Linux v4.3.4

2016-01-24 10:36:26 -05:00 · 2016-01-24 10:36:26 -05:00 · 47af8d1c51
parent 92c1f2edcf
commit 47af8d1c51
6 changed files with 6 additions and 2327 deletions
--- a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
+++ b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
@ -1,78 +0,0 @@
-From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Jan 2016 10:53:31 +0000
-Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring()
-
-This fixes CVE-2016-0728.
-
-If a thread is asked to join as a session keyring the keyring that's already
-set as its session, we leak a keyring reference.
-
-This can be tested with the following program:
-
-	#include <stddef.h>
-	#include <stdio.h>
-	#include <sys/types.h>
-	#include <keyutils.h>
-
-	int main(int argc, const char *argv[])
-	{
-		int i = 0;
-		key_serial_t serial;
-
-		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
-				"leaked-keyring");
-		if (serial < 0) {
-			perror("keyctl");
-			return -1;
-		}
-
-		if (keyctl(KEYCTL_SETPERM, serial,
-			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
-			perror("keyctl");
-			return -1;
-		}
-
-		for (i = 0; i < 100; i++) {
-			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
-					"leaked-keyring");
-			if (serial < 0) {
-				perror("keyctl");
-				return -1;
-			}
-		}
-
-		return 0;
-	}
-
-If, after the program has run, there something like the following line in
-/proc/keys:
-
-3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
-
-with a usage count of 100 * the number of times the program has been run,
-then the kernel is malfunctioning.  If leaked-keyring has zero usages or
-has been garbage collected, then the problem is fixed.
-
-Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
-Signed-off-by: David Howells <dhowells@redhat.com>
-RH-bugzilla: 1298036
---
- security/keys/process_keys.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index 43b4cddbf2b3..7877e5cd4e23 100644
--- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
- 		ret = PTR_ERR(keyring);
- 		goto error2;
- 	} else if (keyring == new->session_keyring) {
-+		key_put(keyring);
- 		ret = 0;
- 		goto error2;
- 	}
-- 
-2.5.0
-
--- a/KEYS-Fix-race-between-read-and-revoke.patch
+++ b/KEYS-Fix-race-between-read-and-revoke.patch
@ -1,108 +0,0 @@
-From f144220f72062ed5359e0211f130670c915a12dd Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 14 Dec 2015 10:36:31 -0500
-Subject: [PATCH] KEYS: Fix race between read and revoke
-
-There's a race between keyctl_read() and keyctl_revoke().  If the revoke
-happens between keyctl_read() checking the validity of a key and the key's
-semaphore being taken, then the key type read method will see a revoked key.
-
-This causes a problem for the user-defined key type because it assumes in
-its read method that there will always be a payload in a non-revoked key
-and doesn't check for a NULL pointer.
-
-Fix this by making keyctl_read() check the validity of a key after taking
-semaphore instead of before.
-
-This was discovered by a multithreaded test program generated by syzkaller
-(http://github.com/google/syzkaller).  Here's a cleaned up version:
-
-	#include <sys/types.h>
-	#include <keyutils.h>
-	#include <pthread.h>
-	void *thr0(void *arg)
-	{
-		key_serial_t key = (unsigned long)arg;
-		keyctl_revoke(key);
-		return 0;
-	}
-	void *thr1(void *arg)
-	{
-		key_serial_t key = (unsigned long)arg;
-		char buffer[16];
-		keyctl_read(key, buffer, 16);
-		return 0;
-	}
-	int main()
-	{
-		key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
-		pthread_t th[5];
-		pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
-		pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
-		pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
-		pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
-		pthread_join(th[0], 0);
-		pthread_join(th[1], 0);
-		pthread_join(th[2], 0);
-		pthread_join(th[3], 0);
-		return 0;
-	}
-
-Build as:
-
-	cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
-
-Run as:
-
-	while keyctl-race; do :; done
-
-as it may need several iterations to crash the kernel.  The crash can be
-summarised as:
-
-	BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
-	IP: [<ffffffff81279b08>] user_read+0x56/0xa3
-	...
-	Call Trace:
-	 [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
-	 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
-	 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
-
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
---
- security/keys/keyctl.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index fb111eafcb89..1c3872aeed14 100644
--- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -751,16 +751,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
- 
- 	/* the key is probably readable - now try to read it */
- can_read_key:
-	ret = key_validate(key);
-	if (ret == 0) {
-		ret = -EOPNOTSUPP;
-		if (key->type->read) {
-			/* read the data with the semaphore held (since we
-			 * might sleep) */
-			down_read(&key->sem);
-+	ret = -EOPNOTSUPP;
-+	if (key->type->read) {
-+		/* Read the data with the semaphore held (since we might sleep)
-+		 * to protect against the key being updated or revoked.
-+		 */
-+		down_read(&key->sem);
-+		ret = key_validate(key);
-+		if (ret == 0)
- 			ret = key->type->read(key, buffer, buflen);
-			up_read(&key->sem);
-		}
-+		up_read(&key->sem);
- 	}
- 
- error2:
-- 
-2.5.0
-
--- a/kernel.spec
+++ b/kernel.spec
@ -40,7 +40,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 303
+%global baserelease 300
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@ -52,7 +52,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}

 # Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@ -631,11 +631,6 @@ Patch572: alua_fix.patch
 #CVE-XXXX-XXXX rhbz 1291329 1291332
 Patch574: ovl-fix-permission-checking-for-setattr.patch

-#CVE-2015-7550 rhbz 1291197 1291198
-Patch575: KEYS-Fix-race-between-read-and-revoke.patch
-
-Patch601: vrf-fix-memory-leak-on-registration.patch
-
 #CVE-2015-8709 rhbz 1295287 1295288
 Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch

@ -681,11 +676,6 @@ Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
 Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch
 Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch

-Patch633: net_43.mbox
-
-#CVE-2016-0728 rhbz 1296623 1297475
-Patch634: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
-
 #CVE-2013-4312 rhbz 1297813 1300216
 Patch636: unix-properly-account-for-FDs-passed-over-unix-socke.patch

@ -2144,6 +2134,9 @@ fi
 #
 # 
 %changelog
+* Sat Jan 23 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.4-300
+- Linux v4.3.4
+
 * Fri Jan 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - Fix backtrace from PNP conflict on Haswell-ULT (rhbz 1300955)

--- a/net_43.mbox
+++ b/net_43.mbox
--- a/2
+++ b/2
@ -1,3 +1,3 @@
 58b35794eee3b6d52ce7be39357801e7  linux-4.3.tar.xz
 7c516c9528b9f9aac0136944b0200b7e  perf-man-4.3.tar.gz
-d3235b3640ae6ac1ab579171943fda4b  patch-4.3.3.xz
+5bbeeb57b8cff23e5c27430e60810d1b  patch-4.3.4.xz
--- a/vrf-fix-memory-leak-on-registration.patch
+++ b/vrf-fix-memory-leak-on-registration.patch
@ -1,42 +0,0 @@
-From 5780068e17af44a98d432d31448bb18a99ce64dc Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Tue, 15 Dec 2015 15:12:43 +0000
-Subject: [PATCH] vrf: Fix memory leak on registration failure in vrf_newlink()
-
-The backported version of commit 7f109f7cc371 ("vrf: fix double free
-and memory corruption on register_netdevice failure") incorrectly
-removed a kfree() from the failure path as well as the free_netdev().
-Add that back.
-
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
- drivers/net/vrf.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
-index c9e309c..6c25fd0 100644
--- a/drivers/net/vrf.c
-+++ b/drivers/net/vrf.c
-@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
- {
- 	struct net_vrf *vrf = netdev_priv(dev);
- 	struct net_vrf_dev *vrf_ptr;
-+	int err;
-
- 	if (!data || !data[IFLA_VRF_TABLE])
- 		return -EINVAL;
-@@ -598,7 +599,10 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
-
- 	rcu_assign_pointer(dev->vrf_ptr, vrf_ptr);
-
-	return register_netdev(dev);
-+	err = register_netdev(dev);
-+	if (err)
-+		kfree(vrf_ptr);
-+	return err;
- }
-
- static size_t vrf_nl_getsize(const struct net_device *dev)
-- 
-2.5.0
-