[packages/kernel/LINUX_4_1] - 4.1.40

baggins baggins at pld-linux.org
Sun Jun 4 11:10:37 CEST 2017


commit 5703aaee26bee58dbf5098146c2f58c0eb9efbfc
Author: Jan Rękorajski <baggins at pld-linux.org>
Date:   Sun Jun 4 11:10:24 2017 +0200

    - 4.1.40

 kernel-small_fixes.patch | 115 -----------------------------------------------
 kernel.spec              |   6 +--
 2 files changed, 3 insertions(+), 118 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 877b4a32..1b104112 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -74,9 +74,9 @@
 %define		have_pcmcia	0
 %endif
 
-%define		rel		2
+%define		rel		1
 %define		basever		4.1
-%define		postver		.39
+%define		postver		.40
 
 # define this to '-%{basever}' for longterm branch
 %define		versuffix	-%{basever}
@@ -125,7 +125,7 @@ Source0:	http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{basever}.tar.xz
 # Source0-md5:	fe9dc0f6729f36400ea81aa41d614c37
 %if "%{postver}" != ".0"
 Patch0:		http://www.kernel.org/pub/linux/kernel/v4.x/patch-%{version}.xz
-# Patch0-md5:	899a9b178d49c145de7df9712aaafefc
+# Patch0-md5:	983f7240b2089186027fbef6dec65430
 %endif
 Source1:	kernel.sysconfig
 
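Review bot: The updated `# Patch0-md5:` comment is the only integrity check visible here for the 4.1.40 patch, and the `Patch0:` URL it belongs to is still plain `http://`. MD5 is not collision-resistant, so this digest catches corruption but does not protect against a tampered download. Consider `Patch0:		https://www.kernel.org/pub/linux/kernel/v4.x/patch-%{version}.xz` and checking the file against kernel.org's signed checksums before recording the digest. If the packaging tooling needs the md5 comment, keep it as a secondary check. The same applies to `Source0` and its `# Source0-md5:` line at the top of this hunk.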
diff --git a/kernel-small_fixes.patch b/kernel-small_fixes.patch
index a2fa50e2..1e3ab989 100644
--- a/kernel-small_fixes.patch
+++ b/kernel-small_fixes.patch
@@ -297,86 +297,6 @@ index 75b2745bac41..37d0b334bfe9 100644
 -- 
 1.8.5.6
 
-patches.fixes/0001-ipc-shm-Fix-shmat-mmap-nil-page-protection.patch
-From 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 Mon Sep 17 00:00:00 2001
-From: Davidlohr Bueso <dave at stgolabs.net>
-Date: Mon, 27 Feb 2017 14:28:24 -0800
-Subject: [PATCH] ipc/shm: Fix shmat mmap nil-page protection
-Git-commit: 95e91b831f87ac8e1f8ed50c14d709089b4e01b8
-Patch-mainline: v4.11-rc1
-References: CVE-2017-5669 bsc#1026914
-
-The issue is described here, with a nice testcase:
-
-    https://bugzilla.kernel.org/show_bug.cgi?id=192931
-
-The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
-the address rounded down to 0.  For the regular mmap case, the
-protection mentioned above is that the kernel gets to generate the
-address -- arch_get_unmapped_area() will always check for MAP_FIXED and
-return that address.  So by the time we do security_mmap_addr(0) things
-get funky for shmat().
-
-The testcase itself shows that while a regular user crashes, root will
-not have a problem attaching a nil-page.  There are two possible fixes
-to this.  The first, and which this patch does, is to simply allow root
-to crash as well -- this is also regular mmap behavior, ie when hacking
-up the testcase and adding mmap(...  |MAP_FIXED).  While this approach
-is the safer option, the second alternative is to ignore SHM_RND if the
-rounded address is 0, thus only having MAP_SHARED flags.  This makes the
-behavior of shmat() identical to the mmap() case.  The downside of this
-is obviously user visible, but does make sense in that it maintains
-semantics after the round-down wrt 0 address and mmap.
-
-Passes shm related ltp tests.
-
-Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
-Signed-off-by: Davidlohr Bueso <dbueso at suse.de>
-Reported-by: Gareth Evans <gareth.evans at contextis.co.uk>
-Cc: Manfred Spraul <manfred at colorfullife.com>
-Cc: Michael Kerrisk <mtk.manpages at googlemail.com>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-
----
- ipc/shm.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/ipc/shm.c b/ipc/shm.c
-index d7805acb44fd..06ea9ef7f54a 100644
---- a/ipc/shm.c
-+++ b/ipc/shm.c
-@@ -1091,8 +1091,8 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
-  * "raddr" thing points to kernel space, and there has to be a wrapper around
-  * this.
-  */
--long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
--	      unsigned long shmlba)
-+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
-+	      ulong *raddr, unsigned long shmlba)
- {
- 	struct shmid_kernel *shp;
- 	unsigned long addr;
-@@ -1113,8 +1113,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
- 		goto out;
- 	else if ((addr = (ulong)shmaddr)) {
- 		if (addr & (shmlba - 1)) {
--			if (shmflg & SHM_RND)
--				addr &= ~(shmlba - 1);	   /* round down */
-+			/*
-+			 * Round down to the nearest multiple of shmlba.
-+			 * For sane do_mmap_pgoff() parameters, avoid
-+			 * round downs that trigger nil-page and MAP_FIXED.
-+			 */
-+			if ((shmflg & SHM_RND) && addr >= shmlba)
-+				addr &= ~(shmlba - 1);
- 			else
- #ifndef __ARCH_FORCE_SHMLBA
- 				if (addr & ~PAGE_MASK)
--- 
-2.6.6
-
 patches.fixes/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
 From: Kangjie Lu <kangjielu at gmail.com>
 Date: Thu, 2 Jun 2016 04:11:20 -0400
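Review bot: Two security backports are dropped from kernel-small_fixes.patch with no reason given in the commit message (`- 4.1.40`): the ipc/shm nil-page fix here (References: CVE-2017-5669) and the sg `SG_NEXT_CMD_LEN` length check in the next hunk (References: CVE-2017-7187). Presumably both are now part of the 4.1.40 stable patch, but nothing on this page confirms it. The message should record that, for example `- 4.1.40; dropped shm nil-page and sg SG_NEXT_CMD_LEN fixes (included upstream)`. Check both against the 4.1.40 changelog before release, since a missing one would mean the package silently loses a CVE fix.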
@@ -2481,41 +2401,6 @@ Acked-by: Johannes Thumshirn <jthumshirn at suse.de>
  	iov_for_each(iov, i, *iter) {
  		unsigned long uaddr = (unsigned long) iov.iov_base;
  
-patches.fixes/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
-From: peter chang <dpf at google.com>
-Date: Wed, 15 Feb 2017 14:11:54 -0800
-Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
-Git-commit: bf33f87dd04c371ea33feb821b60d63d754e3124
-Patch-mainline: v4.11-rc5
-References: bsc#1030213, CVE-2017-7187
-
-The user can control the size of the next command passed along, but the
-value passed to the ioctl isn't checked against the usable max command
-size.
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Peter Chang <dpf at google.com>
-Acked-by: Douglas Gilbert <dgilbert at interlog.com>
-Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
-Acked-by: Johannes Thumshirn <jthumshirn at suse.de>
----
- drivers/scsi/sg.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index e831e01..849ff81 100644
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
- 		result = get_user(val, ip);
- 		if (result)
- 			return result;
-+		if (val > SG_MAX_CDB_SIZE)
-+			return -ENOMEM;
- 		sfp->next_cmd_len = (val > 0) ? val : 0;
- 		return 0;
- 	case SG_GET_VERSION_NUM:
-
 patches.fixes/media-xc2028-avoid-use-after-free
 From 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 Mon Sep 17 00:00:00 2001
 From: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/5703aaee26bee58dbf5098146c2f58c0eb9efbfc


