Linux v3.18.9
This commit is contained in:
parent
ac91ae055e
commit
ae3c9b8089
|
@ -1,46 +0,0 @@
|
|||
From 1079a4c2288cf33c13d2c6ca3e07d4039b1f39f0 Mon Sep 17 00:00:00 2001
|
||||
From: John Stultz <john.stultz@linaro.org>
|
||||
Date: Mon, 2 Feb 2015 10:57:56 -0800
|
||||
Subject: [PATCH] ntp: Fixup adjtimex freq validation on 32bit systems
|
||||
|
||||
Additional validation of adjtimex freq values to avoid
|
||||
potential multiplication overflows were added in commit
|
||||
5e5aeb4367b (time: adjtimex: Validate the ADJ_FREQUENCY values)
|
||||
|
||||
Unfortunately the patch used LONG_MAX/MIN instead of
|
||||
LLONG_MAX/MIN, which was fine on 64bit systems, but caused
|
||||
false positives on 32bit systems resulting in most direct
|
||||
frequency adjustments to fail w/ EINVAL.
|
||||
|
||||
ntpd only does driect frequency adjustments at startup,
|
||||
so the issue was not easily observed there, but other sync
|
||||
applications like ptpd and chrony were more effected by
|
||||
the bug.
|
||||
|
||||
Cc: Sasha Levin <sasha.levin@oracle.com>
|
||||
Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Reported-by: George Joseph <george.joseph@fairview5.com>
|
||||
Signed-off-by: John Stultz <john.stultz@linaro.org>
|
||||
---
|
||||
kernel/time/ntp.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
|
||||
index 28bf91c..242774d 100644
|
||||
--- a/kernel/time/ntp.c
|
||||
+++ b/kernel/time/ntp.c
|
||||
@@ -634,9 +634,9 @@ int ntp_validate_timex(struct timex *txc)
|
||||
return -EPERM;
|
||||
|
||||
if (txc->modes & ADJ_FREQUENCY) {
|
||||
- if (LONG_MIN / PPM_SCALE > txc->freq)
|
||||
+ if (LLONG_MIN / PPM_SCALE > txc->freq)
|
||||
return -EINVAL;
|
||||
- if (LONG_MAX / PPM_SCALE < txc->freq)
|
||||
+ if (LLONG_MAX / PPM_SCALE < txc->freq)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
--
|
||||
1.9.1
|
||||
|
|
@ -1,104 +0,0 @@
|
|||
From: Hector Marco-Gisbert <hecmargi@upv.es>
|
||||
Date: Sat, 14 Feb 2015 09:33:50 -0800
|
||||
Subject: [PATCH] ASLR: fix stack randomization on 64-bit systems
|
||||
|
||||
The issue is that the stack for processes is not properly randomized on 64 bit
|
||||
architectures due to an integer overflow.
|
||||
|
||||
The affected function is randomize_stack_top() in file "fs/binfmt_elf.c":
|
||||
|
||||
static unsigned long randomize_stack_top(unsigned long stack_top)
|
||||
{
|
||||
unsigned int random_variable = 0;
|
||||
|
||||
if ((current->flags & PF_RANDOMIZE) &&
|
||||
!(current->personality & ADDR_NO_RANDOMIZE)) {
|
||||
random_variable = get_random_int() & STACK_RND_MASK;
|
||||
random_variable <<= PAGE_SHIFT;
|
||||
}
|
||||
return PAGE_ALIGN(stack_top) + random_variable;
|
||||
return PAGE_ALIGN(stack_top) - random_variable;
|
||||
}
|
||||
|
||||
Note that, it declares the "random_variable" variable as "unsigned int". Since
|
||||
the result of the shifting operation between STACK_RND_MASK (which is
|
||||
0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
|
||||
|
||||
random_variable <<= PAGE_SHIFT;
|
||||
|
||||
then the two leftmost bits are dropped when storing the result in the
|
||||
"random_variable". This variable shall be at least 34 bits long to hold the
|
||||
(22+12) result.
|
||||
|
||||
These two dropped bits have an impact on the entropy of process stack.
|
||||
Concretely, the total stack entropy is reduced by four: from 2^28 to 2^30 (One
|
||||
fourth of expected entropy).
|
||||
|
||||
This patch restores back the entropy by correcting the types involved in the
|
||||
operations in the functions randomize_stack_top() and stack_maxrandom_size().
|
||||
|
||||
The successful fix can be tested with:
|
||||
$ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
|
||||
7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack]
|
||||
7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack]
|
||||
7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack]
|
||||
7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack]
|
||||
...
|
||||
|
||||
Once corrected, the leading bytes should be between 7ffc and 7fff, rather
|
||||
than always being 7fff.
|
||||
|
||||
CVE-2015-1593
|
||||
|
||||
Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
|
||||
Signed-off-by: Ismael Ripoll <iripoll@upv.es>
|
||||
[kees: rebase, fix 80 char, clean up commit message, add test example, cve]
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
arch/x86/mm/mmap.c | 6 +++---
|
||||
fs/binfmt_elf.c | 5 +++--
|
||||
2 files changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
|
||||
index 919b91205cd4..df4552bd239e 100644
|
||||
--- a/arch/x86/mm/mmap.c
|
||||
+++ b/arch/x86/mm/mmap.c
|
||||
@@ -35,12 +35,12 @@ struct va_alignment __read_mostly va_align = {
|
||||
.flags = -1,
|
||||
};
|
||||
|
||||
-static unsigned int stack_maxrandom_size(void)
|
||||
+static unsigned long stack_maxrandom_size(void)
|
||||
{
|
||||
- unsigned int max = 0;
|
||||
+ unsigned long max = 0;
|
||||
if ((current->flags & PF_RANDOMIZE) &&
|
||||
!(current->personality & ADDR_NO_RANDOMIZE)) {
|
||||
- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
|
||||
+ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
|
||||
}
|
||||
|
||||
return max;
|
||||
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
|
||||
index d8fc0605b9d2..e1efcaa1b245 100644
|
||||
--- a/fs/binfmt_elf.c
|
||||
+++ b/fs/binfmt_elf.c
|
||||
@@ -554,11 +554,12 @@ out:
|
||||
|
||||
static unsigned long randomize_stack_top(unsigned long stack_top)
|
||||
{
|
||||
- unsigned int random_variable = 0;
|
||||
+ unsigned long random_variable = 0;
|
||||
|
||||
if ((current->flags & PF_RANDOMIZE) &&
|
||||
!(current->personality & ADDR_NO_RANDOMIZE)) {
|
||||
- random_variable = get_random_int() & STACK_RND_MASK;
|
||||
+ random_variable = (unsigned long) get_random_int();
|
||||
+ random_variable &= STACK_RND_MASK;
|
||||
random_variable <<= PAGE_SHIFT;
|
||||
}
|
||||
#ifdef CONFIG_STACK_GROWSUP
|
||||
--
|
||||
2.1.0
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
From: Seth Forshee <seth.forshee () canonical ! com>
|
||||
Date: Fri, 20 Feb 2015 17:45:11 -0500
|
||||
Subject: [PATCH] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input
|
||||
events
|
||||
|
||||
d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ)
|
||||
changed hid_get_input() to read ihid->bufsize bytes, which can be
|
||||
more than wMaxInputLength. This is the case with the Dell XPS 13
|
||||
9343, and it is causing events to be missed. In some cases the
|
||||
missed events are releases, which can cause the cursor to jump or
|
||||
freeze, among other problems. Limit the number of bytes read to
|
||||
min(wMaxInputLength, ihid->bufsize) to prevent such problems.
|
||||
|
||||
Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
|
||||
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
|
||||
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
|
||||
---
|
||||
drivers/hid/i2c-hid/i2c-hid.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
|
||||
index 80e33e0abc52..6d7c9c580ceb 100644
|
||||
--- a/drivers/hid/i2c-hid/i2c-hid.c
|
||||
+++ b/drivers/hid/i2c-hid/i2c-hid.c
|
||||
@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_client *client)
|
||||
static void i2c_hid_get_input(struct i2c_hid *ihid)
|
||||
{
|
||||
int ret, ret_size;
|
||||
- int size = ihid->bufsize;
|
||||
+ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
|
||||
+
|
||||
+ if (size > ihid->bufsize)
|
||||
+ size = ihid->bufsize;
|
||||
|
||||
ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
|
||||
if (ret != size) {
|
||||
--
|
||||
2.1.0
|
||||
|
29
kernel.spec
29
kernel.spec
|
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 201
|
||||
%global baserelease 200
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 8
|
||||
%define stable_update 9
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -619,8 +619,6 @@ Patch26121: Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
|
|||
Patch26126: uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
|
||||
Patch26127: uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch
|
||||
|
||||
#rhbz 1115713
|
||||
Patch26129: samsung-laptop-Add-use_native_backlight-quirk-and-en.patch
|
||||
#rhbz 1163574
|
||||
Patch26130: acpi-video-Add-disable_native_backlight-quirk-for-De.patch
|
||||
#rhbz 1094948
|
||||
|
@ -632,15 +630,9 @@ Patch30000: kernel-arm64.patch
|
|||
# Fix for big-endian arches, already upstream
|
||||
Patch30001: mpssd-x86-only.patch
|
||||
|
||||
#rhbz 1188074
|
||||
Patch30003: 0001-ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch
|
||||
|
||||
#rhbz 1186097
|
||||
Patch30004: acpi-video-add-disable_native_backlight_quirk_for_samsung_510r.patch
|
||||
|
||||
#CVE-2015-1593 rhbz 1192519 1192520
|
||||
Patch26135: ASLR-fix-stack-randomization-on-64-bit-systems.patch
|
||||
|
||||
#CVE-XXXX-XXXX rhbz 1189864 1192079
|
||||
Patch26136: vhost-scsi-potential-memory-corruption.patch
|
||||
|
||||
|
@ -650,9 +642,6 @@ Patch26142: NFS-fix-clp-cl_revoked-list-deletion-causing-softloc.patch
|
|||
#CVE-2015-0275 rhbz 1193907 1195178
|
||||
Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
|
||||
|
||||
#rhbz 1188439
|
||||
Patch26139: HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
|
||||
|
||||
#rhbz 1190947
|
||||
Patch26141: Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
|
||||
|
||||
|
@ -1383,8 +1372,6 @@ ApplyPatch Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
|
|||
ApplyPatch uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
|
||||
ApplyPatch uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch
|
||||
|
||||
#rhbz 1115713
|
||||
ApplyPatch samsung-laptop-Add-use_native_backlight-quirk-and-en.patch
|
||||
#rhbz 1163574
|
||||
ApplyPatch acpi-video-Add-disable_native_backlight-quirk-for-De.patch
|
||||
#rhbz 1094948
|
||||
|
@ -1393,24 +1380,15 @@ ApplyPatch acpi-video-Add-disable_native_backlight-quirk-for-Sa.patch
|
|||
# Fix for big-endian arches, already upstream
|
||||
ApplyPatch mpssd-x86-only.patch
|
||||
|
||||
#rhbz 1188074
|
||||
ApplyPatch 0001-ntp-Fixup-adjtimex-freq-validation-on-32bit-systems.patch
|
||||
|
||||
#rhbz 1186097
|
||||
ApplyPatch acpi-video-add-disable_native_backlight_quirk_for_samsung_510r.patch
|
||||
|
||||
#CVE-2015-1593 rhbz 1192519 1192520
|
||||
ApplyPatch ASLR-fix-stack-randomization-on-64-bit-systems.patch
|
||||
|
||||
#CVE-XXXX-XXXX rhbz 1189864 1192079
|
||||
ApplyPatch vhost-scsi-potential-memory-corruption.patch
|
||||
|
||||
#CVE-2015-0275 rhbz 1193907 1195178
|
||||
ApplyPatch ext4-Allocate-entire-range-in-zero-range.patch
|
||||
|
||||
#rhbz 1188439
|
||||
ApplyPatch HID-i2c-hid-Limit-reads-to-wMaxInputLength-bytes-for.patch
|
||||
|
||||
#rhbz 1190947
|
||||
ApplyPatch Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
|
||||
|
||||
|
@ -2287,6 +2265,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Mon Mar 09 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 3.18.9-200
|
||||
- Linux v3.18.9
|
||||
|
||||
* Mon Mar 02 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Add patch to fix nfsd soft lockup (rhbz 1185519)
|
||||
- Enable ET131X driver (rhbz 1197842)
|
||||
|
|
|
@ -1,107 +0,0 @@
|
|||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Fri, 9 Jan 2015 14:51:21 +0100
|
||||
Subject: [PATCH] samsung-laptop: Add use_native_backlight quirk, and enable it
|
||||
on some models
|
||||
|
||||
Since kernel 3.14 the backlight control has been broken on various Samsung
|
||||
Atom based netbooks. This has been bisected and this problem happens since
|
||||
commit b35684b8fa94 ("drm/i915: do full backlight setup at enable time")
|
||||
|
||||
This has been reported and discussed in detail here:
|
||||
http://lists.freedesktop.org/archives/intel-gfx/2014-July/049395.html
|
||||
|
||||
Unfortunately no-one has been able to fix this. This only affects Samsung
|
||||
Atom netbooks, and the Linux kernel and the BIOS of those laptops have never
|
||||
worked well together. All affected laptops already have a quirk to avoid using
|
||||
the standard acpi-video interface and instead use the samsung specific SABI
|
||||
interface which samsung-laptop uses. It seems that recent fixes to the i915
|
||||
driver have also broken backlight control through the SABI interface.
|
||||
|
||||
The intel_backlight driver OTOH works fine, and also allows for finer grained
|
||||
backlight control. So add a new use_native_backlight quirk, and replace the
|
||||
broken_acpi_video quirk with this quirk for affected models. This new quirk
|
||||
disables acpi-video as before and also stops samsung-laptop from registering
|
||||
the SABI based samsung_laptop backlight interface, leaving only the working
|
||||
intel_backlight interface.
|
||||
|
||||
This commit enables this new quirk for 3 models which are known to be affected,
|
||||
chances are that it needs to be used on other models too.
|
||||
|
||||
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1094948 # N145P
|
||||
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1115713 # N250P
|
||||
Reported-by: Bertrik Sikken <bertrik@sikken.nl> # N150P
|
||||
Cc: stable@vger.kernel.org # 3.16
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
---
|
||||
drivers/platform/x86/samsung-laptop.c | 20 +++++++++++++++++---
|
||||
1 file changed, 17 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
|
||||
index 864290243e46..477de0a9e1ee 100644
|
||||
--- a/drivers/platform/x86/samsung-laptop.c
|
||||
+++ b/drivers/platform/x86/samsung-laptop.c
|
||||
@@ -353,6 +353,7 @@ struct samsung_quirks {
|
||||
bool broken_acpi_video;
|
||||
bool four_kbd_backlight_levels;
|
||||
bool enable_kbd_backlight;
|
||||
+ bool use_native_backlight;
|
||||
};
|
||||
|
||||
static struct samsung_quirks samsung_unknown = {};
|
||||
@@ -361,6 +362,10 @@ static struct samsung_quirks samsung_broken_acpi_video = {
|
||||
.broken_acpi_video = true,
|
||||
};
|
||||
|
||||
+static struct samsung_quirks samsung_use_native_backlight = {
|
||||
+ .use_native_backlight = true,
|
||||
+};
|
||||
+
|
||||
static struct samsung_quirks samsung_np740u3e = {
|
||||
.four_kbd_backlight_levels = true,
|
||||
.enable_kbd_backlight = true,
|
||||
@@ -1507,7 +1512,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
|
||||
DMI_MATCH(DMI_PRODUCT_NAME, "N150P"),
|
||||
DMI_MATCH(DMI_BOARD_NAME, "N150P"),
|
||||
},
|
||||
- .driver_data = &samsung_broken_acpi_video,
|
||||
+ .driver_data = &samsung_use_native_backlight,
|
||||
},
|
||||
{
|
||||
.callback = samsung_dmi_matched,
|
||||
@@ -1517,7 +1522,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
|
||||
DMI_MATCH(DMI_PRODUCT_NAME, "N145P/N250P/N260P"),
|
||||
DMI_MATCH(DMI_BOARD_NAME, "N145P/N250P/N260P"),
|
||||
},
|
||||
- .driver_data = &samsung_broken_acpi_video,
|
||||
+ .driver_data = &samsung_use_native_backlight,
|
||||
},
|
||||
{
|
||||
.callback = samsung_dmi_matched,
|
||||
@@ -1557,7 +1562,7 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
|
||||
DMI_MATCH(DMI_PRODUCT_NAME, "N250P"),
|
||||
DMI_MATCH(DMI_BOARD_NAME, "N250P"),
|
||||
},
|
||||
- .driver_data = &samsung_broken_acpi_video,
|
||||
+ .driver_data = &samsung_use_native_backlight,
|
||||
},
|
||||
{
|
||||
.callback = samsung_dmi_matched,
|
||||
@@ -1626,6 +1631,15 @@ static int __init samsung_init(void)
|
||||
pr_info("Disabling ACPI video driver\n");
|
||||
acpi_video_unregister();
|
||||
}
|
||||
+
|
||||
+ if (samsung->quirks->use_native_backlight) {
|
||||
+ pr_info("Using native backlight driver\n");
|
||||
+ /* Tell acpi-video to not handle the backlight */
|
||||
+ acpi_video_dmi_promote_vendor();
|
||||
+ acpi_video_unregister();
|
||||
+ /* And also do not handle it ourselves */
|
||||
+ samsung->handle_backlight = false;
|
||||
+ }
|
||||
#endif
|
||||
|
||||
ret = samsung_platform_init(samsung);
|
||||
--
|
||||
2.1.0
|
||||
|
Loading…
Reference in New Issue