From 6b375296a7557bc617ed814b212ed7eada68d69f Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Oct 13 2014 17:42:01 +0000
Subject: Linux v3.17-7872-g5ff0b9e1a1da
---
diff --git a/KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch b/KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
deleted file mode 100644
index cd141ea..0000000
--- a/KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: David Howells
-Date: Tue, 16 Sep 2014 17:29:03 +0100
-Subject: [PATCH] KEYS: Reinstate EPERM for a key type name beginning with a
- '.'
-
-Reinstate the generation of EPERM for a key type name beginning with a '.' in
-a userspace call. Types whose name begins with a '.' are internal only.
-
-The test was removed by:
-
- commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
- Author: Mimi Zohar
- Date: Thu May 22 14:02:23 2014 -0400
- Subject: KEYS: special dot prefixed keyring name bug fix
-
-I think we want to keep the restriction on type name so that userspace can't
-add keys of a special internal type.
-
-Note that removal of the test causes several of the tests in the keyutils
-testsuite to fail.
-
-Signed-off-by: David Howells
-Acked-by: Vivek Goyal
-cc: Mimi Zohar
----
- security/keys/keyctl.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index e26f860e5f2e..eff88a5f5d40 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -37,6 +37,8 @@ static int key_get_type_from_user(char *type,
- return ret;
- if (ret == 0 || ret >= len)
- return -EINVAL;
-+ if (type[0] == '.')
-+ return -EPERM;
- type[len - 1] = '\0';
- return 0;
- }
---
-1.9.3
-
diff --git a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
index 003bfec..3cdd467 100644
--- a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
+++ b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
@@ -13,7 +13,7 @@
Signed-off-by: Matthew Garrett
 1 file changed, 6 insertions(+)
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index cdf839f9defe..c63cf93b00eb 100644
+index c268e2581ed6..fb9ea1172ba8 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
diff --git a/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch b/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch
index 8d400c7..0554468 100644
--- a/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch
+++ b/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch
@@ -15,7 +15,7 @@ Signed-off-by: Josh Boyer
 2 files changed, 2 insertions(+), 2 deletions(-)
 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 41f7ec1fcf61..c79eb60a7869 100644
+index f8a07128a6e8..41eff584e169 100644
 --- a/Documentation/kernel-parameters.txt
 +++ b/Documentation/kernel-parameters.txt
 @@ -3625,7 +3625,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
diff --git a/config-generic b/config-generic
index c3a019f..e3a3eba 100644
--- a/config-generic
+++ b/config-generic
@@ -5066,6 +5066,8 @@ CONFIG_ALTERA_STAPL=m
 CONFIG_NOP_USB_XCEIV=m
+# CONFIG_INTEGRITY is not set
+
 # CONFIG_IMA is not set
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_LSM_RULES=y
diff --git a/fs-Add-a-missing-permission-check-to-do_umount.patch b/fs-Add-a-missing-permission-check-to-do_umount.patch
new file mode 100644
index 0000000..ce9de66
--- /dev/null
+++ b/fs-Add-a-missing-permission-check-to-do_umount.patch
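Review bot: The added `# CONFIG_INTEGRITY is not set` in config-generic turns off the parent option of the IMA settings listed right below it, and neither the commit message nor the new %changelog entry records why. If the line only answers a prompt that appeared with the rebased snapshot, a comment above it would say so, for example `# Integrity subsystem (IMA/EVM) intentionally left off; revisit together with CONFIG_IMA`. With the parent disabled, the `CONFIG_IMA_MEASURE_PCR_IDX=10` and `CONFIG_IMA_LSM_RULES=y` context lines presumably have no effect, so anyone auditing this config for measurement or appraisal support should not read them as enabled.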
@@ -0,0 +1,31 @@
+From: Andy Lutomirski
+Date: Wed, 8 Oct 2014 12:37:46 -0700
+Subject: [PATCH] fs: Add a missing permission check to do_umount
+
+Accessing do_remount_sb should require global CAP_SYS_ADMIN, but
+only one of the two call sites was appropriately protected.
+
+Fixes CVE-2014-7975.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Andy Lutomirski
+---
+ fs/namespace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index c8e3034ff4b2..fbba8b17330d 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1439,6 +1439,8 @@ static int do_umount(struct mount *mnt, int flags)
+ * Special case for "unmounting" root ...
+ * we just try to remount it readonly.
+ */
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
+ down_write(&sb->s_umount);
+ if (!(sb->s_flags & MS_RDONLY))
+ retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
+--
+1.9.3
+
diff --git a/kernel.spec b/kernel.spec
index 258fca0..a446dae 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 5
+%define gitrev 6
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@@ -607,14 +607,16 @@ Patch26002: samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
 #rhbz 1138759
 Patch26021: drm-vmwgfx-Fix-drm.h-include.patch
-#rhbz 1145318
-Patch26029: KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
-
 Patch26032: Revert-pinctrl-qcom-use-restart_notifier-mechanism-f.patch
 #CVE-2014-7970 rhbz 1151095 1151484
 Patch26033: mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
+#CVE-2014-7975 rhbz 1151108 1152025
+Patch26034: fs-Add-a-missing-permission-check-to-do_umount.patch
+
+Patch26035: nf_reject_ipv4-module-license-unspecified-taints-ker.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
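Review bot: The added `if (!capable(CAP_SYS_ADMIN))` in do_umount() carries no comment saying that the global capability is deliberate, although the patch description makes that the whole point ("should require global CAP_SYS_ADMIN"). A line above the check such as `/* do_remount_sb() acts on the superblock itself: require global CAP_SYS_ADMIN, not a namespace-relative check */` would keep a later cleanup from relaxing it. The check sits in the branch introduced by the "Special case for "unmounting" root" comment, and that branch's condition lies outside the hunk, so the exact set of callers it guards cannot be confirmed from the lines shown.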
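Review bot: `Patch26035: nf_reject_ipv4-module-license-unspecified-taints-ker.patch` is added with no origin comment, unlike the `#CVE-2014-7975 rhbz 1151108 1152025` line above Patch26034, so nothing tells a later maintainer where the patch came from or when it can be dropped; the matching `ApplyPatch` line in the %prep hunk has the same gap. A one-line comment naming the upstream list or commit would close it (exact wording for the packager to confirm). The commit also removes Patch26029 and adds a CVE fix, yet the new %changelog entry in the last kernel.spec hunk mentions only the rebase; a line like `- Add fix for CVE-2014-7975 (rhbz 1151108 1152025)` would make the security fix traceable from the package changelog.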
@@ -1334,14 +1336,16 @@ ApplyPatch samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
 #rhbz 1138759
 ApplyPatch drm-vmwgfx-Fix-drm.h-include.patch
-#rhbz 1145318
-ApplyPatch KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
-
 ApplyPatch Revert-pinctrl-qcom-use-restart_notifier-mechanism-f.patch
 #CVE-2014-7970 rhbz 1151095 1151484
 ApplyPatch mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
+#CVE-2014-7975 rhbz 1151108 1152025
+ApplyPatch fs-Add-a-missing-permission-check-to-do_umount.patch
+
+ApplyPatch nf_reject_ipv4-module-license-unspecified-taints-ker.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2210,6 +2214,9 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Mon Oct 13 2014 Josh Boyer - 3.18.0-0.rc0.git6.1
+- Linux v3.17-7872-g5ff0b9e1a1da
+
 * Sun Oct 12 2014 Josh Boyer - 3.18.0-0.rc0.git5.1
 - Linux v3.17-7639-g90eac7eee2f4
diff --git a/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch b/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
index 0faadaf..b89527f 100644
--- a/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
+++ b/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
@@ -26,10 +26,10 @@ Signed-off-by: "Eric W. Biederman"
 1 file changed, 3 insertions(+)
 diff --git a/fs/namespace.c b/fs/namespace.c
-index ef42d9bee212..74647c2fe69c 100644
+index 348562f14e93..c8e3034ff4b2 100644
 --- a/fs/namespace.c
 +++ b/fs/namespace.c
-@@ -2820,6 +2820,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
+@@ -2913,6 +2913,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
 /* make sure we can reach put_old from new_root */
 if (!is_path_reachable(old_mnt, old.dentry, &new))
 goto out4;
diff --git a/nf_reject_ipv4-module-license-unspecified-taints-ker.patch b/nf_reject_ipv4-module-license-unspecified-taints-ker.patch
new file mode 100644
index 0000000..f46a0c4
--- /dev/null
+++ b/nf_reject_ipv4-module-license-unspecified-taints-ker.patch
@@ -0,0 +1,84 @@
+From: Pablo Neira
+Date: Fri, 10 Oct 2014 11:56:16 +0200
+Subject: [PATCH] nf_reject_ipv4: module license 'unspecified' taints kernel
+
+On Fri, Oct 10, 2014 at 05:19:04PM +0800, Dave Young wrote:
+> Hi,
+>
+> With today's linus tree, I got below kmsg:
+> [ 23.545204] nf_reject_ipv4: module license 'unspecified' taints kernel.
+>
+> It could be caused by below commit:
+>
+> commit c8d7b98bec43faaa6583c3135030be5eb4693acb
+> Author: Pablo Neira Ayuso
+> Date: Fri Sep 26 14:35:15 2014 +0200
+>
+> netfilter: move nf_send_resetX() code to nf_reject_ipvX modules
+>
+> Move nf_send_reset() and nf_send_reset6() to nf_reject_ipv4 and
+> nf_reject_ipv6 respectively. This code is shared by x_tables and
+> nf_tables.
+>
+>
Signed-off-by: Pablo Neira Ayuso
+
+Patch attached, thanks for reporting.
+
+P.S: Please, Cc netfilter-devel@vger.kernel.org in future reports, so
+we make sure things don't get lost.
+
+>From d4358bcf64ba7a64d4de4e1dc5533c4c8f88ea82 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Fri, 10 Oct 2014 11:25:20 +0200
+Subject: [PATCH] netfilter: missing module license in the nf_reject_ipvX
+ modules
+
+[ 23.545204] nf_reject_ipv4: module license 'unspecified' taints kernel.
+
+Reported-by: Dave Young
+Signed-off-by: Pablo Neira Ayuso
+---
+ net/ipv4/netfilter/nf_reject_ipv4.c | 3 +++
+ net/ipv6/netfilter/nf_reject_ipv6.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
+index b023b4eb1a96..92b303dbd5fc 100644
+--- a/net/ipv4/netfilter/nf_reject_ipv4.c
++++ b/net/ipv4/netfilter/nf_reject_ipv4.c
+@@ -6,6 +6,7 @@
+ * published by the Free Software Foundation.
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -125,3 +126,5 @@ void nf_send_reset(struct sk_buff *oldskb, int hook)
+ kfree_skb(nskb);
+ }
+ EXPORT_SYMBOL_GPL(nf_send_reset);
++
++MODULE_LICENSE("GPL");
+diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
+index 5f5f0438d74d..20d9defc6c59 100644
+--- a/net/ipv6/netfilter/nf_reject_ipv6.c
++++ b/net/ipv6/netfilter/nf_reject_ipv6.c
+@@ -5,6 +5,8 @@
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
++
++#include
+ #include
+ #include
+ #include
+@@ -161,3 +163,5 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
+ ip6_local_out(nskb);
+ }
+ EXPORT_SYMBOL_GPL(nf_send_reset6);
++
++MODULE_LICENSE("GPL");
+--
+1.9.3
+
diff --git a/sources b/sources
index 797fc15..d94bb72 100644
--- a/sources
+++ b/sources
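Review bot: The carried patch file nf_reject_ipv4-module-license-unspecified-taints-ker.patch is a saved mailing-list reply rather than the patch itself: its header is the thread subject, the body quotes the bug report, and the real patch only starts at the `>From d4358bcf64ba7a64d4de4e1dc5533c4c8f88ea82` line. That makes it hard to match the file against the upstream commit later, and the file name mentions only ipv4 although the diff also touches net/ipv6/netfilter/nf_reject_ipv6.c. Trimming the file to the inner patch, so that it opens with `Subject: [PATCH] netfilter: missing module license in the nf_reject_ipvX modules`, would keep the provenance of the two `MODULE_LICENSE("GPL");` additions clear.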
@@ -1,3 +1,3 @@
 fb30d0f29214d75cddd2faa94f73d5cf linux-3.17.tar.xz
 159e969cbc27201d8e2fa0f609dc722f perf-man-3.17.tar.gz
-e0ed84718bffdd7b33b2220c98034259 patch-3.17-git5.xz
+5740b0a6b49144f85e75da8acb275576 patch-3.17-git6.xz
diff --git a/x86-Lock-down-IO-port-access-when-module-security-is.patch b/x86-Lock-down-IO-port-access-when-module-security-is.patch
index 327c65e..4d0b4ac 100644
--- a/x86-Lock-down-IO-port-access-when-module-security-is.patch
+++ b/x86-Lock-down-IO-port-access-when-module-security-is.patch
@@ -44,7 +44,7 @@ index 4ddaf66ea35f..00b440307419 100644
 }
 regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 917403fe10da..cdf839f9defe 100644
+index 524b707894ef..c268e2581ed6 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -27,6 +27,7 @@