Linux v3.14.5
parent
380415c20a
commit
ece962adcd
@ -1,44 +0,0 @@
|
||||
From 6186594c2c72d403832cf07d66cf6d6c6daad8f1 Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Fri, 2 May 2014 16:15:33 +0200
|
||||
Subject: [PATCH 1/4] hid-quirks: Add NO_INIT_REPORTS quirk for Synaptics Touch
|
||||
Pad V 103S
|
||||
|
||||
This touchpad seriously dislikes init reports, not only timeing out, but
|
||||
also refusing to work after this.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-and-tested-by: Vincent Fortier <th0ma7@gmail.com>
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
---
|
||||
drivers/hid/hid-ids.h | 1 +
|
||||
drivers/hid/usbhid/hid-quirks.c | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
|
||||
index c8af720..43f246e 100644
|
||||
--- a/drivers/hid/hid-ids.h
|
||||
+++ b/drivers/hid/hid-ids.h
|
||||
@@ -834,6 +834,7 @@
|
||||
#define USB_DEVICE_ID_SYNAPTICS_LTS2 0x1d10
|
||||
#define USB_DEVICE_ID_SYNAPTICS_HD 0x0ac3
|
||||
#define USB_DEVICE_ID_SYNAPTICS_QUAD_HD 0x1ac3
|
||||
+#define USB_DEVICE_ID_SYNAPTICS_TP_V103 0x5710
|
||||
|
||||
#define USB_VENDOR_ID_THINGM 0x27b8
|
||||
#define USB_DEVICE_ID_BLINK1 0x01ed
|
||||
diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
|
||||
index dbd8387..8e4ddb3 100644
|
||||
--- a/drivers/hid/usbhid/hid-quirks.c
|
||||
+++ b/drivers/hid/usbhid/hid-quirks.c
|
||||
@@ -119,6 +119,7 @@ static const struct hid_blacklist {
|
||||
{ USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_LTS2, HID_QUIRK_NO_INIT_REPORTS },
|
||||
{ USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_HD, HID_QUIRK_NO_INIT_REPORTS },
|
||||
{ USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_QUAD_HD, HID_QUIRK_NO_INIT_REPORTS },
|
||||
+ { USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_TP_V103, HID_QUIRK_NO_INIT_REPORTS },
|
||||
|
||||
{ 0, 0 }
|
||||
};
|
||||
--
|
||||
1.9.0
|
||||
|
@ -1,112 +0,0 @@
|
||||
Bugzilla: 1071914
|
||||
Upstream-status: 3.15
|
||||
|
||||
From efe26e16b1d93ac0085e69178cc18811629e8fc5 Mon Sep 17 00:00:00 2001
|
||||
From: Michele Baldessari <michele@acksyn.org>
|
||||
Date: Mon, 31 Mar 2014 10:51:00 +0200
|
||||
Subject: [PATCH] USB: serial: ftdi_sio: add id for Brainboxes serial cards
|
||||
|
||||
Custom VID/PIDs for Brainboxes cards as reported in
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1071914
|
||||
|
||||
Signed-off-by: Michele Baldessari <michele@acksyn.org>
|
||||
Cc: stable <stable@vger.kernel.org>
|
||||
Signed-off-by: Johan Hovold <jhovold@gmail.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/usb/serial/ftdi_sio.c | 33 +++++++++++++++++++++++++++++++++
|
||||
drivers/usb/serial/ftdi_sio_ids.h | 37 +++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 70 insertions(+)
|
||||
|
||||
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
|
||||
index 44ab12986805..7c6e1dedeb06 100644
|
||||
--- a/drivers/usb/serial/ftdi_sio.c
|
||||
+++ b/drivers/usb/serial/ftdi_sio.c
|
||||
@@ -909,6 +909,39 @@ static const struct usb_device_id id_table_combined[] = {
|
||||
{ USB_DEVICE(FTDI_VID, FTDI_Z3X_PID) },
|
||||
/* Cressi Devices */
|
||||
{ USB_DEVICE(FTDI_VID, FTDI_CRESSI_PID) },
|
||||
+ /* Brainboxes Devices */
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_001_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_012_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_023_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_034_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_101_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_1_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_2_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_3_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_4_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_5_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_6_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_7_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_8_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_257_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_1_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_2_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_3_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_4_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_313_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_324_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_1_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_2_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_357_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_606_1_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_606_2_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_606_3_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_701_1_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_701_2_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_1_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_2_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_3_PID) },
|
||||
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_4_PID) },
|
||||
{ } /* Terminating entry */
|
||||
};
|
||||
|
||||
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
|
||||
index e599fbfcde5f..993c93df6874 100644
|
||||
--- a/drivers/usb/serial/ftdi_sio_ids.h
|
||||
+++ b/drivers/usb/serial/ftdi_sio_ids.h
|
||||
@@ -1326,3 +1326,40 @@
|
||||
* Manufacturer: Cressi
|
||||
*/
|
||||
#define FTDI_CRESSI_PID 0x87d0
|
||||
+
|
||||
+/*
|
||||
+ * Brainboxes devices
|
||||
+ */
|
||||
+#define BRAINBOXES_VID 0x05d1
|
||||
+#define BRAINBOXES_VX_001_PID 0x1001 /* VX-001 ExpressCard 1 Port RS232 */
|
||||
+#define BRAINBOXES_VX_012_PID 0x1002 /* VX-012 ExpressCard 2 Port RS232 */
|
||||
+#define BRAINBOXES_VX_023_PID 0x1003 /* VX-023 ExpressCard 1 Port RS422/485 */
|
||||
+#define BRAINBOXES_VX_034_PID 0x1004 /* VX-034 ExpressCard 2 Port RS422/485 */
|
||||
+#define BRAINBOXES_US_101_PID 0x1011 /* US-101 1xRS232 */
|
||||
+#define BRAINBOXES_US_324_PID 0x1013 /* US-324 1xRS422/485 1Mbaud */
|
||||
+#define BRAINBOXES_US_606_1_PID 0x2001 /* US-606 6 Port RS232 Serial Port 1 and 2 */
|
||||
+#define BRAINBOXES_US_606_2_PID 0x2002 /* US-606 6 Port RS232 Serial Port 3 and 4 */
|
||||
+#define BRAINBOXES_US_606_3_PID 0x2003 /* US-606 6 Port RS232 Serial Port 4 and 6 */
|
||||
+#define BRAINBOXES_US_701_1_PID 0x2011 /* US-701 4xRS232 1Mbaud Port 1 and 2 */
|
||||
+#define BRAINBOXES_US_701_2_PID 0x2012 /* US-701 4xRS422 1Mbaud Port 3 and 4 */
|
||||
+#define BRAINBOXES_US_279_1_PID 0x2021 /* US-279 8xRS422 1Mbaud Port 1 and 2 */
|
||||
+#define BRAINBOXES_US_279_2_PID 0x2022 /* US-279 8xRS422 1Mbaud Port 3 and 4 */
|
||||
+#define BRAINBOXES_US_279_3_PID 0x2023 /* US-279 8xRS422 1Mbaud Port 5 and 6 */
|
||||
+#define BRAINBOXES_US_279_4_PID 0x2024 /* US-279 8xRS422 1Mbaud Port 7 and 8 */
|
||||
+#define BRAINBOXES_US_346_1_PID 0x3011 /* US-346 4xRS422/485 1Mbaud Port 1 and 2 */
|
||||
+#define BRAINBOXES_US_346_2_PID 0x3012 /* US-346 4xRS422/485 1Mbaud Port 3 and 4 */
|
||||
+#define BRAINBOXES_US_257_PID 0x5001 /* US-257 2xRS232 1Mbaud */
|
||||
+#define BRAINBOXES_US_313_PID 0x6001 /* US-313 2xRS422/485 1Mbaud */
|
||||
+#define BRAINBOXES_US_357_PID 0x7001 /* US_357 1xRS232/422/485 */
|
||||
+#define BRAINBOXES_US_842_1_PID 0x8001 /* US-842 8xRS422/485 1Mbaud Port 1 and 2 */
|
||||
+#define BRAINBOXES_US_842_2_PID 0x8002 /* US-842 8xRS422/485 1Mbaud Port 3 and 4 */
|
||||
+#define BRAINBOXES_US_842_3_PID 0x8003 /* US-842 8xRS422/485 1Mbaud Port 5 and 6 */
|
||||
+#define BRAINBOXES_US_842_4_PID 0x8004 /* US-842 8xRS422/485 1Mbaud Port 7 and 8 */
|
||||
+#define BRAINBOXES_US_160_1_PID 0x9001 /* US-160 16xRS232 1Mbaud Port 1 and 2 */
|
||||
+#define BRAINBOXES_US_160_2_PID 0x9002 /* US-160 16xRS232 1Mbaud Port 3 and 4 */
|
||||
+#define BRAINBOXES_US_160_3_PID 0x9003 /* US-160 16xRS232 1Mbaud Port 5 and 6 */
|
||||
+#define BRAINBOXES_US_160_4_PID 0x9004 /* US-160 16xRS232 1Mbaud Port 7 and 8 */
|
||||
+#define BRAINBOXES_US_160_5_PID 0x9005 /* US-160 16xRS232 1Mbaud Port 9 and 10 */
|
||||
+#define BRAINBOXES_US_160_6_PID 0x9006 /* US-160 16xRS232 1Mbaud Port 11 and 12 */
|
||||
+#define BRAINBOXES_US_160_7_PID 0x9007 /* US-160 16xRS232 1Mbaud Port 13 and 14 */
|
||||
+#define BRAINBOXES_US_160_8_PID 0x9008 /* US-160 16xRS232 1Mbaud Port 15 and 16 */
|
||||
--
|
||||
1.9.0
|
||||
|
@ -1,98 +0,0 @@
|
||||
Bugzilla: 1096784
|
||||
Upstream-status: 3.15
|
||||
|
||||
From 0e1e9b265ec6c9b69ba5443e0d11aaa9a92ded53 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 13 Apr 2014 18:23:33 +0200
|
||||
Subject: [PATCH] filter: prevent nla extensions to peek beyond the end of the
|
||||
message
|
||||
|
||||
Upstream commit 05ab8f2647e4221cbdb3856dd7d32bd5407316b3
|
||||
|
||||
The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check
|
||||
for a minimal message length before testing the supplied offset to be
|
||||
within the bounds of the message. This allows the subtraction of the nla
|
||||
header to underflow and therefore -- as the data type is unsigned --
|
||||
allowing far to big offset and length values for the search of the
|
||||
netlink attribute.
|
||||
|
||||
The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is
|
||||
also wrong. It has the minuend and subtrahend mixed up, therefore
|
||||
calculates a huge length value, allowing to overrun the end of the
|
||||
message while looking for the netlink attribute.
|
||||
|
||||
The following three BPF snippets will trigger the bugs when attached to
|
||||
a UNIX datagram socket and parsing a message with length 1, 2 or 3.
|
||||
|
||||
,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
|
||||
| ld #0x87654321
|
||||
| ldx #42
|
||||
| ld #nla
|
||||
| ret a
|
||||
`---
|
||||
|
||||
,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
|
||||
| ld #0x87654321
|
||||
| ldx #42
|
||||
| ld #nlan
|
||||
| ret a
|
||||
`---
|
||||
|
||||
,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
|
||||
| ; (needs a fake netlink header at offset 0)
|
||||
| ld #0
|
||||
| ldx #42
|
||||
| ld #nlan
|
||||
| ret a
|
||||
`---
|
||||
|
||||
Fix the first issue by ensuring the message length fulfills the minimal
|
||||
size constrains of a nla header. Fix the second bug by getting the math
|
||||
for the remainder calculation right.
|
||||
|
||||
Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
|
||||
Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
|
||||
Cc: Patrick McHardy <kaber@trash.net>
|
||||
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Acked-by: Daniel Borkmann <dborkman@redhat.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/core/filter.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/core/filter.c b/net/core/filter.c
|
||||
index ad30d626a5bd..7be35b5fc22f 100644
|
||||
--- a/net/core/filter.c
|
||||
+++ b/net/core/filter.c
|
||||
@@ -355,6 +355,10 @@ load_b:
|
||||
|
||||
if (skb_is_nonlinear(skb))
|
||||
return 0;
|
||||
+
|
||||
+ if (skb->len < sizeof(struct nlattr))
|
||||
+ return 0;
|
||||
+
|
||||
if (A > skb->len - sizeof(struct nlattr))
|
||||
return 0;
|
||||
|
||||
@@ -371,11 +375,15 @@ load_b:
|
||||
|
||||
if (skb_is_nonlinear(skb))
|
||||
return 0;
|
||||
+
|
||||
+ if (skb->len < sizeof(struct nlattr))
|
||||
+ return 0;
|
||||
+
|
||||
if (A > skb->len - sizeof(struct nlattr))
|
||||
return 0;
|
||||
|
||||
nla = (struct nlattr *)&skb->data[A];
|
||||
- if (nla->nla_len > A - skb->len)
|
||||
+ if (nla->nla_len > skb->len - A)
|
||||
return 0;
|
||||
|
||||
nla = nla_find_nested(nla, X);
|
||||
--
|
||||
1.9.0
|
||||
|
33
kernel.spec
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
||||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 4
|
||||
%define stable_update 5
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
@ -715,15 +715,9 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
||||
#rhbz 1051748
|
||||
Patch25035: Bluetooth-allocate-static-minor-for-vhci.patch
|
||||
|
||||
#CVE-2014-2851 rhbz 1086730 1087420
|
||||
Patch25059: net-ipv4-current-group_info-should-be-put-after-using.patch
|
||||
|
||||
#rhbz 1074710
|
||||
Patch25061: mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
|
||||
|
||||
#rhbz 1071914
|
||||
Patch25063: USB-serial-ftdi_sio-add-id-for-Brainboxes-serial-car.patch
|
||||
|
||||
#rhbz 1048314
|
||||
Patch25062: 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch
|
||||
|
||||
@ -748,14 +742,10 @@ Patch25070: 0001-acpi-video-Add-4-new-models-to-the-use_native_backli.patch
|
||||
#rhbz 1060327
|
||||
Patch25071: drm-fix-qxl-mode-flags-backport.patch
|
||||
|
||||
#rhbz 1093931
|
||||
Patch25073: net-Start-with-correct-mac_len-in-skb_network_protoc.patch
|
||||
|
||||
#rhbz 1089545
|
||||
Patch25074: 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
|
||||
|
||||
#misc input fixes
|
||||
Patch25077: 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch
|
||||
Patch25078: 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch
|
||||
|
||||
#rhbz 861573
|
||||
@ -765,7 +755,6 @@ Patch25079: 0003-samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
|
||||
Patch25080: 0004-acpi-blacklist-Add-dmi_enable_osi_linux-quirk-for-As.patch
|
||||
|
||||
#CVE-2014-0181 rhbz 1094270 1094265
|
||||
Patch25081: net-Fix-ns_capable-check-in-sock_diag_put_filterinfo.patch
|
||||
Patch25082: 1-5-netlink-Rename-netlink_capable-netlink_allowed.patch
|
||||
Patch25083: 2-5-net-Move-the-permission-check-in-sock_diag_put_filterinfo-to-packet_diag_dump.patch
|
||||
Patch25084: 3-5-net-Add-variants-of-capable-for-use-on-on-sockets.patch
|
||||
@ -775,9 +764,6 @@ Patch25086: 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-m
|
||||
#rhbz 1082266
|
||||
Patch25087: jme-fix-dma-unmap-error.patch
|
||||
|
||||
# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
|
||||
Patch25090: filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
|
||||
|
||||
#rhbz 1096436
|
||||
Patch25091: 0001-synaptics-Add-min-max-quirk-for-the-ThinkPad-W540.patch
|
||||
|
||||
@ -1454,15 +1440,9 @@ ApplyPatch 0001-HID-rmi-do-not-handle-touchscreens-through-hid-rmi.patch
|
||||
#rhbz 1090161
|
||||
ApplyPatch HID-rmi-do-not-fetch-more-than-16-bytes-in-a-query.patch
|
||||
|
||||
#CVE-2014-2851 rhbz 1086730 1087420
|
||||
ApplyPatch net-ipv4-current-group_info-should-be-put-after-using.patch
|
||||
|
||||
#rhbz 1074710
|
||||
ApplyPatch mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
|
||||
|
||||
#rhbz 1071914
|
||||
ApplyPatch USB-serial-ftdi_sio-add-id-for-Brainboxes-serial-car.patch
|
||||
|
||||
#rhbz 1013466
|
||||
ApplyPatch selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
|
||||
|
||||
@ -1478,14 +1458,10 @@ ApplyPatch 0001-acpi-video-Add-4-new-models-to-the-use_native_backli.patch
|
||||
#rhbz 1060327
|
||||
ApplyPatch drm-fix-qxl-mode-flags-backport.patch
|
||||
|
||||
#rhbz 1093931
|
||||
ApplyPatch net-Start-with-correct-mac_len-in-skb_network_protoc.patch
|
||||
|
||||
#rhbz 1089545
|
||||
ApplyPatch 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
|
||||
|
||||
#misc input fixes
|
||||
ApplyPatch 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch
|
||||
ApplyPatch 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch
|
||||
|
||||
#rhbz 861573
|
||||
@ -1495,7 +1471,6 @@ ApplyPatch 0003-samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
|
||||
ApplyPatch 0004-acpi-blacklist-Add-dmi_enable_osi_linux-quirk-for-As.patch
|
||||
|
||||
#CVE-2014-0181 rhbz 1094270 1094265
|
||||
ApplyPatch net-Fix-ns_capable-check-in-sock_diag_put_filterinfo.patch
|
||||
ApplyPatch 1-5-netlink-Rename-netlink_capable-netlink_allowed.patch
|
||||
ApplyPatch 2-5-net-Move-the-permission-check-in-sock_diag_put_filterinfo-to-packet_diag_dump.patch
|
||||
ApplyPatch 3-5-net-Add-variants-of-capable-for-use-on-on-sockets.patch
|
||||
@ -1505,9 +1480,6 @@ ApplyPatch 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-me
|
||||
#rhbz 1082266
|
||||
ApplyPatch jme-fix-dma-unmap-error.patch
|
||||
|
||||
# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
|
||||
ApplyPatch filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
|
||||
|
||||
#rhbz 1096436
|
||||
ApplyPatch 0001-synaptics-Add-min-max-quirk-for-the-ThinkPad-W540.patch
|
||||
|
||||
@ -2329,6 +2301,9 @@ fi
|
||||
# and build.
|
||||
|
||||
%changelog
|
||||
* Mon Jun 02 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.14.5-100
|
||||
- Linux v3.14.5
|
||||
|
||||
* Thu May 29 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-3917 DoS with syscall auditing (rhbz 1102571 1102715)
|
||||
|
||||
|
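Review bot: The `%changelog` entry for 3.14.5-100 says only `- Linux v3.14.5`, but this section also appears to drop the carried patches under `#CVE-2014-2851`, under `# CVE-2014-3144 CVE-2014-3145`, and `Patch25081` from the CVE-2014-0181 series. The +/- markers are lost on this page, so that reading comes from the hunk line counts and the patch files deleted in the same commit. Someone auditing the package from the rpm changelog cannot tell whether those fixes are now supplied by the stable update or were lost in the rebase. I would add a changelog line such as `- Drop CVE-2014-2851, CVE-2014-3144, CVE-2014-3145 and sock_diag CVE-2014-0181 patches, now in 3.14.5`, after confirming each fix is present in the v3.14.5 tree. The remaining 1-5 through 5-5 netlink patches stay under the `#CVE-2014-0181` comment, so that comment should be kept as is.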
@ -283,9 +283,9 @@ index 0ff5407..ba76e57 100644
|
||||
+ are used by the module signature checking to reject loading of modules
|
||||
+ signed with a blacklisted key.
|
||||
+
|
||||
menuconfig MODULES
|
||||
bool "Enable loadable module support"
|
||||
option modules
|
||||
config PROFILING
|
||||
bool "Profiling support"
|
||||
help
|
||||
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
|
||||
index 0b6b870..0a29b40 100644
|
||||
--- a/kernel/module_signing.c
|
||||
|
@ -1,72 +0,0 @@
|
||||
Bugzilla: 1094270
|
||||
Upstream-status: 3.15 and queued for stable
|
||||
|
||||
From 3b72ed3ca18b9f55fc90f55a52c32b22b3a2837e Mon Sep 17 00:00:00 2001
|
||||
From: Andrew Lutomirski <luto@amacapital.net>
|
||||
Date: Wed, 16 Apr 2014 21:41:34 -0700
|
||||
Subject: [PATCH 1/6] net: Fix ns_capable check in sock_diag_put_filterinfo
|
||||
|
||||
The caller needs capabilities on the namespace being queried, not on
|
||||
their own namespace. This is a security bug, although it likely has
|
||||
only a minor impact.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
|
||||
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
|
||||
---
|
||||
include/linux/sock_diag.h | 2 +-
|
||||
net/core/sock_diag.c | 4 ++--
|
||||
net/packet/diag.c | 2 +-
|
||||
3 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
|
||||
index 54f91d35e5fd..302ab805b0bb 100644
|
||||
--- a/include/linux/sock_diag.h
|
||||
+++ b/include/linux/sock_diag.h
|
||||
@@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie);
|
||||
void sock_diag_save_cookie(void *sk, __u32 *cookie);
|
||||
|
||||
int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
|
||||
-int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
|
||||
+int sock_diag_put_filterinfo(struct sock *sk,
|
||||
struct sk_buff *skb, int attrtype);
|
||||
|
||||
#endif
|
||||
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
|
||||
index a0e9cf6379de..6a7fae228634 100644
|
||||
--- a/net/core/sock_diag.c
|
||||
+++ b/net/core/sock_diag.c
|
||||
@@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype)
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(sock_diag_put_meminfo);
|
||||
|
||||
-int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
|
||||
+int sock_diag_put_filterinfo(struct sock *sk,
|
||||
struct sk_buff *skb, int attrtype)
|
||||
{
|
||||
struct nlattr *attr;
|
||||
@@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
|
||||
unsigned int len;
|
||||
int err = 0;
|
||||
|
||||
- if (!ns_capable(user_ns, CAP_NET_ADMIN)) {
|
||||
+ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
|
||||
nla_reserve(skb, attrtype, 0);
|
||||
return 0;
|
||||
}
|
||||
diff --git a/net/packet/diag.c b/net/packet/diag.c
|
||||
index 533ce4ff108a..435ff99ba8c7 100644
|
||||
--- a/net/packet/diag.c
|
||||
+++ b/net/packet/diag.c
|
||||
@@ -172,7 +172,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
|
||||
goto out_nlmsg_trim;
|
||||
|
||||
if ((req->pdiag_show & PACKET_SHOW_FILTER) &&
|
||||
- sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER))
|
||||
+ sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER))
|
||||
goto out_nlmsg_trim;
|
||||
|
||||
return nlmsg_end(skb, nlh);
|
||||
--
|
||||
1.9.0
|
||||
|
@ -1,48 +0,0 @@
|
||||
Bugzilla: 1093931
|
||||
Upstream-status: 3.15 and queued for stable (3.14.y only)
|
||||
|
||||
From 1e785f48d29a09b6cf96db7b49b6320dada332e1 Mon Sep 17 00:00:00 2001
|
||||
From: Vlad Yasevich <vyasevic@redhat.com>
|
||||
Date: Mon, 14 Apr 2014 17:37:26 -0400
|
||||
Subject: [PATCH] net: Start with correct mac_len in skb_network_protocol
|
||||
|
||||
Sometimes, when the packet arrives at skb_mac_gso_segment()
|
||||
its skb->mac_len already accounts for some of the mac lenght
|
||||
headers in the packet. This seems to happen when forwarding
|
||||
through and OpenSSL tunnel.
|
||||
|
||||
When we start looking for any vlan headers in skb_network_protocol()
|
||||
we seem to ignore any of the already known mac headers and start
|
||||
with an ETH_HLEN. This results in an incorrect offset, dropped
|
||||
TSO frames and general slowness of the connection.
|
||||
|
||||
We can start counting from the known skb->mac_len
|
||||
and return at least that much if all mac level headers
|
||||
are known and accounted for.
|
||||
|
||||
Fixes: 53d6471cef17262d3ad1c7ce8982a234244f68ec (net: Account for all vlan headers in skb_mac_gso_segment)
|
||||
CC: Eric Dumazet <eric.dumazet@gmail.com>
|
||||
CC: Daniel Borkman <dborkman@redhat.com>
|
||||
Tested-by: Martin Filip <nexus+kernel@smoula.net>
|
||||
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/core/dev.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/core/dev.c b/net/core/dev.c
|
||||
index 14dac0654f28..5b3042e69f85 100644
|
||||
--- a/net/core/dev.c
|
||||
+++ b/net/core/dev.c
|
||||
@@ -2284,7 +2284,7 @@ EXPORT_SYMBOL(skb_checksum_help);
|
||||
__be16 skb_network_protocol(struct sk_buff *skb, int *depth)
|
||||
{
|
||||
__be16 type = skb->protocol;
|
||||
- int vlan_depth = ETH_HLEN;
|
||||
+ int vlan_depth = skb->mac_len;
|
||||
|
||||
/* Tunnel gso handlers can set protocol to ethernet. */
|
||||
if (type == htons(ETH_P_TEB)) {
|
||||
--
|
||||
1.9.0
|
||||
|
@ -1,64 +0,0 @@
|
||||
Bugzilla: 1087420
|
||||
Upstream-status: Queued for 3.15 and stable
|
||||
|
||||
From b04c46190219a4f845e46a459e3102137b7f6cac Mon Sep 17 00:00:00 2001
|
||||
From: "Wang, Xiaoming" <xiaoming.wang@intel.com>
|
||||
Date: Mon, 14 Apr 2014 12:30:45 -0400
|
||||
Subject: net: ipv4: current group_info should be put after using.
|
||||
|
||||
Plug a group_info refcount leak in ping_init.
|
||||
group_info is only needed during initialization and
|
||||
the code failed to release the reference on exit.
|
||||
While here move grabbing the reference to a place
|
||||
where it is actually needed.
|
||||
|
||||
Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
|
||||
Signed-off-by: Zhang Dongxing <dongxing.zhang@intel.com>
|
||||
Signed-off-by: xiaoming wang <xiaoming.wang@intel.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
|
||||
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
|
||||
index f4b19e5..8210964 100644
|
||||
--- a/net/ipv4/ping.c
|
||||
+++ b/net/ipv4/ping.c
|
||||
@@ -252,26 +252,33 @@ int ping_init_sock(struct sock *sk)
|
||||
{
|
||||
struct net *net = sock_net(sk);
|
||||
kgid_t group = current_egid();
|
||||
- struct group_info *group_info = get_current_groups();
|
||||
- int i, j, count = group_info->ngroups;
|
||||
+ struct group_info *group_info;
|
||||
+ int i, j, count;
|
||||
kgid_t low, high;
|
||||
+ int ret = 0;
|
||||
|
||||
inet_get_ping_group_range_net(net, &low, &high);
|
||||
if (gid_lte(low, group) && gid_lte(group, high))
|
||||
return 0;
|
||||
|
||||
+ group_info = get_current_groups();
|
||||
+ count = group_info->ngroups;
|
||||
for (i = 0; i < group_info->nblocks; i++) {
|
||||
int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
|
||||
for (j = 0; j < cp_count; j++) {
|
||||
kgid_t gid = group_info->blocks[i][j];
|
||||
if (gid_lte(low, gid) && gid_lte(gid, high))
|
||||
- return 0;
|
||||
+ goto out_release_group;
|
||||
}
|
||||
|
||||
count -= cp_count;
|
||||
}
|
||||
|
||||
- return -EACCES;
|
||||
+ ret = -EACCES;
|
||||
+
|
||||
+out_release_group:
|
||||
+ put_group_info(group_info);
|
||||
+ return ret;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(ping_init_sock);
|
||||
|
||||
--
|
||||
cgit v0.10.1
|
||||
|