Linux v3.17-7872-g5ff0b9e1a1da

KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch

@@ -1,44 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 16 Sep 2014 17:29:03 +0100
-Subject: [PATCH] KEYS: Reinstate EPERM for a key type name beginning with a
- '.'
-
-Reinstate the generation of EPERM for a key type name beginning with a '.' in
-a userspace call.  Types whose name begins with a '.' are internal only.
-
-The test was removed by:
-
-	commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
-	Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
-	Date:   Thu May 22 14:02:23 2014 -0400
-	Subject: KEYS: special dot prefixed keyring name bug fix
-
-I think we want to keep the restriction on type name so that userspace can't
-add keys of a special internal type.
-
-Note that removal of the test causes several of the tests in the keyutils
-testsuite to fail.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Vivek Goyal <vgoyal@redhat.com>
-cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- security/keys/keyctl.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index e26f860e5f2e..eff88a5f5d40 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -37,6 +37,8 @@ static int key_get_type_from_user(char *type,
- 		return ret;
- 	if (ret == 0 || ret >= len)
- 		return -EINVAL;
-+	if (type[0] == '.')
-+		return -EPERM;
- 	type[len - 1] = '\0';
- 	return 0;
- }
--- 
-1.9.3
-

Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -13,7 +13,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index cdf839f9defe..c63cf93b00eb 100644
+index c268e2581ed6..fb9ea1172ba8 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,

Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch

@@ -15,7 +15,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 41f7ec1fcf61..c79eb60a7869 100644
+index f8a07128a6e8..41eff584e169 100644
 --- a/Documentation/kernel-parameters.txt
 +++ b/Documentation/kernel-parameters.txt
 @@ -3625,7 +3625,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.

config-generic

@@ -5066,6 +5066,8 @@ CONFIG_ALTERA_STAPL=m
 
 CONFIG_NOP_USB_XCEIV=m
 
+# CONFIG_INTEGRITY is not set
+
 # CONFIG_IMA is not set
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_LSM_RULES=y

fs-Add-a-missing-permission-check-to-do_umount.patch

@@ -0,0 +1,31 @@
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Wed, 8 Oct 2014 12:37:46 -0700
+Subject: [PATCH] fs: Add a missing permission check to do_umount
+
+Accessing do_remount_sb should require global CAP_SYS_ADMIN, but
+only one of the two call sites was appropriately protected.
+
+Fixes CVE-2014-7975.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+---
+ fs/namespace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index c8e3034ff4b2..fbba8b17330d 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1439,6 +1439,8 @@ static int do_umount(struct mount *mnt, int flags)
+ 		 * Special case for "unmounting" root ...
+ 		 * we just try to remount it readonly.
+ 		 */
++		if (!capable(CAP_SYS_ADMIN))
++			return -EPERM;
+ 		down_write(&sb->s_umount);
+ 		if (!(sb->s_flags & MS_RDONLY))
+ 			retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
+-- 
+1.9.3
+

kernel.spec

@@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 5
+%define gitrev 6
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@@ -607,14 +607,16 @@ Patch26002: samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
 #rhbz 1138759
 Patch26021: drm-vmwgfx-Fix-drm.h-include.patch
 
-#rhbz 1145318
-Patch26029: KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
-
 Patch26032: Revert-pinctrl-qcom-use-restart_notifier-mechanism-f.patch
 
 #CVE-2014-7970 rhbz 1151095 1151484
 Patch26033: mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
 
+#CVE-2014-7975 rhbz 1151108 1152025
+Patch26034: fs-Add-a-missing-permission-check-to-do_umount.patch
+
+Patch26035: nf_reject_ipv4-module-license-unspecified-taints-ker.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
 
@@ -1334,14 +1336,16 @@ ApplyPatch samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
 #rhbz 1138759
 ApplyPatch drm-vmwgfx-Fix-drm.h-include.patch
 
-#rhbz 1145318
-ApplyPatch KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
-
 ApplyPatch Revert-pinctrl-qcom-use-restart_notifier-mechanism-f.patch
 
 #CVE-2014-7970 rhbz 1151095 1151484
 ApplyPatch mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
 
+#CVE-2014-7975 rhbz 1151108 1152025
+ApplyPatch fs-Add-a-missing-permission-check-to-do_umount.patch
+
+ApplyPatch nf_reject_ipv4-module-license-unspecified-taints-ker.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2210,6 +2214,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Mon Oct 13 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.18.0-0.rc0.git6.1
+- Linux v3.17-7872-g5ff0b9e1a1da
+
 * Sun Oct 12 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.18.0-0.rc0.git5.1
 - Linux v3.17-7639-g90eac7eee2f4
 

mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch

@@ -26,10 +26,10 @@ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/fs/namespace.c b/fs/namespace.c
-index ef42d9bee212..74647c2fe69c 100644
+index 348562f14e93..c8e3034ff4b2 100644
 --- a/fs/namespace.c
 +++ b/fs/namespace.c
-@@ -2820,6 +2820,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
+@@ -2913,6 +2913,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
  	/* make sure we can reach put_old from new_root */
  	if (!is_path_reachable(old_mnt, old.dentry, &new))
  		goto out4;

nf_reject_ipv4-module-license-unspecified-taints-ker.patch

@@ -0,0 +1,84 @@
+From: Pablo Neira <pablo@netfilter.org>
+Date: Fri, 10 Oct 2014 11:56:16 +0200
+Subject: [PATCH] nf_reject_ipv4: module license 'unspecified' taints kernel
+
+On Fri, Oct 10, 2014 at 05:19:04PM +0800, Dave Young wrote:
+> Hi,
+>
+> With today's linus tree, I got below kmsg:
+> [   23.545204] nf_reject_ipv4: module license 'unspecified' taints kernel.
+>
+> It could be caused by below commit:
+>
+> commit c8d7b98bec43faaa6583c3135030be5eb4693acb
+> Author: Pablo Neira Ayuso <pablo@netfilter.org>
+> Date:   Fri Sep 26 14:35:15 2014 +0200
+>
+>     netfilter: move nf_send_resetX() code to nf_reject_ipvX modules
+>
+>     Move nf_send_reset() and nf_send_reset6() to nf_reject_ipv4 and
+>     nf_reject_ipv6 respectively. This code is shared by x_tables and
+>     nf_tables.
+>
+>     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Patch attached, thanks for reporting.
+
+P.S: Please, Cc netfilter-devel@vger.kernel.org in future reports, so
+we make sure things don't get lost.
+
+>From d4358bcf64ba7a64d4de4e1dc5533c4c8f88ea82 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 10 Oct 2014 11:25:20 +0200
+Subject: [PATCH] netfilter: missing module license in the nf_reject_ipvX
+ modules
+
+[   23.545204] nf_reject_ipv4: module license 'unspecified' taints kernel.
+
+Reported-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/ipv4/netfilter/nf_reject_ipv4.c | 3 +++
+ net/ipv6/netfilter/nf_reject_ipv6.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
+index b023b4eb1a96..92b303dbd5fc 100644
+--- a/net/ipv4/netfilter/nf_reject_ipv4.c
++++ b/net/ipv4/netfilter/nf_reject_ipv4.c
+@@ -6,6 +6,7 @@
+  * published by the Free Software Foundation.
+  */
+ 
++#include <linux/module.h>
+ #include <net/ip.h>
+ #include <net/tcp.h>
+ #include <net/route.h>
+@@ -125,3 +126,5 @@ void nf_send_reset(struct sk_buff *oldskb, int hook)
+ 	kfree_skb(nskb);
+ }
+ EXPORT_SYMBOL_GPL(nf_send_reset);
++
++MODULE_LICENSE("GPL");
+diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
+index 5f5f0438d74d..20d9defc6c59 100644
+--- a/net/ipv6/netfilter/nf_reject_ipv6.c
++++ b/net/ipv6/netfilter/nf_reject_ipv6.c
+@@ -5,6 +5,8 @@
+  * it under the terms of the GNU General Public License version 2 as
+  * published by the Free Software Foundation.
+  */
++
++#include <linux/module.h>
+ #include <net/ipv6.h>
+ #include <net/ip6_route.h>
+ #include <net/ip6_fib.h>
+@@ -161,3 +163,5 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
+ 		ip6_local_out(nskb);
+ }
+ EXPORT_SYMBOL_GPL(nf_send_reset6);
++
++MODULE_LICENSE("GPL");
+-- 
+1.9.3
+

sources

@@ -1,3 +1,3 @@
 fb30d0f29214d75cddd2faa94f73d5cf  linux-3.17.tar.xz
 159e969cbc27201d8e2fa0f609dc722f  perf-man-3.17.tar.gz
-e0ed84718bffdd7b33b2220c98034259  patch-3.17-git5.xz
+5740b0a6b49144f85e75da8acb275576  patch-3.17-git6.xz

x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -44,7 +44,7 @@ index 4ddaf66ea35f..00b440307419 100644
  	}
  	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 917403fe10da..cdf839f9defe 100644
+index 524b707894ef..c268e2581ed6 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -27,6 +27,7 @@