Linux v3.13.4
This commit is contained in:
parent
0262fc1ed2
commit
ee193af2a6
|
@ -1,116 +0,0 @@
|
|||
From 2172fa709ab32ca60e86179dc67d0857be8e2c98 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Date: Thu, 30 Jan 2014 11:26:59 -0500
|
||||
Subject: [PATCH] SELinux: Fix kernel BUG on empty security contexts.
|
||||
|
||||
Setting an empty security context (length=0) on a file will
|
||||
lead to incorrectly dereferencing the type and other fields
|
||||
of the security context structure, yielding a kernel BUG.
|
||||
As a zero-length security context is never valid, just reject
|
||||
all such security contexts whether coming from userspace
|
||||
via setxattr or coming from the filesystem upon a getxattr
|
||||
request by SELinux.
|
||||
|
||||
Setting a security context value (empty or otherwise) unknown to
|
||||
SELinux in the first place is only possible for a root process
|
||||
(CAP_MAC_ADMIN), and, if running SELinux in enforcing mode, only
|
||||
if the corresponding SELinux mac_admin permission is also granted
|
||||
to the domain by policy. In Fedora policies, this is only allowed for
|
||||
specific domains such as livecd for setting down security contexts
|
||||
that are not defined in the build host policy.
|
||||
|
||||
Reproducer:
|
||||
su
|
||||
setenforce 0
|
||||
touch foo
|
||||
setfattr -n security.selinux foo
|
||||
|
||||
Caveat:
|
||||
Relabeling or removing foo after doing the above may not be possible
|
||||
without booting with SELinux disabled. Any subsequent access to foo
|
||||
after doing the above will also trigger the BUG.
|
||||
|
||||
BUG output from Matthew Thode:
|
||||
[ 473.893141] ------------[ cut here ]------------
|
||||
[ 473.962110] kernel BUG at security/selinux/ss/services.c:654!
|
||||
[ 473.995314] invalid opcode: 0000 [#6] SMP
|
||||
[ 474.027196] Modules linked in:
|
||||
[ 474.058118] CPU: 0 PID: 8138 Comm: ls Tainted: G D I
|
||||
3.13.0-grsec #1
|
||||
[ 474.116637] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0
|
||||
07/29/10
|
||||
[ 474.149768] task: ffff8805f50cd010 ti: ffff8805f50cd488 task.ti:
|
||||
ffff8805f50cd488
|
||||
[ 474.183707] RIP: 0010:[<ffffffff814681c7>] [<ffffffff814681c7>]
|
||||
context_struct_compute_av+0xce/0x308
|
||||
[ 474.219954] RSP: 0018:ffff8805c0ac3c38 EFLAGS: 00010246
|
||||
[ 474.252253] RAX: 0000000000000000 RBX: ffff8805c0ac3d94 RCX:
|
||||
0000000000000100
|
||||
[ 474.287018] RDX: ffff8805e8aac000 RSI: 00000000ffffffff RDI:
|
||||
ffff8805e8aaa000
|
||||
[ 474.321199] RBP: ffff8805c0ac3cb8 R08: 0000000000000010 R09:
|
||||
0000000000000006
|
||||
[ 474.357446] R10: 0000000000000000 R11: ffff8805c567a000 R12:
|
||||
0000000000000006
|
||||
[ 474.419191] R13: ffff8805c2b74e88 R14: 00000000000001da R15:
|
||||
0000000000000000
|
||||
[ 474.453816] FS: 00007f2e75220800(0000) GS:ffff88061fc00000(0000)
|
||||
knlGS:0000000000000000
|
||||
[ 474.489254] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
[ 474.522215] CR2: 00007f2e74716090 CR3: 00000005c085e000 CR4:
|
||||
00000000000207f0
|
||||
[ 474.556058] Stack:
|
||||
[ 474.584325] ffff8805c0ac3c98 ffffffff811b549b ffff8805c0ac3c98
|
||||
ffff8805f1190a40
|
||||
[ 474.618913] ffff8805a6202f08 ffff8805c2b74e88 00068800d0464990
|
||||
ffff8805e8aac860
|
||||
[ 474.653955] ffff8805c0ac3cb8 000700068113833a ffff880606c75060
|
||||
ffff8805c0ac3d94
|
||||
[ 474.690461] Call Trace:
|
||||
[ 474.723779] [<ffffffff811b549b>] ? lookup_fast+0x1cd/0x22a
|
||||
[ 474.778049] [<ffffffff81468824>] security_compute_av+0xf4/0x20b
|
||||
[ 474.811398] [<ffffffff8196f419>] avc_compute_av+0x2a/0x179
|
||||
[ 474.843813] [<ffffffff8145727b>] avc_has_perm+0x45/0xf4
|
||||
[ 474.875694] [<ffffffff81457d0e>] inode_has_perm+0x2a/0x31
|
||||
[ 474.907370] [<ffffffff81457e76>] selinux_inode_getattr+0x3c/0x3e
|
||||
[ 474.938726] [<ffffffff81455cf6>] security_inode_getattr+0x1b/0x22
|
||||
[ 474.970036] [<ffffffff811b057d>] vfs_getattr+0x19/0x2d
|
||||
[ 475.000618] [<ffffffff811b05e5>] vfs_fstatat+0x54/0x91
|
||||
[ 475.030402] [<ffffffff811b063b>] vfs_lstat+0x19/0x1b
|
||||
[ 475.061097] [<ffffffff811b077e>] SyS_newlstat+0x15/0x30
|
||||
[ 475.094595] [<ffffffff8113c5c1>] ? __audit_syscall_entry+0xa1/0xc3
|
||||
[ 475.148405] [<ffffffff8197791e>] system_call_fastpath+0x16/0x1b
|
||||
[ 475.179201] Code: 00 48 85 c0 48 89 45 b8 75 02 0f 0b 48 8b 45 a0 48
|
||||
8b 3d 45 d0 b6 00 8b 40 08 89 c6 ff ce e8 d1 b0 06 00 48 85 c0 49 89 c7
|
||||
75 02 <0f> 0b 48 8b 45 b8 4c 8b 28 eb 1e 49 8d 7d 08 be 80 01 00 00 e8
|
||||
[ 475.255884] RIP [<ffffffff814681c7>]
|
||||
context_struct_compute_av+0xce/0x308
|
||||
[ 475.296120] RSP <ffff8805c0ac3c38>
|
||||
[ 475.328734] ---[ end trace f076482e9d754adc ]---
|
||||
|
||||
Reported-by: Matthew Thode <mthode@mthode.org>
|
||||
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
||||
---
|
||||
security/selinux/ss/services.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
|
||||
index fc5a63a..f1e46d7 100644
|
||||
--- a/security/selinux/ss/services.c
|
||||
+++ b/security/selinux/ss/services.c
|
||||
@@ -1232,6 +1232,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
|
||||
struct context context;
|
||||
int rc = 0;
|
||||
|
||||
+ /* An empty security context is never valid. */
|
||||
+ if (!scontext_len)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (!ss_initialized) {
|
||||
int i;
|
||||
|
||||
--
|
||||
1.8.5.3
|
||||
|
19
kernel.spec
19
kernel.spec
|
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 201
|
||||
%global baserelease 200
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 3
|
||||
%define stable_update 4
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -747,9 +747,6 @@ Patch25186: ath9k_htc-make-sta_rc_update-atomic-for-most-calls.patch
|
|||
#rhbz 950630
|
||||
Patch25187: xhci-fix-resume-issues-on-renesas-chips-in-samsung-laptops.patch
|
||||
|
||||
#CVE-2014-1874 rhbz 1062356 1062507
|
||||
Patch25188: SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
|
||||
|
||||
#rhbz 1031296
|
||||
Patch25189: tick-Clear-broadcast-pending-bit-when-switching-to-oneshot.patch
|
||||
|
||||
|
@ -760,9 +757,6 @@ Patch25195: cgroup-fixes.patch
|
|||
Patch25196: ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.patch
|
||||
Patch25197: ipv6-addrconf-revert-if_inet6ifa_flag-format.patch
|
||||
|
||||
#rhbz 1051918
|
||||
Patch25198: pinctrl-protect-pinctrl_list-add.patch
|
||||
|
||||
#CVE-2014-0069 rhbz 1064253 1062584
|
||||
Patch25200: cifs-ensure-that-uncached-writes-handle-unmapped-areas-correctly.patch
|
||||
Patch25201: cifs-sanity-check-length-of-data-to-send-before-sending.patch
|
||||
|
@ -1473,9 +1467,6 @@ ApplyPatch ath9k_htc-make-sta_rc_update-atomic-for-most-calls.patch
|
|||
#rhbz 950630
|
||||
ApplyPatch xhci-fix-resume-issues-on-renesas-chips-in-samsung-laptops.patch
|
||||
|
||||
#CVE-2014-1874 rhbz 1062356 1062507
|
||||
ApplyPatch SELinux-Fix-kernel-BUG-on-empty-security-contexts.patch
|
||||
|
||||
#rhbz 1031296
|
||||
ApplyPatch tick-Clear-broadcast-pending-bit-when-switching-to-oneshot.patch
|
||||
|
||||
|
@ -1486,9 +1477,6 @@ ApplyPatch cgroup-fixes.patch
|
|||
ApplyPatch ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.patch
|
||||
ApplyPatch ipv6-addrconf-revert-if_inet6ifa_flag-format.patch
|
||||
|
||||
#rhbz 1051918
|
||||
ApplyPatch pinctrl-protect-pinctrl_list-add.patch
|
||||
|
||||
#CVE-2014-0069 rhbz 1064253 1062584
|
||||
ApplyPatch cifs-ensure-that-uncached-writes-handle-unmapped-areas-correctly.patch
|
||||
ApplyPatch cifs-sanity-check-length-of-data-to-send-before-sending.patch
|
||||
|
@ -2308,6 +2296,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Thu Feb 20 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.13.4-200
|
||||
- Linux v3.13.4
|
||||
|
||||
* Tue Feb 18 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix r8169 ethernet after suspend (rhbz 1054408)
|
||||
- Enable INTEL_MIC drivers (rhbz 1064086)
|
||||
|
|
|
@ -16,8 +16,8 @@ index d8064af..04dcfe1 100644
|
|||
|
||||
# Actual build commands
|
||||
quiet_cmd_vdsold = VDSOL $@
|
||||
- cmd_vdsold = $(CC) $(c_flags) -Wl,-T $^ -o $@
|
||||
+ cmd_vdsold = $(CC) $(c_flags) -Wl,-T $^ -o $@ \
|
||||
- cmd_vdsold = $(CC) $(c_flags) -Wl,-n -Wl,-T $^ -o $@
|
||||
+ cmd_vdsold = $(CC) $(c_flags) -Wl,-n -Wl,-T $^ -o $@ \
|
||||
+ $(if $(AFTER_LINK),; $(AFTER_LINK))
|
||||
quiet_cmd_vdsoas = VDSOA $@
|
||||
cmd_vdsoas = $(CC) $(a_flags) -c -o $@ $<
|
||||
|
|
|
@ -1,38 +0,0 @@
|
|||
From 7b320cb1ed2dbd2c5f2a778197baf76fd6bf545a Mon Sep 17 00:00:00 2001
|
||||
From: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
Date: Tue, 4 Feb 2014 09:07:09 +0100
|
||||
Subject: [PATCH] pinctrl: protect pinctrl_list add
|
||||
|
||||
We have few fedora bug reports about list corruption on pinctrl,
|
||||
for example:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1051918
|
||||
|
||||
Most likely corruption happen due lack of protection of pinctrl_list
|
||||
when adding new nodes to it. Patch corrects that.
|
||||
|
||||
Fixes: 42fed7ba44e ("pinctrl: move subsystem mutex to pinctrl_dev struct")
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
Acked-by: Stephen Warren <swarren@nvidia.com>
|
||||
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
|
||||
---
|
||||
drivers/pinctrl/core.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
|
||||
index 5ee61a4..cab020a 100644
|
||||
--- a/drivers/pinctrl/core.c
|
||||
+++ b/drivers/pinctrl/core.c
|
||||
@@ -851,7 +851,9 @@ static struct pinctrl *create_pinctrl(struct device *dev)
|
||||
kref_init(&p->users);
|
||||
|
||||
/* Add the pinctrl handle to the global list */
|
||||
+ mutex_lock(&pinctrl_list_mutex);
|
||||
list_add_tail(&p->node, &pinctrl_list);
|
||||
+ mutex_unlock(&pinctrl_list_mutex);
|
||||
|
||||
return p;
|
||||
}
|
||||
--
|
||||
1.8.5.3
|
||||
|
Loading…
Reference in New Issue