Linux v4.12.3
parent
cd872e7a3e
commit
79d288fe2c
|
@ -0,0 +1,54 @@
|
|||
From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001
|
||||
From: Sabrina Dubroca <sd@queasysnail.net>
|
||||
Date: Wed, 19 Jul 2017 22:28:55 +0200
|
||||
Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt
|
||||
|
||||
In some cases, offset can overflow and can cause an infinite loop in
|
||||
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
|
||||
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
|
||||
|
||||
This problem has been here since before the beginning of git history.
|
||||
|
||||
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
|
||||
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/output_core.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
|
||||
index e9065b8..abb2c30 100644
|
||||
--- a/net/ipv6/output_core.c
|
||||
+++ b/net/ipv6/output_core.c
|
||||
@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
|
||||
|
||||
int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
|
||||
{
|
||||
- u16 offset = sizeof(struct ipv6hdr);
|
||||
+ unsigned int offset = sizeof(struct ipv6hdr);
|
||||
unsigned int packet_len = skb_tail_pointer(skb) -
|
||||
skb_network_header(skb);
|
||||
int found_rhdr = 0;
|
||||
@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
|
||||
|
||||
while (offset <= packet_len) {
|
||||
struct ipv6_opt_hdr *exthdr;
|
||||
+ unsigned int len;
|
||||
|
||||
switch (**nexthdr) {
|
||||
|
||||
@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
|
||||
|
||||
exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
|
||||
offset);
|
||||
- offset += ipv6_optlen(exthdr);
|
||||
+ len = ipv6_optlen(exthdr);
|
||||
+ if (len + offset >= IPV6_MAXPLEN)
|
||||
+ return -EINVAL;
|
||||
+ offset += len;
|
||||
*nexthdr = &exthdr->nexthdr;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.4
|
||||
|
|
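Review bot: In the third hunk of the embedded patch, the new guard `if (len + offset >= IPV6_MAXPLEN)` bounds the walk by the protocol maximum rather than by `packet_len`, and the loop condition `while (offset <= packet_len)` still admits `offset == packet_len`. Nothing in the visible lines shows that the extension header at `skb_network_header(skb) + offset` lies fully inside the buffer before `ipv6_optlen(exthdr)` reads it; if the lines between the hunks do not already check this, `if (offset + sizeof(struct ipv6_opt_hdr) > packet_len) return -EINVAL;` ahead of the cast would close it. A short comment on the guard, such as `/* offset is capped so a long extension-header chain cannot wrap it and loop forever */`, would also record why the cap exists. The body of ip6_find_1stfragopt() runs outside all three hunks, so how callers handle the negative return cannot be confirmed from here.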
@ -0,0 +1,48 @@
|
|||
From 70ac67826602edf8c0ccb413e5ba7eacf597a60c Mon Sep 17 00:00:00 2001
|
||||
From: Seunghun Han <kkamagui@gmail.com>
|
||||
Date: Tue, 18 Jul 2017 20:03:51 +0900
|
||||
Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
|
||||
|
||||
The bus_irq argument of mp_override_legacy_irq() is used as the index into
|
||||
the isa_irq_to_gsi[] array. The bus_irq argument originates from
|
||||
ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
|
||||
tables, but is nowhere sanity checked.
|
||||
|
||||
That allows broken or malicious ACPI tables to overwrite memory, which
|
||||
might cause malfunction, panic or arbitrary code execution.
|
||||
|
||||
Add a sanity check and emit a warning when that triggers.
|
||||
|
||||
[ tglx: Added warning and rewrote changelog ]
|
||||
|
||||
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: security@kernel.org
|
||||
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
arch/x86/kernel/acpi/boot.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
|
||||
index 6bb6806..7491e73 100644
|
||||
--- a/arch/x86/kernel/acpi/boot.c
|
||||
+++ b/arch/x86/kernel/acpi/boot.c
|
||||
@@ -347,6 +347,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
|
||||
struct mpc_intsrc mp_irq;
|
||||
|
||||
/*
|
||||
+ * Check bus_irq boundary.
|
||||
+ */
|
||||
+ if (bus_irq >= NR_IRQS_LEGACY) {
|
||||
+ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
* Convert 'gsi' to 'ioapic.pin'.
|
||||
*/
|
||||
ioapic = mp_find_ioapic(gsi);
|
||||
--
|
||||
cgit v1.1
|
||||
|
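Review bot: The new comment `Check bus_irq boundary.` restates the condition without saying what it protects; something like `/* bus_irq comes from the ACPI tables and indexes isa_irq_to_gsi[]; reject values outside the legacy range */` would keep the reason next to the check. The bound is written as `NR_IRQS_LEGACY`, and the declaration of `isa_irq_to_gsi[]` is not in the hunk, so it is worth confirming the array is sized by the same constant, or comparing against `ARRAY_SIZE(isa_irq_to_gsi)` so the two cannot drift apart. mp_override_legacy_irq() continues past the end of the hunk.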
14
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 2
|
||||
%define stable_update 3
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -657,6 +657,12 @@ Patch615: 0015-i2c-cht-wc-Add-Intel-Cherry-Trail-Whiskey-Cove-SMBUS.patch
|
|||
# Small workaround patches for issues with a more comprehensive fix in -next
|
||||
Patch616: 0016-Input-silead-Do-not-try-to-directly-access-the-GPIO-.patch
|
||||
|
||||
# CVE-2017-7542 rhbz 1473649 1473650
|
||||
Patch701: 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
|
||||
|
||||
# CVE-2017-11473 rhbz 1473209 147310
|
||||
Patch702: CVE-2017-11473.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2230,6 +2236,12 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Fri Jul 21 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.3-100
|
||||
- Linux v4.12.3
|
||||
- Fixes CVE-2017-7541 (rhbz 1473198 1473199)
|
||||
- Fix CVE-2017-7542 (rhbz 1473649 1473650)
|
||||
- Fix CVE-2017-11473 (rhbz 1473209 147310)
|
||||
|
||||
* Tue Jul 18 2017 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Add fix for Tegra GPU display with IOMMU
|
||||
- Add QCom IOMMU for Dragonboard display
|
||||
|
|
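Review bot: The Bugzilla reference on the CVE-2017-11473 entry reads `rhbz 1473209 147310` both in the comment above `Patch702` and in the changelog line, and the second id is one digit shorter than every other id in this section, so it looks truncated. Please check it against the tracker and correct both places so the fix stays traceable. The two added patches also follow different naming schemes (`0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch` versus `CVE-2017-11473.patch`); a single scheme would make the patch list easier to audit. The changelog also mixes `Fixes` and `Fix` across its three CVE lines, which is a wording nit only.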
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (perf-man-4.12.tar.gz) = 4d3bbda1f520dba0007c351af46f45085fe4842074eb2e01aee736fd369df595f8f72ed6c1192715f1120bf3353279777f9dca1178fe93bffe5be2de700d409c
|
||||
SHA512 (linux-4.12.tar.xz) = 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728
|
||||
SHA512 (patch-4.12.2.xz) = 3d3e7cea82b20ba841d74f6f63e635143a52ee1428017792aa210ee591fcccf7ee1475c1576257722f0f5891547b69a192d48723ab6f4c189841e17ed8013300
|
||||
SHA512 (patch-4.12.3.xz) = a6ace68b6387665a1f77420b415a72032465fae6d99ec409487765ecf7cfb8a8458fe09f844662249f14e5739db3f82b28cdac705b0d54d4c6e268719d350c0d
|
||||
|
|