/13] X.509: Embed public_key_signature struct and create
filler function
Embed a public_key_signature struct in struct x509_certificate, eliminating
@ -1410,10 +1409,10 @@ index 8cb2f70..b7c81d8 100644
1.8.3.1
From 650fdcb141f65f3a03dc7eba1179c823fd1a3a54 Mon Sep 17 00:00:00 2001
From 81dc804bab8ac3703f237e74464054fae71c429e Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:18:15 +0100
Subject: [PATCH 12/14] X.509: Check the algorithm IDs obtained from parsing an
Subject: [PATCH 11/13] X.509: Check the algorithm IDs obtained from parsing an
X.509 certificate
Check that the algorithm IDs obtained from the ASN.1 parse by OID lookup
@ -1451,10 +1450,10 @@ index b7c81d8..eb368d4 100644
1.8.3.1
From 8671bdd55802c4b93b9205b6ecd02c7e351ac5c5 Mon Sep 17 00:00:00 2001
From 9d3c831f1409174fcda6a21ede05f3a3155b1671 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 30 Aug 2013 16:18:31 +0100
Subject: [PATCH 13/14] X.509: Handle certificates that lack an
Subject: [PATCH 12/13] X.509: Handle certificates that lack an
authorityKeyIdentifier field
Handle certificates that lack an authorityKeyIdentifier field by assuming
@ -1498,10 +1497,10 @@ index eb368d4..0f55e3b 100644
1.8.3.1
From e2d665556f4b60ce76e880a62f98c81622271e71 Mon Sep 17 00:00:00 2001
From 1a62a422d6b6e084ba88062d1d1f33e6a92dc35c Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 18 Jun 2013 17:40:44 +0100
Subject: [PATCH 14/14] X.509: Remove certificate date checks
Subject: [PATCH 13/13] X.509: Remove certificate date checks
Remove the certificate date checks that are performed when a certificate is
parsed. There are two checks: a valid from and a valid to. The first check is
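Review bot: The series is renumbered from 14 to 13 patches (the Subject lines change from 01/14 to 01/13 and from 03/14 to 02/13, and so on through 14/14 to 13/13), so former patch 02/14 is gone between the first and second patch, but neither the commit title nor the spec changelog records which patch was dropped or why. Presumably it was merged into the v3.11-9411 snapshot, but that should be stated, e.g. `- Rebase KEYS/X.509 series on v3.11-9411, drop former 02/14 (now upstream)`. The `__initdata` to `__initconst` change on the `extern const u8 *_certificate_list[]` declarations in both modsign_pubkey.c and system_keyring.c hunks is consistent with the arrays being const and is fine as a rebase. Since the rebased series still carries "X.509: Remove certificate date checks" as its last patch, it is worth a one-line note in the spec that certificate validity windows are intentionally not enforced for keys loaded this way, so the downstream deviation stays visible.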


@ -321,8 +321,8 @@ index 4ca7072..b19cc6e 100644
+struct key *system_blacklist_keyring;
+#endif
extern __initdata const u8 system_certificate_list[];
extern __initdata const u8 system_certificate_list_end[];
extern __initconst const u8 system_certificate_list[];
extern __initconst const u8 system_certificate_list_end[];
@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
panic("Can't allocate system trusted keyring\n");


@ -1,2 +1,2 @@
fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz
cc8ed4c576f297291c5667d6db5b0350 patch-3.11-git20.xz
e2a10577ed333409869fecf6e7c6f083 patch-3.11-git21.xz