Linux 4.18.14

kernel.spec

@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 13
+%define stable_update 14
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -617,9 +617,6 @@ Patch501: Fix-for-module-sig-verification.patch
 # rhbz 1431375
 Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
 
-# CVE-2018-15471 rhbz 1610555 1618414
-Patch504: xsa270.patch
-
 # rhbz 1572944
 Patch506: 0001-random-add-a-config-option-to-trust-the-CPU-s-hwrng.patch
 Patch507: 0001-random-make-CPU-trust-a-boot-parameter.patch
@@ -1873,6 +1870,9 @@ fi
 #
 #
 %changelog
+* Mon Oct 15 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.18.14-100
+- Linux v4.18.14
+
 * Wed Oct 10 2018 Laura Abbott <labbott@redhat.com> - 4.18.13-300
 - Linux v4.18.13
 

sources

@@ -1,2 +1,2 @@
 SHA512 (linux-4.18.tar.xz) = 950eb85ac743b291afe9f21cd174d823e25f11883ee62cecfbfff8fe8c5672aae707654b1b8f29a133b1f2e3529e63b9f7fba4c45d6dacccc8000b3a9a9ae038
-SHA512 (patch-4.18.13.xz) = 169c232c1799eae10b5fa399fc2cb0567536681e8e17f59fe0c489c6186d368261ba45baf1b6f71a0d111895cbf4a44d93f7ee3e20d4842b699f75f5372c8d38
+SHA512 (patch-4.18.14.xz) = 1bfcb475dad5100496e3f47989cd84d476631e87725df9bd22c462d87415199d4dfc30fe22772531bb21ede96c40187c3ee79fa64e61ec3503f743aba723d744

xsa270.patch

@@ -1,55 +0,0 @@
-From: Jan Beulich <jbeulich@suse.com>
-Subject: xen-netback: fix input validation in xenvif_set_hash_mapping()
-
-Both len and off are frontend specified values, so we need to make
-sure there's no overflow when adding the two for the bounds check. We
-also want to avoid undefined behavior and hence use off to index into
-->hash.mapping[] only after bounds checking. This at the same time
-allows to take care of not applying off twice for the bounds checking
-against vif->num_queues.
-
-It is also insufficient to bounds check copy_op.len, as this is len
-truncated to 16 bits.
-
-This is XSA-270.
-
-Reported-by: Felix Wilhelm <fwilhelm@google.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
-Tested-by: Paul Durrant <paul.durrant@citrix.com>
----
-The bounds checking against vif->num_queues also occurs too early afaict
-(it should be done after the grant copy). I have patches ready as public
-follow-ups for both this and the (at least latent) issue of the mapping
-array crossing a page boundary.
-
---- a/drivers/net/xen-netback/hash.c
-+++ b/drivers/net/xen-netback/hash.c
-@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct
- u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len,
- 			    u32 off)
- {
--	u32 *mapping = &vif->hash.mapping[off];
-+	u32 *mapping = vif->hash.mapping;
- 	struct gnttab_copy copy_op = {
- 		.source.u.ref = gref,
- 		.source.domid = vif->domid,
--		.dest.u.gmfn = virt_to_gfn(mapping),
- 		.dest.domid = DOMID_SELF,
--		.dest.offset = xen_offset_in_page(mapping),
--		.len = len * sizeof(u32),
-+		.len = len * sizeof(*mapping),
- 		.flags = GNTCOPY_source_gref
- 	};
- 
--	if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE)
-+	if ((off + len < off) || (off + len > vif->hash.size) ||
-+	    len > XEN_PAGE_SIZE / sizeof(*mapping))
- 		return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
- 
-+	copy_op.dest.u.gmfn = virt_to_gfn(mapping + off);
-+	copy_op.dest.offset = xen_offset_in_page(mapping + off);
-+
- 	while (len-- != 0)
- 		if (mapping[off++] >= vif->num_queues)
- 			return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;