author | Justin M. Forbes <jforbes@redhat.com> | 2017-04-05 11:51:43 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@redhat.com> | 2017-04-05 11:51:43 -0500 |
commit | 090bfba49cf37ee6020c2beda8d8df12ba81ba44 (patch) | |
tree | 8008b52869d38e2d0225c4c090b5d522bedfcfed | |
parent | 85f80332e48ee6176a517098d86bc2b0b50c803a (diff) | |
download | kernel-090bfba49cf37ee6020c2beda8d8df12ba81ba44.tar.gz kernel-090bfba49cf37ee6020c2beda8d8df12ba81ba44.tar.xz kernel-090bfba49cf37ee6020c2beda8d8df12ba81ba44.zip |
Don't print MCEs and fix ping CVE
-rw-r--r-- | 0001-ping-implement-proper-locking.patch | 53 | ||||
-rw-r--r-- | 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch | 65 | ||||
-rw-r--r-- | kernel.spec | 10 |
3 files changed, 128 insertions, 0 deletions
diff --git a/0001-ping-implement-proper-locking.patch b/0001-ping-implement-proper-locking.patch
new file mode 100644
index 000000000..1fad1a8cb
--- /dev/null
+++ b/0001-ping-implement-proper-locking.patch
@@ -0,0 +1,53 @@
+From 43a6684519ab0a6c52024b5e25322476cabad893 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 24 Mar 2017 19:36:13 -0700
+Subject: [PATCH] ping: implement proper locking
+
+We got a report of yet another bug in ping
+
+http://www.openwall.com/lists/oss-security/2017/03/24/6
+
+->disconnect() is not called with socket lock held.
+
+Fix this by acquiring ping rwlock earlier.
+
+Thanks to Daniel, Alexander and Andrey for letting us know this problem.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Daniel Jiang <danieljiang0415@gmail.com>
+Reported-by: Solar Designer <solar@openwall.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv4/ping.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 2af6244..ccfbce1 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
+ void ping_unhash(struct sock *sk)
+ {
+ struct inet_sock *isk = inet_sk(sk);
++
+ pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
++ write_lock_bh(&ping_table.lock);
+ if (sk_hashed(sk)) {
+- write_lock_bh(&ping_table.lock);
+ hlist_nulls_del(&sk->sk_nulls_node);
+ sk_nulls_node_init(&sk->sk_nulls_node);
+ sock_put(sk);
+ isk->inet_num = 0;
+ isk->inet_sport = 0;
+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+- write_unlock_bh(&ping_table.lock);
+ }
++ write_unlock_bh(&ping_table.lock);
+ }
+ EXPORT_SYMBOL_GPL(ping_unhash);
+
+--
+2.9.3
+
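Review bot: Nothing in ping_unhash() itself records why `write_lock_bh(&ping_table.lock)` now has to precede the `sk_hashed(sk)` test; the reason appears only in the carried patch description. Because the test and the `hlist_nulls_del()` / `sock_put()` sequence must share one critical section, a later cleanup that moves the lock back inside the `if` would presumably reopen the race behind the CVE-2017-2671 entry in kernel.spec. I would add a comment above the lock call, for example `/* ->disconnect() can reach here without the socket lock held, so test sk_hashed() only under ping_table.lock */`.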
diff --git a/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch b/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
new file mode 100644
index 000000000..d682dcc42
--- /dev/null
+++ b/0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
@@ -0,0 +1,65 @@
+From cc66afea58f858ff6da7f79b8a595a67bbb4f9a9 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <ak@linux.intel.com>
+Date: Mon, 27 Mar 2017 11:32:59 +0200
+Subject: [PATCH] x86/mce: Don't print MCEs when mcelog is active
+
+Since:
+
+ cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
+
+all MCEs are printed even when mcelog is running. Fix the regression to
+not print to dmesg when mcelog is running as it is a consumer too.
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+[ Massage commit message. ]
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: stable@vger.kernel.org # 4.10..
+Fixes: cd9c57cad3fe ("x86/MCE: Dump MCE to dmesg if no consumers")
+Link: http://lkml.kernel.org/r/20170327093304.10683-2-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
+index 8e9725c..5accfbd 100644
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -54,6 +54,8 @@
+
+ static DEFINE_MUTEX(mce_chrdev_read_mutex);
+
++static int mce_chrdev_open_count; /* #times opened */
++
+ #define mce_log_get_idx_check(p) \
+ ({ \
+ RCU_LOCKDEP_WARN(!rcu_read_lock_sched_held() && \
+@@ -598,6 +600,10 @@ static int mce_default_notifier(struct notifier_block *nb, unsigned long val,
+ if (atomic_read(&num_notifiers) > 2)
+ return NOTIFY_DONE;
+
++ /* Don't print when mcelog is running */
++ if (mce_chrdev_open_count > 0)
++ return NOTIFY_DONE;
++
+ __print_mce(m);
+
+ return NOTIFY_DONE;
+@@ -1828,7 +1834,6 @@ void mcheck_cpu_clear(struct cpuinfo_x86 *c)
+ */
+
+ static DEFINE_SPINLOCK(mce_chrdev_state_lock);
+-static int mce_chrdev_open_count; /* #times opened */
+ static int mce_chrdev_open_exclu; /* already open exclusive? */
+
+ static int mce_chrdev_open(struct inode *inode, struct file *file)
+--
+2.9.3
+
diff --git a/kernel.spec b/kernel.spec
index f02aa1812..203bf13c8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -611,6 +611,12 @@ Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
 #CVE-2017-7277 rhbz 1436629 1436661
 Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
+# rhbz 1438316
+Patch859: 0001-x86-mce-Don-t-print-MCEs-when-mcelog-is-active.patch
+
+# CVE-2017-2671 rhbz 1436649 1436663
+Patch860: 0001-ping-implement-proper-locking.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2180,6 +2186,10 @@ fi
 #
 #
 %changelog
+* Wed Apr 05 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Don't print MCEs when mcelog is running (rhbz 1438316)
+- CVE-2017-2671 Fix ping locking (rhbz 1436649 1436663)
+
 * Tue Apr 04 2017 Justin M. Forbes <jforbes@fedoraproject.org>
 - redisable CONFIG_IWLWIFI_PCIE_RTPM (rhbz 1429135) |
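Review bot: In the carried mce.c patch, the new test `if (mce_chrdev_open_count > 0)` in mce_default_notifier() is a plain, unlocked read of a counter declared next to `mce_chrdev_state_lock`. The open and release paths that presumably update it under that spinlock are outside the hunk, as are the start and end of mce_default_notifier(). If the racy read is intended, I would mark it as `if (READ_ONCE(mce_chrdev_open_count) > 0)` and extend the comment to `/* Don't print when mcelog is running; a stale count only costs one printed or skipped record */`. The comment on the moved declaration should also say that a non-zero count suppresses dmesg output of MCEs, since whoever relies on the kernel log for hardware-error visibility needs to know that an open character device silences it.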