Hello community,
here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2016-01-04 09:20:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source (Old)
and /work/SRC/openSUSE:Factory/.kernel-source.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source"
Changes:
--------
--- /work/SRC/openSUSE:Factory/kernel-source/kernel-debug.changes 2016-01-01 19:46:46.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.kernel-source.new/kernel-debug.changes 2016-01-04 09:21:13.000000000 +0100
@@ -1,0 +2,7 @@
+Wed Dec 30 10:32:09 CET 2015 - jlee@suse.com
+
+- KEYS: Fix handling of stored error in a negatively instantiated
+ user key (bnc#958463, CVE-2015-8539OD).
+- commit 008195a
+
+-------------------------------------------------------------------
kernel-default.changes: same change
kernel-docs.changes: same change
kernel-lpae.changes: same change
kernel-obs-build.changes: same change
kernel-obs-qa.changes: same change
kernel-pae.changes: same change
kernel-source.changes: same change
kernel-syms.changes: same change
kernel-vanilla.changes: same change
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kernel-debug.spec ++++++
--- /var/tmp/diff_new_pack.dsG63C/_old 2016-01-04 09:21:19.000000000 +0100
+++ /var/tmp/diff_new_pack.dsG63C/_new 2016-01-04 09:21:19.000000000 +0100
@@ -59,7 +59,7 @@
Group: System/Kernel
Version: 4.3.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g77a3e32
+Release: <RELEASE>.g008195a
%else
Release: 0
%endif
kernel-default.spec: same change
++++++ kernel-docs.spec ++++++
--- /var/tmp/diff_new_pack.dsG63C/_old 2016-01-04 09:21:19.000000000 +0100
+++ /var/tmp/diff_new_pack.dsG63C/_new 2016-01-04 09:21:19.000000000 +0100
@@ -29,7 +29,7 @@
Group: Documentation/Man
Version: 4.3.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g77a3e32
+Release: <RELEASE>.g008195a
%else
Release: 0
%endif
++++++ kernel-lpae.spec ++++++
--- /var/tmp/diff_new_pack.dsG63C/_old 2016-01-04 09:21:19.000000000 +0100
+++ /var/tmp/diff_new_pack.dsG63C/_new 2016-01-04 09:21:19.000000000 +0100
@@ -59,7 +59,7 @@
Group: System/Kernel
Version: 4.3.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g77a3e32
+Release: <RELEASE>.g008195a
%else
Release: 0
%endif
++++++ kernel-obs-build.spec ++++++
--- /var/tmp/diff_new_pack.dsG63C/_old 2016-01-04 09:21:19.000000000 +0100
+++ /var/tmp/diff_new_pack.dsG63C/_new 2016-01-04 09:21:19.000000000 +0100
@@ -44,7 +44,7 @@
Group: SLES
Version: 4.3.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g77a3e32
+Release: <RELEASE>.g008195a
%else
Release: 0
%endif
kernel-obs-qa.spec: same change
++++++ kernel-pae.spec ++++++
--- /var/tmp/diff_new_pack.dsG63C/_old 2016-01-04 09:21:19.000000000 +0100
+++ /var/tmp/diff_new_pack.dsG63C/_new 2016-01-04 09:21:19.000000000 +0100
@@ -59,7 +59,7 @@
Group: System/Kernel
Version: 4.3.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g77a3e32
+Release: <RELEASE>.g008195a
%else
Release: 0
%endif
++++++ kernel-source.spec ++++++
--- /var/tmp/diff_new_pack.dsG63C/_old 2016-01-04 09:21:19.000000000 +0100
+++ /var/tmp/diff_new_pack.dsG63C/_new 2016-01-04 09:21:19.000000000 +0100
@@ -32,7 +32,7 @@
Group: Development/Sources
Version: 4.3.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g77a3e32
+Release: <RELEASE>.g008195a
%else
Release: 0
%endif
++++++ kernel-syms.spec ++++++
--- /var/tmp/diff_new_pack.dsG63C/_old 2016-01-04 09:21:19.000000000 +0100
+++ /var/tmp/diff_new_pack.dsG63C/_new 2016-01-04 09:21:19.000000000 +0100
@@ -27,7 +27,7 @@
Version: 4.3.3
%if %using_buildservice
%if 0%{?is_kotd}
-Release: <RELEASE>.g77a3e32
+Release: <RELEASE>.g008195a
%else
Release: 0
%endif
++++++ kernel-vanilla.spec ++++++
--- /var/tmp/diff_new_pack.dsG63C/_old 2016-01-04 09:21:19.000000000 +0100
+++ /var/tmp/diff_new_pack.dsG63C/_new 2016-01-04 09:21:19.000000000 +0100
@@ -59,7 +59,7 @@
Group: System/Kernel
Version: 4.3.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g77a3e32
+Release: <RELEASE>.g008195a
%else
Release: 0
%endif
++++++ patches.fixes.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/0001-KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch new/patches.fixes/0001-KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
--- old/patches.fixes/0001-KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/0001-KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch 2015-12-30 10:32:09.000000000 +0100
@@ -0,0 +1,121 @@
+From 096fe9eaea40a17e125569f9e657e34cdb6d73bd Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Tue, 24 Nov 2015 21:36:31 +0000
+Subject: [PATCH] KEYS: Fix handling of stored error in a negatively
+ instantiated user key
+
+Git-commit: 096fe9eaea40a17e125569f9e657e34cdb6d73bd
+Patch-mainline: v4.4-rc3
+References: bnc#958463, CVE-2015-8539OD
+
+If a user key gets negatively instantiated, an error code is cached in the
+payload area. A negatively instantiated key may be then be positively
+instantiated by updating it with valid data. However, the ->update key
+type method must be aware that the error code may be there.
+
+The following may be used to trigger the bug in the user key type:
+
+ keyctl request2 user user "" @u
+ keyctl add user user "a" @u
+
+which manifests itself as:
+
+ BUG: unable to handle kernel paging request at 00000000ffffff8a
+ IP: [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
+ PGD 7cc30067 PUD 0
+ Oops: 0002 [#1] SMP
+ Modules linked in:
+ CPU: 3 PID: 2644 Comm: a.out Not tainted 4.3.0+ #49
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ task: ffff88003ddea700 ti: ffff88003dd88000 task.ti: ffff88003dd88000
+ RIP: 0010:[<ffffffff810a376f>] [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280
+ [<ffffffff810a376f>] __call_rcu.constprop.76+0x1f/0x280 kernel/rcu/tree.c:3046
+ RSP: 0018:ffff88003dd8bdb0 EFLAGS: 00010246
+ RAX: 00000000ffffff82 RBX: 0000000000000000 RCX: 0000000000000001
+ RDX: ffffffff81e3fe40 RSI: 0000000000000000 RDI: 00000000ffffff82
+ RBP: ffff88003dd8bde0 R08: ffff88007d2d2da0 R09: 0000000000000000
+ R10: 0000000000000000 R11: ffff88003e8073c0 R12: 00000000ffffff82
+ R13: ffff88003dd8be68 R14: ffff88007d027600 R15: ffff88003ddea700
+ FS: 0000000000b92880(0063) GS:ffff88007fd00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ CR2: 00000000ffffff8a CR3: 000000007cc5f000 CR4: 00000000000006e0
+ Stack:
+ ffff88003dd8bdf0 ffffffff81160a8a 0000000000000000 00000000ffffff82
+ ffff88003dd8be68 ffff88007d027600 ffff88003dd8bdf0 ffffffff810a39e5
+ ffff88003dd8be20 ffffffff812a31ab ffff88007d027600 ffff88007d027620
+ Call Trace:
+ [<ffffffff810a39e5>] kfree_call_rcu+0x15/0x20 kernel/rcu/tree.c:3136
+ [<ffffffff812a31ab>] user_update+0x8b/0xb0 security/keys/user_defined.c:129
+ [< inline >] __key_update security/keys/key.c:730
+ [<ffffffff8129e5c1>] key_create_or_update+0x291/0x440 security/keys/key.c:908
+ [< inline >] SYSC_add_key security/keys/keyctl.c:125
+ [<ffffffff8129fc21>] SyS_add_key+0x101/0x1e0 security/keys/keyctl.c:60
+ [<ffffffff8185f617>] entry_SYSCALL_64_fastpath+0x12/0x6a arch/x86/entry/entry_64.S:185
+
+Note the error code (-ENOKEY) in EDX.
+
+A similar bug can be tripped by:
+
+ keyctl request2 trusted user "" @u
+ keyctl add trusted user "a" @u
+
+This should also affect encrypted keys - but that has to be correctly
+parameterised or it will fail with EINVAL before getting to the bit that
+will crashes.
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: David Howells
+Acked-by: Mimi Zohar
+Signed-off-by: James Morris
+Acked-by: Lee, Chun-Yi
+---
+ security/keys/encrypted-keys/encrypted.c | 2 ++
+ security/keys/trusted.c | 5 ++++-
+ security/keys/user_defined.c | 5 ++++-
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/security/keys/encrypted-keys/encrypted.c
++++ b/security/keys/encrypted-keys/encrypted.c
+@@ -845,6 +845,8 @@ static int encrypted_update(struct key *
+ size_t datalen = prep->datalen;
+ int ret = 0;
+
++ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
++ return -ENOKEY;
+ if (datalen <= 0 || datalen > 32767 || !prep->data)
+ return -EINVAL;
+
+--- a/security/keys/trusted.c
++++ b/security/keys/trusted.c
+@@ -984,13 +984,16 @@ static void trusted_rcu_free(struct rcu_
+ */
+ static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
+ {
+- struct trusted_key_payload *p = key->payload.data;
++ struct trusted_key_payload *p;
+ struct trusted_key_payload *new_p;
+ struct trusted_key_options *new_o;
+ size_t datalen = prep->datalen;
+ char *datablob;
+ int ret = 0;
+
++ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
++ return -ENOKEY;
++ p = key->payload.data;
+ if (!p->migratable)
+ return -EPERM;
+ if (datalen <= 0 || datalen > 32767 || !prep->data)
+--- a/security/keys/user_defined.c
++++ b/security/keys/user_defined.c
+@@ -120,7 +120,10 @@ int user_update(struct key *key, struct
+
+ if (ret == 0) {
+ /* attach the new data, displacing the old */
+- zap = key->payload.data;
++ if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags))
++ zap = key->payload.data;
++ else
++ zap = NULL;
+ rcu_assign_keypointer(key, upayload);
+ key->expiry = 0;
+ }
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.dsG63C/_old 2016-01-04 09:21:19.000000000 +0100
+++ /var/tmp/diff_new_pack.dsG63C/_new 2016-01-04 09:21:19.000000000 +0100
@@ -456,6 +456,9 @@
#
##########################################################
+ # bsc#958463 VUL-0: CVE-2015-8539: kernel: Fix handling of stored error in a negatively instantiated user key
+ patches.fixes/0001-KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
+
##########################################################
# Audit
++++++ source-timestamp ++++++
--- /var/tmp/diff_new_pack.dsG63C/_old 2016-01-04 09:21:19.000000000 +0100
+++ /var/tmp/diff_new_pack.dsG63C/_new 2016-01-04 09:21:19.000000000 +0100
@@ -1,3 +1,3 @@
-2015-12-28 16:58:51 +0100
-GIT Revision: 77a3e32efb4979780b41ec71dde40026a3045fbc
+2015-12-30 10:32:09 +0100
+GIT Revision: 008195af0bd30b4154392c382ad19eb6248fdeb1
GIT Branch: stable