From 978e9d5ec43ca50fde1ed6eeaa17a4954b4b814e Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 19 Sep 2016 09:41:52 -0500 Subject: [PATCH] Linux v4.8-rc7 --- ...overflow-in-archmsr_iop_message_xfer.patch | 41 +++++++ config-generic | 6 +- config-nodebug | 112 +++++++++--------- config-x86-generic | 2 +- gitrev | 2 +- kernel.spec | 14 ++- sources | 3 +- 7 files changed, 114 insertions(+), 66 deletions(-) create mode 100644 arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch diff --git a/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch b/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch new file mode 100644 index 000000000..81ed8814d --- /dev/null +++ b/arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch @@ -0,0 +1,41 @@ +From: Dan Carpenter +Date: 2016-09-15 13:44:56 +Subject: [patch v2] arcmsr: buffer overflow in arcmsr_iop_message_xfer() + +We need to put an upper bound on "user_len" so the memcpy() doesn't +overflow. + +Reported-by: Marco Grassi +Signed-off-by: Dan Carpenter +Reviewed-by: Tomas Henzl + +diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c +index 7640498..110eca9 100644 +--- a/drivers/scsi/arcmsr/arcmsr_hba.c ++++ b/drivers/scsi/arcmsr/arcmsr_hba.c +@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, + } + case ARCMSR_MESSAGE_WRITE_WQBUFFER: { + unsigned char *ver_addr; +- int32_t user_len, cnt2end; ++ uint32_t user_len; ++ int32_t cnt2end; + uint8_t *pQbuffer, *ptmpuserbuffer; + ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC); + if (!ver_addr) { +@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, + } + ptmpuserbuffer = ver_addr; + user_len = pcmdmessagefld->cmdmessage.Length; ++ if (user_len > ARCMSR_API_DATA_BUFLEN) { ++ retvalue = ARCMSR_MESSAGE_FAIL; ++ kfree(ver_addr); ++ goto message_out; ++ } + memcpy(ptmpuserbuffer, + pcmdmessagefld->messagedatabuffer, user_len); + spin_lock_irqsave(&acb->wqbuffer_lock, flags); +-- +To unsubscribe from this list: send the line "unsubscribe linux-scsi" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/config-generic b/config-generic index c9d6e6ed0..ed9d18306 100644 --- a/config-generic +++ b/config-generic @@ -1859,13 +1859,13 @@ CONFIG_B43=m CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y CONFIG_B43_BCMA_PIO=y -CONFIG_B43_DEBUG=y +# CONFIG_B43_DEBUG is not set CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y CONFIG_B43_PHY_G=y CONFIG_B43LEGACY=m -CONFIG_B43LEGACY_DEBUG=y +# CONFIG_B43LEGACY_DEBUG is not set CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -5278,7 +5278,7 @@ CONFIG_PM_DEBUG=y # CONFIG_DPM_WATCHDOG is not set # revisit this in debug CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -CONFIG_PM_TEST_SUSPEND=y +# CONFIG_PM_TEST_SUSPEND is not set # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set # CONFIG_PM_WAKELOCKS is not set diff --git a/config-nodebug b/config-nodebug index 0dc864752..4bd461d8f 100644 --- a/config-nodebug +++ b/config-nodebug @@ -2,102 +2,102 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -CONFIG_DEBUG_ATOMIC_SLEEP=y +# CONFIG_DEBUG_ATOMIC_SLEEP is not set -CONFIG_DEBUG_MUTEXES=y -CONFIG_DEBUG_RT_MUTEXES=y -CONFIG_DEBUG_LOCK_ALLOC=y -CONFIG_LOCK_TORTURE_TEST=m -CONFIG_PROVE_LOCKING=y -CONFIG_DEBUG_SPINLOCK=y -CONFIG_PROVE_RCU=y +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_PROVE_RCU is not set # CONFIG_PROVE_RCU_REPEATEDLY is not set -CONFIG_DEBUG_PER_CPU_MAPS=y +# CONFIG_DEBUG_PER_CPU_MAPS is not set CONFIG_CPUMASK_OFFSTACK=y -CONFIG_CPU_NOTIFIER_ERROR_INJECT=m +# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set -CONFIG_FAULT_INJECTION=y -CONFIG_FAILSLAB=y -CONFIG_FAIL_PAGE_ALLOC=y -CONFIG_FAIL_MAKE_REQUEST=y -CONFIG_FAULT_INJECTION_DEBUG_FS=y -CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y -CONFIG_FAIL_IO_TIMEOUT=y -CONFIG_FAIL_MMC_REQUEST=y +# CONFIG_FAULT_INJECTION is not set +# CONFIG_FAILSLAB is not set +# CONFIG_FAIL_PAGE_ALLOC is not set +# CONFIG_FAIL_MAKE_REQUEST is not set +# CONFIG_FAULT_INJECTION_DEBUG_FS is not set +# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set +# CONFIG_FAIL_IO_TIMEOUT is not set +# CONFIG_FAIL_MMC_REQUEST is not set # CONFIG_F2FS_FAULT_INJECTION is not set -CONFIG_LOCK_STAT=y +# CONFIG_LOCK_STAT is not set -CONFIG_DEBUG_STACK_USAGE=y +# CONFIG_DEBUG_STACK_USAGE is not set -CONFIG_ACPI_DEBUG=y +# CONFIG_ACPI_DEBUG is not set # CONFIG_ACPI_DEBUGGER is not set -CONFIG_DEBUG_SG=y -CONFIG_DEBUG_PI_LIST=y +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_PI_LIST is not set # CONFIG_PAGE_EXTENSION is not set # CONFIG_PAGE_OWNER is not set # CONFIG_DEBUG_PAGEALLOC is not set -CONFIG_DEBUG_OBJECTS=y +# CONFIG_DEBUG_OBJECTS is not set # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -CONFIG_DEBUG_OBJECTS_FREE=y -CONFIG_DEBUG_OBJECTS_TIMERS=y -CONFIG_DEBUG_OBJECTS_RCU_HEAD=y +# CONFIG_DEBUG_OBJECTS_FREE is not set +# CONFIG_DEBUG_OBJECTS_TIMERS is not set +# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 CONFIG_X86_PTDUMP=y -CONFIG_ARM64_PTDUMP=y -CONFIG_EFI_PGT_DUMP=y +# CONFIG_ARM64_PTDUMP is not set +# CONFIG_EFI_PGT_DUMP is not set -CONFIG_CAN_DEBUG_DEVICES=y +# CONFIG_CAN_DEBUG_DEVICES is not set -CONFIG_MODULE_FORCE_UNLOAD=y +# CONFIG_MODULE_FORCE_UNLOAD is not set -CONFIG_DEBUG_NOTIFIERS=y +# CONFIG_DEBUG_NOTIFIERS is not set -CONFIG_DMA_API_DEBUG=y +# CONFIG_DMA_API_DEBUG is not set -CONFIG_MMIOTRACE=y +# CONFIG_MMIOTRACE is not set -CONFIG_DEBUG_CREDENTIALS=y +# CONFIG_DEBUG_CREDENTIALS is not set # off in both production debug and nodebug builds, # on in rawhide nodebug builds -CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set -CONFIG_EXT4_DEBUG=y +# CONFIG_EXT4_DEBUG is not set # CONFIG_XFS_WARN is not set -CONFIG_DEBUG_PERF_USE_VMALLOC=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set -CONFIG_JBD2_DEBUG=y +# CONFIG_JBD2_DEBUG is not set -CONFIG_NFSD_FAULT_INJECTION=y +# CONFIG_NFSD_FAULT_INJECTION is not set -CONFIG_DEBUG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set -CONFIG_DRBD_FAULT_INJECTION=y +# CONFIG_DRBD_FAULT_INJECTION is not set -CONFIG_ATH_DEBUG=y -CONFIG_CARL9170_DEBUGFS=y -CONFIG_IWLWIFI_DEVICE_TRACING=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_CARL9170_DEBUGFS is not set +# CONFIG_IWLWIFI_DEVICE_TRACING is not set # CONFIG_RTLWIFI_DEBUG is not set -CONFIG_DEBUG_OBJECTS_WORK=y +# CONFIG_DEBUG_OBJECTS_WORK is not set -CONFIG_DMADEVICES_DEBUG=y +# CONFIG_DMADEVICES_DEBUG is not set # CONFIG_DMADEVICES_VDEBUG is not set CONFIG_PM_ADVANCED_DEBUG=y -CONFIG_CEPH_LIB_PRETTYDEBUG=y -CONFIG_QUOTA_DEBUG=y +# CONFIG_CEPH_LIB_PRETTYDEBUG is not set +# CONFIG_QUOTA_DEBUG is not set CONFIG_KGDB_KDB=y @@ -105,19 +105,19 @@ CONFIG_KDB_DEFAULT_ENABLE=0x0 CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y +# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set # CONFIG_PERCPU_TEST is not set -CONFIG_TEST_LIST_SORT=y +# CONFIG_TEST_LIST_SORT is not set # CONFIG_TEST_STRING_HELPERS is not set -CONFIG_DETECT_HUNG_TASK=y +# CONFIG_DETECT_HUNG_TASK is not set CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -CONFIG_WQ_WATCHDOG=y +# CONFIG_WQ_WATCHDOG is not set -CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y +# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set -CONFIG_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y @@ -128,4 +128,4 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_SPI_DEBUG is not set -CONFIG_DEBUG_VM_PGFLAGS=y +# CONFIG_DEBUG_VM_PGFLAGS is not set diff --git a/config-x86-generic b/config-x86-generic index f011f027d..a44190bd7 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -380,7 +380,7 @@ CONFIG_SP5100_TCO=m # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -CONFIG_MAXSMP=y +# CONFIG_MAXSMP is not set CONFIG_HP_ILO=m diff --git a/gitrev b/gitrev index 1a7cfb211..800fd8125 100644 --- a/gitrev +++ b/gitrev @@ -1 +1 @@ -024c7e3756d8a42fc41fe8a9488488b9b09d1dcc +3be7988674ab33565700a37b210f502563d932e6 diff --git a/kernel.spec b/kernel.spec index 6b10f9613..396d35936 100644 --- a/kernel.spec +++ b/kernel.spec @@ -67,9 +67,9 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 6 +%define rcrev 7 # The git snapshot level -%define gitrev 4 +%define gitrev 0 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -125,7 +125,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 0 +%define debugbuildsenabled 1 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -619,6 +619,9 @@ Patch848: 0001-cpupower-Correct-return-type-of-cpu_power_is_cpu_onl.patch #ongoing complaint, full discussion delayed until ksummit/plumbers Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch +#CVE-2016-7425 rhbz 1377330 1377331 +Patch850: arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch + # END OF PATCH DEFINITIONS %endif @@ -2155,6 +2158,11 @@ fi # # %changelog +* Mon Sep 19 2016 Justin M. Forbes - 4.8.0-0.rc7.git0.1 +- Linux v4.8-rc7 +- Disable debugging options. +- CVE-2016-7425 SCSI arcmsr buffer overflow (rhbz 1377330 1377331) + * Sat Sep 17 2016 Peter Robinson - Enable CPU IDLE on ARMv7 - Tweak big.LITTLE on ARMv7 diff --git a/sources b/sources index 8801cfcc1..1099fbde8 100644 --- a/sources +++ b/sources @@ -1,4 +1,3 @@ 5276563eb1f39a048e4a8a887408c031 linux-4.7.tar.xz fe259c02c75eec61d1aa4b1211f3c853 perf-man-4.7.tar.gz -5c667b81145f4ebdc27d2716eab35eb5 patch-4.8-rc6.xz -57a2b9f6eddf053d9188a9d1f051917b patch-4.8-rc6-git4.xz +f3c565cb3f80b13e7e78fcde4ac87b8b patch-4.8-rc7.xz