Don't print MCEs and fix ping CVE
parent
85f80332e4
commit
090bfba49c
|
@ -0,0 +1,53 @@
|
|||
From 43a6684519ab0a6c52024b5e25322476cabad893 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Fri, 24 Mar 2017 19:36:13 -0700
|
||||
Subject: [PATCH] ping: implement proper locking
|
||||
|
||||
We got a report of yet another bug in ping
|
||||
|
||||
http://www.openwall.com/lists/oss-security/2017/03/24/6
|
||||
|
||||
->disconnect() is not called with socket lock held.
|
||||
|
||||
Fix this by acquiring ping rwlock earlier.
|
||||
|
||||
Thanks to Daniel, Alexander and Andrey for letting us know this problem.
|
||||
|
||||
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Daniel Jiang <danieljiang0415@gmail.com>
|
||||
Reported-by: Solar Designer <solar@openwall.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv4/ping.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
|
||||
index 2af6244..ccfbce1 100644
|
||||
--- a/net/ipv4/ping.c
|
||||
+++ b/net/ipv4/ping.c
|
||||
@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
|
||||
void ping_unhash(struct sock *sk)
|
||||
{
|
||||
struct inet_sock *isk = inet_sk(sk);
|
||||
+
|
||||
pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
|
||||
+ write_lock_bh(&ping_table.lock);
|
||||
if (sk_hashed(sk)) {
|
||||
- write_lock_bh(&ping_table.lock);
|
||||
hlist_nulls_del(&sk->sk_nulls_node);
|
||||
sk_nulls_node_init(&sk->sk_nulls_node);
|
||||
sock_put(sk);
|
||||
isk->inet_num = 0;
|
||||
isk->inet_sport = 0;
|
||||
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
|
||||
- write_unlock_bh(&ping_table.lock);
|
||||
}
|
||||
+ write_unlock_bh(&ping_table.lock);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(ping_unhash);
|
||||
|
||||
--
|
||||
2.9.3
|
||||
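Review bot: The reason `write_lock_bh(&ping_table.lock)` now comes before the `sk_hashed(sk)` test in ping_unhash() is recorded only in the patch description, not in the code. The description says ->disconnect() reaches this function without the socket lock held, so the hashed check and the unlink presumably have to sit inside one hold of `ping_table.lock`; otherwise two callers could both pass the check before either unlinks the node. I would add a comment above the lock, `/* sk_hashed() must be tested under ping_table.lock: ->disconnect() runs without the socket lock */`, so a later cleanup does not move the lock back inside the branch.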
|
|
@ -0,0 +1,65 @@
|
|||
From cc66afea58f858ff6da7f79b8a595a67bbb4f9a9 Mon Sep 17 00:00:00 2001
|
||||
From: Andi Kleen <ak@linux.intel.com>
|
||||
Date: Mon, 27 Mar 2017 11:32:59 +0200
|
||||
Subject: [PATCH] x86/mce: Don't print MCEs when mcelog is active
|
||||
|
||||
Since:
|
||||
|
||||
cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
|
||||
|
||||
all MCEs are printed even when mcelog is running. Fix the regression to
|
||||
not print to dmesg when mcelog is running as it is a consumer too.
|
||||
|
||||
Signed-off-by: Andi Kleen <ak@linux.intel.com>
|
||||
[ Massage commit message. ]
|
||||
Signed-off-by: Borislav Petkov <bp@suse.de>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: Tony Luck <tony.luck@intel.com>
|
||||
Cc: linux-edac <linux-edac@vger.kernel.org>
|
||||
Cc: stable@vger.kernel.org # 4.10..
|
||||
Fixes: cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
|
||||
Link: http://lkml.kernel.org/r/20170327093304.10683-2-bp@alien8.de
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
|
||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||||
---
|
||||
arch/x86/kernel/cpu/mcheck/mce.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
index 8e9725c..5accfbd 100644
|
||||
--- a/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
|
||||
@@ -54,6 +54,8 @@
|
||||
|
||||
static DEFINE_MUTEX(mce_chrdev_read_mutex);
|
||||
|
||||
+static int mce_chrdev_open_count; /* #times opened */
|
||||
+
|
||||
#define mce_log_get_idx_check(p) \
|
||||
({ \
|
||||
RCU_LOCKDEP_WARN(!rcu_read_lock_sched_held() && \
|
||||
@@ -598,6 +600,10 @@ static int mce_default_notifier(struct notifier_block *nb, unsigned long val,
|
||||
if (atomic_read(&num_notifiers) > 2)
|
||||
return NOTIFY_DONE;
|
||||
|
||||
+ /* Don't print when mcelog is running */
|
||||
+ if (mce_chrdev_open_count > 0)
|
||||
+ return NOTIFY_DONE;
|
||||
+
|
||||
__print_mce(m);
|
||||
|
||||
return NOTIFY_DONE;
|
||||
@@ -1828,7 +1834,6 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c)
|
||||
*/
|
||||
|
||||
static DEFINE_SPINLOCK(mce_chrdev_state_lock);
|
||||
-static int mce_chrdev_open_count; /* #times opened */
|
||||
static int mce_chrdev_open_exclu; /* already open exclusive? */
|
||||
|
||||
static int mce_chrdev_open(struct inode *inode, struct file *file)
|
||||
--
|
||||
2.9.3
|
||||
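Review bot: `mce_chrdev_open_count` is read in mce_default_notifier() as a plain int with no lock, and its declaration was moved away from `mce_chrdev_state_lock`, which presumably guards its updates in the open/release handlers (not visible in this patch). A stale read only decides whether one record is printed, so the race looks benign, but it should be marked as intentional: `if (READ_ONCE(mce_chrdev_open_count) > 0)` with a comment such as `/* lockless read; a stale value only affects whether this record is printed */`. The comment should also say that any process holding the character device open suppresses the dmesg copy, so hosts that alert on MCEs from the kernel log need to confirm the consumer really forwards the records. mce_default_notifier() starts and ends outside the hunk.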
|
10
kernel.spec
10
kernel.spec
|
@ -611,6 +611,12 @@ Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
|
|||
#CVE-2017-7277 rhbz 1436629 1436661
|
||||
Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
|
||||
|
||||
# rhbz 1438316
|
||||
Patch859: 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
|
||||
|
||||
# CVE-2017-2671 rhbz 1436649 1436663
|
||||
Patch860: 0001-ping-implement-proper-locking.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2180,6 +2186,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Apr 05 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Don't print MCEs when mcelog is running (rhbz 1438316)
|
||||
- CVE-2017-2671 Fix ping locking (rhbz 1436649 1436663)
|
||||
|
||||
* Tue Apr 04 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- redisable CONFIG_IWLWIFI_PCIE_RTPM (rhbz 1429135)
|
||||
|
||||
|
|