Linux v4.8.14
This commit is contained in:
parent
045c9968a7
commit
719deefc78
|
@ -1,42 +0,0 @@
|
|||
From a0ac402cfcdc904f9772e1762b3fda112dcc56a0 Mon Sep 17 00:00:00 2001
|
||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Tue, 6 Dec 2016 16:18:14 -0800
|
||||
Subject: [PATCH] Don't feed anything but regular iovec's to
|
||||
blk_rq_map_user_iov
|
||||
|
||||
In theory we could map other things, but there's a reason that function
|
||||
is called "user_iov". Using anything else (like splice can do) just
|
||||
confuses it.
|
||||
|
||||
Reported-and-tested-by: Johannes Thumshirn <jthumshirn@suse.de>
|
||||
Cc: Al Viro <viro@ZenIV.linux.org.uk>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
block/blk-map.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/block/blk-map.c b/block/blk-map.c
|
||||
index b8657fa..27fd8d92 100644
|
||||
--- a/block/blk-map.c
|
||||
+++ b/block/blk-map.c
|
||||
@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
|
||||
struct iov_iter i;
|
||||
int ret;
|
||||
|
||||
+ if (!iter_is_iovec(iter))
|
||||
+ goto fail;
|
||||
+
|
||||
if (map_data)
|
||||
copy = true;
|
||||
else if (iov_iter_alignment(iter) & align)
|
||||
@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
|
||||
|
||||
unmap_rq:
|
||||
__blk_rq_unmap_user(bio);
|
||||
+fail:
|
||||
rq->bio = NULL;
|
||||
return -EINVAL;
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
From b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Fri, 2 Dec 2016 09:44:53 -0800
|
||||
Subject: [PATCH] net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
|
||||
|
||||
CAP_NET_ADMIN users should not be allowed to set negative
|
||||
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
|
||||
corruptions, crashes, OOM...
|
||||
|
||||
Note that before commit 82981930125a ("net: cleanups in
|
||||
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
|
||||
and SO_RCVBUF were vulnerable.
|
||||
|
||||
This needs to be backported to all known linux kernels.
|
||||
|
||||
Again, many thanks to syzkaller team for discovering this gem.
|
||||
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/core/sock.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/core/sock.c b/net/core/sock.c
|
||||
index 5e3ca41..00a074d 100644
|
||||
--- a/net/core/sock.c
|
||||
+++ b/net/core/sock.c
|
||||
@@ -715,7 +715,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
|
||||
val = min_t(u32, val, sysctl_wmem_max);
|
||||
set_sndbuf:
|
||||
sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
|
||||
- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
|
||||
+ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
|
||||
/* Wake up sending tasks if we upped the value. */
|
||||
sk->sk_write_space(sk);
|
||||
break;
|
||||
@@ -751,7 +751,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
|
||||
* returning the value we actually used in getsockopt
|
||||
* is the most desirable behavior.
|
||||
*/
|
||||
- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
|
||||
+ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
|
||||
break;
|
||||
|
||||
case SO_RCVBUFFORCE:
|
||||
--
|
||||
2.9.3
|
||||
|
|
@ -1,92 +0,0 @@
|
|||
From 84ac7260236a49c79eede91617700174c2c19b0c Mon Sep 17 00:00:00 2001
|
||||
From: Philip Pettersson <philip.pettersson@gmail.com>
|
||||
Date: Wed, 30 Nov 2016 14:55:36 -0800
|
||||
Subject: [PATCH] packet: fix race condition in packet_set_ring
|
||||
|
||||
When packet_set_ring creates a ring buffer it will initialize a
|
||||
struct timer_list if the packet version is TPACKET_V3. This value
|
||||
can then be raced by a different thread calling setsockopt to
|
||||
set the version to TPACKET_V1 before packet_set_ring has finished.
|
||||
|
||||
This leads to a use-after-free on a function pointer in the
|
||||
struct timer_list when the socket is closed as the previously
|
||||
initialized timer will not be deleted.
|
||||
|
||||
The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
|
||||
changing the packet version while also taking the lock at the start
|
||||
of packet_set_ring.
|
||||
|
||||
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
|
||||
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/packet/af_packet.c | 18 ++++++++++++------
|
||||
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
|
||||
index d2238b2..dd23323 100644
|
||||
--- a/net/packet/af_packet.c
|
||||
+++ b/net/packet/af_packet.c
|
||||
@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
|
||||
|
||||
if (optlen != sizeof(val))
|
||||
return -EINVAL;
|
||||
- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
|
||||
- return -EBUSY;
|
||||
if (copy_from_user(&val, optval, sizeof(val)))
|
||||
return -EFAULT;
|
||||
switch (val) {
|
||||
case TPACKET_V1:
|
||||
case TPACKET_V2:
|
||||
case TPACKET_V3:
|
||||
- po->tp_version = val;
|
||||
- return 0;
|
||||
+ break;
|
||||
default:
|
||||
return -EINVAL;
|
||||
}
|
||||
+ lock_sock(sk);
|
||||
+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
|
||||
+ ret = -EBUSY;
|
||||
+ } else {
|
||||
+ po->tp_version = val;
|
||||
+ ret = 0;
|
||||
+ }
|
||||
+ release_sock(sk);
|
||||
+ return ret;
|
||||
}
|
||||
case PACKET_RESERVE:
|
||||
{
|
||||
@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
|
||||
/* Added to avoid minimal code churn */
|
||||
struct tpacket_req *req = &req_u->req;
|
||||
|
||||
+ lock_sock(sk);
|
||||
/* Opening a Tx-ring is NOT supported in TPACKET_V3 */
|
||||
if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
|
||||
net_warn_ratelimited("Tx-ring is not supported.\n");
|
||||
@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
|
||||
goto out;
|
||||
}
|
||||
|
||||
- lock_sock(sk);
|
||||
|
||||
/* Detach socket from network */
|
||||
spin_lock(&po->bind_lock);
|
||||
@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
|
||||
if (!tx_ring)
|
||||
prb_shutdown_retire_blk_timer(po, rb_queue);
|
||||
}
|
||||
- release_sock(sk);
|
||||
|
||||
if (pg_vec)
|
||||
free_pg_vec(pg_vec, order, req->tp_block_nr);
|
||||
out:
|
||||
+ release_sock(sk);
|
||||
return err;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
15
kernel.spec
15
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 13
|
||||
%define stable_update 14
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -640,15 +640,6 @@ Patch855: 0001-platform-x86-ideapad-laptop-Add-Lenovo-Yoga-910-13IK.patch
|
|||
# CVE-2016-9755 rhbz 1400904 1400905
|
||||
Patch856: 0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
|
||||
|
||||
# CVE-2016-8655 rhbz 1400019 1401820
|
||||
Patch857: 0001-packet-fix-race-condition-in-packet_set_ring.patch
|
||||
|
||||
# CVE-2016-9793 rhbz 1402013 1402014
|
||||
Patch858: 0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
|
||||
|
||||
# CVE-2016-9576 rhbz 1403145 1403146
|
||||
Patch859: 0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2176,6 +2167,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Dec 12 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.14-200
|
||||
- Linux v4.8.14
|
||||
- CVE-2016-8399 Fix out OOB stack read in memcpy_fromiovec (rhbz 1403833 1403834)
|
||||
|
||||
* Fri Dec 09 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.13-200
|
||||
- Linux v4.8.13
|
||||
- CVE-2016-9576 fix use after free in SCSI generic device interface (rhbz 1403145 1403146)
|
||||
|
|
6
sources
6
sources
|
@ -1,3 +1,3 @@
|
|||
c1af0afbd3df35c1ccdc7a5118cd2d07 linux-4.8.tar.xz
|
||||
0dad03f586e835d538d3e0d2cbdb9a28 perf-man-4.8.tar.gz
|
||||
bc208ac66340464839ee61a4621d9384 patch-4.8.13.xz
|
||||
SHA512 (linux-4.8.tar.xz) = a48a065f21e1c7c4de4cf8ca47b8b8d9a70f86b64e7cfa6e01be490f78895745b9c8790734b1d22182cf1f930fb87eaaa84e62ec8cc1f64ac4be9b949e7c0358
|
||||
SHA512 (perf-man-4.8.tar.gz) = 1e9707f1e11808178c1953d4f46e1789a138e9aca7bec89af7a6e209cd91e5301bc582db72cf889baa31dcba8cd3d3b1ceb4e8999ac1544ef17d513e861f2b59
|
||||
SHA512 (patch-4.8.14.xz) = 374b849aac6736f3a8d7afd224d51a5f4bab5c0fefaa8738982bae7188687149b7775e53878efe25466b4c0d40769b284e8af55c1d3bae500bccdbf565c0453a
|
||||
|
|
Loading…
Reference in New Issue