Linux v4.10.7
parent
ad101ecee0
commit
793f3df674
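--- /dev/null
+++ b/CVE-2017-7184.patch
@@ -0,0 +1,154 @@
+From c282222a45cb9503cbfbebfdb60491f06ae84b49 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 8 Feb 2017 11:52:29 +0100
+Subject: xfrm: policy: init locks early
+
+From: Florian Westphal <fw@strlen.de>
+
+commit c282222a45cb9503cbfbebfdb60491f06ae84b49 upstream.
+
+Dmitry reports following splat:
+INFO: trying to register non-static key.
+the code is fine but needs lockdep annotation.
+turning off the locking correctness validator.
+CPU: 0 PID: 13059 Comm: syz-executor1 Not tainted 4.10.0-rc7-next-20170207 #1
+[..]
+spin_lock_bh include/linux/spinlock.h:304 [inline]
+xfrm_policy_flush+0x32/0x470 net/xfrm/xfrm_policy.c:963
+xfrm_policy_fini+0xbf/0x560 net/xfrm/xfrm_policy.c:3041
+xfrm_net_init+0x79f/0x9e0 net/xfrm/xfrm_policy.c:3091
+ops_init+0x10a/0x530 net/core/net_namespace.c:115
+setup_net+0x2ed/0x690 net/core/net_namespace.c:291
+copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
+create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
+unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
+SYSC_unshare kernel/fork.c:2281 [inline]
+
+Problem is that when we get error during xfrm_net_init we will call
+xfrm_policy_fini which will acquire xfrm_policy_lock before it was
+initialized. Just move it around so locks get set up first.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: 283bc9f35bbbcb0e9 ("xfrm: Namespacify xfrm state/policy locks")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+net/xfrm/xfrm_policy.c | 10 +++++-----
+1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3062,6 +3062,11 @@ static int __net_init xfrm_net_init(stru
+{
+int rv;
+
++ /* Initialize the per-net locks here */
++ spin_lock_init(&net->xfrm.xfrm_state_lock);
++ spin_lock_init(&net->xfrm.xfrm_policy_lock);
++ mutex_init(&net->xfrm.xfrm_cfg_mutex);
++
+rv = xfrm_statistics_init(net);
+if (rv < 0)
+goto out_statistics;
+@@ -3078,11 +3083,6 @@ static int __net_init xfrm_net_init(stru
+if (rv < 0)
+goto out;
+
+- /* Initialize the per-net locks here */
+- spin_lock_init(&net->xfrm.xfrm_state_lock);
+- spin_lock_init(&net->xfrm.xfrm_policy_lock);
+- mutex_init(&net->xfrm.xfrm_cfg_mutex);
+-
+return 0;
+
+out:
+From 677e806da4d916052585301785d847c3b3e6186a Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Wed, 22 Mar 2017 07:29:31 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit 677e806da4d916052585301785d847c3b3e6186a upstream.
+
+When a new xfrm state is created during an XFRM_MSG_NEWSA call we
+validate the user supplied replay_esn to ensure that the size is valid
+and to ensure that the replay_window size is within the allocated
+buffer. However later it is possible to update this replay_esn via a
+XFRM_MSG_NEWAE call. There we again validate the size of the supplied
+buffer matches the existing state and if so inject the contents. We do
+not at this point check that the replay_window is within the allocated
+memory. This leads to out-of-bounds reads and writes triggered by
+netlink packets. This leads to memory corruption and the potential for
+priviledge escalation.
+
+We already attempt to validate the incoming replay information in
+xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user
+is not trying to change the size of the replay state buffer which
+includes the replay_esn. It however does not check the replay_window
+remains within that buffer. Add validation of the contained
+replay_window.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+net/xfrm/xfrm_user.c | 3 +++
+1 file changed, 3 insertions(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len
+if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+return -EINVAL;
+
++ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
++ return -EINVAL;
++
+return 0;
+}
+
+From f843ee6dd019bcece3e74e76ad9df0155655d0df Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Thu, 23 Mar 2017 07:45:44 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.
+
+Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
+wrapping issues. To ensure we are correctly ensuring that the two ESN
+structures are the same size compare both the overall size as reported
+by xfrm_replay_state_esn_len() and the internal length are the same.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+net/xfrm/xfrm_user.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len
+up = nla_data(rp);
+ulen = xfrm_replay_state_esn_len(up);
+
+- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
++ /* Check the overall length and the internal bitmap length to avoid
++ * potential overflow. */
++ if (nla_len(rp) < ulen ||
++ xfrm_replay_state_esn_len(replay_esn) != ulen ||
++ replay_esn->bmp_len != up->bmp_len)
+return -EINVAL;
+
+if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)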
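Review bot: The replay_window bound that closes the file, `if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)`, is only as strong as the `replay_esn->bmp_len != up->bmp_len` test the third patch inserts just above it: `up` is the raw netlink payload (`up = nla_data(rp)`), and without that equality a large attacker-chosen bmp_len could wrap the product on a 32-bit build, which is the wrapping the third patch's description attributes to xfrm_replay_state_esn_len(). A comment on the bound recording that dependency, e.g. `/* bmp_len is pinned to the kernel state's value above, so this product cannot wrap */`, would stop a future reorder or partial backport from silently reopening the gap. The comment the third hunk adds, `Check the overall length and the internal bitmap length to avoid potential overflow`, could also say what overflows: xfrm_replay_state_esn_len() appears to derive its result from bmp_len, so a wrapped length can compare equal for bitmaps of different sizes. Separately, the first bundled patch (`xfrm: policy: init locks early`) carries no CVE-2017-7184 tag, unlike the other two; if it is included as a prerequisite, a one-line header at the top of the file saying so would help the next rebase. xfrm_replay_verify_len continues outside the hunk.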
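--- a/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Stanislaw Gruszka <sgruszka@redhat.com>
-Date: 2017-03-22 15:08:33
-Subject: [PATCH 4.11] genetlink: fix counting regression on ctrl_dumpfamily()
-
-Commit 2ae0f17df1cd ("genetlink: use idr to track families") replaced
-
-if (++n < fams_to_skip)
-continue;
-into:
-
-if (n++ < fams_to_skip)
-continue;
-
-This subtle change cause that on retry ctrl_dumpfamily() call we omit
-one family that failed to do ctrl_fill_info() on previous call, because
-cb->args[0] = n number counts also family that failed to do
-ctrl_fill_info().
-
-Patch fixes the problem and avoid confusion in the future just decrease
-n counter when ctrl_fill_info() fail.
-
-User visible problem caused by this bug is failure to get access to
-some genetlink family i.e. nl80211. However problem is reproducible
-only if number of registered genetlink families is big enough to
-cause second call of ctrl_dumpfamily().
-
-Cc: Xose Vazquez Perez <xose.vazquez@gmail.com>
-Cc: Larry Finger <Larry.Finger@lwfinger.net>
-Cc: Johannes Berg <johannes@sipsolutions.net>
-Fixes: 2ae0f17df1cd ("genetlink: use idr to track families")
-Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
----
-Dave, please also target this for 4.10+ -stable.
-
-net/netlink/genetlink.c | 4 +++-
-1 files changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
-index fb6e10f..92e0981 100644
---- a/net/netlink/genetlink.c
-+++ b/net/netlink/genetlink.c
-@@ -783,8 +783,10 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb)
-
-if (ctrl_fill_info(rt, NETLINK_CB(cb->skb).portid,
-cb->nlh->nlmsg_seq, NLM_F_MULTI,
-- skb, CTRL_CMD_NEWFAMILY) < 0)
-+ skb, CTRL_CMD_NEWFAMILY) < 0) {
-+ n--;
-break;
-+ }
-}
-
-cb->args[0] = n;
---
-1.7.1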
12
kernel.spec
12
kernel.spec
@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 6
%define stable_update 7
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@ -605,15 +605,15 @@ Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
#CVE-2017-2596 rhbz 1417812 1417813
Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
#Fix crda rhbz 1422247
Patch856: genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
#CVE-2017-7261 rhbz 1435719 1435740
Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
#CVE-2017-7277 rhbz 1436629 1436661
Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
#CVE-2017-7184 rhbz 1435153 1437469
Patch859: CVE-2017-7184.patch
# END OF PATCH DEFINITIONS
%endif
@ -2183,6 +2183,10 @@ fi
#
#
%changelog
* Thu Mar 30 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.7-200
- Linux v4.10.7
- CVE-2017-7184 Out-of-bounds heap access in xfrm (rhbz 1435153 1437469)
* Tue Mar 28 2017 Justin M. Forbes <jforbes@fedoraproject.org>
- CVE-2017-7277 SCM_TIMESTAMPING_OPT_STATS feature causes out-of-bounds read (rhbz 1436629 1436661)
2
sources
2
sources
@ -1,3 +1,3 @@
SHA512 (linux-4.10.tar.xz) = c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90
SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
SHA512 (patch-4.10.6.xz) = 801a5a95b99fbfcfc969384161fe90ddd3edfbc76300e29279b0fe9dfb20d2a084bd0e80a5dfe67e77bfbb402cc1f61683cd0cc4ca0463dd83cda063bb62da78
SHA512 (patch-4.10.7.xz) = 80482c78a38c71d186cb6f90667c96b01027cce448473225ffc44f59fb6ce8226424ece54197081241837df9db410fd93dc8d6e6666ee2bbf53b2bc5c80aba93