Linux v4.11.8
This commit is contained in:
parent
29e4da440b
commit
8164fce49d
|
@ -1,116 +0,0 @@
|
|||
From b1a27013a72d5744be6510c05b86e1b9dd605012 Mon Sep 17 00:00:00 2001
|
||||
From: Willem de Bruijn <willemb@google.com>
|
||||
Date: Tue, 9 May 2017 16:17:37 -0400
|
||||
Subject: [PATCH 1/2] netfilter: xtables: zero padding in data_to_user
|
||||
|
||||
When looking up an iptables rule, the iptables binary compares the
|
||||
aligned match and target data (XT_ALIGN). In some cases this can
|
||||
exceed the actual data size to include padding bytes.
|
||||
|
||||
Before commit f77bc5b23fb1 ("iptables: use match, target and data
|
||||
copy_to_user helpers") the malloc()ed bytes were overwritten by the
|
||||
kernel with kzalloced contents, zeroing the padding and making the
|
||||
comparison succeed. After this patch, the kernel copies and clears
|
||||
only data, leaving the padding bytes undefined.
|
||||
|
||||
Extend the clear operation from data size to aligned data size to
|
||||
include the padding bytes, if any.
|
||||
|
||||
Padding bytes can be observed in both match and target, and the bug
|
||||
triggered, by issuing a rule with match icmp and target ACCEPT:
|
||||
|
||||
iptables -t mangle -A INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
|
||||
iptables -t mangle -D INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
|
||||
|
||||
Fixes: f77bc5b23fb1 ("iptables: use match, target and data copy_to_user helpers")
|
||||
Reported-by: Paul Moore <pmoore@redhat.com>
|
||||
Reported-by: Richard Guy Briggs <rgb@redhat.com>
|
||||
Signed-off-by: Willem de Bruijn <willemb@google.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
include/linux/netfilter/x_tables.h | 2 +-
|
||||
net/bridge/netfilter/ebtables.c | 9 ++++++---
|
||||
net/netfilter/x_tables.c | 9 ++++++---
|
||||
3 files changed, 13 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
|
||||
index be378cf..b3044c2c 100644
|
||||
--- a/include/linux/netfilter/x_tables.h
|
||||
+++ b/include/linux/netfilter/x_tables.h
|
||||
@@ -294,7 +294,7 @@ int xt_match_to_user(const struct xt_entry_match *m,
|
||||
int xt_target_to_user(const struct xt_entry_target *t,
|
||||
struct xt_entry_target __user *u);
|
||||
int xt_data_to_user(void __user *dst, const void *src,
|
||||
- int usersize, int size);
|
||||
+ int usersize, int size, int aligned_size);
|
||||
|
||||
void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
|
||||
struct xt_counters_info *info, bool compat);
|
||||
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
|
||||
index 79b6991..656c259 100644
|
||||
--- a/net/bridge/netfilter/ebtables.c
|
||||
+++ b/net/bridge/netfilter/ebtables.c
|
||||
@@ -1358,7 +1358,8 @@ static inline int ebt_obj_to_user(char __user *um, const char *_name,
|
||||
strlcpy(name, _name, sizeof(name));
|
||||
if (copy_to_user(um, name, EBT_FUNCTION_MAXNAMELEN) ||
|
||||
put_user(datasize, (int __user *)(um + EBT_FUNCTION_MAXNAMELEN)) ||
|
||||
- xt_data_to_user(um + entrysize, data, usersize, datasize))
|
||||
+ xt_data_to_user(um + entrysize, data, usersize, datasize,
|
||||
+ XT_ALIGN(datasize)))
|
||||
return -EFAULT;
|
||||
|
||||
return 0;
|
||||
@@ -1643,7 +1644,8 @@ static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
|
||||
if (match->compat_to_user(cm->data, m->data))
|
||||
return -EFAULT;
|
||||
} else {
|
||||
- if (xt_data_to_user(cm->data, m->data, match->usersize, msize))
|
||||
+ if (xt_data_to_user(cm->data, m->data, match->usersize, msize,
|
||||
+ COMPAT_XT_ALIGN(msize)))
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
@@ -1672,7 +1674,8 @@ static int compat_target_to_user(struct ebt_entry_target *t,
|
||||
if (target->compat_to_user(cm->data, t->data))
|
||||
return -EFAULT;
|
||||
} else {
|
||||
- if (xt_data_to_user(cm->data, t->data, target->usersize, tsize))
|
||||
+ if (xt_data_to_user(cm->data, t->data, target->usersize, tsize,
|
||||
+ COMPAT_XT_ALIGN(tsize)))
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
|
||||
index 14857af..afb02fd 100644
|
||||
--- a/net/netfilter/x_tables.c
|
||||
+++ b/net/netfilter/x_tables.c
|
||||
@@ -283,12 +283,13 @@ static int xt_obj_to_user(u16 __user *psize, u16 size,
|
||||
&U->u.user.revision, K->u.kernel.TYPE->revision)
|
||||
|
||||
int xt_data_to_user(void __user *dst, const void *src,
|
||||
- int usersize, int size)
|
||||
+ int usersize, int size, int aligned_size)
|
||||
{
|
||||
usersize = usersize ? : size;
|
||||
if (copy_to_user(dst, src, usersize))
|
||||
return -EFAULT;
|
||||
- if (usersize != size && clear_user(dst + usersize, size - usersize))
|
||||
+ if (usersize != aligned_size &&
|
||||
+ clear_user(dst + usersize, aligned_size - usersize))
|
||||
return -EFAULT;
|
||||
|
||||
return 0;
|
||||
@@ -298,7 +299,9 @@ EXPORT_SYMBOL_GPL(xt_data_to_user);
|
||||
#define XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \
|
||||
xt_data_to_user(U->data, K->data, \
|
||||
K->u.kernel.TYPE->usersize, \
|
||||
- C_SIZE ? : K->u.kernel.TYPE->TYPE##size)
|
||||
+ C_SIZE ? : K->u.kernel.TYPE->TYPE##size, \
|
||||
+ C_SIZE ? COMPAT_XT_ALIGN(C_SIZE) : \
|
||||
+ XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
|
||||
|
||||
int xt_match_to_user(const struct xt_entry_match *m,
|
||||
struct xt_entry_match __user *u)
|
||||
--
|
||||
2.7.5
|
||||
|
|
@ -1,92 +0,0 @@
|
|||
From d6b664f7f350dafd604fd014de20ea8e0f25b3b3 Mon Sep 17 00:00:00 2001
|
||||
From: Willem de Bruijn <willemb@google.com>
|
||||
Date: Wed, 17 May 2017 11:24:47 -0400
|
||||
Subject: [PATCH 2/2] netfilter: xtables: fix build failure from
|
||||
COMPAT_XT_ALIGN outside CONFIG_COMPAT
|
||||
|
||||
The patch in the Fixes references COMPAT_XT_ALIGN in the definition
|
||||
of XT_DATA_TO_USER, outside an #ifdef CONFIG_COMPAT block.
|
||||
|
||||
Split XT_DATA_TO_USER into separate compat and non compat variants and
|
||||
define the first inside an CONFIG_COMPAT block.
|
||||
|
||||
This simplifies both variants by removing branches inside the macro.
|
||||
|
||||
Fixes: 324318f0248c ("netfilter: xtables: zero padding in data_to_user")
|
||||
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
|
||||
Signed-off-by: Willem de Bruijn <willemb@google.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
net/netfilter/x_tables.c | 21 +++++++++++++--------
|
||||
1 file changed, 13 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
|
||||
index afb02fd..32488c0 100644
|
||||
--- a/net/netfilter/x_tables.c
|
||||
+++ b/net/netfilter/x_tables.c
|
||||
@@ -296,18 +296,17 @@ int xt_data_to_user(void __user *dst, const void *src,
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(xt_data_to_user);
|
||||
|
||||
-#define XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \
|
||||
+#define XT_DATA_TO_USER(U, K, TYPE) \
|
||||
xt_data_to_user(U->data, K->data, \
|
||||
K->u.kernel.TYPE->usersize, \
|
||||
- C_SIZE ? : K->u.kernel.TYPE->TYPE##size, \
|
||||
- C_SIZE ? COMPAT_XT_ALIGN(C_SIZE) : \
|
||||
- XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
|
||||
+ K->u.kernel.TYPE->TYPE##size, \
|
||||
+ XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
|
||||
|
||||
int xt_match_to_user(const struct xt_entry_match *m,
|
||||
struct xt_entry_match __user *u)
|
||||
{
|
||||
return XT_OBJ_TO_USER(u, m, match, 0) ||
|
||||
- XT_DATA_TO_USER(u, m, match, 0);
|
||||
+ XT_DATA_TO_USER(u, m, match);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(xt_match_to_user);
|
||||
|
||||
@@ -315,7 +314,7 @@ int xt_target_to_user(const struct xt_entry_target *t,
|
||||
struct xt_entry_target __user *u)
|
||||
{
|
||||
return XT_OBJ_TO_USER(u, t, target, 0) ||
|
||||
- XT_DATA_TO_USER(u, t, target, 0);
|
||||
+ XT_DATA_TO_USER(u, t, target);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(xt_target_to_user);
|
||||
|
||||
@@ -614,6 +613,12 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
|
||||
|
||||
+#define COMPAT_XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \
|
||||
+ xt_data_to_user(U->data, K->data, \
|
||||
+ K->u.kernel.TYPE->usersize, \
|
||||
+ C_SIZE, \
|
||||
+ COMPAT_XT_ALIGN(C_SIZE))
|
||||
+
|
||||
int xt_compat_match_to_user(const struct xt_entry_match *m,
|
||||
void __user **dstptr, unsigned int *size)
|
||||
{
|
||||
@@ -629,7 +634,7 @@ int xt_compat_match_to_user(const struct xt_entry_match *m,
|
||||
if (match->compat_to_user((void __user *)cm->data, m->data))
|
||||
return -EFAULT;
|
||||
} else {
|
||||
- if (XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
|
||||
+ if (COMPAT_XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
@@ -984,7 +989,7 @@ int xt_compat_target_to_user(const struct xt_entry_target *t,
|
||||
if (target->compat_to_user((void __user *)ct->data, t->data))
|
||||
return -EFAULT;
|
||||
} else {
|
||||
- if (XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
|
||||
+ if (COMPAT_XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
--
|
||||
2.7.5
|
||||
|
10
kernel.spec
10
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 7
|
||||
%define stable_update 8
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -635,11 +635,6 @@ Patch681: 0002-platform-x86-thinkpad_acpi-add-mapping-for-new-hotke.patch
|
|||
# rhbz 1459326
|
||||
Patch683: RFC-audit-fix-a-race-condition-with-the-auditd-tracking-code.patch
|
||||
|
||||
# rhbz 1459676
|
||||
Patch686: 0001-netfilter-xtables-zero-padding-in-data_to_user.patch
|
||||
Patch687: 0002-netfilter-xtables-fix-build-failure-from-COMPAT_XT_A.patch
|
||||
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2204,6 +2199,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Jun 29 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.8-200
|
||||
- Linux v4.11.8
|
||||
|
||||
* Mon Jun 26 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.7-200
|
||||
- Linux v4.11.7
|
||||
- Make CONFIG_SERIAL_8250_PCI builtin (rhbz 1464709)
|
||||
|
|
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (perf-man-4.11.tar.gz) = 0b070d2f10a743329de2f532e2d7e19ef385a3e6ef3c700b591ae2697604dbe542b36e31121b3e37517ee8071ab800386fa8663c24a5b36520a18e096c6eefc8
|
||||
SHA512 (linux-4.11.tar.xz) = 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3
|
||||
SHA512 (patch-4.11.7.xz) = 8f02b3ae83cf499f59912207821d67a1e5a0cdb7d53644a2685ac8187fa43e39b0af4c64de2d299c389c4a85c011513a78f33297d8521eb99ef58b287bf9962a
|
||||
SHA512 (patch-4.11.8.xz) = 9fed139ec4658d373ea6f25b0cc0cd9384e3bf61a05d30a523c13d8b5e673b461cf3cc8d97da2c69ca3a6c718319529f7ccfd90ca38b81d68986b7e63f2db297
|
||||
|
|
Loading…
Reference in New Issue