authorThorsten Leemhuis <fedora@leemhuis.info>2017-05-03 22:17:53 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2017-05-03 22:17:53 +0200
commit69a1590390cdbac0f547e8b0dddb035576602f02 (patch)
tree0a99d4c7637ed4b727d92a59f06e56692ccd8350
parente618fd7bedbcad2c4b8cc4e1644c359a185dcf70 (diff)
parent5703956bbf90ec85edbbe6d9fddafc493bf7d3dd (diff)
Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedorakernel-4.10.14-200.vanilla.knurd.1.fc25
-rw-r--r--0001-ping-implement-proper-locking.patch53
-rw-r--r--CVE-2017-7477.patch73
-rw-r--r--CVE-2017-7645.patch180
-rw-r--r--kernel.spec18
-rw-r--r--sources2
-rw-r--r--tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch119
6 files changed, 6 insertions, 439 deletions
diff --git a/0001-ping-implement-proper-locking.patch b/0001-ping-implement-proper-locking.patch
deleted file mode 100644
index 1fad1a8cb..000000000
--- a/0001-ping-implement-proper-locking.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 43a6684519ab0a6c52024b5e25322476cabad893 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Fri, 24 Mar 2017 19:36:13 -0700
-Subject: [PATCH] ping: implement proper locking
-
-We got a report of yet another bug in ping
-
-http://www.openwall.com/lists/oss-security/2017/03/24/6
-
-->disconnect() is not called with socket lock held.
-
-Fix this by acquiring ping rwlock earlier.
-
-Thanks to Daniel, Alexander and Andrey for letting us know this problem.
-
-Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: Daniel Jiang <danieljiang0415@gmail.com>
-Reported-by: Solar Designer <solar@openwall.com>
-Reported-by: Andrey Konovalov <andreyknvl@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/ping.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
-index 2af6244..ccfbce1 100644
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
- void ping_unhash(struct sock *sk)
- {
- struct inet_sock *isk = inet_sk(sk);
-+
- pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
-+ write_lock_bh(&ping_table.lock);
- if (sk_hashed(sk)) {
-- write_lock_bh(&ping_table.lock);
- hlist_nulls_del(&sk->sk_nulls_node);
- sk_nulls_node_init(&sk->sk_nulls_node);
- sock_put(sk);
- isk->inet_num = 0;
- isk->inet_sport = 0;
- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
-- write_unlock_bh(&ping_table.lock);
- }
-+ write_unlock_bh(&ping_table.lock);
- }
- EXPORT_SYMBOL_GPL(ping_unhash);
-
---
-2.9.3
-
diff --git a/CVE-2017-7477.patch b/CVE-2017-7477.patch
deleted file mode 100644
index 6405614cc..000000000
--- a/CVE-2017-7477.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Fri, 21 Apr 2017 23:14:48 +0200
-Subject: macsec: avoid heap overflow in skb_to_sgvec
-
-While this may appear as a humdrum one line change, it's actually quite
-important. An sk_buff stores data in three places:
-
-1. A linear chunk of allocated memory in skb->data. This is the easiest
- one to work with, but it precludes using scatterdata since the memory
- must be linear.
-2. The array skb_shinfo(skb)->frags, which is of maximum length
- MAX_SKB_FRAGS. This is nice for scattergather, since these fragments
- can point to different pages.
-3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff,
- which in turn can have data in either (1) or (2).
-
-The first two are rather easy to deal with, since they're of a fixed
-maximum length, while the third one is not, since there can be
-potentially limitless chains of fragments. Fortunately dealing with
-frag_list is opt-in for drivers, so drivers don't actually have to deal
-with this mess. For whatever reason, macsec decided it wanted pain, and
-so it explicitly specified NETIF_F_FRAGLIST.
-
-Because dealing with (1), (2), and (3) is insane, most users of sk_buff
-doing any sort of crypto or paging operation calls a convenient function
-called skb_to_sgvec (which happens to be recursive if (3) is in use!).
-This takes a sk_buff as input, and writes into its output pointer an
-array of scattergather list items. Sometimes people like to declare a
-fixed size scattergather list on the stack; othertimes people like to
-allocate a fixed size scattergather list on the heap. However, if you're
-doing it in a fixed-size fashion, you really shouldn't be using
-NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its
-frag_list children arent't shared and then you check the number of
-fragments in total required.)
-
-Macsec specifically does this:
-
- size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
- tmp = kmalloc(size, GFP_ATOMIC);
- *sg = (struct scatterlist *)(tmp + sg_offset);
- ...
- sg_init_table(sg, MAX_SKB_FRAGS + 1);
- skb_to_sgvec(skb, sg, 0, skb->len);
-
-Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're
-using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will
-overflow the heap, and disaster ensues.
-
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Cc: stable@vger.kernel.org
-Cc: security@kernel.org
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- drivers/net/macsec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
-index ff0a5ed..dbab05a 100644
---- a/drivers/net/macsec.c
-+++ b/drivers/net/macsec.c
-@@ -2716,7 +2716,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
- }
-
- #define MACSEC_FEATURES \
-- (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
-+ (NETIF_F_SG | NETIF_F_HIGHDMA)
- static struct lock_class_key macsec_netdev_addr_lock_key;
-
- static int macsec_dev_init(struct net_device *dev)
---
-cgit v1.1
-
diff --git a/CVE-2017-7645.patch b/CVE-2017-7645.patch
deleted file mode 100644
index 0be019cc3..000000000
--- a/CVE-2017-7645.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-From: "J. Bruce Fields" <bfields@redhat.com>
-Date: 2017-04-14 15:04:40
-Subject: [PATCH] nfsd: check for oversized NFSv2/v3 arguments
-
-A client can append random data to the end of an NFSv2 or NFSv3 RPC call
-without our complaining; we'll just stop parsing at the end of the
-expected data and ignore the rest.
-
-Encoded arguments and replies are stored together in an array of pages,
-and if a call is too large it could leave inadequate space for the
-reply. This is normally OK because NFS RPC's typically have either
-short arguments and long replies (like READ) or long arguments and short
-replies (like WRITE). But a client that sends an incorrectly long reply
-can violate those assumptions. This was observed to cause crashes.
-
-So, insist that the argument not be any longer than we expect.
-
-Also, several operations increment rq_next_page in the decode routine
-before checking the argument size, which can leave rq_next_page pointing
-well past the end of the page array, causing trouble later in
-svc_free_pages.
-
-As followup we may also want to rewrite the encoding routines to check
-more carefully that they aren't running off the end of the page array.
-
-Reported-by: Tuomas Haanpää <thaan@synopsys.com>
-Reported-by: Ari Kauppi <ari@synopsys.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: J. Bruce Fields <bfields@redhat.com>
----
- fs/nfsd/nfs3xdr.c | 23 +++++++++++++++++------
- fs/nfsd/nfsxdr.c | 13 ++++++++++---
- include/linux/sunrpc/svc.h | 3 +--
- 3 files changed, 28 insertions(+), 11 deletions(-)
-
-diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
-index dba2ff8eaa68..be66bcadfaea 100644
---- a/fs/nfsd/nfs3xdr.c
-+++ b/fs/nfsd/nfs3xdr.c
-@@ -334,8 +334,11 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
- if (!p)
- return 0;
- p = xdr_decode_hyper(p, &args->offset);
--
- args->count = ntohl(*p++);
-+
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
-+
- len = min(args->count, max_blocksize);
-
- /* set up the kvec */
-@@ -349,7 +352,7 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
- v++;
- }
- args->vlen = v;
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-@@ -536,9 +539,11 @@ nfs3svc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p,
- p = decode_fh(p, &args->fh);
- if (!p)
- return 0;
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
- args->buffer = page_address(*(rqstp->rq_next_page++));
-
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-@@ -564,10 +569,14 @@ nfs3svc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p,
- args->verf = p; p += 2;
- args->dircount = ~0;
- args->count = ntohl(*p++);
-+
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
-+
- args->count = min_t(u32, args->count, PAGE_SIZE);
- args->buffer = page_address(*(rqstp->rq_next_page++));
-
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-@@ -585,6 +594,9 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p,
- args->dircount = ntohl(*p++);
- args->count = ntohl(*p++);
-
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
-+
- len = args->count = min(args->count, max_blocksize);
- while (len > 0) {
- struct page *p = *(rqstp->rq_next_page++);
-@@ -592,8 +604,7 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p,
- args->buffer = page_address(p);
- len -= PAGE_SIZE;
- }
--
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
-index 41b468a6a90f..79268369f7b3 100644
---- a/fs/nfsd/nfsxdr.c
-+++ b/fs/nfsd/nfsxdr.c
-@@ -257,6 +257,9 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
- len = args->count = ntohl(*p++);
- p++; /* totalcount - unused */
-
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
-+
- len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2);
-
- /* set up somewhere to store response.
-@@ -272,7 +275,7 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
- v++;
- }
- args->vlen = v;
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-@@ -360,9 +363,11 @@ nfssvc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p, struct nfsd_readli
- p = decode_fh(p, &args->fh);
- if (!p)
- return 0;
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
- args->buffer = page_address(*(rqstp->rq_next_page++));
-
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- int
-@@ -400,9 +405,11 @@ nfssvc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p,
- args->cookie = ntohl(*p++);
- args->count = ntohl(*p++);
- args->count = min_t(u32, args->count, PAGE_SIZE);
-+ if (!xdr_argsize_check(rqstp, p))
-+ return 0;
- args->buffer = page_address(*(rqstp->rq_next_page++));
-
-- return xdr_argsize_check(rqstp, p);
-+ return 1;
- }
-
- /*
-diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
-index e770abeed32d..6ef19cf658b4 100644
---- a/include/linux/sunrpc/svc.h
-+++ b/include/linux/sunrpc/svc.h
-@@ -336,8 +336,7 @@ xdr_argsize_check(struct svc_rqst *rqstp, __be32 *p)
- {
- char *cp = (char *)p;
- struct kvec *vec = &rqstp->rq_arg.head[0];
-- return cp >= (char*)vec->iov_base
-- && cp <= (char*)vec->iov_base + vec->iov_len;
-+ return cp == (char *)vec->iov_base + vec->iov_len;
- }
-
- static inline int
---
-2.9.3
-
---
-To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/kernel.spec b/kernel.spec
index 70069b762..e99a748d5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,7 @@ Summary: The Linux kernel
%define stable_rc 0
# Do we have a -stable update to apply?
-%define stable_update 13
+%define stable_update 14
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -616,23 +616,11 @@ Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch
# selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
-#CVE-2017-7277 rhbz 1436629 1436661
-Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
-
-# CVE-2017-2671 rhbz 1436649 1436663
-Patch860: 0001-ping-implement-proper-locking.patch
-
Patch861: 0001-efi-libstub-Treat-missing-SecureBoot-variable-as-Sec.patch
#rhbz 1441310
Patch863: rhbz_1441310.patch
-# CVE-2017-7645 rhbz 1443615 1443617
-Patch866: CVE-2017-7645.patch
-
-# CVE-2017-7477 rhbz 1445207 1445208
-Patch867: CVE-2017-7477.patch
-
# END OF PATCH DEFINITIONS
%endif
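Review bot: Nothing in kernel.spec records why Patch858, Patch860, Patch866 and Patch867 (CVE-2017-7277, CVE-2017-2671, CVE-2017-7645 and CVE-2017-7477) are being removed, so a later reader cannot tell whether these security fixes were superseded by the 4.10.14 stable update or simply lost. Presumably they landed upstream in patch-4.10.14.xz; before merging, confirm that by checking the stable patch for the upstream commits the deleted files carried (43a6684519ab for the ping locking fix, 4d6fa57b4dab for macsec, 4ef1b2869447 for the tcp timestamping fix, and the nfsd xdr_argsize_check change, whose deleted file names no commit id). The changelog entry added further down in this file mentions only CVE-2017-7895; I would add a line such as `- Drop CVE-2017-2671, CVE-2017-7277, CVE-2017-7477 and CVE-2017-7645 patches, now in 4.10.14 stable` so the removal is auditable from the package history.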
@@ -2205,6 +2193,10 @@ fi
#
#
%changelog
+* Wed May 03 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.14-200
+- Linux v4.10.14
+- Fixes CVE-2017-7895 (rhbz 1446103 1446541)
+
* Thu Apr 27 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.13-200
- Linux v4.10.13
diff --git a/sources b/sources
index f6fee9a69..68383b974 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
SHA512 (linux-4.10.tar.xz) = c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90
SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
-SHA512 (patch-4.10.13.xz) = 8ada730b91ffd0ab35f619e2dd1b29cbcc090f94a2d8de04178af0b7e303abb5393090888506bf6f1f3899c27bbe50f132a42186193203fa1214130623b2e050
+SHA512 (patch-4.10.14.xz) = 0979d6a503ac1f094914f56c0aed9cbcd949f68b3cc649fe6664460b9da68cb80d024c40859864d17c97de25b77c02bf08f9ab04d00d636dd6e336f32f74cdd9
diff --git a/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch b/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
deleted file mode 100644
index 9eabfc098..000000000
--- a/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 4ef1b2869447411ad3ef91ad7d4891a83c1a509a Mon Sep 17 00:00:00 2001
-From: Soheil Hassas Yeganeh <soheil@google.com>
-Date: Sat, 18 Mar 2017 17:03:00 -0400
-Subject: [PATCH] tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS
-
-SOF_TIMESTAMPING_OPT_STATS can be enabled and disabled
-while packets are collected on the error queue.
-So, checking SOF_TIMESTAMPING_OPT_STATS in sk->sk_tsflags
-is not enough to safely assume that the skb contains
-OPT_STATS data.
-
-Add a bit in sock_exterr_skb to indicate whether the
-skb contains opt_stats data.
-
-Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
-Reported-by: JongHwan Kim <zzoru007@gmail.com>
-Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: Willem de Bruijn <willemb@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- include/linux/errqueue.h | 2 ++
- net/core/skbuff.c | 17 +++++++++++------
- net/socket.c | 2 +-
- 3 files changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/include/linux/errqueue.h b/include/linux/errqueue.h
-index 9ca23fc..6fdfc88 100644
---- a/include/linux/errqueue.h
-+++ b/include/linux/errqueue.h
-@@ -20,6 +20,8 @@ struct sock_exterr_skb {
- struct sock_extended_err ee;
- u16 addr_offset;
- __be16 port;
-+ u8 opt_stats:1,
-+ unused:7;
- };
-
- #endif
-diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index b1fbd19..9f78109 100644
---- a/net/core/skbuff.c
-+++ b/net/core/skbuff.c
-@@ -3793,16 +3793,20 @@ EXPORT_SYMBOL(skb_clone_sk);
-
- static void __skb_complete_tx_timestamp(struct sk_buff *skb,
- struct sock *sk,
-- int tstype)
-+ int tstype,
-+ bool opt_stats)
- {
- struct sock_exterr_skb *serr;
- int err;
-
-+ BUILD_BUG_ON(sizeof(struct sock_exterr_skb) > sizeof(skb->cb));
-+
- serr = SKB_EXT_ERR(skb);
- memset(serr, 0, sizeof(*serr));
- serr->ee.ee_errno = ENOMSG;
- serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
- serr->ee.ee_info = tstype;
-+ serr->opt_stats = opt_stats;
- if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
- serr->ee.ee_data = skb_shinfo(skb)->tskey;
- if (sk->sk_protocol == IPPROTO_TCP &&
-@@ -3843,7 +3847,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
- */
- if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) {
- *skb_hwtstamps(skb) = *hwtstamps;
-- __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND);
-+ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false);
- sock_put(sk);
- }
- }
-@@ -3854,7 +3858,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
- struct sock *sk, int tstype)
- {
- struct sk_buff *skb;
-- bool tsonly;
-+ bool tsonly, opt_stats = false;
-
- if (!sk)
- return;
-@@ -3867,9 +3871,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
- #ifdef CONFIG_INET
- if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
- sk->sk_protocol == IPPROTO_TCP &&
-- sk->sk_type == SOCK_STREAM)
-+ sk->sk_type == SOCK_STREAM) {
- skb = tcp_get_timestamping_opt_stats(sk);
-- else
-+ opt_stats = true;
-+ } else
- #endif
- skb = alloc_skb(0, GFP_ATOMIC);
- } else {
-@@ -3888,7 +3893,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
- else
- skb->tstamp = ktime_get_real();
-
-- __skb_complete_tx_timestamp(skb, sk, tstype);
-+ __skb_complete_tx_timestamp(skb, sk, tstype, opt_stats);
- }
- EXPORT_SYMBOL_GPL(__skb_tstamp_tx);
-
-
-diff --git a/net/socket.c b/net/socket.c
-index 02bd924..84e3f85 100644
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -697,7 +697,7 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
- put_cmsg(msg, SOL_SOCKET,
- SCM_TIMESTAMPING, sizeof(tss), &tss);
-
-- if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
-+ if (skb->len && SKB_EXT_ERR(skb)->opt_stats)
- put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
- skb->len, skb->data);
- }