[packages/kernel/LINUX_4_1] - 4.1.40
baggins
baggins at pld-linux.org
Sun Jun 4 11:10:37 CEST 2017
commit 5703aaee26bee58dbf5098146c2f58c0eb9efbfc
Author: Jan Rękorajski <baggins at pld-linux.org>
Date: Sun Jun 4 11:10:24 2017 +0200
- 4.1.40
kernel-small_fixes.patch | 115 -----------------------------------------------
kernel.spec | 6 +--
2 files changed, 3 insertions(+), 118 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 877b4a32..1b104112 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -74,9 +74,9 @@
%define have_pcmcia 0
%endif
-%define rel 2
+%define rel 1
%define basever 4.1
-%define postver .39
+%define postver .40
# define this to '-%{basever}' for longterm branch
%define versuffix -%{basever}
@@ -125,7 +125,7 @@ Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{basever}.tar.xz
# Source0-md5: fe9dc0f6729f36400ea81aa41d614c37
%if "%{postver}" != ".0"
Patch0: http://www.kernel.org/pub/linux/kernel/v4.x/patch-%{version}.xz
-# Patch0-md5: 899a9b178d49c145de7df9712aaafefc
+# Patch0-md5: 983f7240b2089186027fbef6dec65430
%endif
Source1: kernel.sysconfig
diff --git a/kernel-small_fixes.patch b/kernel-small_fixes.patch
index a2fa50e2..1e3ab989 100644
--- a/kernel-small_fixes.patch
+++ b/kernel-small_fixes.patch
@@ -297,86 +297,6 @@ index 75b2745bac41..37d0b334bfe9 100644
--
1.8.5.6
-patches.fixes/0001-ipc-shm-Fix-shmat-mmap-nil-page-protection.patch
-From 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 Mon Sep 17 00:00:00 2001
-From: Davidlohr Bueso <dave at stgolabs.net>
-Date: Mon, 27 Feb 2017 14:28:24 -0800
-Subject: [PATCH] ipc/shm: Fix shmat mmap nil-page protection
-Git-commit: 95e91b831f87ac8e1f8ed50c14d709089b4e01b8
-Patch-mainline: v4.11-rc1
-References: CVE-2017-5669 bsc#1026914
-
-The issue is described here, with a nice testcase:
-
- https://bugzilla.kernel.org/show_bug.cgi?id=192931
-
-The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
-the address rounded down to 0. For the regular mmap case, the
-protection mentioned above is that the kernel gets to generate the
-address -- arch_get_unmapped_area() will always check for MAP_FIXED and
-return that address. So by the time we do security_mmap_addr(0) things
-get funky for shmat().
-
-The testcase itself shows that while a regular user crashes, root will
-not have a problem attaching a nil-page. There are two possible fixes
-to this. The first, and which this patch does, is to simply allow root
-to crash as well -- this is also regular mmap behavior, ie when hacking
-up the testcase and adding mmap(... |MAP_FIXED). While this approach
-is the safer option, the second alternative is to ignore SHM_RND if the
-rounded address is 0, thus only having MAP_SHARED flags. This makes the
-behavior of shmat() identical to the mmap() case. The downside of this
-is obviously user visible, but does make sense in that it maintains
-semantics after the round-down wrt 0 address and mmap.
-
-Passes shm related ltp tests.
-
-Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
-Signed-off-by: Davidlohr Bueso <dbueso at suse.de>
-Reported-by: Gareth Evans <gareth.evans at contextis.co.uk>
-Cc: Manfred Spraul <manfred at colorfullife.com>
-Cc: Michael Kerrisk <mtk.manpages at googlemail.com>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-
----
- ipc/shm.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/ipc/shm.c b/ipc/shm.c
-index d7805acb44fd..06ea9ef7f54a 100644
---- a/ipc/shm.c
-+++ b/ipc/shm.c
-@@ -1091,8 +1091,8 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
- * "raddr" thing points to kernel space, and there has to be a wrapper around
- * this.
- */
--long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
-- unsigned long shmlba)
-+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
-+ ulong *raddr, unsigned long shmlba)
- {
- struct shmid_kernel *shp;
- unsigned long addr;
-@@ -1113,8 +1113,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
- goto out;
- else if ((addr = (ulong)shmaddr)) {
- if (addr & (shmlba - 1)) {
-- if (shmflg & SHM_RND)
-- addr &= ~(shmlba - 1); /* round down */
-+ /*
-+ * Round down to the nearest multiple of shmlba.
-+ * For sane do_mmap_pgoff() parameters, avoid
-+ * round downs that trigger nil-page and MAP_FIXED.
-+ */
-+ if ((shmflg & SHM_RND) && addr >= shmlba)
-+ addr &= ~(shmlba - 1);
- else
- #ifndef __ARCH_FORCE_SHMLBA
- if (addr & ~PAGE_MASK)
---
-2.6.6
-
patches.fixes/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
From: Kangjie Lu <kangjielu at gmail.com>
Date: Thu, 2 Jun 2016 04:11:20 -0400
@@ -2481,41 +2401,6 @@ Acked-by: Johannes Thumshirn <jthumshirn at suse.de>
iov_for_each(iov, i, *iter) {
unsigned long uaddr = (unsigned long) iov.iov_base;
-patches.fixes/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
-From: peter chang <dpf at google.com>
-Date: Wed, 15 Feb 2017 14:11:54 -0800
-Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
-Git-commit: bf33f87dd04c371ea33feb821b60d63d754e3124
-Patch-mainline: v4.11-rc5
-References: bsc#1030213, CVE-2017-7187
-
-The user can control the size of the next command passed along, but the
-value passed to the ioctl isn't checked against the usable max command
-size.
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Peter Chang <dpf at google.com>
-Acked-by: Douglas Gilbert <dgilbert at interlog.com>
-Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
-Acked-by: Johannes Thumshirn <jthumshirn at suse.de>
----
- drivers/scsi/sg.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index e831e01..849ff81 100644
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
- result = get_user(val, ip);
- if (result)
- return result;
-+ if (val > SG_MAX_CDB_SIZE)
-+ return -ENOMEM;
- sfp->next_cmd_len = (val > 0) ? val : 0;
- return 0;
- case SG_GET_VERSION_NUM:
-
patches.fixes/media-xc2028-avoid-use-after-free
From 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/5703aaee26bee58dbf5098146c2f58c0eb9efbfc
More information about the pld-cvs-commit
mailing list