From: Greg Kroah-Hartman
Date: Sat, 28 Jun 2014 16:36:51 +0000 (-0400)
Subject: 3.14-stable patches
X-Git-Tag: v3.4.96~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=79b58c8ae836af6301aef44c14cd8248a771dc89;p=thirdparty%2Fkernel%2Fstable-queue.git
3.14-stable patches
added patches:
builddeb-use-objcopy-variable-instead-of-objcopy.patch
efi-pstore-fix-an-overflow-on-32-bit-builds.patch
epoll-fix-use-after-free-in-eventpoll_release_file.patch
x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
---
diff --git a/queue-3.14/builddeb-use-objcopy-variable-instead-of-objcopy.patch b/queue-3.14/builddeb-use-objcopy-variable-instead-of-objcopy.patch
new file mode 100644
index 00000000000..f32e2491028
--- /dev/null
+++ b/queue-3.14/builddeb-use-objcopy-variable-instead-of-objcopy.patch
@@ -0,0 +1,43 @@
+From 6b4a144a92ab81a1f45fb9b12aebaaaee0d08120 Mon Sep 17 00:00:00 2001
+From: Fathi Boudra
+Date: Sat, 12 Apr 2014 13:13:24 +0300
+Subject: builddeb: use $OBJCOPY variable instead of objcopy
+
+From: Fathi Boudra
+
+commit 6b4a144a92ab81a1f45fb9b12aebaaaee0d08120 upstream.
+
+In cross-build environment, we expect to use the cross-compiler objcopy
+instead of the host objcopy.
+
+It fixes following build failures:
+objcopy --only-keep-debug lib/modules/3.14/kernel/net/ipv6/xfrm6_mode_tunnel.ko /srv/build/linux/debian/dbgtmp/usr/lib/debug/lib/modules/3.14/kernel/net/ipv6/xfrm6_mode_tunnel.ko
+objcopy: Unable to recognise the format of the input file `lib/modules/3.14/kernel/net/ipv6/xfrm6_mode_tunnel.ko'
+
+Signed-off-by: Fathi Boudra
+Fixes: 810e843746b7 ('deb-pkg: split debug symbols in their own package')
+Reviewed-by: Ben Hutchings
+Signed-off-by: Michal Marek
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ scripts/package/builddeb | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/scripts/package/builddeb
++++ b/scripts/package/builddeb
+@@ -155,11 +155,11 @@ if grep -q '^CONFIG_MODULES=y' $KCONFIG_
+ for module in $(find lib/modules/ -name *.ko); do
+ mkdir -p $(dirname $dbg_dir/usr/lib/debug/$module)
+ # only keep debug symbols in the debug file
+- objcopy --only-keep-debug $module $dbg_dir/usr/lib/debug/$module
++ $OBJCOPY --only-keep-debug $module $dbg_dir/usr/lib/debug/$module
+ # strip original module from debug symbols
+- objcopy --strip-debug $module
++ $OBJCOPY --strip-debug $module
+ # then add a link to those
+- objcopy --add-gnu-debuglink=$dbg_dir/usr/lib/debug/$module $module
++ $OBJCOPY --add-gnu-debuglink=$dbg_dir/usr/lib/debug/$module $module
+ done
+ )
+ fi
diff --git a/queue-3.14/efi-pstore-fix-an-overflow-on-32-bit-builds.patch b/queue-3.14/efi-pstore-fix-an-overflow-on-32-bit-builds.patch
new file mode 100644
index 00000000000..efbca5af1ce
--- /dev/null
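Review bot: The three new `$OBJCOPY` invocations depend on OBJCOPY being present in the script's environment; if it is not, the command word expands to nothing and the shell tries to execute `--only-keep-debug` itself, a harder failure than the host-objcopy mismatch this patch fixes. A fallback such as `${OBJCOPY:-objcopy}` on each of the three lines keeps the cross-build fix while preserving the old behaviour when the variable is not exported (whether the kernel Makefile exports it cannot be seen from this hunk; presumably it does, since the build otherwise breaks). The enclosing `if grep -q '^CONFIG_MODULES=y'` block and its subshell start before this inner hunk.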
+++ b/queue-3.14/efi-pstore-fix-an-overflow-on-32-bit-builds.patch
@@ -0,0 +1,40 @@
+From 783ee43118dc773bc8b0342c5b230e017d5a04d0 Mon Sep 17 00:00:00 2001
+From: Andrzej Zaborowski
+Date: Mon, 9 Jun 2014 16:50:40 +0200
+Subject: efi-pstore: Fix an overflow on 32-bit builds
+
+From: Andrzej Zaborowski
+
+commit 783ee43118dc773bc8b0342c5b230e017d5a04d0 upstream.
+
+In generic_id the long int timestamp is multiplied by 100000 and needs
+an explicit cast to u64.
+
+Without that the id in the resulting pstore filename is wrong and
+userspace may have problems parsing it, but more importantly files in
+pstore can never be deleted and may fill the EFI flash (brick device?).
+This happens because when generic pstore code wants to delete a file,
+it passes the id to the EFI backend which reinterpretes it and a wrong
+variable name is attempted to be deleted. There's no error message but
+after remounting pstore, deleted files would reappear.
+
+Signed-off-by: Andrew Zaborowski
+Acked-by: David Rientjes
+Signed-off-by: Matt Fleming
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/firmware/efi/efi-pstore.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/efi-pstore.c
++++ b/drivers/firmware/efi/efi-pstore.c
+@@ -40,7 +40,7 @@ struct pstore_read_data {
+ static inline u64 generic_id(unsigned long timestamp,
+ unsigned int part, int count)
+ {
+- return (timestamp * 100 + part) * 1000 + count;
++ return ((u64) timestamp * 100 + part) * 1000 + count;
+ }
+
+ static int efi_pstore_read_func(struct efivar_entry *entry, void *data)
diff --git a/queue-3.14/epoll-fix-use-after-free-in-eventpoll_release_file.patch b/queue-3.14/epoll-fix-use-after-free-in-eventpoll_release_file.patch
new file mode 100644
index 00000000000..110d4336302
--- /dev/null
+++ b/queue-3.14/epoll-fix-use-after-free-in-eventpoll_release_file.patch
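Review bot: The `(u64)` cast removes the 32-bit overflow, but the packing it widens is still undocumented at the `generic_id` definition: from the arithmetic, `part` occupies the thousands-to-tens-of-thousands digits and `count` the low three, so a `part` of 100 or more, or a `count` of 1000 or more, would spill into the `timestamp` field and let two records share an id — the same "wrong variable name gets deleted" symptom the commit message describes. A comment above the function, e.g. `/* id = timestamp * 100000 + part * 1000 + count; requires part < 100 and count < 1000 or ids collide */`, would make that contract visible to whoever later changes the part or count limits. `count` is also a signed `int`, so a negative value would wrap the u64 result; that may be impossible for the callers, but nothing in this hunk says so.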
@@ -0,0 +1,52 @@
+From ebe06187bf2aec10d537ce4595e416035367d703 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Tue, 17 Jun 2014 06:58:05 +0400
+Subject: epoll: fix use-after-free in eventpoll_release_file
+
+From: Konstantin Khlebnikov
+
+commit ebe06187bf2aec10d537ce4595e416035367d703 upstream.
+
+This fixes use-after-free of epi->fllink.next inside list loop macro.
+This loop actually releases elements in the body. The list is
+rcu-protected but here we cannot hold rcu_read_lock because we need to
+lock mutex inside.
+
+The obvious solution is to use list_for_each_entry_safe(). RCU-ness
+isn't essential because nobody can change this list under us, it's final
+fput for this file.
+
+The bug was introduced by ae10b2b4eb01 ("epoll: optimize EPOLL_CTL_DEL
+using rcu")
+
+Signed-off-by: Konstantin Khlebnikov
+Reported-by: Cyrill Gorcunov
+Cc: Sasha Levin
+Cc: Jason Baron
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/eventpoll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -910,7 +910,7 @@ static const struct file_operations even
+ void eventpoll_release_file(struct file *file)
+ {
+ struct eventpoll *ep;
+- struct epitem *epi;
++ struct epitem *epi, *next;
+
+ /*
+ * We don't want to get "file->f_lock" because it is not
+@@ -926,7 +926,7 @@ void eventpoll_release_file(struct file
+ * Besides, ep_remove() acquires the lock, so we can't hold it here.
+ */
+ mutex_lock(&epmutex);
+- list_for_each_entry_rcu(epi, &file->f_ep_links, fllink) {
++ list_for_each_entry_safe(epi, next, &file->f_ep_links, fllink) {
+ ep = epi->ep;
+ mutex_lock_nested(&ep->mtx, 0);
+ ep_remove(ep, epi);
diff --git a/queue-3.14/series b/queue-3.14/series
index 1d1bd5fe55b..26e345f20b0 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
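Review bot: The switch from `list_for_each_entry_rcu` to `list_for_each_entry_safe` is only correct because of an argument that lives solely in the commit message — that this is the final fput of `file`, so nothing else can add to or remove from `f_ep_links` and the pre-fetched `next` cannot go stale while the body runs `ep_remove()` under `ep->mtx`. That reasoning should sit next to the loop, since the existing comment above it only explains why `file->f_lock` is not taken; something like `/* _safe, not _rcu: ep_remove() unlinks and frees epi, and this is the final fput of @file, so nothing else can modify f_ep_links here */`. The body of eventpoll_release_file continues past the end of this hunk, so the unlock path is not visible here.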
@@ -104,3 +104,7 @@ btrfs-fix-use-of-uninit-ret-in-end_extent_writepage.patch
 btrfs-fix-lockdep-warning-with-reclaim-lock-inversion.patch
 btrfs-allocate-raid-type-kobjects-dynamically.patch
 lz4-fix-another-possible-overrun.patch
+x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
+epoll-fix-use-after-free-in-eventpoll_release_file.patch
+builddeb-use-objcopy-variable-instead-of-objcopy.patch
+efi-pstore-fix-an-overflow-on-32-bit-builds.patch
diff --git a/queue-3.14/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch b/queue-3.14/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
new file mode 100644
index 00000000000..56956af6ddd
--- /dev/null
+++ b/queue-3.14/x86_32-entry-do-syscall-exit-work-on-badsys-cve-2014-4508.patch
@@ -0,0 +1,61 @@
+From 554086d85e71f30abe46fc014fea31929a7c6a8a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Mon, 23 Jun 2014 14:22:15 -0700
+Subject: x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Lutomirski
+
+commit 554086d85e71f30abe46fc014fea31929a7c6a8a upstream.
+
+The bad syscall nr paths are their own incomprehensible route
+through the entry control flow. Rearrange them to work just like
+syscalls that return -ENOSYS.
+
+This fixes an OOPS in the audit code when fast-path auditing is
+enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
+
+This has probably been broken since Linux 2.6.27:
+af0575bba0 i386 syscall audit fast-path
+
+Cc: Roland McGrath
+Reported-by: Toralf Förster
+Signed-off-by: Andy Lutomirski
+Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net
+Signed-off-by: H. Peter Anvin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/entry_32.S | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -431,9 +431,10 @@ sysenter_past_esp:
+ jnz sysenter_audit
+ sysenter_do_call:
+ cmpl $(NR_syscalls), %eax
+- jae syscall_badsys
++ jae sysenter_badsys
+ call *sys_call_table(,%eax,4)
+ movl %eax,PT_EAX(%esp)
++sysenter_after_call:
+ LOCKDEP_SYS_EXIT
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
+@@ -683,7 +684,12 @@ END(syscall_fault)
+
+ syscall_badsys:
+ movl $-ENOSYS,PT_EAX(%esp)
+- jmp resume_userspace
++ jmp syscall_exit
++END(syscall_badsys)
++
++sysenter_badsys:
++ movl $-ENOSYS,PT_EAX(%esp)
++ jmp sysenter_after_call
+ END(syscall_badsys)
+ CFI_ENDPROC
+ /*
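Review bot: The new `sysenter_badsys:` block is terminated by the pre-existing context line `END(syscall_badsys)` rather than by `END(sysenter_badsys)`, so after this patch the file carries two `END(syscall_badsys)` markers and none for the new label; since `END()` is the `.size name, .-name` directive from linkage.h, that redefines the size of `syscall_badsys` from the wrong point and leaves `sysenter_badsys` unsized. The trailing context line should become `END(sysenter_badsys)`, which is a one-line follow-up and does not alter the control flow. The rest of the change matches the commit message: both bad-nr paths now store -ENOSYS into `PT_EAX(%esp)` and rejoin the normal exit work (`syscall_exit` / `sysenter_after_call`) instead of jumping straight to `resume_userspace`. The `ENTRY`/`CFI_STARTPROC` that this `CFI_ENDPROC` closes is outside the hunk.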