From 0f7105e9bcbc8e6d67aa6a7a400ce8a54fea6377 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 29 Apr 2015 10:27:20 -0500 Subject: [PATCH] Linux v4.0.1 --- ...during-prepare_binprm-for-set-ug-id-.patch | 116 ------------------ kernel.spec | 13 +- sources | 1 + 3 files changed, 6 insertions(+), 124 deletions(-) delete mode 100644 fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch diff --git a/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch b/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch deleted file mode 100644 index 230956f82..000000000 --- a/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch +++ /dev/null @@ -1,116 +0,0 @@ -From: Jann Horn -Date: Sun, 19 Apr 2015 02:48:39 +0200 -Subject: [PATCH] fs: take i_mutex during prepare_binprm for set[ug]id - executables - -This prevents a race between chown() and execve(), where chowning a -setuid-user binary to root would momentarily make the binary setuid -root. - -This patch was mostly written by Linus Torvalds. - -Signed-off-by: Jann Horn -Signed-off-by: Linus Torvalds ---- - fs/exec.c | 76 ++++++++++++++++++++++++++++++++++++++++----------------------- - 1 file changed, 48 insertions(+), 28 deletions(-) - -diff --git a/fs/exec.c b/fs/exec.c -index c7f9b733406d..00400cf522dc 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -1265,6 +1265,53 @@ static void check_unsafe_exec(struct linux_binprm *bprm) - spin_unlock(&p->fs->lock); - } - -+static void bprm_fill_uid(struct linux_binprm *bprm) -+{ -+ struct inode *inode; -+ unsigned int mode; -+ kuid_t uid; -+ kgid_t gid; -+ -+ /* clear any previous set[ug]id data from a previous binary */ -+ bprm->cred->euid = current_euid(); -+ bprm->cred->egid = current_egid(); -+ -+ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) -+ return; -+ -+ if (task_no_new_privs(current)) -+ return; -+ -+ inode = file_inode(bprm->file); -+ mode = READ_ONCE(inode->i_mode); -+ if (!(mode & (S_ISUID|S_ISGID))) -+ return; -+ -+ /* Be careful if suid/sgid is set */ -+ mutex_lock(&inode->i_mutex); -+ -+ /* reload atomically mode/uid/gid now that lock held */ -+ mode = inode->i_mode; -+ uid = inode->i_uid; -+ gid = inode->i_gid; -+ mutex_unlock(&inode->i_mutex); -+ -+ /* We ignore suid/sgid if there are no mappings for them in the ns */ -+ if (!kuid_has_mapping(bprm->cred->user_ns, uid) || -+ !kgid_has_mapping(bprm->cred->user_ns, gid)) -+ return; -+ -+ if (mode & S_ISUID) { -+ bprm->per_clear |= PER_CLEAR_ON_SETID; -+ bprm->cred->euid = uid; -+ } -+ -+ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { -+ bprm->per_clear |= PER_CLEAR_ON_SETID; -+ bprm->cred->egid = gid; -+ } -+} -+ - /* - * Fill the binprm structure from the inode. - * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes -@@ -1273,36 +1320,9 @@ static void check_unsafe_exec(struct linux_binprm *bprm) - */ - int prepare_binprm(struct linux_binprm *bprm) - { -- struct inode *inode = file_inode(bprm->file); -- umode_t mode = inode->i_mode; - int retval; - -- -- /* clear any previous set[ug]id data from a previous binary */ -- bprm->cred->euid = current_euid(); -- bprm->cred->egid = current_egid(); -- -- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) && -- !task_no_new_privs(current) && -- kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) && -- kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) { -- /* Set-uid? */ -- if (mode & S_ISUID) { -- bprm->per_clear |= PER_CLEAR_ON_SETID; -- bprm->cred->euid = inode->i_uid; -- } -- -- /* Set-gid? */ -- /* -- * If setgid is set but no group execute bit then this -- * is a candidate for mandatory locking, not a setgid -- * executable. -- */ -- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { -- bprm->per_clear |= PER_CLEAR_ON_SETID; -- bprm->cred->egid = inode->i_gid; -- } -- } -+ bprm_fill_uid(bprm); - - /* fill in binprm security blob */ - retval = security_bprm_set_creds(bprm); --- -2.1.0 - diff --git a/kernel.spec b/kernel.spec index aa4f0c3e0..aa71c604b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -40,7 +40,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 300 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -52,7 +52,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 0 +%define stable_update 1 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -642,9 +642,6 @@ Patch26184: 0001-ALSA-hda-realtek-Support-headset-mode-for-ALC286-288.patch #rhbz 1208999 Patch26177: SCSI-add-1024-max-sectors-black-list-flag.patch -#CVE-2015-3330 rbhz 1214030 -Patch26188: fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch - #rhbz 1211017 1211013 Patch26190: nfs-fix-DIO-good-bytes-calculation.patch Patch26191: nfs-remove-WARN_ON_ONCE-from-nfs_direct_good_bytes.patch @@ -1408,9 +1405,6 @@ ApplyPatch 0001-ALSA-hda-realtek-Support-headset-mode-for-ALC286-288.patch #rhbz 1208999 ApplyPatch SCSI-add-1024-max-sectors-black-list-flag.patch -#CVE-2015-3330 rbhz 1214030 -ApplyPatch fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch - #rhbz 1211017 1211013 ApplyPatch nfs-fix-DIO-good-bytes-calculation.patch ApplyPatch nfs-remove-WARN_ON_ONCE-from-nfs_direct_good_bytes.patch @@ -2269,6 +2263,9 @@ fi # # %changelog +* Wed Apr 29 2015 Justin M. Forbes - 4.0.1-300 +- Linux v4.0.1 + * Tue Apr 28 2015 Justin M. Forbes - Fix up boot times for live images (rhbz 1210857) diff --git a/sources b/sources index 6f4c65cef..0d1cacfb5 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ a86916bd12798220da9eb4a1eec3616d linux-4.0.tar.xz d125eecce68ab6fb5f1f23523c2c04b8 perf-man-4.0.tar.gz +80f12ad5146991a83bb35ab141c24f81 patch-4.0.1.xz