From 77f47977a38b84e0a6a955b14d9fb5628b77ca8e Mon Sep 17 00:00:00 2001
From: Joakim Hernberg
Date: Sun, 24 Jan 2016 12:52:11 +0100
Subject: bump to 3.18.25-rt23 and add patch for CVE-2016-0728
---
 .SRCINFO | 24 +++++++++--------
 CVE-2016-0728.patch | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD | 17 +++++++-----
 3 files changed, 102 insertions(+), 17 deletions(-)
 create mode 100644 CVE-2016-0728.patch
diff --git a/.SRCINFO b/.SRCINFO
index da7121b..f997493 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@ # Generated by makepkg 4.2.1 -# Sun Nov 15 11:52:27 UTC 2015 +# Sun Jan 24 11:49:22 UTC 2016 pkgbase = linux-rt-lts - pkgver = 3.18.24_rt22 + pkgver = 3.18.25_rt23 pkgrel = 1 url = http://www.kernel.org/ arch = i686
@@ -15,26 +15,28 @@ pkgbase = linux-rt-lts options = !strip source = https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.18.tar.xz source = https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.18.tar.sign - source = https://www.kernel.org/pub/linux/kernel/v3.x/patch-3.18.24.xz - source = https://www.kernel.org/pub/linux/kernel/v3.x/patch-3.18.24.sign - source = https://www.kernel.org/pub/linux/kernel/projects/rt/3.18/patch-3.18.24-rt22.patch.xz - source = https://www.kernel.org/pub/linux/kernel/projects/rt/3.18/patch-3.18.24-rt22.patch.sign + source = https://www.kernel.org/pub/linux/kernel/v3.x/patch-3.18.25.xz + source = https://www.kernel.org/pub/linux/kernel/v3.x/patch-3.18.25.sign + source = https://www.kernel.org/pub/linux/kernel/projects/rt/3.18/patch-3.18.25-rt23.patch.xz + source = https://www.kernel.org/pub/linux/kernel/projects/rt/3.18/patch-3.18.25-rt23.patch.sign source = config source = config.x86_64 source = linux-rt-lts.preset source = change-default-console-loglevel.patch source = fix-race-in-PRT-wait-for-completion-simple-wait-code_Nvidia-RT.patch + source = CVE-2016-0728.patch sha256sums = becc413cc9e6d7f5cc52a3ce66d65c3725bc1d1cc1001f4ce6c32b69eb188cbd sha256sums = SKIP - sha256sums = d0397cacc44b9097b0ed03e824453d59d709f11095b40d02ad6e34247086b347 + sha256sums = 78df9b97449715fa4e39158fc27fadbdbb50eab04ac29d1374a95bebaf7adfbf sha256sums = SKIP - sha256sums = 4f79a003202a81d16704e68c5545bf40414ba614771fa56716f02417e0fb3c0d + sha256sums = f8d608e2237b5da7354d5fafc88644a9736c1ae0a303fc64f360bcb69c78c93d sha256sums = SKIP sha256sums = 3c876bd83489e56e62629fc09ce85391bef5ef94cb2feab7751841c221c000c6 sha256sums = 49202f4733bd9de254083a85d0a17390f78e68fc6e4bea9e91bfce7e8167349e sha256sums = a8886f2c9896f81f59cf0413b3e380cda2fbdc667eb9ce8dfcb0fceb6d92279f sha256sums = 1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99 sha256sums = 7a42d16108eb9a8eacadef3603527fa1beab857cc4db3bd228858488fb1f3fda + sha256sums = 
03bed5b1c6ef34a917e218a46d38cd1347c5ab5693131996113c6cad275dc4e9 pkgname = linux-rt-lts pkgdesc = The Linux-rt-lts kernel and modules
@@ -44,20 +46,20 @@ pkgname = linux-rt-lts depends = kmod depends = mkinitcpio>=0.7 optdepends = crda: to set the correct wireless channels of your country - provides = kernel26-rt-lts=3.18.24 + provides = kernel26-rt-lts=3.18.25 conflicts = kernel26-rt-lts replaces = kernel26-rt-lts backup = etc/mkinitcpio.d/linux-rt-lts.preset pkgname = linux-rt-lts-headers pkgdesc = Header files and scripts for building modules for Linux-rt-lts kernel - provides = kernel26-rt-lts-headers=3.18.24 + provides = kernel26-rt-lts-headers=3.18.25 conflicts = kernel26-rt-lts-headers replaces = kernel26-rt-lts-headers pkgname = linux-rt-lts-docs pkgdesc = Kernel hackers manual - HTML documentation that comes with the Linux-rt-lts kernel - provides = kernel26-rt-lts-docs=3.18.24 + provides = kernel26-rt-lts-docs=3.18.25 conflicts = kernel26-rt-lts-docs replaces = kernel26-rt-lts-docs
diff --git a/CVE-2016-0728.patch b/CVE-2016-0728.patch
new file mode 100644
index 0000000..e915d82
--- /dev/null
+++ b/CVE-2016-0728.patch
@@ -0,0 +1,78 @@
+From 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 Mon Sep 17 00:00:00 2001
+From: Yevgeny Pats
+Date: Tue, 19 Jan 2016 22:09:04 +0000
+Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring()
+
+This fixes CVE-2016-0728.
+
+If a thread is asked to join as a session keyring the keyring that's already
+set as its session, we leak a keyring reference.
+
+This can be tested with the following program:
+
+ #include
+ #include
+ #include
+ #include
+
+ int main(int argc, const char *argv[])
+ {
+ int i = 0;
+ key_serial_t serial;
+
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ if (keyctl(KEYCTL_SETPERM, serial,
+ KEY_POS_ALL | KEY_USR_ALL) < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ for (i = 0; i < 100; i++) {
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+ }
+
+ return 0;
+ }
+
+If, after the program has run, there something like the following line in
+/proc/keys:
+
+3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
+
+with a usage count of 100 * the number of times the program has been run,
+then the kernel is malfunctioning. If leaked-keyring has zero usages or
+has been garbage collected, then the problem is fixed.
+
+Reported-by: Yevgeny Pats
+Signed-off-by: David Howells
+Acked-by: Don Zickus
+Acked-by: Prarit Bhargava
+Acked-by: Jarod Wilson
+Signed-off-by: James Morris
+---
+ security/keys/process_keys.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index a3f85d2a..e6d50172 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
+ ret = PTR_ERR(keyring);
+ goto error2;
+ } else if (keyring == new->session_keyring) {
++ key_put(keyring);
+ ret = 0;
+ goto error2;
+ }
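Review bot: The added `key_put(keyring);` in the `keyring == new->session_keyring` branch of join_session_keyring() carries no comment, and the branch then returns `ret = 0` through a label named `error2`, so the code alone does not say why a success path drops a reference. A one-line comment such as `/* already our session keyring: drop the reference the lookup returned */` would record the invariant; the lookup is above the hunk, so confirm that it is what takes the reference. Since each repeated join previously left the usage count one higher, the /proc/keys check given in the patch description is worth running against the built kernel to confirm the count no longer grows. The function body starts and ends outside the hunk.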
diff --git a/PKGBUILD b/PKGBUILD
index 383fc7c..1dbe26d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -8,8 +8,8 @@
 #pkgbase=linux # Build stock -ARCH kernel
 pkgbase=linux-rt-lts # Build kernel with a different name
 _srcname=linux-3.18
-_pkgver=3.18.24
-_rtpatchver=rt22
+_pkgver=3.18.25
+_rtpatchver=rt23
 pkgver=${_pkgver}_${_rtpatchver}
 pkgrel=1
 arch=('i686' 'x86_64')
@@ -26,19 +26,21 @@ source=("https://www.kernel.org/pub/linux/kernel/v3.x/${_srcname}.tar."{xz,sign}
 # standard config files for mkinitcpio ramdisk
 "${pkgbase}.preset"
 'change-default-console-loglevel.patch'
- 'fix-race-in-PRT-wait-for-completion-simple-wait-code_Nvidia-RT.patch')
+ 'fix-race-in-PRT-wait-for-completion-simple-wait-code_Nvidia-RT.patch'
+ 'CVE-2016-0728.patch')
 sha256sums=('becc413cc9e6d7f5cc52a3ce66d65c3725bc1d1cc1001f4ce6c32b69eb188cbd'
 'SKIP'
- 'd0397cacc44b9097b0ed03e824453d59d709f11095b40d02ad6e34247086b347'
+ '78df9b97449715fa4e39158fc27fadbdbb50eab04ac29d1374a95bebaf7adfbf'
 'SKIP'
- '4f79a003202a81d16704e68c5545bf40414ba614771fa56716f02417e0fb3c0d'
+ 'f8d608e2237b5da7354d5fafc88644a9736c1ae0a303fc64f360bcb69c78c93d'
 'SKIP'
 '3c876bd83489e56e62629fc09ce85391bef5ef94cb2feab7751841c221c000c6'
 '49202f4733bd9de254083a85d0a17390f78e68fc6e4bea9e91bfce7e8167349e'
 'a8886f2c9896f81f59cf0413b3e380cda2fbdc667eb9ce8dfcb0fceb6d92279f'
 '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99'
- '7a42d16108eb9a8eacadef3603527fa1beab857cc4db3bd228858488fb1f3fda')
+ '7a42d16108eb9a8eacadef3603527fa1beab857cc4db3bd228858488fb1f3fda'
+ '03bed5b1c6ef34a917e218a46d38cd1347c5ab5693131996113c6cad275dc4e9')
 validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
 '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
@@ -70,6 +72,9 @@ prepare() {
 # Stops X from hanging on certain NVIDIA cards
 msg "fix-race-in-PRT-wait-for-completion-simple-wait-code_Nvidia-RT.patch"
 patch -p1 -i "${srcdir}/fix-race-in-PRT-wait-for-completion-simple-wait-code_Nvidia-RT.patch"
+
+ msg "CVE-2016-0728.patch"
+ patch -p1 -i "${srcdir}/CVE-2016-0728.patch"
 msg "All patches have successfully been applied"
--
cgit v1.2.3
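Review bot: The new `patch -p1 -i "${srcdir}/CVE-2016-0728.patch"` step in prepare() has no comment, unlike the NVIDIA patch just above it, so nothing in the PKGBUILD records what the patch fixes or when it can be dropped. I would add `# KEYS: fix keyring ref leak in join_session_keyring() (CVE-2016-0728); drop once the 3.18.y patch level contains upstream commit 23567fd052a9` above the new `msg` line. Whether a later stable patch level already carries the fix is not visible on this page, so that should be checked at the next version bump. prepare() begins and ends outside the hunk.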