rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Linux v4.11.3

This commit is contained in:
Laura Abbott 2017-05-25 11:18:44 -07:00
parent 9dd5b58701
commit ca0ee6d885
5 changed files with 122 additions and 213 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
0001-ipx-call-ipxitf_put-in-ioctl-error-path.patch
View File

@ -1,38 +0,0 @@
From ee0d8d8482345ff97a75a7d747efc309f13b0d80 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 2 May 2017 13:58:53 +0300
Subject: [PATCH] ipx: call ipxitf_put() in ioctl error path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We should call ipxitf_put() if the copy_to_user() fails.
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipx/af_ipx.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index 8a9219f..fa31ef2 100644
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg)
sipx->sipx_network = ipxif->if_netnum;
memcpy(sipx->sipx_node, ipxif->if_node,
sizeof(sipx->sipx_node));
- rc = -EFAULT;
+ rc = 0;
if (copy_to_user(arg, &ifr, sizeof(ifr)))
- break;
+ rc = -EFAULT;
ipxitf_put(ipxif);
- rc = 0;
break;
}
case SIOCAIPXITFCRT:
--
2.9.3

239
efi-lockdown.patch
View File

@ -1,4 +1,4 @@
From df7d76ae50f18d4465e59fdf7f19d3df44906cb5 Mon Sep 17 00:00:00 2001
From 85255f3885abdd1d2e5dc9f6e51f2fc9db075843 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Mon, 21 Nov 2016 23:55:55 +0000
Subject: [PATCH 07/32] efi: Add EFI_SECURE_BOOT bit
@ -18,10 +18,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
2 files changed, 2 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 69780ed..447905e 100644
index 4bf0c89..396285b 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1182,6 +1182,7 @@ void __init setup_arch(char **cmdline_p)
@@ -1184,6 +1184,7 @@ void __init setup_arch(char **cmdline_p)
pr_info("Secure boot disabled\n");
break;
case efi_secureboot_mode_enabled:
@ -42,13 +42,13 @@ index 94d34e0..6049600 100644
#ifdef CONFIG_EFI
/*
--
2.7.4
2.7.5
From f05a90c19a9613d8d50597319ed91f691e25b689 Mon Sep 17 00:00:00 2001
From 341507e80b888b5b587bdb60f0d95275dbbcad89 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Mon, 21 Nov 2016 23:36:17 +0000
Subject: [PATCH 09/32] Add the ability to lock down access to the running
kernel image
Subject: [PATCH 09/32] Add the ability to lock down access to the running kernel
image
Provide a single call to allow kernel code to determine whether the system
should be locked down, thereby disallowing various accesses that might
@ -67,10 +67,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
create mode 100644 security/lock_down.c
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index cb09238..3cd3be9 100644
index 4c26dc3..b820a80 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -273,6 +273,15 @@ extern int oops_may_print(void);
@@ -275,6 +275,15 @@ extern int oops_may_print(void);
void do_exit(long error_code) __noreturn;
void complete_and_exit(struct completion *, long) __noreturn;
@ -87,10 +87,10 @@ index cb09238..3cd3be9 100644
int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
int __must_check _kstrtol(const char *s, unsigned int base, long *res);
diff --git a/include/linux/security.h b/include/linux/security.h
index d3868f2..187b74b 100644
index 96899fa..5808570 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1679,5 +1679,16 @@ static inline void free_secdata(void *secdata)
@@ -1678,5 +1678,16 @@ static inline void free_secdata(void *secdata)
{ }
#endif /* CONFIG_SECURITY */
@ -191,9 +191,9 @@ index 0000000..5788c60
+}
+EXPORT_SYMBOL(kernel_is_locked_down);
--
2.7.4
2.7.5
From fb6feb38e297260d050fc477c72683ac51d07ae3 Mon Sep 17 00:00:00 2001
From dfabd5c5acc95a2de69d44f794e6f1ce894fd3ff Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Mon, 21 Nov 2016 23:55:55 +0000
Subject: [PATCH 10/32] efi: Lock down the kernel if booted in secure boot mode
@ -211,10 +211,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 874c123..a315974 100644
index cc98d5a..21f3985 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1816,6 +1816,18 @@ config EFI_MIXED
@@ -1817,6 +1817,18 @@ config EFI_MIXED
If unsure, say N.
@ -234,7 +234,7 @@ index 874c123..a315974 100644
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 447905e..d44e60e 100644
index 396285b..85dfa74 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -69,6 +69,7 @@
@ -245,7 +245,7 @@ index 447905e..d44e60e 100644
#include <video/edid.h>
@@ -1183,7 +1184,12 @@ void __init setup_arch(char **cmdline_p)
@@ -1185,7 +1186,12 @@ void __init setup_arch(char **cmdline_p)
break;
case efi_secureboot_mode_enabled:
set_bit(EFI_SECURE_BOOT, &efi.flags);
@ -260,9 +260,9 @@ index 447905e..d44e60e 100644
default:
pr_info("Secure boot could not be determined\n");
--
2.7.4
2.7.5
From 7182f2f5b254d6dc6d3105d2f99219a76adf9de0 Mon Sep 17 00:00:00 2001
From 0329e34894da0599619b03fa6cb16d575bfc68d4 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 23 Nov 2016 13:22:22 +0000
Subject: [PATCH 11/32] Enforce module signatures if the kernel is locked down
@ -289,13 +289,13 @@ index 7eba6de..3331f2e 100644
return err;
--
2.7.4
2.7.5
From 7e97c58bcd0b4c082b889fb093a2779147532b9f Mon Sep 17 00:00:00 2001
From 236e7dcbf5eb7b27416a819d6cb69d3006481cef Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 12/32] Restrict /dev/mem and /dev/kmem when the kernel is
locked down
Subject: [PATCH 12/32] Restrict /dev/mem and /dev/kmem when the kernel is locked
down
Allowing users to write to address space makes it possible for the kernel to
be subverted, avoiding module loading restrictions. Prevent this when the
@ -308,10 +308,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 6d9cc2d..f814404 100644
index 6e0cbe0..a97b22f 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -163,6 +163,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
if (p != *ppos)
return -EFBIG;
@ -321,7 +321,7 @@ index 6d9cc2d..f814404 100644
if (!valid_phys_addr_range(p, count))
return -EFAULT;
@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
@@ -540,6 +543,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
int err = 0;
@ -332,9 +332,9 @@ index 6d9cc2d..f814404 100644
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
--
2.7.4
2.7.5
From b83b68a9a13120664eaabf21a7b3ff0b065bd5b2 Mon Sep 17 00:00:00 2001
From 58a5ca7a67b9091800f61c1c411b3f411fcd857b Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@redhat.com>
Date: Mon, 21 Nov 2016 23:55:56 +0000
Subject: [PATCH 13/32] Add a sysrq option to exit secure boot mode
@ -354,10 +354,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
7 files changed, 68 insertions(+), 8 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index a315974..6931e68 100644
index 21f3985..457c049 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1828,6 +1828,16 @@ config EFI_SECURE_BOOT_LOCK_DOWN
@@ -1829,6 +1829,16 @@ config EFI_SECURE_BOOT_LOCK_DOWN
image. Say Y here to automatically lock down the kernel when a
system boots with UEFI Secure Boot enabled.
@ -375,7 +375,7 @@ index a315974..6931e68 100644
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index d44e60e..f7635d0 100644
index 85dfa74..a415a48 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -71,6 +71,11 @@
@ -390,7 +390,7 @@ index d44e60e..f7635d0 100644
#include <video/edid.h>
#include <asm/mtrr.h>
@@ -1328,6 +1333,32 @@ void __init i386_reserve_resources(void)
@@ -1330,6 +1335,32 @@ void __init i386_reserve_resources(void)
#endif /* CONFIG_X86_32 */
@ -436,10 +436,10 @@ index 022be0e..4a054a5 100644
input_set_drvdata(udev->dev, udev);
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index 7113674..e1addc3 100644
index c6fc714..0c96cf6 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -479,6 +479,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
@@ -481,6 +481,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
/* x: May be registered on mips for TLB dump */
/* x: May be registered on ppc/powerpc for xmon */
/* x: May be registered on sparc64 for global PMU dump */
@ -447,7 +447,7 @@ index 7113674..e1addc3 100644
NULL, /* x */
/* y: May be registered on sparc64 for global register dump */
NULL, /* y */
@@ -522,7 +523,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
@@ -524,7 +525,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
sysrq_key_table[i] = op_p;
}
@ -456,7 +456,7 @@ index 7113674..e1addc3 100644
{
struct sysrq_key_op *op_p;
int orig_log_level;
@@ -542,11 +543,15 @@ void __handle_sysrq(int key, bool check_mask)
@@ -544,11 +545,15 @@ void __handle_sysrq(int key, bool check_mask)
op_p = __sysrq_get_key_op(key);
if (op_p) {
@ -473,7 +473,7 @@ index 7113674..e1addc3 100644
pr_cont("%s\n", op_p->action_msg);
console_loglevel = orig_log_level;
op_p->handler(key);
@@ -578,7 +583,7 @@ void __handle_sysrq(int key, bool check_mask)
@@ -580,7 +585,7 @@ void __handle_sysrq(int key, bool check_mask)
void handle_sysrq(int key)
{
if (sysrq_on())
@ -482,7 +482,7 @@ index 7113674..e1addc3 100644
}
EXPORT_SYMBOL(handle_sysrq);
@@ -659,7 +664,7 @@ static void sysrq_do_reset(unsigned long _state)
@@ -661,7 +666,7 @@ static void sysrq_do_reset(unsigned long _state)
static void sysrq_handle_reset_request(struct sysrq_state *state)
{
if (state->reset_requested)
@ -491,7 +491,7 @@ index 7113674..e1addc3 100644
if (sysrq_reset_downtime_ms)
mod_timer(&state->keyreset_timer,
@@ -810,8 +815,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
@@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
default:
if (sysrq->active && value && value != 2) {
@ -503,7 +503,7 @@ index 7113674..e1addc3 100644
}
break;
}
@@ -1095,7 +1102,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
@@ -1097,7 +1104,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
if (get_user(c, buf))
return -EFAULT;
@ -570,10 +570,10 @@ index 387fa7d..f7c52a9 100644
int unregister_sysrq_key(int key, struct sysrq_key_op *op);
struct sysrq_key_op *__sysrq_get_key_op(int key);
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
index ca18391..c4524b8 100644
index c8146d5..b480cad 100644
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -1967,7 +1967,7 @@ static int kdb_sr(int argc, const char **argv)
@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)
return KDB_ARGCOUNT;
kdb_trap_printk++;
@ -583,9 +583,9 @@ index ca18391..c4524b8 100644
return 0;
--
2.7.4
2.7.5
From 8884bd44932e595323fcddfb09c2a2a586134cdf Mon Sep 17 00:00:00 2001
From 1b5f90719268c27616172f00cde6e1078eb413c5 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 14/32] kexec: Disable at runtime if the kernel is locked down
@ -622,13 +622,12 @@ index 980936a..46de8e6 100644
* This leaves us room for future extensions.
*/
--
2.7.4
2.7.5
From cace563d1743c3d2faf1e46bd4df8e63e2310207 Mon Sep 17 00:00:00 2001
From 85eaf32ad6cb1ce6ab88601daac8e601386929bb Mon Sep 17 00:00:00 2001
From: Dave Young <dyoung@redhat.com>
Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 15/32] Copy secure_boot flag in boot params across kexec
reboot
Subject: [PATCH] Copy secure_boot flag in boot params across kexec reboot
Kexec reboot in case secure boot being enabled does not keep the secure
boot mode in new kernel, so later one can load unsigned kernel via legacy
@ -660,13 +659,12 @@ index d0a814a..3551bca 100644
ei->efi_systab = current_ei->efi_systab;
ei->efi_systab_hi = current_ei->efi_systab_hi;
--
2.7.4
2.7.5
From 08a3467acbc28bb469d1eebd0f5fd40b944d984a Mon Sep 17 00:00:00 2001
From 421f4933387c7663b99d63624bdc23d4037e9c26 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Wed, 23 Nov 2016 13:49:19 +0000
Subject: [PATCH 16/32] kexec_file: Disable at runtime if securelevel has been
set
Subject: [PATCH 16/32] kexec_file: Disable at runtime if securelevel has been set
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.
@ -682,7 +680,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 6 insertions(+)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b56a558..003cade 100644
index b118735..f6937ee 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
@ -699,9 +697,9 @@ index b56a558..003cade 100644
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;
--
2.7.4
2.7.5
From 925fd10d7a99a6f999dde76daf2b1ef1238b251a Mon Sep 17 00:00:00 2001
From 0376070dd24c4226e047cf5ab8d68c8341b8d521 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 17/32] hibernate: Disable when the kernel is locked down
@ -718,10 +716,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index 86385af..1629798 100644
index a8b978c..50cca5d 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -67,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
bool hibernation_available(void)
{
@ -731,12 +729,12 @@ index 86385af..1629798 100644
/**
--
2.7.4
2.7.5
From b14fb5fcd60c84a09a15bd7ec974b6fbce68335c Mon Sep 17 00:00:00 2001
From fff7953fd653f695d0a43872726086637cad224b Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Wed, 23 Nov 2016 13:28:17 +0000
Subject: [PATCH 18/32] uswsusp: Disable when the kernel is locked down
Subject: [PATCH] uswsusp: Disable when the kernel is locked down
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel
@ -763,13 +761,12 @@ index 22df9f7..e4b926d 100644
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
--
2.7.4
2.7.5
From d8167273e7562e5aa866d2b65e25bb1962de972c Mon Sep 17 00:00:00 2001
From a4cb6a7d28d27aa8166b7e0d5f75fe16f2f18ac8 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 19/32] PCI: Lock down BAR access when the kernel is locked
down
Subject: [PATCH 19/32] PCI: Lock down BAR access when the kernel is locked down
Any hardware that can potentially generate DMA has to be locked down in
order to avoid it being possible for an attacker to modify kernel code,
@ -786,10 +783,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 0666287..b10992c 100644
index 7ac258f..7d29b03 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -718,6 +718,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
@@ -727,6 +727,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
loff_t init_off = off;
u8 *data = (u8 *) buf;
@ -799,7 +796,7 @@ index 0666287..b10992c 100644
if (off > dev->cfg_size)
return 0;
if (off + count > dev->cfg_size) {
@@ -1009,6 +1012,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
@@ -1022,6 +1025,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
resource_size_t start, end;
int i;
@ -809,7 +806,7 @@ index 0666287..b10992c 100644
for (i = 0; i < PCI_ROM_RESOURCE; i++)
if (res == &pdev->resource[i])
break;
@@ -1108,6 +1114,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
@@ -1121,6 +1127,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
struct bin_attribute *attr, char *buf,
loff_t off, size_t count)
{
@ -820,7 +817,7 @@ index 0666287..b10992c 100644
}
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index f82710a..139d6f0 100644
index dc8912e..e2c5eff 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
@ -845,13 +842,13 @@ index f82710a..139d6f0 100644
ret = pci_domain_nr(dev->bus);
@@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
struct pci_filp_private *fpriv = file->private_data;
int i, ret, write_combine;
int i, ret, write_combine = 0, res_bit;
- if (!capable(CAP_SYS_RAWIO))
+ if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())
return -EPERM;
/* Make sure the caller is mapping a real resource for this device */
if (fpriv->mmap_state == pci_mmap_io)
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
index 9bf993e..c095247 100644
--- a/drivers/pci/syscall.c
@ -866,13 +863,12 @@ index 9bf993e..c095247 100644
dev = pci_get_bus_and_slot(bus, dfn);
--
2.7.4
2.7.5
From 169d13e0c5240ac6aad13aace5ecbdb3de2cfada Mon Sep 17 00:00:00 2001
From 4f9b39483a30ae4bd6e9c90caaf3a0466161d024 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 20/32] x86: Lock down IO port access when the kernel is locked
down
Subject: [PATCH 20/32] x86: Lock down IO port access when the kernel is locked down
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
@ -890,10 +886,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index b01bc8517..4ccaace 100644
index 9c3cf09..4a613fe 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -29,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
@@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
return -EINVAL;
@ -902,7 +898,7 @@ index b01bc8517..4ccaace 100644
return -EPERM;
/*
@@ -113,7 +113,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
@@ -120,7 +120,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
return -EINVAL;
/* Trying to gain more privileges? */
if (level > old) {
@ -912,10 +908,10 @@ index b01bc8517..4ccaace 100644
}
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index f814404..9afebb6 100644
index a97b22f..8705f8f 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -741,6 +741,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
@@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
static int open_port(struct inode *inode, struct file *filp)
{
@ -925,9 +921,9 @@ index f814404..9afebb6 100644
}
--
2.7.4
2.7.5
From efd24f7e9af624b62f39efce4f60b31f0ca643d8 Mon Sep 17 00:00:00 2001
From b746ba587c937240794cd7006c15a0fb3b2f8128 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:17 +0000
Subject: [PATCH 21/32] x86: Restrict MSR access when the kernel is locked down
@ -969,9 +965,9 @@ index ef68880..fbcce02 100644
err = -EFAULT;
break;
--
2.7.4
2.7.5
From 62ebdffbcb0726b98562e9f1173a6d5967755764 Mon Sep 17 00:00:00 2001
From 5aff4c16ee0a6441b1abbf6e80a5da9cf2007469 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 22/32] asus-wmi: Restrict debugfs interface when the kernel is
@ -990,10 +986,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 9 insertions(+)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index 43cb680..9be3e08 100644
index 8fe5890..feef250 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -1898,6 +1898,9 @@ static int show_dsts(struct seq_file *m, void *data)
@@ -1900,6 +1900,9 @@ static int show_dsts(struct seq_file *m, void *data)
int err;
u32 retval = -1;
@ -1003,7 +999,7 @@ index 43cb680..9be3e08 100644
err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
if (err < 0)
@@ -1914,6 +1917,9 @@ static int show_devs(struct seq_file *m, void *data)
@@ -1916,6 +1919,9 @@ static int show_devs(struct seq_file *m, void *data)
int err;
u32 retval = -1;
@ -1013,7 +1009,7 @@ index 43cb680..9be3e08 100644
err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
&retval);
@@ -1938,6 +1944,9 @@ static int show_call(struct seq_file *m, void *data)
@@ -1940,6 +1946,9 @@ static int show_call(struct seq_file *m, void *data)
union acpi_object *obj;
acpi_status status;
@ -1024,13 +1020,13 @@ index 43cb680..9be3e08 100644
1, asus->debug.method_id,
&input, &output);
--
2.7.4
2.7.5
From 31f493d03dde1854fa9e540f87a751fbeeb41cb9 Mon Sep 17 00:00:00 2001
From f0b27fdb42b57c2044ea3cf49371f786acc7b58e Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 23/32] ACPI: Limit access to custom_method when the kernel is
locked down
Subject: [PATCH 23/32] ACPI: Limit access to custom_method when the kernel is locked
down
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
@ -1057,13 +1053,13 @@ index c68e724..e4d721c 100644
/* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header))
--
2.7.4
2.7.5
From 1dec5dc62c78f78b9efe44aac3d6119d97b67017 Mon Sep 17 00:00:00 2001
From d67f882220ae3d969b496ad93fcbbcd3b09288cd Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 24/32] acpi: Ignore acpi_rsdp kernel param when the kernel has
been locked down
Subject: [PATCH 24/32] acpi: Ignore acpi_rsdp kernel param when the kernel has been
locked down
This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to circumvent any restrictions imposed on
@ -1089,13 +1085,13 @@ index db78d35..d4d4ba3 100644
#endif
--
2.7.4
2.7.5
From 96eaf04100d7365d93f898013175351c7d2702a6 Mon Sep 17 00:00:00 2001
From 15b10045321ac2af988918726a461178237d2d24 Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com>
Date: Wed, 23 Nov 2016 13:32:27 +0000
Subject: [PATCH 25/32] acpi: Disable ACPI table override if the kernel is
locked down
Subject: [PATCH 25/32] acpi: Disable ACPI table override if the kernel is locked
down
From the kernel documentation (initrd_table_override.txt):
@ -1130,13 +1126,13 @@ index 2604189..601096d 100644
memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
all_tables_size, PAGE_SIZE);
--
2.7.4
2.7.5
From 521979b819b853f7578ba8edef8b33bc2077026d Mon Sep 17 00:00:00 2001
From dec3a108f63021d82b132847a02e8496f613ac6f Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com>
Date: Wed, 23 Nov 2016 13:39:41 +0000
Subject: [PATCH 26/32] acpi: Disable APEI error injection if the kernel is
locked down
Subject: [PATCH 26/32] acpi: Disable APEI error injection if the kernel is locked
down
ACPI provides an error injection mechanism, EINJ, for debugging and testing
the ACPI Platform Error Interface (APEI) and other RAS features. If
@ -1174,9 +1170,9 @@ index ec50c32..e082718 100644
if (flags && (flags &
~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
--
2.7.4
2.7.5
From fe597dad1cba83345d62c4079c0d8861c426698c Mon Sep 17 00:00:00 2001
From dcc51d5b69c23c3f955b332d959f13cb61b4500c Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Wed, 23 Nov 2016 13:41:23 +0000
Subject: [PATCH 27/32] Enable cold boot attack mitigation
@ -1232,13 +1228,13 @@ index 801c7a1..ef9409b 100644
* If the boot loader gave us a value for secure_boot then we use that,
* otherwise we ask the BIOS.
--
2.7.4
2.7.5
From 04fac895731801bc6cb26a6061f1c353c80a866c Mon Sep 17 00:00:00 2001
From 6cff44c809671affbf65ac2e0d0c2b0a0f705756 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Wed, 23 Nov 2016 13:52:16 +0000
Subject: [PATCH 28/32] bpf: Restrict kernel image access functions when the
kernel is locked down
Subject: [PATCH 28/32] bpf: Restrict kernel image access functions when the kernel
is locked down
There are some bpf functions can be used to read kernel memory:
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
@ -1289,9 +1285,9 @@ index cee9802..7fde851 100644
for (i = 0; i < fmt_size; i++) {
if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
--
2.7.4
2.7.5
From 707d0e14c2c0d6c3139ff4bcb16ee22c462b4304 Mon Sep 17 00:00:00 2001
From 9c7dd48309e4d8e18a9979f6c0cbf9c7b8bf4ea1 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 22 Nov 2016 10:10:34 +0000
Subject: [PATCH 29/32] scsi: Lock down the eata driver
@ -1317,7 +1313,7 @@ cc: linux-scsi@vger.kernel.org
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
index 227dd2c..5c036d10 100644
index 227dd2c..5c036d1 100644
--- a/drivers/scsi/eata.c
+++ b/drivers/scsi/eata.c
@@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
@ -1336,13 +1332,12 @@ index 227dd2c..5c036d10 100644
#if defined(MODULE)
/* io_port could have been modified when loading as a module */
--
2.7.4
2.7.5
From 07e05e0b7d806a05eba55092630bb75a92311344 Mon Sep 17 00:00:00 2001
From 5e2b99e099ba52131c7a87695b294961a0bf54f1 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 25 Nov 2016 14:37:45 +0000
Subject: [PATCH 30/32] Prohibit PCMCIA CIS storage when the kernel is locked
down
Subject: [PATCH 30/32] Prohibit PCMCIA CIS storage when the kernel is locked down
Prohibit replacement of the PCMCIA Card Information Structure when the
kernel is locked down.
@ -1369,9 +1364,9 @@ index 55ef7d1..193e4f7 100644
if (off)
--
2.7.4
2.7.5
From cf1e877adbe35c5f72a9d85570b494aa3f35be6a Mon Sep 17 00:00:00 2001
From 6d6e052a6c2df0a7a492439efe1ac6d62498e0d4 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 7 Dec 2016 10:28:39 +0000
Subject: [PATCH 31/32] Lock down TIOCSSERIAL
@ -1388,10 +1383,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 6 insertions(+)
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
index 9939c3d..7c040e2 100644
index 3fe5689..4181b00 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -820,6 +820,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
@@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
new_flags = new_info->flags;
old_custom_divisor = uport->custom_divisor;
@ -1405,5 +1400,5 @@ index 9939c3d..7c040e2 100644
retval = -EPERM;
if (change_irq || change_port ||
--
2.7.4
2.7.5

11
kernel.spec
View File

@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 2
%define stable_update 3
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@ -549,9 +549,6 @@ Patch437: bcm283x-hdmi-audio.patch
# https://www.spinics.net/lists/arm-kernel/msg554183.html
Patch438: arm-imx6-hummingboard2.patch
# https://lkml.org/lkml/2017/4/4/316
Patch339: media-cec-Fix-runtime-BUG-when-CONFIG_RC_CORE-CEC_CAP_RC.patch
Patch440: arm64-Add-option-of-13-for-FORCE_MAX_ZONEORDER.patch
Patch460: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
@ -620,9 +617,6 @@ Patch668: CVE-2017-7477.patch
#rhbz 1436686
Patch864: dell-laptop-Adds-support-for-keyboard-backlight-timeout-AC-settings.patch
#CVE-2017-7487 rhbz 1447734 1450417
Patch865: 0001-ipx-call-ipxitf_put-in-ioctl-error-path.patch
#CVE-2017-9059 rhbz 1451386 1451996
Patch866: 0001-SUNRPC-Refactor-svc_set_num_threads.patch
Patch867: 0002-NFSv4-Fix-callback-server-shutdown.patch
@ -2203,6 +2197,9 @@ fi
#
#
%changelog
* Thu May 25 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.3-200
- Linux v4.11.3
* Mon May 22 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.2-200
- Linux v4.11.2

45
media-cec-Fix-runtime-BUG-when-CONFIG_RC_CORE-CEC_CAP_RC.patch
View File

@ -1,45 +0,0 @@
From patchwork Tue Apr 4 12:32:19 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [2/2, media] cec: Fix runtime BUG when (CONFIG_RC_CORE && !CEC_CAP_RC)
From: Lee Jones <lee.jones@linaro.org>
X-Patchwork-Id: 9661691
Message-Id: <20170404123219.22040-2-lee.jones@linaro.org>
To: hans.verkuil@cisco.com,
mchehab@kernel.org
Cc: benjamin.gaignard@st.com, patrice.chotard@st.com,
linux-kernel@vger.kernel.org, kernel@stlinux.com,
Lee Jones <lee.jones@linaro.org>, linux-arm-kernel@lists.infradead.org,
linux-media@vger.kernel.org
Date: Tue, 4 Apr 2017 13:32:19 +0100
Currently when the RC Core is enabled (reachable) core code located
in cec_register_adapter() attempts to populate the RC structure with
a pointer to the 'parent' passed in by the caller.
Unfortunately if the caller did not specify RC capibility when calling
cec_allocate_adapter(), then there will be no RC structure to populate.
This causes a "NULL pointer dereference" error.
Fixes: f51e80804f0 ("[media] cec: pass parent device in register(), not allocate()")
Signed-off-by: Lee Jones <lee.jones@linaro.org>
---
drivers/media/cec/cec-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/cec/cec-core.c b/drivers/media/cec/cec-core.c
index 06a312c..d64937b 100644
--- a/drivers/media/cec/cec-core.c
+++ b/drivers/media/cec/cec-core.c
@@ -286,8 +286,8 @@ int cec_register_adapter(struct cec_adapter *adap,
adap->devnode.dev.parent = parent;
#if IS_REACHABLE(CONFIG_RC_CORE)
- adap->rc->dev.parent = parent;
if (adap->capabilities & CEC_CAP_RC) {
+ adap->rc->dev.parent = parent;
res = rc_register_device(adap->rc);
if (res) {

2
sources
View File

@ -1,3 +1,3 @@
SHA512 (perf-man-4.11.tar.gz) = 0b070d2f10a743329de2f532e2d7e19ef385a3e6ef3c700b591ae2697604dbe542b36e31121b3e37517ee8071ab800386fa8663c24a5b36520a18e096c6eefc8
SHA512 (linux-4.11.tar.xz) = 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3
SHA512 (patch-4.11.2.xz) = e090598bb339f04a92febe9c03317b76e51f67c2e3bfebaddb97177b19a2c195332477333be29e9f46483ff937fc85fd63fea1bb4ae18dec0fbe5bc1738afbcb
SHA512 (patch-4.11.3.xz) = d1beb9b48ce12e87bb6ec53f0cf03d5650fd421edd8757d31dda20821c9a9f5b5c3dc8f131058ea8b9de45d67c43424ad246baf5c33e0174372f952cce26ad72