Don't print MCEs and fix ping CVE

2017-04-05 11:51:43 -05:00 · 2017-04-05 11:51:43 -05:00 · 090bfba49c
parent 85f80332e4
commit 090bfba49c
3 changed files with 128 additions and 0 deletions
--- a/0001-ping-implement-proper-locking.patch
+++ b/0001-ping-implement-proper-locking.patch
@ -0,0 +1,53 @@
+From 43a6684519ab0a6c52024b5e25322476cabad893 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 24 Mar 2017 19:36:13 -0700
+Subject: [PATCH] ping: implement proper locking
+
+We got a report of yet another bug in ping
+
+http://www.openwall.com/lists/oss-security/2017/03/24/6
+
+->disconnect() is not called with socket lock held.
+
+Fix this by acquiring ping rwlock earlier.
+
+Thanks to Daniel, Alexander and Andrey for letting us know this problem.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Daniel Jiang <danieljiang0415@gmail.com>
+Reported-by: Solar Designer <solar@openwall.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv4/ping.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 2af6244..ccfbce1 100644
+--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
+@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
+ void ping_unhash(struct sock *sk)
+ {
+ 	struct inet_sock *isk = inet_sk(sk);
+
+ 	pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
+	write_lock_bh(&ping_table.lock);
+ 	if (sk_hashed(sk)) {
+-		write_lock_bh(&ping_table.lock);
+ 		hlist_nulls_del(&sk->sk_nulls_node);
+ 		sk_nulls_node_init(&sk->sk_nulls_node);
+ 		sock_put(sk);
+ 		isk->inet_num = 0;
+ 		isk->inet_sport = 0;
+ 		sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+-		write_unlock_bh(&ping_table.lock);
+ 	}
+	write_unlock_bh(&ping_table.lock);
+ }
+ EXPORT_SYMBOL_GPL(ping_unhash);
+
+-- 
+2.9.3
+
--- a/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
+++ b/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
@ -0,0 +1,65 @@
+From cc66afea58f858ff6da7f79b8a595a67bbb4f9a9 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <ak@linux.intel.com>
+Date: Mon, 27 Mar 2017 11:32:59 +0200
+Subject: [PATCH] x86/mce: Don't print MCEs when mcelog is active
+
+Since:
+
+  cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
+
+all MCEs are printed even when mcelog is running. Fix the regression to
+not print to dmesg when mcelog is running as it is a consumer too.
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+[ Massage commit message. ]
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: stable@vger.kernel.org # 4.10..
+Fixes: cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
+Link: http://lkml.kernel.org/r/20170327093304.10683-2-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
+index 8e9725c..5accfbd 100644
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -54,6 +54,8 @@
+
+ static DEFINE_MUTEX(mce_chrdev_read_mutex);
+
+static int mce_chrdev_open_count;	/* #times opened */
+
+ #define mce_log_get_idx_check(p) \
+ ({ \
+ 	RCU_LOCKDEP_WARN(!rcu_read_lock_sched_held() && \
+@@ -598,6 +600,10 @@ static int mce_default_notifier(struct notifier_block *nb, unsigned long val,
+ 	if (atomic_read(&num_notifiers) > 2)
+ 		return NOTIFY_DONE;
+
+	/* Don't print when mcelog is running */
+	if (mce_chrdev_open_count > 0)
+		return NOTIFY_DONE;
+
+ 	__print_mce(m);
+
+ 	return NOTIFY_DONE;
+@@ -1828,7 +1834,6 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c)
+  */
+
+ static DEFINE_SPINLOCK(mce_chrdev_state_lock);
+-static int mce_chrdev_open_count;	/* #times opened */
+ static int mce_chrdev_open_exclu;	/* already open exclusive? */
+
+ static int mce_chrdev_open(struct inode *inode, struct file *file)
+-- 
+2.9.3
+
--- a/kernel.spec
+++ b/kernel.spec
@ -611,6 +611,12 @@ Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
 #CVE-2017-7277 rhbz 1436629 1436661
 Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch

+# rhbz 1438316
+Patch859: 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
+
+# CVE-2017-2671 rhbz 1436649 1436663
+Patch860: 0001-ping-implement-proper-locking.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -2180,6 +2186,10 @@ fi
 #
 #
 %changelog
+* Wed Apr 05 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Don't print MCEs when mcelog is running (rhbz 1438316)
+- CVE-2017-2671 Fix ping locking (rhbz 1436649 1436663)
+
 * Tue Apr 04 2017 Justin M. Forbes <jforbes@fedoraproject.org>
 - redisable CONFIG_IWLWIFI_PCIE_RTPM (rhbz 1429135)