Diffstat (limited to 'kernels/linux-libre-lts-knock')
3 files changed, 100 insertions, 189 deletions
diff --git a/kernels/linux-libre-lts-knock/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch b/kernels/linux-libre-lts-knock/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch
new file mode 100644
index 000000000..3f1bccc80
--- /dev/null
+++ b/kernels/linux-libre-lts-knock/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch
@@ -0,0 +1,80 @@
+From 2def2ef2ae5f3990aabdbe8a755911902707d268 Mon Sep 17 00:00:00 2001
+From: PaX Team <pageexec@freemail.hu>
+Date: Thu, 30 Jan 2014 16:59:25 -0800
+Subject: [PATCH] x86, x32: Correct invalid use of user timespec in the kernel
+
+The x32 case for the recvmsg() timout handling is broken:
+
+ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ unsigned int vlen, unsigned int flags,
+ struct compat_timespec __user *timeout)
+ {
+ int datagrams;
+ struct timespec ktspec;
+
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+
+ if (COMPAT_USE_64BIT_TIME)
+ return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ flags | MSG_CMSG_COMPAT,
+ (struct timespec *) timeout);
+ ...
+
+The timeout pointer parameter is provided by userland (hence the __user
+annotation) but for x32 syscalls it's simply cast to a kernel pointer
+and is passed to __sys_recvmmsg which will eventually directly
+dereference it for both reading and writing. Other callers to
+__sys_recvmmsg properly copy from userland to the kernel first.
+
+The bug was introduced by commit ee4fa23c4bfc ("compat: Use
+COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels
+since 3.4 (and perhaps vendor kernels if they backported x32 support
+along with this code).
+
+Note that CONFIG_X86_X32_ABI gets enabled at build time and only if
+CONFIG_X86_X32 is enabled and ld can build x32 executables.
+
+Other uses of COMPAT_USE_64BIT_TIME seem fine.
+
+This addresses CVE-2014-0038.
+
+Signed-off-by: PaX Team <pageexec@freemail.hu>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v3.4+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ net/compat.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/net/compat.c b/net/compat.c
+index dd32e34..f50161f 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ if (flags & MSG_CMSG_COMPAT)
+ return -EINVAL;
+
+- if (COMPAT_USE_64BIT_TIME)
+- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+- flags | MSG_CMSG_COMPAT,
+- (struct timespec *) timeout);
+-
+ if (timeout == NULL)
+ return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ flags | MSG_CMSG_COMPAT, NULL);
+
+- if (get_compat_timespec(&ktspec, timeout))
++ if (compat_get_timespec(&ktspec, timeout))
+ return -EFAULT;
+
+ datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ flags | MSG_CMSG_COMPAT, &ktspec);
+- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout))
++ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout))
+ datagrams = -EFAULT;
+
+ return datagrams;
+--
+1.8.5.3
+
diff --git a/kernels/linux-libre-lts-knock/3.10.6-logitech-dj.patch b/kernels/linux-libre-lts-knock/3.10.6-logitech-dj.patch
deleted file mode 100644
index 1c112ccde..000000000
--- a/kernels/linux-libre-lts-knock/3.10.6-logitech-dj.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From c63e0e370028d7e4033bd40165f18499872b5183 Mon Sep 17 00:00:00 2001
-From: Nestor Lopez Casado <nlopezcasad@logitech.com>
-Date: Thu, 18 Jul 2013 13:21:30 +0000
-Subject: HID: Revert "Revert "HID: Fix logitech-dj: missing Unifying device issue""
-
-This reverts commit 8af6c08830b1ae114d1a8b548b1f8b056e068887.
-
-This patch re-adds the workaround introduced by 596264082f10dd4
-which was reverted by 8af6c08830b1ae114.
-
-The original patch 596264 was needed to overcome a situation where
-the hid-core would drop incoming reports while probe() was being
-executed.
-
-This issue was solved by c849a6143bec520af which added
-hid_device_io_start() and hid_device_io_stop() that enable a specific
-hid driver to opt-in for input reports while its probe() is being
-executed.
-
-Commit a9dd22b730857347 modified hid-logitech-dj so as to use the
-functionality added to hid-core. Having done that, workaround 596264
-was no longer necessary and was reverted by 8af6c08.
-
-We now encounter a different problem that ends up 'again' thwarting
-the Unifying receiver enumeration. The problem is time and usb controller
-dependent. Ocasionally the reports sent to the usb receiver to start
-the paired devices enumeration fail with -EPIPE and the receiver never
-gets to enumerate the paired devices.
-
-With dcd9006b1b053c7b1c the problem was "hidden" as the call to the usb
-driver became asynchronous and none was catching the error from the
-failing URB.
-
-As the root cause for this failing SET_REPORT is not understood yet,
--possibly a race on the usb controller drivers or a problem with the
-Unifying receiver- reintroducing this workaround solves the problem.
-
-Overall what this workaround does is: If an input report from an
-unknown device is received, then a (re)enumeration is performed.
-
-related bug:
-https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1194649
-
-Signed-off-by: Nestor Lopez Casado <nlopezcasad@logitech.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
-diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
-index 5207591a..cd33084 100644
---- a/drivers/hid/hid-logitech-dj.c
-+++ b/drivers/hid/hid-logitech-dj.c
-@@ -192,6 +192,7 @@ static struct hid_ll_driver logi_dj_ll_driver;
- static int logi_dj_output_hidraw_report(struct hid_device *hid, u8 * buf,
- size_t count,
- unsigned char report_type);
-+static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev);
-
- static void logi_dj_recv_destroy_djhid_device(struct dj_receiver_dev *djrcv_dev,
- struct dj_report *dj_report)
-@@ -232,6 +233,7 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
- if (dj_report->report_params[DEVICE_PAIRED_PARAM_SPFUNCTION] &
- SPFUNCTION_DEVICE_LIST_EMPTY) {
- dbg_hid("%s: device list is empty\n", __func__);
-+ djrcv_dev->querying_devices = false;
- return;
- }
-
-@@ -242,6 +244,12 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
- return;
- }
-
-+ if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
-+ /* The device is already known. No need to reallocate it. */
-+ dbg_hid("%s: device is already known\n", __func__);
-+ return;
-+ }
-+
- dj_hiddev = hid_allocate_device();
- if (IS_ERR(dj_hiddev)) {
- dev_err(&djrcv_hdev->dev, "%s: hid_allocate_device failed\n",
-@@ -305,6 +313,7 @@ static void delayedwork_callback(struct work_struct *work)
- struct dj_report dj_report;
- unsigned long flags;
- int count;
-+ int retval;
-
- dbg_hid("%s\n", __func__);
-
-@@ -337,6 +346,25 @@ static void delayedwork_callback(struct work_struct *work)
- logi_dj_recv_destroy_djhid_device(djrcv_dev, &dj_report);
- break;
- default:
-+ /* A normal report (i. e. not belonging to a pair/unpair notification)
-+ * arriving here, means that the report arrived but we did not have a
-+ * paired dj_device associated to the report's device_index, this
-+ * means that the original "device paired" notification corresponding
-+ * to this dj_device never arrived to this driver. The reason is that
-+ * hid-core discards all packets coming from a device while probe() is
-+ * executing. */
-+ if (!djrcv_dev->paired_dj_devices[dj_report.device_index]) {
-+ /* ok, we don't know the device, just re-ask the
-+ * receiver for the list of connected devices. */
-+ retval = logi_dj_recv_query_paired_devices(djrcv_dev);
-+ if (!retval) {
-+ /* everything went fine, so just leave */
-+ break;
-+ }
-+ dev_err(&djrcv_dev->hdev->dev,
-+ "%s:logi_dj_recv_query_paired_devices "
-+ "error:%d\n", __func__, retval);
-+ }
- dbg_hid("%s: unexpected report type\n", __func__);
- }
- }
-@@ -367,6 +395,12 @@ static void logi_dj_recv_forward_null_report(struct dj_receiver_dev *djrcv_dev,
- if (!djdev) {
- dbg_hid("djrcv_dev->paired_dj_devices[dj_report->device_index]"
- " is NULL, index %d\n", dj_report->device_index);
-+ kfifo_in(&djrcv_dev->notif_fifo, dj_report, sizeof(struct dj_report));
-+
-+ if (schedule_work(&djrcv_dev->work) == 0) {
-+ dbg_hid("%s: did not schedule the work item, was already "
-+ "queued\n", __func__);
-+ }
- return;
- }
-
-@@ -397,6 +431,12 @@ static void logi_dj_recv_forward_report(struct dj_receiver_dev *djrcv_dev,
- if (dj_device == NULL) {
- dbg_hid("djrcv_dev->paired_dj_devices[dj_report->device_index]"
- " is NULL, index %d\n", dj_report->device_index);
-+ kfifo_in(&djrcv_dev->notif_fifo, dj_report, sizeof(struct dj_report));
-+
-+ if (schedule_work(&djrcv_dev->work) == 0) {
-+ dbg_hid("%s: did not schedule the work item, was already "
-+ "queued\n", __func__);
-+ }
- return;
- }
-
-@@ -444,6 +484,10 @@ static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev)
- struct dj_report *dj_report;
- int retval;
-
-+ /* no need to protect djrcv_dev->querying_devices */
-+ if (djrcv_dev->querying_devices)
-+ return 0;
-+
- dj_report = kzalloc(sizeof(struct dj_report), GFP_KERNEL);
- if (!dj_report)
- return -ENOMEM;
-@@ -455,6 +499,7 @@ static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev)
- return retval;
- }
-
-+
- static int logi_dj_recv_switch_to_dj_mode(struct dj_receiver_dev *djrcv_dev,
- unsigned timeout)
- {
-diff --git a/drivers/hid/hid-logitech-dj.h b/drivers/hid/hid-logitech-dj.h
-index fd28a5e..4a40003 100644
---- a/drivers/hid/hid-logitech-dj.h
-+++ b/drivers/hid/hid-logitech-dj.h
-@@ -101,6 +101,7 @@ struct dj_receiver_dev {
- struct work_struct work;
- struct kfifo notif_fifo;
- spinlock_t lock;
-+ bool querying_devices;
- };
-
- struct dj_device {
---
-cgit v0.9.2
diff --git a/kernels/linux-libre-lts-knock/PKGBUILD b/kernels/linux-libre-lts-knock/PKGBUILD
index 3d42ff6ab..d008ca244 100644
--- a/kernels/linux-libre-lts-knock/PKGBUILD
+++ b/kernels/linux-libre-lts-knock/PKGBUILD
@@ -1,4 +1,4 @@
-# $Id: PKGBUILD 203427 2014-01-10 20:21:13Z andyrtr $
+# $Id: PKGBUILD 204934 2014-01-31 16:13:52Z bpiotrowski $
 # Maintainer: Tobias Powalowski <tpowa@archlinux.org>
 # Maintainer: Thomas Baechler <thomas@archlinux.org>
 # Maintainer (Parabola): André Silva <emulatorman@parabola.nu>
@@ -10,11 +10,11 @@
 pkgbase=linux-libre-lts-knock # Build stock -LIBRE-LTS-KNOCK kernel
 #pkgbase=linux-libre-custom # Build kernel with a different name
 _basekernel=3.10
-_sublevel=26
+_sublevel=28
 _knockpatchver=${_basekernel}
 pkgver=${_basekernel}.${_sublevel}
-pkgrel=1
-_lxopkgver=${_basekernel}.26 # nearly always the same as pkgver
+pkgrel=1.1
+_lxopkgver=${_basekernel}.28 # nearly always the same as pkgver
 arch=('i686' 'x86_64' 'mips64el')
 url="http://linux-libre.fsfla.org/"
 license=('GPL2')
@@ -32,10 +32,10 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn 'boot-logo.patch' 'change-default-console-loglevel.patch' 'criu-no-expert.patch' - '3.10.6-logitech-dj.patch' - "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.bz2") + '0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch' + "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz") md5sums=('d562fd52580a3b6b18b6eeb5921d1d5c' - 'b04f41f84f48724609baac04282e9755' + '1eeedf694bd64b34a031ac27549bc7a3' '26380d6f05471ef8e065a77d87588009' 'f22e0a6a7634902f5a00eb25ad677c65' '6550ba0e23b7729cd9db2475bde8fac2' @@ -45,8 +45,8 @@ md5sums=('d562fd52580a3b6b18b6eeb5921d1d5c' '04b21c79df0a952c22d681dd4f4562df' 'f3def2cefdcbb954c21d8505d23cc83c' 'd50c1ac47394e9aec637002ef3392bd1' - '3ff40ca684cfe719723e627e2cef7cea' - '040015fc338ec1a35616e72bade6bdc2') + '336d2c4afd7ee5f2bdf0dcb1a54df4b2' + 'cec0d90f5d3fae8752b0020c6b785954') if [ "$CARCH" != "mips64el" ]; then # don't use the Loongson-specific patches on non-mips64el arches. unset source[${#source[@]}-1] @@ -69,6 +69,9 @@ prepare() { # add freedo as boot logo patch -Np1 -i "${srcdir}/boot-logo.patch" + # add latest fixes from stable queue, if needed + # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git + # set DEFAULT_CONSOLE_LOGLEVEL to 4 (same value as the 'quiet' kernel param) # remove this when a Kconfig knob is made available by upstream # (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227) 
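Review bot: The replacement Loongson tarball in the `source=(` hunk is still fetched over plain `http://`, and the only integrity control updated alongside it is the `md5sums=(` array (this hunk and the `@@ -45,8 +45,8 @@` hunk). MD5 is not collision-resistant, so for a kernel package the pinned digests should be a stronger hash, for example by switching the array to `sha256sums=(...)` with freshly computed values, and an `https://` mirror or a detached signature should be used if the upstream offers one. The opening of the `source=(` array lies outside the hunk, so the same applies to any entries not shown here.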
@@ -77,9 +80,9 @@ prepare() { # allow criu without expert option set # patch from fedora patch -Np1 -i "${srcdir}/criu-no-expert.patch" - - # fix https://bugs.archlinux.org/task/35991 - [linux] 3.10.x renders Logitech Unified Receivers useless - patch -Np1 -i "${srcdir}/3.10.6-logitech-dj.patch" + + # CVE-2014-0038 + patch -Np1 -i "${srcdir}/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch" if [ "$CARCH" == "mips64el" ]; then sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-lts-knock|" Makefile @@ -192,7 +195,7 @@ _package() { cp vmlinuz "${pkgdir}/boot/vmlinuz-${pkgbase}" cp vmlinux "${pkgdir}/boot/vmlinux-${pkgbase}" else - cp "arch/${KARCH}/boot/bzImage" "${pkgdir}/boot/vmlinuz-${pkgbase}" + cp arch/${KARCH}/boot/bzImage "${pkgdir}/boot/vmlinuz-${pkgbase}" fi # add vmlinux @@ -277,16 +280,16 @@ _package-headers() { # copy arch includes for external modules mkdir -p "${pkgdir}/usr/src/linux-${_kernver}/arch/${KARCH}" - cp -a "arch/${KARCH}/include" "${pkgdir}/usr/src/linux-${_kernver}/arch/${KARCH}/" + cp -a arch/${KARCH}/include "${pkgdir}/usr/src/linux-${_kernver}/arch/${KARCH}/" # copy files necessary for later builds cp Module.symvers "${pkgdir}/usr/src/linux-${_kernver}" cp -a scripts "${pkgdir}/usr/src/linux-${_kernver}" if [ "$CARCH" = "mips64el" ]; then - cp "arch/${KARCH}/Kbuild" "${pkgdir}/usr/src/linux-${_kernver}/arch/${KARCH}/" - cp -a "arch/${KARCH}/loongson" "${pkgdir}/usr/src/linux-${_kernver}/arch/${KARCH}/" - cp "${srcdir}/Kbuild.platforms" "${pkgdir}/usr/src/linux-${_kernver}/arch/$KARCH/" + cp arch/${KARCH}/Kbuild "${pkgdir}/usr/src/linux-${_kernver}/arch/${KARCH}/" + cp -a arch/${KARCH}/loongson "${pkgdir}/usr/src/linux-${_kernver}/arch/${KARCH}/" + cp ${srcdir}/Kbuild.platforms "${pkgdir}/usr/src/linux-${_kernver}/arch/${KARCH}/" fi # fix permissions on scripts dir |
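Review bot: The new comment `# CVE-2014-0038` in `prepare()` names the identifier but not what the patch corrects or when it can be removed. I would write `# CVE-2014-0038: x32 compat_sys_recvmmsg() passed the user timeout pointer to __sys_recvmmsg() as a kernel pointer; drop once the base release carries the fix`. The same hunk removes the logitech-dj workaround while `_sublevel` moves to 28; whether that release already contains the workaround is not visible here and deserves a line in the commit message. The body of `prepare()` continues outside the hunk.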
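Review bot: The `_package()` and `_package-headers()` hunks drop the double quotes from `arch/${KARCH}/boot/bzImage`, `arch/${KARCH}/include`, `arch/${KARCH}/Kbuild`, `arch/${KARCH}/loongson` and `${srcdir}/Kbuild.platforms`, while the destination arguments on the same lines stay quoted. An unquoted `${srcdir}` undergoes word splitting and globbing, so a build directory containing a space makes `cp` operate on the wrong paths. Keep the earlier quoting, e.g. `cp "${srcdir}/Kbuild.platforms" "${pkgdir}/usr/src/linux-${_kernver}/arch/${KARCH}/"`. Both function bodies start and end outside the hunks shown.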