From 75bdc211fc60973e2edfbf0d40ea6d487c4437ca Mon Sep 17 00:00:00 2001 From: Justin M. Forbes Date: May 03 2017 18:09:38 +0000 Subject: Linux v4.10.14 --- diff --git a/0001-ping-implement-proper-locking.patch b/0001-ping-implement-proper-locking.patch deleted file mode 100644 index 1fad1a8..0000000 --- a/0001-ping-implement-proper-locking.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 43a6684519ab0a6c52024b5e25322476cabad893 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 24 Mar 2017 19:36:13 -0700 -Subject: [PATCH] ping: implement proper locking - -We got a report of yet another bug in ping - -http://www.openwall.com/lists/oss-security/2017/03/24/6 - -->disconnect() is not called with socket lock held. - -Fix this by acquiring ping rwlock earlier. - -Thanks to Daniel, Alexander and Andrey for letting us know this problem. - -Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") -Signed-off-by: Eric Dumazet -Reported-by: Daniel Jiang -Reported-by: Solar Designer -Reported-by: Andrey Konovalov -Signed-off-by: David S. Miller ---- - net/ipv4/ping.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 2af6244..ccfbce1 100644 ---- a/net/ipv4/ping.c -+++ b/net/ipv4/ping.c -@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk) - void ping_unhash(struct sock *sk) - { - struct inet_sock *isk = inet_sk(sk); -+ - pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num); -+ write_lock_bh(&ping_table.lock); - if (sk_hashed(sk)) { -- write_lock_bh(&ping_table.lock); - hlist_nulls_del(&sk->sk_nulls_node); - sk_nulls_node_init(&sk->sk_nulls_node); - sock_put(sk); - isk->inet_num = 0; - isk->inet_sport = 0; - sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); -- write_unlock_bh(&ping_table.lock); - } -+ write_unlock_bh(&ping_table.lock); - } - EXPORT_SYMBOL_GPL(ping_unhash); - --- -2.9.3 - diff --git a/CVE-2017-7477.patch b/CVE-2017-7477.patch deleted file mode 100644 index 6405614..0000000 
--- a/CVE-2017-7477.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From 4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" -Date: Fri, 21 Apr 2017 23:14:48 +0200 -Subject: macsec: avoid heap overflow in skb_to_sgvec - -While this may appear as a humdrum one line change, it's actually quite -important. An sk_buff stores data in three places: - -1. A linear chunk of allocated memory in skb->data. This is the easiest - one to work with, but it precludes using scatterdata since the memory - must be linear. -2. The array skb_shinfo(skb)->frags, which is of maximum length - MAX_SKB_FRAGS. This is nice for scattergather, since these fragments - can point to different pages. -3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff, - which in turn can have data in either (1) or (2). - -The first two are rather easy to deal with, since they're of a fixed -maximum length, while the third one is not, since there can be -potentially limitless chains of fragments. Fortunately dealing with -frag_list is opt-in for drivers, so drivers don't actually have to deal -with this mess. For whatever reason, macsec decided it wanted pain, and -so it explicitly specified NETIF_F_FRAGLIST. - -Because dealing with (1), (2), and (3) is insane, most users of sk_buff -doing any sort of crypto or paging operation calls a convenient function -called skb_to_sgvec (which happens to be recursive if (3) is in use!). -This takes a sk_buff as input, and writes into its output pointer an -array of scattergather list items. Sometimes people like to declare a -fixed size scattergather list on the stack; othertimes people like to -allocate a fixed size scattergather list on the heap. However, if you're -doing it in a fixed-size fashion, you really shouldn't be using -NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its -frag_list children arent't shared and then you check the number of -fragments in total required.) 
- -Macsec specifically does this: - - size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1); - tmp = kmalloc(size, GFP_ATOMIC); - *sg = (struct scatterlist *)(tmp + sg_offset); - ... - sg_init_table(sg, MAX_SKB_FRAGS + 1); - skb_to_sgvec(skb, sg, 0, skb->len); - -Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're -using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will -overflow the heap, and disaster ensues. - -Signed-off-by: Jason A. Donenfeld -Cc: stable@vger.kernel.org -Cc: security@kernel.org -Signed-off-by: David S. Miller ---- - drivers/net/macsec.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c -index ff0a5ed..dbab05a 100644 ---- a/drivers/net/macsec.c -+++ b/drivers/net/macsec.c -@@ -2716,7 +2716,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb, - } - - #define MACSEC_FEATURES \ -- (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST) -+ (NETIF_F_SG | NETIF_F_HIGHDMA) - static struct lock_class_key macsec_netdev_addr_lock_key; - - static int macsec_dev_init(struct net_device *dev) --- -cgit v1.1 - diff --git a/CVE-2017-7645.patch b/CVE-2017-7645.patch deleted file mode 100644 index 0be019c..0000000 --- a/CVE-2017-7645.patch +++ /dev/null 
@@ -1,180 +0,0 @@ -From: "J. Bruce Fields" -Date: 2017-04-14 15:04:40 -Subject: [PATCH] nfsd: check for oversized NFSv2/v3 arguments - -A client can append random data to the end of an NFSv2 or NFSv3 RPC call -without our complaining; we'll just stop parsing at the end of the -expected data and ignore the rest. - -Encoded arguments and replies are stored together in an array of pages, -and if a call is too large it could leave inadequate space for the -reply. This is normally OK because NFS RPC's typically have either -short arguments and long replies (like READ) or long arguments and short -replies (like WRITE). But a client that sends an incorrectly long reply -can violate those assumptions. This was observed to cause crashes. - -So, insist that the argument not be any longer than we expect. - -Also, several operations increment rq_next_page in the decode routine -before checking the argument size, which can leave rq_next_page pointing -well past the end of the page array, causing trouble later in -svc_free_pages. - -As followup we may also want to rewrite the encoding routines to check -more carefully that they aren't running off the end of the page array. - -Reported-by: Tuomas Haanpää -Reported-by: Ari Kauppi -Cc: stable@vger.kernel.org -Signed-off-by: J. 
Bruce Fields ---- - fs/nfsd/nfs3xdr.c | 23 +++++++++++++++++------ - fs/nfsd/nfsxdr.c | 13 ++++++++++--- - include/linux/sunrpc/svc.h | 3 +-- - 3 files changed, 28 insertions(+), 11 deletions(-) - -diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c -index dba2ff8eaa68..be66bcadfaea 100644 ---- a/fs/nfsd/nfs3xdr.c -+++ b/fs/nfsd/nfs3xdr.c -@@ -334,8 +334,11 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, - if (!p) - return 0; - p = xdr_decode_hyper(p, &args->offset); -- - args->count = ntohl(*p++); -+ -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; -+ - len = min(args->count, max_blocksize); - - /* set up the kvec */ -@@ -349,7 +352,7 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, - v++; - } - args->vlen = v; -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -@@ -536,9 +539,11 @@ nfs3svc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p, - p = decode_fh(p, &args->fh); - if (!p) - return 0; -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; - args->buffer = page_address(*(rqstp->rq_next_page++)); - -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -@@ -564,10 +569,14 @@ nfs3svc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p, - args->verf = p; p += 2; - args->dircount = ~0; - args->count = ntohl(*p++); -+ -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; -+ - args->count = min_t(u32, args->count, PAGE_SIZE); - args->buffer = page_address(*(rqstp->rq_next_page++)); - -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -@@ -585,6 +594,9 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p, - args->dircount = ntohl(*p++); - args->count = ntohl(*p++); - -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; -+ - len = args->count = min(args->count, max_blocksize); - while (len > 0) { - struct page *p = *(rqstp->rq_next_page++); -@@ -592,8 +604,7 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p, - args->buffer = page_address(p); - len -= PAGE_SIZE; - } -- -- return 
xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c -index 41b468a6a90f..79268369f7b3 100644 ---- a/fs/nfsd/nfsxdr.c -+++ b/fs/nfsd/nfsxdr.c -@@ -257,6 +257,9 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, - len = args->count = ntohl(*p++); - p++; /* totalcount - unused */ - -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; -+ - len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2); - - /* set up somewhere to store response. -@@ -272,7 +275,7 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p, - v++; - } - args->vlen = v; -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -@@ -360,9 +363,11 @@ nfssvc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p, struct nfsd_readli - p = decode_fh(p, &args->fh); - if (!p) - return 0; -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; - args->buffer = page_address(*(rqstp->rq_next_page++)); - -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - int -@@ -400,9 +405,11 @@ nfssvc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p, - args->cookie = ntohl(*p++); - args->count = ntohl(*p++); - args->count = min_t(u32, args->count, PAGE_SIZE); -+ if (!xdr_argsize_check(rqstp, p)) -+ return 0; - args->buffer = page_address(*(rqstp->rq_next_page++)); - -- return xdr_argsize_check(rqstp, p); -+ return 1; - } - - /* -diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h -index e770abeed32d..6ef19cf658b4 100644 ---- a/include/linux/sunrpc/svc.h -+++ b/include/linux/sunrpc/svc.h -@@ -336,8 +336,7 @@ xdr_argsize_check(struct svc_rqst *rqstp, __be32 *p) - { - char *cp = (char *)p; - struct kvec *vec = &rqstp->rq_arg.head[0]; -- return cp >= (char*)vec->iov_base -- && cp <= (char*)vec->iov_base + vec->iov_len; -+ return cp == (char *)vec->iov_base + vec->iov_len; - } - - static inline int --- -2.9.3 - --- -To unsubscribe from this list: send the line "unsubscribe linux-nfs" in -the body of a message to majordomo@vger.kernel.org 
-More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index a998c7a..2b4a657 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 13 +%define stable_update 14 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -599,23 +599,11 @@ Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch # selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch -#CVE-2017-7277 rhbz 1436629 1436661 -Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch - -# CVE-2017-2671 rhbz 1436649 1436663 -Patch860: 0001-ping-implement-proper-locking.patch - Patch861: 0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch #rhbz 1441310 Patch863: rhbz_1441310.patch -# CVE-2017-7645 rhbz 1443615 1443617 -Patch866: CVE-2017-7645.patch - -# CVE-2017-7477 rhbz 1445207 1445208 -Patch867: CVE-2017-7477.patch - # END OF PATCH DEFINITIONS %endif @@ -2185,7 +2173,11 @@ fi # # %changelog -* Thu Apr 27 2017 Justin M. Forbes - 4.10.13-200 +* Wed May 03 2017 Justin M. Forbes - 4.10.14-100 +- Linux v4.10.14 +- Fixes CVE-2017-7895 (rhbz 1446103 1446541) + +* Thu Apr 27 2017 Justin M. Forbes - 4.10.13-100 - Linux v4.10.13 * Tue Apr 25 2017 Justin M. Forbes diff --git a/sources b/sources index f6fee9a..68383b9 100644 --- a/sources +++ b/sources 
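Review bot: The changelog hunk records only `- Fixes CVE-2017-7895 (rhbz 1446103 1446541)`, while the Patch-definition hunk drops four security backports (Patch858 for CVE-2017-7277, Patch860 for CVE-2017-2671, Patch866 for CVE-2017-7645, Patch867 for CVE-2017-7477) and the commit deletes their patch files without saying why. Presumably those fixes are carried by the 4.10.14 stable update, but nothing in the commit states it, so someone auditing the referenced rhbz tickets cannot distinguish a deliberate drop from a regression; once upstream inclusion is confirmed, add a changelog line such as `- Drop CVE-2017-7277/2671/7645/7477 backports, included in 4.10.14 stable`. The same hunk also rewrites the already-published 4.10.13 entry from `4.10.13-200` to `4.10.13-100`; if that is a release-suffix correction for this branch it is harmless, but a changed historical entry deserves a word in the commit message.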
@@ -1,3 +1,3 @@
 SHA512 (linux-4.10.tar.xz) = c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90
 SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
-SHA512 (patch-4.10.13.xz) = 8ada730b91ffd0ab35f619e2dd1b29cbcc090f94a2d8de04178af0b7e303abb5393090888506bf6f1f3899c27bbe50f132a42186193203fa1214130623b2e050
+SHA512 (patch-4.10.14.xz) = 0979d6a503ac1f094914f56c0aed9cbcd949f68b3cc649fe6664460b9da68cb80d024c40859864d17c97de25b77c02bf08f9ab04d00d636dd6e336f32f74cdd9
diff --git a/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch b/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
deleted file mode 100644
index 9eabfc0..0000000
--- a/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
+++ /dev/null
@@ -1,119 +0,0 @@ -From 4ef1b2869447411ad3ef91ad7d4891a83c1a509a Mon Sep 17 00:00:00 2001 -From: Soheil Hassas Yeganeh -Date: Sat, 18 Mar 2017 17:03:00 -0400 -Subject: [PATCH] tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS - -SOF_TIMESTAMPING_OPT_STATS can be enabled and disabled -while packets are collected on the error queue. -So, checking SOF_TIMESTAMPING_OPT_STATS in sk->sk_tsflags -is not enough to safely assume that the skb contains -OPT_STATS data. - -Add a bit in sock_exterr_skb to indicate whether the -skb contains opt_stats data. - -Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING") -Reported-by: JongHwan Kim -Signed-off-by: Soheil Hassas Yeganeh -Signed-off-by: Eric Dumazet -Signed-off-by: Willem de Bruijn -Signed-off-by: David S. Miller ---- - include/linux/errqueue.h | 2 ++ - net/core/skbuff.c | 17 +++++++++++------ - net/socket.c | 2 +- - 3 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/include/linux/errqueue.h b/include/linux/errqueue.h -index 9ca23fc..6fdfc88 100644 ---- a/include/linux/errqueue.h -+++ b/include/linux/errqueue.h -@@ -20,6 +20,8 @@ struct sock_exterr_skb { - struct sock_extended_err ee; - u16 addr_offset; - __be16 port; -+ u8 opt_stats:1, -+ unused:7; - }; - - #endif -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index b1fbd19..9f78109 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -3793,16 +3793,20 @@ EXPORT_SYMBOL(skb_clone_sk); - - static void __skb_complete_tx_timestamp(struct sk_buff *skb, - struct sock *sk, -- int tstype) -+ int tstype, -+ bool opt_stats) - { - struct sock_exterr_skb *serr; - int err; - -+ BUILD_BUG_ON(sizeof(struct sock_exterr_skb) > sizeof(skb->cb)); -+ - serr = SKB_EXT_ERR(skb); - memset(serr, 0, sizeof(*serr)); - serr->ee.ee_errno = ENOMSG; - serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING; - serr->ee.ee_info = tstype; -+ serr->opt_stats = opt_stats; - if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { - serr->ee.ee_data = 
skb_shinfo(skb)->tskey; - if (sk->sk_protocol == IPPROTO_TCP && -@@ -3843,7 +3847,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb, - */ - if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) { - *skb_hwtstamps(skb) = *hwtstamps; -- __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND); -+ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false); - sock_put(sk); - } - } -@@ -3854,7 +3858,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, - struct sock *sk, int tstype) - { - struct sk_buff *skb; -- bool tsonly; -+ bool tsonly, opt_stats = false; - - if (!sk) - return; -@@ -3867,9 +3871,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, - #ifdef CONFIG_INET - if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) && - sk->sk_protocol == IPPROTO_TCP && -- sk->sk_type == SOCK_STREAM) -+ sk->sk_type == SOCK_STREAM) { - skb = tcp_get_timestamping_opt_stats(sk); -- else -+ opt_stats = true; -+ } else - #endif - skb = alloc_skb(0, GFP_ATOMIC); - } else { -@@ -3888,7 +3893,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, - else - skb->tstamp = ktime_get_real(); - -- __skb_complete_tx_timestamp(skb, sk, tstype); -+ __skb_complete_tx_timestamp(skb, sk, tstype, opt_stats); - } - EXPORT_SYMBOL_GPL(__skb_tstamp_tx); - - -diff --git a/net/socket.c b/net/socket.c -index 02bd924..84e3f85 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -697,7 +697,7 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk, - put_cmsg(msg, SOL_SOCKET, - SCM_TIMESTAMPING, sizeof(tss), &tss); - -- if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS)) -+ if (skb->len && SKB_EXT_ERR(skb)->opt_stats) - put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS, - skb->len, skb->data); - }