rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

3.10-rc4 

merged: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch
  merged: iscsi-target-fix-heap-buffer-overflow-on-error.patch
This commit is contained in:
Dave Jones 2013-06-04 17:14:21 -04:00
parent f58391d7ed
commit bc6523eec2
5 changed files with 37 additions and 193 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
Modify-UEFI-anti-bricking-code.patch
View File

@ -1,7 +1,14 @@
From 2380baac8b96f6e93ef72135d1b60d686d7f82e6 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Sat, 1 Jun 2013 16:06:20 -0400
To: rja@sgi.com
Cc: mingo@kernel.org, torvalds@linux-foundation.org, bp@alien8.de,
jkosina@suse.cz, jlee@suse.com, matt.fleming@intel.com,
linux-efi@vger.kernel.org, x86@kernel.org,
linux-kernel@vger.kernel.org, tglx@linutronix.de, hpa@linux.intel.com,
akpm@linux-foundation.org,
Matthew Garrett <matthew.garrett@nebula.com>
Subject: [PATCH] Modify UEFI anti-bricking code
Date: Sat, 1 Jun 2013 16:06:20 -0400
Message-Id: <1370117180-1712-1-git-send-email-matthew.garrett@nebula.com>
This patch reworks the UEFI anti-bricking code, including an effective
reversion of cc5a080c and 31ff2f20. It turns out that calling
@ -33,8 +40,8 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
arch/x86/boot/compressed/eboot.c | 47 ----------
arch/x86/include/asm/efi.h | 7 --
arch/x86/include/uapi/asm/bootparam.h | 1 -
arch/x86/platform/efi/efi.c | 167 +++++++++-------------------------
4 files changed, 44 insertions(+), 178 deletions(-)
arch/x86/platform/efi/efi.c | 169 +++++++++-------------------------
4 files changed, 45 insertions(+), 179 deletions(-)
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 35ee62f..c205035 100644
@ -132,10 +139,10 @@ index 0874424..c15ddaf 100644
/* ram_size flags */
#define RAMDISK_IMAGE_START_MASK 0x07FF
diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
index e4a86a6..beb5d5f 100644
index 82089d8..63e167a 100644
--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -41,7 +41,6 @@
@@ -42,7 +42,6 @@
#include <linux/io.h>
#include <linux/reboot.h>
#include <linux/bcd.h>
@ -143,7 +150,7 @@ index e4a86a6..beb5d5f 100644
#include <asm/setup.h>
#include <asm/efi.h>
@@ -52,13 +51,6 @@
@@ -54,13 +53,6 @@
#define EFI_DEBUG 1
@ -157,7 +164,7 @@ index e4a86a6..beb5d5f 100644
struct efi __read_mostly efi = {
.mps = EFI_INVALID_TABLE_ADDR,
.acpi = EFI_INVALID_TABLE_ADDR,
@@ -77,13 +69,6 @@ struct efi_memory_map memmap;
@@ -79,13 +71,6 @@ struct efi_memory_map memmap;
static struct efi efi_phys __initdata;
static efi_system_table_t efi_systab __initdata;
@ -171,7 +178,7 @@ index e4a86a6..beb5d5f 100644
unsigned long x86_efi_facility;
/*
@@ -186,53 +171,8 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size,
@@ -188,53 +173,8 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size,
efi_char16_t *name,
efi_guid_t *vendor)
{
@ -180,8 +187,7 @@ index e4a86a6..beb5d5f 100644
- static u64 var_size;
-
- status = efi_call_virt3(get_next_variable,
+ return efi_call_virt3(get_next_variable,
name_size, name, vendor);
- name_size, name, vendor);
-
- if (status == EFI_NOT_FOUND) {
- finished = true;
@ -194,7 +200,7 @@ index e4a86a6..beb5d5f 100644
- }
-
- if (boot_used_size && !finished) {
- unsigned long size;
- unsigned long size = 0;
- u32 attr;
- efi_status_t s;
- void *tmp;
@ -223,10 +229,12 @@ index e4a86a6..beb5d5f 100644
- }
-
- return status;
+ return efi_call_virt3(get_next_variable,
+ name_size, name, vendor);
}
static efi_status_t virt_efi_set_variable(efi_char16_t *name,
@@ -241,34 +181,9 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name,
@@ -243,34 +183,9 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name,
unsigned long data_size,
void *data)
{
@ -264,7 +272,7 @@ index e4a86a6..beb5d5f 100644
}
static efi_status_t virt_efi_query_variable_info(u32 attr,
@@ -776,9 +691,6 @@ void __init efi_init(void)
@@ -786,9 +701,6 @@ void __init efi_init(void)
char vendor[100] = "unknown";
int i = 0;
void *tmp;
@ -274,7 +282,7 @@ index e4a86a6..beb5d5f 100644
#ifdef CONFIG_X86_32
if (boot_params.efi_info.efi_systab_hi ||
@@ -796,22 +708,6 @@ void __init efi_init(void)
@@ -806,22 +718,6 @@ void __init efi_init(void)
if (efi_systab_init(efi_phys.systab))
return;
@ -297,7 +305,7 @@ index e4a86a6..beb5d5f 100644
set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
/*
@@ -1131,28 +1027,53 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size)
@@ -1141,28 +1037,53 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size)
if (status != EFI_SUCCESS)
return status;
@ -369,3 +377,8 @@ index e4a86a6..beb5d5f 100644
--
1.8.1.4
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

63
iscsi-target-fix-heap-buffer-overflow-on-error.patch
View File

@ -1,63 +0,0 @@
From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Thu, 23 May 2013 17:32:17 +0000
Subject: iscsi-target: fix heap buffer overflow on error
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
error response packet, generated by iscsi_add_notunderstood_response(),
would still attempt to copy the entire key into the packet, overflowing
the structure on the heap.
Remote preauthentication kernel memory corruption was possible if a
target was configured and listening on the network.
CVE-2013-2850
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
index c2185fc..e382221 100644
--- a/drivers/target/iscsi/iscsi_target_parameters.c
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
}
INIT_LIST_HEAD(&extra_response->er_list);
- strncpy(extra_response->key, key, strlen(key) + 1);
- strncpy(extra_response->value, NOTUNDERSTOOD,
- strlen(NOTUNDERSTOOD) + 1);
+ strlcpy(extra_response->key, key, sizeof(extra_response->key));
+ strlcpy(extra_response->value, NOTUNDERSTOOD,
+ sizeof(extra_response->value));
list_add_tail(&extra_response->er_list,
&param_list->extra_response_list);
@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
if (phase & PHASE_SECURITY) {
if (iscsi_check_for_auth_key(key) > 0) {
- char *tmpptr = key + strlen(key);
- *tmpptr = '=';
kfree(tmpbuf);
return 1;
}
diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
index 915b067..a47046a 100644
--- a/drivers/target/iscsi/iscsi_target_parameters.h
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
@@ -1,8 +1,10 @@
#ifndef ISCSI_PARAMETERS_H
#define ISCSI_PARAMETERS_H
+#include <scsi/iscsi_proto.h>
+
struct iscsi_extra_response {
- char key[64];
+ char key[KEY_MAXLEN];
char value[32];
struct list_head er_list;
} ____cacheline_aligned;
--
cgit v0.9.2

21
kernel.spec
View File

@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
%global baserelease 2
%global baserelease 1
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -93,7 +93,7 @@ Summary: The Linux kernel
# The next upstream release sublevel (base_sublevel+1)
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
# The rc snapshot level
%define rcrev 3
%define rcrev 4
# The git snapshot level
%define gitrev 0
# Set rpm version accordingly
@ -733,18 +733,12 @@ Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
#rhbz 927469
Patch23006: fix-child-thread-introspection.patch
#rhbz 961527
Patch25021: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch
#rhbz 964367
Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
#rhbz 948262
Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
#CVE-2013-2850 rhbz 968036 969272
Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch
#rhbz 964335
Patch25026: Modify-UEFI-anti-bricking-code.patch
@ -1424,18 +1418,12 @@ ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
#rhbz 927469
ApplyPatch fix-child-thread-introspection.patch
#rhbz 961527
ApplyPatch radeon-use-max_bus-speed-to-activate-gen2-speeds.patch
#rhbz 964367
ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
#rhbz 948262
ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
#CVE-2013-2850 rhbz 968036 969272
ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch
#rhbz 964335
ApplyPatch Modify-UEFI-anti-bricking-code.patch
@ -2244,6 +2232,11 @@ fi
# ||----w |
# || ||
%changelog
* Tue Jun 04 2013 Dave Jones <davej@redhat.com> - 3.10.0-0.rc4.git0.1
- 3.10-rc4
merged: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch
merged: iscsi-target-fix-heap-buffer-overflow-on-error.patch
* Mon Jun 03 2013 Josh Boyer <jwboyer@redhat.com>
- Fix UEFI anti-bricking code (rhbz 964335)

99
radeon-use-max_bus-speed-to-activate-gen2-speeds.patch
View File

@ -1,99 +0,0 @@
radeon: use max_bus_speed to activate gen2 speeds
radeon currently uses a drm function to get the speed capabilities for
the bus, drm_pcie_get_speed_cap_mask. However, this is a non-standard
method of performing this detection and this patch changes it to use
the max_bus_speed attribute.
From: Lucas Kannebley Tavares <lucaskt at linux.vnet.ibm.com>
Signed-off-by: Kleber Sacilotto de Souza <klebers at linux.vnet.ibm.com>
---
drivers/gpu/drm/radeon/evergreen.c | 10 +++-------
drivers/gpu/drm/radeon/r600.c | 9 ++-------
drivers/gpu/drm/radeon/rv770.c | 9 ++-------
3 files changed, 7 insertions(+), 21 deletions(-)
diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
index 105bafb..3966696 100644
--- a/drivers/gpu/drm/radeon/evergreen.c
+++ b/drivers/gpu/drm/radeon/evergreen.c
@@ -4992,8 +4992,7 @@ void evergreen_fini(struct radeon_device *rdev)
void evergreen_pcie_gen2_enable(struct radeon_device *rdev)
{
- u32 link_width_cntl, speed_cntl, mask;
- int ret;
+ u32 link_width_cntl, speed_cntl;
if (radeon_pcie_gen2 == 0)
return;
@@ -5008,11 +5007,8 @@ void evergreen_pcie_gen2_enable(struct radeon_device *rdev)
if (ASIC_IS_X2(rdev))
return;
- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask);
- if (ret != 0)
- return;
-
- if (!(mask & DRM_PCIE_SPEED_50))
+ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) &&
+ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT))
return;
speed_cntl = RREG32_PCIE_PORT(PCIE_LC_SPEED_CNTL);
diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
index 1a08008..b45e648 100644
--- a/drivers/gpu/drm/radeon/r600.c
+++ b/drivers/gpu/drm/radeon/r600.c
@@ -4631,8 +4631,6 @@ static void r600_pcie_gen2_enable(struct radeon_device *rdev)
{
u32 link_width_cntl, lanes, speed_cntl, training_cntl, tmp;
u16 link_cntl2;
- u32 mask;
- int ret;
if (radeon_pcie_gen2 == 0)
return;
@@ -4651,11 +4649,8 @@ static void r600_pcie_gen2_enable(struct radeon_device *rdev)
if (rdev->family <= CHIP_R600)
return;
- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask);
- if (ret != 0)
- return;
-
- if (!(mask & DRM_PCIE_SPEED_50))
+ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) &&
+ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT))
return;
speed_cntl = RREG32_PCIE_PORT(PCIE_LC_SPEED_CNTL);
diff --git a/drivers/gpu/drm/radeon/rv770.c b/drivers/gpu/drm/radeon/rv770.c
index 83f612a..a6af4aa 100644
--- a/drivers/gpu/drm/radeon/rv770.c
+++ b/drivers/gpu/drm/radeon/rv770.c
@@ -2113,8 +2113,6 @@ static void rv770_pcie_gen2_enable(struct radeon_device *rdev)
{
u32 link_width_cntl, lanes, speed_cntl, tmp;
u16 link_cntl2;
- u32 mask;
- int ret;
if (radeon_pcie_gen2 == 0)
return;
@@ -2129,11 +2127,8 @@ static void rv770_pcie_gen2_enable(struct radeon_device *rdev)
if (ASIC_IS_X2(rdev))
return;
- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask);
- if (ret != 0)
- return;
-
- if (!(mask & DRM_PCIE_SPEED_50))
+ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) &&
+ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT))
return;
DRM_INFO("enabling PCIE gen 2 link speeds, disable with radeon.pcie_gen2=0\n");
--
1.7.1

2
sources
View File

@ -1,2 +1,2 @@
4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
bc974df2cd7a1b1216a2c518ce4ab756 patch-3.10-rc3.xz
ae685dcb736096739eb20122a1395f6e patch-3.10-rc4.xz