Linux v4.6-6148-g03b979d
- Docs, i2c, md, iommu, sound, pci, pinctrl, dmaengine, kvm, security merges
		
							parent
							
								
									e8f3f4f939
								
							
						
					
					
						commit
						8a052bf240
					
				| @ -1,33 +0,0 @@ | ||||
| From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001 | ||||
| From: Kangjie Lu <kangjielu@gmail.com> | ||||
| Date: Tue, 3 May 2016 16:44:07 -0400 | ||||
| Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS | ||||
| MIME-Version: 1.0 | ||||
| Content-Type: text/plain; charset=UTF-8 | ||||
| Content-Transfer-Encoding: 8bit | ||||
| 
 | ||||
| The stack object “tread” has a total size of 32 bytes. Its field | ||||
| “event” and “val” both contain 4 bytes padding. These 8 bytes | ||||
| padding bytes are sent to user without being initialized. | ||||
| 
 | ||||
| Signed-off-by: Kangjie Lu <kjlu@gatech.edu> | ||||
| Signed-off-by: Takashi Iwai <tiwai@suse.de> | ||||
| ---
 | ||||
|  sound/core/timer.c | 1 + | ||||
|  1 file changed, 1 insertion(+) | ||||
| 
 | ||||
| diff --git a/sound/core/timer.c b/sound/core/timer.c
 | ||||
| index 6469bedda2f3..964f5ebf495e 100644
 | ||||
| --- a/sound/core/timer.c
 | ||||
| +++ b/sound/core/timer.c
 | ||||
| @@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
 | ||||
|  	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { | ||||
|  		if (tu->tread) { | ||||
|  			struct snd_timer_tread tread; | ||||
| +			memset(&tread, 0, sizeof(tread));
 | ||||
|  			tread.event = SNDRV_TIMER_EVENT_EARLY; | ||||
|  			tread.tstamp.tv_sec = 0; | ||||
|  			tread.tstamp.tv_nsec = 0; | ||||
| -- 
 | ||||
| 2.5.5 | ||||
| 
 | ||||
| @ -1,34 +0,0 @@ | ||||
| From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001 | ||||
| From: Kangjie Lu <kangjielu@gmail.com> | ||||
| Date: Tue, 3 May 2016 16:44:20 -0400 | ||||
| Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via | ||||
|  snd_timer_user_ccallback | ||||
| MIME-Version: 1.0 | ||||
| Content-Type: text/plain; charset=UTF-8 | ||||
| Content-Transfer-Encoding: 8bit | ||||
| 
 | ||||
| The stack object “r1” has a total size of 32 bytes. Its field | ||||
| “event” and “val” both contain 4 bytes padding. These 8 bytes | ||||
| padding bytes are sent to user without being initialized. | ||||
| 
 | ||||
| Signed-off-by: Kangjie Lu <kjlu@gatech.edu> | ||||
| Signed-off-by: Takashi Iwai <tiwai@suse.de> | ||||
| ---
 | ||||
|  sound/core/timer.c | 1 + | ||||
|  1 file changed, 1 insertion(+) | ||||
| 
 | ||||
| diff --git a/sound/core/timer.c b/sound/core/timer.c
 | ||||
| index 964f5ebf495e..e98fa5feb731 100644
 | ||||
| --- a/sound/core/timer.c
 | ||||
| +++ b/sound/core/timer.c
 | ||||
| @@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
 | ||||
|  		tu->tstamp = *tstamp; | ||||
|  	if ((tu->filter & (1 << event)) == 0 || !tu->tread) | ||||
|  		return; | ||||
| +	memset(&r1, 0, sizeof(r1));
 | ||||
|  	r1.event = event; | ||||
|  	r1.tstamp = *tstamp; | ||||
|  	r1.val = resolution; | ||||
| -- 
 | ||||
| 2.5.5 | ||||
| 
 | ||||
| @ -1,34 +0,0 @@ | ||||
| From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001 | ||||
| From: Kangjie Lu <kangjielu@gmail.com> | ||||
| Date: Tue, 3 May 2016 16:44:32 -0400 | ||||
| Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via | ||||
|  snd_timer_user_tinterrupt | ||||
| MIME-Version: 1.0 | ||||
| Content-Type: text/plain; charset=UTF-8 | ||||
| Content-Transfer-Encoding: 8bit | ||||
| 
 | ||||
| The stack object “r1” has a total size of 32 bytes. Its field | ||||
| “event” and “val” both contain 4 bytes padding. These 8 bytes | ||||
| padding bytes are sent to user without being initialized. | ||||
| 
 | ||||
| Signed-off-by: Kangjie Lu <kjlu@gatech.edu> | ||||
| Signed-off-by: Takashi Iwai <tiwai@suse.de> | ||||
| ---
 | ||||
|  sound/core/timer.c | 1 + | ||||
|  1 file changed, 1 insertion(+) | ||||
| 
 | ||||
| diff --git a/sound/core/timer.c b/sound/core/timer.c
 | ||||
| index e98fa5feb731..c69a27155433 100644
 | ||||
| --- a/sound/core/timer.c
 | ||||
| +++ b/sound/core/timer.c
 | ||||
| @@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
 | ||||
|  	} | ||||
|  	if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && | ||||
|  	    tu->last_resolution != resolution) { | ||||
| +		memset(&r1, 0, sizeof(r1));
 | ||||
|  		r1.event = SNDRV_TIMER_EVENT_RESOLUTION; | ||||
|  		r1.tstamp = tstamp; | ||||
|  		r1.val = resolution; | ||||
| -- 
 | ||||
| 2.5.5 | ||||
| 
 | ||||
| @ -1,4 +1,4 @@ | ||||
| From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001 | ||||
| From 8cd53548ce7b88b08cc6345c8fca7d28d1f3a7f2 Mon Sep 17 00:00:00 2001 | ||||
| From: Dave Howells <dhowells@redhat.com> | ||||
| Date: Tue, 23 Oct 2012 09:36:28 -0400 | ||||
| Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader. | ||||
| @ -6,20 +6,21 @@ Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader. | ||||
| X.509 certificates are loaded into the specified keyring as asymmetric type | ||||
| keys. | ||||
| 
 | ||||
| [labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED] | ||||
| Signed-off-by: David Howells <dhowells@redhat.com> | ||||
| ---
 | ||||
|  crypto/asymmetric_keys/Kconfig      |   8 +++ | ||||
|  crypto/asymmetric_keys/Makefile     |   1 + | ||||
|  crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++ | ||||
|  crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++ | ||||
|  include/linux/efi.h                 |   4 ++ | ||||
|  4 files changed, 122 insertions(+) | ||||
|  4 files changed, 121 insertions(+) | ||||
|  create mode 100644 crypto/asymmetric_keys/efi_parser.c | ||||
| 
 | ||||
| diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
 | ||||
| index 4870f28403f5..4a1b50d73b80 100644
 | ||||
| index e28e912..94024e8 100644
 | ||||
| --- a/crypto/asymmetric_keys/Kconfig
 | ||||
| +++ b/crypto/asymmetric_keys/Kconfig
 | ||||
| @@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION
 | ||||
| @@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
 | ||||
|  	  This option provides support for verifying the signature(s) on a | ||||
|  	  signed PE binary. | ||||
|   | ||||
| @ -33,10 +34,11 @@ index 4870f28403f5..4a1b50d73b80 100644 | ||||
| +
 | ||||
|  endif # ASYMMETRIC_KEY_TYPE | ||||
| diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
 | ||||
| index cd1406f9b14a..d9db380bbe53 100644
 | ||||
| index 6516855..c099fe1 100644
 | ||||
| --- a/crypto/asymmetric_keys/Makefile
 | ||||
| +++ b/crypto/asymmetric_keys/Makefile
 | ||||
| @@ -7,5 +7,6 @@ asymmetric_keys-y := asymmetric_type.o signature.o
 | ||||
| @@ -10,6 +10,7 @@ asymmetric_keys-y := \
 | ||||
|  	signature.o | ||||
|   | ||||
|  obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o | ||||
| +obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
 | ||||
| @ -45,10 +47,10 @@ index cd1406f9b14a..d9db380bbe53 100644 | ||||
|  # X.509 Certificate handling | ||||
| diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
 | ||||
| new file mode 100644 | ||||
| index 000000000000..424896a0b169
 | ||||
| index 0000000..636feb1
 | ||||
| --- /dev/null
 | ||||
| +++ b/crypto/asymmetric_keys/efi_parser.c
 | ||||
| @@ -0,0 +1,109 @@
 | ||||
| @@ -0,0 +1,108 @@
 | ||||
| +/* EFI signature/key/certificate list parser
 | ||||
| + *
 | ||||
| + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
 | ||||
| @ -139,8 +141,7 @@ index 000000000000..424896a0b169 | ||||
| +				esize - sizeof(*elem),
 | ||||
| +				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
 | ||||
| +				KEY_USR_VIEW,
 | ||||
| +				KEY_ALLOC_NOT_IN_QUOTA |
 | ||||
| +				KEY_ALLOC_TRUSTED);
 | ||||
| +				KEY_ALLOC_NOT_IN_QUOTA);
 | ||||
| +
 | ||||
| +			if (IS_ERR(key))
 | ||||
| +				pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
 | ||||
| @ -159,10 +160,10 @@ index 000000000000..424896a0b169 | ||||
| +	return 0;
 | ||||
| +}
 | ||||
| diff --git a/include/linux/efi.h b/include/linux/efi.h
 | ||||
| index fac43c611614..414c3c3d988d 100644
 | ||||
| index b80227a..18443e3 100644
 | ||||
| --- a/include/linux/efi.h
 | ||||
| +++ b/include/linux/efi.h
 | ||||
| @@ -941,6 +941,10 @@ extern bool efi_poweroff_required(void);
 | ||||
| @@ -1050,6 +1050,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
 | ||||
|  char * __init efi_md_typeattr_format(char *buf, size_t size, | ||||
|  				     const efi_memory_desc_t *md); | ||||
|   | ||||
| @ -174,5 +175,5 @@ index fac43c611614..414c3c3d988d 100644 | ||||
|   * efi_range_is_wc - check the WC bit on an address range | ||||
|   * @start: starting kvirt address | ||||
| -- 
 | ||||
| 2.4.3 | ||||
| 2.5.5 | ||||
| 
 | ||||
|  | ||||
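Review bot: With `KEY_ALLOC_TRUSTED` dropped from the `key_create_or_update()` call in efi_parser.c, the only flag left is `KEY_ALLOC_NOT_IN_QUOTA`, and nothing in the patch says how certificates parsed from the EFI signature list are admitted to a keyring that has a link restriction. If the destination keyring (chosen by the caller, outside this section) only accepts keys vouched for by an already trusted key, firmware `db` certificates would presumably be rejected and surface only as the `pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", ...)` line. If these certificates are meant to be accepted on firmware authority, pass `KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BYPASS_RESTRICTION` (assuming the flag is present in this snapshot). Otherwise extend the `[labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED]` note to say that rejection is the intended outcome. Only fragments of the function are visible on this page, so confirm this against the full patch.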
| @ -1,49 +0,0 @@ | ||||
| From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001 | ||||
| From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com> | ||||
| Date: Mon, 16 May 2016 09:45:35 -0400 | ||||
| Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8 | ||||
| MIME-Version: 1.0 | ||||
| Content-Type: text/plain; charset=UTF-8 | ||||
| Content-Transfer-Encoding: 8bit | ||||
| 
 | ||||
| MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support | ||||
| was introduced by 9ba075a664df ("KVM: MTRR support"). | ||||
| 
 | ||||
| 0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the | ||||
| size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8, | ||||
| which made access to index 124 out of bounds.  The surrounding code only | ||||
| WARNs in this situation, thus the guest gained a limited read/write | ||||
| access to struct kvm_arch_vcpu. | ||||
| 
 | ||||
| 0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR | ||||
| MTRR MSRs, 0x200-0x20f.  Every VR MTRR is set up using two MSRs, 0x2f8 | ||||
| was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was | ||||
| not implemented in KVM, therefore 0x2f8 could never do anything useful | ||||
| and getting rid of it is safe. | ||||
| 
 | ||||
| This fixes CVE-2016-TBD. | ||||
| 
 | ||||
| Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") | ||||
| Cc: stable@vger.kernel.org | ||||
| Reported-by: David Matlack <dmatlack@google.com> | ||||
| Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> | ||||
| ---
 | ||||
|  arch/x86/kvm/mtrr.c | 2 -- | ||||
|  1 file changed, 2 deletions(-) | ||||
| 
 | ||||
| diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
 | ||||
| index 3f8c732117ec..c146f3c262c3 100644
 | ||||
| --- a/arch/x86/kvm/mtrr.c
 | ||||
| +++ b/arch/x86/kvm/mtrr.c
 | ||||
| @@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
 | ||||
|  	case MSR_MTRRdefType: | ||||
|  	case MSR_IA32_CR_PAT: | ||||
|  		return true; | ||||
| -	case 0x2f8:
 | ||||
| -		return true;
 | ||||
|  	} | ||||
|  	return false; | ||||
|  } | ||||
| -- 
 | ||||
| 2.5.5 | ||||
| 
 | ||||
| @ -547,3 +547,6 @@ CONFIG_CHECKPOINT_RESTORE=y | ||||
| 
 | ||||
| # CONFIG_HW_RANDOM_HISI is not set | ||||
| # CONFIG_QRTR is not set | ||||
| 
 | ||||
| # This Xilinx option is now built for arm64 as well as ARM | ||||
| CONFIG_XILINX_VDMA=m | ||||
|  | ||||
| @ -587,7 +587,6 @@ CONFIG_SPI_CADENCE=m | ||||
| CONFIG_I2C_CADENCE=m | ||||
| CONFIG_XILINX_WATCHDOG=m | ||||
| CONFIG_XILINX_XADC=m | ||||
| CONFIG_XILINX_VDMA=m | ||||
| CONFIG_SND_SOC_ADI=m | ||||
| CONFIG_SND_SOC_ADI_AXI_I2S=m | ||||
| CONFIG_SND_SOC_ADI_AXI_SPDIF=m | ||||
|  | ||||
| @ -461,6 +461,7 @@ CONFIG_RTC_DRV_ARMADA38X=m | ||||
| CONFIG_LEDS_NS2=m | ||||
| CONFIG_SERIAL_MVEBU_UART=y | ||||
| # CONFIG_SERIAL_MVEBU_CONSOLE is not set | ||||
| # CONFIG_PCIE_ARMADA_8K is not set | ||||
| 
 | ||||
| # DRM panels | ||||
| CONFIG_DRM_PANEL=y | ||||
|  | ||||
| @ -111,6 +111,7 @@ CONFIG_HOTPLUG_PCI=y | ||||
| # CONFIG_HOTPLUG_PCI_SHPC is not set | ||||
| CONFIG_HOTPLUG_PCI_PCIE=y | ||||
| # CONFIG_PCIE_DW_PLAT is not set | ||||
| CONFIG_PCIE_DPC=m | ||||
| 
 | ||||
| # CONFIG_SGI_IOC4 is not set | ||||
| 
 | ||||
| @ -4935,6 +4936,7 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y | ||||
| # CONFIG_SECURITY_SMACK is not set | ||||
| # CONFIG_SECURITY_TOMOYO is not set | ||||
| # CONFIG_SECURITY_APPARMOR is not set | ||||
| # CONFIG_SECURITY_LOADPIN is not set | ||||
| CONFIG_SECURITY_YAMA=y | ||||
| CONFIG_AUDIT=y | ||||
| CONFIG_AUDITSYSCALL=y | ||||
| @ -5071,6 +5073,7 @@ CONFIG_PERSISTENT_KEYRINGS=y | ||||
| CONFIG_BIG_KEYS=y | ||||
| CONFIG_TRUSTED_KEYS=m | ||||
| CONFIG_ENCRYPTED_KEYS=m | ||||
| CONFIG_KEY_DH_OPERATIONS=y | ||||
| CONFIG_CDROM_PKTCDVD=m | ||||
| CONFIG_CDROM_PKTCDVD_BUFFERS=8 | ||||
| # CONFIG_CDROM_PKTCDVD_WCACHE is not set | ||||
| @ -5920,6 +5923,7 @@ CONFIG_MODULE_SIG_SHA256=y | ||||
| CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" | ||||
| CONFIG_SYSTEM_TRUSTED_KEYS="" | ||||
| # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set | ||||
| CONFIG_SECONDARY_TRUSTED_KEYRING=y | ||||
| CONFIG_PKCS7_MESSAGE_PARSER=y | ||||
| # CONFIG_PKCS7_TEST_KEY is not set | ||||
| CONFIG_SIGNED_PE_FILE_VERIFICATION=y | ||||
| @ -5955,3 +5959,5 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y | ||||
| # The kernel code has a nice comment | ||||
| # WARNING: Do not even assume this interface is staying stable! | ||||
| # CONFIG_MCE_AMD_INJ is not set | ||||
| 
 | ||||
| # CONFIG_EZNPS_GIC is not set | ||||
|  | ||||
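Review bot: `CONFIG_SECONDARY_TRUSTED_KEYRING=y` is enabled without a comment, although it changes what can become a trusted key at run time: a key can be added after boot if it is vouched for by a key already on the built-in or secondary trusted keyring. The rendered page has lost the +/- markers, so this is inferred to be the added line from the `-5920,6 +5923,7` header. This file already carries rationale comments, so add one above the option, e.g. `# Allow run-time addition of keys that are signed by an already trusted key`. The same applies to `# CONFIG_SECURITY_LOADPIN is not set` in the `-4935,6 +4936,7` hunk, where a one-line reason for leaving the new LSM off would help the next person revisiting the choice.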
| @ -575,6 +575,7 @@ CONFIG_SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH=m | ||||
| CONFIG_SND_SOC_INTEL_SKL_RT286_MACH=m | ||||
| CONFIG_SND_SOC_INTEL_SKL_NAU88L25_SSM4567_MACH=m | ||||
| CONFIG_SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH=m | ||||
| CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m | ||||
| CONFIG_SND_SOC_AC97_CODEC=m | ||||
| # CONFIG_SND_SOC_TAS571X is not set | ||||
| # CONFIG_SND_SUN4I_CODEC is not set | ||||
|  | ||||
							
								
								
									
										2
									
								
								gitrev
									
									
									
									
									
								
							
							
						
						
									
										2
									
								
								gitrev
									
									
									
									
									
								
							| @ -1 +1 @@ | ||||
| 2600a46ee0ed57c0e0a382c2a37ebac64d374d20 | ||||
| 03b979dd0323ace8e29a0561cd5232f73a060c09 | ||||
|  | ||||
							
								
								
									
										19
									
								
								kernel.spec
									
									
									
									
									
								
							
							
						
						
									
										19
									
								
								kernel.spec
									
									
									
									
									
								
							| @ -69,7 +69,7 @@ Summary: The Linux kernel | ||||
| # The rc snapshot level | ||||
| %define rcrev 0 | ||||
| # The git snapshot level | ||||
| %define gitrev 4 | ||||
| %define gitrev 5 | ||||
| # Set rpm version accordingly | ||||
| %define rpmversion 4.%{upstream_sublevel}.0 | ||||
| %endif | ||||
| @ -562,7 +562,10 @@ Patch487: Add-EFI-signature-data-types.patch | ||||
| 
 | ||||
| Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch | ||||
| 
 | ||||
| Patch489: KEYS-Add-a-system-blacklist-keyring.patch | ||||
| # This doesn't apply. It seems like it could be replaced by | ||||
| # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c | ||||
| # which has an explicit line about blacklisting | ||||
| # Patch489: KEYS-Add-a-system-blacklist-keyring.patch | ||||
| 
 | ||||
| Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch | ||||
| 
 | ||||
| @ -606,14 +609,6 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch | ||||
| #CVE-2016-4482 rhbz 1332931 1332932 | ||||
| Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch | ||||
| 
 | ||||
| #CVE-2016-4569 rhbz 1334643 1334645 | ||||
| Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch | ||||
| Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch | ||||
| Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch | ||||
| 
 | ||||
| #CVE-2016-3713 rhbz 1332139 1336410 | ||||
| Patch717: KVM-MTRR-remove-MSR-0x2f8.patch | ||||
| 
 | ||||
| #CVE-2016-4440 rhbz 1337806 1337807 | ||||
| Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch | ||||
| 
 | ||||
| @ -2142,6 +2137,10 @@ fi | ||||
| # | ||||
| #  | ||||
| %changelog | ||||
| * Fri May 20 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git5.1 | ||||
| - Linux v4.6-6148-g03b979d | ||||
| - Docs, i2c, md, iommu, sound, pci, pinctrl, dmaengine, kvm, security merges | ||||
| 
 | ||||
| * Fri May 20 2016 Josh Boyer <jwboyer@fedoraproject.org> | ||||
| - CVE-2016-4440 kvm: incorrect state leading to APIC register access (rhbz 1337806 1337807) | ||||
| 
 | ||||
|  | ||||
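Review bot: Commenting out `Patch489: KEYS-Add-a-system-blacklist-keyring.patch` leaves this build without the system blacklist keyring, and the added comment does not say what that means for key revocation. `Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch` is still applied just below, and the config hunk context on this page still shows `CONFIG_SYSTEM_BLACKLIST_KEYRING=y`. If Patch490 feeds UEFI `dbx` entries into that keyring (not visible here), those revocations are presumably not enforced in this build. The comment should say so and carry a tracking marker, e.g. `# TODO: dbx/blacklist entries are not enforced while Patch489 is disabled; rework on top of the upstream keyring restriction API`. The same section also drops Patch714-717 for CVE-2016-4569 and CVE-2016-3713, so it is worth confirming that the v4.6-6148-g03b979d snapshot contains those fixes.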