diff --git a/0001-proc-do-not-access-cmdline-nor-environ-from-file-bac.patch b/0001-proc-do-not-access-cmdline-nor-environ-from-file-bac.patch deleted file mode 100644 index a893c36..0000000 --- a/0001-proc-do-not-access-cmdline-nor-environ-from-file-bac.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 7f7ccc2ccc2e70c6054685f5e3522efa81556830 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Fri, 11 May 2018 08:11:44 +0200 -Subject: [PATCH] proc: do not access cmdline nor environ from file-backed - areas - -proc_pid_cmdline_read() and environ_read() directly access the target -process' VM to retrieve the command line and environment. If this -process remaps these areas onto a file via mmap(), the requesting -process may experience various issues such as extra delays if the -underlying device is slow to respond. - -Let's simply refuse to access file-backed areas in these functions. -For this we add a new FOLL_ANON gup flag that is passed to all calls -to access_remote_vm(). The code already takes care of such failures -(including unmapped areas). Accesses via /proc/pid/mem were not -changed though. - -This was assigned CVE-2018-1120. - -Note for stable backports: the patch may apply to kernels prior to 4.11 -but silently miss one location; it must be checked that no call to -access_remote_vm() keeps zero as the last argument. - -Reported-by: Qualys Security Advisory -Cc: Linus Torvalds -Cc: Andy Lutomirski -Cc: Oleg Nesterov -Cc: stable@vger.kernel.org -Signed-off-by: Willy Tarreau -Signed-off-by: Linus Torvalds ---- - fs/proc/base.c | 8 ++++---- - include/linux/mm.h | 1 + - mm/gup.c | 3 +++ - 3 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/fs/proc/base.c b/fs/proc/base.c -index 1b2ede6abcdf..1a76d751cf3c 100644 ---- a/fs/proc/base.c -+++ b/fs/proc/base.c -@@ -261,7 +261,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf, - * Inherently racy -- command line shares address space - * with code and data. - */ -- rv = access_remote_vm(mm, arg_end - 1, &c, 1, 0); -+ rv = access_remote_vm(mm, arg_end - 1, &c, 1, FOLL_ANON); - if (rv <= 0) - goto out_free_page; - -@@ -279,7 +279,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf, - int nr_read; - - _count = min3(count, len, PAGE_SIZE); -- nr_read = access_remote_vm(mm, p, page, _count, 0); -+ nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON); - if (nr_read < 0) - rv = nr_read; - if (nr_read <= 0) -@@ -325,7 +325,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf, - bool final; - - _count = min3(count, len, PAGE_SIZE); -- nr_read = access_remote_vm(mm, p, page, _count, 0); -+ nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON); - if (nr_read < 0) - rv = nr_read; - if (nr_read <= 0) -@@ -946,7 +946,7 @@ static ssize_t environ_read(struct file *file, char __user *buf, - max_len = min_t(size_t, PAGE_SIZE, count); - this_len = min(max_len, this_len); - -- retval = access_remote_vm(mm, (env_start + src), page, this_len, 0); -+ retval = access_remote_vm(mm, (env_start + src), page, this_len, FOLL_ANON); - - if (retval <= 0) { - ret = retval; -diff --git a/include/linux/mm.h b/include/linux/mm.h -index 1ac1f06a4be6..c080af584ddd 100644 ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -2493,6 +2493,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma, - #define FOLL_MLOCK 0x1000 /* lock present pages */ - #define FOLL_REMOTE 0x2000 /* we are working on non-current tsk/mm */ - #define FOLL_COW 0x4000 /* internal GUP flag */ -+#define FOLL_ANON 0x8000 /* don't do file mappings */ - - static inline int vm_fault_to_errno(int vm_fault, int foll_flags) - { -diff --git a/mm/gup.c b/mm/gup.c -index 76af4cfeaf68..541904a7c60f 100644 ---- a/mm/gup.c -+++ b/mm/gup.c -@@ -544,6 +544,9 @@ static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags) - if (vm_flags & (VM_IO | VM_PFNMAP)) - return -EFAULT; - -+ if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma)) -+ return -EFAULT; -+ - if (write) { - if (!(vm_flags & VM_WRITE)) { - if (!(gup_flags & FOLL_FORCE)) --- -2.17.0 - diff --git a/kernel.spec b/kernel.spec index 564e4b4..b773d18 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -669,9 +669,6 @@ Patch511: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch # rhbz 1566258 Patch512: KVM-vmx-update-sec-exec-controls-for-UMIP-iff-emulating-UMIP.patch -# CVE-2018-1120 rhbz 1575472 1579542 -Patch513: 0001-proc-do-not-access-cmdline-nor-environ-from-file-bac.patch - # END OF PATCH DEFINITIONS %endif @@ -1922,6 +1919,9 @@ fi # # %changelog +* Mon May 21 2018 Jeremy Cline - 4.16.10-300 +- Linux v4.16.10 + * Sun May 20 2018 Hans de Goede - Enable GPIO_AMDPT, PINCTRL_AMD and X86_AMD_PLATFORM_DEVICE Kconfig options to fix i2c and GPIOs not working on AMD based laptops (rhbz#1510649) diff --git a/sources b/sources index 679cdca..467dc6e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-4.16.tar.xz) = ab47849314b177d0eec9dbf261f33972b0d89fb92fb0650130ffa7abc2f36c0fab2d06317dc1683c51a472a9a631573a9b1e7258d6281a2ee189897827f14662 -SHA512 (patch-4.16.9.xz) = d3a26957b13ba6e7e9488991cbdfe4ac20112efccbd3ed6a5c786e344731561323ec3d36e0b163debcbdcc33a8c7c545ee755b33e14c8d10e0ce3e27d90ac109 +SHA512 (patch-4.16.10.xz) = 53d700ca245341cd6493ecd01af069b2015564c9d7514751348e57047838bb1a6379f065dcf21312cf8f861f5569d28e7445846b40d14c225c644a69c09da5d1