3.15.3

2014-07-01 08:28:38 -05:00 · 2014-07-01 08:28:38 -05:00 · c67f8002d6
parent ea3f980e15
commit c67f8002d6
5 changed files with 5 additions and 240 deletions
--- a/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
+++ b/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
@ -1,48 +0,0 @@
-Bugzilla: 1112975
-Upstream-status: 3.16 and CC'd to stable
-
-From f8567a3845ac05bb28f3c1b478ef752762bd39ef Mon Sep 17 00:00:00 2001
-From: Benjamin LaHaise <bcrl@kvack.org>
-Date: Tue, 24 Jun 2014 13:12:55 -0400
-Subject: [PATCH] aio: fix aio request leak when events are reaped by userspace
-
-The aio cleanups and optimizations by kmo that were merged into the 3.10
-tree added a regression for userspace event reaping.  Specifically, the
-reference counts are not decremented if the event is reaped in userspace,
-leading to the application being unable to submit further aio requests.
-This patch applies to 3.12+.  A separate backport is required for 3.10/3.11.
-This issue was uncovered as part of CVE-2014-0206.
-
-Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
-Cc: stable@vger.kernel.org
-Cc: Kent Overstreet <kmo@daterainc.com>
-Cc: Mateusz Guzik <mguzik@redhat.com>
-Cc: Petr Matousek <pmatouse@redhat.com>
---
- fs/aio.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 4f078c054b41..6a9c7e489adf 100644
--- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
- 
- 	/* everything turned out well, dispose of the aiocb. */
- 	kiocb_free(iocb);
-+	put_reqs_available(ctx, 1);
- 
- 	/*
- 	 * We have to order our ring_info tail store above and test
-@@ -1100,8 +1101,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
- 	flush_dcache_page(ctx->ring_pages[0]);
- 
- 	pr_debug("%li  h%u t%u\n", ret, head, tail);
-
-	put_reqs_available(ctx, ret);
- out:
- 	mutex_unlock(&ctx->ring_lock);
- 
-- 
-1.9.3
-
--- a/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
+++ b/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
@ -1,46 +0,0 @@
-Bugzilla: 1112975
-Upstream-status: 3.16 and CC'd to stable
-
-From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001
-From: Benjamin LaHaise <bcrl@kvack.org>
-Date: Tue, 24 Jun 2014 13:32:51 -0400
-Subject: [PATCH] aio: fix kernel memory disclosure in io_getevents()
- introduced in v3.10
-
-A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
-by commit a31ad380bed817aa25f8830ad23e1a0480fef797.  The changes made to
-aio_read_events_ring() failed to correctly limit the index into
-ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of
-an arbitrary page with a copy_to_user() to copy the contents into userspace.
-This vulnerability has been assigned CVE-2014-0206.  Thanks to Mateusz and
-Petr for disclosing this issue.
-
-This patch applies to v3.12+.  A separate backport is needed for 3.10/3.11.
-
-Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
-Cc: Mateusz Guzik <mguzik@redhat.com>
-Cc: Petr Matousek <pmatouse@redhat.com>
-Cc: Kent Overstreet <kmo@daterainc.com>
-Cc: Jeff Moyer <jmoyer@redhat.com>
-Cc: stable@vger.kernel.org
---
- fs/aio.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 6a9c7e489adf..955947ef3e02 100644
--- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1063,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx,
- 	if (head == tail)
- 		goto out;
- 
-+	head %= ctx->nr_events;
-+	tail %= ctx->nr_events;
-+
- 	while (ret < nr) {
- 		long avail;
- 		struct io_event *ev;
-- 
-1.9.3
-
--- a/kernel.spec
+++ b/kernel.spec
@ -74,7 +74,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}

 # Do we have a -stable update to apply?
-%define stable_update 2
+%define stable_update 3
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@ -749,13 +749,6 @@ Patch25102: intel_pstate-Fix-setting-VID.patch
 Patch25103: intel_pstate-dont-touch-turbo-bit-if-turbo-disabled-or-unavailable.patch
 Patch25104: intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.patch

-#CVE-2014-4508 rhbz 1111590 1112073
-Patch25106: x86_32-entry-Do-syscall-exit-work-on-badsys.patch
-
-#CVE-2014-0206 rhbz 1094602 1112975
-Patch25107: aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
-Patch25108: aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
-
 Patch25109: revert-input-wacom-testing-result-shows-get_report-is-unnecessary.patch

 #rhbz 1021036, submitted upstream
@ -1475,13 +1468,6 @@ ApplyPatch intel_pstate-Fix-setting-VID.patch
 ApplyPatch intel_pstate-dont-touch-turbo-bit-if-turbo-disabled-or-unavailable.patch
 ApplyPatch intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.patch

-#CVE-2014-4508 rhbz 1111590 1112073
-ApplyPatch x86_32-entry-Do-syscall-exit-work-on-badsys.patch
-
-#CVE-2014-0206 rhbz 1094602 1112975
-ApplyPatch aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch
-ApplyPatch aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch
-
 ApplyPatch revert-input-wacom-testing-result-shows-get_report-is-unnecessary.patch

 #rhbz 1021036, submitted upstream
@ -2304,6 +2290,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Tue Jul  1 2014 Justin M. Forbes <jforbes@fedoraproject.org>
+- Linux v3.15.3
+
 * Tue Jul  1 2014 Hans de Goede <hdegoede@redhat.com>
 - Add min/max quirk for the ThinkPad Edge E531 touchpad (rhbz#1114768)

--- a/2
+++ b/2
@ -1,2 +1,2 @@
 97ca1625bb40368dc41b9a7971549071  linux-3.15.tar.xz
-53eb7e210c9330021e60ffe2c5081e19  patch-3.15.2.xz
+a2057d9b11f013482e2a7072552f3f02  patch-3.15.3.xz
--- a/x86_32-entry-Do-syscall-exit-work-on-badsys.patch
+++ b/x86_32-entry-Do-syscall-exit-work-on-badsys.patch
@ -1,130 +0,0 @@
-Bugzilla: 1112073
-Upstream-status: Sent for 3.16 and CC'd to stable                                                                                                                                                                                                                                                               
-Delivered-To: jwboyer@gmail.com
-Received: by 10.76.6.212 with SMTP id d20csp139586oaa;
-        Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
-X-Received: by 10.68.222.196 with SMTP id qo4mr32453892pbc.14.1403558895116;
-        Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
-Return-Path: <stable-owner@vger.kernel.org>
-Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
-        by mx.google.com with ESMTP id bm3si23587434pad.232.2014.06.23.14.27.47
-        for <multiple recipients>;
-        Mon, 23 Jun 2014 14:28:15 -0700 (PDT)
-Received-SPF: none (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) client-ip=209.132.180.67;
-Authentication-Results: mx.google.com;
-       spf=neutral (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) smtp.mail=stable-owner@vger.kernel.org
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-	id S1752475AbaFWVWX (ORCPT <rfc822;tuffkidtt@gmail.com> + 73 others);
-	Mon, 23 Jun 2014 17:22:23 -0400
-Received: from mail-pb0-f42.google.com ([209.85.160.42]:39692 "EHLO
-	mail-pb0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
-	with ESMTP id S1752518AbaFWVWW (ORCPT
-	<rfc822;stable@vger.kernel.org>); Mon, 23 Jun 2014 17:22:22 -0400
-Received: by mail-pb0-f42.google.com with SMTP id ma3so6319797pbc.15
-        for <stable@vger.kernel.org>; Mon, 23 Jun 2014 14:22:21 -0700 (PDT)
-X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
-        d=1e100.net; s=20130820;
-        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
-         :references:mime-version:content-type:content-transfer-encoding;
-        bh=7AW5eK5e3OhAcFYPrsffKoD56CbJdqfg9BcyF1JKfUE=;
-        b=iLlWTJCuH9FlKTif4N6XtFZNvj8a/fbsjuP4kWWD/gmHHGEOWI6bh2Jm8X3vcN6GtV
-         f7rqFO0SAMf197e66uME3pq8NzYFad4eRgJpBGON93P22+cPbqrsT9FZjMZqn2bJkEw4
-         EDZZy2MFqm3Kx2m/5g76NLDV1tgafEnwbgL1vg6IxlbPi6J8inkXwKP3FdMoTcfRBO6p
-         dIcI1cV7VDNf6zKaMj+XS/ZiSxqpArhwvZ6xnXRmLfgD+x/JsxEcg2pX03BXHTKO9QNm
-         nixe+cuug0X0E5idHuiLJzV0Wf6IhYsvVz/FvjY16pggduecA2NgNU2e7txqb+IcTBZ/
-         jBbA==
-X-Gm-Message-State: ALoCoQlblcwmTrVjpekrIOzidDrxwB18p5Rfd5SObiPQifpOQZmSFUKrxzV0kxCjcW/wVwxOzAG7
-X-Received: by 10.68.197.8 with SMTP id iq8mr32930210pbc.124.1403558541680;
-        Mon, 23 Jun 2014 14:22:21 -0700 (PDT)
-Received: from localhost (50-76-60-73-ip-static.hfc.comcastbusiness.net. [50.76.60.73])
-        by mx.google.com with ESMTPSA id fl6sm99195659pab.43.2014.06.23.14.22.19
-        for <multiple recipients>
-        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
-        Mon, 23 Jun 2014 14:22:20 -0700 (PDT)
-From:	Andy Lutomirski <luto@amacapital.net>
-Cc:	"H. Peter Anvin" <hpa@zytor.com>,
-	Richard Weinberger <richard@nod.at>, X86 ML <x86@kernel.org>,
-	Eric Paris <eparis@redhat.com>,
-	Linux Kernel <linux-kernel@vger.kernel.org>,
-	security@kernel.org, Steven Rostedt <rostedt@goodmis.org>,
-	Borislav Petkov <bp@alien8.de>,
-	=?UTF-8?q?Toralf=20F=C3=B6rster?= <toralf.foerster@gmx.de>,
-	Andy Lutomirski <luto@amacapital.net>, stable@vger.kernel.org,
-	Roland McGrath <roland@redhat.com>
-Subject: [PATCH] x86_32,entry: Do syscall exit work on badsys (CVE-2014-4508)
-Date:	Mon, 23 Jun 2014 14:22:15 -0700
-Message-Id: <e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net>
-X-Mailer: git-send-email 1.9.3
-In-Reply-To: <CA+5PVA70nFS8JZkL0-Q-1HjFHT5NA04275_M4WstjQMrpT+hrQ@mail.gmail.com>
-References: <CA+5PVA70nFS8JZkL0-Q-1HjFHT5NA04275_M4WstjQMrpT+hrQ@mail.gmail.com>
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-To:	unlisted-recipients:; (no To-header on input)
-Sender:	stable-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <stable.vger.kernel.org>
-X-Mailing-List:	stable@vger.kernel.org
-
-The bad syscall nr paths are their own incomprehensible route
-through the entry control flow.  Rearrange them to work just like
-syscalls that return -ENOSYS.
-
-This fixes an OOPS in the audit code when fast-path auditing is
-enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
-
-This has probably been broken since Linux 2.6.27:
-af0575bba0 i386 syscall audit fast-path
-
-Cc: stable@vger.kernel.org
-Cc: Roland McGrath <roland@redhat.com>
-Reported-by: Toralf Förster <toralf.foerster@gmx.de>
-Signed-off-by: Andy Lutomirski <luto@amacapital.net>
---
-
-I realize that the syscall audit fast path and badsys code, on 32-bit
-x86 no less, is possibly one of the least fun things in the kernel to
-review, but this is still a real security bug and should get fixed :(
-
-So I'm cc-ing a bunch of people and maybe someone will review it.
-
- arch/x86/kernel/entry_32.S | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index a2a4f46..f4258a5 100644
--- a/arch/x86/kernel/entry_32.S
-+++ b/arch/x86/kernel/entry_32.S
-@@ -431,9 +431,10 @@ sysenter_past_esp:
- 	jnz sysenter_audit
- sysenter_do_call:
- 	cmpl $(NR_syscalls), %eax
-	jae syscall_badsys
-+	jae sysenter_badsys
- 	call *sys_call_table(,%eax,4)
- 	movl %eax,PT_EAX(%esp)
-+sysenter_after_call:
- 	LOCKDEP_SYS_EXIT
- 	DISABLE_INTERRUPTS(CLBR_ANY)
- 	TRACE_IRQS_OFF
-@@ -688,7 +689,12 @@ END(syscall_fault)
- 
- syscall_badsys:
- 	movl $-ENOSYS,PT_EAX(%esp)
-	jmp resume_userspace
-+	jmp syscall_exit
-+END(syscall_badsys)
-+
-+sysenter_badsys:
-+	movl $-ENOSYS,PT_EAX(%esp)
-+	jmp sysenter_after_call
- END(syscall_badsys)
- 	CFI_ENDPROC
- /*
-- 
-1.9.3
-
--
-To unsubscribe from this list: send the line "unsubscribe stable" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html