From c67f8002d601eecd9ef2f5cb1b32077d4a219b2a Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 1 Jul 2014 08:28:38 -0500 Subject: [PATCH] 3.15.3 --- ...est-leak-when-events-are-reaped-by-u.patch | 48 ------- ...emory-disclosure-in-io_getevents-int.patch | 46 ------- kernel.spec | 19 +-- sources | 2 +- ...entry-Do-syscall-exit-work-on-badsys.patch | 130 ------------------ 5 files changed, 5 insertions(+), 240 deletions(-) delete mode 100644 aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch delete mode 100644 aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch delete mode 100644 x86_32-entry-Do-syscall-exit-work-on-badsys.patch diff --git a/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch b/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch deleted file mode 100644 index fa93d6622..000000000 --- a/aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch +++ /dev/null @@ -1,48 +0,0 @@ -Bugzilla: 1112975 -Upstream-status: 3.16 and CC'd to stable - -From f8567a3845ac05bb28f3c1b478ef752762bd39ef Mon Sep 17 00:00:00 2001 -From: Benjamin LaHaise -Date: Tue, 24 Jun 2014 13:12:55 -0400 -Subject: [PATCH] aio: fix aio request leak when events are reaped by userspace - -The aio cleanups and optimizations by kmo that were merged into the 3.10 -tree added a regression for userspace event reaping. Specifically, the -reference counts are not decremented if the event is reaped in userspace, -leading to the application being unable to submit further aio requests. -This patch applies to 3.12+. A separate backport is required for 3.10/3.11. -This issue was uncovered as part of CVE-2014-0206. - -Signed-off-by: Benjamin LaHaise -Cc: stable@vger.kernel.org -Cc: Kent Overstreet -Cc: Mateusz Guzik -Cc: Petr Matousek ---- - fs/aio.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/fs/aio.c b/fs/aio.c -index 4f078c054b41..6a9c7e489adf 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2) - - /* everything turned out well, dispose of the aiocb. */ - kiocb_free(iocb); -+ put_reqs_available(ctx, 1); - - /* - * We have to order our ring_info tail store above and test -@@ -1100,8 +1101,6 @@ static long aio_read_events_ring(struct kioctx *ctx, - flush_dcache_page(ctx->ring_pages[0]); - - pr_debug("%li h%u t%u\n", ret, head, tail); -- -- put_reqs_available(ctx, ret); - out: - mutex_unlock(&ctx->ring_lock); - --- -1.9.3 - diff --git a/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch b/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch deleted file mode 100644 index 831a6a85f..000000000 --- a/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch +++ /dev/null @@ -1,46 +0,0 @@ -Bugzilla: 1112975 -Upstream-status: 3.16 and CC'd to stable - -From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001 -From: Benjamin LaHaise -Date: Tue, 24 Jun 2014 13:32:51 -0400 -Subject: [PATCH] aio: fix kernel memory disclosure in io_getevents() - introduced in v3.10 - -A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10 -by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to -aio_read_events_ring() failed to correctly limit the index into -ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of -an arbitrary page with a copy_to_user() to copy the contents into userspace. -This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and -Petr for disclosing this issue. - -This patch applies to v3.12+. A separate backport is needed for 3.10/3.11. - -Signed-off-by: Benjamin LaHaise -Cc: Mateusz Guzik -Cc: Petr Matousek -Cc: Kent Overstreet -Cc: Jeff Moyer -Cc: stable@vger.kernel.org ---- - fs/aio.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/fs/aio.c b/fs/aio.c -index 6a9c7e489adf..955947ef3e02 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1063,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx, - if (head == tail) - goto out; - -+ head %= ctx->nr_events; -+ tail %= ctx->nr_events; -+ - while (ret < nr) { - long avail; - struct io_event *ev; --- -1.9.3 - diff --git a/kernel.spec b/kernel.spec index 9b2bc0fb5..24d5a0a0c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 2 +%define stable_update 3 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -749,13 +749,6 @@ Patch25102: intel_pstate-Fix-setting-VID.patch Patch25103: intel_pstate-dont-touch-turbo-bit-if-turbo-disabled-or-unavailable.patch Patch25104: intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.patch -#CVE-2014-4508 rhbz 1111590 1112073 -Patch25106: x86_32-entry-Do-syscall-exit-work-on-badsys.patch - -#CVE-2014-0206 rhbz 1094602 1112975 -Patch25107: aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch -Patch25108: aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch - Patch25109: revert-input-wacom-testing-result-shows-get_report-is-unnecessary.patch #rhbz 1021036, submitted upstream @@ -1475,13 +1468,6 @@ ApplyPatch intel_pstate-Fix-setting-VID.patch ApplyPatch intel_pstate-dont-touch-turbo-bit-if-turbo-disabled-or-unavailable.patch ApplyPatch intel_pstate-Update-documentation-of-max-min_perf_pct-sysfs-files.patch -#CVE-2014-4508 rhbz 1111590 1112073 -ApplyPatch x86_32-entry-Do-syscall-exit-work-on-badsys.patch - -#CVE-2014-0206 rhbz 1094602 1112975 -ApplyPatch aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch -ApplyPatch aio-fix-aio-request-leak-when-events-are-reaped-by-u.patch - ApplyPatch revert-input-wacom-testing-result-shows-get_report-is-unnecessary.patch #rhbz 1021036, submitted upstream @@ -2304,6 +2290,9 @@ fi # ||----w | # || || %changelog +* Tue Jul 1 2014 Justin M. Forbes +- Linux v3.15.3 + * Tue Jul 1 2014 Hans de Goede - Add min/max quirk for the ThinkPad Edge E531 touchpad (rhbz#1114768) diff --git a/sources b/sources index 8c7215eb9..25efe2ae8 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 97ca1625bb40368dc41b9a7971549071 linux-3.15.tar.xz -53eb7e210c9330021e60ffe2c5081e19 patch-3.15.2.xz +a2057d9b11f013482e2a7072552f3f02 patch-3.15.3.xz diff --git a/x86_32-entry-Do-syscall-exit-work-on-badsys.patch b/x86_32-entry-Do-syscall-exit-work-on-badsys.patch deleted file mode 100644 index c174e9453..000000000 --- a/x86_32-entry-Do-syscall-exit-work-on-badsys.patch +++ /dev/null @@ -1,130 +0,0 @@ -Bugzilla: 1112073 -Upstream-status: Sent for 3.16 and CC'd to stable -Delivered-To: jwboyer@gmail.com -Received: by 10.76.6.212 with SMTP id d20csp139586oaa; - Mon, 23 Jun 2014 14:28:15 -0700 (PDT) -X-Received: by 10.68.222.196 with SMTP id qo4mr32453892pbc.14.1403558895116; - Mon, 23 Jun 2014 14:28:15 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id bm3si23587434pad.232.2014.06.23.14.27.47 - for ; - Mon, 23 Jun 2014 14:28:15 -0700 (PDT) -Received-SPF: none (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=neutral (google.com: stable-owner@vger.kernel.org does not designate permitted sender hosts) smtp.mail=stable-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1752475AbaFWVWX (ORCPT + 73 others); - Mon, 23 Jun 2014 17:22:23 -0400 -Received: from mail-pb0-f42.google.com ([209.85.160.42]:39692 "EHLO - mail-pb0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1752518AbaFWVWW (ORCPT - ); Mon, 23 Jun 2014 17:22:22 -0400 -Received: by mail-pb0-f42.google.com with SMTP id ma3so6319797pbc.15 - for ; Mon, 23 Jun 2014 14:22:21 -0700 (PDT) -X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=1e100.net; s=20130820; - h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to - :references:mime-version:content-type:content-transfer-encoding; - bh=7AW5eK5e3OhAcFYPrsffKoD56CbJdqfg9BcyF1JKfUE=; - b=iLlWTJCuH9FlKTif4N6XtFZNvj8a/fbsjuP4kWWD/gmHHGEOWI6bh2Jm8X3vcN6GtV - f7rqFO0SAMf197e66uME3pq8NzYFad4eRgJpBGON93P22+cPbqrsT9FZjMZqn2bJkEw4 - EDZZy2MFqm3Kx2m/5g76NLDV1tgafEnwbgL1vg6IxlbPi6J8inkXwKP3FdMoTcfRBO6p - dIcI1cV7VDNf6zKaMj+XS/ZiSxqpArhwvZ6xnXRmLfgD+x/JsxEcg2pX03BXHTKO9QNm - nixe+cuug0X0E5idHuiLJzV0Wf6IhYsvVz/FvjY16pggduecA2NgNU2e7txqb+IcTBZ/ - jBbA== -X-Gm-Message-State: ALoCoQlblcwmTrVjpekrIOzidDrxwB18p5Rfd5SObiPQifpOQZmSFUKrxzV0kxCjcW/wVwxOzAG7 -X-Received: by 10.68.197.8 with SMTP id iq8mr32930210pbc.124.1403558541680; - Mon, 23 Jun 2014 14:22:21 -0700 (PDT) -Received: from localhost (50-76-60-73-ip-static.hfc.comcastbusiness.net. [50.76.60.73]) - by mx.google.com with ESMTPSA id fl6sm99195659pab.43.2014.06.23.14.22.19 - for - (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); - Mon, 23 Jun 2014 14:22:20 -0700 (PDT) -From: Andy Lutomirski -Cc: "H. Peter Anvin" , - Richard Weinberger , X86 ML , - Eric Paris , - Linux Kernel , - security@kernel.org, Steven Rostedt , - Borislav Petkov , - =?UTF-8?q?Toralf=20F=C3=B6rster?= , - Andy Lutomirski , stable@vger.kernel.org, - Roland McGrath -Subject: [PATCH] x86_32,entry: Do syscall exit work on badsys (CVE-2014-4508) -Date: Mon, 23 Jun 2014 14:22:15 -0700 -Message-Id: -X-Mailer: git-send-email 1.9.3 -In-Reply-To: -References: -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -To: unlisted-recipients:; (no To-header on input) -Sender: stable-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: stable@vger.kernel.org - -The bad syscall nr paths are their own incomprehensible route -through the entry control flow. Rearrange them to work just like -syscalls that return -ENOSYS. - -This fixes an OOPS in the audit code when fast-path auditing is -enabled and sysenter gets a bad syscall nr (CVE-2014-4508). - -This has probably been broken since Linux 2.6.27: -af0575bba0 i386 syscall audit fast-path - -Cc: stable@vger.kernel.org -Cc: Roland McGrath -Reported-by: Toralf Förster -Signed-off-by: Andy Lutomirski ---- - -I realize that the syscall audit fast path and badsys code, on 32-bit -x86 no less, is possibly one of the least fun things in the kernel to -review, but this is still a real security bug and should get fixed :( - -So I'm cc-ing a bunch of people and maybe someone will review it. - - arch/x86/kernel/entry_32.S | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index a2a4f46..f4258a5 100644 ---- a/arch/x86/kernel/entry_32.S -+++ b/arch/x86/kernel/entry_32.S -@@ -431,9 +431,10 @@ sysenter_past_esp: - jnz sysenter_audit - sysenter_do_call: - cmpl $(NR_syscalls), %eax -- jae syscall_badsys -+ jae sysenter_badsys - call *sys_call_table(,%eax,4) - movl %eax,PT_EAX(%esp) -+sysenter_after_call: - LOCKDEP_SYS_EXIT - DISABLE_INTERRUPTS(CLBR_ANY) - TRACE_IRQS_OFF -@@ -688,7 +689,12 @@ END(syscall_fault) - - syscall_badsys: - movl $-ENOSYS,PT_EAX(%esp) -- jmp resume_userspace -+ jmp syscall_exit -+END(syscall_badsys) -+ -+sysenter_badsys: -+ movl $-ENOSYS,PT_EAX(%esp) -+ jmp sysenter_after_call - END(syscall_badsys) - CFI_ENDPROC - /* --- -1.9.3 - --- -To unsubscribe from this list: send the line "unsubscribe stable" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html