From f954e765f102a94081fe2b7b2b38c34c12a3088c Mon Sep 17 00:00:00 2001 From: Tobias Powalowski Date: Tue, 13 May 2014 15:06:31 +0000 Subject: [PATCH] bump to latest version --- 0014-fix-rtl8192se.patch | 15 -------- CVE-2014-0196.patch | 80 ---------------------------------------- PKGBUILD | 18 ++------- 3 files changed, 3 insertions(+), 110 deletions(-) delete mode 100644 0014-fix-rtl8192se.patch delete mode 100644 CVE-2014-0196.patch diff --git a/0014-fix-rtl8192se.patch b/0014-fix-rtl8192se.patch deleted file mode 100644 index 512e281..0000000 --- a/0014-fix-rtl8192se.patch +++ /dev/null @@ -1,15 +0,0 @@ ---- linux-2.6/drivers/net/wireless/rtlwifi/rtl8192se/trx.c -+++ linux-2.6/drivers/net/wireless/rtlwifi/rtl8192se/trx.c -@@ -49,6 +49,12 @@ static u8 _rtl92se_map_hwqueue_to_fwqueu - if (ieee80211_is_nullfunc(fc)) - return QSLT_HIGH; - -+ /* Kernel commit 1bf4bbb4024dcdab changed EAPOL packets to use -+ * queue V0 at priority 7; however, the RTL8192SE appears to have -+ * that queue at priority 6 -+ */ -+ if (skb->priority == 7) -+ return QSLT_VO; - return skb->priority; - } - diff --git a/CVE-2014-0196.patch b/CVE-2014-0196.patch deleted file mode 100644 index a58707d..0000000 --- a/CVE-2014-0196.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001 -From: Peter Hurley -Date: Sat, 3 May 2014 14:04:59 +0200 -Subject: n_tty: Fix n_tty_write crash when echoing in raw mode - -The tty atomic_write_lock does not provide an exclusion guarantee for -the tty driver if the termios settings are LECHO & !OPOST. And since -it is unexpected and not allowed to call TTY buffer helpers like -tty_insert_flip_string concurrently, this may lead to crashes when -concurrect writers call pty_write. In that case the following two -writers: -* the ECHOing from a workqueue and -* pty_write from the process -race and can overflow the corresponding TTY buffer like follows. - -If we look into tty_insert_flip_string_fixed_flag, there is: - int space = __tty_buffer_request_room(port, goal, flags); - struct tty_buffer *tb = port->buf.tail; - ... - memcpy(char_buf_ptr(tb, tb->used), chars, space); - ... - tb->used += space; - -so the race of the two can result in something like this: - A B -__tty_buffer_request_room - __tty_buffer_request_room -memcpy(buf(tb->used), ...) -tb->used += space; - memcpy(buf(tb->used), ...) ->BOOM - -B's memcpy is past the tty_buffer due to the previous A's tb->used -increment. - -Since the N_TTY line discipline input processing can output -concurrently with a tty write, obtain the N_TTY ldisc output_lock to -serialize echo output with normal tty writes. This ensures the tty -buffer helper tty_insert_flip_string is not called concurrently and -everything is fine. - -Note that this is nicely reproducible by an ordinary user using -forkpty and some setup around that (raw termios + ECHO). And it is -present in kernels at least after commit -d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to -use the normal buffering logic) in 2.6.31-rc3. - -js: add more info to the commit log -js: switch to bool -js: lock unconditionally -js: lock only the tty->ops->write call - -References: CVE-2014-0196 -Reported-and-tested-by: Jiri Slaby -Signed-off-by: Peter Hurley -Signed-off-by: Jiri Slaby -Cc: Linus Torvalds -Cc: Alan Cox -Cc: -Signed-off-by: Greg Kroah-Hartman - -diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index 41fe8a0..fe9d129 100644 ---- a/drivers/tty/n_tty.c -+++ b/drivers/tty/n_tty.c -@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file, - if (tty->ops->flush_chars) - tty->ops->flush_chars(tty); - } else { -+ struct n_tty_data *ldata = tty->disc_data; -+ - while (nr > 0) { -+ mutex_lock(&ldata->output_lock); - c = tty->ops->write(tty, b, nr); -+ mutex_unlock(&ldata->output_lock); - if (c < 0) { - retval = c; - goto break_out; --- -cgit v0.10.1-7-g08dc - diff --git a/PKGBUILD b/PKGBUILD index ba0175a..1bc6ab4 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -4,8 +4,8 @@ pkgbase=linux # Build stock -ARCH kernel #pkgbase=linux-custom # Build kernel with a different name _srcname=linux-3.14 -pkgver=3.14.3 -pkgrel=2 +pkgver=3.14.4 +pkgrel=1 arch=('i686' 'x86_64') url="http://www.kernel.org/" license=('GPL2') @@ -13,7 +13,6 @@ makedepends=('xmlto' 'docbook-xsl' 'kmod' 'inetutils' 'bc') options=('!strip') source=("https://www.kernel.org/pub/linux/kernel/v3.x/${_srcname}.tar.xz" "https://www.kernel.org/pub/linux/kernel/v3.x/patch-${pkgver}.xz" - 'CVE-2014-0196.patch' # the main kernel config files 'config' 'config.x86_64' # standard config files for mkinitcpio ramdisk @@ -29,12 +28,10 @@ source=("https://www.kernel.org/pub/linux/kernel/v3.x/${_srcname}.tar.xz" '0011-kernfs-fix-removed-error-check.patch' '0012-fix-saa7134.patch' '0013-net-Start-with-correct-mac_len-in-skb_network_protocol.patch' - '0014-fix-rtl8192se.patch' '0015-fix-xsdt-validation.patch' ) sha256sums=('61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa' - 'a26a25739c50d639174698ae498530205b55e5a2b11f8c33ab92a8581bc83fbd' - '56d6dc13617645184e2a14b2ee466ccba5241961953f4950aed7377bc34902d7' + 'af640ea64e923d525a8238832e8452381e6dc76a3bf28046411cadd67c408114' 'c01d212694eddcf694c55e0943bf3336b6e1ff41b90ac1cdc88b26789785ed45' '9a33feb450005a43bf9aa8fbb74b2e463c72ea17ad06bab3357f8a0a89088e85' 'f0d90e756f14533ee67afda280500511a62465b4f76adcc5effa95a40045179c' @@ -49,7 +46,6 @@ sha256sums=('61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa' '04f44bf5c181d6dc31905937c1bdccb0f5aecaad3a579e99b302502b9cbe0f7a' '79359454c9d8446eb55add2b1cdbf8332bd67dafb01fefb5b1ca090225f64d18' 'f2a5e22c1ba6e9b8a32a7bd4a5327ee95538aa10edcee3cd12578f8ff49bf6be' - 'ff9df6746d7cbfe858d5b4bce932951c26414a7635cb5c26cd8d5c97df36a2a1' '384dd13fd4248fd6809da8c6ae29ced55d4a5cacc33ac2ae7522093ec0fb26d4') _kernelname=${pkgbase#linux} @@ -60,9 +56,6 @@ prepare() { # add upstream patch patch -p1 -i "${srcdir}/patch-${pkgver}" - # fix upstream CVE-2014-0196 - patch -p1 -i "${srcdir}/CVE-2014-0196.patch" - # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git @@ -109,11 +102,6 @@ prepare() { # https://bugzilla.kernel.org/show_bug.cgi?id=74051 patch -Np1 -i "${srcdir}/0013-net-Start-with-correct-mac_len-in-skb_network_protocol.patch" - # fix rtl8192se authentification - # https://bugs.archlinux.org/task/39858 - # https://bugzilla.kernel.org/show_bug.cgi?id=74541 - patch -Np1 -i "${srcdir}/0014-fix-rtl8192se.patch" - # fix xsdt validation bug # https://bugs.archlinux.org/task/39811 # https://bugzilla.kernel.org/show_bug.cgi?id=73911