Change-Id: I5e20e58bba02dc90e9b9d5c81c6013a70e64ffb6
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6970
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
(cherry picked from commit 29273e50649b892f9a4a5b91bad4150ea68f08d2)
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6984
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,305 @@ |
0 |
+From 84c4e1f89fefe70554da0ab33be72c9be7994379 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Linus Torvalds <torvalds@linux-foundation.org> |
|
2 |
+Date: Sun, 3 Mar 2019 14:23:33 -0800 |
|
3 |
+Subject: aio: simplify - and fix - fget/fput for io_submit() |
|
4 |
+ |
|
5 |
+commit 84c4e1f89fefe70554da0ab33be72c9be7994379 upstream. |
|
6 |
+ |
|
7 |
+Al Viro root-caused a race where the IOCB_CMD_POLL handling of |
|
8 |
+fget/fput() could cause us to access the file pointer after it had |
|
9 |
+already been freed: |
|
10 |
+ |
|
11 |
+ "In more details - normally IOCB_CMD_POLL handling looks so: |
|
12 |
+ |
|
13 |
+ 1) io_submit(2) allocates aio_kiocb instance and passes it to |
|
14 |
+ aio_poll() |
|
15 |
+ |
|
16 |
+ 2) aio_poll() resolves the descriptor to struct file by req->file = |
|
17 |
+ fget(iocb->aio_fildes) |
|
18 |
+ |
|
19 |
+ 3) aio_poll() sets ->woken to false and raises ->ki_refcnt of that |
|
20 |
+ aio_kiocb to 2 (bumps by 1, that is). |
|
21 |
+ |
|
22 |
+ 4) aio_poll() calls vfs_poll(). After sanity checks (basically, |
|
23 |
+ "poll_wait() had been called and only once") it locks the queue. |
|
24 |
+ That's what the extra reference to iocb had been for - we know we |
|
25 |
+ can safely access it. |
|
26 |
+ |
|
27 |
+ 5) With queue locked, we check if ->woken has already been set to |
|
28 |
+ true (by aio_poll_wake()) and, if it had been, we unlock the |
|
29 |
+ queue, drop a reference to aio_kiocb and bugger off - at that |
|
30 |
+ point it's a responsibility to aio_poll_wake() and the stuff |
|
31 |
+ called/scheduled by it. That code will drop the reference to file |
|
32 |
+ in req->file, along with the other reference to our aio_kiocb. |
|
33 |
+ |
|
34 |
+ 6) otherwise, we see whether we need to wait. If we do, we unlock the |
|
35 |
+ queue, drop one reference to aio_kiocb and go away - eventual |
|
36 |
+ wakeup (or cancel) will deal with the reference to file and with |
|
37 |
+ the other reference to aio_kiocb |
|
38 |
+ |
|
39 |
+ 7) otherwise we remove ourselves from waitqueue (still under the |
|
40 |
+ queue lock), so that wakeup won't get us. No async activity will |
|
41 |
+ be happening, so we can safely drop req->file and iocb ourselves. |
|
42 |
+ |
|
43 |
+ If wakeup happens while we are in vfs_poll(), we are fine - aio_kiocb |
|
44 |
+ won't get freed under us, so we can do all the checks and locking |
|
45 |
+ safely. And we don't touch ->file if we detect that case. |
|
46 |
+ |
|
47 |
+ However, vfs_poll() most certainly *does* touch the file it had been |
|
48 |
+ given. So wakeup coming while we are still in ->poll() might end up |
|
49 |
+ doing fput() on that file. That case is not too rare, and usually we |
|
50 |
+ are saved by the still present reference from descriptor table - that |
|
51 |
+ fput() is not the final one. |
|
52 |
+ |
|
53 |
+ But if another thread closes that descriptor right after our fget() |
|
54 |
+ and wakeup does happen before ->poll() returns, we are in trouble - |
|
55 |
+ final fput() done while we are in the middle of a method: |
|
56 |
+ |
|
57 |
+Al also wrote a patch to take an extra reference to the file descriptor |
|
58 |
+to fix this, but I instead suggested we just streamline the whole file |
|
59 |
+pointer handling by submit_io() so that the generic aio submission code |
|
60 |
+simply keeps the file pointer around until the aio has completed. |
|
61 |
+ |
|
62 |
+Fixes: bfe4037e722e ("aio: implement IOCB_CMD_POLL") |
|
63 |
+Acked-by: Al Viro <viro@zeniv.linux.org.uk> |
|
64 |
+Reported-by: syzbot+503d4cc169fcec1cb18c@syzkaller.appspotmail.com |
|
65 |
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
|
66 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
67 |
+[ Srivatsa: Fixed accessing aio_fildes within iocb. ] |
|
68 |
+Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> |
|
69 |
+--- |
|
70 |
+ |
|
71 |
+ fs/aio.c | 67 ++++++++++++++++++++++-------------------------------- |
|
72 |
+ include/linux/fs.h | 8 ++++++- |
|
73 |
+ 2 files changed, 34 insertions(+), 41 deletions(-) |
|
74 |
+ |
|
75 |
+diff --git a/fs/aio.c b/fs/aio.c |
|
76 |
+index 45d5ef8..014d692 100644 |
|
77 |
+--- a/fs/aio.c |
|
78 |
+@@ -161,9 +161,13 @@ struct kioctx { |
|
79 |
+ unsigned id; |
|
80 |
+ }; |
|
81 |
+ |
|
82 |
++/* |
|
83 |
++ * First field must be the file pointer in all the |
|
84 |
++ * iocb unions! See also 'struct kiocb' in <linux/fs.h> |
|
85 |
++ */ |
|
86 |
+ struct fsync_iocb { |
|
87 |
+- struct work_struct work; |
|
88 |
+ struct file *file; |
|
89 |
++ struct work_struct work; |
|
90 |
+ bool datasync; |
|
91 |
+ }; |
|
92 |
+ |
|
93 |
+@@ -177,8 +181,15 @@ struct poll_iocb { |
|
94 |
+ struct work_struct work; |
|
95 |
+ }; |
|
96 |
+ |
|
97 |
++/* |
|
98 |
++ * NOTE! Each of the iocb union members has the file pointer |
|
99 |
++ * as the first entry in their struct definition. So you can |
|
100 |
++ * access the file pointer through any of the sub-structs, |
|
101 |
++ * or directly as just 'ki_filp' in this struct. |
|
102 |
++ */ |
|
103 |
+ struct aio_kiocb { |
|
104 |
+ union { |
|
105 |
++ struct file *ki_filp; |
|
106 |
+ struct kiocb rw; |
|
107 |
+ struct fsync_iocb fsync; |
|
108 |
+ struct poll_iocb poll; |
|
109 |
+@@ -1054,6 +1065,8 @@ static inline void iocb_put(struct aio_kiocb *iocb) |
|
110 |
+ { |
|
111 |
+ if (refcount_read(&iocb->ki_refcnt) == 0 || |
|
112 |
+ refcount_dec_and_test(&iocb->ki_refcnt)) { |
|
113 |
++ if (iocb->ki_filp) |
|
114 |
++ fput(iocb->ki_filp); |
|
115 |
+ percpu_ref_put(&iocb->ki_ctx->reqs); |
|
116 |
+ kmem_cache_free(kiocb_cachep, iocb); |
|
117 |
+ } |
|
118 |
+@@ -1412,7 +1425,6 @@ static void aio_complete_rw(struct kiocb *kiocb, long res, long res2) |
|
119 |
+ file_end_write(kiocb->ki_filp); |
|
120 |
+ } |
|
121 |
+ |
|
122 |
+- fput(kiocb->ki_filp); |
|
123 |
+ aio_complete(iocb, res, res2); |
|
124 |
+ } |
|
125 |
+ |
|
126 |
+@@ -1420,9 +1432,6 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb) |
|
127 |
+ { |
|
128 |
+ int ret; |
|
129 |
+ |
|
130 |
+- req->ki_filp = fget(iocb->aio_fildes); |
|
131 |
+- if (unlikely(!req->ki_filp)) |
|
132 |
+- return -EBADF; |
|
133 |
+ req->ki_complete = aio_complete_rw; |
|
134 |
+ req->ki_pos = iocb->aio_offset; |
|
135 |
+ req->ki_flags = iocb_flags(req->ki_filp); |
|
136 |
+@@ -1438,7 +1447,6 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb) |
|
137 |
+ ret = ioprio_check_cap(iocb->aio_reqprio); |
|
138 |
+ if (ret) { |
|
139 |
+ pr_debug("aio ioprio check cap error: %d\n", ret); |
|
140 |
+- fput(req->ki_filp); |
|
141 |
+ return ret; |
|
142 |
+ } |
|
143 |
+ |
|
144 |
+@@ -1447,8 +1455,6 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb) |
|
145 |
+ req->ki_ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, 0); |
|
146 |
+ |
|
147 |
+ ret = kiocb_set_rw_flags(req, iocb->aio_rw_flags); |
|
148 |
+- if (unlikely(ret)) |
|
149 |
+- fput(req->ki_filp); |
|
150 |
+ return ret; |
|
151 |
+ } |
|
152 |
+ |
|
153 |
+@@ -1503,24 +1509,19 @@ static ssize_t aio_read(struct kiocb *req, struct iocb *iocb, bool vectored, |
|
154 |
+ if (ret) |
|
155 |
+ return ret; |
|
156 |
+ file = req->ki_filp; |
|
157 |
+- |
|
158 |
+- ret = -EBADF; |
|
159 |
+ if (unlikely(!(file->f_mode & FMODE_READ))) |
|
160 |
+- goto out_fput; |
|
161 |
++ return -EBADF; |
|
162 |
+ ret = -EINVAL; |
|
163 |
+ if (unlikely(!file->f_op->read_iter)) |
|
164 |
+- goto out_fput; |
|
165 |
++ return -EINVAL; |
|
166 |
+ |
|
167 |
+ ret = aio_setup_rw(READ, iocb, &iovec, vectored, compat, &iter); |
|
168 |
+ if (ret) |
|
169 |
+- goto out_fput; |
|
170 |
++ return ret; |
|
171 |
+ ret = rw_verify_area(READ, file, &req->ki_pos, iov_iter_count(&iter)); |
|
172 |
+ if (!ret) |
|
173 |
+ aio_rw_done(req, call_read_iter(file, req, &iter)); |
|
174 |
+ kfree(iovec); |
|
175 |
+-out_fput: |
|
176 |
+- if (unlikely(ret)) |
|
177 |
+- fput(file); |
|
178 |
+ return ret; |
|
179 |
+ } |
|
180 |
+ |
|
181 |
+@@ -1537,16 +1538,14 @@ static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored, |
|
182 |
+ return ret; |
|
183 |
+ file = req->ki_filp; |
|
184 |
+ |
|
185 |
+- ret = -EBADF; |
|
186 |
+ if (unlikely(!(file->f_mode & FMODE_WRITE))) |
|
187 |
+- goto out_fput; |
|
188 |
+- ret = -EINVAL; |
|
189 |
++ return -EBADF; |
|
190 |
+ if (unlikely(!file->f_op->write_iter)) |
|
191 |
+- goto out_fput; |
|
192 |
++ return -EINVAL; |
|
193 |
+ |
|
194 |
+ ret = aio_setup_rw(WRITE, iocb, &iovec, vectored, compat, &iter); |
|
195 |
+ if (ret) |
|
196 |
+- goto out_fput; |
|
197 |
++ return ret; |
|
198 |
+ ret = rw_verify_area(WRITE, file, &req->ki_pos, iov_iter_count(&iter)); |
|
199 |
+ if (!ret) { |
|
200 |
+ /* |
|
201 |
+@@ -1564,9 +1563,6 @@ static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored, |
|
202 |
+ aio_rw_done(req, call_write_iter(file, req, &iter)); |
|
203 |
+ } |
|
204 |
+ kfree(iovec); |
|
205 |
+-out_fput: |
|
206 |
+- if (unlikely(ret)) |
|
207 |
+- fput(file); |
|
208 |
+ return ret; |
|
209 |
+ } |
|
210 |
+ |
|
211 |
+@@ -1576,7 +1572,6 @@ static void aio_fsync_work(struct work_struct *work) |
|
212 |
+ int ret; |
|
213 |
+ |
|
214 |
+ ret = vfs_fsync(req->file, req->datasync); |
|
215 |
+- fput(req->file); |
|
216 |
+ aio_complete(container_of(req, struct aio_kiocb, fsync), ret, 0); |
|
217 |
+ } |
|
218 |
+ |
|
219 |
+@@ -1586,13 +1581,8 @@ static int aio_fsync(struct fsync_iocb *req, struct iocb *iocb, bool datasync) |
|
220 |
+ iocb->aio_rw_flags)) |
|
221 |
+ return -EINVAL; |
|
222 |
+ |
|
223 |
+- req->file = fget(iocb->aio_fildes); |
|
224 |
+- if (unlikely(!req->file)) |
|
225 |
+- return -EBADF; |
|
226 |
+- if (unlikely(!req->file->f_op->fsync)) { |
|
227 |
+- fput(req->file); |
|
228 |
++ if (unlikely(!req->file->f_op->fsync)) |
|
229 |
+ return -EINVAL; |
|
230 |
+- } |
|
231 |
+ |
|
232 |
+ req->datasync = datasync; |
|
233 |
+ INIT_WORK(&req->work, aio_fsync_work); |
|
234 |
+@@ -1602,10 +1592,7 @@ static int aio_fsync(struct fsync_iocb *req, struct iocb *iocb, bool datasync) |
|
235 |
+ |
|
236 |
+ static inline void aio_poll_complete(struct aio_kiocb *iocb, __poll_t mask) |
|
237 |
+ { |
|
238 |
+- struct file *file = iocb->poll.file; |
|
239 |
+- |
|
240 |
+ aio_complete(iocb, mangle_poll(mask), 0); |
|
241 |
+- fput(file); |
|
242 |
+ } |
|
243 |
+ |
|
244 |
+ static void aio_poll_complete_work(struct work_struct *work) |
|
245 |
+@@ -1730,9 +1717,6 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb) |
|
246 |
+ |
|
247 |
+ INIT_WORK(&req->work, aio_poll_complete_work); |
|
248 |
+ req->events = demangle_poll(iocb->aio_buf) | EPOLLERR | EPOLLHUP; |
|
249 |
+- req->file = fget(iocb->aio_fildes); |
|
250 |
+- if (unlikely(!req->file)) |
|
251 |
+- return -EBADF; |
|
252 |
+ |
|
253 |
+ apt.pt._qproc = aio_poll_queue_proc; |
|
254 |
+ apt.pt._key = req->events; |
|
255 |
+@@ -1771,10 +1755,8 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb) |
|
256 |
+ spin_unlock_irq(&ctx->ctx_lock); |
|
257 |
+ |
|
258 |
+ out: |
|
259 |
+- if (unlikely(apt.error)) { |
|
260 |
+- fput(req->file); |
|
261 |
++ if (unlikely(apt.error)) |
|
262 |
+ return apt.error; |
|
263 |
+- } |
|
264 |
+ |
|
265 |
+ if (mask) |
|
266 |
+ aio_poll_complete(aiocb, mask); |
|
267 |
+@@ -1812,6 +1794,11 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb, |
|
268 |
+ if (unlikely(!req)) |
|
269 |
+ return -EAGAIN; |
|
270 |
+ |
|
271 |
++ req->ki_filp = fget(iocb.aio_fildes); |
|
272 |
++ ret = -EBADF; |
|
273 |
++ if (unlikely(!req->ki_filp)) |
|
274 |
++ goto out_put_req; |
|
275 |
++ |
|
276 |
+ if (iocb.aio_flags & IOCB_FLAG_RESFD) { |
|
277 |
+ /* |
|
278 |
+ * If the IOCB_FLAG_RESFD flag of aio_flags is set, get an |
|
279 |
+diff --git a/include/linux/fs.h b/include/linux/fs.h |
|
280 |
+index 7b60848..111c94c 100644 |
|
281 |
+--- a/include/linux/fs.h |
|
282 |
+@@ -304,13 +304,19 @@ enum rw_hint { |
|
283 |
+ |
|
284 |
+ struct kiocb { |
|
285 |
+ struct file *ki_filp; |
|
286 |
++ |
|
287 |
++ /* The 'ki_filp' pointer is shared in a union for aio */ |
|
288 |
++ randomized_struct_fields_start |
|
289 |
++ |
|
290 |
+ loff_t ki_pos; |
|
291 |
+ void (*ki_complete)(struct kiocb *iocb, long ret, long ret2); |
|
292 |
+ void *private; |
|
293 |
+ int ki_flags; |
|
294 |
+ u16 ki_hint; |
|
295 |
+ u16 ki_ioprio; /* See linux/ioprio.h */ |
|
296 |
+-} __randomize_layout; |
|
297 |
++ |
|
298 |
++ randomized_struct_fields_end |
|
299 |
++}; |
|
300 |
+ |
|
301 |
+ static inline bool is_sync_kiocb(struct kiocb *kiocb) |
|
302 |
+ { |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-aws |
4 | 4 |
Version: 4.19.32 |
5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -34,7 +34,11 @@ Patch28: kvm-dont-accept-wrong-gsi-values.patch |
34 | 34 |
Patch29: 4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch |
35 | 35 |
Patch30: 4.17-0002-apparmor-af_unix-mediation.patch |
36 | 36 |
Patch31: 4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch |
37 |
+# RDRAND-based RNG driver to enhance the kernel's entropy pool: |
|
37 | 38 |
Patch32: 4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch |
39 |
+# Fix CVE-2019-10125 |
|
40 |
+Patch33: 0001-aio-simplify-and-fix-fget-fput-for-io_submit.patch |
|
41 |
+ |
|
38 | 42 |
|
39 | 43 |
# Amazon AWS |
40 | 44 |
Patch101: 0002-watchdog-Disable-watchdog-on-virtual-machines.patch |
... | ... |
@@ -152,6 +156,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
152 | 152 |
%patch30 -p1 |
153 | 153 |
%patch31 -p1 |
154 | 154 |
%patch32 -p1 |
155 |
+%patch33 -p1 |
|
155 | 156 |
|
156 | 157 |
%patch101 -p1 |
157 | 158 |
%patch102 -p1 |
... | ... |
@@ -356,6 +361,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
356 | 356 |
%{_libdir}/perf/include/bpf/* |
357 | 357 |
|
358 | 358 |
%changelog |
359 |
+* Fri Mar 29 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-2 |
|
360 |
+- Fix CVE-2019-10125 |
|
359 | 361 |
* Wed Mar 27 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-1 |
360 | 362 |
- Update to version 4.19.32 |
361 | 363 |
* Thu Mar 14 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.29-1 |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 | 4 |
Version: 4.19.32 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -34,11 +34,14 @@ Patch20: 07-vmware-only.patch |
34 | 34 |
Patch22: 4.18-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
35 | 35 |
# Fix CVE-2017-1000252 |
36 | 36 |
Patch24: kvm-dont-accept-wrong-gsi-values.patch |
37 |
+# RDRAND-based RNG driver to enhance the kernel's entropy pool: |
|
37 | 38 |
Patch25: 4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch |
38 | 39 |
# Out-of-tree patches from AppArmor: |
39 | 40 |
Patch26: 4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch |
40 | 41 |
Patch27: 4.17-0002-apparmor-af_unix-mediation.patch |
41 | 42 |
Patch28: 4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch |
43 |
+# Fix CVE-2019-10125 |
|
44 |
+Patch29: 0001-aio-simplify-and-fix-fget-fput-for-io_submit.patch |
|
42 | 45 |
|
43 | 46 |
BuildArch: x86_64 |
44 | 47 |
BuildRequires: bc |
... | ... |
@@ -97,6 +100,7 @@ The Linux package contains the Linux kernel doc files |
97 | 97 |
%patch26 -p1 |
98 | 98 |
%patch27 -p1 |
99 | 99 |
%patch28 -p1 |
100 |
+%patch29 -p1 |
|
100 | 101 |
|
101 | 102 |
%build |
102 | 103 |
# patch vmw_balloon driver |
... | ... |
@@ -193,6 +197,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
193 | 193 |
/usr/src/linux-headers-%{uname_r} |
194 | 194 |
|
195 | 195 |
%changelog |
196 |
+* Fri Mar 29 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-2 |
|
197 |
+- Fix CVE-2019-10125 |
|
196 | 198 |
* Wed Mar 27 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-1 |
197 | 199 |
- Update to version 4.19.32 |
198 | 200 |
* Thu Mar 14 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.29-1 |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 | 4 |
Version: 4.19.32 |
5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -37,7 +37,11 @@ Patch31: kvm-dont-accept-wrong-gsi-values.patch |
37 | 37 |
Patch32: 4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch |
38 | 38 |
Patch33: 4.17-0002-apparmor-af_unix-mediation.patch |
39 | 39 |
Patch34: 4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch |
40 |
+# RDRAND-based RNG driver to enhance the kernel's entropy pool: |
|
40 | 41 |
Patch35: 4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch |
42 |
+# Fix CVE-2019-10125 |
|
43 |
+Patch36: 0001-aio-simplify-and-fix-fget-fput-for-io_submit.patch |
|
44 |
+ |
|
41 | 45 |
|
42 | 46 |
# NSX requirements (should be removed) |
43 | 47 |
Patch99: LKCM.patch |
... | ... |
@@ -108,6 +112,7 @@ The Linux package contains the Linux kernel doc files |
108 | 108 |
%patch33 -p1 |
109 | 109 |
%patch34 -p1 |
110 | 110 |
%patch35 -p1 |
111 |
+%patch36 -p1 |
|
111 | 112 |
|
112 | 113 |
pushd .. |
113 | 114 |
%patch99 -p0 |
... | ... |
@@ -235,6 +240,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
235 | 235 |
/usr/src/linux-headers-%{uname_r} |
236 | 236 |
|
237 | 237 |
%changelog |
238 |
+* Fri Mar 29 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-2 |
|
239 |
+- Fix CVE-2019-10125 |
|
238 | 240 |
* Wed Mar 27 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-1 |
239 | 241 |
- Update to version 4.19.32 |
240 | 242 |
* Thu Mar 14 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.29-1 |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 | 4 |
Version: 4.19.32 |
5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -42,7 +42,10 @@ Patch28: kvm-dont-accept-wrong-gsi-values.patch |
42 | 42 |
Patch29: 4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch |
43 | 43 |
Patch30: 4.17-0002-apparmor-af_unix-mediation.patch |
44 | 44 |
Patch31: 4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch |
45 |
+# RDRAND-based RNG driver to enhance the kernel's entropy pool: |
|
45 | 46 |
Patch32: 4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch |
47 |
+# Fix CVE-2019-10125 |
|
48 |
+Patch33: 0001-aio-simplify-and-fix-fget-fput-for-io_submit.patch |
|
46 | 49 |
|
47 | 50 |
%ifarch aarch64 |
48 | 51 |
# NXP LS1012a FRWY patches |
... | ... |
@@ -180,6 +183,7 @@ Kernel Device Tree Blob files for NXP ls1012a FRWY board |
180 | 180 |
%patch30 -p1 |
181 | 181 |
%patch31 -p1 |
182 | 182 |
%patch32 -p1 |
183 |
+%patch33 -p1 |
|
183 | 184 |
|
184 | 185 |
%ifarch aarch64 |
185 | 186 |
# NXP FSL_PPFE Driver patches |
... | ... |
@@ -438,6 +442,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
438 | 438 |
%endif |
439 | 439 |
|
440 | 440 |
%changelog |
441 |
+* Fri Mar 29 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-2 |
|
442 |
+- Fix CVE-2019-10125 |
|
441 | 443 |
* Wed Mar 27 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-1 |
442 | 444 |
- Update to version 4.19.32 |
443 | 445 |
* Thu Mar 14 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.29-1 |