-rw-r--r--libre-testing/linux-libre/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch80
-rw-r--r--libre-testing/linux-libre/PKGBUILD15
-rw-r--r--libre-testing/linux-libre/i8042-fix-aliases.patch226
3 files changed, 203 insertions, 118 deletions
diff --git a/libre-testing/linux-libre/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch b/libre-testing/linux-libre/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch
new file mode 100644
index 000000000..3f1bccc80
--- /dev/null
+++ b/libre-testing/linux-libre/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch
@@ -0,0 +1,80 @@
+From 2def2ef2ae5f3990aabdbe8a755911902707d268 Mon Sep 17 00:00:00 2001
+From: PaX Team <pageexec@freemail.hu>
+Date: Thu, 30 Jan 2014 16:59:25 -0800
+Subject: [PATCH] x86, x32: Correct invalid use of user timespec in the kernel
+
+The x32 case for the recvmsg() timout handling is broken:
+
+ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ unsigned int vlen, unsigned int flags,
+ struct compat_timespec __user *timeout)
+ {
+ int datagrams;
+ struct timespec ktspec;
+
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+
+ if (COMPAT_USE_64BIT_TIME)
+ return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ flags | MSG_CMSG_COMPAT,
+ (struct timespec *) timeout);
+ ...
+
+The timeout pointer parameter is provided by userland (hence the __user
+annotation) but for x32 syscalls it's simply cast to a kernel pointer
+and is passed to __sys_recvmmsg which will eventually directly
+dereference it for both reading and writing. Other callers to
+__sys_recvmmsg properly copy from userland to the kernel first.
+
+The bug was introduced by commit ee4fa23c4bfc ("compat: Use
+COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels
+since 3.4 (and perhaps vendor kernels if they backported x32 support
+along with this code).
+
+Note that CONFIG_X86_X32_ABI gets enabled at build time and only if
+CONFIG_X86_X32 is enabled and ld can build x32 executables.
+
+Other uses of COMPAT_USE_64BIT_TIME seem fine.
+
+This addresses CVE-2014-0038.
+
+Signed-off-by: PaX Team <pageexec@freemail.hu>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v3.4+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ net/compat.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/net/compat.c b/net/compat.c
+index dd32e34..f50161f 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+
+- if (COMPAT_USE_64BIT_TIME)
+- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+- flags | MSG_CMSG_COMPAT,
+- (struct timespec *) timeout);
+-
+ if (timeout == NULL)
+ return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ flags | MSG_CMSG_COMPAT, NULL);
+
+- if (get_compat_timespec(&ktspec, timeout))
++ if (compat_get_timespec(&ktspec, timeout))
+ return -EFAULT;
+
+ datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ flags | MSG_CMSG_COMPAT, &ktspec);
+- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout))
++ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout))
+ datagrams = -EFAULT;
+
+ return datagrams;
+--
+1.8.5.3
+
diff --git a/libre-testing/linux-libre/PKGBUILD b/libre-testing/linux-libre/PKGBUILD
index e295e81ad..c9368029f 100644
--- a/libre-testing/linux-libre/PKGBUILD
+++ b/libre-testing/linux-libre/PKGBUILD
@@ -12,8 +12,8 @@ pkgbase=linux-libre # Build stock -LIBRE kernel
_basekernel=3.13
_sublevel=1
pkgver=${_basekernel}.${_sublevel}
-pkgrel=1
-_lxopkgver=${_basekernel}.0 # nearly always the same as pkgver
+pkgrel=2
+_lxopkgver=${_basekernel}.1 # nearly always the same as pkgver
arch=('i686' 'x86_64' 'mips64el')
url="http://linux-libre.fsfla.org/"
license=('GPL2')
@@ -38,7 +38,8 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
'0006-rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-no.patch'
'0001-syscalls.h-use-gcc-alias-instead-of-assembler-aliase.patch'
'i8042-fix-aliases.patch'
- "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.bz2")
+ '0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch'
+ "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
md5sums=('98a8e803e0ed08557f3cdd4d56b0ddc1'
'312e6bf90c4de3f455669f8cccf4eddd'
'b6a3a3f9cac1be38384241ad58d45d46'
@@ -56,8 +57,9 @@ md5sums=('98a8e803e0ed08557f3cdd4d56b0ddc1'
'd5907a721b97299f0685c583499f7820'
'a724515b350b29c53f20e631c6cf9a14'
'e6fa278c092ad83780e2dd0568e24ca6'
- '47fc9cc705752f1f16db23383504e194'
- '7e16faa84d4cd04e43bca12bdf9d9e4b')
+ '93dbf73af819b77f03453a9c6de2bb47'
+ '336d2c4afd7ee5f2bdf0dcb1a54df4b2'
+ '7710668dfdd138f3ad0b93c50455455e')
if [ "$CARCH" != "mips64el" ]; then
# don't use the Loongson-specific patches on non-mips64el arches.
unset source[${#source[@]}-1]
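Review bot: The entries added to `md5sums=` are the only integrity check on the new CVE-2014-0038 patch and on the re-packed Loongson tarball, and the `source=` URLs shown in the previous hunk are plain `http://`. MD5 no longer provides collision resistance, so it is a weak anchor for a kernel package whose inputs travel over an unauthenticated channel. I would switch the array to `sha256sums=(...)`, regenerated with `makepkg -g` rather than edited by hand. If upstream publishes detached signatures, also list the signature file in `source=` and pin the signer with `validpgpkeys=`. The array opens outside this hunk, so the change has to cover the entries not shown here as well.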
@@ -110,6 +112,9 @@ prepare() {
# Fix i8042 aliases
patch -p1 -i "${srcdir}/i8042-fix-aliases.patch"
+ # Fix CVE-2014-0038
+ patch -p1 -i "${srcdir}/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch"
+
if [ "$CARCH" == "mips64el" ]; then
sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre|" Makefile
sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \
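Review bot: The comment `# Fix CVE-2014-0038` does not say which upstream change the patch carries or when it can be dropped. The embedded patch is tagged `Cc: <stable@vger.kernel.org> # v3.4+`, so a later `_sublevel` bump will presumably already contain it, and `patch -p1` would then stop on an already-applied hunk. I would write it as `# Fix CVE-2014-0038 (x32 compat_sys_recvmmsg user timespec, upstream 2def2ef2ae5f); drop once the packaged stable release includes it`. The body of `prepare()` starts and ends outside this hunk.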
diff --git a/libre-testing/linux-libre/i8042-fix-aliases.patch b/libre-testing/linux-libre/i8042-fix-aliases.patch
index 302dcf604..961968c78 100644
--- a/libre-testing/linux-libre/i8042-fix-aliases.patch
+++ b/libre-testing/linux-libre/i8042-fix-aliases.patch
@@ -1,113 +1,113 @@
-commit 5a420e61e39862c7c3356080eddb23dfe4ccadb7
-Author: Tom Gundersen <teg@jklm.no>
-Date: Sun Jan 26 17:00:32 2014 +0100
-
- Input: i8042 - fix PNP modaliases when both aux and kdb are enabled
-
- Commit 78551277e4 exposed the PNP modaliases for the i8042 module. However,
- when both the aux and the kbd drivers are enabled the aux entries would
- override the kdb ones.
-
- Refactor the device_id lists, and unconditionally attempt to load the driver
- if either a kdb or aux devices is present.
-
- Signed-off-by: Tom Gundersen <teg@jklm.no>
-
-diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
-index 0ec9abb..dbc6958 100644
---- a/drivers/input/serio/i8042-x86ia64io.h
-+++ b/drivers/input/serio/i8042-x86ia64io.h
-@@ -747,25 +747,27 @@ static int i8042_pnp_aux_probe(struct pnp_dev *dev, const struct pnp_device_id *
- return 0;
- }
-
--static struct pnp_device_id pnp_kbd_devids[] = {
-- { .id = "PNP0300", .driver_data = 0 },
-- { .id = "PNP0301", .driver_data = 0 },
-- { .id = "PNP0302", .driver_data = 0 },
-- { .id = "PNP0303", .driver_data = 0 },
-- { .id = "PNP0304", .driver_data = 0 },
-- { .id = "PNP0305", .driver_data = 0 },
-- { .id = "PNP0306", .driver_data = 0 },
-- { .id = "PNP0309", .driver_data = 0 },
-- { .id = "PNP030a", .driver_data = 0 },
-- { .id = "PNP030b", .driver_data = 0 },
-- { .id = "PNP0320", .driver_data = 0 },
-- { .id = "PNP0343", .driver_data = 0 },
-- { .id = "PNP0344", .driver_data = 0 },
-- { .id = "PNP0345", .driver_data = 0 },
-+#define KBD_DEVIDS \
-+ { .id = "PNP0300", .driver_data = 0 }, \
-+ { .id = "PNP0301", .driver_data = 0 }, \
-+ { .id = "PNP0302", .driver_data = 0 }, \
-+ { .id = "PNP0303", .driver_data = 0 }, \
-+ { .id = "PNP0304", .driver_data = 0 }, \
-+ { .id = "PNP0305", .driver_data = 0 }, \
-+ { .id = "PNP0306", .driver_data = 0 }, \
-+ { .id = "PNP0309", .driver_data = 0 }, \
-+ { .id = "PNP030a", .driver_data = 0 }, \
-+ { .id = "PNP030b", .driver_data = 0 }, \
-+ { .id = "PNP0320", .driver_data = 0 }, \
-+ { .id = "PNP0343", .driver_data = 0 }, \
-+ { .id = "PNP0344", .driver_data = 0 }, \
-+ { .id = "PNP0345", .driver_data = 0 }, \
- { .id = "CPQA0D7", .driver_data = 0 },
-+
-+static struct pnp_device_id pnp_kbd_devids[] = {
-+ KBD_DEVIDS
- { .id = "", },
- };
--MODULE_DEVICE_TABLE(pnp, pnp_kbd_devids);
-
- static struct pnp_driver i8042_pnp_kbd_driver = {
- .name = "i8042 kbd",
-@@ -773,21 +775,23 @@ static struct pnp_driver i8042_pnp_kbd_driver = {
- .probe = i8042_pnp_kbd_probe,
- };
-
--static struct pnp_device_id pnp_aux_devids[] = {
-- { .id = "AUI0200", .driver_data = 0 },
-- { .id = "FJC6000", .driver_data = 0 },
-- { .id = "FJC6001", .driver_data = 0 },
-- { .id = "PNP0f03", .driver_data = 0 },
-- { .id = "PNP0f0b", .driver_data = 0 },
-- { .id = "PNP0f0e", .driver_data = 0 },
-- { .id = "PNP0f12", .driver_data = 0 },
-- { .id = "PNP0f13", .driver_data = 0 },
-- { .id = "PNP0f19", .driver_data = 0 },
-- { .id = "PNP0f1c", .driver_data = 0 },
-+#define AUX_DEVIDS \
-+ { .id = "AUI0200", .driver_data = 0 }, \
-+ { .id = "FJC6000", .driver_data = 0 }, \
-+ { .id = "FJC6001", .driver_data = 0 }, \
-+ { .id = "PNP0f03", .driver_data = 0 }, \
-+ { .id = "PNP0f0b", .driver_data = 0 }, \
-+ { .id = "PNP0f0e", .driver_data = 0 }, \
-+ { .id = "PNP0f12", .driver_data = 0 }, \
-+ { .id = "PNP0f13", .driver_data = 0 }, \
-+ { .id = "PNP0f19", .driver_data = 0 }, \
-+ { .id = "PNP0f1c", .driver_data = 0 }, \
- { .id = "SYN0801", .driver_data = 0 },
-+
-+static struct pnp_device_id pnp_aux_devids[] = {
-+ AUX_DEVIDS
- { .id = "", },
- };
--MODULE_DEVICE_TABLE(pnp, pnp_aux_devids);
-
- static struct pnp_driver i8042_pnp_aux_driver = {
- .name = "i8042 aux",
-@@ -795,6 +799,13 @@ static struct pnp_driver i8042_pnp_aux_driver = {
- .probe = i8042_pnp_aux_probe,
- };
-
-+static struct pnp_device_id pnp_kdb_aux_devids[] = {
-+ KBD_DEVIDS
-+ AUX_DEVIDS
-+ { .id = "", },
-+};
-+MODULE_DEVICE_TABLE(pnp, pnp_kdb_aux_devids);
-+
- static void i8042_pnp_exit(void)
- {
- if (i8042_pnp_kbd_registered) {
+commit 5a420e61e39862c7c3356080eddb23dfe4ccadb7
+Author: Tom Gundersen <teg@jklm.no>
+Date: Sun Jan 26 17:00:32 2014 +0100
+
+ Input: i8042 - fix PNP modaliases when both aux and kdb are enabled
+
+ Commit 78551277e4 exposed the PNP modaliases for the i8042 module. However,
+ when both the aux and the kbd drivers are enabled the aux entries would
+ override the kdb ones.
+
+ Refactor the device_id lists, and unconditionally attempt to load the driver
+ if either a kdb or aux devices is present.
+
+ Signed-off-by: Tom Gundersen <teg@jklm.no>
+
+diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
+index 0ec9abb..dbc6958 100644
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -747,25 +747,27 @@ static int i8042_pnp_aux_probe(struct pnp_dev *dev, const struct pnp_device_id *
+ return 0;
+ }
+
+-static struct pnp_device_id pnp_kbd_devids[] = {
+- { .id = "PNP0300", .driver_data = 0 },
+- { .id = "PNP0301", .driver_data = 0 },
+- { .id = "PNP0302", .driver_data = 0 },
+- { .id = "PNP0303", .driver_data = 0 },
+- { .id = "PNP0304", .driver_data = 0 },
+- { .id = "PNP0305", .driver_data = 0 },
+- { .id = "PNP0306", .driver_data = 0 },
+- { .id = "PNP0309", .driver_data = 0 },
+- { .id = "PNP030a", .driver_data = 0 },
+- { .id = "PNP030b", .driver_data = 0 },
+- { .id = "PNP0320", .driver_data = 0 },
+- { .id = "PNP0343", .driver_data = 0 },
+- { .id = "PNP0344", .driver_data = 0 },
+- { .id = "PNP0345", .driver_data = 0 },
++#define KBD_DEVIDS \
++ { .id = "PNP0300", .driver_data = 0 }, \
++ { .id = "PNP0301", .driver_data = 0 }, \
++ { .id = "PNP0302", .driver_data = 0 }, \
++ { .id = "PNP0303", .driver_data = 0 }, \
++ { .id = "PNP0304", .driver_data = 0 }, \
++ { .id = "PNP0305", .driver_data = 0 }, \
++ { .id = "PNP0306", .driver_data = 0 }, \
++ { .id = "PNP0309", .driver_data = 0 }, \
++ { .id = "PNP030a", .driver_data = 0 }, \
++ { .id = "PNP030b", .driver_data = 0 }, \
++ { .id = "PNP0320", .driver_data = 0 }, \
++ { .id = "PNP0343", .driver_data = 0 }, \
++ { .id = "PNP0344", .driver_data = 0 }, \
++ { .id = "PNP0345", .driver_data = 0 }, \
+ { .id = "CPQA0D7", .driver_data = 0 },
++
++static struct pnp_device_id pnp_kbd_devids[] = {
++ KBD_DEVIDS
+ { .id = "", },
+ };
+-MODULE_DEVICE_TABLE(pnp, pnp_kbd_devids);
+
+ static struct pnp_driver i8042_pnp_kbd_driver = {
+ .name = "i8042 kbd",
+@@ -773,21 +775,23 @@ static struct pnp_driver i8042_pnp_kbd_driver = {
+ .probe = i8042_pnp_kbd_probe,
+ };
+
+-static struct pnp_device_id pnp_aux_devids[] = {
+- { .id = "AUI0200", .driver_data = 0 },
+- { .id = "FJC6000", .driver_data = 0 },
+- { .id = "FJC6001", .driver_data = 0 },
+- { .id = "PNP0f03", .driver_data = 0 },
+- { .id = "PNP0f0b", .driver_data = 0 },
+- { .id = "PNP0f0e", .driver_data = 0 },
+- { .id = "PNP0f12", .driver_data = 0 },
+- { .id = "PNP0f13", .driver_data = 0 },
+- { .id = "PNP0f19", .driver_data = 0 },
+- { .id = "PNP0f1c", .driver_data = 0 },
++#define AUX_DEVIDS \
++ { .id = "AUI0200", .driver_data = 0 }, \
++ { .id = "FJC6000", .driver_data = 0 }, \
++ { .id = "FJC6001", .driver_data = 0 }, \
++ { .id = "PNP0f03", .driver_data = 0 }, \
++ { .id = "PNP0f0b", .driver_data = 0 }, \
++ { .id = "PNP0f0e", .driver_data = 0 }, \
++ { .id = "PNP0f12", .driver_data = 0 }, \
++ { .id = "PNP0f13", .driver_data = 0 }, \
++ { .id = "PNP0f19", .driver_data = 0 }, \
++ { .id = "PNP0f1c", .driver_data = 0 }, \
+ { .id = "SYN0801", .driver_data = 0 },
++
++static struct pnp_device_id pnp_aux_devids[] = {
++ AUX_DEVIDS
+ { .id = "", },
+ };
+-MODULE_DEVICE_TABLE(pnp, pnp_aux_devids);
+
+ static struct pnp_driver i8042_pnp_aux_driver = {
+ .name = "i8042 aux",
+@@ -795,6 +799,13 @@ static struct pnp_driver i8042_pnp_aux_driver = {
+ .probe = i8042_pnp_aux_probe,
+ };
+
++static struct pnp_device_id pnp_kdb_aux_devids[] = {
++ KBD_DEVIDS
++ AUX_DEVIDS
++ { .id = "", },
++};
++MODULE_DEVICE_TABLE(pnp, pnp_kdb_aux_devids);
++
+ static void i8042_pnp_exit(void)
+ {
+ if (i8042_pnp_kbd_registered) {