diff --git a/block-do-not-pass-disk-names-as-format-strings.patch b/block-do-not-pass-disk-names-as-format-strings.patch
deleted file mode 100644
index 496111d..0000000
--- a/block-do-not-pass-disk-names-as-format-strings.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Disk names may contain arbitrary strings, so they must not be interpreted
-as format strings. It seems that only md allows arbitrary strings to be
-used for disk names, but this could allow for a local memory corruption
-from uid 0 into ring 0.
-
-CVE-2013-2851
-
-Signed-off-by: Kees Cook
-Cc: stable@vger.kernel.org
-Cc: Jens Axboe
----
- block/genhd.c | 2 +-
- drivers/block/nbd.c | 3 ++-
- drivers/scsi/osd/osd_uld.c | 2 +-
- 3 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/block/genhd.c b/block/genhd.c
-index 20625ee..cdeb527 100644
---- a/block/genhd.c
-+++ b/block/genhd.c
-@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
-
- ddev->parent = disk->driverfs_dev;
-
-- dev_set_name(ddev, disk->disk_name);
-+ dev_set_name(ddev, "%s", disk->disk_name);
-
- /* delay uevents, until we scanned partition table */
- dev_set_uevent_suppress(ddev, 1);
-diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
-index 037288e..46b35f7 100644
---- a/drivers/block/nbd.c
-+++ b/drivers/block/nbd.c
-@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
- else
- blk_queue_flush(nbd->disk->queue, 0);
-
-- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
-+ thread = kthread_create(nbd_thread, nbd, "%s",
-+ nbd->disk->disk_name);
- if (IS_ERR(thread)) {
- mutex_lock(&nbd->tx_lock);
- return PTR_ERR(thread);
-diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
-index 0fab6b5..9d86947 100644
---- a/drivers/scsi/osd/osd_uld.c
-+++ b/drivers/scsi/osd/osd_uld.c
-@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
- oud->class_dev.class = &osd_uld_class;
- oud->class_dev.parent = dev;
- oud->class_dev.release = __remove;
-- error = dev_set_name(&oud->class_dev, disk->disk_name);
-+ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
- if (error) {
- OSD_ERR("dev_set_name failed => %d\n", error);
- goto err_put_cdev;
---
-1.7.9.5
-
---
-To unsubscribe
from this list: send the line "unsubscribe linux-kernel" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at http://vger.kernel.org/majordomo-info.html
-Please read the FAQ at http://www.tux.org/lkml/
\ No newline at end of file
diff --git a/cdrom-use-kzalloc-for-failing-hardware.patch b/cdrom-use-kzalloc-for-failing-hardware.patch
deleted file mode 100644
index 6afb6c4..0000000
--- a/cdrom-use-kzalloc-for-failing-hardware.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001
-From: Jonathan Salwan
-Date: Thu, 06 Jun 2013 00:39:39 +0000
-Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
-
-In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
-area with kmalloc in line 2885.
-
-2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
-2886 if (cgc->buffer == NULL)
-2887 return -ENOMEM;
-
-In line 2908 we can find the copy_to_user function:
-
-2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
-
-The cgc->buffer is never cleaned and initialized before this function. If
-ret = 0 with the previous basic block, it's possible to display some
-memory bytes in kernel space from userspace.
-
-When we read a block from the disk it normally fills the ->buffer but if
-the drive is malfunctioning there is a chance that it would only be
-partially filled. The result is an leak information to userspace.
-
-Signed-off-by: Dan Carpenter
-Cc: Jens Axboe
-Signed-off-by: Andrew Morton
----
-(limited to 'drivers/cdrom/cdrom.c')
-
-diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
-index d620b44..8a3aff7 100644
---- a/drivers/cdrom/cdrom.c
-+++ b/drivers/cdrom/cdrom.c
-@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
- if (lba < 0)
- return -EINVAL;
-
-- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
-+ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
- if (cgc->buffer == NULL)
- return -ENOMEM;
-
---
-cgit v0.9.2
diff --git a/ceph-fix.patch b/ceph-fix.patch
deleted file mode 100644
index 6515e75..0000000
--- a/ceph-fix.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff --git a/net/ceph/auth_none.c b/net/ceph/auth_none.c
-index 925ca58..0ef2458 100644
---- a/net/ceph/auth_none.c
-+++ b/net/ceph/auth_none.c
-@@ -39,6 +39,11 @@ static int should_authenticate(struct ceph_auth_client *ac)
- return xi->starting;
- }
-
-+static int build_request(struct ceph_auth_client *ac, void *buf, void *end)
-+{
-+ return 0;
-+}
-+
- /*
- * the generic auth code decode the global_id, and we carry no actual
- * authenticate state, so nothing happens here.
-@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops ceph_auth_none_ops = {
- .destroy = destroy,
- .is_authenticated = is_authenticated,
- .should_authenticate = should_authenticate,
-+ .build_request = build_request,
- .handle_reply = handle_reply,
- .create_authorizer = ceph_auth_none_create_authorizer,
- .destroy_authorizer = ceph_auth_none_destroy_authorizer,
diff --git a/kernel.spec b/kernel.spec
index 095c965..3e7672a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 103
+%global baserelease 100
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@@ -66,7 +66,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 9
+%define stable_update 10
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -743,12 +743,6 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch
 #CVE-2013-2148 rhbz 971258 971261
 Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
-#CVE-2013-2851 rhbz 969515 971662
-Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
-
-#CVE-2013-2164 rhbz 973100 973109
-Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
-
 #rhbz 969644
 Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
@@ -774,9 +768,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch
 #CVE-2013-2234 rhbz 980995 981007
 Patch25058: af_key-fix-info-leaks-in-notify-messages.patch
-#CVE-2013-1059 rhbz 977356 980341
-Patch25059: ceph-fix.patch
-
 #CVE-2013-2232 rhbz 981552 981564
 Patch25060: ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
@@ -1486,12 +1477,6 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch
 #CVE-2013-2148 rhbz 971258 971261
 ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
-#CVE-2013-2851 rhbz 969515 971662
-ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
-
-#CVE-2013-2164 rhbz 973100 973109
-ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
-
 #rhbz 969644
 ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
@@ -1516,9 +1501,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
 #CVE-2013-2234 rhbz 980995 981007
 ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch
-#CVE-2013-1059 rhbz 977356 980341
-ApplyPatch ceph-fix.patch
-
 #CVE-2013-2232 rhbz 981552 981564
 ApplyPatch ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
@@ -2377,6 +2359,9 @@ fi
 # '-' | |
 # '-'
 %changelog
+* Sat Jul 13 2013 Josh Boyer - 3.9.10-100
+- Linux v3.9.10
+
 * Fri Jul 12 2013 Dave Jones - 3.9.9-103
 - Disable LATENCYTOP/SCHEDSTATS in non-debug builds.
diff --git a/sources b/sources
index 372d198..7bd5308 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
-41f350c2fd6aa14414bf39f173a8e6a3 patch-3.9.9.xz
+9ceaca9b18b47e126858900bd7502672 patch-3.9.10.xz