authorThorsten Leemhuis <fedora@leemhuis.info>2017-03-30 11:56:25 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2017-03-30 11:56:25 +0200
commitb8094f7be45cadc6c57f46e5e24af6d1a5d78ccf (patch)
treec0ded9121ad16ced020ca6d00e4f6541fe961d88
parent7d859f9a40a55ed84e9c575bfd253d308d3b8755 (diff)
parentad101ecee0496d943cce55e4e34e9fd2da397ba0 (diff)
Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedora
-rw-r--r--kernel.spec12
-rw-r--r--tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch119
-rw-r--r--vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch33
3 files changed, 164 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 380697376..5117a1c81 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -625,6 +625,12 @@ Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
#Fix crda rhbz 1422247
Patch856: genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
+#CVE-2017-7261 rhbz 1435719 1435740
+Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
+
+#CVE-2017-7277 rhbz 1436629 1436661
+Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2197,6 +2203,12 @@ fi
#
#
%changelog
+* Tue Mar 28 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2017-7277 SCM_TIMESTAMPING_OPT_STATS feature causes out-of-bounds read (rhbz 1436629 1436661)
+
+* Mon Mar 27 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2017-7261 vmwgfx: check that number of mip levels is above zero (rhbz 1435719 1435740)
+
* Mon Mar 27 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.6-200
- Linux v4.10.6
diff --git a/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch b/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
new file mode 100644
index 000000000..9eabfc098
--- /dev/null
+++ b/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
@@ -0,0 +1,119 @@
+From 4ef1b2869447411ad3ef91ad7d4891a83c1a509a Mon Sep 17 00:00:00 2001
+From: Soheil Hassas Yeganeh <soheil@google.com>
+Date: Sat, 18 Mar 2017 17:03:00 -0400
+Subject: [PATCH] tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS
+
+SOF_TIMESTAMPING_OPT_STATS can be enabled and disabled
+while packets are collected on the error queue.
+So, checking SOF_TIMESTAMPING_OPT_STATS in sk->sk_tsflags
+is not enough to safely assume that the skb contains
+OPT_STATS data.
+
+Add a bit in sock_exterr_skb to indicate whether the
+skb contains opt_stats data.
+
+Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
+Reported-by: JongHwan Kim <zzoru007@gmail.com>
+Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/linux/errqueue.h | 2 ++
+ net/core/skbuff.c | 17 +++++++++++------
+ net/socket.c | 2 +-
+ 3 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/errqueue.h b/include/linux/errqueue.h
+index 9ca23fc..6fdfc88 100644
+--- a/include/linux/errqueue.h
++++ b/include/linux/errqueue.h
+@@ -20,6 +20,8 @@ struct sock_exterr_skb {
+ struct sock_extended_err ee;
+ u16 addr_offset;
+ __be16 port;
++ u8 opt_stats:1,
++ unused:7;
+ };
+
+ #endif
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index b1fbd19..9f78109 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3793,16 +3793,20 @@ EXPORT_SYMBOL(skb_clone_sk);
+
+ static void __skb_complete_tx_timestamp(struct sk_buff *skb,
+ struct sock *sk,
+- int tstype)
++ int tstype,
++ bool opt_stats)
+ {
+ struct sock_exterr_skb *serr;
+ int err;
+
++ BUILD_BUG_ON(sizeof(struct sock_exterr_skb) > sizeof(skb->cb));
++
+ serr = SKB_EXT_ERR(skb);
+ memset(serr, 0, sizeof(*serr));
+ serr->ee.ee_errno = ENOMSG;
+ serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
+ serr->ee.ee_info = tstype;
++ serr->opt_stats = opt_stats;
+ if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
+ serr->ee.ee_data = skb_shinfo(skb)->tskey;
+ if (sk->sk_protocol == IPPROTO_TCP &&
+@@ -3843,7 +3847,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
+ */
+ if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) {
+ *skb_hwtstamps(skb) = *hwtstamps;
+- __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND);
++ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false);
+ sock_put(sk);
+ }
+ }
+@@ -3854,7 +3858,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
+ struct sock *sk, int tstype)
+ {
+ struct sk_buff *skb;
+- bool tsonly;
++ bool tsonly, opt_stats = false;
+
+ if (!sk)
+ return;
+@@ -3867,9 +3871,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
+ #ifdef CONFIG_INET
+ if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
+ sk->sk_protocol == IPPROTO_TCP &&
+- sk->sk_type == SOCK_STREAM)
++ sk->sk_type == SOCK_STREAM) {
+ skb = tcp_get_timestamping_opt_stats(sk);
+- else
++ opt_stats = true;
++ } else
+ #endif
+ skb = alloc_skb(0, GFP_ATOMIC);
+ } else {
+@@ -3888,7 +3893,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
+ else
+ skb->tstamp = ktime_get_real();
+
+- __skb_complete_tx_timestamp(skb, sk, tstype);
++ __skb_complete_tx_timestamp(skb, sk, tstype, opt_stats);
+ }
+ EXPORT_SYMBOL_GPL(__skb_tstamp_tx);
+
+
+diff --git a/net/socket.c b/net/socket.c
+index 02bd924..84e3f85 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -697,7 +697,7 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
+ put_cmsg(msg, SOL_SOCKET,
+ SCM_TIMESTAMPING, sizeof(tss), &tss);
+
+- if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
++ if (skb->len && SKB_EXT_ERR(skb)->opt_stats)
+ put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
+ skb->len, skb->data);
+ }
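Review bot: In the net/socket.c hunk, `SKB_EXT_ERR(skb)->opt_stats` is read from `skb->cb` without first establishing that the skb came from the socket error queue. The bit is only meaningful where `__skb_complete_tx_timestamp()` has zeroed and filled the control block. If `__sock_recv_timestamp()` is also reached for ordinary received skbs (its callers are outside the hunk, so this needs confirming), those bytes belong to whichever layer last used `cb`, and a stray set bit would copy `skb->len` bytes of payload to user space as `SCM_TIMESTAMPING_OPT_STATS`. The condition should be gated on an explicit error-queue test before the cast, with a comment such as `/* cb is a sock_exterr_skb only for error-queue skbs */` above it. The function body starts and ends outside the hunk.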
diff --git a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
new file mode 100644
index 000000000..1ede96c60
--- /dev/null
+++ b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
@@ -0,0 +1,33 @@
+From: Vladis Dronov <vdronov@redhat.com>
+Subject: [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl()
+Date: 2017-03-24 15:37:10
+
+In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a
+user-controlled value which is not checked for zero. It is used in
+a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR
+is dereferenced which leads to a GPF and possibly to a kernel panic.
+Add the check for zero to avoid this.
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+index b445ce9..42840cc 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
+ num_sizes += req->mip_levels[i];
+
+- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
+- DRM_VMW_MAX_MIP_LEVELS)
++ if (num_sizes <= 0 ||
++ num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS)
+ return -EINVAL;
+
+ size = vmw_user_surface_size + 128 +
+--
+2.9.3
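Review bot: The added `num_sizes <= 0` test in vmw_surface_define_ioctl() runs only after the loop has summed the user-supplied `req->mip_levels[i]` values with no per-face bound, so the total can wrap before it is range-checked. The declared type of `num_sizes` is outside the hunk, so the exact wrap behaviour needs confirming, but a wrapped sum could fall inside the accepted range while an individual face exceeds `DRM_VMW_MAX_MIP_LEVELS`. Bounding each element inside the loop, before the `+=`, closes that gap: `if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS) return -EINVAL;` (the loop body then needs braces). The function continues beyond the hunk, so later uses of `num_sizes` and `mip_levels` should be checked against the same assumption.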