From: Greg Kroah-Hartman
Date: Tue, 21 Nov 2017 16:56:41 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v3.18.84~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5aa65997a4e5b551edb8fa9a73ea580a9fb26a04;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
rcu-fix-up-pending-cbs-check-in-rcu_prepare_for_idle.patch
serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch
serial-omap-fix-efr-write-on-rts-deassertion.patch
tpm-dev-common-reject-too-short-writes.patch
---

diff --git a/queue-4.14/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch b/queue-4.14/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
new file mode 100644
index 00000000000..9226e8fec08
--- /dev/null
+++ b/queue-4.14/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
@@ -0,0 +1,46 @@
+From 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb Mon Sep 17 00:00:00 2001
+From: Roberto Sassu
+Date: Tue, 7 Nov 2017 11:37:07 +0100
+Subject: ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
+
+From: Roberto Sassu
+
+commit 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb upstream.
+
+Commit b65a9cfc2c38 ("Untangling ima mess, part 2: deal with counters")
+moved the call of ima_file_check() from may_open() to do_filp_open() at a
+point where the file descriptor is already opened.
+
+This breaks the assumption made by IMA that file descriptors being closed
+belong to files whose access was granted by ima_file_check(). The
+consequence is that security.ima and security.evm are updated with good
+values, regardless of the current appraisal status.
+
+For example, if a file does not have security.ima, IMA will create it after
+opening the file for writing, even if access is denied. Access to the file
+will be allowed afterwards.
+
+Avoid this issue by checking the appraisal status before updating
+security.ima.
+
+Signed-off-by: Roberto Sassu
+Signed-off-by: Mimi Zohar
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/integrity/ima/ima_appraise.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -320,6 +320,9 @@ void ima_update_xattr(struct integrity_i
+ if (iint->flags & IMA_DIGSIG)
+ return;
+
++ if (iint->ima_file_status != INTEGRITY_PASS)
++ return;
++
+ rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo);
+ if (rc < 0)
+ return;
diff --git a/queue-4.14/rcu-fix-up-pending-cbs-check-in-rcu_prepare_for_idle.patch b/queue-4.14/rcu-fix-up-pending-cbs-check-in-rcu_prepare_for_idle.patch
new file mode 100644
index 00000000000..b8ef0ba3d74
--- /dev/null
+++ b/queue-4.14/rcu-fix-up-pending-cbs-check-in-rcu_prepare_for_idle.patch
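Review bot: The new early return in ima_update_xattr() (`if (iint->ima_file_status != INTEGRITY_PASS) return;`) has no comment, although per the commit message it is what stops a file that failed appraisal from being given a good security.ima when it is closed. I would add above it `/* Only refresh security.ima for files that passed appraisal; otherwise a denied file gains a valid hash and is allowed on the next open. */` so the check is not later removed as redundant with the IMA_DIGSIG test before it. The function starts and ends outside the hunk, so whether any other path reaches the xattr write without this check cannot be confirmed from here.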
@@ -0,0 +1,34 @@
+From 135bd1a230bb69a68c9808a7d25467318900b80a Mon Sep 17 00:00:00 2001
+From: Neeraj Upadhyay
+Date: Mon, 7 Aug 2017 11:20:10 +0530
+Subject: rcu: Fix up pending cbs check in rcu_prepare_for_idle
+
+From: Neeraj Upadhyay
+
+commit 135bd1a230bb69a68c9808a7d25467318900b80a upstream.
+
+The pending-callbacks check in rcu_prepare_for_idle() is backwards.
+It should accelerate if there are pending callbacks, but the check
+rather uselessly accelerates only if there are no callbacks. This commit
+therefore inverts this check.
+
+Fixes: 15fecf89e46a ("srcu: Abstract multi-tail callback list handling")
+Signed-off-by: Neeraj Upadhyay
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/rcu/tree_plugin.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -1507,7 +1507,7 @@ static void rcu_prepare_for_idle(void)
+ rdtp->last_accelerate = jiffies;
+ for_each_rcu_flavor(rsp) {
+ rdp = this_cpu_ptr(rsp->rda);
+- if (rcu_segcblist_pend_cbs(&rdp->cblist))
++ if (!rcu_segcblist_pend_cbs(&rdp->cblist))
+ continue;
+ rnp = rdp->mynode;
+ raw_spin_lock_rcu_node(rnp); /* irqs already disabled. */
diff --git a/queue-4.14/serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch b/queue-4.14/serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch
new file mode 100644
index 00000000000..3392fe96bb7
--- /dev/null
+++ b/queue-4.14/serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch
@@ -0,0 +1,38 @@
+From fd97e66c5529046e989a0879c3bb58fddb592c71 Mon Sep 17 00:00:00 2001
+From: "Ji-Ze Hong (Peter Hong)"
+Date: Tue, 17 Oct 2017 14:23:08 +0800
+Subject: serial: 8250_fintek: Fix finding base_port with activated SuperIO
+
+From: Ji-Ze Hong (Peter Hong)
+
+commit fd97e66c5529046e989a0879c3bb58fddb592c71 upstream.
+
+The SuperIO will be configured at boot time by BIOS, but some BIOS
+will not deactivate the SuperIO when the end of configuration. It'll
+lead to mismatch for pdata->base_port in probe_setup_port(). So we'll
+deactivate all SuperIO before activate special base_port in
+fintek_8250_enter_key().
+
+Tested on iBASE MI802.
+
+Tested-by: Ji-Ze Hong (Peter Hong)
+Signed-off-by: Ji-Ze Hong (Peter Hong)
+Reviewd-by: Alan Cox
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_fintek.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_fintek.c
++++ b/drivers/tty/serial/8250/8250_fintek.c
+@@ -118,6 +118,9 @@ static int fintek_8250_enter_key(u16 bas
+ if (!request_muxed_region(base_port, 2, "8250_fintek"))
+ return -EBUSY;
+
++ /* Force to deactive all SuperIO in this base_port */
++ outb(EXIT_KEY, base_port + ADDR_PORT);
++
+ outb(key, base_port + ADDR_PORT);
+ outb(key, base_port + ADDR_PORT);
+ return 0;
diff --git a/queue-4.14/serial-omap-fix-efr-write-on-rts-deassertion.patch b/queue-4.14/serial-omap-fix-efr-write-on-rts-deassertion.patch
new file mode 100644
index 00000000000..0c9fba9bb10
--- /dev/null
+++ b/queue-4.14/serial-omap-fix-efr-write-on-rts-deassertion.patch
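Review bot: The comment added in fintek_8250_enter_key() is misspelled ("deactive") and does not say why an exit key is written immediately before the entry key. Going by the commit message, something like `/* Some BIOSes leave the SuperIO in config mode; exit it first so the entry key sequence starts from a known state */` would record the reason for the next reader. The function's opening lines are outside the hunk.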
@@ -0,0 +1,34 @@
+From 2a71de2f7366fb1aec632116d0549ec56d6a3940 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Sat, 21 Oct 2017 10:50:18 +0200
+Subject: serial: omap: Fix EFR write on RTS deassertion
+
+From: Lukas Wunner
+
+commit 2a71de2f7366fb1aec632116d0549ec56d6a3940 upstream.
+
+Commit 348f9bb31c56 ("serial: omap: Fix RTS handling") sought to enable
+auto RTS upon manual RTS assertion and disable it on deassertion.
+However it seems the latter was done incorrectly, it clears all bits in
+the Extended Features Register *except* auto RTS.
+
+Fixes: 348f9bb31c56 ("serial: omap: Fix RTS handling")
+Cc: Peter Hurley
+Signed-off-by: Lukas Wunner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/omap-serial.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/omap-serial.c
++++ b/drivers/tty/serial/omap-serial.c
+@@ -693,7 +693,7 @@ static void serial_omap_set_mctrl(struct
+ if ((mctrl & TIOCM_RTS) && (port->status & UPSTAT_AUTORTS))
+ up->efr |= UART_EFR_RTS;
+ else
+- up->efr &= UART_EFR_RTS;
++ up->efr &= ~UART_EFR_RTS;
+ serial_out(up, UART_EFR, up->efr);
+ serial_out(up, UART_LCR, lcr);
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 291266007fd..c09a5277461 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -4,3 +4,8 @@ vxlan-fix-the-issue-that-neigh-proxy-blocks-all-icmpv6-packets.patch
 net-cdc_ncm-getntbformat-endian-fix.patch
 fealnx-fix-building-error-on-mips.patch
 net-sctp-always-set-scope_id-in-sctp_inet6_skb_msgname.patch
+ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
+serial-omap-fix-efr-write-on-rts-deassertion.patch
+serial-8250_fintek-fix-finding-base_port-with-activated-superio.patch
+tpm-dev-common-reject-too-short-writes.patch
+rcu-fix-up-pending-cbs-check-in-rcu_prepare_for_idle.patch
diff --git a/queue-4.14/tpm-dev-common-reject-too-short-writes.patch b/queue-4.14/tpm-dev-common-reject-too-short-writes.patch
new file mode 100644
index 00000000000..eb584c466fd
--- /dev/null
+++ b/queue-4.14/tpm-dev-common-reject-too-short-writes.patch
@@ -0,0 +1,44 @@
+From ee70bc1e7b63ac8023c9ff9475d8741e397316e7 Mon Sep 17 00:00:00 2001
+From: Alexander Steffen
+Date: Fri, 8 Sep 2017 17:21:32 +0200
+Subject: tpm-dev-common: Reject too short writes
+
+From: Alexander Steffen
+
+commit ee70bc1e7b63ac8023c9ff9475d8741e397316e7 upstream.
+
+tpm_transmit() does not offer an explicit interface to indicate the number
+of valid bytes in the communication buffer. Instead, it relies on the
+commandSize field in the TPM header that is encoded within the buffer.
+Therefore, ensure that a) enough data has been written to the buffer, so
+that the commandSize field is present and b) the commandSize field does not
+announce more data than has been written to the buffer.
+
+This should have been fixed with CVE-2011-1161 long ago, but apparently
+a correct version of that patch never made it into the kernel.
+
+Signed-off-by: Alexander Steffen
+Reviewed-by: Jarkko Sakkinen
+Tested-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm-dev-common.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/char/tpm/tpm-dev-common.c
++++ b/drivers/char/tpm/tpm-dev-common.c
+@@ -110,6 +110,12 @@ ssize_t tpm_common_write(struct file *fi
+ return -EFAULT;
+ }
+
++ if (in_size < 6 ||
++ in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2)))) {
++ mutex_unlock(&priv->buffer_mutex);
++ return -EINVAL;
++ }
++
+ /* atomic tpm command send and result receive. We only hold the ops
+ * lock during this period so that the tpm can be unregistered even if
+ * the char dev is held open.
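Review bot: The length check added to tpm_common_write() reads commandSize with `*((__be32 *) (priv->data_buffer + 2))`, a 32-bit load at byte offset 2 that is misaligned whenever data_buffer itself is 4-byte aligned (its declaration is outside the hunk). Using `get_unaligned_be32(priv->data_buffer + 2)` would keep the check from depending on the architecture tolerating unaligned loads. The bare `6` also deserves a comment such as `/* header so far: 2-byte tag + 4-byte commandSize */`, since this comparison is the only guard that stops tpm_transmit() from trusting a length larger than what user space actually wrote. The function begins and continues outside the hunk.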