summaryrefslogtreecommitdiffstats
path: root/recipes-kernel/linux
diff options
context:
space:
mode:
Diffstat (limited to 'recipes-kernel/linux')
-rw-r--r--recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch140
-rw-r--r--recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch52
-rw-r--r--recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch94
-rw-r--r--recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch62
-rw-r--r--recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch348
-rw-r--r--recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch92
-rw-r--r--recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch65
-rw-r--r--recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch86
-rw-r--r--recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch62
-rw-r--r--recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch102
-rw-r--r--recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch114
-rw-r--r--recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch137
-rw-r--r--recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch160
-rw-r--r--recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch51
-rw-r--r--recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch64
-rw-r--r--recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch324
-rw-r--r--recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch41
-rw-r--r--recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch212
-rw-r--r--recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch47
-rw-r--r--recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch91
-rw-r--r--recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch47
-rw-r--r--recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch145
-rw-r--r--recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch80
-rw-r--r--recipes-kernel/linux/files/sctp-CVE-2014-4667.patch51
-rw-r--r--recipes-kernel/linux/files/sctp-CVE-2014-7841.patch85
-rw-r--r--recipes-kernel/linux/files/udf-CVE-2014-6410.patch96
-rw-r--r--recipes-kernel/linux/linux-qoriq-prt_3.12.bb8
-rw-r--r--recipes-kernel/linux/linux-qoriq.inc46
-rw-r--r--recipes-kernel/linux/linux-qoriq_3.12.bb32
29 files changed, 2934 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch b/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch
new file mode 100644
index 0000000..0130768
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch
@@ -0,0 +1,140 @@
1From ed81e6b21790b717cda5f5bab2bdb07d2ce17ab1 Mon Sep 17 00:00:00 2001
2From: Lars-Peter Clausen <lars@metafoo.de>
3Date: Wed, 18 Jun 2014 13:32:31 +0200
4Subject: [PATCH] ALSA: control: Protect user controls against concurrent
5 access
6
7commit 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 upstream.
8
9The user-control put and get handlers as well as the tlv do not protect against
10concurrent access from multiple threads. Since the state of the control is not
11updated atomically it is possible that either two write operations or a write
12and a read operation race against each other. Both can lead to arbitrary memory
13disclosure. This patch introduces a new lock that protects user-controls from
14concurrent access. Since applications typically access controls sequentially
15than in parallel a single lock per card should be fine.
16
17This fixes CVE-2014-4652
18Upstream-Status: Backport
19
20Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
21Acked-by: Jaroslav Kysela <perex@perex.cz>
22Signed-off-by: Takashi Iwai <tiwai@suse.de>
23Signed-off-by: Jiri Slaby <jslaby@suse.cz>
24Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
25---
26 include/sound/core.h | 2 ++
27 sound/core/control.c | 31 +++++++++++++++++++++++++------
28 sound/core/init.c | 1 +
29 3 files changed, 28 insertions(+), 6 deletions(-)
30
31diff --git a/include/sound/core.h b/include/sound/core.h
32index 2a14f1f..d6bc961 100644
33--- a/include/sound/core.h
34+++ b/include/sound/core.h
35@@ -121,6 +121,8 @@ struct snd_card {
36 int user_ctl_count; /* count of all user controls */
37 struct list_head controls; /* all controls for this card */
38 struct list_head ctl_files; /* active control files */
39+ struct mutex user_ctl_lock; /* protects user controls against
40+ concurrent access */
41
42 struct snd_info_entry *proc_root; /* root for soundcard specific files */
43 struct snd_info_entry *proc_id; /* the card id */
44diff --git a/sound/core/control.c b/sound/core/control.c
45index d8aa206..183fab2 100644
46--- a/sound/core/control.c
47+++ b/sound/core/control.c
48@@ -992,6 +992,7 @@ static int snd_ctl_elem_unlock(struct snd_ctl_file *file,
49
50 struct user_element {
51 struct snd_ctl_elem_info info;
52+ struct snd_card *card;
53 void *elem_data; /* element data */
54 unsigned long elem_data_size; /* size of element data in bytes */
55 void *tlv_data; /* TLV data */
56@@ -1035,7 +1036,9 @@ static int snd_ctl_elem_user_get(struct snd_kcontrol *kcontrol,
57 {
58 struct user_element *ue = kcontrol->private_data;
59
60+ mutex_lock(&ue->card->user_ctl_lock);
61 memcpy(&ucontrol->value, ue->elem_data, ue->elem_data_size);
62+ mutex_unlock(&ue->card->user_ctl_lock);
63 return 0;
64 }
65
66@@ -1044,10 +1047,12 @@ static int snd_ctl_elem_user_put(struct snd_kcontrol *kcontrol,
67 {
68 int change;
69 struct user_element *ue = kcontrol->private_data;
70-
71+
72+ mutex_lock(&ue->card->user_ctl_lock);
73 change = memcmp(&ucontrol->value, ue->elem_data, ue->elem_data_size) != 0;
74 if (change)
75 memcpy(ue->elem_data, &ucontrol->value, ue->elem_data_size);
76+ mutex_unlock(&ue->card->user_ctl_lock);
77 return change;
78 }
79
80@@ -1067,19 +1072,32 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol,
81 new_data = memdup_user(tlv, size);
82 if (IS_ERR(new_data))
83 return PTR_ERR(new_data);
84+ mutex_lock(&ue->card->user_ctl_lock);
85 change = ue->tlv_data_size != size;
86 if (!change)
87 change = memcmp(ue->tlv_data, new_data, size);
88 kfree(ue->tlv_data);
89 ue->tlv_data = new_data;
90 ue->tlv_data_size = size;
91+ mutex_unlock(&ue->card->user_ctl_lock);
92 } else {
93- if (! ue->tlv_data_size || ! ue->tlv_data)
94- return -ENXIO;
95- if (size < ue->tlv_data_size)
96- return -ENOSPC;
97+ int ret = 0;
98+
99+ mutex_lock(&ue->card->user_ctl_lock);
100+ if (!ue->tlv_data_size || !ue->tlv_data) {
101+ ret = -ENXIO;
102+ goto err_unlock;
103+ }
104+ if (size < ue->tlv_data_size) {
105+ ret = -ENOSPC;
106+ goto err_unlock;
107+ }
108 if (copy_to_user(tlv, ue->tlv_data, ue->tlv_data_size))
109- return -EFAULT;
110+ ret = -EFAULT;
111+err_unlock:
112+ mutex_unlock(&ue->card->user_ctl_lock);
113+ if (ret)
114+ return ret;
115 }
116 return change;
117 }
118@@ -1211,6 +1229,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
119 ue = kzalloc(sizeof(struct user_element) + private_size, GFP_KERNEL);
120 if (ue == NULL)
121 return -ENOMEM;
122+ ue->card = card;
123 ue->info = *info;
124 ue->info.access = 0;
125 ue->elem_data = (char *)ue + sizeof(*ue);
126diff --git a/sound/core/init.c b/sound/core/init.c
127index d047851..b9268a5 100644
128--- a/sound/core/init.c
129+++ b/sound/core/init.c
130@@ -215,6 +215,7 @@ int snd_card_create(int idx, const char *xid,
131 INIT_LIST_HEAD(&card->devices);
132 init_rwsem(&card->controls_rwsem);
133 rwlock_init(&card->ctl_files_rwlock);
134+ mutex_init(&card->user_ctl_lock);
135 INIT_LIST_HEAD(&card->controls);
136 INIT_LIST_HEAD(&card->ctl_files);
137 spin_lock_init(&card->files_lock);
138--
1391.9.1
140
diff --git a/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch b/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
new file mode 100644
index 0000000..4355c68
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
@@ -0,0 +1,52 @@
1From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
2From: Jiri Kosina <jkosina@suse.cz>
3Date: Wed, 27 Aug 2014 09:12:24 +0200
4Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
5 callback
6
7The report passed to us from transport driver could potentially be
8arbitrarily large, therefore we better sanity-check it so that
9magicmouse_emit_touch() gets only valid values of raw_id.
10
11This fixes CVE-2014-3181
12Upstream-Status: Backport
13
14Cc: stable@vger.kernel.org
15Reported-by: Steven Vittitoe <scvitti@google.com>
16Signed-off-by: Jiri Kosina <jkosina@suse.cz>
17Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
18---
19 drivers/hid/hid-magicmouse.c | 10 ++++++++++
20 1 file changed, 10 insertions(+)
21
22diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
23index ecc2cbf..29a74c1 100644
24--- a/drivers/hid/hid-magicmouse.c
25+++ b/drivers/hid/hid-magicmouse.c
26@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
27 if (size < 4 || ((size - 4) % 9) != 0)
28 return 0;
29 npoints = (size - 4) / 9;
30+ if (npoints > 15) {
31+ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
32+ size);
33+ return 0;
34+ }
35 msc->ntouches = 0;
36 for (ii = 0; ii < npoints; ii++)
37 magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
38@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
39 if (size < 6 || ((size - 6) % 8) != 0)
40 return 0;
41 npoints = (size - 6) / 8;
42+ if (npoints > 15) {
43+ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
44+ size);
45+ return 0;
46+ }
47 msc->ntouches = 0;
48 for (ii = 0; ii < npoints; ii++)
49 magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
50--
511.9.1
52
diff --git a/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch b/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch
new file mode 100644
index 0000000..e19a3c1
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch
@@ -0,0 +1,94 @@
1From e35b1e9f17e0567f96502f3a2a31dace727ed3da Mon Sep 17 00:00:00 2001
2From: "Michael S. Tsirkin" <mst@redhat.com>
3Date: Tue, 19 Aug 2014 19:14:50 +0800
4Subject: [PATCH] kvm: iommu: fix the third parameter of kvm_iommu_put_pages
5 (CVE-2014-3601)
6
7commit 350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7 upstream.
8
9The third parameter of kvm_iommu_put_pages is wrong,
10It should be 'gfn - slot->base_gfn'.
11
12By making gfn very large, malicious guest or userspace can cause kvm to
13go to this error path, and subsequently to pass a huge value as size.
14Alternatively if gfn is small, then pages would be pinned but never
15unpinned, causing host memory leak and local DOS.
16
17Passing a reasonable but large value could be the most dangerous case,
18because it would unpin a page that should have stayed pinned, and thus
19allow the device to DMA into arbitrary memory. However, this cannot
20happen because of the condition that can trigger the error:
21
22- out of memory (where you can't allocate even a single page)
23 should not be possible for the attacker to trigger
24
25- when exceeding the iommu's address space, guest pages after gfn
26 will also exceed the iommu's address space, and inside
27 kvm_iommu_put_pages() the iommu_iova_to_phys() will fail. The
28 page thus would not be unpinned at all.
29
30Upstream-Status: Backport
31
32Reported-by: Jack Morgenstein <jackm@mellanox.com>
33Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
34Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
35Signed-off-by: Jiri Slaby <jslaby@suse.cz>
36Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
37---
38 virt/kvm/iommu.c | 19 ++++++++++---------
39 1 file changed, 10 insertions(+), 9 deletions(-)
40
41diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
42index c329c8f..dec9971 100644
43--- a/virt/kvm/iommu.c
44+++ b/virt/kvm/iommu.c
45@@ -61,6 +61,14 @@ static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
46 return pfn;
47 }
48
49+static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages)
50+{
51+ unsigned long i;
52+
53+ for (i = 0; i < npages; ++i)
54+ kvm_release_pfn_clean(pfn + i);
55+}
56+
57 int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
58 {
59 gfn_t gfn, end_gfn;
60@@ -123,6 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
61 if (r) {
62 printk(KERN_ERR "kvm_iommu_map_address:"
63 "iommu failed to map pfn=%llx\n", pfn);
64+ kvm_unpin_pages(kvm, pfn, page_size);
65 goto unmap_pages;
66 }
67
68@@ -134,7 +143,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
69 return 0;
70
71 unmap_pages:
72- kvm_iommu_put_pages(kvm, slot->base_gfn, gfn);
73+ kvm_iommu_put_pages(kvm, slot->base_gfn, gfn - slot->base_gfn);
74 return r;
75 }
76
77@@ -272,14 +281,6 @@ out_unlock:
78 return r;
79 }
80
81-static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages)
82-{
83- unsigned long i;
84-
85- for (i = 0; i < npages; ++i)
86- kvm_release_pfn_clean(pfn + i);
87-}
88-
89 static void kvm_iommu_put_pages(struct kvm *kvm,
90 gfn_t base_gfn, unsigned long npages)
91 {
92--
931.9.1
94
diff --git a/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..aec8930
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,62 @@
1From 25c1def33a2f74079f3062b7afdf98fcf9f34e6d Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 16:26:53 -0700
4Subject: [PATCH] mnt: Only change user settable mount flags in remount
5
6commit a6138db815df5ee542d848318e5dae681590fccd upstream.
7
8Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
9read-only bind mount read-only in a user namespace the
10MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
11to the remount a read-only mount read-write.
12
13Correct this by replacing the mask of mount flags to preserve
14with a mask of mount flags that may be changed, and preserve
15all others. This ensures that any future bugs with this mask and
16remount will fail in an easy to detect way where new mount flags
17simply won't change.
18
19Fix for CVE-2014-5206 and CVE-2014-5207
20Upstream-Status: backport
21
22Cc: stable@vger.kernel.org
23Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
24Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
25Signed-off-by: Jiri Slaby <jslaby@suse.cz>
26Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
27---
28 fs/namespace.c | 2 +-
29 include/linux/mount.h | 4 +++-
30 2 files changed, 4 insertions(+), 2 deletions(-)
31
32diff --git a/fs/namespace.c b/fs/namespace.c
33index 84447db..34fa7a5 100644
34--- a/fs/namespace.c
35+++ b/fs/namespace.c
36@@ -1847,7 +1847,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
37 err = do_remount_sb(sb, flags, data, 0);
38 if (!err) {
39 br_write_lock(&vfsmount_lock);
40- mnt_flags |= mnt->mnt.mnt_flags & MNT_PROPAGATION_MASK;
41+ mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;
42 mnt->mnt.mnt_flags = mnt_flags;
43 br_write_unlock(&vfsmount_lock);
44 }
45diff --git a/include/linux/mount.h b/include/linux/mount.h
46index 38cd98f..8707c9e 100644
47--- a/include/linux/mount.h
48+++ b/include/linux/mount.h
49@@ -42,7 +42,9 @@ struct mnt_namespace;
50 * flag, consider how it interacts with shared mounts.
51 */
52 #define MNT_SHARED_MASK (MNT_UNBINDABLE)
53-#define MNT_PROPAGATION_MASK (MNT_SHARED | MNT_UNBINDABLE)
54+#define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
55+ | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
56+ | MNT_READONLY)
57
58
59 #define MNT_INTERNAL 0x4000
60--
611.9.1
62
diff --git a/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch b/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch
new file mode 100644
index 0000000..68289f2
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch
@@ -0,0 +1,348 @@
1From bbd951a21e0fd555cd9ede44c7196af09d04d171 Mon Sep 17 00:00:00 2001
2From: Daniel Borkmann <dborkman@redhat.com>
3Date: Thu, 9 Oct 2014 22:55:31 +0200
4Subject: [PATCH] net: sctp: fix skb_over_panic when receiving malformed ASCONF
5 chunks
6
7commit 9de7922bc709eee2f609cd01d98aaedc4cf5ea74 upstream.
8
9Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
10ASCONF chunk") added basic verification of ASCONF chunks, however,
11it is still possible to remotely crash a server by sending a
12special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
13
14skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
15 head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
16 end:0x440 dev:<NULL>
17 ------------[ cut here ]------------
18kernel BUG at net/core/skbuff.c:129!
19[...]
20Call Trace:
21 <IRQ>
22 [<ffffffff8144fb1c>] skb_put+0x5c/0x70
23 [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
24 [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
25 [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
26 [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
27 [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
28 [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
29 [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
30 [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
31 [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
32 [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
33 [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
34 [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
35 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
36 [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
37 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
38 [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
39 [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
40 [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
41 [<ffffffff81496ac5>] ip_rcv+0x275/0x350
42 [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
43 [<ffffffff81460588>] netif_receive_skb+0x58/0x60
44
45This can be triggered e.g., through a simple scripted nmap
46connection scan injecting the chunk after the handshake, for
47example, ...
48
49 -------------- INIT[ASCONF; ASCONF_ACK] ------------->
50 <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
51 -------------------- COOKIE-ECHO -------------------->
52 <-------------------- COOKIE-ACK ---------------------
53 ------------------ ASCONF; UNKNOWN ------------------>
54
55... where ASCONF chunk of length 280 contains 2 parameters ...
56
57 1) Add IP address parameter (param length: 16)
58 2) Add/del IP address parameter (param length: 255)
59
60... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
61Address Parameter in the ASCONF chunk is even missing, too.
62This is just an example and similarly-crafted ASCONF chunks
63could be used just as well.
64
65The ASCONF chunk passes through sctp_verify_asconf() as all
66parameters passed sanity checks, and after walking, we ended
67up successfully at the chunk end boundary, and thus may invoke
68sctp_process_asconf(). Parameter walking is done with
69WORD_ROUND() to take padding into account.
70
71In sctp_process_asconf()'s TLV processing, we may fail in
72sctp_process_asconf_param() e.g., due to removal of the IP
73address that is also the source address of the packet containing
74the ASCONF chunk, and thus we need to add all TLVs after the
75failure to our ASCONF response to remote via helper function
76sctp_add_asconf_response(), which basically invokes a
77sctp_addto_chunk() adding the error parameters to the given
78skb.
79
80When walking to the next parameter this time, we proceed
81with ...
82
83 length = ntohs(asconf_param->param_hdr.length);
84 asconf_param = (void *)asconf_param + length;
85
86... instead of the WORD_ROUND()'ed length, thus resulting here
87in an off-by-one that leads to reading the follow-up garbage
88parameter length of 12336, and thus throwing an skb_over_panic
89for the reply when trying to sctp_addto_chunk() next time,
90which implicitly calls the skb_put() with that length.
91
92Fix it by using sctp_walk_params() [ which is also used in
93INIT parameter processing ] macro in the verification *and*
94in ASCONF processing: it will make sure we don't spill over,
95that we walk parameters WORD_ROUND()'ed. Moreover, we're being
96more defensive and guard against unknown parameter types and
97missized addresses.
98
99Joint work with Vlad Yasevich.
100
101Fixes CVE-2014-3673
102Upstream-Status: Backport
103
104Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
105Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
106Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
107Acked-by: Neil Horman <nhorman@tuxdriver.com>
108Signed-off-by: David S. Miller <davem@davemloft.net>
109Cc: Josh Boyer <jwboyer@fedoraproject.org>
110Signed-off-by: Jiri Slaby <jslaby@suse.cz>
111Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
112---
113 include/net/sctp/sm.h | 6 +--
114 net/sctp/sm_make_chunk.c | 99 +++++++++++++++++++++++++++---------------------
115 net/sctp/sm_statefuns.c | 18 +--------
116 3 files changed, 60 insertions(+), 63 deletions(-)
117
118diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
119index 4ef75af..c91b6f5 100644
120--- a/include/net/sctp/sm.h
121+++ b/include/net/sctp/sm.h
122@@ -249,9 +249,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *,
123 int, __be16);
124 struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc,
125 union sctp_addr *addr);
126-int sctp_verify_asconf(const struct sctp_association *asoc,
127- struct sctp_paramhdr *param_hdr, void *chunk_end,
128- struct sctp_paramhdr **errp);
129+bool sctp_verify_asconf(const struct sctp_association *asoc,
130+ struct sctp_chunk *chunk, bool addr_param_needed,
131+ struct sctp_paramhdr **errp);
132 struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
133 struct sctp_chunk *asconf);
134 int sctp_process_asconf_ack(struct sctp_association *asoc,
135diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
136index e342387..d800160 100644
137--- a/net/sctp/sm_make_chunk.c
138+++ b/net/sctp/sm_make_chunk.c
139@@ -3126,50 +3126,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
140 return SCTP_ERROR_NO_ERROR;
141 }
142
143-/* Verify the ASCONF packet before we process it. */
144-int sctp_verify_asconf(const struct sctp_association *asoc,
145- struct sctp_paramhdr *param_hdr, void *chunk_end,
146- struct sctp_paramhdr **errp) {
147- sctp_addip_param_t *asconf_param;
148+/* Verify the ASCONF packet before we process it. */
149+bool sctp_verify_asconf(const struct sctp_association *asoc,
150+ struct sctp_chunk *chunk, bool addr_param_needed,
151+ struct sctp_paramhdr **errp)
152+{
153+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr;
154 union sctp_params param;
155- int length, plen;
156-
157- param.v = (sctp_paramhdr_t *) param_hdr;
158- while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) {
159- length = ntohs(param.p->length);
160- *errp = param.p;
161+ bool addr_param_seen = false;
162
163- if (param.v > chunk_end - length ||
164- length < sizeof(sctp_paramhdr_t))
165- return 0;
166+ sctp_walk_params(param, addip, addip_hdr.params) {
167+ size_t length = ntohs(param.p->length);
168
169+ *errp = param.p;
170 switch (param.p->type) {
171+ case SCTP_PARAM_ERR_CAUSE:
172+ break;
173+ case SCTP_PARAM_IPV4_ADDRESS:
174+ if (length != sizeof(sctp_ipv4addr_param_t))
175+ return false;
176+ addr_param_seen = true;
177+ break;
178+ case SCTP_PARAM_IPV6_ADDRESS:
179+ if (length != sizeof(sctp_ipv6addr_param_t))
180+ return false;
181+ addr_param_seen = true;
182+ break;
183 case SCTP_PARAM_ADD_IP:
184 case SCTP_PARAM_DEL_IP:
185 case SCTP_PARAM_SET_PRIMARY:
186- asconf_param = (sctp_addip_param_t *)param.v;
187- plen = ntohs(asconf_param->param_hdr.length);
188- if (plen < sizeof(sctp_addip_param_t) +
189- sizeof(sctp_paramhdr_t))
190- return 0;
191+ /* In ASCONF chunks, these need to be first. */
192+ if (addr_param_needed && !addr_param_seen)
193+ return false;
194+ length = ntohs(param.addip->param_hdr.length);
195+ if (length < sizeof(sctp_addip_param_t) +
196+ sizeof(sctp_paramhdr_t))
197+ return false;
198 break;
199 case SCTP_PARAM_SUCCESS_REPORT:
200 case SCTP_PARAM_ADAPTATION_LAYER_IND:
201 if (length != sizeof(sctp_addip_param_t))
202- return 0;
203-
204+ return false;
205 break;
206 default:
207- break;
208+ /* This is unkown to us, reject! */
209+ return false;
210 }
211-
212- param.v += WORD_ROUND(length);
213 }
214
215- if (param.v != chunk_end)
216- return 0;
217+ /* Remaining sanity checks. */
218+ if (addr_param_needed && !addr_param_seen)
219+ return false;
220+ if (!addr_param_needed && addr_param_seen)
221+ return false;
222+ if (param.v != chunk->chunk_end)
223+ return false;
224
225- return 1;
226+ return true;
227 }
228
229 /* Process an incoming ASCONF chunk with the next expected serial no. and
230@@ -3178,16 +3191,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc,
231 struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
232 struct sctp_chunk *asconf)
233 {
234+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr;
235+ bool all_param_pass = true;
236+ union sctp_params param;
237 sctp_addiphdr_t *hdr;
238 union sctp_addr_param *addr_param;
239 sctp_addip_param_t *asconf_param;
240 struct sctp_chunk *asconf_ack;
241-
242 __be16 err_code;
243 int length = 0;
244 int chunk_len;
245 __u32 serial;
246- int all_param_pass = 1;
247
248 chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
249 hdr = (sctp_addiphdr_t *)asconf->skb->data;
250@@ -3215,9 +3229,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
251 goto done;
252
253 /* Process the TLVs contained within the ASCONF chunk. */
254- while (chunk_len > 0) {
255+ sctp_walk_params(param, addip, addip_hdr.params) {
256+ /* Skip preceeding address parameters. */
257+ if (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
258+ param.p->type == SCTP_PARAM_IPV6_ADDRESS)
259+ continue;
260+
261 err_code = sctp_process_asconf_param(asoc, asconf,
262- asconf_param);
263+ param.addip);
264 /* ADDIP 4.1 A7)
265 * If an error response is received for a TLV parameter,
266 * all TLVs with no response before the failed TLV are
267@@ -3225,28 +3244,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
268 * the failed response are considered unsuccessful unless
269 * a specific success indication is present for the parameter.
270 */
271- if (SCTP_ERROR_NO_ERROR != err_code)
272- all_param_pass = 0;
273-
274+ if (err_code != SCTP_ERROR_NO_ERROR)
275+ all_param_pass = false;
276 if (!all_param_pass)
277- sctp_add_asconf_response(asconf_ack,
278- asconf_param->crr_id, err_code,
279- asconf_param);
280+ sctp_add_asconf_response(asconf_ack, param.addip->crr_id,
281+ err_code, param.addip);
282
283 /* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add
284 * an IP address sends an 'Out of Resource' in its response, it
285 * MUST also fail any subsequent add or delete requests bundled
286 * in the ASCONF.
287 */
288- if (SCTP_ERROR_RSRC_LOW == err_code)
289+ if (err_code == SCTP_ERROR_RSRC_LOW)
290 goto done;
291-
292- /* Move to the next ASCONF param. */
293- length = ntohs(asconf_param->param_hdr.length);
294- asconf_param = (void *)asconf_param + length;
295- chunk_len -= length;
296 }
297-
298 done:
299 asoc->peer.addip_serial++;
300
301diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
302index 62623cc..bf12098 100644
303--- a/net/sctp/sm_statefuns.c
304+++ b/net/sctp/sm_statefuns.c
305@@ -3595,9 +3595,7 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
306 struct sctp_chunk *asconf_ack = NULL;
307 struct sctp_paramhdr *err_param = NULL;
308 sctp_addiphdr_t *hdr;
309- union sctp_addr_param *addr_param;
310 __u32 serial;
311- int length;
312
313 if (!sctp_vtag_verify(chunk, asoc)) {
314 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
315@@ -3622,17 +3620,8 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
316 hdr = (sctp_addiphdr_t *)chunk->skb->data;
317 serial = ntohl(hdr->serial);
318
319- addr_param = (union sctp_addr_param *)hdr->params;
320- length = ntohs(addr_param->p.length);
321- if (length < sizeof(sctp_paramhdr_t))
322- return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
323- (void *)addr_param, commands);
324-
325 /* Verify the ASCONF chunk before processing it. */
326- if (!sctp_verify_asconf(asoc,
327- (sctp_paramhdr_t *)((void *)addr_param + length),
328- (void *)chunk->chunk_end,
329- &err_param))
330+ if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
331 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
332 (void *)err_param, commands);
333
334@@ -3750,10 +3739,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
335 rcvd_serial = ntohl(addip_hdr->serial);
336
337 /* Verify the ASCONF-ACK chunk before processing it. */
338- if (!sctp_verify_asconf(asoc,
339- (sctp_paramhdr_t *)addip_hdr->params,
340- (void *)asconf_ack->chunk_end,
341- &err_param))
342+ if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
343 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
344 (void *)err_param, commands);
345
346--
3471.9.1
348
diff --git a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch
new file mode 100644
index 0000000..8612d74
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch
@@ -0,0 +1,92 @@
1From 0bf595fd311aa4d6e82c43879f2c0d0650e83271 Mon Sep 17 00:00:00 2001
2From: Lars-Peter Clausen <lars@metafoo.de>
3Date: Wed, 18 Jun 2014 13:32:33 +0200
4Subject: [PATCH] ALSA: control: Don't access controls outside of protected
5 regions
6
7commit fd9f26e4eca5d08a27d12c0933fceef76ed9663d upstream.
8
9A control that is visible on the card->controls list can be freed at any time.
10This means we must not access any of its memory while not holding the
11controls_rw_lock. Otherwise we risk a use after free access.
12
13This fixes CVE-2014-4653
14Upstream-Status: Backport
15
16Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
17Acked-by: Jaroslav Kysela <perex@perex.cz>
18Signed-off-by: Takashi Iwai <tiwai@suse.de>
19Signed-off-by: Jiri Slaby <jslaby@suse.cz>
20Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
21---
22 sound/core/control.c | 15 ++++++++++-----
23 1 file changed, 10 insertions(+), 5 deletions(-)
24
25diff --git a/sound/core/control.c b/sound/core/control.c
26index 15bc844..d4a597f 100644
27--- a/sound/core/control.c
28+++ b/sound/core/control.c
29@@ -331,6 +331,7 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
30 {
31 struct snd_ctl_elem_id id;
32 unsigned int idx;
33+ unsigned int count;
34 int err = -EINVAL;
35
36 if (! kcontrol)
37@@ -359,8 +360,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
38 card->controls_count += kcontrol->count;
39 kcontrol->id.numid = card->last_numid + 1;
40 card->last_numid += kcontrol->count;
41+ count = kcontrol->count;
42 up_write(&card->controls_rwsem);
43- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++)
44+ for (idx = 0; idx < count; idx++, id.index++, id.numid++)
45 snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
46 return 0;
47
48@@ -389,6 +391,7 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol,
49 bool add_on_replace)
50 {
51 struct snd_ctl_elem_id id;
52+ unsigned int count;
53 unsigned int idx;
54 struct snd_kcontrol *old;
55 int ret;
56@@ -424,8 +427,9 @@ add:
57 card->controls_count += kcontrol->count;
58 kcontrol->id.numid = card->last_numid + 1;
59 card->last_numid += kcontrol->count;
60+ count = kcontrol->count;
61 up_write(&card->controls_rwsem);
62- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++)
63+ for (idx = 0; idx < count; idx++, id.index++, id.numid++)
64 snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
65 return 0;
66
67@@ -898,9 +902,9 @@ static int snd_ctl_elem_write(struct snd_card *card, struct snd_ctl_file *file,
68 result = kctl->put(kctl, control);
69 }
70 if (result > 0) {
71+ struct snd_ctl_elem_id id = control->id;
72 up_read(&card->controls_rwsem);
73- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE,
74- &control->id);
75+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE, &id);
76 return 0;
77 }
78 }
79@@ -1334,8 +1338,9 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
80 }
81 err = kctl->tlv.c(kctl, op_flag, tlv.length, _tlv->tlv);
82 if (err > 0) {
83+ struct snd_ctl_elem_id id = kctl->id;
84 up_read(&card->controls_rwsem);
85- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &kctl->id);
86+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &id);
87 return 0;
88 }
89 } else {
90--
911.9.1
92
diff --git a/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch b/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
new file mode 100644
index 0000000..a90d079
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
@@ -0,0 +1,65 @@
1From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001
2From: Jiri Kosina <jkosina@suse.cz>
3Date: Thu, 21 Aug 2014 09:57:17 -0500
4Subject: [PATCH] HID: logitech: perform bounds checking on device_id early
5 enough
6
7device_index is a char type and the size of paired_dj_deivces is 7
8elements, therefore proper bounds checking has to be applied to
9device_index before it is used.
10
11We are currently performing the bounds checking in
12logi_dj_recv_add_djhid_device(), which is too late, as malicious device
13could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
14problem in one of the report forwarding functions called from
15logi_dj_raw_event().
16
17Fix this by performing the check at the earliest possible ocasion in
18logi_dj_raw_event().
19
20This fixes CVE-2014-3182
21Upstream-Status: Backport
22
23Cc: stable@vger.kernel.org
24Reported-by: Ben Hawkes <hawkes@google.com>
25Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
26Signed-off-by: Jiri Kosina <jkosina@suse.cz>
27Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
28---
29 drivers/hid/hid-logitech-dj.c | 13 ++++++-------
30 1 file changed, 6 insertions(+), 7 deletions(-)
31
32diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
33index ca0ab51..b7ba829 100644
34--- a/drivers/hid/hid-logitech-dj.c
35+++ b/drivers/hid/hid-logitech-dj.c
36@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
37 return;
38 }
39
40- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
41- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
42- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
43- __func__, dj_report->device_index);
44- return;
45- }
46-
47 if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
48 /* The device is already known. No need to reallocate it. */
49 dbg_hid("%s: device is already known\n", __func__);
50@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_device *hdev,
51 * device (via hid_input_report() ) and return 1 so hid-core does not do
52 * anything else with it.
53 */
54+ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
55+ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
56+ dev_err(&hdev->dev, "%s: invalid device index:%d\n",
57+ __func__, dj_report->device_index);
58+ return false;
59+ }
60
61 spin_lock_irqsave(&djrcv_dev->lock, flags);
62 if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
63--
641.9.1
65
diff --git a/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch b/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch
new file mode 100644
index 0000000..e43771c
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch
@@ -0,0 +1,86 @@
1From 248541357433e3035d954435dafcdb9e70afee4e Mon Sep 17 00:00:00 2001
2From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
3Date: Fri, 17 Oct 2014 22:55:59 +0200
4Subject: [PATCH] kvm: fix excessive pages un-pinning in kvm_iommu_map error
5 path.
6
7commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream.
8
9The third parameter of kvm_unpin_pages() when called from
10kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
11and not the page size.
12
13This error was facilitated with an inconsistent API: kvm_pin_pages() takes
14a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
15by matching the two.
16
17This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
18of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
19un-pinning for pages intended to be un-pinned (i.e. memory leak) but
20unfortunately potentially aggravated the number of pages we un-pin that
21should have stayed pinned. As far as I understand though, the same
22practical mitigations apply.
23
24This issue was found during review of Red Hat 6.6 patches to prepare
25Ksplice rebootless updates.
26
27Thanks to Vegard for his time on a late Friday evening to help me in
28understanding this code.
29
30Fix for CVE-2014-8369
31
32Upstream-Status: Backport
33
34Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
35Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
36Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
37Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
38Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
39Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
40Signed-off-by: Jiri Slaby <jslaby@suse.cz>
41Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
42---
43 virt/kvm/iommu.c | 8 ++++----
44 1 file changed, 4 insertions(+), 4 deletions(-)
45
46diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
47index dec9971..a650aa4 100644
48--- a/virt/kvm/iommu.c
49+++ b/virt/kvm/iommu.c
50@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm,
51 gfn_t base_gfn, unsigned long npages);
52
53 static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
54- unsigned long size)
55+ unsigned long npages)
56 {
57 gfn_t end_gfn;
58 pfn_t pfn;
59
60 pfn = gfn_to_pfn_memslot(slot, gfn);
61- end_gfn = gfn + (size >> PAGE_SHIFT);
62+ end_gfn = gfn + npages;
63 gfn += 1;
64
65 if (is_error_noslot_pfn(pfn))
66@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
67 * Pin all pages we are about to map in memory. This is
68 * important because we unmap and unpin in 4kb steps later.
69 */
70- pfn = kvm_pin_pages(slot, gfn, page_size);
71+ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT);
72 if (is_error_noslot_pfn(pfn)) {
73 gfn += 1;
74 continue;
75@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
76 if (r) {
77 printk(KERN_ERR "kvm_iommu_map_address:"
78 "iommu failed to map pfn=%llx\n", pfn);
79- kvm_unpin_pages(kvm, pfn, page_size);
80+ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
81 goto unmap_pages;
82 }
83
84--
851.9.1
86
diff --git a/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..b08f217
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,62 @@
1From cab259f821fad20afa688d3fbeb47356447ac20b Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 17:10:56 -0700
4Subject: [PATCH] mnt: Move the test for MNT_LOCK_READONLY from
5 change_mount_flags into do_remount
6
7commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream.
8
9There are no races as locked mount flags are guaranteed to never change.
10
11Moving the test into do_remount makes it more visible, and ensures all
12filesystem remounts pass the MNT_LOCK_READONLY permission check. This
13second case is not an issue today as filesystem remounts are guarded
14by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
15mount namespaces, but it could become an issue in the future.
16
17Fix for CVE-2014-5206 and CVE-2014-5207
18Upstream-Status: backport
19
20Cc: stable@vger.kernel.org
21Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
22Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
23Signed-off-by: Jiri Slaby <jslaby@suse.cz>
24Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
25---
26 fs/namespace.c | 13 ++++++++++---
27 1 file changed, 10 insertions(+), 3 deletions(-)
28
29diff --git a/fs/namespace.c b/fs/namespace.c
30index 34fa7a5..8e90b03 100644
31--- a/fs/namespace.c
32+++ b/fs/namespace.c
33@@ -1806,9 +1806,6 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags)
34 if (readonly_request == __mnt_is_readonly(mnt))
35 return 0;
36
37- if (mnt->mnt_flags & MNT_LOCK_READONLY)
38- return -EPERM;
39-
40 if (readonly_request)
41 error = mnt_make_readonly(real_mount(mnt));
42 else
43@@ -1834,6 +1831,16 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
44 if (path->dentry != path->mnt->mnt_root)
45 return -EINVAL;
46
47+ /* Don't allow changing of locked mnt flags.
48+ *
49+ * No locks need to be held here while testing the various
50+ * MNT_LOCK flags because those flags can never be cleared
51+ * once they are set.
52+ */
53+ if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) &&
54+ !(mnt_flags & MNT_READONLY)) {
55+ return -EPERM;
56+ }
57 err = security_sb_remount(sb, data);
58 if (err)
59 return err;
60--
611.9.1
62
diff --git a/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch b/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch
new file mode 100644
index 0000000..b05aaf2
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch
@@ -0,0 +1,102 @@
1From a723db0be941b8aebaa1a98b33d17a91b16603e4 Mon Sep 17 00:00:00 2001
2From: Daniel Borkmann <dborkman@redhat.com>
3Date: Thu, 9 Oct 2014 22:55:32 +0200
4Subject: [PATCH] net: sctp: fix panic on duplicate ASCONF chunks
5
6commit b69040d8e39f20d5215a03502a8e8b4c6ab78395 upstream.
7
8When receiving a e.g. semi-good formed connection scan in the
9form of ...
10
11 -------------- INIT[ASCONF; ASCONF_ACK] ------------->
12 <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
13 -------------------- COOKIE-ECHO -------------------->
14 <-------------------- COOKIE-ACK ---------------------
15 ---------------- ASCONF_a; ASCONF_b ----------------->
16
17... where ASCONF_a equals ASCONF_b chunk (at least both serials
18need to be equal), we panic an SCTP server!
19
20The problem is that good-formed ASCONF chunks that we reply with
21ASCONF_ACK chunks are cached per serial. Thus, when we receive a
22same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
23not need to process them again on the server side (that was the
24idea, also proposed in the RFC). Instead, we know it was cached
25and we just resend the cached chunk instead. So far, so good.
26
27Where things get nasty is in SCTP's side effect interpreter, that
28is, sctp_cmd_interpreter():
29
30While incoming ASCONF_a (chunk = event_arg) is being marked
31!end_of_packet and !singleton, and we have an association context,
32we do not flush the outqueue the first time after processing the
33ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
34queued up, although we set local_cork to 1. Commit 2e3216cd54b1
35changed the precedence, so that as long as we get bundled, incoming
36chunks we try possible bundling on outgoing queue as well. Before
37this commit, we would just flush the output queue.
38
39Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
40continue to process the same ASCONF_b chunk from the packet. As
41we have cached the previous ASCONF_ACK, we find it, grab it and
42do another SCTP_CMD_REPLY command on it. So, effectively, we rip
43the chunk->list pointers and requeue the same ASCONF_ACK chunk
44another time. Since we process ASCONF_b, it's correctly marked
45with end_of_packet and we enforce an uncork, and thus flush, thus
46crashing the kernel.
47
48Fix it by testing if the ASCONF_ACK is currently pending and if
49that is the case, do not requeue it. When flushing the output
50queue we may relink the chunk for preparing an outgoing packet,
51but eventually unlink it when it's copied into the skb right
52before transmission.
53
54Joint work with Vlad Yasevich.
55
56Fixes CVE-2014-3687
57Upstream-Status: Backport
58
59Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
60Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
61Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
62Signed-off-by: David S. Miller <davem@davemloft.net>
63Cc: Josh Boyer <jwboyer@fedoraproject.org>
64Signed-off-by: Jiri Slaby <jslaby@suse.cz>
65Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
66---
67 include/net/sctp/sctp.h | 5 +++++
68 net/sctp/associola.c | 2 ++
69 2 files changed, 7 insertions(+)
70
71diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
72index 3794c5a..3848934 100644
73--- a/include/net/sctp/sctp.h
74+++ b/include/net/sctp/sctp.h
75@@ -454,6 +454,11 @@ static inline void sctp_assoc_pending_pmtu(struct sock *sk, struct sctp_associat
76 asoc->pmtu_pending = 0;
77 }
78
79+static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk)
80+{
81+ return !list_empty(&chunk->list);
82+}
83+
84 /* Walk through a list of TLV parameters. Don't trust the
85 * individual parameter lengths and instead depend on
86 * the chunk length to indicate when to stop. Make sure
87diff --git a/net/sctp/associola.c b/net/sctp/associola.c
88index ad5cd6f..737050f 100644
89--- a/net/sctp/associola.c
90+++ b/net/sctp/associola.c
91@@ -1645,6 +1645,8 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack(
92 * ack chunk whose serial number matches that of the request.
93 */
94 list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) {
95+ if (sctp_chunk_pending(ack))
96+ continue;
97 if (ack->subh.addip_hdr->serial == serial) {
98 sctp_chunk_hold(ack);
99 return ack;
100--
1011.9.1
102
diff --git a/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch b/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
new file mode 100644
index 0000000..f58b2f0
--- /dev/null
+++ b/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
@@ -0,0 +1,114 @@
1From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
2From: Jiri Kosina <jkosina@suse.cz>
3Date: Thu, 21 Aug 2014 09:57:48 -0500
4Subject: [PATCH] HID: fix a couple of off-by-ones
5
6There are a few very theoretical off-by-one bugs in report descriptor size
7checking when performing a pre-parsing fixup. Fix those.
8
9This fixes CVE-2014-3184
10Upstream-Status: Backport
11
12Cc: stable@vger.kernel.org
13Reported-by: Ben Hawkes <hawkes@google.com>
14Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
15Signed-off-by: Jiri Kosina <jkosina@suse.cz>
16Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
17---
18 drivers/hid/hid-cherry.c | 2 +-
19 drivers/hid/hid-kye.c | 2 +-
20 drivers/hid/hid-lg.c | 4 ++--
21 drivers/hid/hid-monterey.c | 2 +-
22 drivers/hid/hid-petalynx.c | 2 +-
23 drivers/hid/hid-sunplus.c | 2 +-
24 6 files changed, 7 insertions(+), 7 deletions(-)
25
26diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
27index 1bdcccc..f745d2c 100644
28--- a/drivers/hid/hid-cherry.c
29+++ b/drivers/hid/hid-cherry.c
30@@ -28,7 +28,7 @@
31 static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
32 unsigned int *rsize)
33 {
34- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
35+ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
36 hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
37 rdesc[11] = rdesc[16] = 0xff;
38 rdesc[12] = rdesc[17] = 0x03;
39diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
40index e776963..b92bf01 100644
41--- a/drivers/hid/hid-kye.c
42+++ b/drivers/hid/hid-kye.c
43@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
44 * - change the button usage range to 4-7 for the extra
45 * buttons
46 */
47- if (*rsize >= 74 &&
48+ if (*rsize >= 75 &&
49 rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
50 rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
51 rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
52diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
53index a976f48..f91ff14 100644
54--- a/drivers/hid/hid-lg.c
55+++ b/drivers/hid/hid-lg.c
56@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
57 struct usb_device_descriptor *udesc;
58 __u16 bcdDevice, rev_maj, rev_min;
59
60- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
61+ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
62 rdesc[84] == 0x8c && rdesc[85] == 0x02) {
63 hid_info(hdev,
64 "fixing up Logitech keyboard report descriptor\n");
65 rdesc[84] = rdesc[89] = 0x4d;
66 rdesc[85] = rdesc[90] = 0x10;
67 }
68- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
69+ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
70 rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
71 rdesc[49] == 0x81 && rdesc[50] == 0x06) {
72 hid_info(hdev,
73diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
74index 9e14c00..25daf28 100644
75--- a/drivers/hid/hid-monterey.c
76+++ b/drivers/hid/hid-monterey.c
77@@ -24,7 +24,7 @@
78 static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
79 unsigned int *rsize)
80 {
81- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
82+ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
83 hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
84 rdesc[30] = 0x0c;
85 }
86diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
87index 736b250..6aca4f2 100644
88--- a/drivers/hid/hid-petalynx.c
89+++ b/drivers/hid/hid-petalynx.c
90@@ -25,7 +25,7 @@
91 static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
92 unsigned int *rsize)
93 {
94- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
95+ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
96 rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
97 rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
98 hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
99diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
100index 87fc91e..91072fa 100644
101--- a/drivers/hid/hid-sunplus.c
102+++ b/drivers/hid/hid-sunplus.c
103@@ -24,7 +24,7 @@
104 static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
105 unsigned int *rsize)
106 {
107- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
108+ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
109 rdesc[106] == 0x03) {
110 hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
111 rdesc[105] = rdesc[110] = 0x03;
112--
1131.9.1
114
diff --git a/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..aa5ca1b
--- /dev/null
+++ b/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,137 @@
1From 8b18c0adbc5d0cb1530692e72bcfb88fd7bb77bb Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 17:26:07 -0700
4Subject: [PATCH] mnt: Correct permission checks in do_remount
5
6commit 9566d6742852c527bf5af38af5cbb878dad75705 upstream.
7
8While invesgiating the issue where in "mount --bind -oremount,ro ..."
9would result in later "mount --bind -oremount,rw" succeeding even if
10the mount started off locked I realized that there are several
11additional mount flags that should be locked and are not.
12
13In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime
14flags in addition to MNT_READONLY should all be locked. These
15flags are all per superblock, can all be changed with MS_BIND,
16and should not be changable if set by a more privileged user.
17
18The following additions to the current logic are added in this patch.
19- nosuid may not be clearable by a less privileged user.
20- nodev may not be clearable by a less privielged user.
21- noexec may not be clearable by a less privileged user.
22- atime flags may not be changeable by a less privileged user.
23
24The logic with atime is that always setting atime on access is a
25global policy and backup software and auditing software could break if
26atime bits are not updated (when they are configured to be updated),
27and serious performance degradation could result (DOS attack) if atime
28updates happen when they have been explicitly disabled. Therefore an
29unprivileged user should not be able to mess with the atime bits set
30by a more privileged user.
31
32The additional restrictions are implemented with the addition of
33MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME
34mnt flags.
35
36Taken together these changes and the fixes for MNT_LOCK_READONLY
37should make it safe for an unprivileged user to create a user
38namespace and to call "mount --bind -o remount,... ..." without
39the danger of mount flags being changed maliciously.
40
41Fix for CVE-2014-5206 and CVE-2014-5207
42Upstream-Status: backport
43
44Cc: stable@vger.kernel.org
45Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
46Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
47Signed-off-by: Jiri Slaby <jslaby@suse.cz>
48Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
49---
50 fs/namespace.c | 36 +++++++++++++++++++++++++++++++++---
51 include/linux/mount.h | 5 +++++
52 2 files changed, 38 insertions(+), 3 deletions(-)
53
54diff --git a/fs/namespace.c b/fs/namespace.c
55index 8e90b03..7c67de8 100644
56--- a/fs/namespace.c
57+++ b/fs/namespace.c
58@@ -827,8 +827,21 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
59
60 mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~MNT_WRITE_HOLD;
61 /* Don't allow unprivileged users to change mount flags */
62- if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
63- mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
64+ if (flag & CL_UNPRIVILEGED) {
65+ mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
66+
67+ if (mnt->mnt.mnt_flags & MNT_READONLY)
68+ mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
69+
70+ if (mnt->mnt.mnt_flags & MNT_NODEV)
71+ mnt->mnt.mnt_flags |= MNT_LOCK_NODEV;
72+
73+ if (mnt->mnt.mnt_flags & MNT_NOSUID)
74+ mnt->mnt.mnt_flags |= MNT_LOCK_NOSUID;
75+
76+ if (mnt->mnt.mnt_flags & MNT_NOEXEC)
77+ mnt->mnt.mnt_flags |= MNT_LOCK_NOEXEC;
78+ }
79
80 /* Don't allow unprivileged users to reveal what is under a mount */
81 if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))
82@@ -1841,6 +1854,23 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
83 !(mnt_flags & MNT_READONLY)) {
84 return -EPERM;
85 }
86+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
87+ !(mnt_flags & MNT_NODEV)) {
88+ return -EPERM;
89+ }
90+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
91+ !(mnt_flags & MNT_NOSUID)) {
92+ return -EPERM;
93+ }
94+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
95+ !(mnt_flags & MNT_NOEXEC)) {
96+ return -EPERM;
97+ }
98+ if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
99+ ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
100+ return -EPERM;
101+ }
102+
103 err = security_sb_remount(sb, data);
104 if (err)
105 return err;
106@@ -2043,7 +2073,7 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
107 */
108 if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {
109 flags |= MS_NODEV;
110- mnt_flags |= MNT_NODEV;
111+ mnt_flags |= MNT_NODEV | MNT_LOCK_NODEV;
112 }
113 }
114
115diff --git a/include/linux/mount.h b/include/linux/mount.h
116index 8707c9e..22e5b96 100644
117--- a/include/linux/mount.h
118+++ b/include/linux/mount.h
119@@ -45,10 +45,15 @@ struct mnt_namespace;
120 #define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
121 | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
122 | MNT_READONLY)
123+#define MNT_ATIME_MASK (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME )
124
125
126 #define MNT_INTERNAL 0x4000
127
128+#define MNT_LOCK_ATIME 0x040000
129+#define MNT_LOCK_NOEXEC 0x080000
130+#define MNT_LOCK_NOSUID 0x100000
131+#define MNT_LOCK_NODEV 0x200000
132 #define MNT_LOCK_READONLY 0x400000
133 #define MNT_LOCKED 0x800000
134
135--
1361.9.1
137
diff --git a/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch b/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch
new file mode 100644
index 0000000..1b4716d
--- /dev/null
+++ b/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch
@@ -0,0 +1,160 @@
1From e476841415c1b7b54e4118d8a219f5db71878675 Mon Sep 17 00:00:00 2001
2From: Daniel Borkmann <dborkman@redhat.com>
3Date: Thu, 9 Oct 2014 22:55:33 +0200
4Subject: [PATCH] net: sctp: fix remote memory pressure from excessive queueing
5
6commit 26b87c7881006311828bb0ab271a551a62dcceb4 upstream.
7
8This scenario is not limited to ASCONF, just taken as one
9example triggering the issue. When receiving ASCONF probes
10in the form of ...
11
12 -------------- INIT[ASCONF; ASCONF_ACK] ------------->
13 <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
14 -------------------- COOKIE-ECHO -------------------->
15 <-------------------- COOKIE-ACK ---------------------
16 ---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
17 [...]
18 ---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
19
20... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
21ASCONFs and have increasing serial numbers, we process such
22ASCONF chunk(s) marked with !end_of_packet and !singleton,
23since we have not yet reached the SCTP packet end. SCTP does
24only do verification on a chunk by chunk basis, as an SCTP
25packet is nothing more than just a container of a stream of
26chunks which it eats up one by one.
27
28We could run into the case that we receive a packet with a
29malformed tail, above marked as trailing JUNK. All previous
30chunks are here goodformed, so the stack will eat up all
31previous chunks up to this point. In case JUNK does not fit
32into a chunk header and there are no more other chunks in
33the input queue, or in case JUNK contains a garbage chunk
34header, but the encoded chunk length would exceed the skb
35tail, or we came here from an entirely different scenario
36and the chunk has pdiscard=1 mark (without having had a flush
37point), it will happen, that we will excessively queue up
38the association's output queue (a correct final chunk may
39then turn it into a response flood when flushing the
40queue ;)): I ran a simple script with incremental ASCONF
41serial numbers and could see the server side consuming
42excessive amount of RAM [before/after: up to 2GB and more].
43
44The issue at heart is that the chunk train basically ends
45with !end_of_packet and !singleton markers and since commit
462e3216cd54b1 ("sctp: Follow security requirement of responding
47with 1 packet") therefore preventing an output queue flush
48point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
49chunk (chunk = event_arg) even though local_cork is set,
50but its precedence has changed since then. In the normal
51case, the last chunk with end_of_packet=1 would trigger the
52queue flush to accommodate possible outgoing bundling.
53
54In the input queue, sctp_inq_pop() seems to do the right thing
55in terms of discarding invalid chunks. So, above JUNK will
56not enter the state machine and instead be released and exit
57the sctp_assoc_bh_rcv() chunk processing loop. It's simply
58the flush point being missing at loop exit. Adding a try-flush
59approach on the output queue might not work as the underlying
60infrastructure might be long gone at this point due to the
61side-effect interpreter run.
62
63One possibility, albeit a bit of a kludge, would be to defer
64invalid chunk freeing into the state machine in order to
65possibly trigger packet discards and thus indirectly a queue
66flush on error. It would surely be better to discard chunks
67as in the current, perhaps better controlled environment, but
68going back and forth, it's simply architecturally not possible.
69I tried various trailing JUNK attack cases and it seems to
70look good now.
71
72Joint work with Vlad Yasevich.
73
74Fixes CVE-2014-3688
75Upstream-Status: Backport
76
77Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
78Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
79Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
80Signed-off-by: David S. Miller <davem@davemloft.net>
81Cc: Josh Boyer <jwboyer@fedoraproject.org>
82Signed-off-by: Jiri Slaby <jslaby@suse.cz>
83Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
84---
85 net/sctp/inqueue.c | 33 +++++++--------------------------
86 net/sctp/sm_statefuns.c | 3 +++
87 2 files changed, 10 insertions(+), 26 deletions(-)
88
89diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
90index 5856932..560cd41 100644
91--- a/net/sctp/inqueue.c
92+++ b/net/sctp/inqueue.c
93@@ -141,18 +141,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
94 } else {
95 /* Nothing to do. Next chunk in the packet, please. */
96 ch = (sctp_chunkhdr_t *) chunk->chunk_end;
97-
98 /* Force chunk->skb->data to chunk->chunk_end. */
99- skb_pull(chunk->skb,
100- chunk->chunk_end - chunk->skb->data);
101-
102- /* Verify that we have at least chunk headers
103- * worth of buffer left.
104- */
105- if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
106- sctp_chunk_free(chunk);
107- chunk = queue->in_progress = NULL;
108- }
109+ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data);
110+ /* We are guaranteed to pull a SCTP header. */
111 }
112 }
113
114@@ -188,24 +179,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
115 skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
116 chunk->subh.v = NULL; /* Subheader is no longer valid. */
117
118- if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
119+ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
120+ skb_tail_pointer(chunk->skb)) {
121 /* This is not a singleton */
122 chunk->singleton = 0;
123 } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
124- /* RFC 2960, Section 6.10 Bundling
125- *
126- * Partial chunks MUST NOT be placed in an SCTP packet.
127- * If the receiver detects a partial chunk, it MUST drop
128- * the chunk.
129- *
130- * Since the end of the chunk is past the end of our buffer
131- * (which contains the whole packet, we can freely discard
132- * the whole packet.
133- */
134- sctp_chunk_free(chunk);
135- chunk = queue->in_progress = NULL;
136-
137- return NULL;
138+ /* Discard inside state machine. */
139+ chunk->pdiscard = 1;
140+ chunk->chunk_end = skb_tail_pointer(chunk->skb);
141 } else {
142 /* We are at the end of the packet, so mark the chunk
143 * in case we need to send a SACK.
144diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
145index 1dbcc6a..62623cc 100644
146--- a/net/sctp/sm_statefuns.c
147+++ b/net/sctp/sm_statefuns.c
148@@ -171,6 +171,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk,
149 {
150 __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
151
152+ /* Previously already marked? */
153+ if (unlikely(chunk->pdiscard))
154+ return 0;
155 if (unlikely(chunk_length < required_length))
156 return 0;
157
158--
1591.9.1
160
diff --git a/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch b/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
new file mode 100644
index 0000000..0820807
--- /dev/null
+++ b/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
@@ -0,0 +1,51 @@
1From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
2From: James Forshaw <forshaw@google.com>
3Date: Sat, 23 Aug 2014 14:39:48 -0700
4Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
5 response
6
7This patch fixes a potential security issue in the whiteheat USB driver
8which might allow a local attacker to cause kernel memory corrpution. This
9is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
10EHCI and XHCI busses it's possible to craft responses greater than 64
11bytes leading a buffer overflow.
12
13This fixes CVE-2014-3185
14Upstream-Status: Backport
15
16Signed-off-by: James Forshaw <forshaw@google.com>
17Cc: stable <stable@vger.kernel.org>
18Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
20---
21 drivers/usb/serial/whiteheat.c | 7 ++++++-
22 1 file changed, 6 insertions(+), 1 deletion(-)
23
24diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
25index e62f2df..6c3734d 100644
26--- a/drivers/usb/serial/whiteheat.c
27+++ b/drivers/usb/serial/whiteheat.c
28@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
29 dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
30 return;
31 }
32+ if (!urb->actual_length) {
33+ dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
34+ return;
35+ }
36 if (status) {
37 dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
38 if (status != -ENOENT)
39@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
40 /* These are unsolicited reports from the firmware, hence no
41 waiting command to wakeup */
42 dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
43- } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
44+ } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
45+ (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
46 memcpy(command_info->result_buffer, &data[1],
47 urb->actual_length - 1);
48 command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
49--
501.9.1
51
diff --git a/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..8cd4b13
--- /dev/null
+++ b/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,64 @@
1From fafbc9412b8f2dae04bc3ca233ae7b49482c8df8 Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 17:36:04 -0700
4Subject: [PATCH] mnt: Change the default remount atime from relatime to the
5 existing value
6
7commit ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e upstream.
8
9Since March 2009 the kernel has treated the state that if no
10MS_..ATIME flags are passed then the kernel defaults to relatime.
11
12Defaulting to relatime instead of the existing atime state during a
13remount is silly, and causes problems in practice for people who don't
14specify any MS_...ATIME flags and to get the default filesystem atime
15setting. Those users may encounter a permission error because the
16default atime setting does not work.
17
18A default that does not work and causes permission problems is
19ridiculous, so preserve the existing value to have a default
20atime setting that is always guaranteed to work.
21
22Using the default atime setting in this way is particularly
23interesting for applications built to run in restricted userspace
24environments without /proc mounted, as the existing atime mount
25options of a filesystem can not be read from /proc/mounts.
26
27In practice this fixes user space that uses the default atime
28setting on remount that are broken by the permission checks
29keeping less privileged users from changing more privileged users
30atime settings.
31
32Fix for CVE-2014-5206 and CVE-2014-5207
33Upstream-Status: backport
34
35Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
36Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
37Signed-off-by: Jiri Slaby <jslaby@suse.cz>
38Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
39---
40 fs/namespace.c | 8 ++++++++
41 1 file changed, 8 insertions(+)
42
43diff --git a/fs/namespace.c b/fs/namespace.c
44index 7c67de8..4ea2b73 100644
45--- a/fs/namespace.c
46+++ b/fs/namespace.c
47@@ -2391,6 +2391,14 @@ long do_mount(const char *dev_name, const char *dir_name,
48 if (flags & MS_RDONLY)
49 mnt_flags |= MNT_READONLY;
50
51+ /* The default atime for remount is preservation */
52+ if ((flags & MS_REMOUNT) &&
53+ ((flags & (MS_NOATIME | MS_NODIRATIME | MS_RELATIME |
54+ MS_STRICTATIME)) == 0)) {
55+ mnt_flags &= ~MNT_ATIME_MASK;
56+ mnt_flags |= path.mnt->mnt_flags & MNT_ATIME_MASK;
57+ }
58+
59 flags &= ~(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE | MS_BORN |
60 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
61 MS_STRICTATIME);
62--
631.9.1
64
diff --git a/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..caa89db
--- /dev/null
+++ b/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,324 @@
1From 4194b9700ce41ff2f7031aa0c6108c2539028ab5 Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Tue, 29 Jul 2014 15:50:44 -0700
4Subject: [PATCH] mnt: Add tests for unprivileged remount cases that have found
5 to be faulty
6
7commit db181ce011e3c033328608299cd6fac06ea50130 upstream.
8
9Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
10read-only bind mount read-only in a user namespace the
11MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
12to the remount a read-only mount read-write.
13
14Upon review of the code in remount it was discovered that the code allowed
15nosuid, noexec, and nodev to be cleared. It was also discovered that
16the code was allowing the per mount atime flags to be changed.
17
18The first naive patch to fix these issues contained the flaw that using
19default atime settings when remounting a filesystem could be disallowed.
20
21To avoid this problems in the future add tests to ensure unprivileged
22remounts are succeeding and failing at the appropriate times.
23
24Fix for CVE-2014-5206 and CVE-2014-5207
25Upstream-Status: backport
26
27Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
28Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
29Signed-off-by: Jiri Slaby <jslaby@suse.cz>
30Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
31---
32 tools/testing/selftests/Makefile | 1 +
33 tools/testing/selftests/mount/Makefile | 17 ++
34 .../selftests/mount/unprivileged-remount-test.c | 242 +++++++++++++++++++++
35 3 files changed, 260 insertions(+)
36 create mode 100644 tools/testing/selftests/mount/Makefile
37 create mode 100644 tools/testing/selftests/mount/unprivileged-remount-test.c
38
39diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
40index 9f3eae2..2d9ab94 100644
41--- a/tools/testing/selftests/Makefile
42+++ b/tools/testing/selftests/Makefile
43@@ -4,6 +4,7 @@ TARGETS += efivarfs
44 TARGETS += kcmp
45 TARGETS += memory-hotplug
46 TARGETS += mqueue
47+TARGETS += mount
48 TARGETS += net
49 TARGETS += ptrace
50 TARGETS += timers
51diff --git a/tools/testing/selftests/mount/Makefile b/tools/testing/selftests/mount/Makefile
52new file mode 100644
53index 0000000..337d853
54--- /dev/null
55+++ b/tools/testing/selftests/mount/Makefile
56@@ -0,0 +1,17 @@
57+# Makefile for mount selftests.
58+
59+all: unprivileged-remount-test
60+
61+unprivileged-remount-test: unprivileged-remount-test.c
62+ gcc -Wall -O2 unprivileged-remount-test.c -o unprivileged-remount-test
63+
64+# Allow specific tests to be selected.
65+test_unprivileged_remount: unprivileged-remount-test
66+ @if [ -f /proc/self/uid_map ] ; then ./unprivileged-remount-test ; fi
67+
68+run_tests: all test_unprivileged_remount
69+
70+clean:
71+ rm -f unprivileged-remount-test
72+
73+.PHONY: all test_unprivileged_remount
74diff --git a/tools/testing/selftests/mount/unprivileged-remount-test.c b/tools/testing/selftests/mount/unprivileged-remount-test.c
75new file mode 100644
76index 0000000..1b3ff2f
77--- /dev/null
78+++ b/tools/testing/selftests/mount/unprivileged-remount-test.c
79@@ -0,0 +1,242 @@
80+#define _GNU_SOURCE
81+#include <sched.h>
82+#include <stdio.h>
83+#include <errno.h>
84+#include <string.h>
85+#include <sys/types.h>
86+#include <sys/mount.h>
87+#include <sys/wait.h>
88+#include <stdlib.h>
89+#include <unistd.h>
90+#include <fcntl.h>
91+#include <grp.h>
92+#include <stdbool.h>
93+#include <stdarg.h>
94+
95+#ifndef CLONE_NEWNS
96+# define CLONE_NEWNS 0x00020000
97+#endif
98+#ifndef CLONE_NEWUTS
99+# define CLONE_NEWUTS 0x04000000
100+#endif
101+#ifndef CLONE_NEWIPC
102+# define CLONE_NEWIPC 0x08000000
103+#endif
104+#ifndef CLONE_NEWNET
105+# define CLONE_NEWNET 0x40000000
106+#endif
107+#ifndef CLONE_NEWUSER
108+# define CLONE_NEWUSER 0x10000000
109+#endif
110+#ifndef CLONE_NEWPID
111+# define CLONE_NEWPID 0x20000000
112+#endif
113+
114+#ifndef MS_RELATIME
115+#define MS_RELATIME (1 << 21)
116+#endif
117+#ifndef MS_STRICTATIME
118+#define MS_STRICTATIME (1 << 24)
119+#endif
120+
121+static void die(char *fmt, ...)
122+{
123+ va_list ap;
124+ va_start(ap, fmt);
125+ vfprintf(stderr, fmt, ap);
126+ va_end(ap);
127+ exit(EXIT_FAILURE);
128+}
129+
130+static void write_file(char *filename, char *fmt, ...)
131+{
132+ char buf[4096];
133+ int fd;
134+ ssize_t written;
135+ int buf_len;
136+ va_list ap;
137+
138+ va_start(ap, fmt);
139+ buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
140+ va_end(ap);
141+ if (buf_len < 0) {
142+ die("vsnprintf failed: %s\n",
143+ strerror(errno));
144+ }
145+ if (buf_len >= sizeof(buf)) {
146+ die("vsnprintf output truncated\n");
147+ }
148+
149+ fd = open(filename, O_WRONLY);
150+ if (fd < 0) {
151+ die("open of %s failed: %s\n",
152+ filename, strerror(errno));
153+ }
154+ written = write(fd, buf, buf_len);
155+ if (written != buf_len) {
156+ if (written >= 0) {
157+ die("short write to %s\n", filename);
158+ } else {
159+ die("write to %s failed: %s\n",
160+ filename, strerror(errno));
161+ }
162+ }
163+ if (close(fd) != 0) {
164+ die("close of %s failed: %s\n",
165+ filename, strerror(errno));
166+ }
167+}
168+
169+static void create_and_enter_userns(void)
170+{
171+ uid_t uid;
172+ gid_t gid;
173+
174+ uid = getuid();
175+ gid = getgid();
176+
177+ if (unshare(CLONE_NEWUSER) !=0) {
178+ die("unshare(CLONE_NEWUSER) failed: %s\n",
179+ strerror(errno));
180+ }
181+
182+ write_file("/proc/self/uid_map", "0 %d 1", uid);
183+ write_file("/proc/self/gid_map", "0 %d 1", gid);
184+
185+ if (setgroups(0, NULL) != 0) {
186+ die("setgroups failed: %s\n",
187+ strerror(errno));
188+ }
189+ if (setgid(0) != 0) {
190+ die ("setgid(0) failed %s\n",
191+ strerror(errno));
192+ }
193+ if (setuid(0) != 0) {
194+ die("setuid(0) failed %s\n",
195+ strerror(errno));
196+ }
197+}
198+
199+static
200+bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags)
201+{
202+ pid_t child;
203+
204+ child = fork();
205+ if (child == -1) {
206+ die("fork failed: %s\n",
207+ strerror(errno));
208+ }
209+ if (child != 0) { /* parent */
210+ pid_t pid;
211+ int status;
212+ pid = waitpid(child, &status, 0);
213+ if (pid == -1) {
214+ die("waitpid failed: %s\n",
215+ strerror(errno));
216+ }
217+ if (pid != child) {
218+ die("waited for %d got %d\n",
219+ child, pid);
220+ }
221+ if (!WIFEXITED(status)) {
222+ die("child did not terminate cleanly\n");
223+ }
224+ return WEXITSTATUS(status) == EXIT_SUCCESS ? true : false;
225+ }
226+
227+ create_and_enter_userns();
228+ if (unshare(CLONE_NEWNS) != 0) {
229+ die("unshare(CLONE_NEWNS) failed: %s\n",
230+ strerror(errno));
231+ }
232+
233+ if (mount("testing", "/tmp", "ramfs", mount_flags, NULL) != 0) {
234+ die("mount of /tmp failed: %s\n",
235+ strerror(errno));
236+ }
237+
238+ create_and_enter_userns();
239+
240+ if (unshare(CLONE_NEWNS) != 0) {
241+ die("unshare(CLONE_NEWNS) failed: %s\n",
242+ strerror(errno));
243+ }
244+
245+ if (mount("/tmp", "/tmp", "none",
246+ MS_REMOUNT | MS_BIND | remount_flags, NULL) != 0) {
247+ /* system("cat /proc/self/mounts"); */
248+ die("remount of /tmp failed: %s\n",
249+ strerror(errno));
250+ }
251+
252+ if (mount("/tmp", "/tmp", "none",
253+ MS_REMOUNT | MS_BIND | invalid_flags, NULL) == 0) {
254+ /* system("cat /proc/self/mounts"); */
255+ die("remount of /tmp with invalid flags "
256+ "succeeded unexpectedly\n");
257+ }
258+ exit(EXIT_SUCCESS);
259+}
260+
261+static bool test_unpriv_remount_simple(int mount_flags)
262+{
263+ return test_unpriv_remount(mount_flags, mount_flags, 0);
264+}
265+
266+static bool test_unpriv_remount_atime(int mount_flags, int invalid_flags)
267+{
268+ return test_unpriv_remount(mount_flags, mount_flags, invalid_flags);
269+}
270+
271+int main(int argc, char **argv)
272+{
273+ if (!test_unpriv_remount_simple(MS_RDONLY|MS_NODEV)) {
274+ die("MS_RDONLY malfunctions\n");
275+ }
276+ if (!test_unpriv_remount_simple(MS_NODEV)) {
277+ die("MS_NODEV malfunctions\n");
278+ }
279+ if (!test_unpriv_remount_simple(MS_NOSUID|MS_NODEV)) {
280+ die("MS_NOSUID malfunctions\n");
281+ }
282+ if (!test_unpriv_remount_simple(MS_NOEXEC|MS_NODEV)) {
283+ die("MS_NOEXEC malfunctions\n");
284+ }
285+ if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODEV,
286+ MS_NOATIME|MS_NODEV))
287+ {
288+ die("MS_RELATIME malfunctions\n");
289+ }
290+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODEV,
291+ MS_NOATIME|MS_NODEV))
292+ {
293+ die("MS_STRICTATIME malfunctions\n");
294+ }
295+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODEV,
296+ MS_STRICTATIME|MS_NODEV))
297+ {
298+ die("MS_RELATIME malfunctions\n");
299+ }
300+ if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME|MS_NODEV,
301+ MS_NOATIME|MS_NODEV))
302+ {
303+ die("MS_RELATIME malfunctions\n");
304+ }
305+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME|MS_NODEV,
306+ MS_NOATIME|MS_NODEV))
307+ {
308+ die("MS_RELATIME malfunctions\n");
309+ }
310+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME|MS_NODEV,
311+ MS_STRICTATIME|MS_NODEV))
312+ {
313+ die("MS_RELATIME malfunctions\n");
314+ }
315+ if (!test_unpriv_remount(MS_STRICTATIME|MS_NODEV, MS_NODEV,
316+ MS_NOATIME|MS_NODEV))
317+ {
318+ die("Default atime malfunctions\n");
319+ }
320+ return EXIT_SUCCESS;
321+}
322--
3231.9.1
324
diff --git a/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch b/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch
new file mode 100644
index 0000000..7d16535
--- /dev/null
+++ b/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch
@@ -0,0 +1,41 @@
1CVE-2014-5077 Kernel/SCTP: fix a NULL pointer dereference
2
3A NULL pointer dereference flaw was found in the way the
4Linux kernel's Stream Control Transmission Protocol
5(SCTP) implementation handled simultaneous connections
6between the same hosts. A remote attacker could use this
7flaw to crash the system.
8
9Upstream-Status: Backport (from v3.16, commit 1be9a950c646c)
10
11References:
12 - https://access.redhat.com/security/cve/CVE-2014-5077
13 - http://patchwork.ozlabs.org/patch/372475/
14
15Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
16Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
17Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
18Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
19Cc: Vlad Yasevich <vyasevich@gmail.com>
20Acked-by: Vlad Yasevich <vyasevich@gmail.com>
21Signed-off-by: David S. Miller <davem@davemloft.net>
22Signed-off-by: Liviu Gheorghisan <liviu.gheorghisan@enea.com>
23---
24 net/sctp/associola.c | 1 +
25 1 file changed, 1 insertion(+)
26
27diff --git a/net/sctp/associola.c b/net/sctp/associola.c
28index 9de23a2..06a9ee6 100644
29--- a/net/sctp/associola.c
30+++ b/net/sctp/associola.c
31@@ -1097,6 +1097,7 @@ void sctp_assoc_update(struct sctp_association *asoc,
32 asoc->c = new->c;
33 asoc->peer.rwnd = new->peer.rwnd;
34 asoc->peer.sack_needed = new->peer.sack_needed;
35+ asoc->peer.auth_capable = new->peer.auth_capable;
36 asoc->peer.i = new->peer.i;
37 sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL,
38 asoc->peer.i.initial_tsn, GFP_ATOMIC);
39--
401.9.1
41
diff --git a/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch b/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch
new file mode 100644
index 0000000..65107d6
--- /dev/null
+++ b/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch
@@ -0,0 +1,212 @@
1From 4488e1f5ef40441c9846b1d0a29152c208a05e66 Mon Sep 17 00:00:00 2001
2From: Jan Kara <jack@suse.cz>
3Date: Sun, 17 Aug 2014 11:49:57 +0200
4Subject: [PATCH] isofs: Fix unbounded recursion when processing relocated
5 directories
6
7commit 410dd3cf4c9b36f27ed4542ee18b1af5e68645a4 upstream.
8
9We did not check relocated directory in any way when processing Rock
10Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL
11entry pointing to another CL entry leading to possibly unbounded
12recursion in kernel code and thus stack overflow or deadlocks (if there
13is a loop created from CL entries).
14
15Fix the problem by not allowing CL entry to point to a directory entry
16with CL entry (such use makes no good sense anyway) and by checking
17whether CL entry doesn't point to itself.
18
19Upstream status: backported (from v3.12 e4ca8b780c82c04ec0)
20
21Reported-by: Chris Evans <cevans@google.com>
22Signed-off-by: Jan Kara <jack@suse.cz>
23Signed-off-by: Jiri Slaby <jslaby@suse.cz>
24Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
25---
26 fs/isofs/inode.c | 15 ++++++++-------
27 fs/isofs/isofs.h | 23 +++++++++++++++++++----
28 fs/isofs/rock.c | 39 ++++++++++++++++++++++++++++-----------
29 3 files changed, 55 insertions(+), 22 deletions(-)
30
31diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
32index e5d408a..2e2af97 100644
33--- a/fs/isofs/inode.c
34+++ b/fs/isofs/inode.c
35@@ -61,7 +61,7 @@ static void isofs_put_super(struct super_block *sb)
36 return;
37 }
38
39-static int isofs_read_inode(struct inode *);
40+static int isofs_read_inode(struct inode *, int relocated);
41 static int isofs_statfs (struct dentry *, struct kstatfs *);
42
43 static struct kmem_cache *isofs_inode_cachep;
44@@ -1258,7 +1258,7 @@ out_toomany:
45 goto out;
46 }
47
48-static int isofs_read_inode(struct inode *inode)
49+static int isofs_read_inode(struct inode *inode, int relocated)
50 {
51 struct super_block *sb = inode->i_sb;
52 struct isofs_sb_info *sbi = ISOFS_SB(sb);
53@@ -1403,7 +1403,7 @@ static int isofs_read_inode(struct inode *inode)
54 */
55
56 if (!high_sierra) {
57- parse_rock_ridge_inode(de, inode);
58+ parse_rock_ridge_inode(de, inode, relocated);
59 /* if we want uid/gid set, override the rock ridge setting */
60 if (sbi->s_uid_set)
61 inode->i_uid = sbi->s_uid;
62@@ -1482,9 +1482,10 @@ static int isofs_iget5_set(struct inode *ino, void *data)
63 * offset that point to the underlying meta-data for the inode. The
64 * code below is otherwise similar to the iget() code in
65 * include/linux/fs.h */
66-struct inode *isofs_iget(struct super_block *sb,
67- unsigned long block,
68- unsigned long offset)
69+struct inode *__isofs_iget(struct super_block *sb,
70+ unsigned long block,
71+ unsigned long offset,
72+ int relocated)
73 {
74 unsigned long hashval;
75 struct inode *inode;
76@@ -1506,7 +1507,7 @@ struct inode *isofs_iget(struct super_block *sb,
77 return ERR_PTR(-ENOMEM);
78
79 if (inode->i_state & I_NEW) {
80- ret = isofs_read_inode(inode);
81+ ret = isofs_read_inode(inode, relocated);
82 if (ret < 0) {
83 iget_failed(inode);
84 inode = ERR_PTR(ret);
85diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h
86index 9916723..0ac4c1f 100644
87--- a/fs/isofs/isofs.h
88+++ b/fs/isofs/isofs.h
89@@ -107,7 +107,7 @@ extern int iso_date(char *, int);
90
91 struct inode; /* To make gcc happy */
92
93-extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *);
94+extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *, int relocated);
95 extern int get_rock_ridge_filename(struct iso_directory_record *, char *, struct inode *);
96 extern int isofs_name_translate(struct iso_directory_record *, char *, struct inode *);
97
98@@ -118,9 +118,24 @@ extern struct dentry *isofs_lookup(struct inode *, struct dentry *, unsigned int
99 extern struct buffer_head *isofs_bread(struct inode *, sector_t);
100 extern int isofs_get_blocks(struct inode *, sector_t, struct buffer_head **, unsigned long);
101
102-extern struct inode *isofs_iget(struct super_block *sb,
103- unsigned long block,
104- unsigned long offset);
105+struct inode *__isofs_iget(struct super_block *sb,
106+ unsigned long block,
107+ unsigned long offset,
108+ int relocated);
109+
110+static inline struct inode *isofs_iget(struct super_block *sb,
111+ unsigned long block,
112+ unsigned long offset)
113+{
114+ return __isofs_iget(sb, block, offset, 0);
115+}
116+
117+static inline struct inode *isofs_iget_reloc(struct super_block *sb,
118+ unsigned long block,
119+ unsigned long offset)
120+{
121+ return __isofs_iget(sb, block, offset, 1);
122+}
123
124 /* Because the inode number is no longer relevant to finding the
125 * underlying meta-data for an inode, we are free to choose a more
126diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
127index c0bf424..f488bba 100644
128--- a/fs/isofs/rock.c
129+++ b/fs/isofs/rock.c
130@@ -288,12 +288,16 @@ eio:
131 goto out;
132 }
133
134+#define RR_REGARD_XA 1
135+#define RR_RELOC_DE 2
136+
137 static int
138 parse_rock_ridge_inode_internal(struct iso_directory_record *de,
139- struct inode *inode, int regard_xa)
140+ struct inode *inode, int flags)
141 {
142 int symlink_len = 0;
143 int cnt, sig;
144+ unsigned int reloc_block;
145 struct inode *reloc;
146 struct rock_ridge *rr;
147 int rootflag;
148@@ -305,7 +309,7 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de,
149
150 init_rock_state(&rs, inode);
151 setup_rock_ridge(de, inode, &rs);
152- if (regard_xa) {
153+ if (flags & RR_REGARD_XA) {
154 rs.chr += 14;
155 rs.len -= 14;
156 if (rs.len < 0)
157@@ -485,12 +489,22 @@ repeat:
158 "relocated directory\n");
159 goto out;
160 case SIG('C', 'L'):
161- ISOFS_I(inode)->i_first_extent =
162- isonum_733(rr->u.CL.location);
163- reloc =
164- isofs_iget(inode->i_sb,
165- ISOFS_I(inode)->i_first_extent,
166- 0);
167+ if (flags & RR_RELOC_DE) {
168+ printk(KERN_ERR
169+ "ISOFS: Recursive directory relocation "
170+ "is not supported\n");
171+ goto eio;
172+ }
173+ reloc_block = isonum_733(rr->u.CL.location);
174+ if (reloc_block == ISOFS_I(inode)->i_iget5_block &&
175+ ISOFS_I(inode)->i_iget5_offset == 0) {
176+ printk(KERN_ERR
177+ "ISOFS: Directory relocation points to "
178+ "itself\n");
179+ goto eio;
180+ }
181+ ISOFS_I(inode)->i_first_extent = reloc_block;
182+ reloc = isofs_iget_reloc(inode->i_sb, reloc_block, 0);
183 if (IS_ERR(reloc)) {
184 ret = PTR_ERR(reloc);
185 goto out;
186@@ -637,9 +651,11 @@ static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr, char *plimit)
187 return rpnt;
188 }
189
190-int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode)
191+int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode,
192+ int relocated)
193 {
194- int result = parse_rock_ridge_inode_internal(de, inode, 0);
195+ int flags = relocated ? RR_RELOC_DE : 0;
196+ int result = parse_rock_ridge_inode_internal(de, inode, flags);
197
198 /*
199 * if rockridge flag was reset and we didn't look for attributes
200@@ -647,7 +663,8 @@ int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode)
201 */
202 if ((ISOFS_SB(inode->i_sb)->s_rock_offset == -1)
203 && (ISOFS_SB(inode->i_sb)->s_rock == 2)) {
204- result = parse_rock_ridge_inode_internal(de, inode, 14);
205+ result = parse_rock_ridge_inode_internal(de, inode,
206+ flags | RR_REGARD_XA);
207 }
208 return result;
209 }
210--
2111.9.1
212
diff --git a/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch b/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch
new file mode 100644
index 0000000..1ae600f
--- /dev/null
+++ b/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch
@@ -0,0 +1,47 @@
1fs: umount on symlink leaks mnt count
2
3commit 295dc39d941dc2ae53d5c170365af4c9d5c16212 upstream.
4
5Currently umount on symlink blocks following umount:
6
7/vz is separate mount
8
9drwxr-xr-x. 2 root root 4096 Jul 19 01:14 testdir
10lrwxrwxrwx. 1 root root 11 Jul 19 01:16 testlink -> /vz/testdir
11umount: /vz/testlink: not mounted (expected)
12
13umount: /vz: device is busy. (unexpected)
14
15In this case mountpoint_last() gets an extra refcount on path->mnt
16
17Upstream-Status: Backport
18
19Signed-off-by: Vasily Averin <vvs@openvz.org>
20Acked-by: Ian Kent <raven@themaw.net>
21Acked-by: Jeff Layton <jlayton@primarydata.com>
22Cc: stable@vger.kernel.org
23Signed-off-by: Christoph Hellwig <hch@lst.de>
24Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
25---
26 fs/namei.c | 3 ++-
27 1 file changed, 2 insertions(+), 1 deletion(-)
28
29diff --git a/fs/namei.c b/fs/namei.c
30index 187cacf..c199dcc 100644
31--- a/fs/namei.c
32+++ b/fs/namei.c
33@@ -2280,9 +2280,10 @@ done:
34 goto out;
35 }
36 path->dentry = dentry;
37- path->mnt = mntget(nd->path.mnt);
38+ path->mnt = nd->path.mnt;
39 if (should_follow_link(dentry->d_inode, nd->flags & LOOKUP_FOLLOW))
40 return 1;
41+ mntget(path->mnt);
42 follow_mount(path);
43 error = 0;
44 out:
45--
461.9.1
47
diff --git a/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch b/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch
new file mode 100644
index 0000000..a0bdc27
--- /dev/null
+++ b/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch
@@ -0,0 +1,91 @@
1From 6004b0e5ac2e8e9e1bb0f012dc9242e03cca95df Mon Sep 17 00:00:00 2001
2From: Andy Lutomirski <luto@amacapital.net>
3Date: Wed, 28 May 2014 23:09:58 -0400
4Subject: [PATCH] auditsc: audit_krule mask accesses need bounds checking
5
6commit a3c54931199565930d6d84f4c3456f6440aefd41 upstream.
7
8Fixes an easy DoS and possible information disclosure.
9
10This does nothing about the broken state of x32 auditing.
11
12eparis: If the admin has enabled auditd and has specifically loaded
13audit rules. This bug has been around since before git. Wow...
14
15This fixes CVE-2014-3917
16Upstream-Status: Backport
17
18Signed-off-by: Andy Lutomirski <luto@amacapital.net>
19Signed-off-by: Eric Paris <eparis@redhat.com>
20Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
21Signed-off-by: Jiri Slaby <jslaby@suse.cz>
22Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
23---
24 kernel/auditsc.c | 27 ++++++++++++++++++---------
25 1 file changed, 18 insertions(+), 9 deletions(-)
26
27diff --git a/kernel/auditsc.c b/kernel/auditsc.c
28index 3b79a47..979c00b 100644
29--- a/kernel/auditsc.c
30+++ b/kernel/auditsc.c
31@@ -733,6 +733,22 @@ static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
32 return AUDIT_BUILD_CONTEXT;
33 }
34
35+static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
36+{
37+ int word, bit;
38+
39+ if (val > 0xffffffff)
40+ return false;
41+
42+ word = AUDIT_WORD(val);
43+ if (word >= AUDIT_BITMASK_SIZE)
44+ return false;
45+
46+ bit = AUDIT_BIT(val);
47+
48+ return rule->mask[word] & bit;
49+}
50+
51 /* At syscall entry and exit time, this filter is called if the
52 * audit_state is not low enough that auditing cannot take place, but is
53 * also not high enough that we already know we have to write an audit
54@@ -750,11 +766,8 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
55
56 rcu_read_lock();
57 if (!list_empty(list)) {
58- int word = AUDIT_WORD(ctx->major);
59- int bit = AUDIT_BIT(ctx->major);
60-
61 list_for_each_entry_rcu(e, list, list) {
62- if ((e->rule.mask[word] & bit) == bit &&
63+ if (audit_in_mask(&e->rule, ctx->major) &&
64 audit_filter_rules(tsk, &e->rule, ctx, NULL,
65 &state, false)) {
66 rcu_read_unlock();
67@@ -774,20 +787,16 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
68 static int audit_filter_inode_name(struct task_struct *tsk,
69 struct audit_names *n,
70 struct audit_context *ctx) {
71- int word, bit;
72 int h = audit_hash_ino((u32)n->ino);
73 struct list_head *list = &audit_inode_hash[h];
74 struct audit_entry *e;
75 enum audit_state state;
76
77- word = AUDIT_WORD(ctx->major);
78- bit = AUDIT_BIT(ctx->major);
79-
80 if (list_empty(list))
81 return 0;
82
83 list_for_each_entry_rcu(e, list, list) {
84- if ((e->rule.mask[word] & bit) == bit &&
85+ if (audit_in_mask(&e->rule, ctx->major) &&
86 audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
87 ctx->current_state = state;
88 return 1;
89--
901.9.1
91
diff --git a/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch b/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch
new file mode 100644
index 0000000..635c2bb
--- /dev/null
+++ b/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch
@@ -0,0 +1,47 @@
1From 8545129540a5862b22aad03badb2a9f93bf29117 Mon Sep 17 00:00:00 2001
2From: Bob Cochran <yocto@mindchasers.com>
3Date: Mon, 3 Nov 2014 22:45:35 -0500
4Subject: [meta-fsl-ppc][PATCH] linux-qoriq: Change defconfig for T1040 to
5 match number of CPUS
6
7Having a number higher than necessary for NR_CPUS wastes memory by
8instantiating unnecessary structures in RAM. An example is in the DPAA where
9DPAA_ETH_TX_QUEUES is defined based on NR_CPUS and used to create
10dozens of extra qman_fq structures. Using the prior value of 24, which was
11left over from the T4240 created an additonal 60 frame queue structures alone.
12
13This has been tested on t1040rdb-64b. .
14
15Signed-off-by: Bob Cochran <yocto@mindchasers.com>
16---
17 arch/powerpc/configs/corenet32_fmanv3_smp_defconfig | 2 +-
18 arch/powerpc/configs/corenet64_fmanv3_smp_defconfig | 2 +-
19 2 files changed, 2 insertions(+), 2 deletions(-)
20
21diff --git a/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig b/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig
22index a401e7c..5542248 100644
23--- a/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig
24+++ b/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig
25@@ -1,6 +1,6 @@
26 CONFIG_PPC_85xx=y
27 CONFIG_SMP=y
28-CONFIG_NR_CPUS=8
29+CONFIG_NR_CPUS=4
30 CONFIG_EXPERIMENTAL=y
31 CONFIG_SYSVIPC=y
32 CONFIG_POSIX_MQUEUE=y
33diff --git a/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig b/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig
34index 1b987d9..bc0dacf 100644
35--- a/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig
36+++ b/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig
37@@ -2,7 +2,7 @@ CONFIG_PPC64=y
38 CONFIG_PPC_BOOK3E_64=y
39 CONFIG_ALTIVEC=y
40 CONFIG_SMP=y
41-CONFIG_NR_CPUS=24
42+CONFIG_NR_CPUS=4
43 CONFIG_SYSVIPC=y
44 CONFIG_POSIX_MQUEUE=y
45 CONFIG_IRQ_DOMAIN_DEBUG=y
46--
471.7.9.5
diff --git a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
new file mode 100644
index 0000000..6fc5610
--- /dev/null
+++ b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
@@ -0,0 +1,145 @@
1From 00c53b02cb01976b35d37670a4b5c5d7a6ad3c62 Mon Sep 17 00:00:00 2001
2From: Daniel Borkmann <dborkman@redhat.com>
3Date: Mon, 3 Mar 2014 17:23:04 +0100
4Subject: [PATCH] net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is
5 AUTH capable
6
7[ Upstream commit ec0223ec48a90cb605244b45f7c62de856403729 ]
8
9RFC4895 introduced AUTH chunks for SCTP; during the SCTP
10handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
11being optional though):
12
13 ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
14 <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
15 -------------------- COOKIE-ECHO -------------------->
16 <-------------------- COOKIE-ACK ---------------------
17
18A special case is when an endpoint requires COOKIE-ECHO
19chunks to be authenticated:
20
21 ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
22 <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
23 ------------------ AUTH; COOKIE-ECHO ---------------->
24 <-------------------- COOKIE-ACK ---------------------
25
26RFC4895, section 6.3. Receiving Authenticated Chunks says:
27
28 The receiver MUST use the HMAC algorithm indicated in
29 the HMAC Identifier field. If this algorithm was not
30 specified by the receiver in the HMAC-ALGO parameter in
31 the INIT or INIT-ACK chunk during association setup, the
32 AUTH chunk and all the chunks after it MUST be discarded
33 and an ERROR chunk SHOULD be sent with the error cause
34 defined in Section 4.1. [...] If no endpoint pair shared
35 key has been configured for that Shared Key Identifier,
36 all authenticated chunks MUST be silently discarded. [...]
37
38 When an endpoint requires COOKIE-ECHO chunks to be
39 authenticated, some special procedures have to be followed
40 because the reception of a COOKIE-ECHO chunk might result
41 in the creation of an SCTP association. If a packet arrives
42 containing an AUTH chunk as a first chunk, a COOKIE-ECHO
43 chunk as the second chunk, and possibly more chunks after
44 them, and the receiver does not have an STCB for that
45 packet, then authentication is based on the contents of
46 the COOKIE-ECHO chunk. In this situation, the receiver MUST
47 authenticate the chunks in the packet by using the RANDOM
48 parameters, CHUNKS parameters and HMAC_ALGO parameters
49 obtained from the COOKIE-ECHO chunk, and possibly a local
50 shared secret as inputs to the authentication procedure
51 specified in Section 6.3. If authentication fails, then
52 the packet is discarded. If the authentication is successful,
53 the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
54 MUST be processed. If the receiver has an STCB, it MUST
55 process the AUTH chunk as described above using the STCB
56 from the existing association to authenticate the
57 COOKIE-ECHO chunk and all the chunks after it. [...]
58
59Commit bbd0d59809f9 introduced the possibility to receive
60and verification of AUTH chunk, including the edge case for
61authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
62the function sctp_sf_do_5_1D_ce() handles processing,
63unpacks and creates a new association if it passed sanity
64checks and also tests for authentication chunks being
65present. After a new association has been processed, it
66invokes sctp_process_init() on the new association and
67walks through the parameter list it received from the INIT
68chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
69and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
70meta data (peer_random, peer_hmacs, peer_chunks) in case
71sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
72SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
73peer_random != NULL and peer_hmacs != NULL the peer is to be
74assumed asoc->peer.auth_capable=1, in any other case
75asoc->peer.auth_capable=0.
76
77Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
78available, we set up a fake auth chunk and pass that on to
79sctp_sf_authenticate(), which at latest in
80sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
81at position 0..0008 when setting up the crypto key in
82crypto_hash_setkey() by using asoc->asoc_shared_key that is
83NULL as condition key_id == asoc->active_key_id is true if
84the AUTH chunk was injected correctly from remote. This
85happens no matter what net.sctp.auth_enable sysctl says.
86
87The fix is to check for net->sctp.auth_enable and for
88asoc->peer.auth_capable before doing any operations like
89sctp_sf_authenticate() as no key is activated in
90sctp_auth_asoc_init_active_key() for each case.
91
92Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
93passed from the INIT chunk was not used in the AUTH chunk, we
94SHOULD send an error; however in this case it would be better
95to just silently discard such a maliciously prepared handshake
96as we didn't even receive a parameter at all. Also, as our
97endpoint has no shared key configured, section 6.3 says that
98MUST silently discard, which we are doing from now onwards.
99
100Before calling sctp_sf_pdiscard(), we need not only to free
101the association, but also the chunk->auth_chunk skb, as
102commit bbd0d59809f9 created a skb clone in that case.
103
104I have tested this locally by using netfilter's nfqueue and
105re-injecting packets into the local stack after maliciously
106modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
107and the SCTP packet containing the COOKIE_ECHO (injecting
108AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
109
110This fixes CVE-2014-0101
111Upstream-Status: Backport
112
113Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
114Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
115Cc: Vlad Yasevich <yasevich@gmail.com>
116Cc: Neil Horman <nhorman@tuxdriver.com>
117Acked-by: Vlad Yasevich <vyasevich@gmail.com>
118Signed-off-by: David S. Miller <davem@davemloft.net>
119Signed-off-by: Jiri Slaby <jslaby@suse.cz>
120Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
121---
122 net/sctp/sm_statefuns.c | 7 +++++++
123 1 file changed, 7 insertions(+)
124
125diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
126index dfe3f36..56ebe71 100644
127--- a/net/sctp/sm_statefuns.c
128+++ b/net/sctp/sm_statefuns.c
129@@ -759,6 +759,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
130 struct sctp_chunk auth;
131 sctp_ierror_t ret;
132
133+ /* Make sure that we and the peer are AUTH capable */
134+ if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
135+ kfree_skb(chunk->auth_chunk);
136+ sctp_association_free(new_asoc);
137+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
138+ }
139+
140 /* set-up our fake chunk so that we can process it */
141 auth.skb = chunk->auth_chunk;
142 auth.asoc = chunk->asoc;
143--
1441.9.1
145
diff --git a/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch b/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch
new file mode 100644
index 0000000..2fdcc9f
--- /dev/null
+++ b/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch
@@ -0,0 +1,80 @@
1From 7998eb3dc700aaf499f93f50b3d77da834ef9e1d Mon Sep 17 00:00:00 2001
2From: Guenter Roeck <linux@roeck-us.net>
3Date: Thu, 15 May 2014 09:33:42 -0700
4Subject: powerpc: Fix 64 bit builds with binutils 2.24
5
6Upstream-Status: Backport
7
8With binutils 2.24, various 64 bit builds fail with relocation errors
9such as
10
11arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e':
12 (.text+0x165ee): relocation truncated to fit: R_PPC64_ADDR16_HI
13 against symbol `interrupt_base_book3e' defined in .text section
14 in arch/powerpc/kernel/built-in.o
15arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e':
16 (.text+0x16602): relocation truncated to fit: R_PPC64_ADDR16_HI
17 against symbol `interrupt_end_book3e' defined in .text section
18 in arch/powerpc/kernel/built-in.o
19
20The assembler maintainer says:
21
22 I changed the ABI, something that had to be done but unfortunately
23 happens to break the booke kernel code. When building up a 64-bit
24 value with lis, ori, shl, oris, ori or similar sequences, you now
25 should use @high and @higha in place of @h and @ha. @h and @ha
26 (and their associated relocs R_PPC64_ADDR16_HI and R_PPC64_ADDR16_HA)
27 now report overflow if the value is out of 32-bit signed range.
28 ie. @h and @ha assume you're building a 32-bit value. This is needed
29 to report out-of-range -mcmodel=medium toc pointer offsets in @toc@h
30 and @toc@ha expressions, and for consistency I did the same for all
31 other @h and @ha relocs.
32
33Replacing @h with @high in one strategic location fixes the relocation
34errors. This has to be done conditionally since the assembler either
35supports @h or @high but not both.
36
37Cc: <stable@vger.kernel.org>
38Signed-off-by: Guenter Roeck <linux@roeck-us.net>
39Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
40
41diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
42index 4c0cedf..ce4c68a 100644
43--- a/arch/powerpc/Makefile
44+++ b/arch/powerpc/Makefile
45@@ -150,7 +150,9 @@ endif
46
47 CFLAGS-$(CONFIG_TUNE_CELL) += $(call cc-option,-mtune=cell)
48
49-KBUILD_CPPFLAGS += -Iarch/$(ARCH)
50+asinstr := $(call as-instr,lis 9$(comma)foo@high,-DHAVE_AS_ATHIGH=1)
51+
52+KBUILD_CPPFLAGS += -Iarch/$(ARCH) $(asinstr)
53 KBUILD_AFLAGS += -Iarch/$(ARCH)
54 KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y)
55 CPP = $(CC) -E $(KBUILD_CFLAGS)
56diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h
57index 6586a40..cded7c1 100644
58--- a/arch/powerpc/include/asm/ppc_asm.h
59+++ b/arch/powerpc/include/asm/ppc_asm.h
60@@ -318,11 +318,16 @@ n:
61 addi reg,reg,(name - 0b)@l;
62
63 #ifdef __powerpc64__
64+#ifdef HAVE_AS_ATHIGH
65+#define __AS_ATHIGH high
66+#else
67+#define __AS_ATHIGH h
68+#endif
69 #define LOAD_REG_IMMEDIATE(reg,expr) \
70 lis reg,(expr)@highest; \
71 ori reg,reg,(expr)@higher; \
72 rldicr reg,reg,32,31; \
73- oris reg,reg,(expr)@h; \
74+ oris reg,reg,(expr)@__AS_ATHIGH; \
75 ori reg,reg,(expr)@l;
76
77 #define LOAD_REG_ADDR(reg,name) \
78--
79cgit v0.10.1
80
diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
new file mode 100644
index 0000000..e7b1228
--- /dev/null
+++ b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
@@ -0,0 +1,51 @@
1From ddb638e68690ca61959775b262a5ef0719c5c066 Mon Sep 17 00:00:00 2001
2From: Xufeng Zhang <xufeng.zhang@windriver.com>
3Date: Thu, 12 Jun 2014 10:53:36 +0800
4Subject: [PATCH] sctp: Fix sk_ack_backlog wrap-around problem
5
6[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ]
7
8Consider the scenario:
9For a TCP-style socket, while processing the COOKIE_ECHO chunk in
10sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
11a new association would be created in sctp_unpack_cookie(), but afterwards,
12some processing maybe failed, and sctp_association_free() will be called to
13free the previously allocated association, in sctp_association_free(),
14sk_ack_backlog value is decremented for this socket, since the initial
15value for sk_ack_backlog is 0, after the decrement, it will be 65535,
16a wrap-around problem happens, and if we want to establish new associations
17afterward in the same socket, ABORT would be triggered since sctp deem the
18accept queue as full.
19Fix this issue by only decrementing sk_ack_backlog for associations in
20the endpoint's list.
21
22Fixes CVE-2014-4667
23Upstream-Status: Backport
24
25Fix-suggested-by: Neil Horman <nhorman@tuxdriver.com>
26Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
27Acked-by: Daniel Borkmann <dborkman@redhat.com>
28Acked-by: Vlad Yasevich <vyasevich@gmail.com>
29Signed-off-by: David S. Miller <davem@davemloft.net>
30Signed-off-by: Jiri Slaby <jslaby@suse.cz>
31Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
32---
33 net/sctp/associola.c | 2 +-
34 1 file changed, 1 insertion(+), 1 deletion(-)
35
36diff --git a/net/sctp/associola.c b/net/sctp/associola.c
37index cef5099..f6d6dcd 100644
38--- a/net/sctp/associola.c
39+++ b/net/sctp/associola.c
40@@ -375,7 +375,7 @@ void sctp_association_free(struct sctp_association *asoc)
41 /* Only real associations count against the endpoint, so
42 * don't bother for if this is a temporary association.
43 */
44- if (!asoc->temp) {
45+ if (!list_empty(&asoc->asocs)) {
46 list_del(&asoc->asocs);
47
48 /* Decrement the backlog value for a TCP-style listening
49--
501.9.1
51
diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch b/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch
new file mode 100644
index 0000000..0c4beb3
--- /dev/null
+++ b/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch
@@ -0,0 +1,85 @@
1From 4008f1dbe6fea8114e7f79ed2d238e369dc9138f Mon Sep 17 00:00:00 2001
2From: Daniel Borkmann <dborkman@redhat.com>
3Date: Mon, 10 Nov 2014 17:54:26 +0100
4Subject: [PATCH] net: sctp: fix NULL pointer dereference in
5 af->from_addr_param on malformed packet
6
7[ Upstream commit e40607cbe270a9e8360907cb1e62ddf0736e4864 ]
8
9An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
10in the form of:
11
12 ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
13
14While the INIT chunk parameter verification dissects through many things
15in order to detect malformed input, it misses to actually check parameters
16inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
17IP address' parameter in ASCONF, which has as a subparameter an address
18parameter.
19
20So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
21or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
22and thus sctp_get_af_specific() returns NULL, too, which we then happily
23dereference unconditionally through af->from_addr_param().
24
25The trace for the log:
26
27BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
28IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
29PGD 0
30Oops: 0000 [#1] SMP
31[...]
32Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
33RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
34[...]
35Call Trace:
36 <IRQ>
37 [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
38 [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
39 [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
40 [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
41 [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
42 [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
43 [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
44 [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
45 [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
46 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
47 [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
48 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
49[...]
50
51A minimal way to address this is to check for NULL as we do on all
52other such occasions where we know sctp_get_af_specific() could
53possibly return with NULL.
54
55Fix for CVE-2014-7841
56Upstream-Status: Backport
57
58Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
59Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
60Cc: Vlad Yasevich <vyasevich@gmail.com>
61Acked-by: Neil Horman <nhorman@tuxdriver.com>
62Signed-off-by: David S. Miller <davem@davemloft.net>
63Signed-off-by: Jiri Slaby <jslaby@suse.cz>
64Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
65---
66 net/sctp/sm_make_chunk.c | 3 +++
67 1 file changed, 3 insertions(+)
68
69diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
70index 1e06f3b..e342387 100644
71--- a/net/sctp/sm_make_chunk.c
72+++ b/net/sctp/sm_make_chunk.c
73@@ -2622,6 +2622,9 @@ do_addr_param:
74 addr_param = param.v + sizeof(sctp_addip_param_t);
75
76 af = sctp_get_af_specific(param_type2af(param.p->type));
77+ if (af == NULL)
78+ break;
79+
80 af->from_addr_param(&addr, addr_param,
81 htons(asoc->peer.port), 0);
82
83--
841.9.1
85
diff --git a/recipes-kernel/linux/files/udf-CVE-2014-6410.patch b/recipes-kernel/linux/files/udf-CVE-2014-6410.patch
new file mode 100644
index 0000000..9086e0a
--- /dev/null
+++ b/recipes-kernel/linux/files/udf-CVE-2014-6410.patch
@@ -0,0 +1,96 @@
1From 07d209bd092d023976fdb881ba6d4b30fe18aebe Mon Sep 17 00:00:00 2001
2From: Jan Kara <jack@suse.cz>
3Date: Thu, 4 Sep 2014 14:06:55 +0200
4Subject: [PATCH] udf: Avoid infinite loop when processing indirect ICBs
5
6commit c03aa9f6e1f938618e6db2e23afef0574efeeb65 upstream.
7
8We did not implement any bound on number of indirect ICBs we follow when
9loading inode. Thus corrupted medium could cause kernel to go into an
10infinite loop, possibly causing a stack overflow.
11
12Fix the possible stack overflow by removing recursion from
13__udf_read_inode() and limit number of indirect ICBs we follow to avoid
14infinite loops.
15
16Upstream-Status: Backport
17
18Signed-off-by: Jan Kara <jack@suse.cz>
19Cc: Chuck Ebbert <cebbert.lkml@gmail.com>
20Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
21Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
22---
23 fs/udf/inode.c | 35 +++++++++++++++++++++--------------
24 1 file changed, 21 insertions(+), 14 deletions(-)
25
26diff --git a/fs/udf/inode.c b/fs/udf/inode.c
27index b6d15d3..aa02328 100644
28--- a/fs/udf/inode.c
29+++ b/fs/udf/inode.c
30@@ -1270,13 +1270,22 @@ update_time:
31 return 0;
32 }
33
34+/*
35+ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
36+ * arbitrary - just that we hopefully don't limit any real use of rewritten
37+ * inode on write-once media but avoid looping for too long on corrupted media.
38+ */
39+#define UDF_MAX_ICB_NESTING 1024
40+
41 static void __udf_read_inode(struct inode *inode)
42 {
43 struct buffer_head *bh = NULL;
44 struct fileEntry *fe;
45 uint16_t ident;
46 struct udf_inode_info *iinfo = UDF_I(inode);
47+ unsigned int indirections = 0;
48
49+reread:
50 /*
51 * Set defaults, but the inode is still incomplete!
52 * Note: get_new_inode() sets the following on a new inode:
53@@ -1313,28 +1322,26 @@ static void __udf_read_inode(struct inode *inode)
54 ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
55 &ident);
56 if (ident == TAG_IDENT_IE && ibh) {
57- struct buffer_head *nbh = NULL;
58 struct kernel_lb_addr loc;
59 struct indirectEntry *ie;
60
61 ie = (struct indirectEntry *)ibh->b_data;
62 loc = lelb_to_cpu(ie->indirectICB.extLocation);
63
64- if (ie->indirectICB.extLength &&
65- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
66- &ident))) {
67- if (ident == TAG_IDENT_FE ||
68- ident == TAG_IDENT_EFE) {
69- memcpy(&iinfo->i_location,
70- &loc,
71- sizeof(struct kernel_lb_addr));
72- brelse(bh);
73- brelse(ibh);
74- brelse(nbh);
75- __udf_read_inode(inode);
76+ if (ie->indirectICB.extLength) {
77+ brelse(bh);
78+ brelse(ibh);
79+ memcpy(&iinfo->i_location, &loc,
80+ sizeof(struct kernel_lb_addr));
81+ if (++indirections > UDF_MAX_ICB_NESTING) {
82+ udf_err(inode->i_sb,
83+ "too many ICBs in ICB hierarchy"
84+ " (max %d supported)\n",
85+ UDF_MAX_ICB_NESTING);
86+ make_bad_inode(inode);
87 return;
88 }
89- brelse(nbh);
90+ goto reread;
91 }
92 }
93 brelse(ibh);
94--
951.9.1
96
diff --git a/recipes-kernel/linux/linux-qoriq-prt_3.12.bb b/recipes-kernel/linux/linux-qoriq-prt_3.12.bb
new file mode 100644
index 0000000..1716651
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq-prt_3.12.bb
@@ -0,0 +1,8 @@
1require recipes-kernel/linux/linux-qoriq.inc
2
3SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
4 file://powerpc-Fix-64-bit-builds-with-binutils-2.24.patch \
5 file://Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch \
6"
7SRCREV = "c29fe1a733308cbe592b3af054a97be1b91cf2dd"
8
diff --git a/recipes-kernel/linux/linux-qoriq.inc b/recipes-kernel/linux/linux-qoriq.inc
new file mode 100644
index 0000000..3534445
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq.inc
@@ -0,0 +1,46 @@
1inherit kernel qoriq_build_64bit_kernel
2require recipes-kernel/linux/linux-dtb.inc
3
4DESCRIPTION = "Linux kernel for Freescale platforms"
5SECTION = "kernel"
6LICENSE = "GPLv2"
7LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"
8
9KSRC ?= ""
10S = '${@base_conditional("KSRC", "", "${WORKDIR}/git", "${KSRC}", d)}'
11
12DEPENDS_append = " libgcc"
13KERNEL_CC_append = " ${TOOLCHAIN_OPTIONS}"
14KERNEL_LD_append = " ${TOOLCHAIN_OPTIONS}"
15
16SCMVERSION ?= "y"
17DELTA_KERNEL_DEFCONFIG ?= ""
18do_configure_prepend() {
19 # copy desired defconfig so we pick it up for the real kernel_do_configure
20 cp ${KERNEL_DEFCONFIG} ${B}/.config
21
22 # add config fragments
23 for deltacfg in ${DELTA_KERNEL_DEFCONFIG}; do
24 if [ -f "${WORKDIR}/${deltacfg}" ]; then
25 ${S}/scripts/kconfig/merge_config.sh -m .config ${WORKDIR}/${deltacfg}
26 elif [ -f "${S}/arch/powerpc/configs/${deltacfg}" ]; then
27 ${S}/scripts/kconfig/merge_config.sh -m .config \
28 ${S}/arch/powerpc/configs/${deltacfg}
29 fi
30 done
31
32 #add git revision to the local version
33 if [ "${SCMVERSION}" = "y" ]; then
34 # append sdk version if SDK_VERSION is defined
35 sdkversion=''
36 if [ -n "${SDK_VERSION}" ]; then
37 sdkversion="-${SDK_VERSION}"
38 fi
39 head=`git --git-dir=${S}/.git rev-parse --verify --short HEAD 2> /dev/null`
40 printf "%s%s%s" $sdkversion +g $head > ${B}/.scmversion
41 fi
42}
43
44# make everything compatible for the time being
45COMPATIBLE_MACHINE_$MACHINE = "$MACHINE"
46
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
new file mode 100644
index 0000000..5c67dc3
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -0,0 +1,32 @@
1require recipes-kernel/linux/linux-qoriq.inc
2
3SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
4 file://powerpc-Fix-64-bit-builds-with-binutils-2.24.patch \
5 file://Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch \
6 file://Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch \
7 file://Fix-CVE-2014-5471_CVE-2014-5472.patch \
8 file://modify-defconfig-t1040-nr-cpus.patch \
9 file://0001-mnt-CVE-2014-5206_CVE-2014-5207.patch \
10 file://0002-mnt-CVE-2014-5206_CVE-2014-5207.patch \
11 file://0003-mnt-CVE-2014-5206_CVE-2014-5207.patch \
12 file://0004-mnt-CVE-2014-5206_CVE-2014-5207.patch \
13 file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
14 file://udf-CVE-2014-6410.patch \
15 file://net-sctp-CVE-2014-0101.patch \
16 file://0001-HID-CVE-2014-3181.patch \
17 file://0002-HID-CVE-2014-3182.patch \
18 file://0003-HID-CVE-2014-3184.patch \
19 file://0004-USB-CVE-2014-3185.patch \
20 file://0001-kvm-iommu-CVE-2014-3601.patch \
21 file://0002-kvm-iommu-CVE-2014-8369.patch \
22 file://0001-net-sctp-CVE-2014-3673.patch \
23 file://0002-net-sctp-CVE-2014-3687.patch \
24 file://0003-net-sctp-CVE-2014-3688.patch \
25 file://auditsc-CVE-2014-3917.patch \
26 file://0001-ALSA-CVE-2014-4652.patch \
27 file://0002-ALSA-CVE-2014-4653.patch \
28 file://sctp-CVE-2014-4667.patch \
29 file://sctp-CVE-2014-7841.patch \
30"
31SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
32
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-06-14 14:09:52 +0000