Linux v3.13.4
parent
4316b894c8
commit
44e839d1f1
|
@ -1,116 +0,0 @@
|
|||
From 2172fa709ab32ca60e86179dc67d0857be8e2c98 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Date: Thu, 30 Jan 2014 11:26:59 -0500
|
||||
Subject: [PATCH] SELinux: Fix kernel BUG on empty security contexts.
|
||||
|
||||
Setting an empty security context (length=0) on a file will
|
||||
lead to incorrectly dereferencing the type and other fields
|
||||
of the security context structure, yielding a kernel BUG.
|
||||
As a zero-length security context is never valid, just reject
|
||||
all such security contexts whether coming from userspace
|
||||
via setxattr or coming from the filesystem upon a getxattr
|
||||
request by SELinux.
|
||||
|
||||
Setting a security context value (empty or otherwise) unknown to
|
||||
SELinux in the first place is only possible for a root process
|
||||
(CAP_MAC_ADMIN), and, if running SELinux in enforcing mode, only
|
||||
if the corresponding SELinux mac_admin permission is also granted
|
||||
to the domain by policy. In Fedora policies, this is only allowed for
|
||||
specific domains such as livecd for setting down security contexts
|
||||
that are not defined in the build host policy.
|
||||
|
||||
Reproducer:
|
||||
su
|
||||
setenforce 0
|
||||
touch foo
|
||||
setfattr -n security.selinux foo
|
||||
|
||||
Caveat:
|
||||
Relabeling or removing foo after doing the above may not be possible
|
||||
without booting with SELinux disabled. Any subsequent access to foo
|
||||
after doing the above will also trigger the BUG.
|
||||
|
||||
BUG output from Matthew Thode:
|
||||
[ 473.893141] ------------[ cut here ]------------
|
||||
[ 473.962110] kernel BUG at security/selinux/ss/services.c:654!
|
||||
[ 473.995314] invalid opcode: 0000 [#6] SMP
|
||||
[ 474.027196] Modules linked in:
|
||||
[ 474.058118] CPU: 0 PID: 8138 Comm: ls Tainted: G D I
|
||||
3.13.0-grsec #1
|
||||
[ 474.116637] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0
|
||||
07/29/10
|
||||
[ 474.149768] task: ffff8805f50cd010 ti: ffff8805f50cd488 task.ti:
|
||||
ffff8805f50cd488
|
||||
[ 474.183707] RIP: 0010:[<ffffffff814681c7>] [<ffffffff814681c7>]
|
||||
context_struct_compute_av+0xce/0x308
|
||||
[ 474.219954] RSP: 0018:ffff8805c0ac3c38 EFLAGS: 00010246
|
||||
[ 474.252253] RAX: 0000000000000000 RBX: ffff8805c0ac3d94 RCX:
|
||||
0000000000000100
|
||||
[ 474.287018] RDX: ffff8805e8aac000 RSI: 00000000ffffffff RDI:
|
||||
ffff8805e8aaa000
|
||||
[ 474.321199] RBP: ffff8805c0ac3cb8 R08: 0000000000000010 R09:
|
||||
0000000000000006
|
||||
[ 474.357446] R10: 0000000000000000 R11: ffff8805c567a000 R12:
|
||||
0000000000000006
|
||||
[ 474.419191] R13: ffff8805c2b74e88 R14: 00000000000001da R15:
|
||||
0000000000000000
|
||||
[ 474.453816] FS: 00007f2e75220800(0000) GS:ffff88061fc00000(0000)
|
||||
knlGS:0000000000000000
|
||||
[ 474.489254] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
[ 474.522215] CR2: 00007f2e74716090 CR3: 00000005c085e000 CR4:
|
||||
00000000000207f0
|
||||
[ 474.556058] Stack:
|
||||
[ 474.584325] ffff8805c0ac3c98 ffffffff811b549b ffff8805c0ac3c98
|
||||
ffff8805f1190a40
|
||||
[ 474.618913] ffff8805a6202f08 ffff8805c2b74e88 00068800d0464990
|
||||
ffff8805e8aac860
|
||||
[ 474.653955] ffff8805c0ac3cb8 000700068113833a ffff880606c75060
|
||||
ffff8805c0ac3d94
|
||||
[ 474.690461] Call Trace:
|
||||
[ 474.723779] [<ffffffff811b549b>] ? lookup_fast+0x1cd/0x22a
|
||||
[ 474.778049] [<ffffffff81468824>] security_compute_av+0xf4/0x20b
|
||||
[ 474.811398] [<ffffffff8196f419>] avc_compute_av+0x2a/0x179
|
||||
[ 474.843813] [<ffffffff8145727b>] avc_has_perm+0x45/0xf4
|
||||
[ 474.875694] [<ffffffff81457d0e>] inode_has_perm+0x2a/0x31
|
||||
[ 474.907370] [<ffffffff81457e76>] selinux_inode_getattr+0x3c/0x3e
|
||||
[ 474.938726] [<ffffffff81455cf6>] security_inode_getattr+0x1b/0x22
|
||||
[ 474.970036] [<ffffffff811b057d>] vfs_getattr+0x19/0x2d
|
||||
[ 475.000618] [<ffffffff811b05e5>] vfs_fstatat+0x54/0x91
|
||||
[ 475.030402] [<ffffffff811b063b>] vfs_lstat+0x19/0x1b
|
||||
[ 475.061097] [<ffffffff811b077e>] SyS_newlstat+0x15/0x30
|
||||
[ 475.094595] [<ffffffff8113c5c1>] ? __audit_syscall_entry+0xa1/0xc3
|
||||
[ 475.148405] [<ffffffff8197791e>] system_call_fastpath+0x16/0x1b
|
||||
[ 475.179201] Code: 00 48 85 c0 48 89 45 b8 75 02 0f 0b 48 8b 45 a0 48
|
||||
8b 3d 45 d0 b6 00 8b 40 08 89 c6 ff ce e8 d1 b0 06 00 48 85 c0 49 89 c7
|
||||
75 02 <0f> 0b 48 8b 45 b8 4c 8b 28 eb 1e 49 8d 7d 08 be 80 01 00 00 e8
|
||||
[ 475.255884] RIP [<ffffffff814681c7>]
|
||||
context_struct_compute_av+0xce/0x308
|
||||
[ 475.296120] RSP <ffff8805c0ac3c38>
|
||||
[ 475.328734] ---[ end trace f076482e9d754adc ]---
|
||||
|
||||
Reported-by: Matthew Thode <mthode@mthode.org>
|
||||
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
||||
---
|
||||
security/selinux/ss/services.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
|
||||
index fc5a63a..f1e46d7 100644
|
||||
--- a/security/selinux/ss/services.c
|
||||
+++ b/security/selinux/ss/services.c
|
||||
@@ -1232,6 +1232,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
|
||||
struct context context;
|
||||
int rc = 0;
|
||||
|
||||
+ /* An empty security context is never valid. */
|
||||
+ if (!scontext_len)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (!ss_initialized) {
|
||||
int i;
|
||||
|
||||
--
|
||||
1.8.5.3
|
||||
|
17
kernel.spec
17
kernel.spec
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 3
|
||||
%define stable_update 4
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -753,9 +753,6 @@ Patch25186: ath9k_htc-make-sta_rc_update-atomic-for-most-calls.patch
|
|||
#rhbz 950630
|
||||
Patch25187: xhci-fix-resume-issues-on-renesas-chips-in-samsung-laptops.patch
|
||||
|
||||
#CVE-2014-1874 rhbz 1062356 1062507
|
||||
Patch25188: SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
|
||||
|
||||
#rhbz 1031296
|
||||
Patch25189: tick-Clear-broadcast-pending-bit-when-switching-to-oneshot.patch
|
||||
|
||||
|
@ -766,9 +763,6 @@ Patch25195: cgroup-fixes.patch
|
|||
Patch25196: ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.patch
|
||||
Patch25197: ipv6-addrconf-revert-if_inet6ifa_flag-format.patch
|
||||
|
||||
#rhbz 1051918
|
||||
Patch25198: pinctrl-protect-pinctrl_list-add.patch
|
||||
|
||||
#CVE-2014-0069 rhbz 1064253 1062584
|
||||
Patch25200: cifs-ensure-that-uncached-writes-handle-unmapped-areas-correctly.patch
|
||||
Patch25201: cifs-sanity-check-length-of-data-to-send-before-sending.patch
|
||||
|
@ -1475,9 +1469,6 @@ ApplyPatch ath9k_htc-make-sta_rc_update-atomic-for-most-calls.patch
|
|||
#rhbz 950630
|
||||
ApplyPatch xhci-fix-resume-issues-on-renesas-chips-in-samsung-laptops.patch
|
||||
|
||||
#CVE-2014-1874 rhbz 1062356 1062507
|
||||
ApplyPatch SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
|
||||
|
||||
#rhbz 1031296
|
||||
ApplyPatch tick-Clear-broadcast-pending-bit-when-switching-to-oneshot.patch
|
||||
|
||||
|
@ -1488,9 +1479,6 @@ ApplyPatch cgroup-fixes.patch
|
|||
ApplyPatch ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.patch
|
||||
ApplyPatch ipv6-addrconf-revert-if_inet6ifa_flag-format.patch
|
||||
|
||||
#rhbz 1051918
|
||||
ApplyPatch pinctrl-protect-pinctrl_list-add.patch
|
||||
|
||||
#CVE-2014-0069 rhbz 1064253 1062584
|
||||
ApplyPatch cifs-ensure-that-uncached-writes-handle-unmapped-areas-correctly.patch
|
||||
ApplyPatch cifs-sanity-check-length-of-data-to-send-before-sending.patch
|
||||
|
@ -2311,6 +2299,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Thu Feb 20 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.13.4-100
|
||||
- Linux v3.13.4
|
||||
|
||||
* Tue Feb 18 2014 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Linux v3.13.3
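Review bot: The new %changelog entry records only `- Linux v3.13.4`, although this commit also drops Patch25188 (the CVE-2014-1874 SELinux fix) and Patch25198 (pinctrl, rhbz 1051918) from both the Patch and ApplyPatch lists. Presumably both fixes now arrive through the 3.13.4 stable update, but nothing on this page shows that, so anyone auditing the package for CVE-2014-1874 loses the trail at this release. Before merging I would confirm that the `if (!scontext_len) return -EINVAL;` check is present in security_context_to_sid_core() in the new source tree. I would then add a changelog line such as `- Drop SELinux empty-context (CVE-2014-1874) and pinctrl_list patches, included in 3.13.4`.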
|
||||
|
||||
|
|
|
@ -8,11 +8,25 @@ after each final link. This includes vmlinux itself and vDSO images.
|
|||
|
||||
Signed-off-by: Roland McGrath <roland@redhat.com>
|
||||
|
||||
diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makefile
|
||||
index d8064af..04dcfe1 100644
|
||||
--- a/arch/arm64/kernel/vdso/Makefile
|
||||
+++ b/arch/arm64/kernel/vdso/Makefile
|
||||
@@ -48,7 +48,8 @@ $(obj-vdso): %.o: %.S
|
||||
|
||||
# Actual build commands
|
||||
quiet_cmd_vdsold = VDSOL $@
|
||||
- cmd_vdsold = $(CC) $(c_flags) -Wl,-n -Wl,-T $^ -o $@
|
||||
+ cmd_vdsold = $(CC) $(c_flags) -Wl,-n -Wl,-T $^ -o $@ \
|
||||
+ $(if $(AFTER_LINK),; $(AFTER_LINK))
|
||||
quiet_cmd_vdsoas = VDSOA $@
|
||||
cmd_vdsoas = $(CC) $(a_flags) -c -o $@ $<
|
||||
|
||||
diff --git a/arch/powerpc/kernel/vdso32/Makefile b/arch/powerpc/kernel/vdso32/Makefile
|
||||
index 9a7946c..28d6765 100644
|
||||
index 53e6c9b..e427844 100644
|
||||
--- a/arch/powerpc/kernel/vdso32/Makefile
|
||||
+++ b/arch/powerpc/kernel/vdso32/Makefile
|
||||
@@ -41,7 +41,8 @@ $(obj-vdso32): %.o: %.S
|
||||
@@ -43,7 +43,8 @@ $(obj-vdso32): %.o: %.S
|
||||
|
||||
# actual build commands
|
||||
quiet_cmd_vdso32ld = VDSO32L $@
|
||||
|
@ -23,7 +37,7 @@ index 9a7946c..28d6765 100644
|
|||
cmd_vdso32as = $(CROSS32CC) $(a_flags) -c -o $@ $<
|
||||
|
||||
diff --git a/arch/powerpc/kernel/vdso64/Makefile b/arch/powerpc/kernel/vdso64/Makefile
|
||||
index 8c500d8..d27737b 100644
|
||||
index effca94..713891a 100644
|
||||
--- a/arch/powerpc/kernel/vdso64/Makefile
|
||||
+++ b/arch/powerpc/kernel/vdso64/Makefile
|
||||
@@ -36,7 +36,8 @@ $(obj-vdso64): %.o: %.S
|
||||
|
@ -81,7 +95,7 @@ index fd14be1..1f3eb19 100644
|
|||
VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
|
||||
GCOV_PROFILE := n
|
||||
diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
|
||||
index cd9c6c6..3edf048 100644
|
||||
index 0149949..e307cda 100644
|
||||
--- a/scripts/link-vmlinux.sh
|
||||
+++ b/scripts/link-vmlinux.sh
|
||||
@@ -65,6 +65,10 @@ vmlinux_link()
|
||||
|
@ -95,6 +109,3 @@ index cd9c6c6..3edf048 100644
|
|||
}
|
||||
|
||||
|
||||
--
|
||||
1.7.7.6
|
||||
|
||||
|
|
|
@ -1,38 +0,0 @@
|
|||
From 7b320cb1ed2dbd2c5f2a778197baf76fd6bf545a Mon Sep 17 00:00:00 2001
|
||||
From: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
Date: Tue, 4 Feb 2014 09:07:09 +0100
|
||||
Subject: [PATCH] pinctrl: protect pinctrl_list add
|
||||
|
||||
We have few fedora bug reports about list corruption on pinctrl,
|
||||
for example:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1051918
|
||||
|
||||
Most likely corruption happen due lack of protection of pinctrl_list
|
||||
when adding new nodes to it. Patch corrects that.
|
||||
|
||||
Fixes: 42fed7ba44e ("pinctrl: move subsystem mutex to pinctrl_dev struct")
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
Acked-by: Stephen Warren <swarren@nvidia.com>
|
||||
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
|
||||
---
|
||||
drivers/pinctrl/core.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
|
||||
index 5ee61a4..cab020a 100644
|
||||
--- a/drivers/pinctrl/core.c
|
||||
+++ b/drivers/pinctrl/core.c
|
||||
@@ -851,7 +851,9 @@ static struct pinctrl *create_pinctrl(struct device *dev)
|
||||
kref_init(&p->users);
|
||||
|
||||
/* Add the pinctrl handle to the global list */
|
||||
+ mutex_lock(&pinctrl_list_mutex);
|
||||
list_add_tail(&p->node, &pinctrl_list);
|
||||
+ mutex_unlock(&pinctrl_list_mutex);
|
||||
|
||||
return p;
|
||||
}
|
||||
--
|
||||
1.8.5.3
|
||||
|