diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-03-30 11:56:25 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-03-30 11:56:25 +0200 |
commit | b8094f7be45cadc6c57f46e5e24af6d1a5d78ccf (patch) | |
tree | c0ded9121ad16ced020ca6d00e4f6541fe961d88 | |
parent | 7d859f9a40a55ed84e9c575bfd253d308d3b8755 (diff) | |
parent | ad101ecee0496d943cce55e4e34e9fd2da397ba0 (diff) | |
download | kernel-b8094f7be45cadc6c57f46e5e24af6d1a5d78ccf.tar.gz kernel-b8094f7be45cadc6c57f46e5e24af6d1a5d78ccf.tar.xz kernel-b8094f7be45cadc6c57f46e5e24af6d1a5d78ccf.zip |
Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedora
-rw-r--r-- | kernel.spec | 12 | ||||
-rw-r--r-- | tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch | 119 | ||||
-rw-r--r-- | vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch | 33 |
3 files changed, 164 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 380697376..5117a1c81 100644 --- a/kernel.spec +++ b/kernel.spec @@ -625,6 +625,12 @@ Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch #Fix crda rhbz 1422247 Patch856: genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch +#CVE-2017-7261 rhbz 1435719 1435740 +Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch + +#CVE-2017-7277 rhbz 1436629 1436661 +Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch + # END OF PATCH DEFINITIONS %endif @@ -2197,6 +2203,12 @@ fi # # %changelog +* Tue Mar 28 2017 Justin M. Forbes <jforbes@fedoraproject.org> +- CVE-2017-7277 SCM_TIMESTAMPING_OPT_STATS feature causes out-of-bounds read (rhbz 1436629 1436661) + +* Mon Mar 27 2017 Justin M. Forbes <jforbes@fedoraproject.org> +- CVE-2017-7261 vmwgfx: check that number of mip levels is above zero (rhbz 1435719 1435740) + * Mon Mar 27 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.6-200 - Linux v4.10.6 diff --git a/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch b/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch new file mode 100644 index 000000000..9eabfc098 --- /dev/null +++ b/tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch @@ -0,0 +1,119 @@ +From 4ef1b2869447411ad3ef91ad7d4891a83c1a509a Mon Sep 17 00:00:00 2001 +From: Soheil Hassas Yeganeh <soheil@google.com> +Date: Sat, 18 Mar 2017 17:03:00 -0400 +Subject: [PATCH] tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS + +SOF_TIMESTAMPING_OPT_STATS can be enabled and disabled +while packets are collected on the error queue. +So, checking SOF_TIMESTAMPING_OPT_STATS in sk->sk_tsflags +is not enough to safely assume that the skb contains +OPT_STATS data. + +Add a bit in sock_exterr_skb to indicate whether the +skb contains opt_stats data. + +Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING") +Reported-by: JongHwan Kim <zzoru007@gmail.com> +Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + include/linux/errqueue.h | 2 ++ + net/core/skbuff.c | 17 +++++++++++------ + net/socket.c | 2 +- + 3 files changed, 14 insertions(+), 7 deletions(-) + +diff --git a/include/linux/errqueue.h b/include/linux/errqueue.h +index 9ca23fc..6fdfc88 100644 +--- a/include/linux/errqueue.h ++++ b/include/linux/errqueue.h +@@ -20,6 +20,8 @@ struct sock_exterr_skb { + struct sock_extended_err ee; + u16 addr_offset; + __be16 port; ++ u8 opt_stats:1, ++ unused:7; + }; + + #endif +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index b1fbd19..9f78109 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3793,16 +3793,20 @@ EXPORT_SYMBOL(skb_clone_sk); + + static void __skb_complete_tx_timestamp(struct sk_buff *skb, + struct sock *sk, +- int tstype) ++ int tstype, ++ bool opt_stats) + { + struct sock_exterr_skb *serr; + int err; + ++ BUILD_BUG_ON(sizeof(struct sock_exterr_skb) > sizeof(skb->cb)); ++ + serr = SKB_EXT_ERR(skb); + memset(serr, 0, sizeof(*serr)); + serr->ee.ee_errno = ENOMSG; + serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING; + serr->ee.ee_info = tstype; ++ serr->opt_stats = opt_stats; + if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { + serr->ee.ee_data = skb_shinfo(skb)->tskey; + if (sk->sk_protocol == IPPROTO_TCP && +@@ -3843,7 +3847,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb, + */ + if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) { + *skb_hwtstamps(skb) = *hwtstamps; +- __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND); ++ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false); + sock_put(sk); + } + } +@@ -3854,7 +3858,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, + struct sock *sk, int tstype) + { + struct sk_buff *skb; +- bool tsonly; ++ bool tsonly, opt_stats = false; + + if (!sk) + return; +@@ -3867,9 +3871,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, + #ifdef CONFIG_INET + if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) && + sk->sk_protocol == IPPROTO_TCP && +- sk->sk_type == SOCK_STREAM) ++ sk->sk_type == SOCK_STREAM) { + skb = tcp_get_timestamping_opt_stats(sk); +- else ++ opt_stats = true; ++ } else + #endif + skb = alloc_skb(0, GFP_ATOMIC); + } else { +@@ -3888,7 +3893,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, + else + skb->tstamp = ktime_get_real(); + +- __skb_complete_tx_timestamp(skb, sk, tstype); ++ __skb_complete_tx_timestamp(skb, sk, tstype, opt_stats); + } + EXPORT_SYMBOL_GPL(__skb_tstamp_tx); + + +diff --git a/net/socket.c b/net/socket.c +index 02bd924..84e3f85 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -697,7 +697,7 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk, + put_cmsg(msg, SOL_SOCKET, + SCM_TIMESTAMPING, sizeof(tss), &tss); + +- if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS)) ++ if (skb->len && SKB_EXT_ERR(skb)->opt_stats) + put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS, + skb->len, skb->data); + } diff --git a/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch new file mode 100644 index 000000000..1ede96c60 --- /dev/null +++ b/vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch @@ -0,0 +1,33 @@ +From: Vladis Dronov <vdronov@redhat.com> +Subject: [PATCH] drm/vmwgfx: Check check that number of mip levels is above zero in vmw_surface_define_ioctl() +Date: 2017-03-24 15:37:10 + +In vmw_surface_define_ioctl(), a num_sizes parameter is assigned a +user-controlled value which is not checked for zero. It is used in +a call to kmalloc() which returns ZERO_SIZE_PTR. Later ZERO_SIZE_PTR +is dereferenced which leads to a GPF and possibly to a kernel panic. +Add the check for zero to avoid this. + +Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1435719 +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +index b445ce9..42840cc 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, + for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) + num_sizes += req->mip_levels[i]; + +- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * +- DRM_VMW_MAX_MIP_LEVELS) ++ if (num_sizes <= 0 || ++ num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS) + return -EINVAL; + + size = vmw_user_surface_size + 128 + +-- +2.9.3 |