Diffstat (limited to 'recipes-kernel/linux/files')
7 files changed, 0 insertions, 519 deletions
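--- a/recipes-kernel/linux/files/CVE-2016-4951.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 23cdd8c3cbe9d790f23d7f9ae14e9b828f56f69c Mon Sep 17 00:00:00 2001
-From: Richard Alpe <richard.alpe@ericsson.com>
-Date: Mon, 16 May 2016 11:14:54 +0200
-Subject: tipc: check nl sock before parsing nested attributes
-
-[ Upstream commit 45e093ae2830cd1264677d47ff9a95a71f5d9f9c ]
-
-Make sure the socket for which the user is listing publication exists
-before parsing the socket netlink attributes.
-
-Prior to this patch a call without any socket caused a NULL pointer
-dereference in tipc_nl_publ_dump().
-
-Upstream-Status: Backport
-CVE: CVE-2016-4951
-
-Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com>
-Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
-Acked-by: Jon Maloy <jon.maloy@ericsson.cm>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-net/tipc/socket.c | 3 +++
-1 file changed, 3 insertions(+)
-
-diff --git a/net/tipc/socket.c b/net/tipc/socket.c
-index e53003c..9b713e0 100644
---- a/net/tipc/socket.c
-+++ b/net/tipc/socket.c
-@@ -2814,6 +2814,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb)
-if (err)
-return err;
-
-+ if (!attrs[TIPC_NLA_SOCK])
-+ return -EINVAL;
-+
-err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
-attrs[TIPC_NLA_SOCK],
-tipc_nl_sock_policy);
---
-cgit v0.12
-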
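--- a/recipes-kernel/linux/files/CVE-2016-5195.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 1294d355881cc5c3421d24fee512f16974addb6c Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Thu, 13 Oct 2016 13:07:36 -0700
-Subject: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
-
-commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
-
-This is an ancient bug that was actually attempted to be fixed once
-(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
-get_user_pages() race for write access") but that was then undone due to
-problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
-
-In the meantime, the s390 situation has long been fixed, and we can now
-fix it by checking the pte_dirty() bit properly (and do it better). The
-s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
-software dirty bits") which made it into v3.9. Earlier kernels will
-have to look at the page state itself.
-
-Also, the VM has become more scalable, and what used a purely
-theoretical race back then has become easier to trigger.
-
-To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
-we already did a COW" rather than play racy games with FOLL_WRITE that
-is very fundamental, and then use the pte dirty flag to validate that
-the FOLL_COW flag is still valid.
-
-Upstream-Status: Backport
-CVE: CVE-2016-5195
-
-Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
-Acked-by: Hugh Dickins <hughd@google.com>
-Reviewed-by: Michal Hocko <mhocko@suse.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Kees Cook <keescook@chromium.org>
-Cc: Oleg Nesterov <oleg@redhat.com>
-Cc: Willy Tarreau <w@1wt.eu>
-Cc: Nick Piggin <npiggin@gmail.com>
-Cc: Greg Thelen <gthelen@google.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-include/linux/mm.h | 1 +
-mm/gup.c | 14 ++++++++++++--
-2 files changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/include/linux/mm.h b/include/linux/mm.h
-index cfebb74..f0ffa01 100644
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -2112,6 +2112,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
-#define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
-#define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */
-#define FOLL_MLOCK 0x1000 /* lock present pages */
-+#define FOLL_COW 0x4000 /* internal GUP flag */
-
-typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
-void *data);
-diff --git a/mm/gup.c b/mm/gup.c
-index deafa2c..4b0b7e7 100644
---- a/mm/gup.c
-+++ b/mm/gup.c
-@@ -58,6 +58,16 @@ static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address,
-return -EEXIST;
-}
-
-+/*
-+ * FOLL_FORCE can write to even unwritable pte's, but only
-+ * after we've gone through a COW cycle and they are dirty.
-+ */
-+static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
-+{
-+ return pte_write(pte) ||
-+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
-+}
-+
-static struct page *follow_page_pte(struct vm_area_struct *vma,
-unsigned long address, pmd_t *pmd, unsigned int flags)
-{
-@@ -92,7 +102,7 @@ retry:
-}
-if ((flags & FOLL_NUMA) && pte_protnone(pte))
-goto no_page;
-- if ((flags & FOLL_WRITE) && !pte_write(pte)) {
-+ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
-pte_unmap_unlock(ptep, ptl);
-return NULL;
-}
-@@ -352,7 +362,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
-* reCOWed by userspace write).
-*/
-if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
-- *flags &= ~FOLL_WRITE;
-+ *flags |= FOLL_COW;
-return 0;
-}
-
---
-cgit v0.12
-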
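--- a/recipes-kernel/linux/files/CVE-2016-5400.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From d863bec646a590584eabcb40550bff0708c26b0d Mon Sep 17 00:00:00 2001
-From: James Patrick-Evans <james@jmp-e.com>
-Date: Fri, 15 Jul 2016 16:40:45 +0100
-Subject: media: fix airspy usb probe error path
-
-commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream.
-
-Fix a memory leak on probe error of the airspy usb device driver.
-
-The problem is triggered when more than 64 usb devices register with
-v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
-
-The memory leak is caused by the probe function of the airspy driver
-mishandeling errors and not freeing the corresponding control structures
-when an error occours registering the device to v4l2 core.
-
-A badusb device can emulate 64 of these devices, and then through
-continual emulated connect/disconnect of the 65th device, cause the
-kernel to run out of RAM and crash the kernel, thus causing a local DOS
-vulnerability.
-
-Fixes CVE-2016-5400
-CVE: CVE-2016-5400
-
-Signed-off-by: James Patrick-Evans <james@jmp-e.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-drivers/media/usb/airspy/airspy.c | 3 +--
-1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
-index 565a593..34b35eb 100644
---- a/drivers/media/usb/airspy/airspy.c
-+++ b/drivers/media/usb/airspy/airspy.c
-@@ -1073,7 +1073,7 @@ static int airspy_probe(struct usb_interface *intf,
-if (ret) {
-dev_err(s->dev, "Failed to register as video device (%d)\n",
-ret);
-- goto err_unregister_v4l2_dev;
-+ goto err_free_controls;
-}
-dev_info(s->dev, "Registered as %s\n",
-video_device_node_name(&s->vdev));
-@@ -1082,7 +1082,6 @@ static int airspy_probe(struct usb_interface *intf,
-
-err_free_controls:
-v4l2_ctrl_handler_free(&s->hdl);
--err_unregister_v4l2_dev:
-v4l2_device_unregister(&s->v4l2_dev);
-err_free_mem:
-kfree(s);
---
-cgit v0.12
-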
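--- a/recipes-kernel/linux/files/CVE-2016-5696-limiting-of-all-challenge.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 5413f1a526d2d51d7a5768133c90936c017165c6 Mon Sep 17 00:00:00 2001
-From: Jason Baron <jbaron@akamai.com>
-Date: Thu, 14 Jul 2016 11:38:40 -0400
-Subject: [PATCH] tcp: enable per-socket rate limiting of all 'challenge acks'
-
-[ Upstream commit 083ae308280d13d187512b9babe3454342a7987e ]
-
-The per-socket rate limit for 'challenge acks' was introduced in the
-context of limiting ack loops:
-
-commit f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock")
-
-And I think it can be extended to rate limit all 'challenge acks' on a
-per-socket basis.
-
-Since we have the global tcp_challenge_ack_limit, this patch allows for
-tcp_challenge_ack_limit to be set to a large value and effectively rely on
-the per-socket limit, or set tcp_challenge_ack_limit to a lower value and
-still prevents a single connections from consuming the entire challenge ack
-quota.
-
-It further moves in the direction of eliminating the global limit at some
-point, as Eric Dumazet has suggested. This a follow-up to:
-Subject: tcp: make challenge acks less predictable
-
-CVE: CVE-2016-5696
-Upstream-Status: Backport
-
-Cc: Eric Dumazet <edumazet@google.com>
-Cc: David S. Miller <davem@davemloft.net>
-Cc: Neal Cardwell <ncardwell@google.com>
-Cc: Yuchung Cheng <ycheng@google.com>
-Cc: Yue Cao <ycao009@ucr.edu>
-Signed-off-by: Jason Baron <jbaron@akamai.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-net/ipv4/tcp_input.c | 39 ++++++++++++++++++++++-----------------
-1 file changed, 22 insertions(+), 17 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 05f10df..12b98e2 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -3390,6 +3390,23 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32
-return flag;
-}
-
-+static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
-+ u32 *last_oow_ack_time)
-+{
-+ if (*last_oow_ack_time) {
-+ s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
-+
-+ if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
-+ NET_INC_STATS_BH(net, mib_idx);
-+ return true; /* rate-limited: don't send yet! */
-+ }
-+ }
-+
-+ *last_oow_ack_time = tcp_time_stamp;
-+
-+ return false; /* not rate-limited: go ahead, send dupack now! */
-+}
-+
-/* Return true if we're currently rate-limiting out-of-window ACKs and
-* thus shouldn't send a dupack right now. We rate-limit dupacks in
-* response to out-of-window SYNs or ACKs to mitigate ACK loops or DoS
-@@ -3403,21 +3420,9 @@ bool tcp_oow_rate_limited(struct net *net, const struct sk_buff *skb,
-/* Data packets without SYNs are not likely part of an ACK loop. */
-if ((TCP_SKB_CB(skb)->seq != TCP_SKB_CB(skb)->end_seq) &&
-!tcp_hdr(skb)->syn)
-- goto not_rate_limited;
--
-- if (*last_oow_ack_time) {
-- s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
--
-- if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
-- NET_INC_STATS_BH(net, mib_idx);
-- return true; /* rate-limited: don't send yet! */
-- }
-- }
--
-- *last_oow_ack_time = tcp_time_stamp;
-+ return false;
-
--not_rate_limited:
-- return false; /* not rate-limited: go ahead, send dupack now! */
-+ return __tcp_oow_rate_limited(net, mib_idx, last_oow_ack_time);
-}
-
-/* RFC 5961 7 [ACK Throttling] */
-@@ -3430,9 +3435,9 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
-u32 count, now;
-
-/* First check our per-socket dupack rate limit. */
-- if (tcp_oow_rate_limited(sock_net(sk), skb,
-- LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
-- &tp->last_oow_ack_time))
-+ if (__tcp_oow_rate_limited(sock_net(sk),
-+ LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
-+ &tp->last_oow_ack_time))
-return;
-
-/* Then check host-wide RFC 5961 rate limit. */
---
-1.9.1
-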
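--- a/recipes-kernel/linux/files/CVE-2016-5696-make-challenge-acks-less-predictable.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 72c2d3bccaba4a0a4de354f9d2d24eccd05bfccf Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: [PATCH] tcp: make challenge acks less predictable
-
-[ Upstream commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 ]
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-CVE: CVE-2016-5696
-Upstream-Status: Backport
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao <ycao009@ucr.edu>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Yuchung Cheng <ycheng@google.com>
-Cc: Neal Cardwell <ncardwell@google.com>
-Acked-by: Neal Cardwell <ncardwell@google.com>
-Acked-by: Yuchung Cheng <ycheng@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-net/ipv4/tcp_input.c | 15 ++++++++++-----
-1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index d4c5115..05f10df 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -89,7 +89,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
-EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
-
-/* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
-
-int sysctl_tcp_stdurg __read_mostly;
-int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3427,7 +3427,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
-static u32 challenge_timestamp;
-static unsigned int challenge_count;
-struct tcp_sock *tp = tcp_sk(sk);
-- u32 now;
-+ u32 count, now;
-
-/* First check our per-socket dupack rate limit. */
-if (tcp_oow_rate_limited(sock_net(sk), skb,
-@@ -3435,13 +3435,18 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
-&tp->last_oow_ack_time))
-return;
-
-- /* Then check the check host-wide RFC 5961 rate limit. */
-+ /* Then check host-wide RFC 5961 rate limit. */
-now = jiffies / HZ;
-if (now != challenge_timestamp) {
-+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
-challenge_timestamp = now;
-- challenge_count = 0;
-+ WRITE_ONCE(challenge_count, half +
-+ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
-}
-- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
-+ count = READ_ONCE(challenge_count);
-+ if (count > 0) {
-+ WRITE_ONCE(challenge_count, count - 1);
-NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
-tcp_send_ack(sk);
-}
---
-1.9.1
-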
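--- a/recipes-kernel/linux/files/CVE-2016-6480.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From e4878ef66e5b8d01d6734b1952f9abb3eeea454c Mon Sep 17 00:00:00 2001
-From: Dave Carroll <david.carroll@microsemi.com>
-Date: Fri, 5 Aug 2016 13:44:10 -0600
-Subject: aacraid: Check size values after double-fetch from user
-
-commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.
-
-In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
-get the fib header's size and one for the fib itself. Later we use the
-size field from the second fetch to further process the fib. If for some
-reason the size from the second fetch is different than from the first
-fix, we may encounter an out-of- bounds access in aac_fib_send(). We
-also check the sender size to insure it is not out of bounds. This was
-reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
-assigned CVE-2016-6480.
-
-CVE: CVE-2016-6480
-Upstream-Status: Backport
-
-Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
-Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
-Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
-Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
-1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
-index 54195a1..f78cc94 100644
---- a/drivers/scsi/aacraid/commctrl.c
-+++ b/drivers/scsi/aacraid/commctrl.c
-@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
-struct fib *fibptr;
-struct hw_fib * hw_fib = (struct hw_fib *)0;
-dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
-- unsigned size;
-+ unsigned int size, osize;
-int retval;
-
-if (dev->in_reset) {
-@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
-* will not overrun the buffer when we copy the memory. Return
-* an error if we would.
-*/
-- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
-+ osize = size = le16_to_cpu(kfib->header.Size) +
-+ sizeof(struct aac_fibhdr);
-if (size < le16_to_cpu(kfib->header.SenderSize))
-size = le16_to_cpu(kfib->header.SenderSize);
-if (size > dev->max_fib_size) {
-@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
-goto cleanup;
-}
-
-+ /* Sanity check the second copy */
-+ if ((osize != le16_to_cpu(kfib->header.Size) +
-+ sizeof(struct aac_fibhdr))
-+ || (size < le16_to_cpu(kfib->header.SenderSize))) {
-+ retval = -EINVAL;
-+ goto cleanup;
-+ }
-+
-if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
-aac_adapter_interrupt(dev);
-/*
---
-cgit v0.12
-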
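--- a/recipes-kernel/linux/files/hid-CVE-2016-5829.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f67b6920a0cf03d363c5f3bfb14f5d258168dc8c Mon Sep 17 00:00:00 2001
-From: Scott Bauer <sbauer@plzdonthack.me>
-Date: Thu, 23 Jun 2016 08:59:47 -0600
-Subject: HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
-commands
-
-[ Upstream commit 93a2001bdfd5376c3dc2158653034c20392d15c5 ]
-
-This patch validates the num_values parameter from userland during the
-HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
-to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
-leading to a heap overflow.
-
-CVE: CVE-2016-5829
-Upstream-Status: Backport
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-drivers/hid/usbhid/hiddev.c | 10 +++++-----
-1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
-index 2f1ddca..700145b 100644
---- a/drivers/hid/usbhid/hiddev.c
-+++ b/drivers/hid/usbhid/hiddev.c
-@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
-goto inval;
-} else if (uref->usage_index >= field->report_count)
-goto inval;
--
-- else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-- uref->usage_index + uref_multi->num_values > field->report_count))
-- goto inval;
-}
-
-+ if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-+ (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-+ uref->usage_index + uref_multi->num_values > field->report_count))
-+ goto inval;
-+
-switch (cmd) {
-case HIDIOCGUSAGE:
-uref->value = field->value[uref->usage_index];
---
-cgit v0.12
-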