summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--recipes-kernel/linux/files/CVE-2016-4951.patch43
-rw-r--r--recipes-kernel/linux/files/CVE-2016-5195.patch100
-rw-r--r--recipes-kernel/linux/files/CVE-2016-5400.patch57
-rw-r--r--recipes-kernel/linux/files/CVE-2016-5696-limiting-of-all-challenge.patch109
-rw-r--r--recipes-kernel/linux/files/CVE-2016-5696-make-challenge-acks-less-predictable.patch88
-rw-r--r--recipes-kernel/linux/files/CVE-2016-6480.patch71
-rw-r--r--recipes-kernel/linux/files/hid-CVE-2016-5829.patch51
-rw-r--r--recipes-kernel/linux/linux-yocto_4.%.bbappend9
8 files changed, 0 insertions, 528 deletions
diff --git a/recipes-kernel/linux/files/CVE-2016-4951.patch b/recipes-kernel/linux/files/CVE-2016-4951.patch
deleted file mode 100644
index 31eb29e..0000000
--- a/recipes-kernel/linux/files/CVE-2016-4951.patch
+++ /dev/null
@@ -1,43 +0,0 @@
1From 23cdd8c3cbe9d790f23d7f9ae14e9b828f56f69c Mon Sep 17 00:00:00 2001
2From: Richard Alpe <richard.alpe@ericsson.com>
3Date: Mon, 16 May 2016 11:14:54 +0200
4Subject: tipc: check nl sock before parsing nested attributes
5
6[ Upstream commit 45e093ae2830cd1264677d47ff9a95a71f5d9f9c ]
7
8Make sure the socket for which the user is listing publication exists
9before parsing the socket netlink attributes.
10
11Prior to this patch a call without any socket caused a NULL pointer
12dereference in tipc_nl_publ_dump().
13
14Upstream-Status: Backport
15CVE: CVE-2016-4951
16
17Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com>
18Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
19Acked-by: Jon Maloy <jon.maloy@ericsson.cm>
20Signed-off-by: David S. Miller <davem@davemloft.net>
21Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
22Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
23---
24 net/tipc/socket.c | 3 +++
25 1 file changed, 3 insertions(+)
26
27diff --git a/net/tipc/socket.c b/net/tipc/socket.c
28index e53003c..9b713e0 100644
29--- a/net/tipc/socket.c
30+++ b/net/tipc/socket.c
31@@ -2814,6 +2814,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb)
32 if (err)
33 return err;
34
35+ if (!attrs[TIPC_NLA_SOCK])
36+ return -EINVAL;
37+
38 err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
39 attrs[TIPC_NLA_SOCK],
40 tipc_nl_sock_policy);
41--
42cgit v0.12
43
diff --git a/recipes-kernel/linux/files/CVE-2016-5195.patch b/recipes-kernel/linux/files/CVE-2016-5195.patch
deleted file mode 100644
index 3f81b19..0000000
--- a/recipes-kernel/linux/files/CVE-2016-5195.patch
+++ /dev/null
@@ -1,100 +0,0 @@
1From 1294d355881cc5c3421d24fee512f16974addb6c Mon Sep 17 00:00:00 2001
2From: Linus Torvalds <torvalds@linux-foundation.org>
3Date: Thu, 13 Oct 2016 13:07:36 -0700
4Subject: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
5
6commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
7
8This is an ancient bug that was actually attempted to be fixed once
9(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
10get_user_pages() race for write access") but that was then undone due to
11problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
12
13In the meantime, the s390 situation has long been fixed, and we can now
14fix it by checking the pte_dirty() bit properly (and do it better). The
15s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
16software dirty bits") which made it into v3.9. Earlier kernels will
17have to look at the page state itself.
18
19Also, the VM has become more scalable, and what used a purely
20theoretical race back then has become easier to trigger.
21
22To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
23we already did a COW" rather than play racy games with FOLL_WRITE that
24is very fundamental, and then use the pte dirty flag to validate that
25the FOLL_COW flag is still valid.
26
27Upstream-Status: Backport
28CVE: CVE-2016-5195
29
30Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
31Acked-by: Hugh Dickins <hughd@google.com>
32Reviewed-by: Michal Hocko <mhocko@suse.com>
33Cc: Andy Lutomirski <luto@kernel.org>
34Cc: Kees Cook <keescook@chromium.org>
35Cc: Oleg Nesterov <oleg@redhat.com>
36Cc: Willy Tarreau <w@1wt.eu>
37Cc: Nick Piggin <npiggin@gmail.com>
38Cc: Greg Thelen <gthelen@google.com>
39Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
40Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
41Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
42---
43 include/linux/mm.h | 1 +
44 mm/gup.c | 14 ++++++++++++--
45 2 files changed, 13 insertions(+), 2 deletions(-)
46
47diff --git a/include/linux/mm.h b/include/linux/mm.h
48index cfebb74..f0ffa01 100644
49--- a/include/linux/mm.h
50+++ b/include/linux/mm.h
51@@ -2112,6 +2112,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
52 #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
53 #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */
54 #define FOLL_MLOCK 0x1000 /* lock present pages */
55+#define FOLL_COW 0x4000 /* internal GUP flag */
56
57 typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
58 void *data);
59diff --git a/mm/gup.c b/mm/gup.c
60index deafa2c..4b0b7e7 100644
61--- a/mm/gup.c
62+++ b/mm/gup.c
63@@ -58,6 +58,16 @@ static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address,
64 return -EEXIST;
65 }
66
67+/*
68+ * FOLL_FORCE can write to even unwritable pte's, but only
69+ * after we've gone through a COW cycle and they are dirty.
70+ */
71+static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
72+{
73+ return pte_write(pte) ||
74+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
75+}
76+
77 static struct page *follow_page_pte(struct vm_area_struct *vma,
78 unsigned long address, pmd_t *pmd, unsigned int flags)
79 {
80@@ -92,7 +102,7 @@ retry:
81 }
82 if ((flags & FOLL_NUMA) && pte_protnone(pte))
83 goto no_page;
84- if ((flags & FOLL_WRITE) && !pte_write(pte)) {
85+ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
86 pte_unmap_unlock(ptep, ptl);
87 return NULL;
88 }
89@@ -352,7 +362,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
90 * reCOWed by userspace write).
91 */
92 if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
93- *flags &= ~FOLL_WRITE;
94+ *flags |= FOLL_COW;
95 return 0;
96 }
97
98--
99cgit v0.12
100
diff --git a/recipes-kernel/linux/files/CVE-2016-5400.patch b/recipes-kernel/linux/files/CVE-2016-5400.patch
deleted file mode 100644
index dd62bcd..0000000
--- a/recipes-kernel/linux/files/CVE-2016-5400.patch
+++ /dev/null
@@ -1,57 +0,0 @@
1From d863bec646a590584eabcb40550bff0708c26b0d Mon Sep 17 00:00:00 2001
2From: James Patrick-Evans <james@jmp-e.com>
3Date: Fri, 15 Jul 2016 16:40:45 +0100
4Subject: media: fix airspy usb probe error path
5
6commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream.
7
8Fix a memory leak on probe error of the airspy usb device driver.
9
10The problem is triggered when more than 64 usb devices register with
11v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
12
13The memory leak is caused by the probe function of the airspy driver
14mishandeling errors and not freeing the corresponding control structures
15when an error occours registering the device to v4l2 core.
16
17A badusb device can emulate 64 of these devices, and then through
18continual emulated connect/disconnect of the 65th device, cause the
19kernel to run out of RAM and crash the kernel, thus causing a local DOS
20vulnerability.
21
22Fixes CVE-2016-5400
23CVE: CVE-2016-5400
24
25Signed-off-by: James Patrick-Evans <james@jmp-e.com>
26Reviewed-by: Kees Cook <keescook@chromium.org>
27Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
28Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
29Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
30---
31 drivers/media/usb/airspy/airspy.c | 3 +--
32 1 file changed, 1 insertion(+), 2 deletions(-)
33
34diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
35index 565a593..34b35eb 100644
36--- a/drivers/media/usb/airspy/airspy.c
37+++ b/drivers/media/usb/airspy/airspy.c
38@@ -1073,7 +1073,7 @@ static int airspy_probe(struct usb_interface *intf,
39 if (ret) {
40 dev_err(s->dev, "Failed to register as video device (%d)\n",
41 ret);
42- goto err_unregister_v4l2_dev;
43+ goto err_free_controls;
44 }
45 dev_info(s->dev, "Registered as %s\n",
46 video_device_node_name(&s->vdev));
47@@ -1082,7 +1082,6 @@ static int airspy_probe(struct usb_interface *intf,
48
49 err_free_controls:
50 v4l2_ctrl_handler_free(&s->hdl);
51-err_unregister_v4l2_dev:
52 v4l2_device_unregister(&s->v4l2_dev);
53 err_free_mem:
54 kfree(s);
55--
56cgit v0.12
57
diff --git a/recipes-kernel/linux/files/CVE-2016-5696-limiting-of-all-challenge.patch b/recipes-kernel/linux/files/CVE-2016-5696-limiting-of-all-challenge.patch
deleted file mode 100644
index f2c2364..0000000
--- a/recipes-kernel/linux/files/CVE-2016-5696-limiting-of-all-challenge.patch
+++ /dev/null
@@ -1,109 +0,0 @@
1From 5413f1a526d2d51d7a5768133c90936c017165c6 Mon Sep 17 00:00:00 2001
2From: Jason Baron <jbaron@akamai.com>
3Date: Thu, 14 Jul 2016 11:38:40 -0400
4Subject: [PATCH] tcp: enable per-socket rate limiting of all 'challenge acks'
5
6[ Upstream commit 083ae308280d13d187512b9babe3454342a7987e ]
7
8The per-socket rate limit for 'challenge acks' was introduced in the
9context of limiting ack loops:
10
11commit f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock")
12
13And I think it can be extended to rate limit all 'challenge acks' on a
14per-socket basis.
15
16Since we have the global tcp_challenge_ack_limit, this patch allows for
17tcp_challenge_ack_limit to be set to a large value and effectively rely on
18the per-socket limit, or set tcp_challenge_ack_limit to a lower value and
19still prevents a single connections from consuming the entire challenge ack
20quota.
21
22It further moves in the direction of eliminating the global limit at some
23point, as Eric Dumazet has suggested. This a follow-up to:
24Subject: tcp: make challenge acks less predictable
25
26CVE: CVE-2016-5696
27Upstream-Status: Backport
28
29Cc: Eric Dumazet <edumazet@google.com>
30Cc: David S. Miller <davem@davemloft.net>
31Cc: Neal Cardwell <ncardwell@google.com>
32Cc: Yuchung Cheng <ycheng@google.com>
33Cc: Yue Cao <ycao009@ucr.edu>
34Signed-off-by: Jason Baron <jbaron@akamai.com>
35Signed-off-by: David S. Miller <davem@davemloft.net>
36Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
37Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
38---
39 net/ipv4/tcp_input.c | 39 ++++++++++++++++++++++-----------------
40 1 file changed, 22 insertions(+), 17 deletions(-)
41
42diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
43index 05f10df..12b98e2 100644
44--- a/net/ipv4/tcp_input.c
45+++ b/net/ipv4/tcp_input.c
46@@ -3390,6 +3390,23 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32
47 return flag;
48 }
49
50+static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
51+ u32 *last_oow_ack_time)
52+{
53+ if (*last_oow_ack_time) {
54+ s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
55+
56+ if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
57+ NET_INC_STATS_BH(net, mib_idx);
58+ return true; /* rate-limited: don't send yet! */
59+ }
60+ }
61+
62+ *last_oow_ack_time = tcp_time_stamp;
63+
64+ return false; /* not rate-limited: go ahead, send dupack now! */
65+}
66+
67 /* Return true if we're currently rate-limiting out-of-window ACKs and
68 * thus shouldn't send a dupack right now. We rate-limit dupacks in
69 * response to out-of-window SYNs or ACKs to mitigate ACK loops or DoS
70@@ -3403,21 +3420,9 @@ bool tcp_oow_rate_limited(struct net *net, const struct sk_buff *skb,
71 /* Data packets without SYNs are not likely part of an ACK loop. */
72 if ((TCP_SKB_CB(skb)->seq != TCP_SKB_CB(skb)->end_seq) &&
73 !tcp_hdr(skb)->syn)
74- goto not_rate_limited;
75-
76- if (*last_oow_ack_time) {
77- s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
78-
79- if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
80- NET_INC_STATS_BH(net, mib_idx);
81- return true; /* rate-limited: don't send yet! */
82- }
83- }
84-
85- *last_oow_ack_time = tcp_time_stamp;
86+ return false;
87
88-not_rate_limited:
89- return false; /* not rate-limited: go ahead, send dupack now! */
90+ return __tcp_oow_rate_limited(net, mib_idx, last_oow_ack_time);
91 }
92
93 /* RFC 5961 7 [ACK Throttling] */
94@@ -3430,9 +3435,9 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
95 u32 count, now;
96
97 /* First check our per-socket dupack rate limit. */
98- if (tcp_oow_rate_limited(sock_net(sk), skb,
99- LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
100- &tp->last_oow_ack_time))
101+ if (__tcp_oow_rate_limited(sock_net(sk),
102+ LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
103+ &tp->last_oow_ack_time))
104 return;
105
106 /* Then check host-wide RFC 5961 rate limit. */
107--
1081.9.1
109
diff --git a/recipes-kernel/linux/files/CVE-2016-5696-make-challenge-acks-less-predictable.patch b/recipes-kernel/linux/files/CVE-2016-5696-make-challenge-acks-less-predictable.patch
deleted file mode 100644
index fe67b3b..0000000
--- a/recipes-kernel/linux/files/CVE-2016-5696-make-challenge-acks-less-predictable.patch
+++ /dev/null
@@ -1,88 +0,0 @@
1From 72c2d3bccaba4a0a4de354f9d2d24eccd05bfccf Mon Sep 17 00:00:00 2001
2From: Eric Dumazet <edumazet@google.com>
3Date: Sun, 10 Jul 2016 10:04:02 +0200
4Subject: [PATCH] tcp: make challenge acks less predictable
5
6[ Upstream commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 ]
7
8Yue Cao claims that current host rate limiting of challenge ACKS
9(RFC 5961) could leak enough information to allow a patient attacker
10to hijack TCP sessions. He will soon provide details in an academic
11paper.
12
13This patch increases the default limit from 100 to 1000, and adds
14some randomization so that the attacker can no longer hijack
15sessions without spending a considerable amount of probes.
16
17Based on initial analysis and patch from Linus.
18
19Note that we also have per socket rate limiting, so it is tempting
20to remove the host limit in the future.
21
22v2: randomize the count of challenge acks per second, not the period.
23
24CVE: CVE-2016-5696
25Upstream-Status: Backport
26
27Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
28Reported-by: Yue Cao <ycao009@ucr.edu>
29Signed-off-by: Eric Dumazet <edumazet@google.com>
30Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
31Cc: Yuchung Cheng <ycheng@google.com>
32Cc: Neal Cardwell <ncardwell@google.com>
33Acked-by: Neal Cardwell <ncardwell@google.com>
34Acked-by: Yuchung Cheng <ycheng@google.com>
35Signed-off-by: David S. Miller <davem@davemloft.net>
36Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
37Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
38---
39 net/ipv4/tcp_input.c | 15 ++++++++++-----
40 1 file changed, 10 insertions(+), 5 deletions(-)
41
42diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
43index d4c5115..05f10df 100644
44--- a/net/ipv4/tcp_input.c
45+++ b/net/ipv4/tcp_input.c
46@@ -89,7 +89,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
47 EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
48
49 /* rfc5961 challenge ack rate limiting */
50-int sysctl_tcp_challenge_ack_limit = 100;
51+int sysctl_tcp_challenge_ack_limit = 1000;
52
53 int sysctl_tcp_stdurg __read_mostly;
54 int sysctl_tcp_rfc1337 __read_mostly;
55@@ -3427,7 +3427,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
56 static u32 challenge_timestamp;
57 static unsigned int challenge_count;
58 struct tcp_sock *tp = tcp_sk(sk);
59- u32 now;
60+ u32 count, now;
61
62 /* First check our per-socket dupack rate limit. */
63 if (tcp_oow_rate_limited(sock_net(sk), skb,
64@@ -3435,13 +3435,18 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
65 &tp->last_oow_ack_time))
66 return;
67
68- /* Then check the check host-wide RFC 5961 rate limit. */
69+ /* Then check host-wide RFC 5961 rate limit. */
70 now = jiffies / HZ;
71 if (now != challenge_timestamp) {
72+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
73+
74 challenge_timestamp = now;
75- challenge_count = 0;
76+ WRITE_ONCE(challenge_count, half +
77+ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
78 }
79- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
80+ count = READ_ONCE(challenge_count);
81+ if (count > 0) {
82+ WRITE_ONCE(challenge_count, count - 1);
83 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
84 tcp_send_ack(sk);
85 }
86--
871.9.1
88
diff --git a/recipes-kernel/linux/files/CVE-2016-6480.patch b/recipes-kernel/linux/files/CVE-2016-6480.patch
deleted file mode 100644
index 2cd521a..0000000
--- a/recipes-kernel/linux/files/CVE-2016-6480.patch
+++ /dev/null
@@ -1,71 +0,0 @@
1From e4878ef66e5b8d01d6734b1952f9abb3eeea454c Mon Sep 17 00:00:00 2001
2From: Dave Carroll <david.carroll@microsemi.com>
3Date: Fri, 5 Aug 2016 13:44:10 -0600
4Subject: aacraid: Check size values after double-fetch from user
5
6commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.
7
8In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
9get the fib header's size and one for the fib itself. Later we use the
10size field from the second fetch to further process the fib. If for some
11reason the size from the second fetch is different than from the first
12fix, we may encounter an out-of- bounds access in aac_fib_send(). We
13also check the sender size to insure it is not out of bounds. This was
14reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
15assigned CVE-2016-6480.
16
17CVE: CVE-2016-6480
18Upstream-Status: Backport
19
20Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
21Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
22Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
23Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
24Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
25Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
26Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
27---
28 drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
29 1 file changed, 11 insertions(+), 2 deletions(-)
30
31diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
32index 54195a1..f78cc94 100644
33--- a/drivers/scsi/aacraid/commctrl.c
34+++ b/drivers/scsi/aacraid/commctrl.c
35@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
36 struct fib *fibptr;
37 struct hw_fib * hw_fib = (struct hw_fib *)0;
38 dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
39- unsigned size;
40+ unsigned int size, osize;
41 int retval;
42
43 if (dev->in_reset) {
44@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
45 * will not overrun the buffer when we copy the memory. Return
46 * an error if we would.
47 */
48- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
49+ osize = size = le16_to_cpu(kfib->header.Size) +
50+ sizeof(struct aac_fibhdr);
51 if (size < le16_to_cpu(kfib->header.SenderSize))
52 size = le16_to_cpu(kfib->header.SenderSize);
53 if (size > dev->max_fib_size) {
54@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
55 goto cleanup;
56 }
57
58+ /* Sanity check the second copy */
59+ if ((osize != le16_to_cpu(kfib->header.Size) +
60+ sizeof(struct aac_fibhdr))
61+ || (size < le16_to_cpu(kfib->header.SenderSize))) {
62+ retval = -EINVAL;
63+ goto cleanup;
64+ }
65+
66 if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
67 aac_adapter_interrupt(dev);
68 /*
69--
70cgit v0.12
71
diff --git a/recipes-kernel/linux/files/hid-CVE-2016-5829.patch b/recipes-kernel/linux/files/hid-CVE-2016-5829.patch
deleted file mode 100644
index fca7e51..0000000
--- a/recipes-kernel/linux/files/hid-CVE-2016-5829.patch
+++ /dev/null
@@ -1,51 +0,0 @@
1From f67b6920a0cf03d363c5f3bfb14f5d258168dc8c Mon Sep 17 00:00:00 2001
2From: Scott Bauer <sbauer@plzdonthack.me>
3Date: Thu, 23 Jun 2016 08:59:47 -0600
4Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
5 commands
6
7[ Upstream commit 93a2001bdfd5376c3dc2158653034c20392d15c5 ]
8
9This patch validates the num_values parameter from userland during the
10HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
11to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
12leading to a heap overflow.
13
14CVE: CVE-2016-5829
15Upstream-Status: Backport
16
17Cc: stable@vger.kernel.org
18Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
19Signed-off-by: Jiri Kosina <jkosina@suse.cz>
20Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
21Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
22---
23 drivers/hid/usbhid/hiddev.c | 10 +++++-----
24 1 file changed, 5 insertions(+), 5 deletions(-)
25
26diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
27index 2f1ddca..700145b 100644
28--- a/drivers/hid/usbhid/hiddev.c
29+++ b/drivers/hid/usbhid/hiddev.c
30@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
31 goto inval;
32 } else if (uref->usage_index >= field->report_count)
33 goto inval;
34-
35- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
36- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
37- uref->usage_index + uref_multi->num_values > field->report_count))
38- goto inval;
39 }
40
41+ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
42+ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
43+ uref->usage_index + uref_multi->num_values > field->report_count))
44+ goto inval;
45+
46 switch (cmd) {
47 case HIDIOCGUSAGE:
48 uref->value = field->value[uref->usage_index];
49--
50cgit v0.12
51
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend
index 1a22b88..c438328 100644
--- a/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -2,15 +2,6 @@ require recipes-kernel/linux/enea-common.inc
2 2
3FILESEXTRAPATHS_prepend := "${THISDIR}/files:" 3FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
4 4
5SRC_URI += "file://hid-CVE-2016-5829.patch \
6 file://CVE-2016-5696-limiting-of-all-challenge.patch \
7 file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
8 file://CVE-2016-4951.patch \
9 file://CVE-2016-5195.patch \
10 file://CVE-2016-5400.patch \
11 file://CVE-2016-6480.patch \
12 "
13
14ENEA_KERNEL_FRAGMENTS += "\ 5ENEA_KERNEL_FRAGMENTS += "\
15 cfg/localversion.cfg \ 6 cfg/localversion.cfg \
16 cfg/with_modules.cfg \ 7 cfg/with_modules.cfg \