diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index c381472..096a878 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -592,6 +592,7 @@ CONFIG_BONDING=m
 CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index ff42b3e..adc683b 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -592,6 +592,7 @@ CONFIG_BONDING=m
 CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index 5590eba..5afccdd 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -634,6 +634,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index a0c27a9..9abaef8 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -610,6 +610,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index 98b8b22..690d07f 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -609,6 +609,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
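Review bot: `CONFIG_BPF_JIT_ALWAYS_ON=y` is added identically to every kernel-*.config, first in kernel-aarch64-debug.config and again in the other aarch64, armv7hl, i686, ppc64, ppc64le, s390x and x86_64 hunks, but nothing in the commit shows that the option can take effect on each of those architectures. Upstream the symbol depends on `HAVE_EBPF_JIT`, and where an architecture does not provide an eBPF JIT Kconfig drops the line without a build error and the BPF interpreter stays in the kernel, so the hardening would be silently absent on that flavour; I have not verified which of these architectures provide one in 4.14, and the 32-bit i686 and armv7hl flavours are the ones to check first. Confirm the option survives into each flavour's final .config. The new %changelog entry in kernel.spec only says `- Linux v4.14.16`, so a line such as `- Enable CONFIG_BPF_JIT_ALWAYS_ON` would record that BPF programs the JIT cannot compile are now rejected instead of interpreted.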
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index 5178717..6660b1a 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -633,6 +633,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-i686-PAE.config b/kernel-i686-PAE.config
index 416e643..fb3af6c 100644
--- a/kernel-i686-PAE.config
+++ b/kernel-i686-PAE.config
@@ -502,6 +502,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-i686-PAEdebug.config b/kernel-i686-PAEdebug.config
index 9641900..d6d3a04 100644
--- a/kernel-i686-PAEdebug.config
+++ b/kernel-i686-PAEdebug.config
@@ -503,6 +503,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index af590b6..9429d66 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -503,6 +503,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-i686.config b/kernel-i686.config
index d12ab1a..860184f 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -502,6 +502,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-ppc64-debug.config b/kernel-ppc64-debug.config
index 89d5614..2937c13 100644
--- a/kernel-ppc64-debug.config
+++ b/kernel-ppc64-debug.config
@@ -488,6 +488,7 @@ CONFIG_BONDING=m
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOOTX_TEXT=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-ppc64.config b/kernel-ppc64.config
index 57c9c2d..92a2912 100644
--- a/kernel-ppc64.config
+++ b/kernel-ppc64.config
@@ -487,6 +487,7 @@ CONFIG_BONDING=m
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOOTX_TEXT=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config
index 688b514..285b298 100644
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@@ -444,6 +444,7 @@ CONFIG_BONDING=m
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOOTX_TEXT=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config
index d65e528..125388c 100644
--- a/kernel-ppc64le.config
+++ b/kernel-ppc64le.config
@@ -443,6 +443,7 @@ CONFIG_BONDING=m
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOOTX_TEXT=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config
index 9d4b47c..a1d4f94 100644
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@@ -444,6 +444,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-s390x.config b/kernel-s390x.config
index 6959ed2..1d2bfc3 100644
--- a/kernel-s390x.config
+++ b/kernel-s390x.config
@@ -443,6 +443,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index 75ecb42..e7b469b 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -515,6 +515,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index a9b4428..9fdfed9 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -514,6 +514,7 @@ CONFIG_BONDING=m
 # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
 CONFIG_BOOT_PRINTK_DELAY=y
 CONFIG_BOUNCE=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
 CONFIG_BPF_SYSCALL=y
diff --git a/kernel.spec b/kernel.spec
index 70248c2..91cb87a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 301
+%global baserelease 300
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 15
+%define stable_update 16
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -632,20 +632,11 @@ Patch335: arm-exynos-fix-usb3.patch # rbhz 1519591 1520764 Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch -# CVE-2017-17450 -# rhbz 1525761 1525764 -Patch504: netfilter-xt_osf-Add-missing-permission-checks.patch - -# CVE-2017-17448 -# rhbz 1525768 1525769 -Patch505: netfilter-nfnetlink_cthelper-Add-missing-permission-.patch - # CVE-2018-5344 rhbz 1533909 1533911 Patch507: loop-fix-concurrent-lo_open-lo_release.patch # 550-600 Meltdown and Spectre Fixes Patch550: prevent-bounds-check-bypass-via-speculative-execution.patch -Patch551: revert-module-add-retpoline-tag-to-vermagic.patch # 600 - Patches for improved Bay and Cherry Trail device support # Below patches are submitted upstream, awaiting review / merging @@ -2243,6 +2234,9 @@ fi # # %changelog +* Wed Jan 31 2018 Justin M. Forbes - 4.14.16-300 +- Linux v4.14.16 + * Mon Jan 29 2018 Justin M. Forbes - Fix CVE-2018-5750 (rhbz 1539706 1539708) - Fix softlockup (rhbz 1492664 1492665) diff --git a/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch b/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch deleted file mode 100644 index d7d795d..0000000 --- a/netfilter-nfnetlink_cthelper-Add-missing-permission-.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 56ae5f7c9230c0aa474eef638cf9bf8ae6a79ab1 Mon Sep 17 00:00:00 2001 -From: Kevin Cernekee -Date: Sun, 3 Dec 2017 12:12:45 -0800 -Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission - checks - -The capability check in nfnetlink_rcv() verifies that the caller -has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. -However, nfnl_cthelper_list is shared by all net namespaces on the -system. An unprivileged user can create user and net namespaces -in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() -check: - - $ nfct helper list - nfct v1.4.4: netlink error: Operation not permitted - $ vpnns -- nfct helper list - { - .name = ftp, - .queuenum = 0, - .l3protonum = 2, - .l4protonum = 6, - .priv_data_len = 24, - .status = enabled, - }; - -Add capable() checks in nfnetlink_cthelper, as this is cleaner than -trying to generalize the solution. - -Signed-off-by: Kevin Cernekee ---- - net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c -index 41628b393673..d33ce6d5ebce 100644 ---- a/net/netfilter/nfnetlink_cthelper.c -+++ b/net/netfilter/nfnetlink_cthelper.c -@@ -17,6 +17,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl, - struct nfnl_cthelper *nlcth; - int ret = 0; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) - return -EINVAL; - -@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl, - struct nfnl_cthelper *nlcth; - bool tuple_set = false; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (nlh->nlmsg_flags & NLM_F_DUMP) { - struct netlink_dump_control c = { - .dump = nfnl_cthelper_dump_table, -@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl, - struct 
nfnl_cthelper *nlcth, *n; - int j = 0, ret; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (tb[NFCTH_NAME]) - helper_name = nla_data(tb[NFCTH_NAME]); - --- -2.14.3 - diff --git a/netfilter-xt_osf-Add-missing-permission-checks.patch b/netfilter-xt_osf-Add-missing-permission-checks.patch deleted file mode 100644 index 80cd608..0000000 --- a/netfilter-xt_osf-Add-missing-permission-checks.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 2af0d441c8b1151a5d8bb46ec9c58ab575fe7d6f Mon Sep 17 00:00:00 2001 -From: Kevin Cernekee -Date: Tue, 5 Dec 2017 15:42:41 -0800 -Subject: [PATCH] netfilter: xt_osf: Add missing permission checks - -The capability check in nfnetlink_rcv() verifies that the caller -has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. -However, xt_osf_fingers is shared by all net namespaces on the -system. An unprivileged user can create user and net namespaces -in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() -check: - - vpnns -- nfnl_osf -f /tmp/pf.os - - vpnns -- nfnl_osf -f /tmp/pf.os -d - -These non-root operations successfully modify the systemwide OS -fingerprint list. Add new capable() checks so that they can't. - -Signed-off-by: Kevin Cernekee ---- - net/netfilter/xt_osf.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c -index 36e14b1f061d..a34f314a8c23 100644 ---- a/net/netfilter/xt_osf.c -+++ b/net/netfilter/xt_osf.c -@@ -19,6 +19,7 @@ - #include - #include - -+#include - #include - #include - #include -@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl, - struct xt_osf_finger *kf = NULL, *sf; - int err = 0; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (!osf_attrs[OSF_ATTR_FINGER]) - return -EINVAL; - -@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl, - struct xt_osf_finger *sf; - int err = -ENOENT; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (!osf_attrs[OSF_ATTR_FINGER]) - return -EINVAL; - --- -2.14.3 - diff --git a/revert-module-add-retpoline-tag-to-vermagic.patch b/revert-module-add-retpoline-tag-to-vermagic.patch deleted file mode 100644 index 2b4d0ea..0000000 --- a/revert-module-add-retpoline-tag-to-vermagic.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 5132ede0fe8092b043dae09a7cc32b8ae7272baa Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman -Date: Wed, 24 Jan 2018 15:28:17 +0100 -Subject: Revert "module: Add retpoline tag to VERMAGIC" - -From: Greg Kroah-Hartman - -commit 5132ede0fe8092b043dae09a7cc32b8ae7272baa upstream. - -This reverts commit 6cfb521ac0d5b97470883ff9b7facae264b7ab12. - -Turns out distros do not want to make retpoline as part of their "ABI", -so this patch should not have been merged. Sorry Andi, this was my -fault, I suggested it when your original patch was the "correct" way of -doing this instead. - -Reported-by: Jiri Kosina -Fixes: 6cfb521ac0d5 ("module: Add retpoline tag to VERMAGIC") -Acked-by: Andi Kleen -Cc: Thomas Gleixner -Cc: David Woodhouse -Cc: rusty@rustcorp.com.au -Cc: arjan.van.de.ven@intel.com -Cc: jeyu@kernel.org -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - include/linux/vermagic.h | 8 +------- - 1 file changed, 1 insertion(+), 7 deletions(-) - ---- a/include/linux/vermagic.h -+++ b/include/linux/vermagic.h -@@ -31,17 +31,11 @@ - #else - #define MODULE_RANDSTRUCT_PLUGIN - #endif --#ifdef RETPOLINE --#define MODULE_VERMAGIC_RETPOLINE "retpoline " --#else --#define MODULE_VERMAGIC_RETPOLINE "" --#endif - - #define VERMAGIC_STRING \ - UTS_RELEASE " " \ - MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \ - MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \ - MODULE_ARCH_VERMAGIC \ -- MODULE_RANDSTRUCT_PLUGIN \ -- MODULE_VERMAGIC_RETPOLINE -+ MODULE_RANDSTRUCT_PLUGIN - diff --git a/sources b/sources index cd3c8f3..cab3af6 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
 SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
 SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
-SHA512 (patch-4.14.15.xz) = faf165072fcff9f6f8cec76f0c35cf422afc453dfa2fc9ab5bc918eb177ebefd1e305f2c994a90c9dff073151762d79359789d118307ba15f53a020426c291a8
+SHA512 (patch-4.14.16.xz) = 7ba492011915a356ea696a6ae2269ff85725f726f6dd382973ceb417ac3289c7b4384bdffbde8ddea04b386126e07a3ea3aacf18253db4fcbc461e7c7e75d371