author | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-02-07 17:39:29 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-02-07 17:39:29 +0100 |
commit | 454e7e6cc8f6ec1ca49611972d9f024bb3128db8 (patch) | |
tree | becd5a1fa97b93f0b8788087a0acd2283b181c43 | |
parent | 721a7ba6a26425f5c9af350f92005d89155d09f1 (diff) | |
parent | cbf9a4853ae920d61ed056da9d90f6e679c74308 (diff) | |
Merge remote-tracking branch 'origin/master' kernel-4.10.0-0.rc7.git1.1.vanilla.knurd.1.fc26 kernel-4.10.0-0.rc7.git1.1.vanilla.knurd.1.fc25 kernel-4.10.0-0.rc7.git1.1.vanilla.knurd.1.fc24
-rw-r--r-- | debugconfig/CONFIG_DEBUG_KMEMLEAK_EARLY | 2 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | ip6_gre-fix-ip6gre_err-invalid-reads.patch | 91 | ||||
-rw-r--r-- | kernel-aarch64-debug.config | 2 | ||||
-rw-r--r-- | kernel-armv7hl-debug.config | 2 | ||||
-rw-r--r-- | kernel-armv7hl-lpae-debug.config | 2 | ||||
-rw-r--r-- | kernel-i686-PAEdebug.config | 2 | ||||
-rw-r--r-- | kernel-i686-debug.config | 2 | ||||
-rw-r--r-- | kernel-ppc64-debug.config | 2 | ||||
-rw-r--r-- | kernel-ppc64le-debug.config | 2 | ||||
-rw-r--r-- | kernel-ppc64p7-debug.config | 2 | ||||
-rw-r--r-- | kernel-s390x-debug.config | 2 | ||||
-rw-r--r-- | kernel-x86_64-debug.config | 2 | ||||
-rw-r--r-- | kernel.spec | 17 | ||||
-rw-r--r-- | sources | 4 |
15 files changed, 120 insertions, 16 deletions
diff --git a/debugconfig/CONFIG_DEBUG_KMEMLEAK_EARLY b/debugconfig/CONFIG_DEBUG_KMEMLEAK_EARLY
index dd8763fdd..48732e524 100644
--- a/debugconfig/CONFIG_DEBUG_KMEMLEAK_EARLY
+++ b/debugconfig/CONFIG_DEBUG_KMEMLEAK_EARLY
@@ -1 +1 @@
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
@@ -1 +1 @@
-34e00accf612bc5448ae709245c2b408edf39f46
+8b1b41ee74f9712c355d66dc105bbea663ae0afd
diff --git a/ip6_gre-fix-ip6gre_err-invalid-reads.patch b/ip6_gre-fix-ip6gre_err-invalid-reads.patch
new file mode 100644
index 000000000..756663c11
--- /dev/null
+++ b/ip6_gre-fix-ip6gre_err-invalid-reads.patch
@@ -0,0 +1,91 @@
+From 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 4 Feb 2017 23:18:55 -0800
+Subject: ip6_gre: fix ip6gre_err() invalid reads
+
+Andrey Konovalov reported out of bound accesses in ip6gre_err()
+
+If GRE flags contains GRE_KEY, the following expression
+*(((__be32 *)p) + (grehlen / 4) - 1)
+
+accesses data ~40 bytes after the expected point, since
+grehlen includes the size of IPv6 headers.
+
+Let's use a "struct gre_base_hdr *greh" pointer to make this
+code more readable.
+
+p[1] becomes greh->protocol.
+grhlen is the GRE header length.
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/ip6_gre.c | 40 +++++++++++++++++++++-------------------
+ 1 file changed, 21 insertions(+), 19 deletions(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 5586318..630b73b 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
+
+
+ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+- u8 type, u8 code, int offset, __be32 info)
++ u8 type, u8 code, int offset, __be32 info)
+ {
+- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data;
+- __be16 *p = (__be16 *)(skb->data + offset);
+- int grehlen = offset + 4;
++ const struct gre_base_hdr *greh;
++ const struct ipv6hdr *ipv6h;
++ int grehlen = sizeof(*greh);
+ struct ip6_tnl *t;
++ int key_off = 0;
+ __be16 flags;
++ __be32 key;
+
+- flags = p[0];
+- if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) {
+- if (flags&(GRE_VERSION|GRE_ROUTING))
+- return;
+- if (flags&GRE_KEY) {
+- grehlen += 4;
+- if (flags&GRE_CSUM)
+- grehlen += 4;
+- }
++ if (!pskb_may_pull(skb, offset + grehlen))
++ return;
++ greh = (const struct gre_base_hdr *)(skb->data + offset);
++ flags = greh->flags;
++ if (flags & (GRE_VERSION | GRE_ROUTING))
++ return;
++ if (flags & GRE_CSUM)
++ grehlen += 4;
++ if (flags & GRE_KEY) {
++ key_off = grehlen + offset;
++ grehlen += 4;
+ }
+
+- /* If only 8 bytes returned, keyed message will be dropped here */
+- if (!pskb_may_pull(skb, grehlen))
++ if (!pskb_may_pull(skb, offset + grehlen))
+ return;
+ ipv6h = (const struct ipv6hdr *)skb->data;
+- p = (__be16 *)(skb->data + offset);
++ greh = (const struct gre_base_hdr *)(skb->data + offset);
++ key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
+
+ t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
+- flags & GRE_KEY ?
+- *(((__be32 *)p) + (grehlen / 4) - 1) : 0,
+- p[1]);
++ key, greh->protocol);
+ if (!t)
+ return;
+
+--
+cgit v0.12
+
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 986e16c07..7526300f3 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -1072,7 +1072,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index dd5648cb7..a346a7938 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -1147,7 +1147,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index 3e92b7da9..b250ca889 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
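Review bot: After the second `pskb_may_pull(skb, offset + grehlen)` in the embedded net/ipv6/ip6_gre.c patch, `ipv6h` and `greh` are derived from `skb->data` again, but no comment explains why, and the old comment about short keyed messages being dropped is removed without a replacement. pskb_may_pull() can reallocate the skb head, so a later cleanup that removes the "redundant" second assignment would bring back a read through a stale pointer. I would add a comment before that pull, `/* pskb_may_pull() may reallocate the head: reload every pointer into skb->data afterwards */`. The key read `key_off ? *(__be32 *)(skb->data + key_off) : 0` uses key_off as both flag and offset, which only works because key_off is at least sizeof(*greh) whenever GRE_KEY is set. A short remark next to `int key_off = 0;` would make that explicit. ip6gre_err()'s body continues past the end of the inner hunk.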
@@ -1101,7 +1101,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-i686-PAEdebug.config b/kernel-i686-PAEdebug.config
index 34a24cdb7..62886b151 100644
--- a/kernel-i686-PAEdebug.config
+++ b/kernel-i686-PAEdebug.config
@@ -958,7 +958,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index 0ab2f1adf..6e5a684de 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -958,7 +958,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-ppc64-debug.config b/kernel-ppc64-debug.config
index a452d7b57..414115223 100644
--- a/kernel-ppc64-debug.config
+++ b/kernel-ppc64-debug.config
@@ -947,7 +947,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config
index 181ad231d..14c3d83c6 100644
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@@ -902,7 +902,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-ppc64p7-debug.config b/kernel-ppc64p7-debug.config
index 21c8b5551..d1cb17fb7 100644
--- a/kernel-ppc64p7-debug.config
+++ b/kernel-ppc64p7-debug.config
@@ -902,7 +902,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config
index cc1ac3673..d040d077d 100644
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@@ -901,7 +901,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index 4a002b8d6..be3f1db20 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -986,7 +986,7 @@ CONFIG_DEBUG_INFO_VTA=y
 CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
-CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=4096
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK=y
 # CONFIG_DEBUG_KOBJECT is not set
diff --git a/kernel.spec b/kernel.spec
index 0950f1b06..97613f308 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -75,9 +75,9 @@ Summary: The Linux kernel
 # The next upstream release sublevel (base_sublevel+1)
 %define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
 # The rc snapshot level
-%global rcrev 6
+%global rcrev 7
 # The git snapshot level
-%define gitrev 3
+%define gitrev 1
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -616,6 +616,10 @@ Patch853: 0001-Work-around-for-gcc7-and-arm64.patch
 #CVE-2017-2596 rhbz 1417812 1417813
 Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
+#CVE-2017-5897 rhbz 1419848 1419851
+Patch855: ip6_gre-fix-ip6gre_err-invalid-reads.patch
+
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2189,6 +2193,15 @@ fi
 #
 #
 %changelog
+* Tue Feb 07 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc7.git1.1
+- Linux v4.10-rc7-29-g8b1b41e
+- Reenable debugging options.
+- CVE-2017-5897 ip6_gre: Invalid reads in ip6gre_err (rhbz 1419848 1419851)
+
+* Mon Feb 06 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc7.git0.1
+- Disable debugging options.
+- Linux v4.10-rc7
+
 * Fri Feb 03 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc6.git3.1
 - Linux v4.10-rc6-110-g34e00ac
@@ -1,4 +1,4 @@
 SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
 SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
-SHA512 (patch-4.10-rc6.xz) = eb6dfcdcb427d198d955b6c2146abd5c6a74d01ab10855d713f33b9c87df05f20f2688cb354d5881dfb82ebdcf4ecac37b36956ff3645977f967f021b52ad507
-SHA512 (patch-4.10-rc6-git3.xz) = 8a844c3b708926f0451931961128b485db23dac8f40978716675d9fcec5ae9a40b3ef5da50d613c9de4d3c7c15edf4942dd232b1ef7935c373e74e92c145b016
+SHA512 (patch-4.10-rc7.xz) = 206e5e97581bb376141398b6962fbbc4ee0a58b50fae1de83f3f6f3c06502b260f006628aab738d63994a6d1c0276717d49e882a8107b8f9c24d565a2a70ea9b
+SHA512 (patch-4.10-rc7-git1.xz) = 6b71afe5c9bd79e551bcd26798284ce1d77359e8787a1861d2acfeaec7222abf08dd0bf92c842c0fa790271dbcce42c895d50b805e0a868525c8d73ff425d3b1 |