Linux v3.13.4

2014-02-20 15:02:14 -06:00 · 2014-02-20 15:02:14 -06:00 · ee193af2a6
parent 0262fc1ed2
commit ee193af2a6
5 changed files with 8 additions and 171 deletions
--- a/SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
+++ b/SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
@ -1,116 +0,0 @@
-From 2172fa709ab32ca60e86179dc67d0857be8e2c98 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <sds@tycho.nsa.gov>
-Date: Thu, 30 Jan 2014 11:26:59 -0500
-Subject: [PATCH] SELinux:  Fix kernel BUG on empty security contexts.
-
-Setting an empty security context (length=0) on a file will
-lead to incorrectly dereferencing the type and other fields
-of the security context structure, yielding a kernel BUG.
-As a zero-length security context is never valid, just reject
-all such security contexts whether coming from userspace
-via setxattr or coming from the filesystem upon a getxattr
-request by SELinux.
-
-Setting a security context value (empty or otherwise) unknown to
-SELinux in the first place is only possible for a root process
-(CAP_MAC_ADMIN), and, if running SELinux in enforcing mode, only
-if the corresponding SELinux mac_admin permission is also granted
-to the domain by policy.  In Fedora policies, this is only allowed for
-specific domains such as livecd for setting down security contexts
-that are not defined in the build host policy.
-
-Reproducer:
-su
-setenforce 0
-touch foo
-setfattr -n security.selinux foo
-
-Caveat:
-Relabeling or removing foo after doing the above may not be possible
-without booting with SELinux disabled.  Any subsequent access to foo
-after doing the above will also trigger the BUG.
-
-BUG output from Matthew Thode:
-[  473.893141] ------------[ cut here ]------------
-[  473.962110] kernel BUG at security/selinux/ss/services.c:654!
-[  473.995314] invalid opcode: 0000 [#6] SMP
-[  474.027196] Modules linked in:
-[  474.058118] CPU: 0 PID: 8138 Comm: ls Tainted: G      D   I
-3.13.0-grsec #1
-[  474.116637] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0
-07/29/10
-[  474.149768] task: ffff8805f50cd010 ti: ffff8805f50cd488 task.ti:
-ffff8805f50cd488
-[  474.183707] RIP: 0010:[<ffffffff814681c7>]  [<ffffffff814681c7>]
-context_struct_compute_av+0xce/0x308
-[  474.219954] RSP: 0018:ffff8805c0ac3c38  EFLAGS: 00010246
-[  474.252253] RAX: 0000000000000000 RBX: ffff8805c0ac3d94 RCX:
-0000000000000100
-[  474.287018] RDX: ffff8805e8aac000 RSI: 00000000ffffffff RDI:
-ffff8805e8aaa000
-[  474.321199] RBP: ffff8805c0ac3cb8 R08: 0000000000000010 R09:
-0000000000000006
-[  474.357446] R10: 0000000000000000 R11: ffff8805c567a000 R12:
-0000000000000006
-[  474.419191] R13: ffff8805c2b74e88 R14: 00000000000001da R15:
-0000000000000000
-[  474.453816] FS:  00007f2e75220800(0000) GS:ffff88061fc00000(0000)
-knlGS:0000000000000000
-[  474.489254] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[  474.522215] CR2: 00007f2e74716090 CR3: 00000005c085e000 CR4:
-00000000000207f0
-[  474.556058] Stack:
-[  474.584325]  ffff8805c0ac3c98 ffffffff811b549b ffff8805c0ac3c98
-ffff8805f1190a40
-[  474.618913]  ffff8805a6202f08 ffff8805c2b74e88 00068800d0464990
-ffff8805e8aac860
-[  474.653955]  ffff8805c0ac3cb8 000700068113833a ffff880606c75060
-ffff8805c0ac3d94
-[  474.690461] Call Trace:
-[  474.723779]  [<ffffffff811b549b>] ? lookup_fast+0x1cd/0x22a
-[  474.778049]  [<ffffffff81468824>] security_compute_av+0xf4/0x20b
-[  474.811398]  [<ffffffff8196f419>] avc_compute_av+0x2a/0x179
-[  474.843813]  [<ffffffff8145727b>] avc_has_perm+0x45/0xf4
-[  474.875694]  [<ffffffff81457d0e>] inode_has_perm+0x2a/0x31
-[  474.907370]  [<ffffffff81457e76>] selinux_inode_getattr+0x3c/0x3e
-[  474.938726]  [<ffffffff81455cf6>] security_inode_getattr+0x1b/0x22
-[  474.970036]  [<ffffffff811b057d>] vfs_getattr+0x19/0x2d
-[  475.000618]  [<ffffffff811b05e5>] vfs_fstatat+0x54/0x91
-[  475.030402]  [<ffffffff811b063b>] vfs_lstat+0x19/0x1b
-[  475.061097]  [<ffffffff811b077e>] SyS_newlstat+0x15/0x30
-[  475.094595]  [<ffffffff8113c5c1>] ? __audit_syscall_entry+0xa1/0xc3
-[  475.148405]  [<ffffffff8197791e>] system_call_fastpath+0x16/0x1b
-[  475.179201] Code: 00 48 85 c0 48 89 45 b8 75 02 0f 0b 48 8b 45 a0 48
-8b 3d 45 d0 b6 00 8b 40 08 89 c6 ff ce e8 d1 b0 06 00 48 85 c0 49 89 c7
-75 02 <0f> 0b 48 8b 45 b8 4c 8b 28 eb 1e 49 8d 7d 08 be 80 01 00 00 e8
-[  475.255884] RIP  [<ffffffff814681c7>]
-context_struct_compute_av+0xce/0x308
-[  475.296120]  RSP <ffff8805c0ac3c38>
-[  475.328734] ---[ end trace f076482e9d754adc ]---
-
-Reported-by:  Matthew Thode <mthode@mthode.org>
-Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-Cc: stable@vger.kernel.org
-Signed-off-by: Paul Moore <pmoore@redhat.com>
---
- security/selinux/ss/services.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
-index fc5a63a..f1e46d7 100644
--- a/security/selinux/ss/services.c
-+++ b/security/selinux/ss/services.c
-@@ -1232,6 +1232,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
- 	struct context context;
- 	int rc = 0;
- 
-+	/* An empty security context is never valid. */
-+	if (!scontext_len)
-+		return -EINVAL;
-+
- 	if (!ss_initialized) {
- 		int i;
- 
-- 
-1.8.5.3
-
--- a/kernel.spec
+++ b/kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 201
+%global baserelease 200
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@ -74,7 +74,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}

 # Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@ -747,9 +747,6 @@ Patch25186: ath9k_htc-make-sta_rc_update-atomic-for-most-calls.patch
 #rhbz 950630
 Patch25187: xhci-fix-resume-issues-on-renesas-chips-in-samsung-laptops.patch

-#CVE-2014-1874 rhbz 1062356 1062507
-Patch25188: SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
-
 #rhbz 1031296
 Patch25189: tick-Clear-broadcast-pending-bit-when-switching-to-oneshot.patch

@ -760,9 +757,6 @@ Patch25195: cgroup-fixes.patch
 Patch25196: ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.patch
 Patch25197: ipv6-addrconf-revert-if_inet6ifa_flag-format.patch

-#rhbz 1051918
-Patch25198: pinctrl-protect-pinctrl_list-add.patch
-
 #CVE-2014-0069 rhbz 1064253 1062584
 Patch25200: cifs-ensure-that-uncached-writes-handle-unmapped-areas-correctly.patch
 Patch25201: cifs-sanity-check-length-of-data-to-send-before-sending.patch
@ -1473,9 +1467,6 @@ ApplyPatch ath9k_htc-make-sta_rc_update-atomic-for-most-calls.patch
 #rhbz 950630
 ApplyPatch xhci-fix-resume-issues-on-renesas-chips-in-samsung-laptops.patch

-#CVE-2014-1874 rhbz 1062356 1062507
-ApplyPatch SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
-
 #rhbz 1031296
 ApplyPatch tick-Clear-broadcast-pending-bit-when-switching-to-oneshot.patch

@ -1486,9 +1477,6 @@ ApplyPatch cgroup-fixes.patch
 ApplyPatch ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.patch
 ApplyPatch ipv6-addrconf-revert-if_inet6ifa_flag-format.patch

-#rhbz 1051918
-ApplyPatch pinctrl-protect-pinctrl_list-add.patch
-
 #CVE-2014-0069 rhbz 1064253 1062584
 ApplyPatch cifs-ensure-that-uncached-writes-handle-unmapped-areas-correctly.patch
 ApplyPatch cifs-sanity-check-length-of-data-to-send-before-sending.patch
@ -2308,6 +2296,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Thu Feb 20 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.13.4-200
+- Linux v3.13.4
+
 * Tue Feb 18 2014 Josh Boyer <jwboyer@fedoraproject.org>
 - Fix r8169 ethernet after suspend (rhbz 1054408)
 - Enable INTEL_MIC drivers (rhbz 1064086)
--- a/makefile-after_link.patch
+++ b/makefile-after_link.patch
@ -16,8 +16,8 @@ index d8064af..04dcfe1 100644
 
 # Actual build commands
 quiet_cmd_vdsold = VDSOL $@
-      cmd_vdsold = $(CC) $(c_flags) -Wl,-T $^ -o $@
-+      cmd_vdsold = $(CC) $(c_flags) -Wl,-T $^ -o $@ \
+-      cmd_vdsold = $(CC) $(c_flags) -Wl,-n -Wl,-T $^ -o $@
+      cmd_vdsold = $(CC) $(c_flags) -Wl,-n -Wl,-T $^ -o $@ \
 +			$(if $(AFTER_LINK),; $(AFTER_LINK))
 quiet_cmd_vdsoas = VDSOA $@
       cmd_vdsoas = $(CC) $(a_flags) -c -o $@ $<
--- a/pinctrl-protect-pinctrl_list-add.patch
+++ b/pinctrl-protect-pinctrl_list-add.patch
@ -1,38 +0,0 @@
-From 7b320cb1ed2dbd2c5f2a778197baf76fd6bf545a Mon Sep 17 00:00:00 2001
-From: Stanislaw Gruszka <sgruszka@redhat.com>
-Date: Tue, 4 Feb 2014 09:07:09 +0100
-Subject: [PATCH] pinctrl: protect pinctrl_list add
-
-We have few fedora bug reports about list corruption on pinctrl,
-for example:
-https://bugzilla.redhat.com/show_bug.cgi?id=1051918
-
-Most likely corruption happen due lack of protection of pinctrl_list
-when adding new nodes to it. Patch corrects that.
-
-Fixes: 42fed7ba44e ("pinctrl: move subsystem mutex to pinctrl_dev struct")
-Cc: stable@vger.kernel.org
-Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
-Acked-by: Stephen Warren <swarren@nvidia.com>
-Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
---
- drivers/pinctrl/core.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
-index 5ee61a4..cab020a 100644
--- a/drivers/pinctrl/core.c
-+++ b/drivers/pinctrl/core.c
-@@ -851,7 +851,9 @@ static struct pinctrl *create_pinctrl(struct device *dev)
- 	kref_init(&p->users);
- 
- 	/* Add the pinctrl handle to the global list */
-+	mutex_lock(&pinctrl_list_mutex);
- 	list_add_tail(&p->node, &pinctrl_list);
-+	mutex_unlock(&pinctrl_list_mutex);
- 
- 	return p;
- }
-- 
-1.8.5.3
-
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 0ecbaf65c00374eb4a826c2f9f37606f  linux-3.13.tar.xz
-2d3d298f2b430122f4baf2af88277231  patch-3.13.3.xz
+77ca721ea0e8373f58f596fe0d9b1b47  patch-3.13.4.xz