diff --git a/0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch b/0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
deleted file mode 100644
index 1265939..0000000
--- a/0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From f620d1d7afc7db57ab59f35000752840c91f67e7 Mon Sep 17 00:00:00 2001
-From: ming_qian
-Date: Tue, 8 May 2018 22:13:08 -0400
-Subject: [PATCH] media: uvcvideo: Support realtek's UVC 1.5 device
-
-media: uvcvideo: Support UVC 1.5 video probe & commit controls
-
-The length of UVC 1.5 video control is 48, and it is 34 for UVC 1.1.
-Change it to 48 for UVC 1.5 device, and the UVC 1.5 device can be
-recognized.
-
-More changes to the driver are needed for full UVC 1.5 compatibility.
-However, at least the UVC 1.5 Realtek RTS5847/RTS5852 cameras have been
-reported to work well.
-
-[laurent.pinchart@ideasonboard.com: Factor out code to helper function, update size checks]
-
-Cc: stable@vger.kernel.org
-Signed-off-by: ming_qian
-Signed-off-by: Laurent Pinchart
-Tested-by: Kai-Heng Feng
-Tested-by: Ana Guerrero Lopez
-Signed-off-by: Mauro Carvalho Chehab
----
- drivers/media/usb/uvc/uvc_video.c | 24 ++++++++++++++++++------
- 1 file changed, 18 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
-index aa0082fe5833..b28c997a7ab0 100644
---- a/drivers/media/usb/uvc/uvc_video.c
-+++ b/drivers/media/usb/uvc/uvc_video.c
-@@ -163,14 +163,27 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
- }
- }
-
-+static size_t uvc_video_ctrl_size(struct uvc_streaming *stream)
-+{
-+ /*
-+ * Return the size of the video probe and commit controls, which depends
-+ * on the protocol version.
-+ */
-+ if (stream->dev->uvc_version < 0x0110)
-+ return 26;
-+ else if (stream->dev->uvc_version < 0x0150)
-+ return 34;
-+ else
-+ return 48;
-+}
-+
- static int uvc_get_video_ctrl(struct uvc_streaming *stream,
- struct uvc_streaming_control *ctrl, int probe, u8 query)
- {
-+ u16 size = uvc_video_ctrl_size(stream);
- u8 *data;
-- u16 size;
- int ret;
-
-- size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
- if ((stream->dev->quirks & UVC_QUIRK_PROBE_DEF) &&
- query == UVC_GET_DEF)
- return -EIO;
-@@ -225,7 +238,7 @@ static int uvc_get_video_ctrl(struct uvc_streaming *stream,
- ctrl->dwMaxVideoFrameSize = get_unaligned_le32(&data[18]);
- ctrl->dwMaxPayloadTransferSize = get_unaligned_le32(&data[22]);
-
-- if (size == 34) {
-+ if (size >= 34) {
- ctrl->dwClockFrequency = get_unaligned_le32(&data[26]);
- ctrl->bmFramingInfo = data[30];
- ctrl->bPreferedVersion = data[31];
-@@ -254,11 +267,10 @@ static int uvc_get_video_ctrl(struct uvc_streaming *stream,
- static int uvc_set_video_ctrl(struct uvc_streaming *stream,
- struct uvc_streaming_control *ctrl, int probe)
- {
-+ u16 size = uvc_video_ctrl_size(stream);
- u8 *data;
-- u16 size;
- int ret;
-
-- size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
- data = kzalloc(size, GFP_KERNEL);
- if (data == NULL)
- return -ENOMEM;
-@@ -275,7 +287,7 @@ static int uvc_set_video_ctrl(struct uvc_streaming *stream,
- put_unaligned_le32(ctrl->dwMaxVideoFrameSize, &data[18]);
- put_unaligned_le32(ctrl->dwMaxPayloadTransferSize, &data[22]);
-
-- if (size == 34) {
-+ if (size >= 34) {
- put_unaligned_le32(ctrl->dwClockFrequency, &data[26]);
- data[30] = ctrl->bmFramingInfo;
- data[31] = ctrl->bPreferedVersion;
---
-2.17.1
-
diff --git a/0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch b/0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
deleted file mode 100644
index ae10a4d..0000000
--- a/0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From bd23a7269834dc7c1f93e83535d16ebc44b75eba Mon Sep 17 00:00:00 2001
-From: Wenwen Wang
-Date: Tue, 8 May 2018 08:50:28 -0500
-Subject: [PATCH] virt: vbox: Only copy_from_user the request-header once
-
-In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
-the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
-'version', 'size_in', and 'size_out' fields of 'hdr' are verified.
-
-Before this commit, after the checks a buffer for the entire request would
-be allocated and then all data including the verified header would be
-copied from the userspace 'arg' pointer again.
-
-Given that the 'arg' pointer resides in userspace, a malicious userspace
-process can race to change the data pointed to by 'arg' between the two
-copies. By doing so, the user can bypass the verifications on the ioctl
-argument.
-
-This commit fixes this by using the already checked copy of the header
-to fill the header part of the allocated buffer and only copying the
-remainder of the data from userspace.
-
-Signed-off-by: Wenwen Wang
-Reviewed-by: Hans de Goede
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c
-index 398d22693234..6e2a9619192d 100644
---- a/drivers/virt/vboxguest/vboxguest_linux.c
-+++ b/drivers/virt/vboxguest/vboxguest_linux.c
-@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct file *filp, unsigned int req,
- if (!buf)
- return -ENOMEM;
-
-- if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
-+ *((struct vbg_ioctl_hdr *)buf) = hdr;
-+ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
-+ hdr.size_in - sizeof(hdr))) {
- ret = -EFAULT;
- goto out;
- }
---
-2.17.1
-
diff --git a/CVE-2018-12714.patch b/CVE-2018-12714.patch
deleted file mode 100644
index d3df531..0000000
--- a/CVE-2018-12714.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 70303420b5721c38998cf987e6b7d30cc62d4ff1 Mon Sep 17 00:00:00 2001
-From: "Steven Rostedt (VMware)"
-Date: Thu, 21 Jun 2018 13:20:53 -0400
-Subject: [PATCH] tracing: Check for no filter when processing event filters
-
-The syzkaller detected a out-of-bounds issue with the events filter code,
-specifically here:
-
- prog[N].pred = NULL; /* #13 */
- prog[N].target = 1; /* TRUE */
- prog[N+1].pred = NULL;
- prog[N+1].target = 0; /* FALSE */
--> prog[N-1].target = N;
- prog[N-1].when_to_branch = false;
-
-As that's the first reference to a "N-1" index, it appears that the code got
-here with N = 0, which means the filter parser found no filter to parse
-(which shouldn't ever happen, but apparently it did).
-
-Add a new error to the parsing code that will check to make sure that N is
-not zero before going into this part of the code. If N = 0, then -EINVAL is
-returned, and a error message is added to the filter.
-
-Cc: stable@vger.kernel.org
-Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
-Reported-by: air icy
-bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019
-Signed-off-by: Steven Rostedt (VMware)
-Signed-off-by: Jeremy Cline
----
- kernel/trace/trace_events_filter.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
-index e1c818dbc0d7..0dceb77d1d42 100644
---- a/kernel/trace/trace_events_filter.c
-+++ b/kernel/trace/trace_events_filter.c
-@@ -78,7 +78,8 @@ static const char * ops[] = { OPS };
- C(TOO_MANY_PREDS, "Too many terms in predicate expression"), \
- C(INVALID_FILTER, "Meaningless filter expression"), \
- C(IP_FIELD_ONLY, "Only 'ip' field is supported for function trace"), \
-- C(INVALID_VALUE, "Invalid value (did you forget quotes)?"),
-+ C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), \
-+ C(NO_FILTER, "No filter found"),
-
- #undef C
- #define C(a, b) FILT_ERR_##a
-@@ 
-550,6 +551,13 @@ predicate_parse(const char *str, int nr_parens, int nr_preds, - goto out_free; - } - -+ if (!N) { -+ /* No program? */ -+ ret = -EINVAL; -+ parse_error(pe, FILT_ERR_NO_FILTER, ptr - str); -+ goto out_free; -+ } -+ - prog[N].pred = NULL; /* #13 */ - prog[N].target = 1; /* TRUE */ - prog[N+1].pred = NULL; --- -2.17.1 - diff --git a/kernel.spec b/kernel.spec index 6217d59..d80833b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -643,18 +643,9 @@ Patch509: rtc-nvmem-don-t-return-an-error-when-not-enabled.patch Patch510: 1-2-xen-netfront-Fix-mismatched-rtnl_unlock.patch Patch511: 2-2-xen-netfront-Update-features-after-registering-netdev.patch -# CVE-2018-12633 rhbz 1594170 1594172 -Patch512: 0001-virt-vbox-Only-copy_from_user-the-request-header-onc.patch - -# rhbz 1592454 -Patch514: 0001-media-uvcvideo-Support-realtek-s-UVC-1.5-device.patch - # rhbz 1591516 Patch515: 0001-signal-Stop-special-casing-TRAP_FIXME-and-FPE_FIXME-.patch -# CVE-2018-12714 rhbz 1595835 1595837 -Patch516: CVE-2018-12714.patch - # rhbz 1572944 Patch517: Revert-the-random-series-for-4.16.4.patch @@ -1907,6 +1898,9 @@ fi # # %changelog +* Tue Jul 03 2018 Justin M. Forbes - 4.17.4-100 +- Linux v4.17.4 + * Fri Jun 29 2018 Jeremy Cline - Revert the CRNG init patches (rhbz 1572944) diff --git a/sources b/sources index 94d4bc7..b2a4a03 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
 SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
-SHA512 (patch-4.17.3.xz) = c0b3dfb1c1d64edc74cb3b35a4d6160ccf80b5b58d19e5a11dde372ab515c350576f8981b3816e4e8689da38b792eb85b3ef46581d65d7c51c72943dea7409f4
+SHA512 (patch-4.17.4.xz) = 0a9f976e7cf2c2cc9ba29b5eb45a6b9722059674efa99153bf449537e022426138a0848cfdb69e1df4a1a3b71ee7c9de92b4086799d0e15f44f8356b2fd63754