From 99ae61bcfe23e97c5d8046fc271d6cf34aa4f0f7 Mon Sep 17 00:00:00 2001
From: Justin M. Forbes
Date: Jan 30 2015 14:28:49 +0000
Subject: Linux v3.18.5

---

diff --git a/KEYS-close-race-between-key-lookup-and-freeing.patch b/KEYS-close-race-between-key-lookup-and-freeing.patch
deleted file mode 100644
index 7994e2f..0000000
--- a/KEYS-close-race-between-key-lookup-and-freeing.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Sasha Levin
-Date: Mon, 29 Dec 2014 14:39:01 -0500
-Subject: [PATCH] KEYS: close race between key lookup and freeing
-
-When a key is being garbage collected, it's key->user would get put before
-the ->destroy() callback is called, where the key is removed from it's
-respective tracking structures.
-
-This leaves a key hanging in a semi-invalid state which leaves a window open
-for a different task to try an access key->user. An example is
-find_keyring_by_name() which would dereference key->user for a key that is
-in the process of being garbage collected (where key->user was freed but
-->destroy() wasn't called yet - so it's still present in the linked list).
-
-This would cause either a panic, or corrupt memory.
-
-Signed-off-by: Sasha Levin
----
- security/keys/gc.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/security/keys/gc.c b/security/keys/gc.c
-index 9609a7f0faea..c7952375ac53 100644
---- a/security/keys/gc.c
-+++ b/security/keys/gc.c
-@@ -148,12 +148,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
- atomic_dec(&key->user->nikeys);
-
-- key_user_put(key->user);
--
- /* now throw away the key memory */
- if (key->type->destroy)
- key->type->destroy(key);
-
-+ key_user_put(key->user);
-+
- kfree(key->description);
-
- #ifdef KEY_DEBUGGING
---
-2.1.0
-
diff --git a/KVM-x86-SYSENTER-emulation-is-broken.patch b/KVM-x86-SYSENTER-emulation-is-broken.patch
deleted file mode 100644
index bda8f9e..0000000
--- a/KVM-x86-SYSENTER-emulation-is-broken.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: Nadav Amit
-Date: Thu, 1 Jan 2015 23:11:11 +0200
-Subject: [PATCH] KVM: x86: SYSENTER emulation is broken
-
-SYSENTER emulation is broken in several ways:
-1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
-2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
- still be set without causing #GP).
-3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
- legacy-mode.
-4. There is some unneeded code.
-
-Fix it.
-
-Cc: stable@vger.linux.org
-Signed-off-by: Nadav Amit
-Signed-off-by: Paolo Bonzini
----
- arch/x86/kvm/emulate.c | 27 ++++++++-------------------
- 1 file changed, 8 insertions(+), 19 deletions(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 22e7ed9e6d8e..ac640d47c28d 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -2345,7 +2345,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
- * Not recognized on AMD in compat mode (but is recognized in legacy
- * mode).
- */
-- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
-+ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
- && !vendor_intel(ctxt))
- return emulate_ud(ctxt);
-
-@@ -2358,25 +2358,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
- setup_syscalls_segments(ctxt, &cs, &ss);
-
- ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
-- switch (ctxt->mode) {
-- case X86EMUL_MODE_PROT32:
-- if ((msr_data & 0xfffc) == 0x0)
-- return emulate_gp(ctxt, 0);
-- break;
-- case X86EMUL_MODE_PROT64:
-- if (msr_data == 0x0)
-- return emulate_gp(ctxt, 0);
-- break;
-- default:
-- break;
-- }
-+ if ((msr_data & 0xfffc) == 0x0)
-+ return emulate_gp(ctxt, 0);
-
- ctxt->eflags &= ~(EFLG_VM | EFLG_IF);
-- cs_sel = (u16)msr_data;
-- cs_sel &= ~SELECTOR_RPL_MASK;
-+ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
- ss_sel = cs_sel + 8;
-- ss_sel &= ~SELECTOR_RPL_MASK;
-- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
-+ if (efer & EFER_LMA) {
- cs.d = 0;
- cs.l = 1;
- }
-@@ -2385,10 +2373,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
- ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
-
- ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
-- ctxt->_eip = msr_data;
-+ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
-
- ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
-- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
-+ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
-+ (u32)msr_data;
-
- return X86EMUL_CONTINUE;
- }
---
-2.1.0
-
diff --git a/kernel.spec b/kernel.spec
index 1375dbd..6860f67 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 201
+%global baserelease 200
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 4
+%define stable_update 5
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -615,9 +615,6 @@ Patch26101: powerpc-powernv-force-all-CPUs-to-be-bootable.patch
 #rhbz 1163927
 Patch26121: Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
 
-#CVE-2014-9529 rhbz 1179813 1179853
-Patch26124: KEYS-close-race-between-key-lookup-and-freeing.patch
-
 #rhbz 1124119
 Patch26126: uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
 Patch26127: uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch
@@ -636,10 +633,6 @@ Patch30000: kernel-arm64.patch
 # Fix for big-endian arches, already upstream
 Patch30001: mpssd-x86-only.patch
 
-#CVE-2015-0239 rhbz 1186448 1186453
-Patch30004: KVM-x86-SYSENTER-emulation-is-broken.patch
-
-
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1363,9 +1356,6 @@ ApplyPatch powerpc-powernv-force-all-CPUs-to-be-bootable.patch
 #rhbz 1163927
 ApplyPatch Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch
 
-#CVE-2014-9529 rhbz 1179813 1179853
-ApplyPatch KEYS-close-race-between-key-lookup-and-freeing.patch
-
 #rhbz 1124119
 ApplyPatch uas-Do-not-blacklist-ASM1153-disk-enclosures.patch
 ApplyPatch uas-Add-US_FL_NO_ATA_1X-for-2-more-Seagate-disk-encl.patch
@@ -1381,9 +1371,6 @@ ApplyPatch acpi-video-Add-disable_native_backlight-quirk-for-Sa.patch
 # Fix for big-endian arches, already upstream
 ApplyPatch mpssd-x86-only.patch
 
-#CVE-2015-0239 rhbz 1186448 1186453
-ApplyPatch KVM-x86-SYSENTER-emulation-is-broken.patch
-
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2254,6 +2241,9 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Fri Jan 30 2015 Justin M. Forbes - 3.18.5-100
+- Linux v3.18.5
+
 * Thu Jan 29 2015 Josh Boyer
 - Backport patch from Rob Clark to toggle i915 state machine checks
 - Disable i915 state checks
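Review bot: The new changelog entry in the last kernel.spec hunk records the release as `3.18.5-100`, while the first hunk of the same file sets `%global baserelease 200`; if the changelog is meant to match the NVR this spec builds, the header should read `* Fri Jan 30 2015 Justin M. Forbes - 3.18.5-200`. The entry also says nothing about the two local security patches that the earlier hunks drop (Patch26124/ApplyPatch for CVE-2014-9529, rhbz 1179813 1179853, and Patch30004/ApplyPatch for CVE-2015-0239, rhbz 1186448 1186453), presumably because the 3.18.5 stable update now carries them. A second bullet such as `- Drop KEYS race and KVM SYSENTER patches, now in 3.18.5 (CVE-2014-9529, CVE-2015-0239)` would let anyone auditing those rhbz entries confirm the fixes moved upstream rather than being silently removed.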
diff --git a/sources b/sources
index 9b63a7f..8bf0d43 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 9e854df51ca3fef8bfe566dbd7b89241 linux-3.18.tar.xz
 813ccb96f0b379d656e57442c2587ca3 perf-man-3.18.tar.gz
-e7c510c0df50abb2cbaea2a1a87f35b7 patch-3.18.4.xz
+e8563b2feaa6c33d20d23ac7add9d385 patch-3.18.5.xz