2 files changed, 95 insertions, 7 deletions

diff --git a/libre/linux-libre/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch b/libre/linux-libre/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch
new file mode 100644
index 000000000..3f1bccc80
--- /dev/null
+++ b/libre/linux-libre/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch
@@ -0,0 +1,80 @@
+From 2def2ef2ae5f3990aabdbe8a755911902707d268 Mon Sep 17 00:00:00 2001
+From: PaX Team <pageexec@freemail.hu>
+Date: Thu, 30 Jan 2014 16:59:25 -0800
+Subject: [PATCH] x86, x32: Correct invalid use of user timespec in the kernel
+
+The x32 case for the recvmsg() timout handling is broken:
+
+  asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+                                      unsigned int vlen, unsigned int flags,
+                                      struct compat_timespec __user *timeout)
+  {
+          int datagrams;
+          struct timespec ktspec;
+
+          if (flags & MSG_CMSG_COMPAT)
+                  return -EINVAL;
+
+          if (COMPAT_USE_64BIT_TIME)
+                  return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+                                        flags | MSG_CMSG_COMPAT,
+                                        (struct timespec *) timeout);
+          ...
+
+The timeout pointer parameter is provided by userland (hence the __user
+annotation) but for x32 syscalls it's simply cast to a kernel pointer
+and is passed to __sys_recvmmsg which will eventually directly
+dereference it for both reading and writing.  Other callers to
+__sys_recvmmsg properly copy from userland to the kernel first.
+
+The bug was introduced by commit ee4fa23c4bfc ("compat: Use
+COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels
+since 3.4 (and perhaps vendor kernels if they backported x32 support
+along with this code).
+
+Note that CONFIG_X86_X32_ABI gets enabled at build time and only if
+CONFIG_X86_X32 is enabled and ld can build x32 executables.
+
+Other uses of COMPAT_USE_64BIT_TIME seem fine.
+
+This addresses CVE-2014-0038.
+
+Signed-off-by: PaX Team <pageexec@freemail.hu>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v3.4+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ net/compat.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/net/compat.c b/net/compat.c
+index dd32e34..f50161f 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ 	if (flags & MSG_CMSG_COMPAT)
+ 		return -EINVAL;
+ 
+-	if (COMPAT_USE_64BIT_TIME)
+-		return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+-				      flags | MSG_CMSG_COMPAT,
+-				      (struct timespec *) timeout);
+-
+ 	if (timeout == NULL)
+ 		return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ 				      flags | MSG_CMSG_COMPAT, NULL);
+ 
+-	if (get_compat_timespec(&ktspec, timeout))
++	if (compat_get_timespec(&ktspec, timeout))
+ 		return -EFAULT;
+ 
+ 	datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ 				   flags | MSG_CMSG_COMPAT, &ktspec);
+-	if (datagrams > 0 && put_compat_timespec(&ktspec, timeout))
++	if (datagrams > 0 && compat_put_timespec(&ktspec, timeout))
+ 		datagrams = -EFAULT;
+ 
+ 	return datagrams;
+-- 
+1.8.5.3
+
diff --git a/libre/linux-libre/PKGBUILD b/libre/linux-libre/PKGBUILD
index ebf30af10..b744bb9d5 100644
--- a/libre/linux-libre/PKGBUILD
+++ b/libre/linux-libre/PKGBUILD
@@ -1,4 +1,4 @@
-# $Id: PKGBUILD 203524 2014-01-12 13:05:55Z tpowa $
+# $Id: PKGBUILD 204911 2014-01-31 09:59:51Z bluewind $
 # Maintainer: Tobias Powalowski <tpowa@archlinux.org>
 # Maintainer: Thomas Baechler <thomas@archlinux.org>
 # Maintainer (Parabola): André Silva <emulatorman@parabola.nu>
@@ -10,10 +10,10 @@
 pkgbase=linux-libre         # Build stock -LIBRE kernel
 #pkgbase=linux-libre-custom # Build kernel with a different name
 _basekernel=3.12
-_sublevel=7
+_sublevel=9
 pkgver=${_basekernel}.${_sublevel}
 pkgrel=2
-_lxopkgver=${_basekernel}.7 # nearly always the same as pkgver
+_lxopkgver=${_basekernel}.9 # nearly always the same as pkgver
 arch=('i686' 'x86_64' 'mips64el')
 url="http://linux-libre.fsfla.org/"
 license=('GPL2')
@@ -36,9 +36,10 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
         'rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-fails.patch'
         'sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch'
         'rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch'
-        "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.bz2")
+        '0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch'
+        "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
 md5sums=('254f59707b6676b59ce5ca5c3c698319'
-         'c42ff446236915fe1a6e2b6f9724d267'
+         '348975e36e4dd27f5d8fc50e92de8922'
          '568ce15a9df133072489cbac8c4fefb3'
          '772873c548059c57c8ec7898f35c0e2b'
          'e49ac236dfeef709f91a3d993ea7b62c'
@@ -53,7 +54,8 @@ md5sums=('254f59707b6676b59ce5ca5c3c698319'
          'cec0bb8981936eab2943b2009b7a6fff'
          '88d9cddf9e0050a76ec4674f264fb2a1'
          'cb9016630212ef07b168892fbcfd4e5d'
-         '7554da820df91c282656972976d9e0b5')
+         '336d2c4afd7ee5f2bdf0dcb1a54df4b2'
+         '9cdff00e5aa53962869857d64a1ccf01')
 if [ "$CARCH" != "mips64el" ]; then
     # don't use the Loongson-specific patches on non-mips64el arches.
     unset source[${#source[@]}-1]
@@ -76,6 +78,9 @@ prepare() {
   # fix issue on Hal8188EFWImg_CE.c deblobbed file
   sed -i "\|DEBLOBBED| s|,||" drivers/staging/rtl8188eu/hal/Hal8188EFWImg_CE.c
 
+  # add latest fixes from stable queue, if needed
+  # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
+
   # set DEFAULT_CONSOLE_LOGLEVEL to 4 (same value as the 'quiet' kernel param)
   # remove this when a Kconfig knob is made available by upstream
   # (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227)
@@ -85,7 +90,7 @@ prepare() {
   # patch from fedora
   patch -Np1 -i "${srcdir}/criu-no-expert.patch"
 
-  # fix 15 seocnds nfs delay
+  # fix 15 seconds nfs delay
   patch -Np1 -i "${srcdir}/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch"
   patch -Np1 -i "${srcdir}/sunrpc-replace-gssd_running-with-more-reliable-check.patch"
   patch -Np1 -i "${srcdir}/nfs-check-gssd-running-before-krb5i-auth.patch"
@@ -96,6 +101,9 @@ prepare() {
 
   patch -Np1 -i "${srcdir}/rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-notification-fails.patch"
 
+  # Fix CVE-2014-0038
+  patch -p1 -i "${srcdir}/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch"
+
   if [ "$CARCH" == "mips64el" ]; then
     sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre|" Makefile
     sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \