Linux v4.14.5

Also fixes CVE-2017-17448, CVE-2017-17449, CVE-2017-17450

kernel.spec

@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 5
+%define stable_update 6
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -636,6 +636,18 @@ Patch501: USB-core-prevent-malicious-bNumInterfaces-overflow.patch
 # https://marc.info/?l=linux-kernel&m=151307686618795
 Patch502: Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
 
+# CVE-2017-17449
+# rhbz 1525762 1525763
+Patch503: netlink-Add-netns-check-on-taps.patch
+
+# CVE-2017-17450
+# rhbz 1525761 1525764
+Patch504: netfilter-xt_osf-Add-missing-permission-checks.patch
+
+# CVE-2017-17448
+# rhbz 1525768 1525769
+Patch505: netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
+
 # 600 - Patches for improved Bay and Cherry Trail device support
 # Below patches are submitted upstream, awaiting review / merging
 Patch601: 0001-Input-gpio_keys-Allow-suppression-of-input-events-fo.patch
@@ -2214,6 +2226,12 @@ fi
 #
 #
 %changelog
+* Thu Dec 14 2017 Jeremy Cline <jeremy@jcline.org> - 4.14.6-300
+- Linux v4.14.6
+- Security fix for CVE-2017-17449 (rhbz 1525762 1525763)
+- Security fix for CVE-2017-17450 (rhbz 1525761 1525764)
+- Security fix for CVE-2017-17448 (rhbz 1525768 1525769)
+
 * Wed Dec 13 2017 Jeremy Cline <jeremy@jcline.org>
 - Fix CVE-2017-17558 (rhbz 1525474 1525476)
 - Revert exec: avoid RLIMIT_STACK races with prlimit()

netfilter-nfnetlink_cthelper-Add-missing-permission-.patch

@@ -0,0 +1,78 @@
+From 56ae5f7c9230c0aa474eef638cf9bf8ae6a79ab1 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sun, 3 Dec 2017 12:12:45 -0800
+Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission
+ checks
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, nfnl_cthelper_list is shared by all net namespaces on the
+system.  An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+    $ nfct helper list
+    nfct v1.4.4: netlink error: Operation not permitted
+    $ vpnns -- nfct helper list
+    {
+            .name = ftp,
+            .queuenum = 0,
+            .l3protonum = 2,
+            .l4protonum = 6,
+            .priv_data_len = 24,
+            .status = enabled,
+    };
+
+Add capable() checks in nfnetlink_cthelper, as this is cleaner than
+trying to generalize the solution.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
+index 41628b393673..d33ce6d5ebce 100644
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -17,6 +17,7 @@
+ #include <linux/types.h>
+ #include <linux/list.h>
+ #include <linux/errno.h>
++#include <linux/capability.h>
+ #include <net/netlink.h>
+ #include <net/sock.h>
+ 
+@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
+ 	struct nfnl_cthelper *nlcth;
+ 	int ret = 0;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
+ 		return -EINVAL;
+ 
+@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
+ 	struct nfnl_cthelper *nlcth;
+ 	bool tuple_set = false;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
+ 		struct netlink_dump_control c = {
+ 			.dump = nfnl_cthelper_dump_table,
+@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
+ 	struct nfnl_cthelper *nlcth, *n;
+ 	int j = 0, ret;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (tb[NFCTH_NAME])
+ 		helper_name = nla_data(tb[NFCTH_NAME]);
+ 
+-- 
+2.14.3
+

netfilter-xt_osf-Add-missing-permission-checks.patch

@@ -0,0 +1,59 @@
+From 2af0d441c8b1151a5d8bb46ec9c58ab575fe7d6f Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Tue, 5 Dec 2017 15:42:41 -0800
+Subject: [PATCH] netfilter: xt_osf: Add missing permission checks
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, xt_osf_fingers is shared by all net namespaces on the
+system.  An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+    vpnns -- nfnl_osf -f /tmp/pf.os
+
+    vpnns -- nfnl_osf -f /tmp/pf.os -d
+
+These non-root operations successfully modify the systemwide OS
+fingerprint list.  Add new capable() checks so that they can't.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+---
+ net/netfilter/xt_osf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
+index 36e14b1f061d..a34f314a8c23 100644
+--- a/net/netfilter/xt_osf.c
++++ b/net/netfilter/xt_osf.c
+@@ -19,6 +19,7 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ 
++#include <linux/capability.h>
+ #include <linux/if.h>
+ #include <linux/inetdevice.h>
+ #include <linux/ip.h>
+@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
+ 	struct xt_osf_finger *kf = NULL, *sf;
+ 	int err = 0;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (!osf_attrs[OSF_ATTR_FINGER])
+ 		return -EINVAL;
+ 
+@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
+ 	struct xt_osf_finger *sf;
+ 	int err = -ENOENT;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (!osf_attrs[OSF_ATTR_FINGER])
+ 		return -EINVAL;
+ 
+-- 
+2.14.3
+

netlink-Add-netns-check-on-taps.patch

@@ -0,0 +1,42 @@
+From 5af86b090e2f17b97c02d0bf9098f6edc3195935 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Wed, 6 Dec 2017 12:12:27 -0800
+Subject: [PATCH] netlink: Add netns check on taps
+
+Currently, a nlmon link inside a child namespace can observe systemwide
+netlink activity.  Filter the traffic so that nlmon can only sniff
+netlink messages from its own netns.
+
+Test case:
+
+    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
+                      ip link set nlmon0 up; \
+                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
+    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
+        spi 0x1 mode transport \
+        auth sha1 0x6162633132330000000000000000000000000000 \
+        enc aes 0x00000000000000000000000000000000
+    grep --binary abc123 /tmp/nlmon.pcap
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+---
+ net/netlink/af_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 15c99dfa3d72..aac9d68b4636 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
+ 	struct sock *sk = skb->sk;
+ 	int ret = -ENOMEM;
+ 
++	if (!net_eq(dev_net(dev), sock_net(sk)))
++		return 0;
++
+ 	dev_hold(dev);
+ 
+ 	if (is_vmalloc_addr(skb->head))
+-- 
+2.14.3
+

sources

@@ -1,3 +1,3 @@
 SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
 SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
-SHA512 (patch-4.14.5.xz) = 45a6adcc928babe53dd55a444aaae6280f57f844508a9799aada9f70b9fd6160b92b710986810c422ec3a20740f582acb3040f6d6aa883eecb58bf4c4d5918ca
+SHA512 (patch-4.14.6.xz) = c37b437f740fbb480766149ca1c6ddb5ee763b88b034b9b4eaf3ce000f299545ee19a93638d1a4161ab0c76ec73e1a53b2264b94213d53d6ad7dcda6bee45b8c