diff --git a/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch b/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch deleted file mode 100644 index 3ba32ba..0000000 --- a/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001 -From: Jann Horn -Date: Tue, 26 Apr 2016 22:26:26 +0200 -Subject: [PATCH] bpf: fix double-fdput in replace_map_fd_with_map_ptr() - -When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode -references a non-map file descriptor as a map file descriptor, the error -handling code called fdput() twice instead of once (in __bpf_map_get() and -in replace_map_fd_with_map_ptr()). If the file descriptor table of the -current task is shared, this causes f_count to be decremented too much, -allowing the struct file to be freed while it is still in use -(use-after-free). This can be exploited to gain root privileges by an -unprivileged user. - -This bug was introduced in -commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only -exploitable since -commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because -previously, CAP_SYS_ADMIN was required to reach the vulnerable code. - -(posted publicly according to request by maintainer) - -Signed-off-by: Jann Horn -Signed-off-by: Linus Torvalds -Acked-by: Alexei Starovoitov -Acked-by: Daniel Borkmann -Signed-off-by: David S. Miller ---- - kernel/bpf/verifier.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 618ef77c302a..db2574e7b8b0 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) - if (IS_ERR(map)) { - verbose("fd %d is not pointing to valid bpf_map\n", - insn->imm); -- fdput(f); - return PTR_ERR(map); - } - --- -2.5.5 - diff --git a/bpf-fix-refcnt-overflow.patch b/bpf-fix-refcnt-overflow.patch deleted file mode 100644 index 1143c82..0000000 --- a/bpf-fix-refcnt-overflow.patch +++ /dev/null @@ -1,158 +0,0 @@ -From 86db8dac9286f8397434184a6b442b6419e54ec0 Mon Sep 17 00:00:00 2001 -From: Alexei Starovoitov -Date: Wed, 27 Apr 2016 18:56:20 -0700 -Subject: [PATCH] bpf: fix refcnt overflow - -On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK, -the malicious application may overflow 32-bit bpf program refcnt. -It's also possible to overflow map refcnt on 1Tb system. -Impose 32k hard limit which means that the same bpf program or -map cannot be shared by more than 32k processes. - -Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs") -Reported-by: Jann Horn -Signed-off-by: Alexei Starovoitov -Acked-by: Daniel Borkmann -Signed-off-by: David S. Miller ---- - include/linux/bpf.h | 3 ++- - kernel/bpf/inode.c | 7 ++++--- - kernel/bpf/syscall.c | 24 ++++++++++++++++++++---- - kernel/bpf/verifier.c | 11 +++++++---- - 4 files changed, 33 insertions(+), 12 deletions(-) - -diff --git a/include/linux/bpf.h b/include/linux/bpf.h -index 83d1926c61e4..67bc2da5d233 100644 ---- a/include/linux/bpf.h -+++ b/include/linux/bpf.h -@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_prog_type_list *tl); - void bpf_register_map_type(struct bpf_map_type_list *tl); - - struct bpf_prog *bpf_prog_get(u32 ufd); -+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog); - void bpf_prog_put(struct bpf_prog *prog); - void bpf_prog_put_rcu(struct bpf_prog *prog); - - struct bpf_map *bpf_map_get_with_uref(u32 ufd); - struct bpf_map *__bpf_map_get(struct fd f); --void bpf_map_inc(struct bpf_map *map, bool uref); -+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref); - void bpf_map_put_with_uref(struct bpf_map *map); - void bpf_map_put(struct bpf_map *map); - -diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c -index 5a8a797d50b7..d1a7646f79c5 100644 ---- a/kernel/bpf/inode.c -+++ b/kernel/bpf/inode.c -@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum bpf_type type) - { - switch (type) { - case BPF_TYPE_PROG: -- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt); -+ raw = bpf_prog_inc(raw); - break; - case BPF_TYPE_MAP: -- bpf_map_inc(raw, true); -+ raw = bpf_map_inc(raw, true); - break; - default: - WARN_ON_ONCE(1); -@@ -277,7 +277,8 @@ static void *bpf_obj_do_get(const struct filename *pathname, - goto out; - - raw = bpf_any_get(inode->i_private, *type); -- touch_atime(&path); -+ if (!IS_ERR(raw)) -+ touch_atime(&path); - - path_put(&path); - return raw; -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 3b39550d8485..4e32cc94edd9 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -181,11 +181,18 @@ struct bpf_map *__bpf_map_get(struct fd f) - return f.file->private_data; - } - --void bpf_map_inc(struct bpf_map *map, bool uref) -+/* prog's and map's refcnt limit */ -+#define BPF_MAX_REFCNT 32768 -+ -+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref) - { -- atomic_inc(&map->refcnt); -+ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) { -+ atomic_dec(&map->refcnt); -+ return ERR_PTR(-EBUSY); -+ } - if (uref) - atomic_inc(&map->usercnt); -+ return map; - } - - struct bpf_map *bpf_map_get_with_uref(u32 ufd) -@@ -197,7 +204,7 @@ struct bpf_map *bpf_map_get_with_uref(u32 ufd) - if (IS_ERR(map)) - return map; - -- bpf_map_inc(map, true); -+ map = bpf_map_inc(map, true); - fdput(f); - - return map; -@@ -580,6 +587,15 @@ static struct bpf_prog *__bpf_prog_get(struct fd f) - return f.file->private_data; - } - -+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog) -+{ -+ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) { -+ atomic_dec(&prog->aux->refcnt); -+ return ERR_PTR(-EBUSY); -+ } -+ return prog; -+} -+ - /* called by sockets/tracing/seccomp before attaching program to an event - * pairs with bpf_prog_put() - */ -@@ -592,7 +608,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd) - if (IS_ERR(prog)) - return prog; - -- atomic_inc(&prog->aux->refcnt); -+ prog = bpf_prog_inc(prog); - fdput(f); - - return prog; -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 2e7f7ab739e4..060e4c4c37ea 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2023,15 +2023,18 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) - return -E2BIG; - } - -- /* remember this map */ -- env->used_maps[env->used_map_cnt++] = map; -- - /* hold the map. If the program is rejected by verifier, - * the map will be released by release_maps() or it - * will be used by the valid program until it's unloaded - * and all maps are released in free_bpf_prog_info() - */ -- bpf_map_inc(map, false); -+ map = bpf_map_inc(map, false); -+ if (IS_ERR(map)) { -+ fdput(f); -+ return PTR_ERR(map); -+ } -+ env->used_maps[env->used_map_cnt++] = map; -+ - fdput(f); - next_insn: - insn++; --- -2.5.5 - diff --git a/get_rock_ridge_filename-handle-malformed-NM-entries.patch b/get_rock_ridge_filename-handle-malformed-NM-entries.patch deleted file mode 100644 index 3f5db6c..0000000 --- a/get_rock_ridge_filename-handle-malformed-NM-entries.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 99d825822eade8d827a1817357cbf3f889a552d6 Mon Sep 17 00:00:00 2001 -From: Al Viro -Date: Thu, 5 May 2016 16:25:35 -0400 -Subject: [PATCH] get_rock_ridge_filename(): handle malformed NM entries - -Payloads of NM entries are not supposed to contain NUL. When we run -into such, only the part prior to the first NUL goes into the -concatenation (i.e. the directory entry name being encoded by a bunch -of NM entries). We do stop when the amount collected so far + the -claimed amount in the current NM entry exceed 254. So far, so good, -but what we return as the total length is the sum of *claimed* -sizes, not the actual amount collected. And that can grow pretty -large - not unlimited, since you'd need to put CE entries in -between to be able to get more than the maximum that could be -contained in one isofs directory entry / continuation chunk and -we are stop once we'd encountered 32 CEs, but you can get about 8Kb -easily. And that's what will be passed to readdir callback as the -name length. 8Kb __copy_to_user() from a buffer allocated by -__get_free_page() - -Cc: stable@vger.kernel.org # 0.98pl6+ (yes, really) -Signed-off-by: Al Viro ---- - fs/isofs/rock.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index 5384ceb35b1c..98b3eb7d8eaf 100644 ---- a/fs/isofs/rock.c -+++ b/fs/isofs/rock.c -@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de, - int retnamlen = 0; - int truncate = 0; - int ret = 0; -+ char *p; -+ int len; - - if (!ISOFS_SB(inode->i_sb)->s_rock) - return 0; -@@ -267,12 +269,17 @@ repeat: - rr->u.NM.flags); - break; - } -- if ((strlen(retname) + rr->len - 5) >= 254) { -+ len = rr->len - 5; -+ if (retnamlen + len >= 254) { - truncate = 1; - break; - } -- strncat(retname, rr->u.NM.name, rr->len - 5); -- retnamlen += rr->len - 5; -+ p = memchr(rr->u.NM.name, '\0', len); -+ if (unlikely(p)) -+ len = p - rr->u.NM.name; -+ memcpy(retname + retnamlen, rr->u.NM.name, len); -+ retnamlen += len; -+ retname[retnamlen] = '\0'; - break; - case SIG('R', 'E'): - kfree(rs.buffer); --- -2.5.5 - diff --git a/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch b/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch deleted file mode 100644 index 9e4cf4e..0000000 --- a/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 9f79323a0aebccb9915ab8f4b7dcf531578b9cf9 Mon Sep 17 00:00:00 2001 -From: Paolo Abeni -Date: Thu, 21 Apr 2016 20:23:31 -0400 -Subject: [PATCH] ipv4/fib: don't warn when primary address is missing if - in_dev is dead - -After commit fbd40ea0180a ("ipv4: Don't do expensive useless work -during inetdev destroy.") when deleting an interface, -fib_del_ifaddr() can be executed without any primary address -present on the dead interface. - -The above is safe, but triggers some "bug: prim == NULL" warnings. - -This commit avoids warning if the in_dev is dead - -Signed-off-by: Paolo Abeni ---- - net/ipv4/fib_frontend.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c -index 8a9246deccfe..63566ec54794 100644 ---- a/net/ipv4/fib_frontend.c -+++ b/net/ipv4/fib_frontend.c -@@ -904,7 +904,11 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim) - if (ifa->ifa_flags & IFA_F_SECONDARY) { - prim = inet_ifa_byprefix(in_dev, any, ifa->ifa_mask); - if (!prim) { -- pr_warn("%s: bug: prim == NULL\n", __func__); -+ /* if the device has been deleted, we don't perform -+ * address promotion -+ */ -+ if (!in_dev->dead) -+ pr_warn("%s: bug: prim == NULL\n", __func__); - return; - } - if (iprim && iprim != prim) { --- -2.5.5 - diff --git a/kernel.spec b/kernel.spec index 38c8f0e..7e45a41 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 4 +%define stable_update 5 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -635,9 +635,6 @@ Patch701: antenna_select.patch #rhbz 1302071 Patch702: x86-build-Build-compressed-x86-kernels-as-PIE.patch -# Follow on for CVE-2016-3156 -Patch703: ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch - # Stop splashing crap about broken firmware BGRT Patch704: x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch @@ -647,14 +644,6 @@ Patch705: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch #CVE-2016-4482 rhbz 1332931 1332932 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch -#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321 -Patch707: net-fix-infoleak-in-llc.patch -Patch708: net-fix-infoleak-in-rtnetlink.patch - -#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311 -Patch711: bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch -Patch712: bpf-fix-refcnt-overflow.patch - #rhbz 1328633 Patch713: sp5100_tco-properly-check-for-new-register-layouts.patch @@ -669,9 +658,6 @@ Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch #CVE-2016-3713 rhbz 1332139 1336410 Patch718: KVM-MTRR-remove-MSR-0x2f8.patch -#CVE-2016-4913 rhbz 1337528 1337529 -Patch719: get_rock_ridge_filename-handle-malformed-NM-entries.patch - # END OF PATCH DEFINITIONS %endif @@ -2193,7 +2179,8 @@ fi # # %changelog -* Thu May 19 2016 Josh Boyer +* Thu May 19 2016 Josh Boyer - 4.5.5-300 +- Linux v4.5.5 - CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529) * Mon May 16 2016 Justin M. Forbes diff --git a/net-fix-infoleak-in-llc.patch b/net-fix-infoleak-in-llc.patch deleted file mode 100644 index 38f0d50..0000000 --- a/net-fix-infoleak-in-llc.patch +++ /dev/null @@ -1,32 +0,0 @@ -From ec0de35ded8c4a8588290a1b442aa3aa4bdf4de1 Mon Sep 17 00:00:00 2001 -From: Kangjie Lu -Date: Tue, 3 May 2016 16:35:05 -0400 -Subject: [PATCH 2/2] net: fix infoleak in llc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “info” has a total size of 12 bytes. Its last byte -is padding which is not initialized and leaked via “put_cmsg”. - -Signed-off-by: Kangjie Lu -Signed-off-by: David S. Miller ---- - net/llc/af_llc.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c -index b3c52e3f689a..8ae3ed97d95c 100644 ---- a/net/llc/af_llc.c -+++ b/net/llc/af_llc.c -@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb) - if (llc->cmsg_flags & LLC_CMSG_PKTINFO) { - struct llc_pktinfo info; - -+ memset(&info, 0, sizeof(info)); - info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex; - llc_pdu_decode_dsap(skb, &info.lpi_sap); - llc_pdu_decode_da(skb, info.lpi_mac); --- -2.5.5 - diff --git a/net-fix-infoleak-in-rtnetlink.patch b/net-fix-infoleak-in-rtnetlink.patch deleted file mode 100644 index 0da3510..0000000 --- a/net-fix-infoleak-in-rtnetlink.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 55a8a812d867ec9953bde7d86eef255a1abbf93e Mon Sep 17 00:00:00 2001 -From: Kangjie Lu -Date: Tue, 3 May 2016 16:46:24 -0400 -Subject: [PATCH 1/2] net: fix infoleak in rtnetlink -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The stack object “map” has a total size of 32 bytes. Its last 4 -bytes are padding generated by compiler. These padding bytes are -not initialized and sent out via “nla_put”. - -Signed-off-by: Kangjie Lu -Signed-off-by: David S. Miller ---- - net/core/rtnetlink.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index a75f7e94b445..65763c29f845 100644 ---- a/net/core/rtnetlink.c -+++ b/net/core/rtnetlink.c -@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, - - static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev) - { -- struct rtnl_link_ifmap map = { -- .mem_start = dev->mem_start, -- .mem_end = dev->mem_end, -- .base_addr = dev->base_addr, -- .irq = dev->irq, -- .dma = dev->dma, -- .port = dev->if_port, -- }; -+ struct rtnl_link_ifmap map; -+ -+ memset(&map, 0, sizeof(map)); -+ map.mem_start = dev->mem_start; -+ map.mem_end = dev->mem_end; -+ map.base_addr = dev->base_addr; -+ map.irq = dev->irq; -+ map.dma = dev->dma; -+ map.port = dev->if_port; -+ - if (nla_put(skb, IFLA_MAP, sizeof(map), &map)) - return -EMSGSIZE; - --- -2.5.5 - diff --git a/sources b/sources index 1d63590..aa47543 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz 6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz -137460a1e32335e2eedc61fcfc2643fa patch-4.5.4.xz +fe89010925304f6f07713741f0c8e811 patch-4.5.5.xz