Linux v4.13.16

kernel.spec

@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 15
+%define stable_update 16
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -666,8 +666,8 @@ Patch337: arm64-aw64-devices.patch
 # CVE-2017-7477 rhbz 1445207 1445208
 Patch502: CVE-2017-7477.patch
 
-# CVE-2017-15115 rhbz 1513346 1513345
-Patch503: sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
+# CVE-2017-16644 rhbz 1516273 1516274
+Patch503: media-hdpvr-Fix-an-error-handling-path-in-hdpvr_probe.patch
 
 # 600 - Patches for improved Bay and Cherry Trail device support
 # Below patches are submitted upstream, awaiting review / merging
@@ -2277,6 +2277,13 @@ fi
 #
 #
 %changelog
+* Mon Nov 27 2017 Jeremy Cline <jeremy@jcline.org> - 4.13.16-300
+- Linux v4.13.16
+- Fix CVE-2017-16649 (rhbz 1516267 1516274)
+- Fix CVE-2017-16650 (rhbz 1516265 1516274)
+- Fix CVE-2017-16644 (rhbz 1516273 1516274)
+- Fix CVE-2017-16647 (rhbz 1516270 1516274)
+
 * Tue Nov 21 2017 Justin M. Forbes <jforbes@fedoraproject.org>
 - Fix cursor issues with QXL (rhbz 1507931)
 

media-hdpvr-Fix-an-error-handling-path-in-hdpvr_probe.patch

@@ -0,0 +1,106 @@
+From patchwork Fri Sep 22 13:07:06 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [media] hdpvr: Fix an error handling path in hdpvr_probe()
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+X-Patchwork-Id: 9966135
+Message-Id: <b5c06a8e071d38fc4b4df20b7f9c8fb25d5408fe.1506085151.git.arvind.yadav.cs@gmail.com>
+To: andreyknvl@google.com, hverkuil@xs4all.nl, mchehab@kernel.org,
+ laurent.pinchart@ideasonboard.com, dvyukov@google.com,
+ kcc@google.com, syzkaller@googlegroups.com
+Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
+Date: Fri, 22 Sep 2017 18:37:06 +0530
+
+Here, hdpvr_register_videodev() is responsible for setup and
+register a video device. Also defining and initializing a worker.
+hdpvr_register_videodev() is calling by hdpvr_probe at last.
+So No need to flash any work here.
+Unregister v4l2, free buffers and memory. If hdpvr_probe() will fail.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+---
+ drivers/media/usb/hdpvr/hdpvr-core.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c
+index dbe29c6..1e8cbaf 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-core.c
++++ b/drivers/media/usb/hdpvr/hdpvr-core.c
+@@ -292,7 +292,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+ 	/* register v4l2_device early so it can be used for printks */
+ 	if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) {
+ 		dev_err(&interface->dev, "v4l2_device_register failed\n");
+-		goto error;
++		goto error_free_dev;
+ 	}
+ 
+ 	mutex_init(&dev->io_mutex);
+@@ -301,7 +301,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+ 	dev->usbc_buf = kmalloc(64, GFP_KERNEL);
+ 	if (!dev->usbc_buf) {
+ 		v4l2_err(&dev->v4l2_dev, "Out of memory\n");
+-		goto error;
++		goto error_v4l2_unregister;
+ 	}
+ 
+ 	init_waitqueue_head(&dev->wait_buffer);
+@@ -339,13 +339,13 @@ static int hdpvr_probe(struct usb_interface *interface,
+ 	}
+ 	if (!dev->bulk_in_endpointAddr) {
+ 		v4l2_err(&dev->v4l2_dev, "Could not find bulk-in endpoint\n");
+-		goto error;
++		goto error_put_usb;
+ 	}
+ 
+ 	/* init the device */
+ 	if (hdpvr_device_init(dev)) {
+ 		v4l2_err(&dev->v4l2_dev, "device init failed\n");
+-		goto error;
++		goto error_put_usb;
+ 	}
+ 
+ 	mutex_lock(&dev->io_mutex);
+@@ -353,7 +353,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+ 		mutex_unlock(&dev->io_mutex);
+ 		v4l2_err(&dev->v4l2_dev,
+ 			 "allocating transfer buffers failed\n");
+-		goto error;
++		goto error_put_usb;
+ 	}
+ 	mutex_unlock(&dev->io_mutex);
+ 
+@@ -361,7 +361,7 @@ static int hdpvr_probe(struct usb_interface *interface,
+ 	retval = hdpvr_register_i2c_adapter(dev);
+ 	if (retval < 0) {
+ 		v4l2_err(&dev->v4l2_dev, "i2c adapter register failed\n");
+-		goto error;
++		goto error_free_buffers;
+ 	}
+ 
+ 	client = hdpvr_register_ir_rx_i2c(dev);
+@@ -394,13 +394,17 @@ static int hdpvr_probe(struct usb_interface *interface,
+ reg_fail:
+ #if IS_ENABLED(CONFIG_I2C)
+ 	i2c_del_adapter(&dev->i2c_adapter);
++error_free_buffers:
+ #endif
++	hdpvr_free_buffers(dev);
++error_put_usb:
++	usb_put_dev(dev->udev);
++	kfree(dev->usbc_buf);
++error_v4l2_unregister:
++	v4l2_device_unregister(&dev->v4l2_dev);
++error_free_dev:
++	kfree(dev);
+ error:
+-	if (dev) {
+-		flush_work(&dev->worker);
+-		/* this frees allocated memory */
+-		hdpvr_delete(dev);
+-	}
+ 	return retval;
+ }
+ 

sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch

@@ -1,62 +0,0 @@
-From df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 Mon Sep 17 00:00:00 2001
-From: Xin Long <lucien.xin@gmail.com>
-Date: Tue, 17 Oct 2017 23:26:10 +0800
-Subject: sctp: do not peel off an assoc from one netns to another one
-
-Now when peeling off an association to the sock in another netns, all
-transports in this assoc are not to be rehashed and keep use the old
-key in hashtable.
-
-As a transport uses sk->net as the hash key to insert into hashtable,
-it would miss removing these transports from hashtable due to the new
-netns when closing the sock and all transports are being freeed, then
-later an use-after-free issue could be caused when looking up an asoc
-and dereferencing those transports.
-
-This is a very old issue since very beginning, ChunYu found it with
-syzkaller fuzz testing with this series:
-
-  socket$inet6_sctp()
-  bind$inet6()
-  sendto$inet6()
-  unshare(0x40000000)
-  getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
-  getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
-
-This patch is to block this call when peeling one assoc off from one
-netns to another one, so that the netns of all transport would not
-go out-sync with the key in hashtable.
-
-Note that this patch didn't fix it by rehashing transports, as it's
-difficult to handle the situation when the tuple is already in use
-in the new netns. Besides, no one would like to peel off one assoc
-to another netns, considering ipaddrs, ifaces, etc. are usually
-different.
-
-Reported-by: ChunYu Wang <chunwang@redhat.com>
-Signed-off-by: Xin Long <lucien.xin@gmail.com>
-Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
-Acked-by: Neil Horman <nhorman@tuxdriver.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/sctp/socket.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index d4730ad..17841ab 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
- 	struct socket *sock;
- 	int err = 0;
- 
-+	/* Do not peel off from one netns to another one. */
-+	if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
-+		return -EINVAL;
-+
- 	if (!asoc)
- 		return -EINVAL;
- 
--- 
-cgit v1.1
-

sources

@@ -1,3 +1,3 @@
 SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2
 SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
-SHA512 (patch-4.13.15.xz) = 54e1d3b526984efe90a5c759b35ac849ac65525c977b3982ef32b0fbb83e73f1fca92d73c3ffb1f23643d9f72a3083eeb4edb54768b105138722434811f622c4
+SHA512 (patch-4.13.16.xz) = 6d9e6593477fb7aa663e6b9cdccb1d30df8d3bb3721b93afa9ddefce539d267bee062809dd6c50135ba113cf5220ef4b2799f25eca73c791ff59f4480189d211