From: Greg Kroah-Hartman Date: Fri, 10 Feb 2017 13:35:36 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.9.10~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=58828c83737488dc1b8483bfe6fec8b2a8bdf842;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch selinux-fix-off-by-one-in-setprocattr.patch --- diff --git a/queue-4.4/arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch b/queue-4.4/arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch new file mode 100644 index 00000000000..9450c881467 --- /dev/null +++ b/queue-4.4/arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch @@ -0,0 +1,32 @@ +From a524c218bc94c705886a0e0fedeee45d1931da32 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Tue, 7 Feb 2017 09:44:58 -0800 +Subject: ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup + +From: Vineet Gupta + +commit a524c218bc94c705886a0e0fedeee45d1931da32 upstream. + +Reported-by: Jo-Philipp Wich +Fixes: 9aed02feae57bf7 ("ARC: [arcompact] handle unaligned access delay slot") +Cc: linux-kernel@vger.kernel.org +Cc: linux-snps-arc@lists.infradead.org +Signed-off-by: Vineet Gupta +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/kernel/unaligned.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arc/kernel/unaligned.c ++++ b/arch/arc/kernel/unaligned.c +@@ -243,7 +243,7 @@ int misaligned_fixup(unsigned long addre + + /* clear any remanants of delay slot */ + if (delay_mode(regs)) { +- regs->ret = regs->bta ~1U; ++ regs->ret = regs->bta & ~1U; + regs->status32 &= ~STATUS_DE_MASK; + } else { + regs->ret += state.instr_len; diff --git a/queue-4.4/selinux-fix-off-by-one-in-setprocattr.patch b/queue-4.4/selinux-fix-off-by-one-in-setprocattr.patch new file mode 100644 index 00000000000..3060b0eaed9 --- /dev/null 
+++ b/queue-4.4/selinux-fix-off-by-one-in-setprocattr.patch 
@@ -0,0 +1,65 @@ +From 0c461cb727d146c9ef2d3e86214f498b78b7d125 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Tue, 31 Jan 2017 11:54:04 -0500 +Subject: selinux: fix off-by-one in setprocattr + +From: Stephen Smalley + +commit 0c461cb727d146c9ef2d3e86214f498b78b7d125 upstream. + +SELinux tries to support setting/clearing of /proc/pid/attr attributes +from the shell by ignoring terminating newlines and treating an +attribute value that begins with a NUL or newline as an attempt to +clear the attribute. However, the test for clearing attributes has +always been wrong; it has an off-by-one error, and this could further +lead to reading past the end of the allocated buffer since commit +bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write(): +switch to memdup_user()"). Fix the off-by-one error. + +Even with this fix, setting and clearing /proc/pid/attr attributes +from the shell is not straightforward since the interface does not +support multiple write() calls (so shells that write the value and +newline separately will set and then immediately clear the attribute, +requiring use of echo -n to set the attribute), whereas trying to use +echo -n "" to clear the attribute causes the shell to skip the +write() call altogether since POSIX says that a zero-length write +causes no side effects. Thus, one must use echo -n to set and echo +without -n to clear, as in the following example: +$ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate +$ cat /proc/$$/attr/fscreate +unconfined_u:object_r:user_home_t:s0 +$ echo "" > /proc/$$/attr/fscreate +$ cat /proc/$$/attr/fscreate + +Note the use of /proc/$$ rather than /proc/self, as otherwise +the cat command will read its own attribute value, not that of the shell. + +There are no users of this facility to my knowledge; possibly we +should just get rid of it. 
+ +UPDATE: Upon further investigation it appears that a local process +with the process:setfscreate permission can cause a kernel panic as a +result of this bug. This patch fixes CVE-2017-2618. + +Signed-off-by: Stephen Smalley +[PM: added the update about CVE-2017-2618 to the commit description] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: James Morris + +--- + security/selinux/hooks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -5640,7 +5640,7 @@ static int selinux_setprocattr(struct ta + return error; + + /* Obtain a SID for the context, if one was specified. */ +- if (size && str[1] && str[1] != '\n') { ++ if (size && str[0] && str[0] != '\n') { + if (str[size-1] == '\n') { + str[size-1] = 0; + size--; diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..6bab094930e --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,2 @@ +arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch +selinux-fix-off-by-one-in-setprocattr.patch diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..8a4d4039ca8 --- /dev/null +++ b/queue-4.9/series 
@@ -0,0 +1,14 @@ +cpufreq-intel_pstate-disable-energy-efficiency-optimization.patch +acpi-nfit-fix-acpi_nfit_flush_probe-crash.patch +libnvdimm-namespace-do-not-delete-namespace-id-0.patch +libnvdimm-pfn-fix-memmap-reservation-size-versus-4k-alignment.patch +dm-rq-cope-with-dm-device-destruction-while-in-dm_old_request_fn.patch +crypto-algif_aead-fix-kernel-panic-on-list_del.patch +crypto-chcr-check-device-is-allocated-before-use.patch +crypto-qat-fix-bar-discovery-for-c62x.patch +crypto-qat-zero-esram-only-for-dh85x-devices.patch +crypto-ccp-fix-dma-operations-when-iommu-is-enabled.patch +crypto-ccp-fix-double-add-when-creating-new-dma-command.patch +arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch +input-uinput-fix-crash-when-mixing-old-and-new-init-style.patch +selinux-fix-off-by-one-in-setprocattr.patch
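Review bot: In the arch/arc/kernel/unaligned.c hunk carried by arc-brown-paper-bag-bug-in-unaligned-access-delay-slot-fixup.patch, the changelog has no body, so nothing beyond the subject line records what was wrong. The removed line `regs->ret = regs->bta ~1U;` is missing its operator and is not valid C, which suggests the delay-slot branch was never built in that form. One sentence saying so, and noting that `regs->bta & ~1U` clears bit 0 of the branch target before it is stored in regs->ret, would let a stable reviewer judge the backport without opening the file. The context comment also spells "remnants" as "remanants"; that is worth a follow-up upstream rather than a change in this backport.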
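Review bot: In the security/selinux/hooks.c hunk carried by selinux-fix-off-by-one-in-setprocattr.patch, the changelog names bb646cdb12e75d82258c2f2e7746d5952d3e321a as the commit that turns the wrong index into a read past the allocated buffer, but it carries no Fixes: tag and does not say whether the 4.4 tree contains that commit. The index fix applies either way, since the message says the test has always been wrong, but the severity in this tree (a logic error, or the out-of-bounds read behind CVE-2017-2618) depends on it, so a one-line backport note would help. The comment above the test, "Obtain a SID for the context, if one was specified", could also say that a value starting with NUL or newline means "clear the attribute", because that is what `str[0] && str[0] != '\n'` encodes.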
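Review bot: The final hunk creates queue-4.9/series with 14 entries, yet the subject reads "4.4-stable patches" and the "added patches" list names only the two files under queue-4.4. This diff adds no patch file under queue-4.9, so the new series file lists patches the commit itself does not supply. Either mention the 4.9 series file in the commit message or move it into the commit that adds those patches, so that the queue can be applied at every point in the history.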