Linux v3.18.5
This commit is contained in:
Justin M. Forbes
parent
f046ab9c33
commit
99ae61bcfe
|
|
@ -1,43 +0,0 @@
|
|||
From: Sasha Levin <sasha.levin () oracle ! com>
|
||||
Date: Mon, 29 Dec 2014 14:39:01 -0500
|
||||
Subject: [PATCH] KEYS: close race between key lookup and freeing
|
||||
|
||||
When a key is being garbage collected, it's key->user would get put before
|
||||
the ->destroy() callback is called, where the key is removed from it's
|
||||
respective tracking structures.
|
||||
|
||||
This leaves a key hanging in a semi-invalid state which leaves a window open
|
||||
for a different task to try an access key->user. An example is
|
||||
find_keyring_by_name() which would dereference key->user for a key that is
|
||||
in the process of being garbage collected (where key->user was freed but
|
||||
->destroy() wasn't called yet - so it's still present in the linked list).
|
||||
|
||||
This would cause either a panic, or corrupt memory.
|
||||
|
||||
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
||||
---
|
||||
security/keys/gc.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/security/keys/gc.c b/security/keys/gc.c
|
||||
index 9609a7f0faea..c7952375ac53 100644
|
||||
--- a/security/keys/gc.c
|
||||
+++ b/security/keys/gc.c
|
||||
@@ -148,12 +148,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
|
||||
if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
|
||||
atomic_dec(&key->user->nikeys);
|
||||
|
||||
- key_user_put(key->user);
|
||||
-
|
||||
/* now throw away the key memory */
|
||||
if (key->type->destroy)
|
||||
key->type->destroy(key);
|
||||
|
||||
+ key_user_put(key->user);
|
||||
+
|
||||
kfree(key->description);
|
||||
|
||||
#ifdef KEY_DEBUGGING
|
||||
--
|
||||
2.1.0
|
||||
|
||||
|
|
@ -1,81 +0,0 @@
|
|||
From: Nadav Amit <namit@cs.technion.ac.il>
|
||||
Date: Thu, 1 Jan 2015 23:11:11 +0200
|
||||
Subject: [PATCH] KVM: x86: SYSENTER emulation is broken
|
||||
|
||||
SYSENTER emulation is broken in several ways:
|
||||
1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
|
||||
2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
|
||||
still be set without causing #GP).
|
||||
3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
|
||||
legacy-mode.
|
||||
4. There is some unneeded code.
|
||||
|
||||
Fix it.
|
||||
|
||||
Cc: stable@vger.linux.org
|
||||
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/emulate.c | 27 ++++++++-------------------
|
||||
1 file changed, 8 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
|
||||
index 22e7ed9e6d8e..ac640d47c28d 100644
|
||||
--- a/arch/x86/kvm/emulate.c
|
||||
+++ b/arch/x86/kvm/emulate.c
|
||||
@@ -2345,7 +2345,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
|
||||
* Not recognized on AMD in compat mode (but is recognized in legacy
|
||||
* mode).
|
||||
*/
|
||||
- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
|
||||
+ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
|
||||
&& !vendor_intel(ctxt))
|
||||
return emulate_ud(ctxt);
|
||||
|
||||
@@ -2358,25 +2358,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
|
||||
setup_syscalls_segments(ctxt, &cs, &ss);
|
||||
|
||||
ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
|
||||
- switch (ctxt->mode) {
|
||||
- case X86EMUL_MODE_PROT32:
|
||||
- if ((msr_data & 0xfffc) == 0x0)
|
||||
- return emulate_gp(ctxt, 0);
|
||||
- break;
|
||||
- case X86EMUL_MODE_PROT64:
|
||||
- if (msr_data == 0x0)
|
||||
- return emulate_gp(ctxt, 0);
|
||||
- break;
|
||||
- default:
|
||||
- break;
|
||||
- }
|
||||
+ if ((msr_data & 0xfffc) == 0x0)
|
||||
+ return emulate_gp(ctxt, 0);
|
||||
|
||||
ctxt->eflags &= ~(EFLG_VM | EFLG_IF);
|
||||
- cs_sel = (u16)msr_data;
|
||||
- cs_sel &= ~SELECTOR_RPL_MASK;
|
||||
+ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
|
||||
ss_sel = cs_sel + 8;
|
||||
- ss_sel &= ~SELECTOR_RPL_MASK;
|
||||
- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
|
||||
+ if (efer & EFER_LMA) {
|
||||
cs.d = 0;
|
||||
cs.l = 1;
|
||||
}
|
||||
@@ -2385,10 +2373,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
|
||||
ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
|
||||
|
||||
ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
|
||||
- ctxt->_eip = msr_data;
|
||||
+ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
|
||||
|
||||
ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
|
||||
- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
|
||||
+ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
|
||||
+ (u32)msr_data;
|
||||
|
||||
return X86EMUL_CONTINUE;
|
||||
}
|
||||
--
|
||||
2.1.0
|
||||
|
||||
20
kernel.spec
20
kernel.spec
|
|
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 201
|
||||
%global baserelease 200
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 4
|
||||
%define stable_update 5
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
|
@ -615,9 +615,6 @@ Patch26101: powerpc-powernv-force-all-CPUs-to-be-bootable.patch
|
|||
#rhbz 1163927
|
||||
Patch26121: Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
|
||||
|
||||
#CVE-2014-9529 rhbz 1179813 1179853
|
||||
Patch26124: KEYS-close-race-between-key-lookup-and-freeing.patch
|
||||
|
||||
#rhbz 1124119
|
||||
Patch26126: uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
|
||||
Patch26127: uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch
|
||||
|
|
@ -636,10 +633,6 @@ Patch30000: kernel-arm64.patch
|
|||
# Fix for big-endian arches, already upstream
|
||||
Patch30001: mpssd-x86-only.patch
|
||||
|
||||
#CVE-2015-0239 rhbz 1186448 1186453
|
||||
Patch30004: KVM-x86-SYSENTER-emulation-is-broken.patch
|
||||
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1363,9 +1356,6 @@ ApplyPatch powerpc-powernv-force-all-CPUs-to-be-bootable.patch
|
|||
#rhbz 1163927
|
||||
ApplyPatch Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
|
||||
|
||||
#CVE-2014-9529 rhbz 1179813 1179853
|
||||
ApplyPatch KEYS-close-race-between-key-lookup-and-freeing.patch
|
||||
|
||||
#rhbz 1124119
|
||||
ApplyPatch uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
|
||||
ApplyPatch uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch
|
||||
|
|
@ -1381,9 +1371,6 @@ ApplyPatch acpi-video-Add-disable_native_backlight-quirk-for-Sa.patch
|
|||
# Fix for big-endian arches, already upstream
|
||||
ApplyPatch mpssd-x86-only.patch
|
||||
|
||||
#CVE-2015-0239 rhbz 1186448 1186453
|
||||
ApplyPatch KVM-x86-SYSENTER-emulation-is-broken.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
|
|
@ -2254,6 +2241,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Fri Jan 30 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 3.18.5-100
|
||||
- Linux v3.18.5
|
||||
|
||||
* Thu Jan 29 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Backport patch from Rob Clark to toggle i915 state machine checks
|
||||
- Disable i915 state checks
|
||||
|
|
|
|||
Loading…
Reference in New Issue