[kernel] Linux v3.17-7872-g5ff0b9e1a1da

Josh Boyer jwboyer at fedoraproject.org
Mon Oct 13 17:42:20 UTC 2014 

commit 6b375296a7557bc617ed814b212ed7eada68d69f
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Oct 13 13:42:01 2014 -0400

    Linux v3.17-7872-g5ff0b9e1a1da

 ...ate-EPERM-for-a-key-type-name-beginning-w.patch |   44 ----------
 ...v-mem-and-dev-kmem-when-module-loading-is.patch |    2 +-
 ...rt-ACPI-video-change-acpi-video-brightnes.patch |    2 +-
 config-generic                                     |    2 +
 ...d-a-missing-permission-check-to-do_umount.patch |   31 +++++++
 kernel.spec                                        |   21 +++--
 ...-pivot_root-from-creating-a-loop-in-the-m.patch |    4 +-
 ...pv4-module-license-unspecified-taints-ker.patch |   84 ++++++++++++++++++++
 sources                                            |    2 +-
 ...wn-IO-port-access-when-module-security-is.patch |    2 +-
 10 files changed, 137 insertions(+), 57 deletions(-)
---
diff --git a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
index 003bfec..3cdd467 100644
--- a/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
+++ b/Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
@@ -13,7 +13,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett at nebula.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index cdf839f9defe..c63cf93b00eb 100644
+index c268e2581ed6..fb9ea1172ba8 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
diff --git a/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch b/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch
index 8d400c7..0554468 100644
--- a/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch
+++ b/Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch
@@ -15,7 +15,7 @@ Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 41f7ec1fcf61..c79eb60a7869 100644
+index f8a07128a6e8..41eff584e169 100644
 --- a/Documentation/kernel-parameters.txt
 +++ b/Documentation/kernel-parameters.txt
 @@ -3625,7 +3625,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
diff --git a/config-generic b/config-generic
index c3a019f..e3a3eba 100644
--- a/config-generic
+++ b/config-generic
@@ -5066,6 +5066,8 @@ CONFIG_ALTERA_STAPL=m
 
 CONFIG_NOP_USB_XCEIV=m
 
+# CONFIG_INTEGRITY is not set
+
 # CONFIG_IMA is not set
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_LSM_RULES=y
diff --git a/fs-Add-a-missing-permission-check-to-do_umount.patch b/fs-Add-a-missing-permission-check-to-do_umount.patch
new file mode 100644
index 0000000..ce9de66
--- /dev/null
+++ b/fs-Add-a-missing-permission-check-to-do_umount.patch
@@ -0,0 +1,31 @@
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Wed, 8 Oct 2014 12:37:46 -0700
+Subject: [PATCH] fs: Add a missing permission check to do_umount
+
+Accessing do_remount_sb should require global CAP_SYS_ADMIN, but
+only one of the two call sites was appropriately protected.
+
+Fixes CVE-2014-7975.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+---
+ fs/namespace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index c8e3034ff4b2..fbba8b17330d 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1439,6 +1439,8 @@ static int do_umount(struct mount *mnt, int flags)
+ 		 * Special case for "unmounting" root ...
+ 		 * we just try to remount it readonly.
+ 		 */
++		if (!capable(CAP_SYS_ADMIN))
++			return -EPERM;
+ 		down_write(&sb->s_umount);
+ 		if (!(sb->s_flags & MS_RDONLY))
+ 			retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
+-- 
+1.9.3
+
diff --git a/kernel.spec b/kernel.spec
index 258fca0..a446dae 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 5
+%define gitrev 6
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@@ -607,14 +607,16 @@ Patch26002: samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
 #rhbz 1138759
 Patch26021: drm-vmwgfx-Fix-drm.h-include.patch
 
-#rhbz 1145318
-Patch26029: KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
-
 Patch26032: Revert-pinctrl-qcom-use-restart_notifier-mechanism-f.patch
 
 #CVE-2014-7970 rhbz 1151095 1151484
 Patch26033: mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
 
+#CVE-2014-7975 rhbz 1151108 1152025
+Patch26034: fs-Add-a-missing-permission-check-to-do_umount.patch
+
+Patch26035: nf_reject_ipv4-module-license-unspecified-taints-ker.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
 
@@ -1334,14 +1336,16 @@ ApplyPatch samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
 #rhbz 1138759
 ApplyPatch drm-vmwgfx-Fix-drm.h-include.patch
 
-#rhbz 1145318
-ApplyPatch KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
-
 ApplyPatch Revert-pinctrl-qcom-use-restart_notifier-mechanism-f.patch
 
 #CVE-2014-7970 rhbz 1151095 1151484
 ApplyPatch mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
 
+#CVE-2014-7975 rhbz 1151108 1152025
+ApplyPatch fs-Add-a-missing-permission-check-to-do_umount.patch
+
+ApplyPatch nf_reject_ipv4-module-license-unspecified-taints-ker.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2210,6 +2214,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Mon Oct 13 2014 Josh Boyer <jwboyer at fedoraproject.org> - 3.18.0-0.rc0.git6.1
+- Linux v3.17-7872-g5ff0b9e1a1da
+
 * Sun Oct 12 2014 Josh Boyer <jwboyer at fedoraproject.org> - 3.18.0-0.rc0.git5.1
 - Linux v3.17-7639-g90eac7eee2f4
 
diff --git a/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch b/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
index 0faadaf..b89527f 100644
--- a/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
+++ b/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
@@ -26,10 +26,10 @@ Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/fs/namespace.c b/fs/namespace.c
-index ef42d9bee212..74647c2fe69c 100644
+index 348562f14e93..c8e3034ff4b2 100644
 --- a/fs/namespace.c
 +++ b/fs/namespace.c
-@@ -2820,6 +2820,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
+@@ -2913,6 +2913,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
  	/* make sure we can reach put_old from new_root */
  	if (!is_path_reachable(old_mnt, old.dentry, &new))
  		goto out4;
diff --git a/nf_reject_ipv4-module-license-unspecified-taints-ker.patch b/nf_reject_ipv4-module-license-unspecified-taints-ker.patch
new file mode 100644
index 0000000..f46a0c4
--- /dev/null
+++ b/nf_reject_ipv4-module-license-unspecified-taints-ker.patch
@@ -0,0 +1,84 @@
+From: Pablo Neira <pablo at netfilter.org>
+Date: Fri, 10 Oct 2014 11:56:16 +0200
+Subject: [PATCH] nf_reject_ipv4: module license 'unspecified' taints kernel
+
+On Fri, Oct 10, 2014 at 05:19:04PM +0800, Dave Young wrote:
+> Hi,
+>
+> With today's linus tree, I got below kmsg:
+> [   23.545204] nf_reject_ipv4: module license 'unspecified' taints kernel.
+>
+> It could be caused by below commit:
+>
+> commit c8d7b98bec43faaa6583c3135030be5eb4693acb
+> Author: Pablo Neira Ayuso <pablo at netfilter.org>
+> Date:   Fri Sep 26 14:35:15 2014 +0200
+>
+>     netfilter: move nf_send_resetX() code to nf_reject_ipvX modules
+>
+>     Move nf_send_reset() and nf_send_reset6() to nf_reject_ipv4 and
+>     nf_reject_ipv6 respectively. This code is shared by x_tables and
+>     nf_tables.
+>
+>     Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+
+Patch attached, thanks for reporting.
+
+P.S: Please, Cc netfilter-devel at vger.kernel.org in future reports, so
+we make sure things don't get lost.
+
+>From d4358bcf64ba7a64d4de4e1dc5533c4c8f88ea82 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo at netfilter.org>
+Date: Fri, 10 Oct 2014 11:25:20 +0200
+Subject: [PATCH] netfilter: missing module license in the nf_reject_ipvX
+ modules
+
+[   23.545204] nf_reject_ipv4: module license 'unspecified' taints kernel.
+
+Reported-by: Dave Young <dyoung at redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/ipv4/netfilter/nf_reject_ipv4.c | 3 +++
+ net/ipv6/netfilter/nf_reject_ipv6.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
+index b023b4eb1a96..92b303dbd5fc 100644
+--- a/net/ipv4/netfilter/nf_reject_ipv4.c
++++ b/net/ipv4/netfilter/nf_reject_ipv4.c
+@@ -6,6 +6,7 @@
+  * published by the Free Software Foundation.
+  */
+ 
++#include <linux/module.h>
+ #include <net/ip.h>
+ #include <net/tcp.h>
+ #include <net/route.h>
+@@ -125,3 +126,5 @@ void nf_send_reset(struct sk_buff *oldskb, int hook)
+ 	kfree_skb(nskb);
+ }
+ EXPORT_SYMBOL_GPL(nf_send_reset);
++
++MODULE_LICENSE("GPL");
+diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
+index 5f5f0438d74d..20d9defc6c59 100644
+--- a/net/ipv6/netfilter/nf_reject_ipv6.c
++++ b/net/ipv6/netfilter/nf_reject_ipv6.c
+@@ -5,6 +5,8 @@
+  * it under the terms of the GNU General Public License version 2 as
+  * published by the Free Software Foundation.
+  */
++
++#include <linux/module.h>
+ #include <net/ipv6.h>
+ #include <net/ip6_route.h>
+ #include <net/ip6_fib.h>
+@@ -161,3 +163,5 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
+ 		ip6_local_out(nskb);
+ }
+ EXPORT_SYMBOL_GPL(nf_send_reset6);
++
++MODULE_LICENSE("GPL");
+-- 
+1.9.3
+
diff --git a/sources b/sources
index 797fc15..d94bb72 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 fb30d0f29214d75cddd2faa94f73d5cf  linux-3.17.tar.xz
 159e969cbc27201d8e2fa0f609dc722f  perf-man-3.17.tar.gz
-e0ed84718bffdd7b33b2220c98034259  patch-3.17-git5.xz
+5740b0a6b49144f85e75da8acb275576  patch-3.17-git6.xz
diff --git a/x86-Lock-down-IO-port-access-when-module-security-is.patch b/x86-Lock-down-IO-port-access-when-module-security-is.patch
index 327c65e..4d0b4ac 100644
--- a/x86-Lock-down-IO-port-access-when-module-security-is.patch
+++ b/x86-Lock-down-IO-port-access-when-module-security-is.patch
@@ -44,7 +44,7 @@ index 4ddaf66ea35f..00b440307419 100644
  	}
  	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 917403fe10da..cdf839f9defe 100644
+index 524b707894ef..c268e2581ed6 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -27,6 +27,7 @@

More information about the scm-commits mailing list