Hello community, here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2017-04-13 10:43:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kernel-source (Old) and /work/SRC/openSUSE:Factory/.kernel-source.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Thu Apr 13 10:43:42 2017 rev:359 rq:486879 version:4.10.9 Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/dtb-aarch64.changes 2017-04-03 11:04:54.405388226 +0200 +++ /work/SRC/openSUSE:Factory/.kernel-source.new/dtb-aarch64.changes 2017-04-13 10:43:47.584262694 +0200 @@ -1,0 +2,24 @@ +Sat Apr 8 17:30:03 CEST 2017 - [email protected] + +- Linux 4.10.9 (CVE-2017-7187 bnc#1012628 bsc#1030213). +- Delete + patches.fixes/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch. +- commit 195f937 + +------------------------------------------------------------------- +Mon Apr 3 19:03:43 CEST 2017 - [email protected] + +- drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() + (boo#1031440 CVE-2017-7294). +- drm/vmwgfx: NULL pointer dereference in + vmw_surface_define_ioctl() (boo#1031052 CVE-2017-7261). +- commit eb4ae7d + +------------------------------------------------------------------- +Mon Apr 3 13:29:20 CEST 2017 - [email protected] + +- scsi: sg: check length passed to SG_NEXT_CMD_LEN (bsc#1030213, + CVE-2017-7187). +- commit 64f4c97 + +------------------------------------------------------------------- @@ -25,0 +50,7 @@ + +------------------------------------------------------------------- +Fri Mar 31 18:20:54 CEST 2017 - [email protected] + +- drm/fb-helper: Allow var->x/yres(_virtual) < fb->width/height + again (bsc#1031935). +- commit 62e9602 dtb-armv6l.changes: same change dtb-armv7l.changes: same change kernel-64kb.changes: same change kernel-debug.changes: same change kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-syzkaller.changes: same change kernel-vanilla.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dtb-aarch64.spec ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:56.291031414 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:56.295030849 +0200 @@ -16,15 +16,15 @@ # -%define patchversion 4.10.8 +%define patchversion 4.10.9 %define vanilla_only 0 %include %_sourcedir/kernel-spec-macros Name: dtb-aarch64 -Version: 4.10.8 +Version: 4.10.9 %if 0%{?is_kotd} -Release: <RELEASE>.gea9dcd4 +Release: <RELEASE>.g195f937 %else Release: 0 %endif dtb-armv6l.spec: same change dtb-armv7l.spec: same change ++++++ kernel-64kb.spec ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:56.367020668 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:56.367020668 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.10 -%define patchversion 4.10.8 +%define patchversion 4.10.9 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with 64kb PAGE_SIZE License: GPL-2.0 Group: System/Kernel -Version: 4.10.8 +Version: 4.10.9 %if 0%{?is_kotd} -Release: <RELEASE>.gea9dcd4 +Release: <RELEASE>.g195f937 %else Release: 0 %endif kernel-debug.spec: same change kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:56.427012184 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:56.431011619 +0200 @@ -16,7 +16,7 @@ # -%define patchversion 4.10.8 +%define patchversion 4.10.9 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -42,9 +42,9 @@ Summary: Kernel Documentation (man pages) License: GPL-2.0 Group: Documentation/Man -Version: 4.10.8 +Version: 4.10.9 %if 0%{?is_kotd} -Release: <RELEASE>.gea9dcd4 +Release: <RELEASE>.g195f937 %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:56.447009357 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:56.451008791 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.10 -%define patchversion 4.10.8 +%define patchversion 4.10.9 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel for LPAE enabled systems License: GPL-2.0 Group: System/Kernel -Version: 4.10.8 +Version: 4.10.9 %if 0%{?is_kotd} -Release: <RELEASE>.gea9dcd4 +Release: <RELEASE>.g195f937 %else Release: 0 %endif ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:56.483004266 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:56.483004266 +0200 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 4.10.8 +%define patchversion 4.10.9 %define variant %{nil} %define vanilla_only 0 @@ -57,9 +57,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0 Group: SLES -Version: 4.10.8 +Version: 4.10.9 %if 0%{?is_kotd} -Release: <RELEASE>.gea9dcd4 +Release: <RELEASE>.g195f937 %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:56.503001438 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:56.503001438 +0200 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 4.10.8 +%define patchversion 4.10.9 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0 Group: SLES -Version: 4.10.8 +Version: 4.10.9 %if 0%{?is_kotd} -Release: <RELEASE>.gea9dcd4 +Release: <RELEASE>.g195f937 %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:56.522998611 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:56.522998611 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.10 -%define patchversion 4.10.8 +%define patchversion 4.10.9 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with PAE Support License: GPL-2.0 Group: System/Kernel -Version: 4.10.8 +Version: 4.10.9 %if 0%{?is_kotd} -Release: <RELEASE>.gea9dcd4 +Release: <RELEASE>.g195f937 %else Release: 0 %endif ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:56.542995782 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:56.542995782 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.10 -%define patchversion 4.10.8 +%define patchversion 4.10.9 %define variant %{nil} %define vanilla_only 0 @@ -30,9 +30,9 @@ Summary: The Linux Kernel Sources License: GPL-2.0 Group: Development/Sources -Version: 4.10.8 +Version: 4.10.9 %if 0%{?is_kotd} -Release: <RELEASE>.gea9dcd4 +Release: <RELEASE>.g195f937 %else Release: 0 %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:56.566992389 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:56.566992389 +0200 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0 Group: Development/Sources -Version: 4.10.8 +Version: 4.10.9 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.gea9dcd4 +Release: <RELEASE>.g195f937 %else Release: 0 %endif ++++++ kernel-syzkaller.spec ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:56.586989561 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:56.586989561 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.10 -%define patchversion 4.10.8 +%define patchversion 4.10.9 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel used for fuzzing by syzkaller License: GPL-2.0 Group: System/Kernel -Version: 4.10.8 +Version: 4.10.9 %if 0%{?is_kotd} -Release: <RELEASE>.gea9dcd4 +Release: <RELEASE>.g195f937 %else Release: 0 %endif kernel-vanilla.spec: same change ++++++ patches.drivers.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/drm-vmwgfx-NULL-pointer-dereference-in-vmw_surface_define_ioctl.patch new/patches.drivers/drm-vmwgfx-NULL-pointer-dereference-in-vmw_surface_define_ioctl.patch --- old/patches.drivers/drm-vmwgfx-NULL-pointer-dereference-in-vmw_surface_define_ioctl.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.drivers/drm-vmwgfx-NULL-pointer-dereference-in-vmw_surface_define_ioctl.patch 2017-04-04 12:46:31.000000000 +0200 @@ -0,0 +1,36 @@ +From: Murray McAllister <[email protected]> +Date: Mon Mar 27 11:12:53 2017 +0200 +Subject: drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() +Patch-mainline: Queued in driver maintainer repository +Git-repo: git://people.freedesktop.org/~thomash/linux +Git-commit: 36274ab8c596f1240c606bb514da329add2a1bcd +References: boo#1031052 CVE-2017-7261 + +Before memory allocations vmw_surface_define_ioctl() checks the +upper-bounds of a user-supplied size, but does not check if the +supplied size is 0. + +Add check to avoid NULL pointer dereferences. + +Cc: <[email protected]> +Signed-off-by: Murray McAllister <[email protected]> +Reviewed-by: Sinclair Yeh <[email protected]> +Signed-off-by: Max Staudt <[email protected]> +--- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +index b445ce9..f410502 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, + for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) + num_sizes += req->mip_levels[i]; + +- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * +- DRM_VMW_MAX_MIP_LEVELS) ++ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS || ++ num_sizes == 0) + return -EINVAL; + + size = vmw_user_surface_size + 128 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch new/patches.drivers/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch --- old/patches.drivers/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.drivers/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch 2017-04-04 12:46:31.000000000 +0200 @@ -0,0 +1,39 @@ +From: Li Qiang <[email protected]> +Date: Mon Mar 27 20:10:53 2017 -0700 +Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() +Patch-mainline: Queued in driver maintainer repository +Git-repo: git://people.freedesktop.org/~thomash/linux +Git-commit: e7e11f99564222d82f0ce84bd521e57d78a6b678 +References: boo#1031440 CVE-2017-7294 + +In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the +'req->mip_levels' array. This array can be assigned any value from +the user space. As both the 'num_sizes' and the array is uint32_t, +it is easy to make 'num_sizes' overflow. The later 'mip_levels' is +used as the loop count. This can lead an oob write. Add the check of +'req->mip_levels' to avoid this. + +Cc: <[email protected]> +Signed-off-by: Li Qiang <[email protected]> +Reviewed-by: Thomas Hellstrom <[email protected]> +Signed-off-by: Max Staudt <[email protected]> +--- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +index f410502..96760a4 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -713,8 +713,11 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, + 128; + + num_sizes = 0; +- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) ++ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) { ++ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS) ++ return -EINVAL; + num_sizes += req->mip_levels[i]; ++ } + + if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS || + num_sizes == 0) ++++++ patches.fixes.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/drm-fb-helper-Allow-var-x-yres-_virtual-fb-width-hei new/patches.fixes/drm-fb-helper-Allow-var-x-yres-_virtual-fb-width-hei --- old/patches.fixes/drm-fb-helper-Allow-var-x-yres-_virtual-fb-width-hei 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/drm-fb-helper-Allow-var-x-yres-_virtual-fb-width-hei 2017-04-08 17:30:03.000000000 +0200 @@ -0,0 +1,46 @@ +From 12ffed96d4369f086261ba2ee734fa8c932d7f55 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <[email protected]> +Date: Thu, 23 Mar 2017 17:53:26 +0900 +Subject: [PATCH] drm/fb-helper: Allow var->x/yres(_virtual) < fb->width/height again +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 12ffed96d4369f086261ba2ee734fa8c932d7f55 +Patch-mainline: 4.11-rc4 +References: bsc#1031935 + +Otherwise this can also prevent modesets e.g. for switching VTs, when +multiple monitors with different native resolutions are connected. + +The depths must match though, so keep the != test for that. + +Also update the DRM_DEBUG output to be slightly more accurate, this +doesn't only affect requests from userspace. + +Bugzilla: https://bugs.freedesktop.org/99841 +Fixes: 865afb11949e ("drm/fb-helper: reject any changes to the fbdev") +Signed-off-by: Michel Dänzer <[email protected]> +Reviewed-by: Daniel Stone <[email protected]> +Signed-off-by: Daniel Vetter <[email protected]> +Link: http://patchwork.freedesktop.org/patch/msgid/[email protected] +Acked-by: Takashi Iwai <[email protected]> + +--- + drivers/gpu/drm/drm_fb_helper.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -1256,9 +1256,9 @@ int drm_fb_helper_check_var(struct fb_va + * to KMS, hence fail if different settings are requested. + */ + if (var->bits_per_pixel != fb->bits_per_pixel || +- var->xres != fb->width || var->yres != fb->height || +- var->xres_virtual != fb->width || var->yres_virtual != fb->height) { +- DRM_DEBUG("fb userspace requested width/height/bpp different than current fb " ++ var->xres > fb->width || var->yres > fb->height || ++ var->xres_virtual > fb->width || var->yres_virtual > fb->height) { ++ DRM_DEBUG("fb requested width/height/bpp can't fit in current fb " + "request %dx%d-%d (virtual %dx%d) > %dx%d-%d\n", + var->xres, var->yres, var->bits_per_pixel, + var->xres_virtual, var->yres_virtual, ++++++ patches.kernel.org.tar.bz2 ++++++ ++++ 4650 lines of diff (skipped) ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:57.582848730 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:57.582848730 +0200 @@ -35,6 +35,7 @@ patches.kernel.org/patch-4.10.5-6 patches.kernel.org/patch-4.10.6-7 patches.kernel.org/patch-4.10.7-8 + patches.kernel.org/patch-4.10.8-9 ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -325,10 +326,15 @@ patches.fixes/scsi-ibmvscsi-module_alias.patch + ######################################################## # DRM/Video ######################################################## patches.fixes/drm-i915-Fix-S4-resume-breakage + patches.fixes/drm-fb-helper-Allow-var-x-yres-_virtual-fb-width-hei + + patches.drivers/drm-vmwgfx-NULL-pointer-dereference-in-vmw_surface_define_ioctl.patch + patches.drivers/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch ######################################################## # video4linux ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.8Yhja0/_old 2017-04-13 10:43:57.614844206 +0200 +++ /var/tmp/diff_new_pack.8Yhja0/_new 2017-04-13 10:43:57.618843641 +0200 @@ -1,3 +1,3 @@ -2017-03-31 19:16:00 +0200 -GIT Revision: ea9dcd468d472551aa10e99534387143f44aa33f +2017-04-08 17:30:03 +0200 +GIT Revision: 195f9370151c1957e58902b22d8b49d2db8bdd5f GIT Branch: stable
