CVE-2014-8133 x86: espfix(64) bypass via set_thread_area and CLONE_SETTLS (rhbz 1172797 1174374)
parent
23afd37815
commit
c47527ae07
|
@ -26,5 +26,5 @@ index c68e72414a67..4277938af700 100644
|
|||
/* parse the table header to get the table length */
|
||||
if (count <= sizeof(struct acpi_table_header))
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -27,5 +27,5 @@ index 674c262907d9..d3e4c73d56a2 100644
|
|||
* disconnected while waiting for the lock to succeed. */
|
||||
usb_lock_device(hdev);
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -52,5 +52,5 @@ index ebe6a24cc1e1..5ce40e215f15 100644
|
|||
* All runtime access to EFI goes through this structure:
|
||||
*/
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -174,5 +174,5 @@ index 5ce40e215f15..41359e548bcb 100644
|
|||
* efi_range_is_wc - check the WC bit on an address range
|
||||
* @start: starting kvirt address
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -181,5 +181,5 @@ index f1d78afbe29f..ec12c156ea61 100644
|
|||
{
|
||||
#ifdef CONFIG_MODULE_SIG
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -59,5 +59,5 @@ index 1c47139d161c..f1d78afbe29f 100644
|
|||
+}
|
||||
+EXPORT_SYMBOL(secure_modules);
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -244,5 +244,5 @@ index ec12c156ea61..1db033284ad3 100644
|
|||
static int param_set_bool_enable_only(const char *val,
|
||||
const struct kernel_param *kp)
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -80,5 +80,5 @@ index 5014bb567b29..cebfaf288bd3 100644
|
|||
{ USB_VENDOR_ID_NEXIO, USB_DEVICE_ID_NEXIO_MULTITOUCH_PTI0750, HID_QUIRK_NO_INIT_REPORTS },
|
||||
{ USB_VENDOR_ID_NOVATEK, USB_DEVICE_ID_NOVATEK_MOUSE, HID_QUIRK_NO_INIT_REPORTS },
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -42,5 +42,5 @@ index aa6a08eb7ad6..c3cbbfb5811f 100644
|
|||
{ USB_DEVICE_WACOM(0x314) },
|
||||
{ USB_DEVICE_WACOM(0x315) },
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -107,5 +107,5 @@ index 875f64e8935b..c15e93f5a418 100644
|
|||
}
|
||||
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -181,5 +181,5 @@ index 000000000000..94b0eb38a284
|
|||
+}
|
||||
+late_initcall(load_uefi_certs);
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -79,5 +79,5 @@ index 94b0eb38a284..ae28b974d49a 100644
|
|||
|
||||
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -112,5 +112,5 @@ index b91c4da68365..98f5637304d1 100644
|
|||
|
||||
dev = pci_get_bus_and_slot(bus, dfn);
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -37,5 +37,5 @@ index cdf839f9defe..c63cf93b00eb 100644
|
|||
unsigned long to_write = min_t(unsigned long, count,
|
||||
(unsigned long)high_memory - p);
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -41,5 +41,5 @@ index 8e7e18567ae6..a3d293806f96 100644
|
|||
|
||||
/*
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -34,5 +34,5 @@ index 3abe9b223ba7..ee8f11cf65da 100644
|
|||
#endif
|
||||
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
From 905ef98a83d3782207c0bda8d093e8f654884a94 Mon Sep 17 00:00:00 2001
|
||||
From: Tejun Heo <tj@kernel.org>
|
||||
Date: Thu, 4 Dec 2014 13:13:28 -0500
|
||||
Subject: [PATCH] ahci: disable MSI on SAMSUNG 0xa800 SSD
|
||||
|
|
|
@ -41,5 +41,5 @@ index 86cdb52dbf8a..db4518ef755d 100644
|
|||
pinctrl-single,pins = <
|
||||
0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -65,5 +65,5 @@ index bde1777b62be..c7357bcc7d5c 100644
|
|||
|
||||
/include/ "tps65217.dtsi"
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -175,5 +175,5 @@ index c7357bcc7d5c..86cdb52dbf8a 100644
|
|||
+ };
|
||||
+};
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -37,5 +37,5 @@ index bf5349165542..acfff3befff5 100644
|
|||
compatible = "ti,tilcdc,slave";
|
||||
i2c = <&i2c0>;
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -34,5 +34,5 @@ index 305975d3f531..bf5349165542 100644
|
|||
};
|
||||
};
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -209,5 +209,5 @@ index 000000000000..7214475a3c36
|
|||
+ };
|
||||
+};
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -56,5 +56,5 @@ index 8c35ae4ff176..38e1dc3b4c6e 100644
|
|||
.init_machine = highbank_init,
|
||||
.dt_compat = highbank_match,
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -61,5 +61,5 @@ index 99b46f8030ad..8b6ddd16dcc5 100644
|
|||
+ status = "okay";
|
||||
+};
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -49,5 +49,5 @@ index 21fc932da3a1..c6d42ad95c08 100644
|
|||
1, asus->debug.method_id,
|
||||
&input, &output);
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -37,5 +37,5 @@ index 275205ab5f15..bb842623bdf6 100644
|
|||
"DMA failed to stop in %d ms AR_CR=0x%08x AR_DIAG_SW=0x%08x DMADBG_7=0x%08x\n",
|
||||
AH_RX_STOP_DMA_TIMEOUT / 1000,
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
From e95a7085483366d52dd93b9fe8258ea77b99b89a Mon Sep 17 00:00:00 2001
|
||||
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
|
||||
Date: Tue, 2 Dec 2014 09:53:25 +0200
|
||||
Subject: [PATCH] cfg80211: don't WARN about two consecutive Country IE hint
|
||||
|
@ -20,10 +19,10 @@ Acked-by: Luis R. Rodriguez <mcgrof@suse.com>
|
|||
1 file changed, 2 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
|
||||
index b725a31a4751..695f12b2c176 100644
|
||||
index 1afdf45db38f..e676723e29e2 100644
|
||||
--- a/net/wireless/reg.c
|
||||
+++ b/net/wireless/reg.c
|
||||
@@ -1839,11 +1839,8 @@ __reg_process_hint_country_ie(struct wiphy *wiphy,
|
||||
@@ -1799,11 +1799,8 @@ __reg_process_hint_country_ie(struct wiphy *wiphy,
|
||||
return REG_REQ_IGNORE;
|
||||
return REG_REQ_ALREADY_SET;
|
||||
}
|
||||
|
|
|
@ -505,5 +505,5 @@ index 000000000000..25ab9869d566
|
|||
+
|
||||
+#endif /* __CRASH_H__ */
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -31,5 +31,5 @@ index 3c866db603a7..bfb3c54d5286 100644
|
|||
help
|
||||
Provides the way to make tasks work with different objects using
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -28,5 +28,5 @@ index 56d46ffb08e1..1c8db250df88 100644
|
|||
#else
|
||||
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -57,5 +57,5 @@ index 9bb95eab6926..4b5015f27f9e 100644
|
|||
if (err)
|
||||
return err;
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -24,5 +24,5 @@ index 1f67aa02d240..86c21a24da46 100644
|
|||
NO_LIBUNWIND := 1
|
||||
else
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
|||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
|
||||
index 4b3c09636990..cff7f2e04de2 100644
|
||||
index 1b7375efc670..a6fb06cc6cf0 100644
|
||||
--- a/drivers/gpu/drm/i915/intel_dp.c
|
||||
+++ b/drivers/gpu/drm/i915/intel_dp.c
|
||||
@@ -1303,8 +1303,6 @@ static void edp_panel_vdd_off(struct intel_dp *intel_dp, bool sync)
|
||||
|
@ -25,5 +25,5 @@ index 4b3c09636990..cff7f2e04de2 100644
|
|||
|
||||
if (sync)
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -14,10 +14,10 @@ Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/0
|
|||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
|
||||
index b71a02663bae..c27b94be0a95 100644
|
||||
index 7bd17b3ee95c..15d8e8d97e46 100644
|
||||
--- a/drivers/gpu/drm/i915/intel_display.c
|
||||
+++ b/drivers/gpu/drm/i915/intel_display.c
|
||||
@@ -10656,7 +10656,7 @@ check_crtc_state(struct drm_device *dev)
|
||||
@@ -10660,7 +10660,7 @@ check_crtc_state(struct drm_device *dev)
|
||||
|
||||
if (active &&
|
||||
!intel_pipe_config_compare(dev, &crtc->config, &pipe_config)) {
|
||||
|
@ -27,5 +27,5 @@ index b71a02663bae..c27b94be0a95 100644
|
|||
"[hw state]");
|
||||
intel_dump_pipe_config(crtc, &crtc->config,
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -38,5 +38,5 @@ index 45cb4ffdea62..ebe6a24cc1e1 100644
|
|||
#ifdef CONFIG_EFI
|
||||
/*
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -53,5 +53,5 @@ index 975d11bfaf5b..94bf7819857a 100644
|
|||
}
|
||||
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -25,5 +25,5 @@ index 61542c282e70..e5ee669e87b6 100644
|
|||
---help---
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -34,5 +34,5 @@ index 1f35a3478f3c..5e2472fc3dda 100644
|
|||
|
||||
/**
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -29,5 +29,5 @@ index 6f5d79569136..95469f6ecfa5 100644
|
|||
case ATKBD_RET_ERR:
|
||||
atkbd->err_count++;
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -61,5 +61,5 @@ index ce82337521f6..a3fee4becc93 100644
|
|||
cp = can_get_proto(protocol);
|
||||
}
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -121,5 +121,5 @@ index 86a4fe75f453..161637ed5611 100644
|
|||
|
||||
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -635,6 +635,9 @@ Patch26095: ahci-disable-MSI-on-SAMSUNG-0xa800-SSD.patch
|
|||
#rhbz 1172543
|
||||
Patch26096: cfg80211-don-t-WARN-about-two-consecutive-Country-IE.patch
|
||||
|
||||
#CVE-2014-8133 rhbz 1172797 1174374
|
||||
Patch26100: x86-tls-Validate-TLS-entries-to-protect-espfix.patch
|
||||
|
||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||
Patch30000: kernel-arm64.patch
|
||||
|
||||
|
@ -1380,6 +1383,9 @@ ApplyPatch ahci-disable-MSI-on-SAMSUNG-0xa800-SSD.patch
|
|||
#rhbz 1172543
|
||||
ApplyPatch cfg80211-don-t-WARN-about-two-consecutive-Country-IE.patch
|
||||
|
||||
#CVE-2014-8133 rhbz 1172797 1174374
|
||||
ApplyPatch x86-tls-Validate-TLS-entries-to-protect-espfix.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
|
@ -2254,6 +2260,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Mon Dec 15 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-8133 x86: espfix(64) bypass via set_thread_area and CLONE_SETTLS (rhbz 1172797 1174374)
|
||||
|
||||
* Fri Dec 12 2014 Kyle McMartin <kyle@fedoraproject.org>
|
||||
- build in ahci_platform on aarch64 temporarily.
|
||||
|
||||
|
|
|
@ -39,5 +39,5 @@ index 2bee072268d9..891477dbfee0 100644
|
|||
* This leaves us room for future extensions.
|
||||
*/
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -33,5 +33,5 @@ index 54cf309a92a5..64f8bb4882fb 100644
|
|||
Use dynamic allocation for cpumask_var_t, instead of putting
|
||||
them on the stack. This is a bit more expensive, but avoids
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -74,5 +74,5 @@ index 3ef4627f9cb1..2b2d2e8e5eeb 100644
|
|||
return err;
|
||||
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -21,5 +21,5 @@ index 674a2cfc3c0e..9a2807227c69 100644
|
|||
static int pcspkr_event(struct input_dev *dev, unsigned int type, unsigned int code, int value)
|
||||
{
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -26,5 +26,5 @@ index 86c21a24da46..bf0fe97bd358 100644
|
|||
|
||||
# Shell quote (do not use $(call) to accommodate ancient setups);
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -33,5 +33,5 @@ index 95dd9cf55cb3..800fc34d7ea9 100644
|
|||
MODULE_AUTHOR("Tony Lindgren <tony@atomide.com>");
|
||||
MODULE_DESCRIPTION("One-register-per-pin type device tree based pinctrl driver");
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -20,5 +20,5 @@ index a7c23a4b3778..d73ef8bb08c7 100644
|
|||
/*
|
||||
* When saving the callchain on Power, the kernel conservatively saves
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -53,10 +53,10 @@ index 2f0b39d59a9b..f4cf664c7db3 100644
|
|||
struct psmouse_attribute {
|
||||
struct device_attribute dattr;
|
||||
diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
|
||||
index 2e8f3ba7b2bd..2a7a9174c702 100644
|
||||
index 3ebfb0386300..f9472920d986 100644
|
||||
--- a/drivers/input/mouse/synaptics.c
|
||||
+++ b/drivers/input/mouse/synaptics.c
|
||||
@@ -186,18 +186,6 @@ static const char * const topbuttonpad_pnp_ids[] = {
|
||||
@@ -190,18 +190,6 @@ static const char * const topbuttonpad_pnp_ids[] = {
|
||||
NULL
|
||||
};
|
||||
|
||||
|
@ -75,7 +75,7 @@ index 2e8f3ba7b2bd..2a7a9174c702 100644
|
|||
/*****************************************************************************
|
||||
* Synaptics communications functions
|
||||
****************************************************************************/
|
||||
@@ -363,7 +351,8 @@ static int synaptics_resolution(struct psmouse *psmouse)
|
||||
@@ -367,7 +355,8 @@ static int synaptics_resolution(struct psmouse *psmouse)
|
||||
}
|
||||
|
||||
for (i = 0; min_max_pnpid_table[i].pnp_ids; i++) {
|
||||
|
@ -85,7 +85,7 @@ index 2e8f3ba7b2bd..2a7a9174c702 100644
|
|||
priv->x_min = min_max_pnpid_table[i].x_min;
|
||||
priv->x_max = min_max_pnpid_table[i].x_max;
|
||||
priv->y_min = min_max_pnpid_table[i].y_min;
|
||||
@@ -1495,7 +1484,7 @@ static void set_input_params(struct psmouse *psmouse,
|
||||
@@ -1499,7 +1488,7 @@ static void set_input_params(struct psmouse *psmouse,
|
||||
|
||||
if (SYN_CAP_CLICKPAD(priv->ext_cap_0c)) {
|
||||
__set_bit(INPUT_PROP_BUTTONPAD, dev->propbit);
|
||||
|
@ -95,5 +95,5 @@ index 2e8f3ba7b2bd..2a7a9174c702 100644
|
|||
/* Clickpads report only left button */
|
||||
__clear_bit(BTN_RIGHT, dev->keybit);
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -153,5 +153,5 @@ index 02e68c3008a3..2c8c8e2172a2 100644
|
|||
* Reset to defaults in case the device got confused by extended
|
||||
* protocol probes. Note that we follow up with full reset because
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -35,5 +35,5 @@ index ff765d8e1a09..864290243e46 100644
|
|||
};
|
||||
MODULE_DEVICE_TABLE(dmi, samsung_dmi_table);
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -33,5 +33,5 @@ index 2c2041ca4b70..e10812d985af 100644
|
|||
* If the device is offline, don't try and read capacity or any
|
||||
* of the other niceties.
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -51,5 +51,5 @@ index 57b1d44acbfe..31048a85713d 100644
|
|||
|
||||
#ifdef MODULE
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
From 37a72caa7f031da7b3e63252c1f0023b8272203c Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Fri, 5 Dec 2014 11:06:36 +0100
|
||||
Subject: [PATCH 2/3] uas: Add US_FL_NO_ATA_1X for Seagate devices with usb-id
|
||||
Subject: [PATCH] uas: Add US_FL_NO_ATA_1X for Seagate devices with usb-id
|
||||
0bc2:a013
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
From a7ea9a460f28ef9781ba8dad4a6feb5fd01202f2 Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Mon, 8 Dec 2014 09:46:36 +0100
|
||||
Subject: [PATCH 3/3] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS566 with
|
||||
Subject: [PATCH] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS566 with
|
||||
usb-id 0bc2:a013
|
||||
|
||||
Like the JMicron JMS567 enclosures with the JMS566 choke on report-opcodes,
|
||||
|
|
|
@ -74,5 +74,5 @@ index a8d6914030fe..d0a8c308170d 100644
|
|||
|
||||
if (watchdog_user_enabled)
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -66,5 +66,5 @@ index 917403fe10da..cdf839f9defe 100644
|
|||
return -EFAULT;
|
||||
while (count-- > 0 && i < 65536) {
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -38,5 +38,5 @@ index c9603ac80de5..8bef43fc3f40 100644
|
|||
err = -EFAULT;
|
||||
break;
|
||||
--
|
||||
1.9.3
|
||||
2.1.0
|
||||
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
From 0fdb006a5af7f391a6de4ce810aba4af46c427e4 Mon Sep 17 00:00:00 2001
|
||||
From: Andy Lutomirski <luto@amacapital.net>
|
||||
Date: Fri, 5 Dec 2014 19:03:28 -0800
|
||||
Subject: [PATCH] x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's
|
||||
|
|
|
@ -0,0 +1,77 @@
|
|||
From: Andy Lutomirski <luto@amacapital.net>
|
||||
Date: Thu, 4 Dec 2014 16:48:16 -0800
|
||||
Subject: [PATCH] x86/tls: Validate TLS entries to protect espfix
|
||||
|
||||
Installing a 16-bit RW data segment into the GDT defeats espfix.
|
||||
AFAICT this will not affect glibc, Wine, or dosemu at all.
|
||||
|
||||
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
|
||||
Acked-by: H. Peter Anvin <hpa@zytor.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: security@kernel.org <security@kernel.org>
|
||||
Cc: Willy Tarreau <w@1wt.eu>
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
---
|
||||
arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++
|
||||
1 file changed, 23 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
|
||||
index f7fec09e3e3a..e7650bd71109 100644
|
||||
--- a/arch/x86/kernel/tls.c
|
||||
+++ b/arch/x86/kernel/tls.c
|
||||
@@ -27,6 +27,21 @@ static int get_free_idx(void)
|
||||
return -ESRCH;
|
||||
}
|
||||
|
||||
+static bool tls_desc_okay(const struct user_desc *info)
|
||||
+{
|
||||
+ if (LDT_empty(info))
|
||||
+ return true;
|
||||
+
|
||||
+ /*
|
||||
+ * espfix is required for 16-bit data segments, but espfix
|
||||
+ * only works for LDT segments.
|
||||
+ */
|
||||
+ if (!info->seg_32bit)
|
||||
+ return false;
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
static void set_tls_desc(struct task_struct *p, int idx,
|
||||
const struct user_desc *info, int n)
|
||||
{
|
||||
@@ -66,6 +81,9 @@ int do_set_thread_area(struct task_struct *p, int idx,
|
||||
if (copy_from_user(&info, u_info, sizeof(info)))
|
||||
return -EFAULT;
|
||||
|
||||
+ if (!tls_desc_okay(&info))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (idx == -1)
|
||||
idx = info.entry_number;
|
||||
|
||||
@@ -192,6 +210,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
|
||||
{
|
||||
struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
|
||||
const struct user_desc *info;
|
||||
+ int i;
|
||||
|
||||
if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
|
||||
(pos % sizeof(struct user_desc)) != 0 ||
|
||||
@@ -205,6 +224,10 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
|
||||
else
|
||||
info = infobuf;
|
||||
|
||||
+ for (i = 0; i < count / sizeof(struct user_desc); i++)
|
||||
+ if (!tls_desc_okay(info + i))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
set_tls_desc(target,
|
||||
GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
|
||||
info, count / sizeof(struct user_desc));
|
||||
--
|
||||
2.1.0
|
||||
|
|
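Review bot: `tls_desc_okay()` rejects only descriptors with `seg_32bit` clear, so the other `struct user_desc` fields that shape the resulting GDT entry (`contents`, `seg_not_present`) still reach `set_tls_desc()` unchecked from both `do_set_thread_area()` and `regset_tls_set()`. TLS slots only need ordinary present data segments, so I would tighten the validator with `if (info->contents > 1) return false;` and `if (info->seg_not_present) return false;`, each with a one-line comment giving the reason (data segments only; an entry is removed by clearing it, not by marking it non-present). Whether any existing userspace depends on those descriptor forms is not visible here and should be confirmed before tightening. A smaller point in `regset_tls_set()`: `int i` is compared against `count / sizeof(struct user_desc)`, which is unsigned, so `unsigned int i` would avoid the mixed-sign comparison. The bodies of `do_set_thread_area()` and `regset_tls_set()` continue outside the hunks shown.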
@ -1,8 +1,7 @@
|
|||
From e6a429eb0bfa03e3dca62e3922874d768833395f Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Fri, 5 Dec 2014 11:01:00 +0100
|
||||
Subject: [PATCH 1/3] xhci: Add broken-streams quirk for Fresco Logic FL1000G
|
||||
xhci controllers
|
||||
Subject: [PATCH] xhci: Add broken-streams quirk for Fresco Logic FL1000G xhci
|
||||
controllers
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
|