From 43a1944dd77b11f4bbc2489baf2f96563aea8550 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 20 Jan 2016 12:18:25 -0600 Subject: [PATCH] Linux v4.4-8950-g2b4015e --- ...ing-ref-leak-in-join_session_keyring.patch | 78 ------------------- config-x86-generic | 3 + gitrev | 2 +- kernel.spec | 8 +- sources | 2 +- 5 files changed, 9 insertions(+), 84 deletions(-) delete mode 100644 KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch diff --git a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch deleted file mode 100644 index 5eec95c62..000000000 --- a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Mon, 18 Jan 2016 10:53:31 +0000 -Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring() - -This fixes CVE-2016-0728. - -If a thread is asked to join as a session keyring the keyring that's already -set as its session, we leak a keyring reference. - -This can be tested with the following program: - - #include - #include - #include - #include - - int main(int argc, const char *argv[]) - { - int i = 0; - key_serial_t serial; - - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - - if (keyctl(KEYCTL_SETPERM, serial, - KEY_POS_ALL | KEY_USR_ALL) < 0) { - perror("keyctl"); - return -1; - } - - for (i = 0; i < 100; i++) { - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - } - - return 0; - } - -If, after the program has run, there something like the following line in -/proc/keys: - -3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty - -with a usage count of 100 * the number of times the program has been run, -then the kernel is malfunctioning. If leaked-keyring has zero usages or -has been garbage collected, then the problem is fixed. - -Reported-by: Yevgeny Pats -Signed-off-by: David Howells -RH-bugzilla: 1298036 ---- - security/keys/process_keys.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index 43b4cddbf2b3..7877e5cd4e23 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } --- -2.5.0 - diff --git a/config-x86-generic b/config-x86-generic index 5648f7a8f..2d41bfbb1 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -226,6 +226,7 @@ CONFIG_X86_PLATFORM_DEVICES=y CONFIG_AMILO_RFKILL=m CONFIG_ASUS_LAPTOP=m +CONFIG_ASUS_WIRELESS=m CONFIG_COMPAL_LAPTOP=m CONFIG_DELL_LAPTOP=m CONFIG_DELL_RBTN=m @@ -236,6 +237,7 @@ CONFIG_FUJITSU_TABLET=m CONFIG_FUJITSU_LAPTOP=m # CONFIG_FUJITSU_LAPTOP_DEBUG is not set CONFIG_IDEAPAD_LAPTOP=m +CONFIG_INTEL_HID_EVENT=m CONFIG_MSI_LAPTOP=m CONFIG_PANASONIC_LAPTOP=m CONFIG_SAMSUNG_LAPTOP=m @@ -480,6 +482,7 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m CONFIG_HP_ACCEL=m CONFIG_SURFACE_PRO3_BUTTON=m +CONFIG_INTEL_PUNIT_IPC=m # CONFIG_RAPIDIO is not set diff --git a/gitrev b/gitrev index d5f87db06..3b6c2e53a 100644 --- a/gitrev +++ b/gitrev @@ -1 +1 @@ -a200dcb34693084e56496960d855afdeaaf9578f +2b4015e9fb335aa6982a68dbe6e4158d6c1b10ee diff --git a/kernel.spec b/kernel.spec index 0425225d2..15d671516 100644 --- a/kernel.spec +++ b/kernel.spec @@ -67,7 +67,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 0 # The git snapshot level -%define gitrev 6 +%define gitrev 7 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -599,9 +599,6 @@ Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch # https://patchwork.kernel.org/patch/8055301/ Patch625: cpupower-Fix-build-error-in-cpufreq-info.patch -#CVE-2016-0728 rhbz 1296623 -Patch626: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch - #CVE-2016-0723 rhbz 1296253 1300224 Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch @@ -2050,6 +2047,9 @@ fi # # %changelog +* Wed Jan 20 2016 Justin M. Forbes - 4.5.0-0.rc0.git7.1 +- Linux v4.4-8950-g2b4015e + * Wed Jan 20 2016 Josh Boyer - CVE-2016-0723 memory disclosure and crash in tty layer (rhbz 1296253 1300224) diff --git a/sources b/sources index 0055051a8..98d6b437b 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -64ceedc19f6080bedbafdc1321d9ac95 patch-4.4-git6.xz +4a6920139ec6f59ebb913cf13aad26af patch-4.4-git7.xz