[kernel/f20] Linux v3.11.2

Justin M. Forbes jforbes at fedoraproject.org
Fri Sep 27 12:29:06 UTC 2013


commit b61169ac06e6c26ec5a8bee4415ebd38026a5e89
Author: Justin M. Forbes <jforbes at redhat.com>
Date:   Fri Sep 27 07:28:53 2013 -0500

    Linux v3.11.2

 ...-report-fixup-for-Genius-Gx-Imperator-Key.patch |  118 --------
 HID-CVE-fixes-3.11.patch                           |  291 --------------------
 acpi-pcie-hotplug-conflict.patch                   |  149 ----------
 crypto-fix-race-in-larval-lookup.patch             |   44 ---
 kernel.spec                                        |   23 +--
 sources                                            |    2 +-
 6 files changed, 5 insertions(+), 622 deletions(-)
---
diff --git a/HID-CVE-fixes-3.11.patch b/HID-CVE-fixes-3.11.patch
index b2d7f19..4cdc594 100644
--- a/HID-CVE-fixes-3.11.patch
+++ b/HID-CVE-fixes-3.11.patch
@@ -1,83 +1,3 @@
-From aab9cb0a00ecdd937273f3b9649311d81bf4f0cb Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook at chromium.org>
-Date: Wed, 28 Aug 2013 22:29:55 +0200
-Subject: [PATCH 01/16] HID: validate HID report id size
-
-The "Report ID" field of a HID report is used to build indexes of
-reports. The kernel's index of these is limited to 256 entries, so any
-malicious device that sets a Report ID greater than 255 will trigger
-memory corruption on the host:
-
-[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
-[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
-
-CVE-2013-2888
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
----
- drivers/hid/hid-core.c | 10 +++++++---
- include/linux/hid.h    |  4 +++-
- 2 files changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 36668d1..5ea7d51 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
- 	struct hid_report_enum *report_enum = device->report_enum + type;
- 	struct hid_report *report;
- 
-+	if (id >= HID_MAX_IDS)
-+		return NULL;
- 	if (report_enum->report_id_hash[id])
- 		return report_enum->report_id_hash[id];
- 
-@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
- 
- 	case HID_GLOBAL_ITEM_TAG_REPORT_ID:
- 		parser->global.report_id = item_udata(item);
--		if (parser->global.report_id == 0) {
--			hid_err(parser->device, "report_id 0 is invalid\n");
-+		if (parser->global.report_id == 0 ||
-+		    parser->global.report_id >= HID_MAX_IDS) {
-+			hid_err(parser->device, "report_id %u is invalid\n",
-+				parser->global.report_id);
- 			return -1;
- 		}
- 		return 0;
-@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
- 	for (i = 0; i < HID_REPORT_TYPES; i++) {
- 		struct hid_report_enum *report_enum = device->report_enum + i;
- 
--		for (j = 0; j < 256; j++) {
-+		for (j = 0; j < HID_MAX_IDS; j++) {
- 			struct hid_report *report = report_enum->report_id_hash[j];
- 			if (report)
- 				hid_free_report(report);
-diff --git a/include/linux/hid.h b/include/linux/hid.h
-index 0c48991..ff545cc 100644
---- a/include/linux/hid.h
-+++ b/include/linux/hid.h
-@@ -393,10 +393,12 @@ struct hid_report {
- 	struct hid_device *device;			/* associated device */
- };
- 
-+#define HID_MAX_IDS 256
-+
- struct hid_report_enum {
- 	unsigned numbered;
- 	struct list_head report_list;
--	struct hid_report *report_id_hash[256];
-+	struct hid_report *report_id_hash[HID_MAX_IDS];
- };
- 
- #define HID_REPORT_TYPES 3
--- 
-1.8.3.1
-
-
 From ba6d8d44eaeb0ee58082f4b4c95138416e1f58a5 Mon Sep 17 00:00:00 2001
 From: Kees Cook <keescook at chromium.org>
 Date: Wed, 11 Sep 2013 21:56:50 +0200
@@ -906,214 +826,3 @@ index 762d988..31cf29a 100644
  
 -- 
 1.8.3.1
-
-
-From b2438ded3cdd8d6d6af77d9bce38d2d8f353a790 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook at chromium.org>
-Date: Wed, 28 Aug 2013 22:32:01 +0200
-Subject: [PATCH 12/16] HID: check for NULL field when setting values
-
-Defensively check that the field to be worked on is not NULL.
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
----
- drivers/hid/hid-core.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 08500bc..e331cb1 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -1212,7 +1212,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
- 
- int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
- {
--	unsigned size = field->report_size;
-+	unsigned size;
-+
-+	if (!field)
-+		return -1;
-+
-+	size = field->report_size;
- 
- 	hid_dump_input(field->report->device, field->usage + offset, value);
- 
--- 
-1.8.3.1
-
-
-From d0502783cdafcdb0a677492c43a373748d900d50 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook at chromium.org>
-Date: Wed, 28 Aug 2013 22:30:49 +0200
-Subject: [PATCH 13/16] HID: pantherlord: validate output report details
-
-A HID device could send a malicious output report that would cause the
-pantherlord HID driver to write beyond the output report allocation
-during initialization, causing a heap overflow:
-
-[  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
-...
-[  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
-
-CVE-2013-2892
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
----
- drivers/hid/hid-pl.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
-index d29112f..2dcd7d9 100644
---- a/drivers/hid/hid-pl.c
-+++ b/drivers/hid/hid-pl.c
-@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
- 			strong = &report->field[0]->value[2];
- 			weak = &report->field[0]->value[3];
- 			debug("detected single-field device");
--		} else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
--				report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
-+		} else if (report->field[0]->maxusage == 1 &&
-+			   report->field[0]->usage[0].hid ==
-+				(HID_UP_LED | 0x43) &&
-+			   report->maxfield >= 4 &&
-+			   report->field[0]->report_count >= 1 &&
-+			   report->field[1]->report_count >= 1 &&
-+			   report->field[2]->report_count >= 1 &&
-+			   report->field[3]->report_count >= 1) {
- 			report->field[0]->value[0] = 0x00;
- 			report->field[1]->value[0] = 0x00;
- 			strong = &report->field[2]->value[0];
--- 
-1.8.3.1
-
-
-From dc4db3b624cc7bf6972817615af88e250a8526cc Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook at chromium.org>
-Date: Wed, 28 Aug 2013 22:31:28 +0200
-Subject: [PATCH 14/16] HID: ntrig: validate feature report details
-
-A HID device could send a malicious feature report that would cause the
-ntrig HID driver to trigger a NULL dereference during initialization:
-
-[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
-...
-[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
-[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
-
-CVE-2013-2896
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
-Signed-off-by: Rafi Rubin <rafi at seas.upenn.edu>
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
----
- drivers/hid/hid-ntrig.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
-index ef95102..5482156 100644
---- a/drivers/hid/hid-ntrig.c
-+++ b/drivers/hid/hid-ntrig.c
-@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
- 	struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
- 				    report_id_hash[0x0d];
- 
--	if (!report)
-+	if (!report || report->maxfield < 1 ||
-+	    report->field[0]->report_count < 1)
- 		return -EINVAL;
- 
- 	hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
--- 
-1.8.3.1
-
-
-From 34490675479f16680a60726632ad2e808eab54bd Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook at chromium.org>
-Date: Wed, 28 Aug 2013 22:31:44 +0200
-Subject: [PATCH 15/16] HID: sensor-hub: validate feature report details
-
-A HID device could send a malicious feature report that would cause the
-sensor-hub HID driver to read past the end of heap allocation, leaking
-kernel memory contents to the caller.
-
-CVE-2013-2898
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
-Reviewed-by: Mika Westerberg <mika.westerberg at linux.intel.com>
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
----
- drivers/hid/hid-sensor-hub.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
-index ca749810..aa34755 100644
---- a/drivers/hid/hid-sensor-hub.c
-+++ b/drivers/hid/hid-sensor-hub.c
-@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
- 
- 	mutex_lock(&data->mutex);
- 	report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
--	if (!report || (field_index >=  report->maxfield)) {
-+	if (!report || (field_index >=  report->maxfield) ||
-+	    report->field[field_index]->report_count < 1) {
- 		ret = -EINVAL;
- 		goto done_proc;
- 	}
--- 
-1.8.3.1
-
-
-From a0155e41d3a7a9bd901368271d86ee1bb28d100f Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook at chromium.org>
-Date: Wed, 28 Aug 2013 22:31:52 +0200
-Subject: [PATCH 16/16] HID: picolcd_core: validate output report details
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A HID device could send a malicious output report that would cause the
-picolcd HID driver to trigger a NULL dereference during attr file writing.
-
-[jkosina at suse.cz: changed
-
-	report->maxfield < 1
-
-to
-
-	report->maxfield != 1
-
-as suggested by Bruno].
-
-CVE-2013-2899
-
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Cc: stable at kernel.org
-Reviewed-by: Bruno Prémont <bonbons at linux-vserver.org>
-Acked-by: Bruno Prémont <bonbons at linux-vserver.org>
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
----
- drivers/hid/hid-picolcd_core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
-index b48092d..acbb0210 100644
---- a/drivers/hid/hid-picolcd_core.c
-+++ b/drivers/hid/hid-picolcd_core.c
-@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
- 		buf += 10;
- 		cnt -= 10;
- 	}
--	if (!report)
-+	if (!report || report->maxfield != 1)
- 		return -EINVAL;
- 
- 	while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
--- 
-1.8.3.1
-
diff --git a/kernel.spec b/kernel.spec
index 3e40b04..26c75c8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -74,7 +74,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 1
+%define stable_update 2
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -779,12 +779,6 @@ Patch25078: rt2800-rearrange-bbp-rfcsr-initialization.patch
 #CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604
 Patch25099: HID-CVE-fixes-3.11.patch
 
-#rhbz 963991
-Patch26000: acpi-pcie-hotplug-conflict.patch
-
-#rhbz 1002351
-Patch25100: crypto-fix-race-in-larval-lookup.patch
-
 #CVE-2013-4343 rhbz 1007733 1007741
 Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch
 
@@ -794,9 +788,6 @@ Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
 #CVE-2013-4345 rhbz 1007690 1009136
 Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
 
-#rhbz 928561
-Patch25105: 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch
-
 #rhbz 1008323
 Patch25106: 0001-skge-fix-broken-driver.patch
 Patch25120: skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch
@@ -1553,12 +1544,6 @@ ApplyPatch HID-CVE-fixes-3.11.patch
 #rhbz 1000679
 ApplyPatch rt2800-rearrange-bbp-rfcsr-initialization.patch
 
-#rhbz 963991
-ApplyPatch acpi-pcie-hotplug-conflict.patch
-
-#rhbz1002351
-ApplyPatch crypto-fix-race-in-larval-lookup.patch
-
 #CVE-2013-4343 rhbz 1007733 1007741
 ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch
 
@@ -1568,9 +1553,6 @@ ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
 #CVE-2013-4345 rhbz 1007690 1009136
 ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
 
-#rhbz 928561
-ApplyPatch 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch
-
 #rhbz 985522
 ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch
 
@@ -2392,6 +2374,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Fri Sep 27 2013 Justin M. Forbes <jforbes at fedoraproject.org> - 3.11.2-300
+- Linux v3.11.2
+
 * Wed Sep 25 2013 Josh Boyer <jwboyer at fedoraproject.org>
 - Fix debuginfo_args regex for + separator (rhbz 1009751)
 - Add another fix for skge (rhbz 1008323)
diff --git a/sources b/sources
index 1bb8782..9c3b879 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 fea363551ff45fbe4cb88497b863b261  linux-3.11.tar.xz
-43331cad943b9540afea49ad8ce5cf46  patch-3.11.1.xz
+5aa3286dcc7d70ceb50c3cbc64bc1cd8  patch-3.11.2.xz

