Add currently queued networking stable patches
- Add a couple btrfs patches cc'd to stable upstream - Add SCSI patches to avoid blacklist false positives (rhbz 1299810)
This commit is contained in:
parent
f86650b158
commit
a319c5cce5
|
@ -1,27 +0,0 @@
|
|||
From 5233252fce714053f0151680933571a2da9cbfb4 Mon Sep 17 00:00:00 2001
|
||||
From: "David S. Miller" <davem@davemloft.net>
|
||||
Date: Tue, 15 Dec 2015 15:39:08 -0500
|
||||
Subject: [PATCH] bluetooth: Validate socket address length in sco_sock_bind().
|
||||
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/bluetooth/sco.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
|
||||
index fe129663bd3f..f52bcbf2e58c 100644
|
||||
--- a/net/bluetooth/sco.c
|
||||
+++ b/net/bluetooth/sco.c
|
||||
@@ -526,6 +526,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr,
|
||||
if (!addr || addr->sa_family != AF_BLUETOOTH)
|
||||
return -EINVAL;
|
||||
|
||||
+ if (addr_len < sizeof(struct sockaddr_sco))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
lock_sock(sk);
|
||||
|
||||
if (sk->sk_state != BT_OPEN) {
|
||||
--
|
||||
2.5.0
|
||||
|
12
kernel.spec
12
kernel.spec
|
@ -634,17 +634,8 @@ Patch574: ovl-fix-permission-checking-for-setattr.patch
|
|||
#CVE-2015-7550 rhbz 1291197 1291198
|
||||
Patch575: KEYS-Fix-race-between-read-and-revoke.patch
|
||||
|
||||
#CVE-2015-8543 rhbz 1290475 1290477
|
||||
Patch576: net-add-validation-for-the-socket-syscall-protocol-a.patch
|
||||
|
||||
#CVE-2015-8569 rhbz 1292045 1292047
|
||||
Patch600: pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
|
||||
|
||||
Patch601: vrf-fix-memory-leak-on-registration.patch
|
||||
|
||||
#CVE-2015-8575 rhbz 1292840 1292841
|
||||
Patch602: bluetooth-Validate-socket-address-length-in-sco_sock.patch
|
||||
|
||||
#CVE-2015-8709 rhbz 1295287 1295288
|
||||
Patch603: ptrace-being-capable-wrt-a-process-requires-mapped-u.patch
|
||||
|
||||
|
@ -689,6 +680,8 @@ Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
|
|||
Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch
|
||||
Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
|
||||
|
||||
Patch633: net_43.mbox
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2133,6 +2126,7 @@ fi
|
|||
#
|
||||
%changelog
|
||||
* Tue Jan 19 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Add currently queued networking stable patches
|
||||
- Add a couple btrfs patches cc'd to stable upstream
|
||||
- Add SCSI patches to avoid blacklist false positives (rhbz 1299810)
|
||||
|
||||
|
|
|
@ -1,139 +0,0 @@
|
|||
From 4da7dc22c91ad2c3144cb1d0d96e9611bc86da47 Mon Sep 17 00:00:00 2001
|
||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Mon, 14 Dec 2015 22:03:39 +0100
|
||||
Subject: [PATCH] net: add validation for the socket syscall protocol argument
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
郭永刚 reported that one could simply crash the kernel as root by
|
||||
using a simple program:
|
||||
|
||||
int socket_fd;
|
||||
struct sockaddr_in addr;
|
||||
addr.sin_port = 0;
|
||||
addr.sin_addr.s_addr = INADDR_ANY;
|
||||
addr.sin_family = 10;
|
||||
|
||||
socket_fd = socket(10,3,0x40000000);
|
||||
connect(socket_fd , &addr,16);
|
||||
|
||||
AF_INET, AF_INET6 sockets actually only support 8-bit protocol
|
||||
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
|
||||
thus larger protocol identifiers simply cut off the higher bits and
|
||||
store a zero in the protocol fields.
|
||||
|
||||
This could lead to e.g. NULL function pointer because as a result of
|
||||
the cut off inet_num is zero and we call down to inet_autobind, which
|
||||
is NULL for raw sockets.
|
||||
|
||||
kernel: Call Trace:
|
||||
kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
|
||||
kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
|
||||
kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
|
||||
kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
|
||||
kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
|
||||
kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
|
||||
kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
|
||||
|
||||
I found no particular commit which introduced this problem.
|
||||
|
||||
CVE: CVE-2015-8543
|
||||
Cc: Cong Wang <cwang@twopensource.com>
|
||||
Reported-by: 郭永刚 <guoyonggang@360.cn>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/net/sock.h | 1 +
|
||||
net/ax25/af_ax25.c | 3 +++
|
||||
net/decnet/af_decnet.c | 3 +++
|
||||
net/ipv4/af_inet.c | 3 +++
|
||||
net/ipv6/af_inet6.c | 3 +++
|
||||
net/irda/af_irda.c | 3 +++
|
||||
6 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/include/net/sock.h b/include/net/sock.h
|
||||
index 52d27ee924f4..2fa1fc00e8cb 100644
|
||||
--- a/include/net/sock.h
|
||||
+++ b/include/net/sock.h
|
||||
@@ -403,6 +403,7 @@ struct sock {
|
||||
sk_no_check_rx : 1,
|
||||
sk_userlocks : 4,
|
||||
sk_protocol : 8,
|
||||
+#define SK_PROTOCOL_MAX U8_MAX
|
||||
sk_type : 16;
|
||||
kmemcheck_bitfield_end(flags);
|
||||
int sk_wmem_queued;
|
||||
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
|
||||
index ae3a47f9d1d5..fbd0acf80b13 100644
|
||||
--- a/net/ax25/af_ax25.c
|
||||
+++ b/net/ax25/af_ax25.c
|
||||
@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
|
||||
struct sock *sk;
|
||||
ax25_cb *ax25;
|
||||
|
||||
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (!net_eq(net, &init_net))
|
||||
return -EAFNOSUPPORT;
|
||||
|
||||
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
|
||||
index eebf5ac8ce18..13d6b1a6e0fc 100644
|
||||
--- a/net/decnet/af_decnet.c
|
||||
+++ b/net/decnet/af_decnet.c
|
||||
@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
|
||||
{
|
||||
struct sock *sk;
|
||||
|
||||
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (!net_eq(net, &init_net))
|
||||
return -EAFNOSUPPORT;
|
||||
|
||||
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
|
||||
index 11c4ca13ec3b..5c5db6636704 100644
|
||||
--- a/net/ipv4/af_inet.c
|
||||
+++ b/net/ipv4/af_inet.c
|
||||
@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
|
||||
int try_loading_module = 0;
|
||||
int err;
|
||||
|
||||
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
sock->state = SS_UNCONNECTED;
|
||||
|
||||
/* Look for the requested type/protocol pair. */
|
||||
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
|
||||
index 8ec0df75f1c4..9f5137cd604e 100644
|
||||
--- a/net/ipv6/af_inet6.c
|
||||
+++ b/net/ipv6/af_inet6.c
|
||||
@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
|
||||
int try_loading_module = 0;
|
||||
int err;
|
||||
|
||||
+ if (protocol < 0 || protocol >= IPPROTO_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
/* Look for the requested type/protocol pair. */
|
||||
lookup_protocol:
|
||||
err = -ESOCKTNOSUPPORT;
|
||||
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
|
||||
index e6aa48b5395c..923abd6b3064 100644
|
||||
--- a/net/irda/af_irda.c
|
||||
+++ b/net/irda/af_irda.c
|
||||
@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
|
||||
struct sock *sk;
|
||||
struct irda_sock *self;
|
||||
|
||||
+ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (net != &init_net)
|
||||
return -EAFNOSUPPORT;
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
File diff suppressed because it is too large
Load Diff
|
@ -1,39 +0,0 @@
|
|||
From 16c5a158e97d5b1f6c8bf86b006c1349f025d4e0 Mon Sep 17 00:00:00 2001
|
||||
From: WANG Cong <xiyou.wangcong@gmail.com>
|
||||
Date: Mon, 14 Dec 2015 13:48:36 -0800
|
||||
Subject: [PATCH] pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
|
||||
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/ppp/pptp.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
|
||||
index fc69e41d0950..597c53e0a2ec 100644
|
||||
--- a/drivers/net/ppp/pptp.c
|
||||
+++ b/drivers/net/ppp/pptp.c
|
||||
@@ -419,6 +419,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr,
|
||||
struct pptp_opt *opt = &po->proto.pptp;
|
||||
int error = 0;
|
||||
|
||||
+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
lock_sock(sk);
|
||||
|
||||
opt->src_addr = sp->sa_addr.pptp;
|
||||
@@ -440,6 +443,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr,
|
||||
struct flowi4 fl4;
|
||||
int error = 0;
|
||||
|
||||
+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (sp->sa_protocol != PX_PROTO_PPTP)
|
||||
return -EINVAL;
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
Loading…
Reference in New Issue