Linux v4.14.16
This commit is contained in:
parent
078f4c3ff6
commit
4731c682ce
|
@ -592,6 +592,7 @@ CONFIG_BONDING=m
|
|||
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -592,6 +592,7 @@ CONFIG_BONDING=m
|
|||
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -634,6 +634,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -610,6 +610,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -609,6 +609,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -633,6 +633,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -502,6 +502,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -503,6 +503,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -503,6 +503,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -502,6 +502,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -488,6 +488,7 @@ CONFIG_BONDING=m
|
|||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOOTX_TEXT=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -487,6 +487,7 @@ CONFIG_BONDING=m
|
|||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOOTX_TEXT=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -444,6 +444,7 @@ CONFIG_BONDING=m
|
|||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOOTX_TEXT=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -443,6 +443,7 @@ CONFIG_BONDING=m
|
|||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOOTX_TEXT=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -444,6 +444,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -443,6 +443,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -515,6 +515,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
|
@ -514,6 +514,7 @@ CONFIG_BONDING=m
|
|||
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
|
||||
CONFIG_BOOT_PRINTK_DELAY=y
|
||||
CONFIG_BOUNCE=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_BPF_STREAM_PARSER=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
|
|
16
kernel.spec
16
kernel.spec
|
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 301
|
||||
%global baserelease 300
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 15
|
||||
%define stable_update 16
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -632,20 +632,11 @@ Patch335: arm-exynos-fix-usb3.patch
|
|||
# rbhz 1519591 1520764
|
||||
Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
|
||||
|
||||
# CVE-2017-17450
|
||||
# rhbz 1525761 1525764
|
||||
Patch504: netfilter-xt_osf-Add-missing-permission-checks.patch
|
||||
|
||||
# CVE-2017-17448
|
||||
# rhbz 1525768 1525769
|
||||
Patch505: netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
|
||||
|
||||
# CVE-2018-5344 rhbz 1533909 1533911
|
||||
Patch507: loop-fix-concurrent-lo_open-lo_release.patch
|
||||
|
||||
# 550-600 Meltdown and Spectre Fixes
|
||||
Patch550: prevent-bounds-check-bypass-via-speculative-execution.patch
|
||||
Patch551: revert-module-add-retpoline-tag-to-vermagic.patch
|
||||
|
||||
# 600 - Patches for improved Bay and Cherry Trail device support
|
||||
# Below patches are submitted upstream, awaiting review / merging
|
||||
|
@ -2243,6 +2234,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Jan 31 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.16-300
|
||||
- Linux v4.14.16
|
||||
|
||||
* Mon Jan 29 2018 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2018-5750 (rhbz 1539706 1539708)
|
||||
- Fix softlockup (rhbz 1492664 1492665)
|
||||
|
|
|
@ -1,78 +0,0 @@
|
|||
From 56ae5f7c9230c0aa474eef638cf9bf8ae6a79ab1 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Cernekee <cernekee@chromium.org>
|
||||
Date: Sun, 3 Dec 2017 12:12:45 -0800
|
||||
Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission
|
||||
checks
|
||||
|
||||
The capability check in nfnetlink_rcv() verifies that the caller
|
||||
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
|
||||
However, nfnl_cthelper_list is shared by all net namespaces on the
|
||||
system. An unprivileged user can create user and net namespaces
|
||||
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
|
||||
check:
|
||||
|
||||
$ nfct helper list
|
||||
nfct v1.4.4: netlink error: Operation not permitted
|
||||
$ vpnns -- nfct helper list
|
||||
{
|
||||
.name = ftp,
|
||||
.queuenum = 0,
|
||||
.l3protonum = 2,
|
||||
.l4protonum = 6,
|
||||
.priv_data_len = 24,
|
||||
.status = enabled,
|
||||
};
|
||||
|
||||
Add capable() checks in nfnetlink_cthelper, as this is cleaner than
|
||||
trying to generalize the solution.
|
||||
|
||||
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
|
||||
---
|
||||
net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
|
||||
index 41628b393673..d33ce6d5ebce 100644
|
||||
--- a/net/netfilter/nfnetlink_cthelper.c
|
||||
+++ b/net/netfilter/nfnetlink_cthelper.c
|
||||
@@ -17,6 +17,7 @@
|
||||
#include <linux/types.h>
|
||||
#include <linux/list.h>
|
||||
#include <linux/errno.h>
|
||||
+#include <linux/capability.h>
|
||||
#include <net/netlink.h>
|
||||
#include <net/sock.h>
|
||||
|
||||
@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
|
||||
struct nfnl_cthelper *nlcth;
|
||||
int ret = 0;
|
||||
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
|
||||
return -EINVAL;
|
||||
|
||||
@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
|
||||
struct nfnl_cthelper *nlcth;
|
||||
bool tuple_set = false;
|
||||
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (nlh->nlmsg_flags & NLM_F_DUMP) {
|
||||
struct netlink_dump_control c = {
|
||||
.dump = nfnl_cthelper_dump_table,
|
||||
@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
|
||||
struct nfnl_cthelper *nlcth, *n;
|
||||
int j = 0, ret;
|
||||
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (tb[NFCTH_NAME])
|
||||
helper_name = nla_data(tb[NFCTH_NAME]);
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -1,59 +0,0 @@
|
|||
From 2af0d441c8b1151a5d8bb46ec9c58ab575fe7d6f Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Cernekee <cernekee@chromium.org>
|
||||
Date: Tue, 5 Dec 2017 15:42:41 -0800
|
||||
Subject: [PATCH] netfilter: xt_osf: Add missing permission checks
|
||||
|
||||
The capability check in nfnetlink_rcv() verifies that the caller
|
||||
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
|
||||
However, xt_osf_fingers is shared by all net namespaces on the
|
||||
system. An unprivileged user can create user and net namespaces
|
||||
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
|
||||
check:
|
||||
|
||||
vpnns -- nfnl_osf -f /tmp/pf.os
|
||||
|
||||
vpnns -- nfnl_osf -f /tmp/pf.os -d
|
||||
|
||||
These non-root operations successfully modify the systemwide OS
|
||||
fingerprint list. Add new capable() checks so that they can't.
|
||||
|
||||
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
|
||||
---
|
||||
net/netfilter/xt_osf.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
|
||||
index 36e14b1f061d..a34f314a8c23 100644
|
||||
--- a/net/netfilter/xt_osf.c
|
||||
+++ b/net/netfilter/xt_osf.c
|
||||
@@ -19,6 +19,7 @@
|
||||
#include <linux/module.h>
|
||||
#include <linux/kernel.h>
|
||||
|
||||
+#include <linux/capability.h>
|
||||
#include <linux/if.h>
|
||||
#include <linux/inetdevice.h>
|
||||
#include <linux/ip.h>
|
||||
@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
|
||||
struct xt_osf_finger *kf = NULL, *sf;
|
||||
int err = 0;
|
||||
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (!osf_attrs[OSF_ATTR_FINGER])
|
||||
return -EINVAL;
|
||||
|
||||
@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
|
||||
struct xt_osf_finger *sf;
|
||||
int err = -ENOENT;
|
||||
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ return -EPERM;
|
||||
+
|
||||
if (!osf_attrs[OSF_ATTR_FINGER])
|
||||
return -EINVAL;
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -1,52 +0,0 @@
|
|||
From 5132ede0fe8092b043dae09a7cc32b8ae7272baa Mon Sep 17 00:00:00 2001
|
||||
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
Date: Wed, 24 Jan 2018 15:28:17 +0100
|
||||
Subject: Revert "module: Add retpoline tag to VERMAGIC"
|
||||
|
||||
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
commit 5132ede0fe8092b043dae09a7cc32b8ae7272baa upstream.
|
||||
|
||||
This reverts commit 6cfb521ac0d5b97470883ff9b7facae264b7ab12.
|
||||
|
||||
Turns out distros do not want to make retpoline as part of their "ABI",
|
||||
so this patch should not have been merged. Sorry Andi, this was my
|
||||
fault, I suggested it when your original patch was the "correct" way of
|
||||
doing this instead.
|
||||
|
||||
Reported-by: Jiri Kosina <jikos@kernel.org>
|
||||
Fixes: 6cfb521ac0d5 ("module: Add retpoline tag to VERMAGIC")
|
||||
Acked-by: Andi Kleen <ak@linux.intel.com>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: David Woodhouse <dwmw@amazon.co.uk>
|
||||
Cc: rusty@rustcorp.com.au
|
||||
Cc: arjan.van.de.ven@intel.com
|
||||
Cc: jeyu@kernel.org
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
include/linux/vermagic.h | 8 +-------
|
||||
1 file changed, 1 insertion(+), 7 deletions(-)
|
||||
|
||||
--- a/include/linux/vermagic.h
|
||||
+++ b/include/linux/vermagic.h
|
||||
@@ -31,17 +31,11 @@
|
||||
#else
|
||||
#define MODULE_RANDSTRUCT_PLUGIN
|
||||
#endif
|
||||
-#ifdef RETPOLINE
|
||||
-#define MODULE_VERMAGIC_RETPOLINE "retpoline "
|
||||
-#else
|
||||
-#define MODULE_VERMAGIC_RETPOLINE ""
|
||||
-#endif
|
||||
|
||||
#define VERMAGIC_STRING \
|
||||
UTS_RELEASE " " \
|
||||
MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
|
||||
MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
|
||||
MODULE_ARCH_VERMAGIC \
|
||||
- MODULE_RANDSTRUCT_PLUGIN \
|
||||
- MODULE_VERMAGIC_RETPOLINE
|
||||
+ MODULE_RANDSTRUCT_PLUGIN
|
||||
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
|
||||
SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
|
||||
SHA512 (patch-4.14.15.xz) = faf165072fcff9f6f8cec76f0c35cf422afc453dfa2fc9ab5bc918eb177ebefd1e305f2c994a90c9dff073151762d79359789d118307ba15f53a020426c291a8
|
||||
SHA512 (patch-4.14.16.xz) = 7ba492011915a356ea696a6ae2269ff85725f726f6dd382973ceb417ac3289c7b4384bdffbde8ddea04b386126e07a3ea3aacf18253db4fcbc461e7c7e75d371
|
||||
|
|
Loading…
Reference in New Issue