From d7ae676988427af377c4107f536a63a1f93e22e8 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Wed, 7 Oct 2015 08:25:49 -0500
Subject: [PATCH] Enable CONFIG_ACPI_REV_OVERRIDE_POSSIBLE and CONFIG_X86_NUMACHIP
---
 config-x86-generic | 2 +-
 config-x86_64-generic | 2 +-
 kernel.spec | 22 +++++++++++++
 si2157-Bounds-check-firmware.patch | 39 +++++++++++++++++++++++
 si2168-Bounds-check-firmware.patch | 50 ++++++++++++++++++++++++++++++
 5 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100644 si2157-Bounds-check-firmware.patch
 create mode 100644 si2168-Bounds-check-firmware.patch
diff --git a/config-x86-generic b/config-x86-generic
index 9bfd81de5..b82a9b12b 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -102,7 +102,7 @@ CONFIG_ACPI_IPMI=m
 CONFIG_ACPI_CUSTOM_METHOD=m
 CONFIG_ACPI_BGRT=y
 # CONFIG_ACPI_EXTLOG is not set
-# CONFIG_ACPI_REV_OVERRIDE_POSSIBLE is not set
+CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
 CONFIG_INTEL_SOC_PMIC=y
 CONFIG_PMIC_OPREGION=y
diff --git a/config-x86_64-generic b/config-x86_64-generic
index 0fc3068dd..94c476027 100644
--- a/config-x86_64-generic
+++ b/config-x86_64-generic
@@ -14,7 +14,7 @@ CONFIG_X86_64_ACPI_NUMA=y
 CONFIG_ACPI_NFIT=m
 # CONFIG_ACPI_NFIT_DEBUG is not set
 # CONFIG_NUMA_EMU is not set
-# CONFIG_X86_NUMACHIP is not set
+CONFIG_X86_NUMACHIP=y
 CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y
 CONFIG_NUMA_BALANCING=y
diff --git a/kernel.spec b/kernel.spec
index 110cafdcc..6f947be70 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -638,6 +638,13 @@ Patch532: Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
 Patch533: net-inet-fix-race-in-reqsk_queue_unlink.patch
+#rhbz 1265978
+Patch536: si2168-Bounds-check-firmware.patch
+Patch537: si2157-Bounds-check-firmware.patch
+
+#rhbz 1268037
+Patch538: ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch
+
 # END OF PATCH DEFINITIONS
 %endif
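Review bot: `Patch538: ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch` is registered here, and applied by the matching `ApplyPatch` line in the next kernel.spec hunk, but the diffstat of this commit creates only the two si21xx patch files. If that file is not already tracked from an earlier commit, the build should fail on the missing source, so it is worth confirming before this is tagged. The `#rhbz 1265978` entries carry a stack-corruption fix, while the commit subject names only the config changes; a body line such as `Add si2168/si2157 firmware bounds checks (rhbz 1265978)` would make the fix findable when auditing which builds include it.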
@@ -1395,6 +1402,13 @@ ApplyPatch Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
 ApplyPatch net-inet-fix-race-in-reqsk_queue_unlink.patch
+#rhbz 1265978
+ApplyPatch si2168-Bounds-check-firmware.patch
+ApplyPatch si2157-Bounds-check-firmware.patch
+
+#rhbz 1268037
+ApplyPatch ALSA-hda-Add-dock-support-for-ThinkPad-T550.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2245,6 +2259,14 @@ fi
 #
 #
 %changelog
+* Wed Oct 07 2015 Justin M. Forbes
+- Enable CONFIG_ACPI_REV_OVERRIDE_POSSIBLE for Dell XPS sound (rhbz 1255070)
+- Enable CONFIG_X86_NUMACHIP
+
+* Mon Oct 05 2015 Laura Abbott
+- Stop stack smash for several DVB devices (rhbz 1265978)
+- Make headphone work with with T550 + Dock (rhbz 1268037)
+
 * Mon Oct 05 2015 Justin M. Forbes
 - Linux v4.2.3
 - Netdev fix race in resq_queue_unlink
diff --git a/si2157-Bounds-check-firmware.patch b/si2157-Bounds-check-firmware.patch
new file mode 100644
index 000000000..284006160
--- /dev/null
+++ b/si2157-Bounds-check-firmware.patch
@@ -0,0 +1,39 @@
+From 526fbce5b0e44c67a97c57656b3be9911f0a9b9b Mon Sep 17 00:00:00 2001
+From: Laura Abbott
+Date: Tue, 29 Sep 2015 16:59:20 -0700
+Subject: [PATCH 2/2] si2157: Bounds check firmware
+To: Antti Palosaari
+To: Mauro Carvalho Chehab
+Cc: Olli Salonen
+Cc: linux-media@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+
+When reading the firmware and sending commands, the length
+must be bounds checked to avoid overrunning the size of the command
+buffer and smashing the stack if the firmware is not in the
+expected format. Add the proper check.
+
+Cc: stable@kernel.org
+Signed-off-by: Laura Abbott
+---
+ drivers/media/tuners/si2157.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
+index 5073821..ce157ed 100644
+--- a/drivers/media/tuners/si2157.c
++++ b/drivers/media/tuners/si2157.c
+@@ -166,6 +166,10 @@ static int si2157_init(struct dvb_frontend *fe)
+
+ for (remaining = fw->size; remaining > 0; remaining -= 17) {
+ len = fw->data[fw->size - remaining];
++ if (len > SI2157_ARGLEN) {
++ dev_err(&client->dev, "Bad firmware length\n");
++ goto err_release_firmware;
++ }
+ memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
+ cmd.wlen = len;
+ cmd.rlen = 1;
+--
+2.4.3
+
diff --git a/si2168-Bounds-check-firmware.patch b/si2168-Bounds-check-firmware.patch
new file mode 100644
index 000000000..e9c5bcc50
--- /dev/null
+++ b/si2168-Bounds-check-firmware.patch
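Review bot: The new error branch in si2157_init jumps to `err_release_firmware` without assigning `ret`, so if `ret` still holds 0 from the preceding successful call the function would report success for a firmware image it has just rejected. The si2168 patch in this same commit sets the code explicitly; add `ret = -EINVAL;` before the `goto` here as well. The check also bounds `len` only against the destination `cmd.args`: records are stepped 17 bytes at a time, so a `len` that passes the check but is at least `remaining` makes the `memcpy` read past the end of `fw->data`, which `if (len > SI2157_ARGLEN || len >= remaining) {` would close, and the same applies to the si2168 loop. The label and any earlier validation of `fw->size` are outside the hunk, so both points should be confirmed against the full function.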
@@ -0,0 +1,50 @@
+From 43018528944fa4965a4048fee91d76b47dcaf60e Mon Sep 17 00:00:00 2001
+From: Laura Abbott
+Date: Mon, 28 Sep 2015 14:10:34 -0700
+Subject: [PATCH 1/2] si2168: Bounds check firmware
+To: Antti Palosaari
+To: Mauro Carvalho Chehab
+Cc: Olli Salonen
+Cc: linux-media@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Stuart Auchterlonie
+
+
+When reading the firmware and sending commands, the length must
+be bounds checked to avoid overrunning the size of the command
+buffer and smashing the stack if the firmware is not in the expected
+format:
+
+si2168 11-0064: found a 'Silicon Labs Si2168-B40'
+si2168 11-0064: downloading firmware from file 'dvb-demod-si2168-b40-01.fw'
+si2168 11-0064: firmware download failed -95
+Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa085708f
+
+Add the proper check.
+
+Cc: stable@kernel.org
+Reported-by: Stuart Auchterlonie
+Reviewed-by: Antti Palosaari
+Signed-off-by: Laura Abbott
+---
+ drivers/media/dvb-frontends/si2168.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c
+index 81788c5..821a8f4 100644
+--- a/drivers/media/dvb-frontends/si2168.c
++++ b/drivers/media/dvb-frontends/si2168.c
+@@ -502,6 +502,10 @@ static int si2168_init(struct dvb_frontend *fe)
+ /* firmware is in the new format */
+ for (remaining = fw->size; remaining > 0; remaining -= 17) {
+ len = fw->data[fw->size - remaining];
++ if (len > SI2168_ARGLEN) {
++ ret = -EINVAL;
++ break;
++ }
+ memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
+ cmd.wlen = len;
+ cmd.rlen = 1;
+--
+2.4.3
+
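Review bot: The rejection path added to si2168_init sets `ret = -EINVAL` and breaks out without logging why, so the kernel log would presumably show only the generic `firmware download failed` line quoted in the commit message. The si2157 patch in this commit names the cause; adding `dev_err(&client->dev, "Bad firmware length\n");` before `ret = -EINVAL;` (assuming `client` is in scope here as it is in si2157_init) keeps the two drivers consistent and lets triage tell a malformed image from a bus error. The code that follows the loop is outside the hunk, so where `ret` is reported is inferred.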