From 5053df01408552c969e072e5ab9aabb4f56b6915 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 6 Nov 2017 09:57:52 -0600 Subject: [PATCH] Disable debugging options. --- CVE-2017-7477.patch | 73 ------------------- ...to-cache-a-partially-constructed-BO..patch | 42 ----------- kernel.spec | 11 +-- 3 files changed, 4 insertions(+), 122 deletions(-) delete mode 100644 CVE-2017-7477.patch delete mode 100644 bcm283x-vc4-Fix-OOPSes-from-trying-to-cache-a-partially-constructed-BO..patch diff --git a/CVE-2017-7477.patch b/CVE-2017-7477.patch deleted file mode 100644 index 6405614cc..000000000 --- a/CVE-2017-7477.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" -Date: Fri, 21 Apr 2017 23:14:48 +0200 -Subject: macsec: avoid heap overflow in skb_to_sgvec - -While this may appear as a humdrum one line change, it's actually quite -important. An sk_buff stores data in three places: - -1. A linear chunk of allocated memory in skb->data. This is the easiest - one to work with, but it precludes using scatterdata since the memory - must be linear. -2. The array skb_shinfo(skb)->frags, which is of maximum length - MAX_SKB_FRAGS. This is nice for scattergather, since these fragments - can point to different pages. -3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff, - which in turn can have data in either (1) or (2). - -The first two are rather easy to deal with, since they're of a fixed -maximum length, while the third one is not, since there can be -potentially limitless chains of fragments. Fortunately dealing with -frag_list is opt-in for drivers, so drivers don't actually have to deal -with this mess. For whatever reason, macsec decided it wanted pain, and -so it explicitly specified NETIF_F_FRAGLIST. - -Because dealing with (1), (2), and (3) is insane, most users of sk_buff -doing any sort of crypto or paging operation calls a convenient function -called skb_to_sgvec (which happens to be recursive if (3) is in use!). -This takes a sk_buff as input, and writes into its output pointer an -array of scattergather list items. Sometimes people like to declare a -fixed size scattergather list on the stack; othertimes people like to -allocate a fixed size scattergather list on the heap. However, if you're -doing it in a fixed-size fashion, you really shouldn't be using -NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its -frag_list children arent't shared and then you check the number of -fragments in total required.) - -Macsec specifically does this: - - size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1); - tmp = kmalloc(size, GFP_ATOMIC); - *sg = (struct scatterlist *)(tmp + sg_offset); - ... - sg_init_table(sg, MAX_SKB_FRAGS + 1); - skb_to_sgvec(skb, sg, 0, skb->len); - -Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're -using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will -overflow the heap, and disaster ensues. - -Signed-off-by: Jason A. Donenfeld -Cc: stable@vger.kernel.org -Cc: security@kernel.org -Signed-off-by: David S. Miller ---- - drivers/net/macsec.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c -index ff0a5ed..dbab05a 100644 ---- a/drivers/net/macsec.c -+++ b/drivers/net/macsec.c -@@ -2716,7 +2716,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb, - } - - #define MACSEC_FEATURES \ -- (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST) -+ (NETIF_F_SG | NETIF_F_HIGHDMA) - static struct lock_class_key macsec_netdev_addr_lock_key; - - static int macsec_dev_init(struct net_device *dev) --- -cgit v1.1 - diff --git a/bcm283x-vc4-Fix-OOPSes-from-trying-to-cache-a-partially-constructed-BO..patch b/bcm283x-vc4-Fix-OOPSes-from-trying-to-cache-a-partially-constructed-BO..patch deleted file mode 100644 index 70a528253..000000000 --- a/bcm283x-vc4-Fix-OOPSes-from-trying-to-cache-a-partially-constructed-BO..patch +++ /dev/null @@ -1,42 +0,0 @@ -From patchwork Thu Feb 9 18:16:00 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: drm/vc4: Fix OOPSes from trying to cache a partially constructed BO. -From: Eric Anholt -X-Patchwork-Id: 138087 -Message-Id: <20170209181600.24048-1-eric@anholt.net> -To: dri-devel@lists.freedesktop.org -Cc: linux-kernel@vger.kernel.org, pbrobinson@gmail.com -Date: Thu, 9 Feb 2017 10:16:00 -0800 - -If a CMA allocation failed, the partially constructed BO would be -unreferenced through the normal path, and we might choose to put it in -the BO cache. If we then reused it before it expired from the cache, -the kernel would OOPS. - -Signed-off-by: Eric Anholt -Fixes: c826a6e10644 ("drm/vc4: Add a BO cache.") ---- - drivers/gpu/drm/vc4/vc4_bo.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c -index 5ec14f25625d..fd83a2807656 100644 ---- a/drivers/gpu/drm/vc4/vc4_bo.c -+++ b/drivers/gpu/drm/vc4/vc4_bo.c -@@ -314,6 +314,14 @@ void vc4_free_object(struct drm_gem_object *gem_bo) - goto out; - } - -+ /* If this object was partially constructed but CMA allocation -+ * had failed, just free it. -+ */ -+ if (!bo->base.vaddr) { -+ vc4_bo_destroy(bo); -+ goto out; -+ } -+ - cache_list = vc4_get_cache_list_for_size(dev, gem_bo->size); - if (!cache_list) { - vc4_bo_destroy(bo); diff --git a/kernel.spec b/kernel.spec index 70a066b9f..2fc6281f3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -125,7 +125,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 0 +%define debugbuildsenabled 1 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -611,9 +611,6 @@ Patch310: qcom-msm89xx-fixes.patch # https://patchwork.kernel.org/patch/9831825/ # https://patchwork.kernel.org/patch/9833721/ -# http://www.spinics.net/lists/dri-devel/msg132235.html -Patch320: bcm283x-vc4-Fix-OOPSes-from-trying-to-cache-a-partially-constructed-BO..patch - # Fix USB on the RPi https://patchwork.kernel.org/patch/9879371/ Patch321: bcm283x-dma-mapping-skip-USB-devices-when-configuring-DMA-during-probe.patch @@ -634,9 +631,6 @@ Patch335: arm-exynos-fix-usb3.patch # 500 - Temp fixes/CVEs etc -# CVE-2017-7477 rhbz 1445207 1445208 -Patch502: CVE-2017-7477.patch - # rhbz 1498016 1498017 #Patch503: KEYS-don-t-let-add_key-update-an-uninstantiated-key.patch @@ -2217,6 +2211,9 @@ fi # # %changelog +* Mon Nov 06 2017 Justin M. Forbes +- Disable debugging options. + * Fri Nov 03 2017 Justin M. Forbes - 4.14.0-0.rc7.git4.1 - Linux v4.14-rc7-129-g81ca2caefc6d