4.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Aug 2016 16:01:06 +0000 (18:01 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Aug 2016 16:01:06 +0000 (18:01 +0200)
added patches:
apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch
arm-oabi-compat-add-missing-access-checks.patch
ib-hfi1-disable-by-default.patch
keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
random-strengthen-input-validation-for-rndaddtoentcnt.patch

queue-4.7/apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch [new file with mode: 0644]
queue-4.7/arm-oabi-compat-add-missing-access-checks.patch [new file with mode: 0644]
queue-4.7/ib-hfi1-disable-by-default.patch [new file with mode: 0644]
queue-4.7/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch [new file with mode: 0644]
queue-4.7/random-strengthen-input-validation-for-rndaddtoentcnt.patch [new file with mode: 0644]
queue-4.7/series

diff --git a/queue-4.7/apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch b/queue-4.7/apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch
new file mode 100644 (file)
index 0000000..80d7f82
--- /dev/null
@@ -0,0 +1,27 @@
+From 0b938a2e2cf0b0a2c8bac9769111545aff0fee97 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 18 Nov 2015 11:41:05 -0800
+Subject: apparmor: fix ref count leak when profile sha1 hash is read
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 0b938a2e2cf0b0a2c8bac9769111545aff0fee97 upstream.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Seth Arnold <seth.arnold@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/apparmorfs.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct se
+                       seq_printf(seq, "%.2x", profile->hash[i]);
+               seq_puts(seq, "\n");
+       }
++      aa_put_profile(profile);
+       return 0;
+ }
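Review bot: The patch description is empty below the `commit … upstream` line, so a backporter cannot tell from this hunk what the dropped reference costs; the subject only says the count leaks when the sha1 hash is read. A one-sentence body would help, along the lines of `Each read of a profile's sha1 file took a profile reference that was never dropped, so a replaced or removed profile stayed pinned in memory.` — the acquisition is above the hunk and should be checked against the 4.7 tree before that wording is used. aa_fs_seq_hash_show starts outside the hunk, so whether any earlier return path also needs the `aa_put_profile(profile)` cannot be confirmed here; if one exists, it needs the same release.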
diff --git a/queue-4.7/arm-oabi-compat-add-missing-access-checks.patch b/queue-4.7/arm-oabi-compat-add-missing-access-checks.patch
new file mode 100644 (file)
index 0000000..c1912a4
--- /dev/null
@@ -0,0 +1,49 @@
+From 7de249964f5578e67b99699c5f0b405738d820a2 Mon Sep 17 00:00:00 2001
+From: Dave Weinstein <olorin@google.com>
+Date: Thu, 28 Jul 2016 11:55:41 -0700
+Subject: arm: oabi compat: add missing access checks
+
+From: Dave Weinstein <olorin@google.com>
+
+commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream.
+
+Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
+This fixes CVE-2016-3857, a local privilege escalation under
+CONFIG_OABI_COMPAT.
+
+Reported-by: Chiachih Wu <wuchiachih@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Dave Weinstein <olorin@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/sys_oabi-compat.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -279,8 +279,12 @@ asmlinkage long sys_oabi_epoll_wait(int
+       mm_segment_t fs;
+       long ret, err, i;
+-      if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
++      if (maxevents <= 0 ||
++                      maxevents > (INT_MAX/sizeof(*kbuf)) ||
++                      maxevents > (INT_MAX/sizeof(*events)))
+               return -EINVAL;
++      if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
++              return -EFAULT;
+       kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
+       if (!kbuf)
+               return -ENOMEM;
+@@ -317,6 +321,8 @@ asmlinkage long sys_oabi_semtimedop(int
+       if (nsops < 1 || nsops > SEMOPM)
+               return -EINVAL;
++      if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
++              return -EFAULT;
+       sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+       if (!sops)
+               return -ENOMEM;
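Review bot: The two new access_ok() calls carry no comment saying why an explicit range check is needed here, and the reason is not visible in the hunk: the `mm_segment_t fs` local at the top of sys_oabi_epoll_wait suggests these wrappers switch to KERNEL_DS and then copy through the user pointer with the unchecked `__` accessors, which is the pattern that made the missing check exploitable. A one-line comment above each check, e.g. `/* Check the user range here: the copy below runs after set_fs(KERNEL_DS) with unchecked accessors. */`, would keep a later cleanup from dropping it as redundant. The bound added just above (`maxevents > INT_MAX/sizeof(*events)`) also makes `sizeof(*events) * maxevents` overflow-free on 32-bit ARM, which is worth stating in the same comment. Both function bodies continue past the hunk, so the exact accessors used could not be confirmed from this patch.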
diff --git a/queue-4.7/ib-hfi1-disable-by-default.patch b/queue-4.7/ib-hfi1-disable-by-default.patch
new file mode 100644 (file)
index 0000000..a22fa68
--- /dev/null
@@ -0,0 +1,36 @@
+From a154a8cd080b437969ef194dee365bbb60a3b38a Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Tue, 19 Jul 2016 10:03:44 -0700
+Subject: IB/hfi1: Disable by default
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+commit a154a8cd080b437969ef194dee365bbb60a3b38a upstream.
+
+There is a strict policy in the Linux kernel that new drivers must be
+disabled by default. Hence leave out the "default m" line from Kconfig.
+
+Fixes: f48ad614c100 ("IB/hfi1: Move driver out of staging")
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Cc: Jubin John <jubin.john@intel.com>
+Cc: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Acked-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/Kconfig |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/Kconfig
++++ b/drivers/infiniband/hw/hfi1/Kconfig
+@@ -3,7 +3,6 @@ config INFINIBAND_HFI1
+       depends on X86_64 && INFINIBAND_RDMAVT
+       select MMU_NOTIFIER
+       select CRC32
+-      default m
+       ---help---
+       This is a low-level driver for Intel OPA Gen1 adapter.
+ config HFI1_DEBUG_SDMA_ORDER
diff --git a/queue-4.7/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch b/queue-4.7/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
new file mode 100644 (file)
index 0000000..5086ef7
--- /dev/null
@@ -0,0 +1,50 @@
+From 20f06ed9f61a185c6dabd662c310bed6189470df Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 27 Jul 2016 11:43:37 +0100
+Subject: KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
+
+From: David Howells <dhowells@redhat.com>
+
+commit 20f06ed9f61a185c6dabd662c310bed6189470df upstream.
+
+MIPS64 needs to use compat_sys_keyctl for 32-bit userspace rather than
+calling sys_keyctl.  The latter will work in a lot of cases, thereby hiding
+the issue.
+
+Reported-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Cc: keyrings@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/13832/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/scall64-n32.S |    2 +-
+ arch/mips/kernel/scall64-o32.S |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -348,7 +348,7 @@ EXPORT(sysn32_call_table)
+       PTR     sys_ni_syscall                  /* available, was setaltroot */
+       PTR     sys_add_key
+       PTR     sys_request_key
+-      PTR     sys_keyctl                      /* 6245 */
++      PTR     compat_sys_keyctl               /* 6245 */
+       PTR     sys_set_thread_area
+       PTR     sys_inotify_init
+       PTR     sys_inotify_add_watch
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -504,7 +504,7 @@ EXPORT(sys32_call_table)
+       PTR     sys_ni_syscall                  /* available, was setaltroot */
+       PTR     sys_add_key                     /* 4280 */
+       PTR     sys_request_key
+-      PTR     sys_keyctl
++      PTR     compat_sys_keyctl
+       PTR     sys_set_thread_area
+       PTR     sys_inotify_init
+       PTR     sys_inotify_add_watch           /* 4285 */
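Review bot: The patch description says sys_keyctl "will work in a lot of cases" but never names the cases in which it does not, which is what a stable reviewer needs to verify the fix and choose a test; presumably the affected commands are those whose arguments point at user structures whose layout differs between the 32-bit and 64-bit ABIs, but that is inferred rather than stated. A sentence such as `keyctl() commands that take pointers to user structures are misparsed when a 32-bit caller reaches the native handler; compat_sys_keyctl translates them` belongs in the body. Changing both the n32 and o32 tables while leaving add_key/request_key, which take only flat buffers, on the native entries looks consistent.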
diff --git a/queue-4.7/random-strengthen-input-validation-for-rndaddtoentcnt.patch b/queue-4.7/random-strengthen-input-validation-for-rndaddtoentcnt.patch
new file mode 100644 (file)
index 0000000..acd853f
--- /dev/null
@@ -0,0 +1,107 @@
+From 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 3 Jul 2016 17:01:26 -0400
+Subject: random: strengthen input validation for RNDADDTOENTCNT
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec upstream.
+
+Don't allow RNDADDTOENTCNT or RNDADDENTROPY to accept a negative
+entropy value.  It doesn't make any sense to subtract from the entropy
+counter, and it can trigger a warning:
+
+random: negative entropy/overflow: pool input count -40000
+------------[ cut here ]------------
+WARNING: CPU: 3 PID: 6828 at drivers/char/random.c:670[<      none
+ >] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
+Modules linked in:
+CPU: 3 PID: 6828 Comm: a.out Not tainted 4.7.0-rc4+ #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ ffffffff880b58e0 ffff88005dd9fcb0 ffffffff82cc838f ffffffff87158b40
+ fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff87158b40
+ ffffffff83283dae 0000000000000009 ffff88005dd9fcf8 ffffffff8136d27f
+Call Trace:
+ [<     inline     >] __dump_stack lib/dump_stack.c:15
+ [<ffffffff82cc838f>] dump_stack+0x12e/0x18f lib/dump_stack.c:51
+ [<ffffffff8136d27f>] __warn+0x19f/0x1e0 kernel/panic.c:516
+ [<ffffffff8136d48c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551
+ [<ffffffff83283dae>] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
+ [<     inline     >] credit_entropy_bits_safe drivers/char/random.c:734
+ [<ffffffff8328785d>] random_ioctl+0x21d/0x250 drivers/char/random.c:1546
+ [<     inline     >] vfs_ioctl fs/ioctl.c:43
+ [<ffffffff8185316c>] do_vfs_ioctl+0x18c/0xff0 fs/ioctl.c:674
+ [<     inline     >] SYSC_ioctl fs/ioctl.c:689
+ [<ffffffff8185405f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
+ [<ffffffff86a995c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
+arch/x86/entry/entry_64.S:207
+---[ end trace 5d4902b2ba842f1f ]---
+
+This was triggered using the test program:
+
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+int main() {
+        int fd = open("/dev/random", O_RDWR);
+        int val = -5000;
+        ioctl(fd, RNDADDTOENTCNT, &val);
+        return 0;
+}
+
+It's harmless in that (a) only root can trigger it, and (b) after
+complaining the code never does let the entropy count go negative, but
+it's better to simply not allow this userspace from passing in a
+negative entropy value altogether.
+
+Google-Bug-Id: #29575089
+Reported-By: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -723,15 +723,18 @@ retry:
+       }
+ }
+-static void credit_entropy_bits_safe(struct entropy_store *r, int nbits)
++static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
+ {
+       const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1));
++      if (nbits < 0)
++              return -EINVAL;
++
+       /* Cap the value to avoid overflows */
+       nbits = min(nbits,  nbits_max);
+-      nbits = max(nbits, -nbits_max);
+       credit_entropy_bits(r, nbits);
++      return 0;
+ }
+ /*********************************************************************
+@@ -1543,8 +1546,7 @@ static long random_ioctl(struct file *f,
+                       return -EPERM;
+               if (get_user(ent_count, p))
+                       return -EFAULT;
+-              credit_entropy_bits_safe(&input_pool, ent_count);
+-              return 0;
++              return credit_entropy_bits_safe(&input_pool, ent_count);
+       case RNDADDENTROPY:
+               if (!capable(CAP_SYS_ADMIN))
+                       return -EPERM;
+@@ -1558,8 +1560,7 @@ static long random_ioctl(struct file *f,
+                                   size);
+               if (retval < 0)
+                       return retval;
+-              credit_entropy_bits_safe(&input_pool, ent_count);
+-              return 0;
++              return credit_entropy_bits_safe(&input_pool, ent_count);
+       case RNDZAPENTCNT:
+       case RNDCLEARPOOL:
+               /*
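Review bot: In the RNDADDENTROPY case the new negative-count rejection runs only after write_pool() has already mixed the caller's bytes into input_pool (the write and its `retval < 0` check sit just above the changed return), so unless the part of the case above the hunk already rejects a negative ent_count, the ioctl performs a side effect and then reports -EINVAL. Mixing uncredited data cannot weaken the pool, so this is about validating all inputs before acting rather than a security regression; the cheap fix is to check right after the count is read, `if (ent_count < 0) return -EINVAL;`, before the size is read and the pool is written. The start of the RNDADDENTROPY case is outside the hunk, so that earlier check may already exist.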
index ed560777b356cf7923b88c3750424bc7d1bae66b..c3c4fcd733902b82c676f2bc35616b3812c3d6b8 100644 (file)
@@ -11,3 +11,8 @@ net-sctp-terminate-rhashtable-walk-correctly.patch
 qed-fix-setting-clearing-bit-in-completion-bitmap.patch
 macsec-ensure-rx_sa-is-set-when-validation-is-disabled.patch
 tcp-consider-recv-buf-for-the-initial-window-scale.patch
+arm-oabi-compat-add-missing-access-checks.patch
+keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
+ib-hfi1-disable-by-default.patch
+apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch
+random-strengthen-input-validation-for-rndaddtoentcnt.patch