[kernel/f21] CVE-2015-2042 rds: information handling flaw in sysctl (rhbz 1195355 1199365)
Josh Boyer
jwboyer at fedoraproject.org
Tue Mar 10 12:46:44 UTC 2015
commit 19bd16235d42f24bffd2d4354b44a44e686a495f
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Tue Mar 10 08:43:37 2015 -0400
CVE-2015-2042 rds: information handling flaw in sysctl (rhbz 1195355 1199365)
ARM-tegra-usb-no-reset.patch | 2 +-
Add-sysrq-option-to-disable-secure-boot-mode.patch | 2 +-
...th3k-Add-support-Atheros-AR5B195-combo-Mi.patch | 6 ++--
Kbuild-Add-an-option-to-enable-GCC-VTA.patch | 2 +-
...35x-bone-common-add-uart2_pins-uart4_pins.patch | 2 +-
...ts-am335x-bone-common-enable-and-use-i2c2.patch | 4 +--
...35x-bone-common-setup-default-pinmux-http.patch | 6 ++--
kernel.spec | 9 +++++
...-correct-size-for-max-unacked-packets-and.patch | 40 ++++++++++++++++++++++
...top-Add-broken-acpi-video-quirk-for-NC210.patch | 4 +--
10 files changed, 63 insertions(+), 14 deletions(-)
---
diff --git a/ARM-tegra-usb-no-reset.patch b/ARM-tegra-usb-no-reset.patch
index 2b1058b..e8a4b58 100644
--- a/ARM-tegra-usb-no-reset.patch
+++ b/ARM-tegra-usb-no-reset.patch
@@ -9,7 +9,7 @@ Patch for disconnect issues with storage attached to a
1 file changed, 7 insertions(+)
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index b649fef2e35d..fb89290710ad 100644
+index 2246954d7df3..dbd69b7eae92 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5023,6 +5023,13 @@ static void hub_event(struct work_struct *work)
diff --git a/Add-sysrq-option-to-disable-secure-boot-mode.patch b/Add-sysrq-option-to-disable-secure-boot-mode.patch
index e0c567d..b9d220c 100644
--- a/Add-sysrq-option-to-disable-secure-boot-mode.patch
+++ b/Add-sysrq-option-to-disable-secure-boot-mode.patch
@@ -215,7 +215,7 @@ index 387fa7d05c98..4b07e30b3279 100644
int unregister_sysrq_key(int key, struct sysrq_key_op *op);
struct sysrq_key_op *__sysrq_get_key_op(int key);
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
-index 379650b984f8..070f29fefdc2 100644
+index 6ffdc96059a0..2f8f814ae94c 100644
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -1924,7 +1924,7 @@ static int kdb_sr(int argc, const char **argv)
diff --git a/Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch b/Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
index 38afde1..d09756e 100644
--- a/Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
+++ b/Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
@@ -43,7 +43,7 @@ Cc: stable at vger.kernel.org
2 files changed, 2 insertions(+)
diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
-index 086240cd29c3..b2c68213696a 100644
+index fe1678c4ff89..99e9d879a460 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -65,6 +65,7 @@ static const struct usb_device_id ath3k_table[] = {
@@ -55,10 +55,10 @@ index 086240cd29c3..b2c68213696a 100644
{ USB_DEVICE(0x0CF3, 0x3002) },
{ USB_DEVICE(0x0CF3, 0xE019) },
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
-index 091c813df8e9..79e344f9e681 100644
+index f0e2f721c8ce..d8b5b37aa1bd 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
-@@ -142,6 +142,7 @@ static const struct usb_device_id blacklist_table[] = {
+@@ -150,6 +150,7 @@ static const struct usb_device_id blacklist_table[] = {
/* Atheros 3011 with sflash firmware */
{ USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
{ USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
diff --git a/Kbuild-Add-an-option-to-enable-GCC-VTA.patch b/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
index f2b0d0b..5df360b 100644
--- a/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
+++ b/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
@@ -43,7 +43,7 @@ Signed-off-by: Josh Stone <jistone at redhat.com>
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
-index 0b3f8a1b3715..ffac1ebfc6b9 100644
+index 62b333802a0e..7d683b59afa4 100644
--- a/Makefile
+++ b/Makefile
@@ -704,7 +704,11 @@ KBUILD_CFLAGS += -fomit-frame-pointer
diff --git a/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch b/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch
index 6cec247..0d6ccd7 100644
--- a/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch
+++ b/arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch
@@ -9,7 +9,7 @@ Signed-off-by: Robert Nelson <robertcnelson at gmail.com>
1 file changed, 21 insertions(+)
diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
-index 4991a1664773..096ddbe4c4b3 100644
+index db880bf46135..c931ec7201c0 100644
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
@@ -102,6 +102,27 @@
diff --git a/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch b/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch
index 6a6ea50..94fd324 100644
--- a/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch
+++ b/arm-dts-am335x-bone-common-enable-and-use-i2c2.patch
@@ -8,7 +8,7 @@ Signed-off-by: Robert Nelson <robertcnelson at gmail.com>
1 file changed, 39 insertions(+)
diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
-index 6cc25ed912ee..754b96c5dbb1 100644
+index 2c6248d9a9ef..ec755eeb78ee 100644
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
@@ -81,6 +81,13 @@
@@ -25,7 +25,7 @@ index 6cc25ed912ee..754b96c5dbb1 100644
uart0_pins: pinmux_uart0_pins {
pinctrl-single,pins = <
0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */
-@@ -217,6 +224,38 @@
+@@ -218,6 +225,38 @@
reg = <0x24>;
};
diff --git a/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch b/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch
index d676839..7f10489 100644
--- a/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch
+++ b/arm-dts-am335x-bone-common-setup-default-pinmux-http.patch
@@ -9,7 +9,7 @@ Signed-off-by: Robert Nelson <robertcnelson at gmail.com>
1 file changed, 130 insertions(+)
diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi
-index 754b96c5dbb1..4991a1664773 100644
+index ec755eeb78ee..db880bf46135 100644
--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
@@ -95,6 +95,13 @@
@@ -74,7 +74,7 @@ index 754b96c5dbb1..4991a1664773 100644
&usb {
status = "okay";
};
-@@ -258,6 +299,56 @@
+@@ -259,6 +300,56 @@
};
};
@@ -131,7 +131,7 @@ index 754b96c5dbb1..4991a1664773 100644
/include/ "tps65217.dtsi"
&tps {
-@@ -339,3 +430,42 @@
+@@ -340,3 +431,42 @@
cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>;
cd-inverted;
};
diff --git a/kernel.spec b/kernel.spec
index 68f979f..57e6e96 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -645,6 +645,9 @@ Patch26138: ext4-Allocate-entire-range-in-zero-range.patch
#rhbz 1190947
Patch26141: Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
+#CVE-2015-2042 rhbz 1195355 1199365
+Patch26143: net-rds-use-correct-size-for-max-unacked-packets-and.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1395,6 +1398,9 @@ ApplyPatch Bluetooth-ath3k-Add-support-Atheros-AR5B195-combo-Mi.patch
#rhbz 1185519
ApplyPatch NFS-fix-clp-cl_revoked-list-deletion-causing-softloc.patch
+#CVE-2015-2042 rhbz 1195355 1199365
+ApplyPatch net-rds-use-correct-size-for-max-unacked-packets-and.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2265,6 +2271,9 @@ fi
# ||----w |
# || ||
%changelog
+* Tue Mar 10 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2015-2042 rds: information handling flaw in sysctl (rhbz 1195355 1199365)
+
* Mon Mar 09 2015 Justin M. Forbes <jforbes at fedoraproject.org> - 3.18.9-200
- Linux v3.18.9
diff --git a/net-rds-use-correct-size-for-max-unacked-packets-and.patch b/net-rds-use-correct-size-for-max-unacked-packets-and.patch
new file mode 100644
index 0000000..3cf4a90
--- /dev/null
+++ b/net-rds-use-correct-size-for-max-unacked-packets-and.patch
@@ -0,0 +1,40 @@
+From: Sasha Levin <sasha.levin at oracle.com>
+Date: Tue, 3 Feb 2015 08:55:58 -0500
+Subject: [PATCH] net: rds: use correct size for max unacked packets and bytes
+
+Max unacked packets/bytes is an int while sizeof(long) was used in the
+sysctl table.
+
+This means that when they were getting read we'd also leak kernel memory
+to userspace along with the timeout values.
+
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rds/sysctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rds/sysctl.c b/net/rds/sysctl.c
+index c3b0cd43eb56..c173f69e1479 100644
+--- a/net/rds/sysctl.c
++++ b/net/rds/sysctl.c
+@@ -71,14 +71,14 @@ static struct ctl_table rds_sysctl_rds_table[] = {
+ {
+ .procname = "max_unacked_packets",
+ .data = &rds_sysctl_max_unacked_packets,
+- .maxlen = sizeof(unsigned long),
++ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+ {
+ .procname = "max_unacked_bytes",
+ .data = &rds_sysctl_max_unacked_bytes,
+- .maxlen = sizeof(unsigned long),
++ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+--
+2.1.0
+
diff --git a/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch b/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
index 86870bb..fdf8f44 100644
--- a/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
+++ b/samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch
@@ -14,10 +14,10 @@ Signed-off-by: Hans de Goede <hdegoede at redhat.com>
1 file changed, 10 insertions(+)
diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
-index ff765d8e1a09..864290243e46 100644
+index ce364a41842a..477de0a9e1ee 100644
--- a/drivers/platform/x86/samsung-laptop.c
+++ b/drivers/platform/x86/samsung-laptop.c
-@@ -1578,6 +1578,16 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
+@@ -1583,6 +1583,16 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
},
.driver_data = &samsung_np740u3e,
},
More information about the scm-commits
mailing list