From ff622db2731cde5a17773f5d2da74292ce581975 Mon Sep 17 00:00:00 2001
From: Michal Koutný
Date: Mar 28 2024 09:23:55 +0000
Subject: Merge remote-tracking branch 'origin/cve/linux-5.14-LTSS' into SLE15-SP5
Conflicts: metadata merge: patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch
---
diff --git a/patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch b/patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
index 0609d8c..3e4cbb9 100644
--- a/patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
+++ b/patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
@@ -4,7 +4,7 @@ Date: Thu, 27 Jan 2022 08:16:38 +0100
 Subject: [PATCH] moxart: fix potential use-after-free on remove path
 Git-commit: bd2db32e7c3e35bd4d9b8bbff689434a50893546
 Patch-mainline: v5.17-rc4
-References: bsc#1194516 CVE-2022-0487
+References: bsc#1194516 CVE-2022-0487 CVE-2022-48626 bsc#1220366
 It was reported that the mmc host structure could be accessed after it was freed in moxart_remove(), so fix this by saving the base register of
diff --git a/patches.suse/ALSA-hda-intel-sdw-acpi-harden-detection-of-controll.patch b/patches.suse/ALSA-hda-intel-sdw-acpi-harden-detection-of-controll.patch
index fc4a225..9cdff10 100644
--- a/patches.suse/ALSA-hda-intel-sdw-acpi-harden-detection-of-controll.patch
+++ b/patches.suse/ALSA-hda-intel-sdw-acpi-harden-detection-of-controll.patch
@@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8
 Content-transfer-encoding: 8bit
 Git-commit: 385f287f9853da402d94278e59f594501c1d1dad
 Patch-mainline: v5.16-rc7
-References: git-fixes
+References: git-fixes CVE-2021-46926 bsc#1220478
 The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to
diff --git a/patches.suse/ALSA-rawmidi-fix-the-uninitalized-user_pversion.patch b/patches.suse/ALSA-rawmidi-fix-the-uninitalized-user_pversion.patch
index 7f8ca99..411ab8c 100644
--- a/patches.suse/ALSA-rawmidi-fix-the-uninitalized-user_pversion.patch
+++ b/patches.suse/ALSA-rawmidi-fix-the-uninitalized-user_pversion.patch
@@ -4,7 +4,7 @@ Date: Sat, 18 Dec 2021 13:39:25 +0100
 Subject: [PATCH] ALSA: rawmidi - fix the uninitalized user_pversion
 Git-commit: 39a8fc4971a00d22536aeb7d446ee4a97810611b
 Patch-mainline: v5.16-rc7
-References: git-fixes
+References: git-fixes CVE-2021-47096 bsc#1220981
 The user_pversion was uninitialized for the user space file structure in the open function, because the file private structure use
diff --git a/patches.suse/HID-intel-ish-hid-ipc-Disable-and-reenable-ACPI-GPE-.patch b/patches.suse/HID-intel-ish-hid-ipc-Disable-and-reenable-ACPI-GPE-.patch
index e5ae38d..33f544e 100644
--- a/patches.suse/HID-intel-ish-hid-ipc-Disable-and-reenable-ACPI-GPE-.patch
+++ b/patches.suse/HID-intel-ish-hid-ipc-Disable-and-reenable-ACPI-GPE-.patch
@@ -4,7 +4,7 @@ Date: Tue, 3 Oct 2023 08:53:32 -0700
 Subject: [PATCH] HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
 Git-commit: 8f02139ad9a7e6e5c05712f8c1501eebed8eacfd
 Patch-mainline: v6.6-rc5
-References: git-fixes
+References: git-fixes CVE-2023-52519 bsc#1220920
 The EHL (Elkhart Lake) based platforms provide a OOB (Out of band) service, which allows to wakup device when the system is in S5 (Soft-Off
diff --git a/patches.suse/HID-sony-Fix-a-potential-memory-leak-in-sony_probe.patch b/patches.suse/HID-sony-Fix-a-potential-memory-leak-in-sony_probe.patch
index 23e432f..5ea5159 100644
--- a/patches.suse/HID-sony-Fix-a-potential-memory-leak-in-sony_probe.patch
+++ b/patches.suse/HID-sony-Fix-a-potential-memory-leak-in-sony_probe.patch
@@ -4,7 +4,7 @@ Date: Sun, 3 Sep 2023 18:04:00 +0200
 Subject: [PATCH] HID: sony: Fix a potential memory leak in sony_probe()
 Git-commit: e1cd4004cde7c9b694bbdd8def0e02288ee58c74
 Patch-mainline: v6.6-rc5
-References: git-fixes
+References: git-fixes CVE-2023-52529 bsc#1220929
 If an error occurs after a successful usb_alloc_urb() call, usb_free_urb() should be called.
diff --git a/patches.suse/IB-hfi1-Fix-bugs-with-non-PAGE_SIZE-end-multi-iovec-.patch b/patches.suse/IB-hfi1-Fix-bugs-with-non-PAGE_SIZE-end-multi-iovec-.patch
index 7362d12..963f55f 100644
--- a/patches.suse/IB-hfi1-Fix-bugs-with-non-PAGE_SIZE-end-multi-iovec-.patch
+++ b/patches.suse/IB-hfi1-Fix-bugs-with-non-PAGE_SIZE-end-multi-iovec-.patch
@@ -5,7 +5,7 @@ Subject: [PATCH 1/1] IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests
 Git-commit: 00cbce5cbf88459cd1aa1d60d0f1df15477df127
 Patch-mainline: v6.4-rc1
-References: git-fixes
+References: git-fixes CVE-2023-52474 bsc#1220445
 hfi1 user SDMA request processing has two bugs that can cause data corruption for user SDMA requests that have multiple payload iovecs
diff --git a/patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch b/patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
index b5193c6..4838a0c 100644
--- a/patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
+++ b/patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
@@ -6,7 +6,7 @@ Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Patch-mainline: v5.16-rc7
 Git-commit: bee90911e0138c76ee67458ac0d58b38a3190f65
-References: git-fixes
+References: git-fixes CVE-2021-47104 bsc#1220960
 The wrong goto label was used for the error case and missed cleanup of the pkt allocation.
diff --git a/patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch b/patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch
index 9cc3a11..063926f 100644
--- a/patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch
+++ b/patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch
@@ -4,7 +4,7 @@ Date: Mon, 29 Nov 2021 00:08:13 -0800
 Subject: [PATCH] Input: elantech - fix stack out of bound access in elantech_change_report_id()
 Git-commit: 1d72d9f960ccf1052a0630a68c3d358791dbdaaa
 Patch-mainline: v5.16-rc7
-References: git-fixes
+References: git-fixes CVE-2021-47097 bsc#1220982
 The array param[] in elantech_change_report_id() must be at least 3 bytes, because elantech_read_reg_params() is calling ps2_command() with
diff --git a/patches.suse/KVM-x86-mmu-Don-t-advance-iterator-after-restart-due.patch b/patches.suse/KVM-x86-mmu-Don-t-advance-iterator-after-restart-due.patch
index a17ae0a..0d4da73 100644
--- a/patches.suse/KVM-x86-mmu-Don-t-advance-iterator-after-restart-due.patch
+++ b/patches.suse/KVM-x86-mmu-Don-t-advance-iterator-after-restart-due.patch
@@ -1,6 +1,6 @@
 Patch-mainline: v5.16-rc7
 Git-commit: 3a0f64de479cae75effb630a2e0a237ca0d0623c
-References: git-fixes
+References: git-fixes CVE-2021-47094 bsc#1221551
 From: Sean Christopherson
 Date: Tue, 14 Dec 2021 03:35:28 +0000
 Subject: [PATCH] KVM: x86/mmu: Don't advance iterator after restart due to
diff --git a/patches.suse/NFSD-Fix-READDIR-buffer-overflow.patch b/patches.suse/NFSD-Fix-READDIR-buffer-overflow.patch
index afd866b..0eddcfb 100644
--- a/patches.suse/NFSD-Fix-READDIR-buffer-overflow.patch
+++ b/patches.suse/NFSD-Fix-READDIR-buffer-overflow.patch
@@ -3,7 +3,7 @@ Date: Thu, 16 Dec 2021 11:12:11 -0500
 Subject: [PATCH] NFSD: Fix READDIR buffer overflow
 Git-commit: 53b1119a6e5028b125f431a0116ba73510d82a72
 Patch-mainline: v5.16
-References: git-fixes bsc#1196346
+References: git-fixes bsc#1196346 CVE-2021-47107 bsc#1220965
 If a client sends a READDIR count argument that is too small (say, zero), then the buffer size calculation in the new init_dirlist
diff --git a/patches.suse/RDMA-siw-Fix-connection-failure-handling.patch b/patches.suse/RDMA-siw-Fix-connection-failure-handling.patch
index b754fd6..65a1f90 100644
--- a/patches.suse/RDMA-siw-Fix-connection-failure-handling.patch
+++ b/patches.suse/RDMA-siw-Fix-connection-failure-handling.patch
@@ -4,7 +4,7 @@ Date: Tue, 5 Sep 2023 16:58:22 +0200
 Subject: [PATCH 1/1] RDMA/siw: Fix connection failure handling
 Git-commit: 53a3f777049771496f791504e7dc8ef017cba590
 Patch-mainline: v6.6-rc5
-References: git-fixes
+References: git-fixes CVE-2023-52513 bsc#1221022
 In case immediate MPA request processing fails, the newly created endpoint unlinks the listening endpoint and is
diff --git a/patches.suse/RDMA-srp-Do-not-call-scsi_done-from-srp_abort.patch b/patches.suse/RDMA-srp-Do-not-call-scsi_done-from-srp_abort.patch
index 415e4ae..5ef0158 100644
--- a/patches.suse/RDMA-srp-Do-not-call-scsi_done-from-srp_abort.patch
+++ b/patches.suse/RDMA-srp-Do-not-call-scsi_done-from-srp_abort.patch
@@ -4,7 +4,7 @@ Date: Wed, 23 Aug 2023 13:57:27 -0700
 Subject: [PATCH 1/1] RDMA/srp: Do not call scsi_done() from srp_abort()
 Git-commit: e193b7955dfad68035b983a0011f4ef3590c85eb
 Patch-mainline: v6.6-rc5
-References: git-fixes
+References: git-fixes CVE-2023-52515 bsc#1221048
 After scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler callback, it performs one of the following actions:
diff --git a/patches.suse/Revert-tty-n_gsm-fix-UAF-in-gsm_cleanup_mux.patch b/patches.suse/Revert-tty-n_gsm-fix-UAF-in-gsm_cleanup_mux.patch
index 423dc39..c678a51 100644
--- a/patches.suse/Revert-tty-n_gsm-fix-UAF-in-gsm_cleanup_mux.patch
+++ b/patches.suse/Revert-tty-n_gsm-fix-UAF-in-gsm_cleanup_mux.patch
@@ -4,7 +4,7 @@ Date: Thu, 14 Sep 2023 07:15:07 +0200
 Subject: [PATCH] Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
 Git-commit: 29346e217b8ab8a52889b88f00b268278d6b7668
 Patch-mainline: v6.6-rc4
-References: git-fixes
+References: git-fixes CVE-2023-52564 bsc#1220938
 This reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.
diff --git a/patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch b/patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch
index 91c2597..02a8b41 100644
--- a/patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch
+++ b/patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch
@@ -4,7 +4,7 @@ Date: Tue, 21 Dec 2021 23:10:36 +0300
 Subject: [PATCH] asix: fix uninit-value in asix_mdio_read()
 Git-commit: 8035b1a2a37a29d8c717ef84fca8fe7278bc9f03
 Patch-mainline: v5.16-rc7
-References: git-fixes
+References: git-fixes CVE-2021-47101 bsc#1220987
 asix_read_cmd() may read less than sizeof(smsr) bytes and in this case smsr will be uninitialized.
diff --git a/patches.suse/bpf-Check-rcu_read_lock_trace_held-before-calling-bp.patch b/patches.suse/bpf-Check-rcu_read_lock_trace_held-before-calling-bp.patch
index 1f5d655..897ee78 100644
--- a/patches.suse/bpf-Check-rcu_read_lock_trace_held-before-calling-bp.patch
+++ b/patches.suse/bpf-Check-rcu_read_lock_trace_held-before-calling-bp.patch
@@ -3,7 +3,7 @@ Date: Mon, 4 Dec 2023 22:04:19 +0800
 Subject: bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers
 Patch-mainline: v6.8-rc1
 Git-commit: 169410eba271afc9f0fb476d996795aa26770c6d
-References: bsc#1220251 CVE-2023-52447
+References: bsc#1220251 CVE-2023-52447 CVE-2023-52621 bsc#1222073
 X-Info: additional change in include/linux/bpf.h pulled from 8c7dcb84e3b7 "bpf: implement sleepable uprobes by chaining gps"
 These three bpf_map_{lookup,update,delete}_elem() helpers are also
diff --git a/patches.suse/crypto-qcom-rng-ensure-buffer-for-generate-is-comple.patch b/patches.suse/crypto-qcom-rng-ensure-buffer-for-generate-is-comple.patch
index 6e4df9d..bf823f3 100644
--- a/patches.suse/crypto-qcom-rng-ensure-buffer-for-generate-is-comple.patch
+++ b/patches.suse/crypto-qcom-rng-ensure-buffer-for-generate-is-comple.patch
@@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8
 Content-transfer-encoding: 8bit
 Git-commit: a680b1832ced3b5fa7c93484248fd221ea0d614b
 Patch-mainline: v5.17
-References: git-fixes
+References: git-fixes CVE-2022-48629 bsc#1220989
 The generate function in struct rng_alg expects that the destination buffer is completely filled if the function returns 0. qcom_rng_read()
diff --git a/patches.suse/crypto-qcom-rng-fix-infinite-loop-on-requests-not-mu.patch b/patches.suse/crypto-qcom-rng-fix-infinite-loop-on-requests-not-mu.patch
index e920bc6..6797c88 100644
--- a/patches.suse/crypto-qcom-rng-fix-infinite-loop-on-requests-not-mu.patch
+++ b/patches.suse/crypto-qcom-rng-fix-infinite-loop-on-requests-not-mu.patch
@@ -4,7 +4,7 @@ Date: Tue, 3 May 2022 13:50:10 +0200
 Subject: [PATCH] crypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ
 Git-commit: 16287397ec5c08aa58db6acf7dbc55470d78087d
 Patch-mainline: v5.18
-References: git-fixes
+References: git-fixes CVE-2022-48630 bsc#1220990
 The commit referenced in the Fixes tag removed the 'break' from the else branch in qcom_rng_read(), causing an infinite loop whenever 'max' is
diff --git a/patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch b/patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch
index cca0997..62f04c1 100644
--- a/patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch
+++ b/patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch
@@ -4,7 +4,7 @@ Date: Thu, 28 Oct 2021 09:43:11 +0200
 Subject: drm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf
 Git-commit: 3b8e19a0aa3933a785be9f1541afd8d398c4ec69
 Patch-mainline: v5.16-rc7
-References: jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225
+References: jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 CVE-2021-47108 bsc#1220986
 In commit 41ca9caaae0b ("drm/mediatek: hdmi: Add check for CEA modes only") a check
diff --git a/patches.suse/hwmon-lm90-Prevent-integer-overflow-underflow-in-hys.patch b/patches.suse/hwmon-lm90-Prevent-integer-overflow-underflow-in-hys.patch
index 45174bd..a394808 100644
--- a/patches.suse/hwmon-lm90-Prevent-integer-overflow-underflow-in-hys.patch
+++ b/patches.suse/hwmon-lm90-Prevent-integer-overflow-underflow-in-hys.patch
@@ -4,7 +4,7 @@ Date: Wed, 17 Nov 2021 09:51:47 -0800
 Subject: [PATCH] hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations
 Git-commit: 55840b9eae5367b5d5b29619dc2fb7e4596dba46
 Patch-mainline: v5.16-rc7
-References: git-fixes
+References: git-fixes CVE-2021-47098 bsc#1220983
 Commit b50aa49638c7 ("hwmon: (lm90) Prevent integer underflows of temperature calculations") addressed a number of underflow situations
diff --git a/patches.suse/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_prob.patch b/patches.suse/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_prob.patch
index d30c366..79fdf65 100644
--- a/patches.suse/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_prob.patch
+++ b/patches.suse/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_prob.patch
@@ -4,7 +4,7 @@ Date: Sat, 7 Oct 2023 11:30:49 +0800
 Subject: [PATCH] ieee802154: ca8210: Fix a potential UAF in ca8210_probe
 Git-commit: f990874b1c98fe8e57ee9385669f501822979258
 Patch-mainline: v6.6-rc6
-References: git-fixes
+References: git-fixes CVE-2023-52510 bsc#1220898
 If of_clk_add_provider() fails in ca8210_register_ext_clock(), it calls clk_unregister() to release priv->clk and returns an
diff --git a/patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch b/patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch
index 8e941a9..cd4d37a 100644
--- a/patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch
+++ b/patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch
@@ -3,7 +3,7 @@ Date: Tue, 21 Dec 2021 15:00:34 +0800
 Subject: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module
 Git-commit: ffb76a86f8096a8206be03b14adda6092e18e275
 Patch-mainline: 5.16-rc7
-References: git-fixes
+References: git-fixes CVE-2021-47100 bsc#1220985
 Hi,
diff --git a/patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch b/patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch
index e3c4c00..4a363f0 100644
--- a/patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch
+++ b/patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch
@@ -5,7 +5,7 @@ Subject: [PATCH] ipmi: ssif: initialize ssif_info->client early
 Git-commit: 34f35f8f14bc406efc06ee4ff73202c6fd245d15
 Patch-mainline: v5.16-rc7
-References: bsc#1193490
+References: bsc#1193490 CVE-2021-47095 bsc#1220979
 During probe ssif_info->client is dereferenced in error path. However, it is set when some of the error checking has already been done. This
diff --git a/patches.suse/mac80211-fix-locking-in-ieee80211_start_ap-error-pat.patch b/patches.suse/mac80211-fix-locking-in-ieee80211_start_ap-error-pat.patch
index 7f7a2f8..b289fce 100644
--- a/patches.suse/mac80211-fix-locking-in-ieee80211_start_ap-error-pat.patch
+++ b/patches.suse/mac80211-fix-locking-in-ieee80211_start_ap-error-pat.patch
@@ -4,7 +4,7 @@ Date: Mon, 20 Dec 2021 10:22:40 +0100
 Subject: [PATCH] mac80211: fix locking in ieee80211_start_ap error path
 Git-commit: 87a270625a89fc841f1a7e21aae6176543d8385c
 Patch-mainline: v5.16-rc7
-References: git-fixes
+References: git-fixes CVE-2021-47091 bsc#1220959
 We need to hold the local->mtx to release the channel context, as even encoded by the lockdep_assert_held() there. Fix it.
diff --git a/patches.suse/net-fix-use-after-free-in-tw_timer_handler.patch b/patches.suse/net-fix-use-after-free-in-tw_timer_handler.patch
index 0dcb3ee..70d82cb 100644
--- a/patches.suse/net-fix-use-after-free-in-tw_timer_handler.patch
+++ b/patches.suse/net-fix-use-after-free-in-tw_timer_handler.patch
@@ -2,7 +2,7 @@ From e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 Mon Sep 17 00:00:00 2001
 From: Muchun Song
 Date: Tue, 28 Dec 2021 18:41:45 +0800
 Subject: [PATCH] net: fix use-after-free in tw_timer_handler
-References: bsc#1217195
+References: bsc#1217195 CVE-2021-46936 bsc#1220439
 Git-commit: e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0
 Patch-mainline: v5.16-rc8
diff --git a/patches.suse/net-marvell-prestera-fix-incorrect-structure-access.patch b/patches.suse/net-marvell-prestera-fix-incorrect-structure-access.patch
index fb6c621..dc034c2 100644
--- a/patches.suse/net-marvell-prestera-fix-incorrect-structure-access.patch
+++ b/patches.suse/net-marvell-prestera-fix-incorrect-structure-access.patch
@@ -4,7 +4,7 @@ Date: Thu, 16 Dec 2021 19:17:14 +0200
 Subject: [PATCH 5/8] net: marvell: prestera: fix incorrect structure access
 Git-commit: 2efc2256febf214e7b2bdaa21fe6c3c3146acdcb
 Patch-mainline: v5.16-rc7
-References: git-fixes
+References: git-fixes CVE-2021-47102 bsc#1221009
 In line: upper = info->upper_dev;
diff --git a/patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch b/patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch
index 0810522..5ce319f 100644
--- a/patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch
+++ b/patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch
@@ -4,7 +4,7 @@ Date: Fri, 8 Sep 2023 19:58:53 -0400
 Subject: [PATCH] net: nfc: llcp: Add lock when modifying device list
 Git-commit: dfc7f7a988dad34c3bf4c053124fb26aa6c5f916
 Patch-mainline: v6.6-rc5
-References: git-fixes
+References: git-fixes CVE-2023-52524 bsc#1220927
 The device list needs its associated lock held when modifying it, or the list could become corrupted, as syzbot discovered.
diff --git a/patches.suse/net-smc-fix-kernel-panic-caused-by-race-of-smc_sock b/patches.suse/net-smc-fix-kernel-panic-caused-by-race-of-smc_sock
index 5795f9d..f634c20 100644
--- a/patches.suse/net-smc-fix-kernel-panic-caused-by-race-of-smc_sock
+++ b/patches.suse/net-smc-fix-kernel-panic-caused-by-race-of-smc_sock
@@ -3,7 +3,7 @@ Date: Tue, 28 Dec 2021 17:03:25 +0800
 Subject: net/smc: fix kernel panic caused by race of smc_sock
 Git-commit: 349d43127dac00c15231e8ffbcaabd70f7b0e544
 Patch-mainline: v5.16-rc8
-References: git-fixes
+References: git-fixes CVE-2021-46925 bsc#1220466
 A crash occurs when smc_cdc_tx_handler() tries to access smc_sock but smc_release() has already freed it.
diff --git a/patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch b/patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch
index 4277b00..a800dd5 100644
--- a/patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch
+++ b/patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch
@@ -4,7 +4,7 @@ Date: Sun, 24 Sep 2023 02:35:49 +0900
 Subject: [PATCH] net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
 Git-commit: e9c65989920f7c28775ec4e0c11b483910fb67b8
 Patch-mainline: v6.6-rc5
-References: git-fixes
+References: git-fixes CVE-2023-52528 bsc#1220843
 syzbot reported the following uninit-value access issue:
diff --git a/patches.suse/nfc-nci-assert-requested-protocol-is-valid.patch b/patches.suse/nfc-nci-assert-requested-protocol-is-valid.patch
index b81da54..1966a99 100644
--- a/patches.suse/nfc-nci-assert-requested-protocol-is-valid.patch
+++ b/patches.suse/nfc-nci-assert-requested-protocol-is-valid.patch
@@ -4,7 +4,7 @@ Date: Mon, 9 Oct 2023 16:00:54 -0400
 Subject: [PATCH] nfc: nci: assert requested protocol is valid
 Git-commit: 354a6e707e29cb0c007176ee5b8db8be7bd2dee0
 Patch-mainline: v6.6-rc6
-References: git-fixes
+References: git-fixes CVE-2023-52507 bsc#1220833
 The protocol is used in a bit mask to determine if the protocol is supported. Assert the provided protocol is less than the maximum
diff --git a/patches.suse/nilfs2-fix-potential-use-after-free-in-nilfs_gccache.patch b/patches.suse/nilfs2-fix-potential-use-after-free-in-nilfs_gccache.patch
index c969fb6..7d564fb 100644
--- a/patches.suse/nilfs2-fix-potential-use-after-free-in-nilfs_gccache.patch
+++ b/patches.suse/nilfs2-fix-potential-use-after-free-in-nilfs_gccache.patch
@@ -4,7 +4,7 @@ Date: Thu, 21 Sep 2023 23:17:31 +0900
 Subject: [PATCH] nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
 Git-commit: 7ee29facd8a9c5a26079148e36bcf07141b3a6bc
 Patch-mainline: v6.6-rc4
-References: git-fixes
+References: git-fixes CVE-2023-52566 bsc#1220940
 In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the reference count of bh when the call to nilfs_dat_translate() fails. If
diff --git a/patches.suse/nitro_enclaves-Use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch b/patches.suse/nitro_enclaves-Use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch
index d1001ff..1207f3f 100644
--- a/patches.suse/nitro_enclaves-Use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch
+++ b/patches.suse/nitro_enclaves-Use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch
@@ -4,7 +4,7 @@ Date: Mon, 20 Dec 2021 19:58:56 +0000
 Subject: [PATCH] nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert
-References: git fixes (mm/gup)
+References: git fixes (mm/gup) CVE-2021-46927 bsc#1220443
 Patch-mainline: v5.16
 Git-commit: 3a0152b219523227c2a62a0a122cf99608287176
diff --git a/patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch b/patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch
index 4e282c4..8c8aa54 100644
--- a/patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch
+++ b/patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch
@@ -3,7 +3,7 @@ Date: Thu, 17 Aug 2023 12:43:01 -0700
 Subject: nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid()
 Patch-mainline: v6.6-rc2
 Git-commit: 8ae5b3a685dc59a8cf7ccfe0e850999ba9727a3c
-References: bsc#1214842
+References: bsc#1214842 CVE-2023-52508 bsc#1221015
 The nvme_fc_fcp_op structure describing an AEN operation is initialized with a null request structure pointer. An FC LLDD may make a call to
diff --git a/patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch b/patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch
index 84b06eb..5bb2d7c 100644
--- a/patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch
+++ b/patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch
@@ -4,7 +4,7 @@ Subject: nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length
 Patch-mainline: v6.8-rc1
 Git-commit: efa56305908ba20de2104f1b8508c6a7401833be
-References: bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356
+References: bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356 CVE-2023-52454 bsc#1220320
 If the host sends an H2CData command with an invalid DATAL, the kernel may crash in nvmet_tcp_build_pdu_iovec().
diff --git a/patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch b/patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch
index 3ee1beb..d092c56 100644
--- a/patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch
+++ b/patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch
@@ -4,7 +4,7 @@ Date: Wed, 22 Dec 2021 11:50:23 +0100
 Subject: [PATCH] platform/x86: intel_pmc_core: fix memleak on registration failure
 Git-commit: 26a8b09437804fabfb1db080d676b96c0de68e7c
 Patch-mainline: v5.16-rc7
-References: git-fixes
+References: git-fixes CVE-2021-47093 bsc#1220978
 Alt-commit: 7c4f5cd18cb169a4ce8610b1696ec152d62b4820
 In case device registration fails during module initialisation, the
diff --git a/patches.suse/platform-x86-think-lmi-Fix-reference-leak.patch b/patches.suse/platform-x86-think-lmi-Fix-reference-leak.patch
index 9ed58bd..bb0180c 100644
--- a/patches.suse/platform-x86-think-lmi-Fix-reference-leak.patch
+++ b/patches.suse/platform-x86-think-lmi-Fix-reference-leak.patch
@@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8
 Content-transfer-encoding: 8bit
 Git-commit: 528ab3e605cabf2f9c9bd5944d3bfe15f6e94f81
 Patch-mainline: v6.6-rc5
-References: git-fixes
+References: git-fixes CVE-2023-52520 bsc#1220921
 If a duplicate attribute is found using kset_find_obj(), a reference to that attribute is returned which needs to be disposed accordingly
diff --git a/patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch b/patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch
index 37e845b..60d6ffb 100644
--- a/patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch
+++ b/patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch
@@ -3,7 +3,7 @@ Date: Thu, 5 Oct 2023 10:12:01 +0900
 Subject: ravb: Fix use-after-free issue in ravb_tx_timeout_work()
 Patch-mainline: v6.6-rc6
 Git-commit: 3971442870713de527684398416970cf025b4f89
-References: bsc#1212514 CVE-2023-35827
+References: bsc#1212514 CVE-2023-35827 CVE-2023-52509 bsc#1220836
 The ravb_stop() should call cancel_work_sync(). Otherwise, ravb_tx_timeout_work() is possible to use the freed priv after
diff --git a/patches.suse/ring-buffer-Do-not-attempt-to-read-past-commit.patch b/patches.suse/ring-buffer-Do-not-attempt-to-read-past-commit.patch
index bc60756..421e248 100644
--- a/patches.suse/ring-buffer-Do-not-attempt-to-read-past-commit.patch
+++ b/patches.suse/ring-buffer-Do-not-attempt-to-read-past-commit.patch
@@ -3,7 +3,7 @@ Date: Thu, 7 Sep 2023 12:28:20 -0400
 Subject: ring-buffer: Do not attempt to read past "commit"
 Git-commit: 95a404bd60af6c4d9d8db01ad14fe8957ece31ca
 Patch-mainline: v6.6-rc2
-References: git-fixes
+References: git-fixes CVE-2023-52501 bsc#1220885
 When iterating over the ring buffer while the ring buffer is active, the writer can corrupt the reader. There's barriers to help detect this and
diff --git a/patches.suse/sctp-use-call_rcu-to-free-endpoint.patch b/patches.suse/sctp-use-call_rcu-to-free-endpoint.patch
index e1dc8fe..24e5ae0 100644
--- a/patches.suse/sctp-use-call_rcu-to-free-endpoint.patch
+++ b/patches.suse/sctp-use-call_rcu-to-free-endpoint.patch
@@ -4,7 +4,7 @@ Date: Thu, 23 Dec 2021 13:04:30 -0500
 Subject: [PATCH] sctp: use call_rcu to free endpoint
 Git-commit: 5ec7d18d1813a5bead0b495045606c93873aecbb
 Patch-mainline: v5.16-rc8
-References: CVE-2022-20154 bsc#1200599
+References: CVE-2022-20154 bsc#1200599 CVE-2021-46929 bsc#1220482
 This patch is to delay the endpoint free by calling call_rcu() to fix another use-after-free issue in sctp_sock_dump():
diff --git a/patches.suse/serial-8250_port-Check-IRQ-data-before-use.patch b/patches.suse/serial-8250_port-Check-IRQ-data-before-use.patch
index c00b39a..d55b5de 100644
--- a/patches.suse/serial-8250_port-Check-IRQ-data-before-use.patch
+++ b/patches.suse/serial-8250_port-Check-IRQ-data-before-use.patch
@@ -4,7 +4,7 @@ Date: Fri, 1 Sep 2023 01:25:55 +0300
 Subject: [PATCH] serial: 8250_port: Check IRQ data before use
 Git-commit: cce7fc8b29961b64fadb1ce398dc5ff32a79643b
 Patch-mainline: v6.6-rc4
-References: git-fixes
+References: git-fixes CVE-2023-52567 bsc#1220839
 In case the leaf driver wants to use IRQ polling (irq = 0) and IIR register shows that an interrupt happened in the 8250 hardware
diff --git a/patches.suse/spi-sun6i-fix-race-between-DMA-RX-transfer-completio.patch b/patches.suse/spi-sun6i-fix-race-between-DMA-RX-transfer-completio.patch
index d6ac3eb..464fb81 100644
--- a/patches.suse/spi-sun6i-fix-race-between-DMA-RX-transfer-completio.patch
+++ b/patches.suse/spi-sun6i-fix-race-between-DMA-RX-transfer-completio.patch
@@ -4,7 +4,7 @@ Date: Sun, 27 Aug 2023 17:25:58 +0200
 Subject: [PATCH] spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain
 Git-commit: 1f11f4202caf5710204d334fe63392052783876d
 Patch-mainline: v6.6-rc1
-References: git-fixes
+References: git-fixes CVE-2023-52517 bsc#1221055
 Previously the transfer complete IRQ immediately drained to RX FIFO to read any data remaining in FIFO to the RX buffer. This behaviour is
diff --git a/patches.suse/spi-sun6i-reduce-DMA-RX-transfer-width-to-single-byt.patch b/patches.suse/spi-sun6i-reduce-DMA-RX-transfer-width-to-single-byt.patch
index 86ab506..8705111 100644
--- a/patches.suse/spi-sun6i-reduce-DMA-RX-transfer-width-to-single-byt.patch
+++ b/patches.suse/spi-sun6i-reduce-DMA-RX-transfer-width-to-single-byt.patch
@@ -4,7 +4,7 @@ Date: Sun, 27 Aug 2023 17:25:57 +0200
 Subject: [PATCH] spi: sun6i: reduce DMA RX transfer width to single byte
 Git-commit: 171f8a49f212e87a8b04087568e1b3d132e36a18
 Patch-mainline: v6.6-rc1
-References: git-fixes
+References: git-fixes CVE-2023-52511 bsc#1221012
 Through empirical testing it has been determined that sometimes RX SPI transfers with DMA enabled return corrupted data. This is down to single
diff --git a/patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch b/patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch
index 8161b45..86cf315 100644
--- a/patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch
+++ b/patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch
@@ -3,7 +3,7 @@ Date: Thu, 16 Dec 2021 11:17:25 +0530
 Subject: tee: optee: Fix incorrect page free bug
 Git-commit: 18549bf4b21c739a9def39f27dcac53e27286ab5
 Patch-mainline: v5.16-rc7
-References: jsc#SLE-21844
+References: jsc#SLE-21844 CVE-2021-47087 bsc#1220954
 Pointer to the allocated pages (struct page *page) has already progressed towards the end of allocation. It is incorrect to perform
diff --git a/patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch b/patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch
index 046432b..1a4e467 100644
--- a/patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch
+++ b/patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch
@@ -4,7 +4,7 @@ Date: Thu, 16 Dec 2021 13:25:32 -0500
 Subject: [PATCH] tun: avoid double free in tun_free_netdev
 Git-commit: 158b515f703e75e7d68289bf4d98c664e1d632df
 Patch-mainline: v5.16-rc7
-References: bsc#1209635 CVE-2022-4744 git-fixes
+References: bsc#1209635 CVE-2022-4744 git-fixes CVE-2021-47082 bsc#1220969
 Avoid double free in tun_free_netdev() by moving the dev->tstats and tun->security allocs to a new ndo_init routine
diff --git a/patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch b/patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch
index 5cae50d..b7e9dfa 100644
--- a/patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch
+++ b/patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch
@@ -4,7 +4,7 @@ Date: Sat, 18 Dec 2021 02:18:40 +0000
 Subject: [PATCH] usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
 Git-commit: b1e0887379422975f237d43d8839b751a6bcf154
 Patch-mainline: v5.16-rc8
-References: git-fixes
+References: git-fixes CVE-2021-46933 bsc#1220487
 ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0
diff --git a/patches.suse/usb-mtu3-fix-list_head-check-warning.patch b/patches.suse/usb-mtu3-fix-list_head-check-warning.patch
index 06cc70b..f038173 100644
--- a/patches.suse/usb-mtu3-fix-list_head-check-warning.patch
+++ b/patches.suse/usb-mtu3-fix-list_head-check-warning.patch
@@ -4,7 +4,7 @@ Date: Sat, 18 Dec 2021 17:57:48 +0800
 Subject: [PATCH] usb: mtu3: fix list_head check warning
 Git-commit: 8c313e3bfd9adae8d5c4ba1cc696dcbc86fbf9bf
 Patch-mainline: v5.16-rc8
-References: git-fixes
+References: git-fixes CVE-2021-46930 bsc#1220484
 This is caused by uninitialization of list_head.
diff --git a/patches.suse/veth-ensure-skb-entering-GRO-are-not-cloned.patch b/patches.suse/veth-ensure-skb-entering-GRO-are-not-cloned.patch
index 7b0ef96..04bf288 100644
--- a/patches.suse/veth-ensure-skb-entering-GRO-are-not-cloned.patch
+++ b/patches.suse/veth-ensure-skb-entering-GRO-are-not-cloned.patch
@@ -4,7 +4,7 @@ Date: Wed, 22 Dec 2021 19:39:52 +0100
 Subject: [PATCH 26/37] veth: ensure skb entering GRO are not cloned.
 Git-commit: 9695b7de5b4760ed22132aca919570c0190cb0ce
 Patch-mainline: v5.16-rc7
-References: git-fixes
+References: git-fixes CVE-2021-47099 bsc#1220955
 
 After commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"), if GRO is enabled on a veth device and TSO is disabled on the peer
diff --git a/patches.suse/wifi-mwifiex-Fix-oob-check-condition-in-mwifiex_proc.patch b/patches.suse/wifi-mwifiex-Fix-oob-check-condition-in-mwifiex_proc.patch
index f40ff19..7b32be5 100644
--- a/patches.suse/wifi-mwifiex-Fix-oob-check-condition-in-mwifiex_proc.patch
+++ b/patches.suse/wifi-mwifiex-Fix-oob-check-condition-in-mwifiex_proc.patch
@@ -4,7 +4,7 @@ Date: Fri, 8 Sep 2023 18:41:12 +0800
 Subject: [PATCH] wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
 Git-commit: aef7a0300047e7b4707ea0411dc9597cba108fc8
 Patch-mainline: v6.6-rc5
-References: git-fixes
+References: git-fixes CVE-2023-52525 bsc#1220840
 
 Only skip the code path trying to access the rfc1042 headers when the buffer is too small, so the driver can still process packets without
diff --git a/patches.suse/x86-alternatives-disable-kasan-in-apply_alternatives.patch b/patches.suse/x86-alternatives-disable-kasan-in-apply_alternatives.patch
index 381b025..b336e0d 100644
--- a/patches.suse/x86-alternatives-disable-kasan-in-apply_alternatives.patch
+++ b/patches.suse/x86-alternatives-disable-kasan-in-apply_alternatives.patch
@@ -3,7 +3,7 @@ Date: Thu, 12 Oct 2023 13:04:24 +0300
 Subject: x86/alternatives: Disable KASAN in apply_alternatives()
 Git-commit: d35652a5fc9944784f6f50a5c979518ff8dacf61
 Patch-mainline: v6.6-rc6
-References: git-fixes
+References: git-fixes CVE-2023-52504 bsc#1221553
 
 Fei has reported that KASAN triggers during apply_alternatives() on a 5-level paging machine:
diff --git a/patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch b/patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch
index 79e1d63..e2b76d8 100644
--- a/patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch
+++ b/patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch
@@ -3,7 +3,7 @@ Date: Mon, 4 Sep 2023 22:04:48 -0700
 Subject: x86/srso: Fix SBPB enablement for spec_rstack_overflow=off
 Git-commit: 01b057b2f4cc2d905a0bd92195657dbd9a7005ab
 Patch-mainline: v6.6-rc3
-References: git-fixes
+References: git-fixes CVE-2023-52575 bsc#1220871
 
 If the user has requested no SRSO mitigation, other mitigations can use the lighter-weight SBPB instead of IBPB.
diff --git a/scripts/check-kernel-fix b/scripts/check-kernel-fix
new file mode 100755
index 0000000..8ea73fe
--- /dev/null
+++ b/scripts/check-kernel-fix
@@ -0,0 +1,379 @@ +#!/bin/bash +# vim: sw=4:sts=4:et + +. $(dirname "$0")/common-functions + +usage() +{ + echo "Check state of a kernel fix and eventually suggest needed actions" + echo + echo "Expect upstream kernel tree sha or CVE number as the parameter." + echo "The script checks whether the commit is already in the upstream" + echo "baseline or backported in kernel-source tree." + echo + echo "If backported, checks for CVE/bsc references and recommends adding these" + echo "if they are missing. (Requires VULNS_GIT pointing to" + echo "https://git.kernel.org/pub/scm/linux/security/vulns.git tree." + echo "This will also allow cve number instead of sha and it resolves proer" + echo "upstream commit automatically." + echo + echo "Also the script looks for \"Fixes:\" tag of the given \"sha\"." + echo "When defined, the script informs where the fix has to be backported." + echo + echo "The script also takes into account the hierarchy of branches." + echo "It checks all branches. But the action is proposed only for" + echo "the top level ones. The assumption is that the other branches" + echo "will get the fix via a merge." + echo + echo "If the patch has CVE number with CVSS score associated then limits" + echo "actions only to CVSS affected branches." + echo + echo "Usage: ${0##*/} [options] sha|CVE" + echo + echo "Parameters:" + echo " sha: sha of the upstream commit" + echo " cve: CVE-XXXX-YYYY of the upstream commit (requires VULNS_GIT)" + echo + echo "Options:" + echo " -h: help" + echo " -q: quiet mode (no progress)" + echo " -v: verbose mode: show state of each branch and even NOP actions" + echo " -r: refresh any cached data. 
Use if cve->sha or cve->cvss fails" + echo " (git pull VULNS_GIT, cve, bsc medata)" +} + +branch= +bprefix= +sha= +references= + +cve= +top_level= + +tmpdir=$(mktemp -d /tmp/${0##*/}.XXXXXX) +trap 'rm -rf "$tmpdir"' EXIT + +branch_state_file="$tmpdir/branch-state" +patch_file="$tmpdir/patches" +actions_file="$tmpdir/actions" + +print_branch_state() +{ + local msg="$@" + + if [ -n "$verbose_mode" ] ; then + echo "$msg" + elif [ -z "$quiet_mode" ] ; then + # show progress + echo -n "." + fi + + echo "$msg" >> "$branch_state_file" +} + +# Check state of the given branch and store +# The states are stored $tmpdir/branch-state are are the following: +# +# + nope: branch not affected +# + ok: branch has the fix and all references +# + missing_references: all or some references were not found +# + missing_patch: patch has to be backported +# + maybe_missing_patch: patch is missing and it is not known which commit +# introduced the bug +# +# When found, the name of the patch is stored into "$patch_file". +check_branch_state() +{ + local branch="$1" + local sha="$2" + shift 2 + local references="$@" + + [ -z "$branch" ] && fail "check_branch_state: No branch provided" + [ -z "$sha" ] && fail "check_branch_state: No sha provided" + + local patch= + local base= + local ref= + local missing_references= + local msg_prefix="$branch:$sha" + + + base=$(branch_base_ver $branch) + + # Already merged upstream? + if sha_merged_in_upstream_tag "$sha" "$base" ; then + print_branch_state "$msg_prefix:nope" + return + fi + + # Does the patch exist? + patch=$(sha_to_patch_in_branch "$sha" "$branch") + + if [ -n "$patch" ] ; then + echo "$branch:$patch" >> "$patch_file" + + # Check references + for ref in $references ; do + if ! 
patch_has_reference_in_branch "$patch" "$ref" "$branch" ; then + [ -n "$missing_references" ] && missing_references="$missing_references " + missing_references="$missing_references$ref" + fi + done + + if [ -z "$missing_references" ] ; then + print_branch_state "$msg_prefix:ok" + else + print_branch_state "$msg_prefix:missing_references:$missing_references" + fi + + return + fi + + # Sha is not backported + # Do we need to backport it because of the Fixes tag? + local sha_git_fixes=$(sha_get_upstream_git_fixes $sha) + if [ -n "$sha_git_fixes" ] ; then + local affected_by_git_fixes="$(affected_by_git_fixes "$branch" "$base" $sha_git_fixes)" + + if [ -n "$affected_by_git_fixes" ] ; then + print_branch_state "$msg_prefix:missing_patch:$affected_by_git_fixes" + else + print_branch_state "$msg_prefix:nope" + fi + + return + fi + + # missing git fixes + print_branch_state "$msg_prefix:maybe_missing_patch:$ref" +} + +print_action() +{ + local branch="$1" + local sha="$2" + local state="$3" + shift 3 + local references="$@" + + [ -z "$branch" ] && fail "print_action: No branch provided" + [ -z "$sha" ] && fail "print action: No sha provided" + [ -z "$state" ] && fail "print action: No state provided" + + # make sure tha the file exists + touch "$patch_file" + + patch= + action= + case "$state" in + missing_patch) + action="$branch: MANUAL: backport $sha ($references)" + ;; + + maybe_missing_patch) + action="$branch: MANUAL: might need backport of $sha ($references)" + ;; + + missing_references) + patch=$(grep "^$branch:" "$patch_file" | cut -d : -f 2) + if [ -n "$patch" ] ; then + ref_args=$(printf -- '-r %s ' $references) + action="$branch: RUN: scripts/cve_tools/add-missing-reference $ref_args$patch" + else + action="$branch: MANUAL: no patch has the references: $references" + fi + ;; + + nope) + [ -n "$verbose_mode" ] && action="$branch: NOPE: no problema for $sha $references" + ;; + + ok) + [ -n "$verbose_mode" ] && action="$branch: NOPE: up-to-date $sha $references" + 
;; + + *) + echo "print_action: Unknown action: $action" >&2 + echo "for $branch:$sha:$state:$references" >&2 + exit 1 + ;; + esac + + if [ -n "$action" ] ; then + if [ ! -e "$actions_file" ] ; then + # first action + echo "ACTION NEEDED!" + touch "$actions_file" + fi + + echo "$action" + fi +} + +cvss_affects_branch() +{ + local branch="$1" + local cvss="$2" + + local ret=1 + if [[ "$branch" =~ .*-EB.* ]] + then + [ $cvss -ge 9 ] && ret=0 + elif [[ "$branch" =~ .*-GA.* ]] + then + [ $cvss -ge 7 ] && ret=0 + elif [[ "$branch" =~ .*-LTSS.* ]] + then + [ $cvss -ge 7 ] && ret=0 + else + ret=0 + fi + return $ret +} + +find_and_print_toplevel_actions() +{ + local branch="$1" + local cvss="${2%%.*}" + local action_parameters= + local merge_branch= + local mb_line= + local line= + local merge_found= + local state= + local mb_state= + + [ -z "$branch" ] && fail "find_and_print_toplevel_actions: No branch provided" + + grep "^$branch:" "$branch_state_file" | \ + while read line ; do + state=$(echo $line | cut -d: -f3) + + # We only want to print branches which really need CVE fix backported + # CVSS 9+ EB branches + # CVSS 7+ LTSS branches + # Any CVSS for regular branch + # If we just need to add a reference then print everything + if [ -n "$cvss" -a "$state" != "missing_references" ] + then + if ! cvss_affects_branch "$branch" "$cvss" + then + continue + fi + fi + + for merge_branch in $(print_merge_branches $branches_conf $branch) ; do + + # Make sure merge_branches are in the same cvss scope + if [ -n "$cvss" -a "$state" != "missing_references" ] + then + if ! cvss_affects_branch "$merge_branch" "$cvss" + then + continue + fi + fi + + # branch name might include '/', e.g. 
cve/linux-4.12 + mb_line=$(echo -n "$line" | sed -e "s|^$branch:|$merge_branch:|") + + # ignore the state when the same change is needed in a merge branch + if grep -q "^$mb_line$" "$branch_state_file" ; then + merge_found=1 + fi + + mb_state=$(echo $mb_line | cut -d: -f3) + + if [ "$state" == "missing_references" -o \ + "$state" == "missing_patch" -o \ + "$state" == "maybe_missing_patch" ] ; then + + # No action is needed when the patch is backported + # and has all the references in the merge branch + if [ "$mb_state" == "ok" ] ; then + merge_found=1 + fi + fi + + done + + if [ -z "$merge_found" ] ; then + # split line into parameters + print_action ${line//:/ } + fi + done +} + +verbose_mode= +quiet_mode= + +while getopts "hvrq" OPT +do + case $OPT in + h) + usage + exit + ;; + v) + verbose_mode=1 + ;; + r) + refresh=1 + ;; + q) + quiet_mode=1 + ;; + esac +done + +shift "$(($OPTIND-1))" + +[ -n "$verbose_mode" ] && quiet_mode= + +if [ -z "$1" ] ; then + echo "No references provided" + usage + exit 1 +fi + +sha=$1 +if ! sha_in_upstream "$1" ; then + sha=$(cve2sha $1 $refresh) + if [ -z "$sha" ] + then + [ -z "$VULNS_GIT" ] && fail "VULNS_GIT not defined. It has to point https://git.kernel.org/pub/scm/linux/security/vulns.git tree clone." + fail "Can find't sha in upstream: $1." + fi +fi + +print_upstream_sha_summary $sha + +cve=$(sha2cve $sha $refresh) +bsc= +if [ -n "$cve" ] +then + bsc=$(cve2bugzilla $cve $refresh) + cvss=$(cve2cvss $cve $refresh) + echo "Security fix for $cve $bsc with CVSS ${cvss:-unknown}" +else + # emulate no CVE fix as CVSS==0. 
This will typically happen + # for upstream commit with Fixes: which we want to target to + # less conservative branches only + cvss=0 +fi +references="$cve $bsc" + +branches_conf="$(fetch_branches $refresh)" + +# Check state of each branch +for_each_build_branch "$branches_conf" check_branch_state $sha $references + +# Newline after the dots showing progress +[ -z "$quiet_mode" ] && echo + +for_each_build_branch "$branches_conf" find_and_print_toplevel_actions $cvss + +if [ ! -e "$actions_file" ] ; then + echo "EVERYTHING IS OK!" +fi + diff --git a/scripts/common-functions b/scripts/common-functions new file mode 100644 index 0000000..2cd4a78 --- /dev/null +++ b/scripts/common-functions 
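Review bot: In `print_action`'s `*)` branch the diagnostic prints `$action`, which is still empty at that point (it is only assigned in the recognized cases), so the message never shows the value that was rejected; it should read `echo "print_action: Unknown state: $state" >&2`. Related, `check_branch_state` ends with `print_branch_state "$msg_prefix:maybe_missing_patch:$ref"`, but `$ref` is only assigned by the reference loop that runs when a patch already exists and returns, so on this path the fourth field is always empty and the `maybe_missing_patch` action is printed without its CVE/bsc references — `$references` looks intended. `cvss_affects_branch` also feeds an unvalidated value into `[ $cvss -ge 9 ]`; should the score feed ever yield a non-numeric string, the test errors out, `ret` stays 1 and the EB/LTSS branch is silently dropped from the action list, which is the wrong failure direction for a check that decides where a security fix lands — a guard such as `[[ "$cvss" =~ ^[0-9]+$ ]] || return 0` would treat an unparsable score as affecting the branch.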
@@ -0,0 +1,502 @@ +#!/bin/bash +# vim: sw=4:sts=4:et + +fetch_cache() +{ + local CACHE_URL=$1 + local CACHE_FILE=$2 + local EXPIRE=$3 + local REFRESH=$4 + + [ -n "$REFRESH" ] && rm "$CACHE_FILE" + if [[ $(find "$CACHE_FILE" -mtime -${EXPIRE:-7} -print 2>/dev/null) \ + && -s "$CACHE_FILE" ]]; then + echo $CACHE_FILE + return + fi + curl -L "$CACHE_URL" -o "$CACHE_FILE" >/dev/null 2>&1 && echo $CACHE_FILE +} + +fetch_branches() +{ + local CACHED_BRANCHES="/tmp/$USER-branches.conf" + local URL="https://kerncvs.suse.de/branches.conf" + local REFRESH=$1 + branches=$CACHED_BRANCHES + fetch_cache $URL $CACHED_BRANCHES 7 $REFRESH +} + +fetch_cve2bugzilla() +{ + local CACHED_CVE2BSC="/tmp/$USER-cve2bugzilla" + local URL="https://gitlab.suse.de/security/cve-database/-/raw/master/data/cve2bugzilla" + local REFRESH=$1 + fetch_cache $URL $CACHED_CVE2BSC 1 $REFRESH +} + +cve2bugzilla() +{ + local CVE=$1 + local CVE2BUGZILLA=$(fetch_cve2bugzilla $2) + local NR_TO_REPORT=1 + # The first bsc should be the actual report others are product specific (e.g. 
LP) + for bsc in $(grep $CVE $CVE2BUGZILLA | cut -d: -f2 | head -n $NR_TO_REPORT) + do + echo -n "bsc#$bsc" + done +} + +fetch_cve2cvss() +{ + local CACHED_CVE2CVSS="/tmp/$USER-cve2cvss" + local URL="http://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" + local REFRESH=$1 + fetch_cache $URL $CACHED_CVE2CVSS 1 $REFRESH +} + +cve2cvss() +{ + local CVE=$1 + local REFRESH=$2 + local CVE2CVSS=$(fetch_cve2cvss $REFRESH) + local cvss="$(grep $CVE -A3 $CVE2CVSS | grep score:)" + + echo ${cvss##*:} +} + +cve2sha() +{ + local arg=$1 + local REFRESH=$2 + sha="$(cd $VULNS_GIT; [ -n "$REFRESH" ] && git pull >/dev/null 2>&1; scripts/cve_search $arg 2>/dev/null | cut -d" " -f7)" + + if [ $(echo $sha | wc -c) -eq 41 ] + then + echo $sha + fi +} + +sha2cve() +{ + local arg=$1 + local REFRESH=$2 + cve_sha="$(cd $VULNS_GIT; [ -n "$REFRESH" ] && git pull >/dev/null 2>&1; scripts/cve_search $arg 2>/dev/null | cut -d" " -f1,7)" + + if [ $(echo ${cve_sha##* } | wc -c) -eq 41 ] + then + echo ${cve_sha%% *} + fi +} + +current_branch() +{ + git branch --show-current +} + +print_merge_branches() +{ + local branches_conf="$1" + local branch="$2" + local merge_branch= + + [ -z "$branches_conf" ] && fail "megre_branches: No branches_conf provided" + [ -z "$branch" ] && fail "merge_branches: No branch provided" + + for word in $(grep -w "^$branch:" "$branches_conf") ; do + if [ "${word#merge:}" != "$word" ] ; then + merge_branch="${word#merge:}" + merge_branch="${merge_branch#-}" + [ -z "$merge_branch" ] && fail "print_merge_branges: non supported syntax" + echo "$merge_branch" + fi + done +} + +for_each_build_branch() +{ + local branches_conf="$1" + local fn="$2" + shift 2 + local args="$@" + + grep -w build "$branches_conf" | grep -v -E "^(master|vanilla|linux-next|stable|slowroll)" | \ + while read line ; do + line=${line%%\#*} + branch=${line%%:*} + + # empty line or comment + if [ -z "$branch" ] ; then + continue + fi + + $fn $branch $args || break + done +} + +fail() +{ + 
echo $* >&2 + exit 1 +} + +branch_base_ver() +{ + local branch="origin/$1" + git show-ref --verify --quiet "refs/remotes/${branch}" || fail "$branch invalid branch" + + local base_ver="v$(git grep SRCVERSION $branch -- rpm/config.sh | sed 's@.*=@@')" + + echo $base_ver +} + +sha_get_upstream_git_fixes() +{ + local sha=$1 + local upstream_git=${2:-$LINUX_GIT} + + [ -z "$sha" ] && fail "No commit provided" + [ -z "$upstream_git" ] && fail "No upstream git tree" + + git --git-dir="$upstream_git/.git" show $sha | grep -i "^[[:space:]]*fixes:" | awk '{print $2}' +} + +print_upstream_sha_info() +{ + local sha=$1 + local upstream_git=${2:-$LINUX_GIT} + + echo -n "$(git --git-dir="$upstream_git/.git" show -s --pretty='format:%h ("%s")' $sha) merged " + git --git-dir="$upstream_git/.git" describe --contains --abbrev=0 --match="v*" $sha +} + +print_upstream_sha_summary() +{ + local sha=$1 + local upstream_git=${2:-$LINUX_GIT} + + print_upstream_sha_info $sha $upstream_git + for fix in $(sha_get_upstream_git_fixes $1 $upstream_git) + do + echo -n "Fixes: " + print_upstream_sha_info $fix $upstream_git + done +} + +sha_merged_in_upstream_tag() +{ + local sha=$1 + local base=$2 + local upstream_git=${3:-$LINUX_GIT} + + [ -z "$sha" ] && fail "sha_merged_in_upstream_tag: No sha provided" + [ -z "$base" ] && fail "sha_merged_in_upstream_tag: No base provided" + [ -z "$upstream_git" ] && fail "sha_merged_in_upstream_tag: No upstream git tree" + + git --git-dir="$LINUX_GIT/.git" merge-base --is-ancestor "$sha" "$base" 2>/dev/null +} + +sha_in_upstream() +{ + local sha=$1 + local upstream_git=${2:-$LINUX_GIT} + + [ -z "$sha" ] && fail "sha_in_upstream: No sha provided" + [ -z "$upstream_git" ] && fail "sha_in_upstream: No upstream git tree" + + sha_merged_in_upstream_tag $sha origin/master $upstream_git +} + + +sha_has_git_fixes() +{ + local sha="$1" + local base="$2" + local upstream_git=${3:-$LINUX_GIT} + + [ -z "$sha" ] && fail "sha_affected_by_git_fixes: No sha provided" + [ -z 
"$base" ] && fail "sha_affected_by_git_fixes: No tag provided" + [ -z "$upstream_git" ] && fail "sha_affected_by_git_fixes: No upstream_git provided" + + # Check git fixes when the bug was introduced + local git_fixes="$(sha_get_upstream_git_fixes $sha)" + + test -n "$git_fixes" +} + + +affected_by_git_fixes() +{ + local branch="$1" + local base="$2" + shift 2 + local git_fixes="$@" + + [ -z "$branch" ] && fail "affected_by_git_fixes: No branch provided" + [ -z "$base" ] && fail "affected_by_git_fixes: No tag provided" + [ -z "$git_fixes" ] && fail "affected_by_git_fixes: No git fixes provided" + + # Check git fixes when the bug was introduced + local git_fix= + local affected_by= + + for git_fix in $git_fixes ; do + local needs_fix= + + # Is it merged in the upstream base kernel? + if sha_merged_in_upstream_tag "$git_fix" "$base" ; then + needs_fix=1 + fi + + # Do we have it backported? + if sha_merged_in_suse_tree "$git_fix" "$branch" ; then + needs_fix=1 + fi + + if [ -n "$needs_fix" ] ; then + if [ -z "$affected_by" ] ; then + affected_by="$git_fix" + else + affected_by="$affected_by $git_fix" + fi + fi + done + + if [ -n "$affected_by" ] ; then + echo "Fixes: $affected_by" + fi +} + +sha_to_patch_in_branch() +{ + local sha="$1" + local branch="$2" + + [ -z "$sha" ] && fail "sha_to_patch_in_branch: No sha provided" + [ -z "$branch" ] && fail "sha_to_patch_in_branch: No branch provided" + + branch_file=$(git --no-pager grep -l -i "^git-commit[[:space:]]*:[[:space:]]*$sha" "origin/$branch") + + echo "${branch_file#origin/$branch:}" +} + +sha_to_patch() +{ + local sha="$1" + + [ -z "$sha" ] && fail "sha_to_patch: No sha provided" + + git --no-pager grep -l -i "^git-commit[[:space:]]*:[[:space:]]*$sha" +} + +sha_merged_in_suse_tree() +{ + local sha="$1" + local branch="$2" + + [ -z "$sha" ] && fail "sha_merged_in_suse_tree: No sha provided" + [ -z "$branch" ] && fail "sha_merged_in_suse_tree: No branch provided" + + local patch=$(sha_to_patch_in_branch "$sha" 
"$branch") + + test -n "$patch" +} + +references_to_patches_in_branch() +{ + local branch="$1" + shift + local references="$@" + + [ -z "$branch" ] && fail "references_to_patches_in_branch: No branch provided" + [ -z "$references" ] && fail "references_to_patches_in_branch: No references provided" + + local pattern_prefix="^references[[:space:]]*:[[:space:]]*" + local pattern= + + for ref in $references ; do + [ -n "$pattern" ] && pattern="$pattern|" + pattern="$pattern$pattern_prefix$ref" + done + + branch_files=$(git --no-pager grep -l -E -i "$pattern" "origin/$branch") + + for branch_file in $branch_files ; do + echo "${branch_file#origin/$branch:}" + done +} + +patch_has_reference() +{ + local ref="$1" + local patch="$2" + + [ -z "$patch" ] && fail "No patch provided" + [ -z "$ref" ] && fail "No reference provided" + + grep -q -i "^references:.*$ref" "$patch" +} + +patch_has_reference_in_branch() +{ + local patch="$1" + local ref="$2" + local branch="$3" + + [ -z "$patch" ] && fail "patch_has_reference_in_branch: No patch provided" + [ -z "$ref" ] && fail "patch_has_reference_in_branch: No reference provided" + [ -z "$branch" ] && fail "patch_has_reference_in_branch: No branch provided" + + git --no-pager grep -w -q -i "^references:.*$ref" "origin/$branch" -- "$patch" +} + +sha_has_reference_in_branch() +{ + local sha="$1" + local ref="$2" + local branch="$3" + local patch= + + [ -z "$sha" ] && fail "sha_has_reference_in_branch: No sha provided" + [ -z "$ref" ] && fail "sha_has_reference_in_branch: No reference provided" + [ -z "$branch" ] && fail "sha_has_reference_in_branch: No branch provided" + + patch=$(sha_to_patch_in_branch "$sha" "$branch") + + if [ -n "$patch" ] ; then + patch_has_reference_in_branch "$patch" "$ref" "$branch" + else + # no patch, no refence needed + true + fi +} + +patch_add_reference() +{ + local ref=$1 + local patch=$2 + + [ -z "$patch" ] && fail "No patch provided" + [ -z "$ref" ] && fail "No reference provided" + + if ! 
patch_has_reference "$ref" "$patch" ; then + local references=$(grep -i "^references:" $patch | sed -e 's/^[Rr]eferences:[[:space:]]//') + + references="$references $ref" + patch-tag --delete "references" "$patch" + patch-tag --add "References=$references" "$patch" + + change_to_commit=1 + fi + + if ! patch_has_reference "$ref" "$patch" ; then + fail "Failed to add reference '$ref' into $patch" + fi +} + +current_branch_state() +{ + local state_line + + status_line=$(git status | grep "Your branch") + + [ -z "$status_line" ] && fail "Can't get status of the current branch" + + if (echo "$status_line" | grep -q "up to date") ; then + echo "up to date" + elif (echo "$status_line" | grep -q "ahead") ; then + echo "ahead" + elif (echo "$status_line" | grep -q "behind.*fast-forwarded") ; then + echo "behind-ff" + elif (echo "$status_line" | grep -q "have diverged") ; then + echo "diverged" + else + echo "unknown" + fi +} + +push_list_name() +{ + local type=$1 + + [ -z "$type" ] && fail "push_list_name: called with no type" + + echo "push-list.$type" +} + +push_list_has_branch() +{ + local type=$1 + local branch=$2 + local file= + + [ -z "$type" ] && fail "push_list_has_branch: called with no type" + [ -z "$branch" ] && fail "push_list_has_branch: called with no branch" + + file=$(push_list_name $type) + + if [ -e "$file" ] ; then + grep -q "^branch\$" "$file" + else + false + fi +} + +push_list_add_branch() +{ + local type="$1" + local branch="$2" + local file= + + [ -z "$type" ] && fail "push_list_update: called with no type" + [ -z "$branch" ] && fail "push_list_has_branch: called with no branch" + + if ! 
$(push_list_has_branch $type $branch) ; then + file=$(push_list_name $type) + echo "$branch" >> "$file" + fi +} + +queue_push() +{ + local branch_state= + + branch_state=$(current_branch_state) + + case "$branch_state" in + "up to date") + // nope + ;; + ahead) + push_list_add_branch "ready" $(current_branch) + ;; + *) + push_list_add_branch "manual" $(current_branch) + ;; + esac +} + +push_list_msg() +{ + local type="$1" + local msg="$2" + local file= + + [ -z "$type" ] && fail "push_list_msg: called with no type" + [ -z "$msg" ] && fail "push_list_msg: called with no message" + + file=$(push_list_name "$type") + + if ! grep -q "^$msg$" "$file" ; then + echo "$msg" >> "$file" + fi +} + +log_fail() +{ + local msg="$1" + + [ -z "$msg" ] && fail "log_failure: called with no message" + + push_list_msg "failure" "$msg" + fail "$msg" +} diff --git a/scripts/cve_tools/add-missing-reference b/scripts/cve_tools/add-missing-reference new file mode 100755 index 0000000..72af708 --- /dev/null +++ b/scripts/cve_tools/add-missing-reference @@ -0,0 +1,31 @@ +#!/usr/bin/python3 + +import argparse +import sys +import os.path + +scriptsdir = os.path.dirname(__file__) +sys.path.append(os.path.join(scriptsdir, "../git_sort")) +from patch import Patch + +if __name__ == "__main__": + parser = argparse.ArgumentParser( + description="Add references to patch file") + parser.add_argument("-r", "--reference", action="append", + help="bsc# or CVE token used to tag the patch file. The option can be used more times.") + parser.add_argument("patches", help="Patch files.", + nargs=argparse.REMAINDER) + args = parser.parse_args() + + + added_refs = list(args.reference) + for f in args.patches: + with Patch(open(f, "r+b")) as patch: + refs = "".join(patch.get("References")) + refs = list(refs.replace(",", " ").split()) + new_refs = refs + [r for r in added_refs if not r in refs] + if new_refs == refs: + continue + patch.change("References", " ".join(new_refs)) + + 
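Review bot: `fetch_cache` runs `curl -L "$CACHE_URL" -o "$CACHE_FILE"` without `-f`, so on an HTTP error the error body is written to the cache, the `-s`/`-mtime` test then passes and that content is served as branches.conf, cve2bugzilla or CVSS data for up to a week; use `curl -fsSL "$CACHE_URL" -o "$CACHE_FILE"` (and `rm -f` on refresh so a missing file does not print an error). The caches live at predictable world-writable paths (`/tmp/$USER-branches.conf`, `/tmp/$USER-cve2bugzilla`, `/tmp/$USER-cve2cvss`) and `fetch_cve2cvss` pulls the scores over plain `http://`, while these files decide which branches receive a security fix; a per-user cache directory such as `${XDG_CACHE_HOME:-$HOME/.cache}/kernel-source` and an https URL would close the local tampering path. `cve2bugzilla` and `cve2cvss` grep `$CVE` unanchored, so `CVE-2023-5251` also matches `CVE-2023-52511` and can return the wrong bug number or score; anchor them, e.g. `grep "^$CVE:"` if the file is `CVE:bsc` as the `cut -d: -f2` suggests, and `grep -w "$CVE"` for the yaml. Further down, `push_list_has_branch` tests `grep -q "^branch\$"`, the literal word rather than `"^$branch\$"`, so it never matches and `push_list_add_branch` appends duplicates; `queue_push`'s `// nope` is not a shell comment and executes `//` as a command (a `:` or `#` is meant); and `sha_merged_in_upstream_tag` accepts `$upstream_git` but hard-codes `$LINUX_GIT` in the `git --git-dir` call.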
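Review bot: `added_refs = list(args.reference)` raises `TypeError` when the script is run without any `-r`, because argparse leaves an `append` option at `None`; `added_refs = list(args.reference or [])` (or `default=[]` on the option) makes a no-op invocation exit cleanly. `refs = "".join(patch.get("References"))` joins with an empty separator, so if `get` returns one string per References header the last token of one line is glued to the first token of the next and neither is ever recognized; `" ".join(...)` is the safe form since the result is split on whitespace anyway. Minor: `not r in refs` reads better as `r not in refs`, and opening the file inline in `with Patch(open(f, "r+b")) as patch:` leaves it unclear who closes the handle — `with open(f, "r+b") as fh, Patch(fh) as patch:` makes ownership explicit whatever `Patch.__exit__` does.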
diff --git a/scripts/cve_tools/cve2metadata.sh b/scripts/cve_tools/cve2metadata.sh
new file mode 100755
index 0000000..d0dd51d
--- /dev/null
+++ b/scripts/cve_tools/cve2metadata.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Usage:
+# cve2metadata.sh CVE-NUM[...CVE-NUM]
+#
+# expects:
+# VULNS_GIT to point to vulns DB git tree (clone from https://git.kernel.org/pub/scm/linux/security/vulns.git)
+
+if [ -z "$VULNS_GIT" -o ! -d "$VULNS_GIT" ]
+then
+ echo "VULNS_GIT should point to vulns git tree" >&2
+ echo "clone from https://git.kernel.org/pub/scm/linux/security/vulns.git" >&2
+ exit 1
+fi
+
+. scripts/common-functions
+
+while [ $# -gt 0 ]
+do
+ arg=$1
+ cve_sha="$(cd $VULNS_GIT; scripts/cve_search $arg 2>/dev/null | cut -d" " -f1,7)"
+ cve=${cve_sha%% *}
+ sha=${cve_sha##* }
+ if [ $(echo $sha | wc -c) -eq 41 ]
+ then
+ echo -n "$sha"
+ cvss="$(cve2cvss $cve)"
+ echo -n " score:${cvss:-unknown}"
+ bsc="$(cve2bugzilla $cve)"
+ echo " $cve $bsc"
+ else
+ echo $arg cannot be resolved to a CVE >&2
+ fi
+ shift
+done
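Review bot: `. scripts/common-functions` is resolved relative to the caller's working directory, unlike `check-kernel-fix`, which sources `$(dirname "$0")/common-functions`, so this script only works when invoked from the repository root and otherwise fails at the source line; `. "$(dirname "$0")/../common-functions"` makes it location-independent like its sibling. The `cd $VULNS_GIT; scripts/cve_search $arg ... | cut -d" " -f1,7` pipeline and the `wc -c -eq 41` sha check duplicate what `sha2cve`/`cve2sha` in common-functions already do; a shared helper that returns both fields would keep the output-format assumption about `cve_search` in one place. The `-o` form in `[ -z "$VULNS_GIT" -o ! -d "$VULNS_GIT" ]` is the POSIX-obsolescent spelling; `[ -z "$VULNS_GIT" ] || [ ! -d "$VULNS_GIT" ]` is the portable equivalent.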