From c47527ae073c62f705ebbfc6c590452999b70298 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Dec 15 2014 19:29:01 +0000 Subject: CVE-2014-8133 x86: espfix(64) bypass via set_thread_area and CLONE_SETTLS (rhbz 1172797 1174374) --- diff --git a/ACPI-Limit-access-to-custom_method.patch b/ACPI-Limit-access-to-custom_method.patch index 636c25b..21257b8 100644 --- a/ACPI-Limit-access-to-custom_method.patch +++ b/ACPI-Limit-access-to-custom_method.patch @@ -26,5 +26,5 @@ index c68e72414a67..4277938af700 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -1.9.3 +2.1.0 diff --git a/ARM-tegra-usb-no-reset.patch b/ARM-tegra-usb-no-reset.patch index 795f3a3..f67d503 100644 --- a/ARM-tegra-usb-no-reset.patch +++ b/ARM-tegra-usb-no-reset.patch @@ -27,5 +27,5 @@ index 674c262907d9..d3e4c73d56a2 100644 * disconnected while waiting for the lock to succeed. */ usb_lock_device(hdev); -- -1.9.3 +2.1.0 diff --git a/Add-EFI-signature-data-types.patch b/Add-EFI-signature-data-types.patch index b6df877..49417b0 100644 --- a/Add-EFI-signature-data-types.patch +++ b/Add-EFI-signature-data-types.patch @@ -52,5 +52,5 @@ index ebe6a24cc1e1..5ce40e215f15 100644 * All runtime access to EFI goes through this structure: */ -- -1.9.3 +2.1.0 diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch index e78b065..0a121de 100644 --- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch +++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch @@ -174,5 +174,5 @@ index 5ce40e215f15..41359e548bcb 100644 * efi_range_is_wc - check the WC bit on an address range * @start: starting kvirt address -- -1.9.3 +2.1.0 diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch index 1b8e887..e89f2df 100644 --- a/Add-option-to-automatically-enforce-module-signature.patch 
+++ b/Add-option-to-automatically-enforce-module-signature.patch @@ -181,5 +181,5 @@ index f1d78afbe29f..ec12c156ea61 100644 { #ifdef CONFIG_MODULE_SIG -- -1.9.3 +2.1.0 diff --git a/Add-secure_modules-call.patch b/Add-secure_modules-call.patch index 18c8c82..d39399e 100644 --- a/Add-secure_modules-call.patch +++ b/Add-secure_modules-call.patch @@ -59,5 +59,5 @@ index 1c47139d161c..f1d78afbe29f 100644 +} +EXPORT_SYMBOL(secure_modules); -- -1.9.3 +2.1.0 diff --git a/Add-sysrq-option-to-disable-secure-boot-mode.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch index ca29c5c..6c35c2f 100644 --- a/Add-sysrq-option-to-disable-secure-boot-mode.patch +++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch @@ -244,5 +244,5 @@ index ec12c156ea61..1db033284ad3 100644 static int param_set_bool_enable_only(const char *val, const struct kernel_param *kp) -- -1.9.3 +2.1.0 diff --git a/HID-add-support-for-MS-Surface-Pro-3-Type-Cover.patch b/HID-add-support-for-MS-Surface-Pro-3-Type-Cover.patch index 8d12cf3..87bd4f2 100644 --- a/HID-add-support-for-MS-Surface-Pro-3-Type-Cover.patch +++ b/HID-add-support-for-MS-Surface-Pro-3-Type-Cover.patch @@ -80,5 +80,5 @@ index 5014bb567b29..cebfaf288bd3 100644 { USB_VENDOR_ID_NEXIO, USB_DEVICE_ID_NEXIO_MULTITOUCH_PTI0750, HID_QUIRK_NO_INIT_REPORTS }, { USB_VENDOR_ID_NOVATEK, USB_DEVICE_ID_NOVATEK_MOUSE, HID_QUIRK_NO_INIT_REPORTS }, -- -1.9.3 +2.1.0 diff --git a/HID-wacom-Add-support-for-the-Cintiq-Companion.patch b/HID-wacom-Add-support-for-the-Cintiq-Companion.patch index 276fa10..3a09a56 100644 --- a/HID-wacom-Add-support-for-the-Cintiq-Companion.patch +++ b/HID-wacom-Add-support-for-the-Cintiq-Companion.patch @@ -42,5 +42,5 @@ index aa6a08eb7ad6..c3cbbfb5811f 100644 { USB_DEVICE_WACOM(0x314) }, { USB_DEVICE_WACOM(0x315) }, -- -1.9.3 +2.1.0 diff --git a/KEYS-Add-a-system-blacklist-keyring.patch b/KEYS-Add-a-system-blacklist-keyring.patch index 17ef25b..0a17f6c 100644 --- a/KEYS-Add-a-system-blacklist-keyring.patch 
+++ b/KEYS-Add-a-system-blacklist-keyring.patch @@ -107,5 +107,5 @@ index 875f64e8935b..c15e93f5a418 100644 } -- -1.9.3 +2.1.0 diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch index a23a15c..3e02ef2 100644 --- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch +++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch @@ -181,5 +181,5 @@ index 000000000000..94b0eb38a284 +} +late_initcall(load_uefi_certs); -- -1.9.3 +2.1.0 diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch index 6ed99e6..60c090b 100644 --- a/MODSIGN-Support-not-importing-certs-from-db.patch +++ b/MODSIGN-Support-not-importing-certs-from-db.patch @@ -79,5 +79,5 @@ index 94b0eb38a284..ae28b974d49a 100644 mok = get_cert_list(L"MokListRT", &mok_var, &moksize); -- -1.9.3 +2.1.0 diff --git a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 46f7261..691e5e8 100644 --- a/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -112,5 +112,5 @@ index b91c4da68365..98f5637304d1 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -1.9.3 +2.1.0 diff --git a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index 003bfec..812a50b 100644 --- a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -37,5 +37,5 @@ index cdf839f9defe..c63cf93b00eb 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -1.9.3 +2.1.0 diff --git a/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch b/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch index a733945..16d28b7 100644 --- a/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch 
+++ b/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch @@ -41,5 +41,5 @@ index 8e7e18567ae6..a3d293806f96 100644 /* -- -1.9.3 +2.1.0 diff --git a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index cea06c3..74477a5 100644 --- a/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -34,5 +34,5 @@ index 3abe9b223ba7..ee8f11cf65da 100644 #endif -- -1.9.3 +2.1.0 diff --git a/ahci-disable-MSI-on-SAMSUNG-0xa800-SSD.patch b/ahci-disable-MSI-on-SAMSUNG-0xa800-SSD.patch index edc6ce6..119c2c6 100644 --- a/ahci-disable-MSI-on-SAMSUNG-0xa800-SSD.patch +++ b/ahci-disable-MSI-on-SAMSUNG-0xa800-SSD.patch @@ -1,4 +1,3 @@ -From 905ef98a83d3782207c0bda8d093e8f654884a94 Mon Sep 17 00:00:00 2001 From: Tejun Heo Date: Thu, 4 Dec 2014 13:13:28 -0500 Subject: [PATCH] ahci: disable MSI on SAMSUNG 0xa800 SSD diff --git a/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch b/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch index e95955d..0c01d8a 100644 --- a/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch +++ b/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch @@ -41,5 +41,5 @@ index 86cdb52dbf8a..db4518ef755d 100644 pinctrl-single,pins = < 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ -- -1.9.3 +2.1.0 diff --git a/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch b/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch index 04efe22..dd40d28 100644 --- a/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch +++ b/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch @@ -65,5 +65,5 @@ index bde1777b62be..c7357bcc7d5c 100644 /include/ "tps65217.dtsi" -- -1.9.3 +2.1.0 diff --git a/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch b/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch index 180055d..5ffb64b 100644 
--- a/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch +++ b/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch @@ -175,5 +175,5 @@ index c7357bcc7d5c..86cdb52dbf8a 100644 + }; +}; -- -1.9.3 +2.1.0 diff --git a/arm-dts-am335x-boneblack-add-cpu0-opp-points.patch b/arm-dts-am335x-boneblack-add-cpu0-opp-points.patch index 2c10bfa..8b2e49e 100644 --- a/arm-dts-am335x-boneblack-add-cpu0-opp-points.patch +++ b/arm-dts-am335x-boneblack-add-cpu0-opp-points.patch @@ -37,5 +37,5 @@ index bf5349165542..acfff3befff5 100644 compatible = "ti,tilcdc,slave"; i2c = <&i2c0>; -- -1.9.3 +2.1.0 diff --git a/arm-dts-am335x-boneblack-lcdc-add-panel-info.patch b/arm-dts-am335x-boneblack-lcdc-add-panel-info.patch index 00511f5..630af37 100644 --- a/arm-dts-am335x-boneblack-lcdc-add-panel-info.patch +++ b/arm-dts-am335x-boneblack-lcdc-add-panel-info.patch @@ -34,5 +34,5 @@ index 305975d3f531..bf5349165542 100644 }; }; -- -1.9.3 +2.1.0 diff --git a/arm-dts-sun7i-bananapi.patch b/arm-dts-sun7i-bananapi.patch index 0628096..ca0d727 100644 --- a/arm-dts-sun7i-bananapi.patch +++ b/arm-dts-sun7i-bananapi.patch @@ -209,5 +209,5 @@ index 000000000000..7214475a3c36 + }; +}; -- -1.9.3 +2.1.0 diff --git a/arm-highbank-l2-reverts.patch b/arm-highbank-l2-reverts.patch index f1e6d45..e930255 100644 --- a/arm-highbank-l2-reverts.patch +++ b/arm-highbank-l2-reverts.patch @@ -56,5 +56,5 @@ index 8c35ae4ff176..38e1dc3b4c6e 100644 .init_machine = highbank_init, .dt_compat = highbank_match, -- -1.9.3 +2.1.0 diff --git a/arm-i.MX6-Utilite-device-dtb.patch b/arm-i.MX6-Utilite-device-dtb.patch index 0354f75..826967f 100644 --- a/arm-i.MX6-Utilite-device-dtb.patch +++ b/arm-i.MX6-Utilite-device-dtb.patch @@ -61,5 +61,5 @@ index 99b46f8030ad..8b6ddd16dcc5 100644 + status = "okay"; +}; -- -1.9.3 +2.1.0 diff --git a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch index babfe87..01d2c93 100644 
--- a/asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -49,5 +49,5 @@ index 21fc932da3a1..c6d42ad95c08 100644 1, asus->debug.method_id, &input, &output); -- -1.9.3 +2.1.0 diff --git a/ath9k-rx-dma-stop-check.patch b/ath9k-rx-dma-stop-check.patch index 32884eb..c1034a0 100644 --- a/ath9k-rx-dma-stop-check.patch +++ b/ath9k-rx-dma-stop-check.patch @@ -37,5 +37,5 @@ index 275205ab5f15..bb842623bdf6 100644 "DMA failed to stop in %d ms AR_CR=0x%08x AR_DIAG_SW=0x%08x DMADBG_7=0x%08x\n", AH_RX_STOP_DMA_TIMEOUT / 1000, -- -1.9.3 +2.1.0 diff --git a/cfg80211-don-t-WARN-about-two-consecutive-Country-IE.patch b/cfg80211-don-t-WARN-about-two-consecutive-Country-IE.patch index 539f21c..fb87d78 100644 --- a/cfg80211-don-t-WARN-about-two-consecutive-Country-IE.patch +++ b/cfg80211-don-t-WARN-about-two-consecutive-Country-IE.patch @@ -1,4 +1,3 @@ -From e95a7085483366d52dd93b9fe8258ea77b99b89a Mon Sep 17 00:00:00 2001 From: Emmanuel Grumbach Date: Tue, 2 Dec 2014 09:53:25 +0200 Subject: [PATCH] cfg80211: don't WARN about two consecutive Country IE hint @@ -20,10 +19,10 @@ Acked-by: Luis R. Rodriguez 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/net/wireless/reg.c b/net/wireless/reg.c -index b725a31a4751..695f12b2c176 100644 +index 1afdf45db38f..e676723e29e2 100644 --- a/net/wireless/reg.c +++ b/net/wireless/reg.c -@@ -1839,11 +1839,8 @@ __reg_process_hint_country_ie(struct wiphy *wiphy, +@@ -1799,11 +1799,8 @@ __reg_process_hint_country_ie(struct wiphy *wiphy, return REG_REQ_IGNORE; return REG_REQ_ALREADY_SET; } diff --git a/crash-driver.patch b/crash-driver.patch index 9ec016d..3515471 100644 --- a/crash-driver.patch +++ b/crash-driver.patch @@ -505,5 +505,5 @@ index 000000000000..25ab9869d566 + +#endif /* __CRASH_H__ */ -- -1.9.3 +2.1.0 diff --git a/criu-no-expert.patch b/criu-no-expert.patch index 2ac9eb0..19e1ad2 100644 --- a/criu-no-expert.patch +++ b/criu-no-expert.patch 
@@ -31,5 +31,5 @@ index 3c866db603a7..bfb3c54d5286 100644 help Provides the way to make tasks work with different objects using -- -1.9.3 +2.1.0 diff --git a/die-floppy-die.patch b/die-floppy-die.patch index b77c37a..bba3e57 100644 --- a/die-floppy-die.patch +++ b/die-floppy-die.patch @@ -28,5 +28,5 @@ index 56d46ffb08e1..1c8db250df88 100644 #else -- -1.9.3 +2.1.0 diff --git a/disable-i8042-check-on-apple-mac.patch b/disable-i8042-check-on-apple-mac.patch index 73d8037..8516532 100644 --- a/disable-i8042-check-on-apple-mac.patch +++ b/disable-i8042-check-on-apple-mac.patch @@ -57,5 +57,5 @@ index 9bb95eab6926..4b5015f27f9e 100644 if (err) return err; -- -1.9.3 +2.1.0 diff --git a/disable-libdw-unwind-on-non-x86.patch b/disable-libdw-unwind-on-non-x86.patch index a57c706..e238809 100644 --- a/disable-libdw-unwind-on-non-x86.patch +++ b/disable-libdw-unwind-on-non-x86.patch @@ -24,5 +24,5 @@ index 1f67aa02d240..86c21a24da46 100644 NO_LIBUNWIND := 1 else -- -1.9.3 +2.1.0 diff --git a/drm-i915-Don-t-WARN-in-edp_panel_vdd_off.patch b/drm-i915-Don-t-WARN-in-edp_panel_vdd_off.patch index 34011bf..12c9ce2 100644 --- a/drm-i915-Don-t-WARN-in-edp_panel_vdd_off.patch +++ b/drm-i915-Don-t-WARN-in-edp_panel_vdd_off.patch @@ -12,7 +12,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 deletions(-) diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c -index 4b3c09636990..cff7f2e04de2 100644 +index 1b7375efc670..a6fb06cc6cf0 100644 --- a/drivers/gpu/drm/i915/intel_dp.c +++ b/drivers/gpu/drm/i915/intel_dp.c @@ -1303,8 +1303,6 @@ static void edp_panel_vdd_off(struct intel_dp *intel_dp, bool sync) @@ -25,5 +25,5 @@ index 4b3c09636990..cff7f2e04de2 100644 if (sync) -- -1.9.3 +2.1.0 diff --git a/drm-i915-hush-check-crtc-state.patch b/drm-i915-hush-check-crtc-state.patch index 0ba147c..682dcfb 100644 --- a/drm-i915-hush-check-crtc-state.patch +++ b/drm-i915-hush-check-crtc-state.patch 
@@ -14,10 +14,10 @@ Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/0 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index b71a02663bae..c27b94be0a95 100644 +index 7bd17b3ee95c..15d8e8d97e46 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c -@@ -10656,7 +10656,7 @@ check_crtc_state(struct drm_device *dev) +@@ -10660,7 +10660,7 @@ check_crtc_state(struct drm_device *dev) if (active && !intel_pipe_config_compare(dev, &crtc->config, &pipe_config)) { @@ -27,5 +27,5 @@ index b71a02663bae..c27b94be0a95 100644 "[hw state]"); intel_dump_pipe_config(crtc, &crtc->config, -- -1.9.3 +2.1.0 diff --git a/efi-Add-EFI_SECURE_BOOT-bit.patch b/efi-Add-EFI_SECURE_BOOT-bit.patch index 8f49e00..5f8fd3a 100644 --- a/efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/efi-Add-EFI_SECURE_BOOT-bit.patch @@ -38,5 +38,5 @@ index 45cb4ffdea62..ebe6a24cc1e1 100644 #ifdef CONFIG_EFI /* -- -1.9.3 +2.1.0 diff --git a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch index 928e145..bb46ee2 100644 --- a/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch +++ b/efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch @@ -53,5 +53,5 @@ index 975d11bfaf5b..94bf7819857a 100644 } -- -1.9.3 +2.1.0 diff --git a/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index 18d2694..c142176 100644 --- a/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -25,5 +25,5 @@ index 61542c282e70..e5ee669e87b6 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -1.9.3 +2.1.0 diff --git a/hibernate-Disable-in-a-signed-modules-environment.patch b/hibernate-Disable-in-a-signed-modules-environment.patch index 6c89536..fa1d53a 100644 
--- a/hibernate-Disable-in-a-signed-modules-environment.patch +++ b/hibernate-Disable-in-a-signed-modules-environment.patch @@ -34,5 +34,5 @@ index 1f35a3478f3c..5e2472fc3dda 100644 /** -- -1.9.3 +2.1.0 diff --git a/input-kill-stupid-messages.patch b/input-kill-stupid-messages.patch index 65a3cd6..5b9c3d9 100644 --- a/input-kill-stupid-messages.patch +++ b/input-kill-stupid-messages.patch @@ -29,5 +29,5 @@ index 6f5d79569136..95469f6ecfa5 100644 case ATKBD_RET_ERR: atkbd->err_count++; -- -1.9.3 +2.1.0 diff --git a/input-silence-i8042-noise.patch b/input-silence-i8042-noise.patch index 8852a8e..68e94c1 100644 --- a/input-silence-i8042-noise.patch +++ b/input-silence-i8042-noise.patch @@ -61,5 +61,5 @@ index ce82337521f6..a3fee4becc93 100644 cp = can_get_proto(protocol); } -- -1.9.3 +2.1.0 diff --git a/kbuild-AFTER_LINK.patch b/kbuild-AFTER_LINK.patch index 603e0e0..3afe0b0 100644 --- a/kbuild-AFTER_LINK.patch +++ b/kbuild-AFTER_LINK.patch @@ -121,5 +121,5 @@ index 86a4fe75f453..161637ed5611 100644 -- -1.9.3 +2.1.0 diff --git a/kernel.spec b/kernel.spec index 5855af9..0811362 100644 --- a/kernel.spec +++ b/kernel.spec @@ -635,6 +635,9 @@ Patch26095: ahci-disable-MSI-on-SAMSUNG-0xa800-SSD.patch #rhbz 1172543 Patch26096: cfg80211-don-t-WARN-about-two-consecutive-Country-IE.patch +#CVE-2014-8133 rhbz 1172797 1174374 +Patch26100: x86-tls-Validate-TLS-entries-to-protect-espfix.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch @@ -1380,6 +1383,9 @@ ApplyPatch ahci-disable-MSI-on-SAMSUNG-0xa800-SSD.patch #rhbz 1172543 ApplyPatch cfg80211-don-t-WARN-about-two-consecutive-Country-IE.patch +#CVE-2014-8133 rhbz 1172797 1174374 +ApplyPatch x86-tls-Validate-TLS-entries-to-protect-espfix.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. 
@@ -2254,6 +2260,9 @@ fi # ||----w | # || || %changelog +* Mon Dec 15 2014 Josh Boyer +- CVE-2014-8133 x86: espfix(64) bypass via set_thread_area and CLONE_SETTLS (rhbz 1172797 1174374) + * Fri Dec 12 2014 Kyle McMartin - build in ahci_platform on aarch64 temporarily. diff --git a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index b332137..2fb2b90 100644 --- a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -39,5 +39,5 @@ index 2bee072268d9..891477dbfee0 100644 * This leaves us room for future extensions. */ -- -1.9.3 +2.1.0 diff --git a/lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch b/lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch index 73eb343..cfb3478 100644 --- a/lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch +++ b/lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch @@ -33,5 +33,5 @@ index 54cf309a92a5..64f8bb4882fb 100644 Use dynamic allocation for cpumask_var_t, instead of putting them on the stack. This is a bit more expensive, but avoids -- -1.9.3 +2.1.0 diff --git a/lis3-improve-handling-of-null-rate.patch b/lis3-improve-handling-of-null-rate.patch index e3d3f4e..5d25039 100644 --- a/lis3-improve-handling-of-null-rate.patch +++ b/lis3-improve-handling-of-null-rate.patch @@ -74,5 +74,5 @@ index 3ef4627f9cb1..2b2d2e8e5eeb 100644 return err; -- -1.9.3 +2.1.0 diff --git a/no-pcspkr-modalias.patch b/no-pcspkr-modalias.patch index 15bbe14..a258676 100644 --- a/no-pcspkr-modalias.patch +++ b/no-pcspkr-modalias.patch @@ -21,5 +21,5 @@ index 674a2cfc3c0e..9a2807227c69 100644 static int pcspkr_event(struct input_dev *dev, unsigned int type, unsigned int code, int value) { -- -1.9.3 +2.1.0 diff --git a/perf-install-trace-event-plugins.patch b/perf-install-trace-event-plugins.patch index 9a7ad3a..d33fd15 100644 --- a/perf-install-trace-event-plugins.patch 
+++ b/perf-install-trace-event-plugins.patch @@ -26,5 +26,5 @@ index 86c21a24da46..bf0fe97bd358 100644 # Shell quote (do not use $(call) to accommodate ancient setups); -- -1.9.3 +2.1.0 diff --git a/pinctrl-pinctrl-single-must-be-initialized-early.patch b/pinctrl-pinctrl-single-must-be-initialized-early.patch index d19b75f..0e1ea2f 100644 --- a/pinctrl-pinctrl-single-must-be-initialized-early.patch +++ b/pinctrl-pinctrl-single-must-be-initialized-early.patch @@ -33,5 +33,5 @@ index 95dd9cf55cb3..800fc34d7ea9 100644 MODULE_AUTHOR("Tony Lindgren "); MODULE_DESCRIPTION("One-register-per-pin type device tree based pinctrl driver"); -- -1.9.3 +2.1.0 diff --git a/ppc64-fixtools.patch b/ppc64-fixtools.patch index f8c934b..89e0b63 100644 --- a/ppc64-fixtools.patch +++ b/ppc64-fixtools.patch @@ -20,5 +20,5 @@ index a7c23a4b3778..d73ef8bb08c7 100644 /* * When saving the callchain on Power, the kernel conservatively saves -- -1.9.3 +2.1.0 diff --git a/psmouse-Add-psmouse_matches_pnp_id-helper-function.patch b/psmouse-Add-psmouse_matches_pnp_id-helper-function.patch index 6af7c53..68dbffb 100644 --- a/psmouse-Add-psmouse_matches_pnp_id-helper-function.patch +++ b/psmouse-Add-psmouse_matches_pnp_id-helper-function.patch @@ -53,10 +53,10 @@ index 2f0b39d59a9b..f4cf664c7db3 100644 struct psmouse_attribute { struct device_attribute dattr; diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c -index 2e8f3ba7b2bd..2a7a9174c702 100644 +index 3ebfb0386300..f9472920d986 100644 --- a/drivers/input/mouse/synaptics.c +++ b/drivers/input/mouse/synaptics.c -@@ -186,18 +186,6 @@ static const char * const topbuttonpad_pnp_ids[] = { +@@ -190,18 +190,6 @@ static const char * const topbuttonpad_pnp_ids[] = { NULL }; 
@@ -75,7 +75,7 @@ index 2e8f3ba7b2bd..2a7a9174c702 100644 /***************************************************************************** * Synaptics communications functions ****************************************************************************/ -@@ -363,7 +351,8 @@ static int synaptics_resolution(struct psmouse *psmouse) +@@ -367,7 +355,8 @@ static int synaptics_resolution(struct psmouse *psmouse) } for (i = 0; min_max_pnpid_table[i].pnp_ids; i++) { @@ -85,7 +85,7 @@ index 2e8f3ba7b2bd..2a7a9174c702 100644 priv->x_min = min_max_pnpid_table[i].x_min; priv->x_max = min_max_pnpid_table[i].x_max; priv->y_min = min_max_pnpid_table[i].y_min; -@@ -1495,7 +1484,7 @@ static void set_input_params(struct psmouse *psmouse, +@@ -1499,7 +1488,7 @@ static void set_input_params(struct psmouse *psmouse, if (SYN_CAP_CLICKPAD(priv->ext_cap_0c)) { __set_bit(INPUT_PROP_BUTTONPAD, dev->propbit); @@ -95,5 +95,5 @@ index 2e8f3ba7b2bd..2a7a9174c702 100644 /* Clickpads report only left button */ __clear_bit(BTN_RIGHT, dev->keybit); -- -1.9.3 +2.1.0 diff --git a/psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch b/psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch index 0d0583d..3cd8911 100644 --- a/psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch +++ b/psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch @@ -153,5 +153,5 @@ index 02e68c3008a3..2c8c8e2172a2 100644 * Reset to defaults in case the device got confused by extended * protocol probes. Note that we follow up with full reset because -- -1.9.3 +2.1.0 diff --git a/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch b/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch index 4c12bd7..86870bb 100644 --- a/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch +++ b/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch @@ -35,5 +35,5 @@ index ff765d8e1a09..864290243e46 100644 }; MODULE_DEVICE_TABLE(dmi, samsung_dmi_table); -- -1.9.3 +2.1.0 
diff --git a/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch b/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch index 9dad35c..0a2c7fb 100644 --- a/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch +++ b/scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch @@ -33,5 +33,5 @@ index 2c2041ca4b70..e10812d985af 100644 * If the device is offline, don't try and read capacity or any * of the other niceties. -- -1.9.3 +2.1.0 diff --git a/silence-fbcon-logo.patch b/silence-fbcon-logo.patch index 2b907f9..ae4c118 100644 --- a/silence-fbcon-logo.patch +++ b/silence-fbcon-logo.patch @@ -51,5 +51,5 @@ index 57b1d44acbfe..31048a85713d 100644 #ifdef MODULE -- -1.9.3 +2.1.0 diff --git a/uas-Add-US_FL_NO_ATA_1X-for-Seagate-devices-with-usb.patch b/uas-Add-US_FL_NO_ATA_1X-for-Seagate-devices-with-usb.patch index 1e12a64..66e2823 100644 --- a/uas-Add-US_FL_NO_ATA_1X-for-Seagate-devices-with-usb.patch +++ b/uas-Add-US_FL_NO_ATA_1X-for-Seagate-devices-with-usb.patch @@ -1,7 +1,6 @@ -From 37a72caa7f031da7b3e63252c1f0023b8272203c Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Fri, 5 Dec 2014 11:06:36 +0100 -Subject: [PATCH 2/3] uas: Add US_FL_NO_ATA_1X for Seagate devices with usb-id +Subject: [PATCH] uas: Add US_FL_NO_ATA_1X for Seagate devices with usb-id 0bc2:a013 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 diff --git a/uas-Add-US_FL_NO_REPORT_OPCODES-for-JMicron-JMS566-w.patch b/uas-Add-US_FL_NO_REPORT_OPCODES-for-JMicron-JMS566-w.patch index 11725df..e95a5c7 100644 --- a/uas-Add-US_FL_NO_REPORT_OPCODES-for-JMicron-JMS566-w.patch +++ b/uas-Add-US_FL_NO_REPORT_OPCODES-for-JMicron-JMS566-w.patch @@ -1,7 +1,6 @@ -From a7ea9a460f28ef9781ba8dad4a6feb5fd01202f2 Mon Sep 17 00:00:00 2001 
From: Hans de Goede Date: Mon, 8 Dec 2014 09:46:36 +0100 -Subject: [PATCH 3/3] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS566 with +Subject: [PATCH] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS566 with usb-id 0bc2:a013 Like the JMicron JMS567 enclosures with the JMS566 choke on report-opcodes, diff --git a/watchdog-Disable-watchdog-on-virtual-machines.patch b/watchdog-Disable-watchdog-on-virtual-machines.patch index 23a17c0..ea7debc 100644 --- a/watchdog-Disable-watchdog-on-virtual-machines.patch +++ b/watchdog-Disable-watchdog-on-virtual-machines.patch @@ -74,5 +74,5 @@ index a8d6914030fe..d0a8c308170d 100644 if (watchdog_user_enabled) -- -1.9.3 +2.1.0 diff --git a/x86-Lock-down-IO-port-access-when-module-security-is.patch b/x86-Lock-down-IO-port-access-when-module-security-is.patch index 327c65e..fc1cfd5 100644 --- a/x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -66,5 +66,5 @@ index 917403fe10da..cdf839f9defe 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -1.9.3 +2.1.0 diff --git a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch index f21c938..12eedc9 100644 --- a/x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -38,5 +38,5 @@ index c9603ac80de5..8bef43fc3f40 100644 err = -EFAULT; break; -- -1.9.3 +2.1.0 diff --git a/x86-kvm-Clear-paravirt_enabled-on-KVM-guests-for-esp.patch b/x86-kvm-Clear-paravirt_enabled-on-KVM-guests-for-esp.patch index ba6928d..cae153c 100644 --- a/x86-kvm-Clear-paravirt_enabled-on-KVM-guests-for-esp.patch +++ b/x86-kvm-Clear-paravirt_enabled-on-KVM-guests-for-esp.patch @@ -1,4 +1,3 @@ -From 0fdb006a5af7f391a6de4ce810aba4af46c427e4 Mon Sep 17 00:00:00 2001 From: Andy Lutomirski Date: Fri, 5 Dec 2014 19:03:28 -0800 Subject: [PATCH] x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's 
diff --git a/x86-tls-Validate-TLS-entries-to-protect-espfix.patch b/x86-tls-Validate-TLS-entries-to-protect-espfix.patch
new file mode 100644
index 0000000..52c0497
--- /dev/null
+++ b/x86-tls-Validate-TLS-entries-to-protect-espfix.patch
@@ -0,0 +1,77 @@
+From: Andy Lutomirski
+Date: Thu, 4 Dec 2014 16:48:16 -0800
+Subject: [PATCH] x86/tls: Validate TLS entries to protect espfix
+
+Installing a 16-bit RW data segment into the GDT defeats espfix.
+AFAICT this will not affect glibc, Wine, or dosemu at all.
+
+Signed-off-by: Andy Lutomirski
+Acked-by: H. Peter Anvin
+Cc: stable@vger.kernel.org
+Cc: Konrad Rzeszutek Wilk
+Cc: Linus Torvalds
+Cc: security@kernel.org
+Cc: Willy Tarreau
+Signed-off-by: Ingo Molnar
+---
+ arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
+index f7fec09e3e3a..e7650bd71109 100644
+--- a/arch/x86/kernel/tls.c
++++ b/arch/x86/kernel/tls.c
+@@ -27,6 +27,21 @@ static int get_free_idx(void)
+ return -ESRCH;
+ }
+
++static bool tls_desc_okay(const struct user_desc *info)
++{
++ if (LDT_empty(info))
++ return true;
++
++ /*
++ * espfix is required for 16-bit data segments, but espfix
++ * only works for LDT segments.
++ */ ++ if (!info->seg_32bit) ++ return false; ++ ++ return true; ++} ++ + static void set_tls_desc(struct task_struct *p, int idx, + const struct user_desc *info, int n) + { +@@ -66,6 +81,9 @@ int do_set_thread_area(struct task_struct *p, int idx, + if (copy_from_user(&info, u_info, sizeof(info))) + return -EFAULT; + ++ if (!tls_desc_okay(&info)) ++ return -EINVAL; ++ + if (idx == -1) + idx = info.entry_number; + +@@ -192,6 +210,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, + { + struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; + const struct user_desc *info; ++ int i; + + if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || + (pos % sizeof(struct user_desc)) != 0 || +@@ -205,6 +224,10 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, + else + info = infobuf; + ++ for (i = 0; i < count / sizeof(struct user_desc); i++) ++ if (!tls_desc_okay(info + i)) ++ return -EINVAL; ++ + set_tls_desc(target, + GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), + info, count / sizeof(struct user_desc)); +-- +2.1.0 + diff --git a/xhci-Add-broken-streams-quirk-for-Fresco-Logic-FL100.patch b/xhci-Add-broken-streams-quirk-for-Fresco-Logic-FL100.patch index 43181ff..e54425e 100644 --- a/xhci-Add-broken-streams-quirk-for-Fresco-Logic-FL100.patch +++ b/xhci-Add-broken-streams-quirk-for-Fresco-Logic-FL100.patch @@ -1,8 +1,7 @@ -From e6a429eb0bfa03e3dca62e3922874d768833395f Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Fri, 5 Dec 2014 11:01:00 +0100 -Subject: [PATCH 1/3] xhci: Add broken-streams quirk for Fresco Logic FL1000G - xhci controllers +Subject: [PATCH] xhci: Add broken-streams quirk for Fresco Logic FL1000G xhci + controllers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
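Review bot: `tls_desc_okay()` in the embedded arch/x86/kernel/tls.c patch validates only `seg_32bit`, so every other field of the user-supplied `struct user_desc` still reaches `set_tls_desc()` unchecked from both `do_set_thread_area()` and `regset_tls_set()`. If the intent is that TLS slots hold only ordinary 32-bit data segments, consider rejecting the remaining unusual shapes in the same helper, for example `if (info->contents > 1) return false;` and `if (info->seg_not_present) return false;`, each with a one-line comment giving the reason; whether those cases matter for espfix cannot be established from this hunk alone. The new loop in `regset_tls_set()` compares `int i` against the `size_t` result of `count / sizeof(struct user_desc)` and leaves a two-line body unbraced, so an unsigned index and braces would read more safely. The bodies of both callers start and end outside the hunks shown.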