Hello community,

here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2016-07-07 15:09:29

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source (Old)
 and      /work/SRC/openSUSE:Factory/.kernel-source.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/kernel-debug.changes 2016-06-12 18:50:28.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.kernel-source.new/kernel-debug.changes 2016-07-07 15:09:31.000000000 +0200 @@ -1,0 +2,30 @@ +Sun Jun 26 09:34:33 CEST 2016 - jsl...@suse.cz + +- Linux 4.6.3 (CVE-2016-4951 bsc#981058 bsc#983458). +- Delete + patches.arch/arm64-mm-always-take-dirty-state-from-new-pte-in-pte.patch. +- Delete + patches.fixes/tipc-check-nl-sock-before-parsing-nested-attributes.patch. +- commit d4bcf2a + +------------------------------------------------------------------- +Tue Jun 21 08:12:52 CEST 2016 - j...@suse.com + +- KEYS: potential uninitialized variable (bsc#984755, + CVE-2016-4470). +- commit 96a29db + +------------------------------------------------------------------- +Mon Jun 20 14:03:35 CEST 2016 - jsl...@suse.cz + +- base: make module_create_drivers_dir race-free (bnc#983977). +- commit 6cfe0b8 + +------------------------------------------------------------------- +Fri Jun 10 16:51:08 CEST 2016 - b...@suse.de + +- rds: fix an infoleak in rds_inc_info_copy (bsc#983213 + CVE-2016-5244). +- commit 14295d6 + +------------------------------------------------------------------- kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-vanilla.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kernel-debug.spec ++++++ --- /var/tmp/diff_new_pack.U8M6Dc/_old 2016-07-07 15:09:35.000000000 +0200 +++ /var/tmp/diff_new_pack.U8M6Dc/_new 2016-07-07 15:09:35.000000000 +0200 
@@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.6 -%define patchversion 4.6.2 +%define patchversion 4.6.3 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: A Debug Version of the Kernel License: GPL-2.0 Group: System/Kernel -Version: 4.6.2 +Version: 4.6.3 %if 0%{?is_kotd} -Release: <RELEASE>.g2a68ef0 +Release: <RELEASE>.gd4bcf2a %else Release: 0 %endif kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.U8M6Dc/_old 2016-07-07 15:09:36.000000000 +0200 +++ /var/tmp/diff_new_pack.U8M6Dc/_new 2016-07-07 15:09:36.000000000 +0200 @@ -16,7 +16,7 @@ # -%define patchversion 4.6.2 +%define patchversion 4.6.3 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -27,9 +27,9 @@ Summary: Kernel Documentation (man pages) License: GPL-2.0 Group: Documentation/Man -Version: 4.6.2 +Version: 4.6.3 %if 0%{?is_kotd} -Release: <RELEASE>.g2a68ef0 +Release: <RELEASE>.gd4bcf2a %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.U8M6Dc/_old 2016-07-07 15:09:36.000000000 +0200 +++ /var/tmp/diff_new_pack.U8M6Dc/_new 2016-07-07 15:09:36.000000000 +0200 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.6 -%define patchversion 4.6.2 +%define patchversion 4.6.3 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: Kernel for LPAE enabled systems License: GPL-2.0 Group: System/Kernel -Version: 4.6.2 +Version: 4.6.3 %if 0%{?is_kotd} -Release: <RELEASE>.g2a68ef0 +Release: <RELEASE>.gd4bcf2a %else Release: 0 %endif ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.U8M6Dc/_old 2016-07-07 15:09:36.000000000 +0200 +++ /var/tmp/diff_new_pack.U8M6Dc/_new 2016-07-07 15:09:36.000000000 +0200 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 4.6.2 +%define patchversion 4.6.3 %define variant %{nil} %include %_sourcedir/kernel-spec-macros 
@@ -51,9 +51,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0 Group: SLES -Version: 4.6.2 +Version: 4.6.3 %if 0%{?is_kotd} -Release: <RELEASE>.g2a68ef0 +Release: <RELEASE>.gd4bcf2a %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.U8M6Dc/_old 2016-07-07 15:09:36.000000000 +0200 +++ /var/tmp/diff_new_pack.U8M6Dc/_new 2016-07-07 15:09:36.000000000 +0200 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 4.6.2 +%define patchversion 4.6.3 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0 Group: SLES -Version: 4.6.2 +Version: 4.6.3 %if 0%{?is_kotd} -Release: <RELEASE>.g2a68ef0 +Release: <RELEASE>.gd4bcf2a %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.U8M6Dc/_old 2016-07-07 15:09:36.000000000 +0200 +++ /var/tmp/diff_new_pack.U8M6Dc/_new 2016-07-07 15:09:36.000000000 +0200 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.6 -%define patchversion 4.6.2 +%define patchversion 4.6.3 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: Kernel with PAE Support License: GPL-2.0 Group: System/Kernel -Version: 4.6.2 +Version: 4.6.3 %if 0%{?is_kotd} -Release: <RELEASE>.g2a68ef0 +Release: <RELEASE>.gd4bcf2a %else Release: 0 %endif ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.U8M6Dc/_old 2016-07-07 15:09:36.000000000 +0200 +++ /var/tmp/diff_new_pack.U8M6Dc/_new 2016-07-07 15:09:36.000000000 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.6 -%define patchversion 4.6.2 +%define patchversion 4.6.3 %define variant %{nil} %define vanilla_only 0 
@@ -30,9 +30,9 @@ Summary: The Linux Kernel Sources License: GPL-2.0 Group: Development/Sources -Version: 4.6.2 +Version: 4.6.3 %if 0%{?is_kotd} -Release: <RELEASE>.g2a68ef0 +Release: <RELEASE>.gd4bcf2a %else Release: 0 %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.U8M6Dc/_old 2016-07-07 15:09:36.000000000 +0200 +++ /var/tmp/diff_new_pack.U8M6Dc/_new 2016-07-07 15:09:36.000000000 +0200 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0 Group: Development/Sources -Version: 4.6.2 +Version: 4.6.3 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.g2a68ef0 +Release: <RELEASE>.gd4bcf2a %else Release: 0 %endif ++++++ kernel-vanilla.spec ++++++ --- /var/tmp/diff_new_pack.U8M6Dc/_old 2016-07-07 15:09:36.000000000 +0200 +++ /var/tmp/diff_new_pack.U8M6Dc/_new 2016-07-07 15:09:36.000000000 +0200 @@ -20,7 +20,7 @@ # needssslcertforbuild %define srcversion 4.6 -%define patchversion 4.6.2 +%define patchversion 4.6.3 %define variant %{nil} %define vanilla_only 0 @@ -61,9 +61,9 @@ Summary: The Standard Kernel - without any SUSE patches License: GPL-2.0 Group: System/Kernel -Version: 4.6.2 +Version: 4.6.3 %if 0%{?is_kotd} -Release: <RELEASE>.g2a68ef0 +Release: <RELEASE>.gd4bcf2a %else Release: 0 %endif ++++++ patches.arch.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.arch/arm64-mm-always-take-dirty-state-from-new-pte-in-pte.patch new/patches.arch/arm64-mm-always-take-dirty-state-from-new-pte-in-pte.patch --- old/patches.arch/arm64-mm-always-take-dirty-state-from-new-pte-in-pte.patch 2016-06-09 16:52:07.000000000 +0200 +++ new/patches.arch/arm64-mm-always-take-dirty-state-from-new-pte-in-pte.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,60 +0,0 @@ -From 69a21d254fb02fdaeb61c6352ea36f3c755f257c Mon Sep 17 00:00:00 2001 -From: Will Deacon <will.dea...@arm.com> -Date: Wed, 8 Jun 2016 10:24:39 +0100 -Subject: [PATCH] arm64: mm: always take dirty state from new pte in - ptep_set_access_flags -Patch-mainline: Submitted 06/08/2016 linux-arm-ker...@lists.infradead.org -References: bsc#983458 - -Commit 66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for -hardware AF/DBM") ensured that pte flags are updated atomically in the -face of potential concurrent, hardware-assisted updates. However, Alex -reports that: - - | This patch breaks swapping for me. - | In the broken case, you'll see either systemd cpu time spike (because - | it's stuck in a page fault loop) or the system hang (because the - | application owning the screen is stuck in a page fault loop). - -It turns out that this is because the 'dirty' argument to -ptep_set_access_flags is always 0 for read faults, and so we can't use -it to set PTE_RDONLY. The failing sequence is: - - 1. We put down a PTE_WRITE | PTE_DIRTY | PTE_AF pte - 2. Memory pressure -> pte_mkold(pte) -> clear PTE_AF - 3. A read faults due to the missing access flag - 4. ptep_set_access_flags is called with dirty = 0, due to the read fault - 5. pte is then made PTE_WRITE | PTE_DIRTY | PTE_AF | PTE_RDONLY (!) - 6. A write faults, but pte_write is true so we get stuck - -The solution is to check the new page table entry (as would be done by -the generic, non-atomic definition of ptep_set_access_flags that just -calls set_pte_at) to establish the dirty state. 
- -Cc: <sta...@vger.kernel.org> # 4.3+ -Fixes: 66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for hardware AF/DBM") -Reviewed-by: Catalin Marinas <catalin.mari...@arm.com> -Reported-by: Alexander Graf <ag...@suse.de> -Tested-by: Alexander Graf <ag...@suse.de> -Signed-off-by: Will Deacon <will.dea...@arm.com> -Signed-off-by: Alexander Graf <ag...@suse.de> ---- - arch/arm64/mm/fault.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c -index 40f5522..4c1a118 100644 ---- a/arch/arm64/mm/fault.c -+++ b/arch/arm64/mm/fault.c -@@ -109,7 +109,7 @@ int ptep_set_access_flags(struct vm_area_struct *vma, - * PTE_RDONLY is cleared by default in the asm below, so set it in - * back if necessary (read-only or clean PTE). - */ -- if (!pte_write(entry) || !dirty) -+ if (!pte_write(entry) || !pte_sw_dirty(entry)) - pte_val(entry) |= PTE_RDONLY; - - /* --- -1.8.5.6 - ++++++ patches.fixes.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/0001-KEYS-potential-uninitialized-variable.patch new/patches.fixes/0001-KEYS-potential-uninitialized-variable.patch --- old/patches.fixes/0001-KEYS-potential-uninitialized-variable.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/0001-KEYS-potential-uninitialized-variable.patch 2016-06-26 09:34:33.000000000 +0200 
@@ -0,0 +1,91 @@ +From 38327424b40bcebe2de92d07312c89360ac9229a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpen...@oracle.com> +Date: Thu, 16 Jun 2016 15:48:57 +0100 +Subject: [PATCH] KEYS: potential uninitialized variable + +Git-commit: 38327424b40bcebe2de92d07312c89360ac9229a +Patch-mainline: v4.7-rc4 +References: bsc#984755, CVE-2016-4470 + +If __key_link_begin() failed then "edit" would be uninitialized. I've +added a check to fix that. + +This allows a random user to crash the kernel, though it's quite +difficult to achieve. There are three ways it can be done as the user +would have to cause an error to occur in __key_link(): + + (1) Cause the kernel to run out of memory. In practice, this is difficult + to achieve without ENOMEM cropping up elsewhere and aborting the + attempt. + + (2) Revoke the destination keyring between the keyring ID being looked up + and it being tested for revocation. In practice, this is difficult to + time correctly because the KEYCTL_REJECT function can only be used + from the request-key upcall process. Further, users can only make use + of what's in /sbin/request-key.conf, though this does including a + rejection debugging test - which means that the destination keyring + has to be the caller's session keyring in practice. + + (3) Have just enough key quota available to create a key, a new session + keyring for the upcall and a link in the session keyring, but not then + sufficient quota to create a link in the nominated destination keyring + so that it fails with EDQUOT. + +The bug can be triggered using option (3) above using something like the +following: + + echo 80 >/proc/sys/kernel/keys/root_maxbytes + keyctl request2 user debug:fred negate @t + +The above sets the quota to something much lower (80) to make the bug +easier to trigger, but this is dependent on the system. 
Note also that +the name of the keyring created contains a random number that may be +between 1 and 10 characters in size, so may throw the test off by +changing the amount of quota used. + +Assuming the failure occurs, something like the following will be seen: + + kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h + ------------[ cut here ]------------ + kernel BUG at ../mm/slab.c:2821! + ... + RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25 + RSP: 0018:ffff8804014a7de8 EFLAGS: 00010092 + RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000 + RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300 + RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000 + R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202 + R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001 + ... + Call Trace: + kfree+0xde/0x1bc + assoc_array_cancel_edit+0x1f/0x36 + __key_link_end+0x55/0x63 + key_reject_and_link+0x124/0x155 + keyctl_reject_key+0xb6/0xe0 + keyctl_negate_key+0x10/0x12 + SyS_keyctl+0x9f/0xe7 + do_syscall_64+0x63/0x13a + entry_SYSCALL64_slow_path+0x25/0x25 + +Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()') +Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com> +Signed-off-by: David Howells <dhowe...@redhat.com> +cc: sta...@vger.kernel.org +Signed-off-by: Linus Torvalds <torva...@linux-foundation.org> +Acked-by: Lee, Chun-Yi <j...@suse.com> +--- + security/keys/key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -584,7 +584,7 @@ int key_reject_and_link(struct key *key, + + mutex_unlock(&key_construction_mutex); + +- if (keyring) ++ if (keyring && link_ret == 0) + __key_link_end(keyring, &key->index_key, edit); + + /* wake up anyone waiting for a key to be constructed */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' 
old/patches.fixes/base-make-module_create_drivers_dir-race-free.patch new/patches.fixes/base-make-module_create_drivers_dir-race-free.patch --- old/patches.fixes/base-make-module_create_drivers_dir-race-free.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/base-make-module_create_drivers_dir-race-free.patch 2016-06-26 09:34:33.000000000 +0200 
@@ -0,0 +1,86 @@ +From: Jiri Slaby <jsl...@suse.cz> +Date: Fri, 10 Jun 2016 10:54:32 +0200 +Subject: base: make module_create_drivers_dir race-free +Git-commit: 7e1b1fc4dabd6ec8e28baa0708866e13fa93c9b3 +Patch-mainline: v4.7-rc4 +References: bnc#983977 + +Modules which register drivers via standard path (driver_register) in +parallel can cause a warning: +WARNING: CPU: 2 PID: 3492 at ../fs/sysfs/dir.c:31 sysfs_warn_dup+0x62/0x80 +sysfs: cannot create duplicate filename '/module/saa7146/drivers' +Modules linked in: hexium_gemini(+) mxb(+) ... +... +Call Trace: +... + [<ffffffff812e63a2>] sysfs_warn_dup+0x62/0x80 + [<ffffffff812e6487>] sysfs_create_dir_ns+0x77/0x90 + [<ffffffff8140f2c4>] kobject_add_internal+0xb4/0x340 + [<ffffffff8140f5b8>] kobject_add+0x68/0xb0 + [<ffffffff8140f631>] kobject_create_and_add+0x31/0x70 + [<ffffffff8157a703>] module_add_driver+0xc3/0xd0 + [<ffffffff8155e5d4>] bus_add_driver+0x154/0x280 + [<ffffffff815604c0>] driver_register+0x60/0xe0 + [<ffffffff8145bed0>] __pci_register_driver+0x60/0x70 + [<ffffffffa0273e14>] saa7146_register_extension+0x64/0x90 [saa7146] + [<ffffffffa0033011>] hexium_init_module+0x11/0x1000 [hexium_gemini] +... + +As can be (mostly) seen, driver_register causes this call sequence: + -> bus_add_driver + -> module_add_driver + -> module_create_drivers_dir +The last one creates "drivers" directory in /sys/module/<...>. When +this is done in parallel, the directory is attempted to be created +twice at the same time. + +This can be easily reproduced by loading mxb and hexium_gemini in +parallel: +while :; do + modprobe mxb & + modprobe hexium_gemini + wait + rmmod mxb hexium_gemini saa7146_vv saa7146 +done + +saa7146 calls pci_register_driver for both mxb and hexium_gemini, +which means /sys/module/saa7146/drivers is to be created for both of +them. + +Fix this by a new mutex in module_create_drivers_dir which makes the +test-and-create "drivers" dir atomic. 
+ +I inverted the condition and removed 'return' to avoid multiple +unlocks or a goto. + +Signed-off-by: Jiri Slaby <jsl...@suse.cz> +Fixes: fe480a2675ed (Modules: only add drivers/ direcory if needed) +Cc: v2.6.21+ <sta...@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> +--- + drivers/base/module.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/base/module.c b/drivers/base/module.c +index db930d3ee312..2a215780eda2 100644 +--- a/drivers/base/module.c ++++ b/drivers/base/module.c +@@ -24,10 +24,12 @@ static char *make_driver_name(struct device_driver *drv) + + static void module_create_drivers_dir(struct module_kobject *mk) + { +- if (!mk || mk->drivers_dir) +- return; ++ static DEFINE_MUTEX(drivers_dir_mutex); + +- mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj); ++ mutex_lock(&drivers_dir_mutex); ++ if (mk && !mk->drivers_dir) ++ mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj); ++ mutex_unlock(&drivers_dir_mutex); + } + + void module_add_driver(struct module *mod, struct device_driver *drv) +-- +2.9.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/rds-fix-an-infoleak-in-rds_inc_info_copy.patch new/patches.fixes/rds-fix-an-infoleak-in-rds_inc_info_copy.patch --- old/patches.fixes/rds-fix-an-infoleak-in-rds_inc_info_copy.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/rds-fix-an-infoleak-in-rds_inc_info_copy.patch 2016-06-26 09:34:33.000000000 +0200 
@@ -0,0 +1,33 @@ +From: Kangjie Lu <kangji...@gmail.com> +Date: Thu, 2 Jun 2016 04:11:20 -0400 +Subject: rds: fix an infoleak in rds_inc_info_copy +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git +Git-commit: 4116def2337991b39919f3b448326e21c40e0dbb +Patch-mainline: Queued in davem's tree +References: bsc#983213 CVE-2016-5244 + +The last field "flags" of object "minfo" is not initialized. +Copying this object out may leak kernel stack data. +Assign 0 to it to avoid leak. + +Signed-off-by: Kangjie Lu <k...@gatech.edu> +Acked-by: Santosh Shilimkar <santosh.shilim...@oracle.com> +Signed-off-by: David S. Miller <da...@davemloft.net> +Acked-by: Borislav Petkov <b...@suse.de> +--- + net/rds/recv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/rds/recv.c b/net/rds/recv.c +index c0be1ecd11c9..8413f6c99e13 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -561,5 +561,7 @@ void rds_inc_info_copy(struct rds_incoming *inc, + minfo.fport = inc->i_hdr.h_dport; + } + ++ minfo.flags = 0; ++ + rds_info_copy(iter, &minfo, sizeof(minfo)); + } + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/tipc-check-nl-sock-before-parsing-nested-attributes.patch new/patches.fixes/tipc-check-nl-sock-before-parsing-nested-attributes.patch --- old/patches.fixes/tipc-check-nl-sock-before-parsing-nested-attributes.patch 2016-06-09 17:51:38.000000000 +0200 +++ new/patches.fixes/tipc-check-nl-sock-before-parsing-nested-attributes.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,40 +0,0 @@ -From: Richard Alpe <richard.a...@ericsson.com> -Date: Mon, 16 May 2016 11:14:54 +0200 -Subject: tipc: check nl sock before parsing nested attributes -Patch-mainline: v4.7-rc1 -Git-commit: 45e093ae2830cd1264677d47ff9a95a71f5d9f9c -References: CVE-2016-4951 bsc#981058 - -Make sure the socket for which the user is listing publication exists -before parsing the socket netlink attributes. - -Prior to this patch a call without any socket caused a NULL pointer -dereference in tipc_nl_publ_dump(). - -Tested-and-reported-by: Baozeng Ding <splovi...@gmail.com> -Signed-off-by: Richard Alpe <richard.a...@ericsson.com> -Acked-by: Jon Maloy <jon.ma...@ericsson.cm> -Signed-off-by: David S. Miller <da...@davemloft.net> -Acked-by: Michal Kubecek <mkube...@suse.cz> - ---- - net/tipc/socket.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/tipc/socket.c b/net/tipc/socket.c -index 3eeb50a27b89..5f80d3fa9c85 100644 ---- a/net/tipc/socket.c -+++ b/net/tipc/socket.c -@@ -2807,6 +2807,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb) - if (err) - return err; - -+ if (!attrs[TIPC_NLA_SOCK]) -+ return -EINVAL; -+ - err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, - attrs[TIPC_NLA_SOCK], - tipc_nl_sock_policy); --- -2.8.3 - ++++++ patches.kernel.org.tar.bz2 ++++++ ++++ 4811 lines of diff (skipped) ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.U8M6Dc/_old 2016-07-07 15:09:37.000000000 +0200 +++ /var/tmp/diff_new_pack.U8M6Dc/_new 2016-07-07 15:09:37.000000000 +0200 @@ -29,6 +29,7 @@ ######################################################## patches.kernel.org/patch-4.6.1 patches.kernel.org/patch-4.6.1-2 + patches.kernel.org/patch-4.6.2-3 ######################################################## # Build fixes that apply to the vanilla kernel too. 
@@ -79,6 +80,7 @@ # Scheduler / Core ######################################################## patches.suse/setuid-dumpable-wrongdir + patches.fixes/base-make-module_create_drivers_dir-race-free.patch ######################################################## # Architecture-specific patches. These used to be all @@ -172,7 +174,6 @@ patches.arch/arm64-3-6-drivers-net-phy-Add-MDIO-driver.patch patches.arch/arm64-6-6-drivers-net-xgene-Fix-module-load-unload-crash.patch - patches.arch/arm64-mm-always-take-dirty-state-from-new-pte-in-pte.patch ######################################################## # S/390 @@ -235,7 +236,9 @@ ######################################################## # Networking, IPv6 ######################################################## - patches.fixes/tipc-check-nl-sock-before-parsing-nested-attributes.patch + + # bsc#983213 CVE-2016-5244 + patches.fixes/rds-fix-an-infoleak-in-rds_inc_info_copy.patch ######################################################## # Netfilter @@ -435,6 +438,9 @@ # ########################################################## + # Bug 984755 - CVE-2016-4470: kernel-source: Uninitialized variable in request_key handling causes kernel crash in error handling path + patches.fixes/0001-KEYS-potential-uninitialized-variable.patch + ########################################################## # Audit ########################################################## ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.U8M6Dc/_old 2016-07-07 15:09:37.000000000 +0200 +++ /var/tmp/diff_new_pack.U8M6Dc/_new 2016-07-07 15:09:37.000000000 +0200 @@ -1,3 +1,3 @@ -2016-06-10 10:12:44 +0200 -GIT Revision: 2a68ef06204cc0147a96070ce5815eb47e35b33c +2016-06-26 09:34:33 +0200 +GIT Revision: d4bcf2abd85a8d69da9d3f3e4e5dc57c556bca61 GIT Branch: stable
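Review bot: the Release suffix in every spec hunk moves from `.g2a68ef0` to `.gd4bcf2a`, which matches the new `GIT Revision: d4bcf2abd85a8d69da9d3f3e4e5dc57c556bca61` in the source-timestamp hunk and the `commit d4bcf2a` line of the top changelog entry, and all nine spec files bump `patchversion`/`Version` to 4.6.3 together; nothing to change in those hunks.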
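Review bot: deleting patches.arch/arm64-mm-always-take-dirty-state-from-new-pte-in-pte.patch (and its series.conf entry) is only safe if the 4.6.3 stable update carries the same change; the patch header says just `Patch-mainline: Submitted 06/08/2016` with no Git-commit id, and the patches.kernel.org diff is skipped in this log (`++++ 4811 lines of diff (skipped)`), so confirm that patch-4.6.2-3 contains the one-line `if (!pte_write(entry) || !pte_sw_dirty(entry))` change in arch/arm64/mm/fault.c before bsc#983458 is treated as closed by the version bump.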
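Review bot: the new condition `if (keyring && link_ret == 0)` in key_reject_and_link() makes the `__key_link_end(keyring, &key->index_key, edit)` call depend on `link_ret` holding the result of __key_link_begin(), but the hunk's context lines do not show where `link_ret` is assigned; confirm it is set on every path that reaches this point with `keyring` non-NULL, including any early exit taken before __key_link_begin() runs, otherwise the uninitialized read described in the commit message just moves from `edit` to `link_ret`. A one-line comment above the check saying that `edit` is only valid after a successful __key_link_begin() would make that coupling visible in the code rather than only in the commit message.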
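Review bot: in module_create_drivers_dir() the `mk` NULL test is now evaluated under `drivers_dir_mutex`, so a NULL `mk` takes and releases a lock for nothing; an `if (!mk) return;` before `mutex_lock(&drivers_dir_mutex);` keeps the locked region to the test-and-create of `drivers_dir` without reintroducing the multiple unlocks the commit message wants to avoid. Also worth a short comment at the `static DEFINE_MUTEX(drivers_dir_mutex);` line: it is one global lock serialising the "drivers" directory creation for every module, which is fine for this rare path but is not obvious from a function-local static.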
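Review bot: `minfo.flags = 0;` initialises only the one field named in the commit message, while the unchanged `rds_info_copy(iter, &minfo, sizeof(minfo));` copies the whole object out; any padding bytes in the struct, and any field added to it later, would leak stack contents in exactly the same way. Zeroing the entire object where it is declared (`memset(&minfo, 0, sizeof(minfo));`, which unlike a brace initialiser also clears padding) is the more robust fix for a structure that is copied out whole, and is what I would ask for if this backport is carried long-term.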
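Review bot: removing patches.fixes/tipc-check-nl-sock-before-parsing-nested-attributes.patch for CVE-2016-4951 relies on its fix (`Git-commit: 45e093ae2830cd1264677d47ff9a95a71f5d9f9c`, `Patch-mainline: v4.7-rc1`) being in the 4.6.3 stable update; the top changelog entry lists CVE-2016-4951 bsc#981058 against Linux 4.6.3, which is consistent, but because the patches.kernel.org diff is skipped here, check that patch-4.6.2-3 adds the `if (!attrs[TIPC_NLA_SOCK]) return -EINVAL;` guard in tipc_nl_publ_dump() so the NULL dereference the patch describes is not reopened by the bump.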
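Review bot: in the series.conf hunks the rds entry gets a `# bsc#983213 CVE-2016-5244` comment and the KEYS entry a `# Bug 984755 - CVE-2016-4470: ...` comment, but the new `patches.fixes/base-make-module_create_drivers_dir-race-free.patch` line in the Scheduler / Core section carries no bnc#983977 reference; add the same style of comment there so every added entry can be traced to its bug without opening the patch. The `@@ -235,7 +236,9 @@` hunk also leaves a stray empty line where the tipc entry stood, directly under the `# Networking, IPv6` banner, which can be dropped.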