Linux v4.17.4

2018-07-03 08:29:41 -05:00 · 2018-07-03 08:29:41 -05:00 · d7febc550b
parent f17b62cb59
commit d7febc550b
5 changed files with 5 additions and 217 deletions
--- a/0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
+++ b/0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
@ -1,95 +0,0 @@
-From f620d1d7afc7db57ab59f35000752840c91f67e7 Mon Sep 17 00:00:00 2001
-From: ming_qian <ming_qian@realsil.com.cn>
-Date: Tue, 8 May 2018 22:13:08 -0400
-Subject: [PATCH] media: uvcvideo: Support realtek's UVC 1.5 device
-
-media: uvcvideo: Support UVC 1.5 video probe & commit controls
-
-The length of UVC 1.5 video control is 48, and it is 34 for UVC 1.1.
-Change it to 48 for UVC 1.5 device, and the UVC 1.5 device can be
-recognized.
-
-More changes to the driver are needed for full UVC 1.5 compatibility.
-However, at least the UVC 1.5 Realtek RTS5847/RTS5852 cameras have been
-reported to work well.
-
-[laurent.pinchart@ideasonboard.com: Factor out code to helper function, update size checks]
-
-Cc: stable@vger.kernel.org
-Signed-off-by: ming_qian <ming_qian@realsil.com.cn>
-Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Tested-by: Ana Guerrero Lopez <ana.guerrero@collabora.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
---
- drivers/media/usb/uvc/uvc_video.c | 24 ++++++++++++++++++------
- 1 file changed, 18 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
-index aa0082fe5833..b28c997a7ab0 100644
--- a/drivers/media/usb/uvc/uvc_video.c
-+++ b/drivers/media/usb/uvc/uvc_video.c
-@@ -163,14 +163,27 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
- 	}
- }
- 
-+static size_t uvc_video_ctrl_size(struct uvc_streaming *stream)
-+{
-+	/*
-+	 * Return the size of the video probe and commit controls, which depends
-+	 * on the protocol version.
-+	 */
-+	if (stream->dev->uvc_version < 0x0110)
-+		return 26;
-+	else if (stream->dev->uvc_version < 0x0150)
-+		return 34;
-+	else
-+		return 48;
-+}
-+
- static int uvc_get_video_ctrl(struct uvc_streaming *stream,
- 	struct uvc_streaming_control *ctrl, int probe, u8 query)
- {
-+	u16 size = uvc_video_ctrl_size(stream);
- 	u8 *data;
-	u16 size;
- 	int ret;
- 
-	size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
- 	if ((stream->dev->quirks & UVC_QUIRK_PROBE_DEF) &&
- 			query == UVC_GET_DEF)
- 		return -EIO;
-@@ -225,7 +238,7 @@ static int uvc_get_video_ctrl(struct uvc_streaming *stream,
- 	ctrl->dwMaxVideoFrameSize = get_unaligned_le32(&data[18]);
- 	ctrl->dwMaxPayloadTransferSize = get_unaligned_le32(&data[22]);
- 
-	if (size == 34) {
-+	if (size >= 34) {
- 		ctrl->dwClockFrequency = get_unaligned_le32(&data[26]);
- 		ctrl->bmFramingInfo = data[30];
- 		ctrl->bPreferedVersion = data[31];
-@@ -254,11 +267,10 @@ static int uvc_get_video_ctrl(struct uvc_streaming *stream,
- static int uvc_set_video_ctrl(struct uvc_streaming *stream,
- 	struct uvc_streaming_control *ctrl, int probe)
- {
-+	u16 size = uvc_video_ctrl_size(stream);
- 	u8 *data;
-	u16 size;
- 	int ret;
- 
-	size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
- 	data = kzalloc(size, GFP_KERNEL);
- 	if (data == NULL)
- 		return -ENOMEM;
-@@ -275,7 +287,7 @@ static int uvc_set_video_ctrl(struct uvc_streaming *stream,
- 	put_unaligned_le32(ctrl->dwMaxVideoFrameSize, &data[18]);
- 	put_unaligned_le32(ctrl->dwMaxPayloadTransferSize, &data[22]);
- 
-	if (size == 34) {
-+	if (size >= 34) {
- 		put_unaligned_le32(ctrl->dwClockFrequency, &data[26]);
- 		data[30] = ctrl->bmFramingInfo;
- 		data[31] = ctrl->bPreferedVersion;
-- 
-2.17.1
-
--- a/0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
+++ b/0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
@ -1,47 +0,0 @@
-From bd23a7269834dc7c1f93e83535d16ebc44b75eba Mon Sep 17 00:00:00 2001
-From: Wenwen Wang <wang6495@umn.edu>
-Date: Tue, 8 May 2018 08:50:28 -0500
-Subject: [PATCH] virt: vbox: Only copy_from_user the request-header once
-
-In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
-the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
-'version', 'size_in', and 'size_out' fields of 'hdr' are verified.
-
-Before this commit, after the checks a buffer for the entire request would
-be allocated and then all data including the verified header would be
-copied from the userspace 'arg' pointer again.
-
-Given that the 'arg' pointer resides in userspace, a malicious userspace
-process can race to change the data pointed to by 'arg' between the two
-copies. By doing so, the user can bypass the verifications on the ioctl
-argument.
-
-This commit fixes this by using the already checked copy of the header
-to fill the header part of the allocated buffer and only copying the
-remainder of the data from userspace.
-
-Signed-off-by: Wenwen Wang <wang6495@umn.edu>
-Reviewed-by: Hans de Goede <hdegoede@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c
-index 398d22693234..6e2a9619192d 100644
--- a/drivers/virt/vboxguest/vboxguest_linux.c
-+++ b/drivers/virt/vboxguest/vboxguest_linux.c
-@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct file *filp, unsigned int req,
- 	if (!buf)
- 		return -ENOMEM;
-
-	if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
-+	*((struct vbg_ioctl_hdr *)buf) = hdr;
-+	if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
-+			   hdr.size_in - sizeof(hdr))) {
- 		ret = -EFAULT;
- 		goto out;
- 	}
-- 
-2.17.1
-
--- a/CVE-2018-12714.patch
+++ b/CVE-2018-12714.patch
@ -1,64 +0,0 @@
-From 70303420b5721c38998cf987e6b7d30cc62d4ff1 Mon Sep 17 00:00:00 2001
-From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
-Date: Thu, 21 Jun 2018 13:20:53 -0400
-Subject: [PATCH] tracing: Check for no filter when processing event filters
-
-The syzkaller detected a out-of-bounds issue with the events filter code,
-specifically here:
-
-	prog[N].pred = NULL;					/* #13 */
-	prog[N].target = 1;		/* TRUE */
-	prog[N+1].pred = NULL;
-	prog[N+1].target = 0;		/* FALSE */
->	prog[N-1].target = N;
-	prog[N-1].when_to_branch = false;
-
-As that's the first reference to a "N-1" index, it appears that the code got
-here with N = 0, which means the filter parser found no filter to parse
-(which shouldn't ever happen, but apparently it did).
-
-Add a new error to the parsing code that will check to make sure that N is
-not zero before going into this part of the code. If N = 0, then -EINVAL is
-returned, and a error message is added to the filter.
-
-Cc: stable@vger.kernel.org
-Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
-Reported-by: air icy <icytxw@gmail.com>
-bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019
-Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
-Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
- kernel/trace/trace_events_filter.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
-index e1c818dbc0d7..0dceb77d1d42 100644
--- a/kernel/trace/trace_events_filter.c
-+++ b/kernel/trace/trace_events_filter.c
-@@ -78,7 +78,8 @@ static const char * ops[] = { OPS };
- 	C(TOO_MANY_PREDS,	"Too many terms in predicate expression"), \
- 	C(INVALID_FILTER,	"Meaningless filter expression"),	\
- 	C(IP_FIELD_ONLY,	"Only 'ip' field is supported for function trace"), \
-	C(INVALID_VALUE,	"Invalid value (did you forget quotes)?"),
-+	C(INVALID_VALUE,	"Invalid value (did you forget quotes)?"), \
-+	C(NO_FILTER,		"No filter found"),
- 
- #undef C
- #define C(a, b)		FILT_ERR_##a
-@@ -550,6 +551,13 @@ predicate_parse(const char *str, int nr_parens, int nr_preds,
- 		goto out_free;
- 	}
- 
-+	if (!N) {
-+		/* No program? */
-+		ret = -EINVAL;
-+		parse_error(pe, FILT_ERR_NO_FILTER, ptr - str);
-+		goto out_free;
-+	}
-+
- 	prog[N].pred = NULL;					/* #13 */
- 	prog[N].target = 1;		/* TRUE */
- 	prog[N+1].pred = NULL;
-- 
-2.17.1
-
--- a/kernel.spec
+++ b/kernel.spec
@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}

 # Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@ -643,18 +643,9 @@ Patch509: rtc-nvmem-don-t-return-an-error-when-not-enabled.patch
 Patch510: 1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch
 Patch511: 2-2-xen-netfront-Update-features-after-registering-netdev.patch

-# CVE-2018-12633 rhbz 1594170 1594172
-Patch512: 0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
-
-# rhbz 1592454
-Patch514: 0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
-
 # rhbz 1591516
 Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch

-# CVE-2018-12714 rhbz 1595835 1595837
-Patch516: CVE-2018-12714.patch
-
 # rhbz 1572944
 Patch517: Revert-the-random-series-for-4.16.4.patch

@ -1907,6 +1898,9 @@ fi
 #
 #
 %changelog
+* Tue Jul 03 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.4-200
+- Linux v4.17.4
+
 * Fri Jun 29 2018 Jeremy Cline <jeremy@jcline.org>
 - Revert the CRNG init patches (rhbz 1572944)

--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
-SHA512 (patch-4.17.3.xz) = c0b3dfb1c1d64edc74cb3b35a4d6160ccf80b5b58d19e5a11dde372ab515c350576f8981b3816e4e8689da38b792eb85b3ef46581d65d7c51c72943dea7409f4
+SHA512 (patch-4.17.4.xz) = 0a9f976e7cf2c2cc9ba29b5eb45a6b9722059674efa99153bf449537e022426138a0848cfdb69e1df4a1a3b71ee7c9de92b4086799d0e15f44f8356b2fd63754