authorThorsten Leemhuis <fedora@leemhuis.info>2017-03-30 20:29:41 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2017-03-30 20:29:41 +0200
commite8741c85835c1d0b529fd127e0929bd95ee043a0 (patch)
tree531d992510c146a015b02737cabcebd26190f908
parent4e290ec2cf36c869b7fb97d61b766538f81f2f20 (diff)
parent793f3df674647e27c1445caea772af6f91d6f39b (diff)
Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedora
-rw-r--r--CVE-2017-7184.patch154
-rw-r--r--genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch55
-rw-r--r--kernel.spec10
-rw-r--r--sources2
4 files changed, 162 insertions, 59 deletions
diff --git a/CVE-2017-7184.patch b/CVE-2017-7184.patch
new file mode 100644
index 000000000..b2d48b0a7
--- /dev/null
+++ b/CVE-2017-7184.patch
@@ -0,0 +1,154 @@
+From c282222a45cb9503cbfbebfdb60491f06ae84b49 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 8 Feb 2017 11:52:29 +0100
+Subject: xfrm: policy: init locks early
+
+From: Florian Westphal <fw@strlen.de>
+
+commit c282222a45cb9503cbfbebfdb60491f06ae84b49 upstream.
+
+Dmitry reports following splat:
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+ CPU: 0 PID: 13059 Comm: syz-executor1 Not tainted 4.10.0-rc7-next-20170207 #1
+[..]
+ spin_lock_bh include/linux/spinlock.h:304 [inline]
+ xfrm_policy_flush+0x32/0x470 net/xfrm/xfrm_policy.c:963
+ xfrm_policy_fini+0xbf/0x560 net/xfrm/xfrm_policy.c:3041
+ xfrm_net_init+0x79f/0x9e0 net/xfrm/xfrm_policy.c:3091
+ ops_init+0x10a/0x530 net/core/net_namespace.c:115
+ setup_net+0x2ed/0x690 net/core/net_namespace.c:291
+ copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
+ create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
+ unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
+ SYSC_unshare kernel/fork.c:2281 [inline]
+
+Problem is that when we get error during xfrm_net_init we will call
+xfrm_policy_fini which will acquire xfrm_policy_lock before it was
+initialized. Just move it around so locks get set up first.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: 283bc9f35bbbcb0e9 ("xfrm: Namespacify xfrm state/policy locks")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_policy.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3062,6 +3062,11 @@ static int __net_init xfrm_net_init(stru
+ {
+ int rv;
+
++ /* Initialize the per-net locks here */
++ spin_lock_init(&net->xfrm.xfrm_state_lock);
++ spin_lock_init(&net->xfrm.xfrm_policy_lock);
++ mutex_init(&net->xfrm.xfrm_cfg_mutex);
++
+ rv = xfrm_statistics_init(net);
+ if (rv < 0)
+ goto out_statistics;
+@@ -3078,11 +3083,6 @@ static int __net_init xfrm_net_init(stru
+ if (rv < 0)
+ goto out;
+
+- /* Initialize the per-net locks here */
+- spin_lock_init(&net->xfrm.xfrm_state_lock);
+- spin_lock_init(&net->xfrm.xfrm_policy_lock);
+- mutex_init(&net->xfrm.xfrm_cfg_mutex);
+-
+ return 0;
+
+ out:
+From 677e806da4d916052585301785d847c3b3e6186a Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Wed, 22 Mar 2017 07:29:31 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit 677e806da4d916052585301785d847c3b3e6186a upstream.
+
+When a new xfrm state is created during an XFRM_MSG_NEWSA call we
+validate the user supplied replay_esn to ensure that the size is valid
+and to ensure that the replay_window size is within the allocated
+buffer. However later it is possible to update this replay_esn via a
+XFRM_MSG_NEWAE call. There we again validate the size of the supplied
+buffer matches the existing state and if so inject the contents. We do
+not at this point check that the replay_window is within the allocated
+memory. This leads to out-of-bounds reads and writes triggered by
+netlink packets. This leads to memory corruption and the potential for
+priviledge escalation.
+
+We already attempt to validate the incoming replay information in
+xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user
+is not trying to change the size of the replay state buffer which
+includes the replay_esn. It however does not check the replay_window
+remains within that buffer. Add validation of the contained
+replay_window.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len
+ if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ return -EINVAL;
+
++ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
++ return -EINVAL;
++
+ return 0;
+ }
+
+From f843ee6dd019bcece3e74e76ad9df0155655d0df Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Thu, 23 Mar 2017 07:45:44 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.
+
+Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
+wrapping issues. To ensure we are correctly ensuring that the two ESN
+structures are the same size compare both the overall size as reported
+by xfrm_replay_state_esn_len() and the internal length are the same.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len
+ up = nla_data(rp);
+ ulen = xfrm_replay_state_esn_len(up);
+
+- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
++ /* Check the overall length and the internal bitmap length to avoid
++ * potential overflow. */
++ if (nla_len(rp) < ulen ||
++ xfrm_replay_state_esn_len(replay_esn) != ulen ||
++ replay_esn->bmp_len != up->bmp_len)
+ return -EINVAL;
+
+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
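Review bot: The new patch file bundles three upstream commits, but only the two xfrm_user.c changes (677e806d and f843ee6d) carry the CVE-2017-7184 tag; the first one, c282222a "xfrm: policy: init locks early", fixes a lockdep splat on the xfrm_net_init error path and appears to be included as a prerequisite or stable companion rather than as part of the CVE fix. Neither the patch file nor the kernel.spec comment that references it records that, so a later cleanup could drop or split it by mistake. A one-line note at the top of the patch file, or widening the spec comment to `#CVE-2017-7184 rhbz 1435153 1437469 (also carries upstream c282222a "xfrm: policy: init locks early")`, would make the intent explicit. The two CVE commits also belong together: the bmp_len equality test the third commit adds ahead of the replay_window bound is what closes the length-wrapping concern described in its message, so the file should stay one unit.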
diff --git a/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch b/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
deleted file mode 100644
index ab048d1c9..000000000
--- a/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Stanislaw Gruszka <sgruszka@redhat.com>
-Date: 2017-03-22 15:08:33
-Subject: [PATCH 4.11] genetlink: fix counting regression on ctrl_dumpfamily()
-
-Commit 2ae0f17df1cd ("genetlink: use idr to track families") replaced
-
- if (++n < fams_to_skip)
- continue;
-into:
-
- if (n++ < fams_to_skip)
- continue;
-
-This subtle change cause that on retry ctrl_dumpfamily() call we omit
-one family that failed to do ctrl_fill_info() on previous call, because
-cb->args[0] = n number counts also family that failed to do
-ctrl_fill_info().
-
-Patch fixes the problem and avoid confusion in the future just decrease
-n counter when ctrl_fill_info() fail.
-
-User visible problem caused by this bug is failure to get access to
-some genetlink family i.e. nl80211. However problem is reproducible
-only if number of registered genetlink families is big enough to
-cause second call of ctrl_dumpfamily().
-
-Cc: Xose Vazquez Perez <xose.vazquez@gmail.com>
-Cc: Larry Finger <Larry.Finger@lwfinger.net>
-Cc: Johannes Berg <johannes@sipsolutions.net>
-Fixes: 2ae0f17df1cd ("genetlink: use idr to track families")
-Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
----
-Dave, please also target this for 4.10+ -stable.
-
- net/netlink/genetlink.c | 4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
-index fb6e10f..92e0981 100644
---- a/net/netlink/genetlink.c
-+++ b/net/netlink/genetlink.c
-@@ -783,8 +783,10 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb)
-
- if (ctrl_fill_info(rt, NETLINK_CB(cb->skb).portid,
- cb->nlh->nlmsg_seq, NLM_F_MULTI,
-- skb, CTRL_CMD_NEWFAMILY) < 0)
-+ skb, CTRL_CMD_NEWFAMILY) < 0) {
-+ n--;
- break;
-+ }
- }
-
- cb->args[0] = n;
---
-1.7.1
diff --git a/kernel.spec b/kernel.spec
index d741a131f..f8c4f209d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -622,15 +622,15 @@ Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch
#CVE-2017-2596 rhbz 1417812 1417813
Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
-#Fix crda rhbz 1422247
-Patch856: genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
-
#CVE-2017-7261 rhbz 1435719 1435740
Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
#CVE-2017-7277 rhbz 1436629 1436661
Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
+#CVE-2017-7184 rhbz 1435153 1437469
+Patch859: CVE-2017-7184.patch
+
# END OF PATCH DEFINITIONS
%endif
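Review bot: The removal of Patch856 (genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch) together with its `#Fix crda rhbz 1422247` comment is not recorded in the changelog entry added further down, which lists only the 4.10.7 rebase and CVE-2017-7184. Presumably the genetlink fix landed in stable 4.10.7 and the local patch became redundant, but that is inferred here, not stated anywhere in the change. Adding a line such as `- Drop genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch, now in 4.10.7 (rhbz 1422247)` to the changelog would keep the bug reference traceable.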
@@ -2203,6 +2203,10 @@ fi
#
#
%changelog
+* Thu Mar 30 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.7-200
+- Linux v4.10.7
+- CVE-2017-7184 Out-of-bounds heap access in xfrm (rhbz 1435153 1437469)
+
* Tue Mar 28 2017 Justin M. Forbes <jforbes@fedoraproject.org>
- CVE-2017-7277 SCM_TIMESTAMPING_OPT_STATS feature causes out-of-bounds read (rhbz 1436629 1436661)
diff --git a/sources b/sources
index fc8592d97..b077c3d8f 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
SHA512 (linux-4.10.tar.xz) = c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90
SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
-SHA512 (patch-4.10.6.xz) = 801a5a95b99fbfcfc969384161fe90ddd3edfbc76300e29279b0fe9dfb20d2a084bd0e80a5dfe67e77bfbb402cc1f61683cd0cc4ca0463dd83cda063bb62da78
+SHA512 (patch-4.10.7.xz) = 80482c78a38c71d186cb6f90667c96b01027cce448473225ffc44f59fb6ce8226424ece54197081241837df9db410fd93dc8d6e6666ee2bbf53b2bc5c80aba93