From: Jan Rękorajski Date: Thu, 14 Sep 2017 21:15:09 +0000 (+0200) Subject: - up to 4.9.50, CVE-2017-14340 fix merged upstream X-Git-Tag: auto/th/kernel-4.9-4.9.50-1 X-Git-Url: http://git.pld-linux.org/gitweb.cgi?a=commitdiff_plain;h=91525cbd1b7516200f611670a20704a5b35eaf37;p=packages%2Fkernel.git - up to 4.9.50, CVE-2017-14340 fix merged upstream --- diff --git a/kernel-small_fixes.patch b/kernel-small_fixes.patch index 46c63695..319191ce 100644 --- a/kernel-small_fixes.patch +++ b/kernel-small_fixes.patch 
@@ -61,69 +61,3 @@ index 098ce9b179ee..fcf8d0aa66ec 100644 -- 2.11.0 -commit b31ff3cdf540110da4572e3e29bd172087af65cc -Author: Richard Wareing -Date: Wed Sep 13 09:09:35 2017 +1000 - - xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present - - If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on - a directory in a filesystem that does not have a realtime device and - create a new file in that directory, it gets marked as a real time file. - When data is written and a fsync is issued, the filesystem attempts to - flush a non-existent rt device during the fsync process. - - This results in a crash dereferencing a null buftarg pointer in - xfs_blkdev_issue_flush(): - - BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 - IP: xfs_blkdev_issue_flush+0xd/0x20 - ..... - Call Trace: - xfs_file_fsync+0x188/0x1c0 - vfs_fsync_range+0x3b/0xa0 - do_fsync+0x3d/0x70 - SyS_fsync+0x10/0x20 - do_syscall_64+0x4d/0xb0 - entry_SYSCALL64_slow_path+0x25/0x25 - - Setting RT inode flags does not require special privileges so any - unprivileged user can cause this oops to occur. To reproduce, confirm - kernel is compiled with CONFIG_XFS_RT=y and run: - - # mkfs.xfs -f /dev/pmem0 - # mount /dev/pmem0 /mnt/test - # mkdir /mnt/test/foo - # xfs_io -c 'chattr +t' /mnt/test/foo - # xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar - - Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait. - - Kernels built with CONFIG_XFS_RT=n are not exposed to this bug. - - Fixes: f538d4da8d52 ("[XFS] write barrier support") - Cc: - Signed-off-by: Richard Wareing - Signed-off-by: Dave Chinner - 
Signed-off-by: Linus Torvalds - -diff --git a/fs/xfs/xfs_linux.h b/fs/xfs/xfs_linux.h -index 9301c5a6060b..dcd1292664b3 100644 ---- a/fs/xfs/xfs_linux.h -+++ b/fs/xfs/xfs_linux.h -@@ -270,7 +270,14 @@ static inline uint64_t howmany_64(uint64_t x, uint32_t y) - #endif /* DEBUG */ - - #ifdef CONFIG_XFS_RT --#define XFS_IS_REALTIME_INODE(ip) ((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME) -+ -+/* -+ * make sure we ignore the inode flag if the filesystem doesn't have a -+ * configured realtime device. -+ */ -+#define XFS_IS_REALTIME_INODE(ip) \ -+ (((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME) && \ -+ (ip)->i_mount->m_rtdev_targp) - #else - #define XFS_IS_REALTIME_INODE(ip) (0) - #endif diff --git a/kernel.spec b/kernel.spec index f0948849..16c568fd 100644 --- a/kernel.spec +++ b/kernel.spec @@ -73,7 +73,7 @@ %define rel 1 %define basever 4.9 -%define postver .49 +%define postver .50 # define this to '-%{basever}' for longterm branch %define versuffix -%{basever} @@ -125,7 +125,7 @@ Source0: https://www.kernel.org/pub/linux/kernel/v4.x/linux-%{basever}.tar.xz # Source0-md5: 0a68ef3615c64bd5ee54a3320e46667d %if "%{postver}" != ".0" Patch0: https://www.kernel.org/pub/linux/kernel/v4.x/patch-%{version}.xz -# Patch0-md5: 034e10554bed9724f30f25adc020aecc +# Patch0-md5: 32a3d12bfa53372aed82ce7f5539730e %endif Source1: kernel.sysconfig
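Review bot: in the kernel-small_fixes.patch hunk (`@@ -61,69 +61,3 @@`), the local copy of b31ff3cdf540 is dropped on the strength of the subject line alone, and nothing in the diff records which change in patch-4.9.50 replaces it. Name the corresponding 4.9.50 stable commit in the commit message so the removal can be audited. After the bump, confirm in the prepared tree that `XFS_IS_REALTIME_INODE(ip)` in fs/xfs/xfs_linux.h also tests `(ip)->i_mount->m_rtdev_targp`, since the removed message states that any unprivileged user can trigger the oops on kernels built with CONFIG_XFS_RT=y. The removed text never mentions CVE-2017-14340, so the CVE mapping is recorded only in this commit's subject.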
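Review bot: in the last kernel.spec hunk (`@@ -125,7 +125,7 @@`), the only integrity record for the new patch-%{version}.xz is the `# Patch0-md5:` comment, and MD5 is not collision resistant. Before updating that value, check the downloaded file against the signed sha256sums.asc that kernel.org publishes next to the patch, and say in the commit message that this was done, so the md5 line serves as a fetch checksum rather than as the trust anchor for a security update.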