author | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-03-30 20:29:41 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-03-30 20:29:41 +0200 |
commit | e8741c85835c1d0b529fd127e0929bd95ee043a0 (patch) | |
tree | 531d992510c146a015b02737cabcebd26190f908 | |
parent | 4e290ec2cf36c869b7fb97d61b766538f81f2f20 (diff) | |
parent | 793f3df674647e27c1445caea772af6f91d6f39b (diff) | |
Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedora
-rw-r--r-- | CVE-2017-7184.patch | 154 | ||||
-rw-r--r-- | genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch | 55 | ||||
-rw-r--r-- | kernel.spec | 10 | ||||
-rw-r--r-- | sources | 2 |
4 files changed, 162 insertions, 59 deletions
diff --git a/CVE-2017-7184.patch b/CVE-2017-7184.patch
new file mode 100644
index 000000000..b2d48b0a7
--- /dev/null
+++ b/CVE-2017-7184.patch
@@ -0,0 +1,154 @@
+From c282222a45cb9503cbfbebfdb60491f06ae84b49 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 8 Feb 2017 11:52:29 +0100
+Subject: xfrm: policy: init locks early
+
+From: Florian Westphal <fw@strlen.de>
+
+commit c282222a45cb9503cbfbebfdb60491f06ae84b49 upstream.
+
+Dmitry reports following splat:
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+ CPU: 0 PID: 13059 Comm: syz-executor1 Not tainted 4.10.0-rc7-next-20170207 #1
+[..]
+ spin_lock_bh include/linux/spinlock.h:304 [inline]
+ xfrm_policy_flush+0x32/0x470 net/xfrm/xfrm_policy.c:963
+ xfrm_policy_fini+0xbf/0x560 net/xfrm/xfrm_policy.c:3041
+ xfrm_net_init+0x79f/0x9e0 net/xfrm/xfrm_policy.c:3091
+ ops_init+0x10a/0x530 net/core/net_namespace.c:115
+ setup_net+0x2ed/0x690 net/core/net_namespace.c:291
+ copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
+ create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
+ unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
+ SYSC_unshare kernel/fork.c:2281 [inline]
+
+Problem is that when we get error during xfrm_net_init we will call
+xfrm_policy_fini which will acquire xfrm_policy_lock before it was
+initialized. Just move it around so locks get set up first.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: 283bc9f35bbbcb0e9 ("xfrm: Namespacify xfrm state/policy locks")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_policy.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3062,6 +3062,11 @@ static int __net_init xfrm_net_init(stru
+ {
+ int rv;
+
++ /* Initialize the per-net locks here */
++ spin_lock_init(&net->xfrm.xfrm_state_lock);
++ spin_lock_init(&net->xfrm.xfrm_policy_lock);
++ mutex_init(&net->xfrm.xfrm_cfg_mutex);
++
+ rv = xfrm_statistics_init(net);
+ if (rv < 0)
+ goto out_statistics;
+@@ -3078,11 +3083,6 @@ static int __net_init xfrm_net_init(stru
+ if (rv < 0)
+ goto out;
+
+- /* Initialize the per-net locks here */
+- spin_lock_init(&net->xfrm.xfrm_state_lock);
+- spin_lock_init(&net->xfrm.xfrm_policy_lock);
+- mutex_init(&net->xfrm.xfrm_cfg_mutex);
+-
+ return 0;
+
+ out:
+From 677e806da4d916052585301785d847c3b3e6186a Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Wed, 22 Mar 2017 07:29:31 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit 677e806da4d916052585301785d847c3b3e6186a upstream.
+
+When a new xfrm state is created during an XFRM_MSG_NEWSA call we
+validate the user supplied replay_esn to ensure that the size is valid
+and to ensure that the replay_window size is within the allocated
+buffer. However later it is possible to update this replay_esn via a
+XFRM_MSG_NEWAE call. There we again validate the size of the supplied
+buffer matches the existing state and if so inject the contents. We do
+not at this point check that the replay_window is within the allocated
+memory.
This leads to out-of-bounds reads and writes triggered by
+netlink packets. This leads to memory corruption and the potential for
+priviledge escalation.
+
+We already attempt to validate the incoming replay information in
+xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user
+is not trying to change the size of the replay state buffer which
+includes the replay_esn. It however does not check the replay_window
+remains within that buffer. Add validation of the contained
+replay_window.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len
+ if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ return -EINVAL;
+
++ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
++ return -EINVAL;
++
+ return 0;
+ }
+
+From f843ee6dd019bcece3e74e76ad9df0155655d0df Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Thu, 23 Mar 2017 07:45:44 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.
+
+Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
+wrapping issues. To ensure we are correctly ensuring that the two ESN
+structures are the same size compare both the overall size as reported
+by xfrm_replay_state_esn_len() and the internal length are the same.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len
+ up = nla_data(rp);
+ ulen = xfrm_replay_state_esn_len(up);
+
+- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
++ /* Check the overall length and the internal bitmap length to avoid
++ * potential overflow. */
++ if (nla_len(rp) < ulen ||
++ xfrm_replay_state_esn_len(replay_esn) != ulen ||
++ replay_esn->bmp_len != up->bmp_len)
+ return -EINVAL;
+
+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
diff --git a/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch b/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
deleted file mode 100644
index ab048d1c9..000000000
--- a/genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
+++ /dev/null
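Review bot: The `replay_window` bound added in the second patch, `if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)`, is only as strong as the bound on `bmp_len` itself: on an ILP32 build `size_t` is 32 bits, so a `bmp_len` of 2^27 or more wraps the product, and the third patch's `replay_esn->bmp_len != up->bmp_len` comparison pins `bmp_len` to whatever the state was created with rather than to a fixed maximum. Whether that is sufficient depends on the NEWSA-time validation in `verify_replay()`, which this backport does not touch and which is not visible here; as far as I recall upstream caps `bmp_len` there via `XFRMA_REPLAY_ESN_MAX`, which would make the wrap unreachable, but the dependency is worth recording next to the check with a comment such as `/* bmp_len was bounded at NEWSA time (verify_replay), so this product cannot wrap */`. The enclosing `xfrm_replay_verify_len()` starts and ends outside the quoted hunks. Since the file is a verbatim stable backport, this is a point to carry upstream rather than a change to make in this packaging commit.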
@@ -1,55 +0,0 @@
-From: Stanislaw Gruszka <sgruszka@redhat.com>
-Date: 2017-03-22 15:08:33
-Subject: [PATCH 4.11] genetlink: fix counting regression on ctrl_dumpfamily()
-
-Commit 2ae0f17df1cd ("genetlink: use idr to track families") replaced
-
- if (++n < fams_to_skip)
- continue;
-into:
-
- if (n++ < fams_to_skip)
- continue;
-
-This subtle change cause that on retry ctrl_dumpfamily() call we omit
-one family that failed to do ctrl_fill_info() on previous call, because
-cb->args[0] = n number counts also family that failed to do
-ctrl_fill_info().
-
-Patch fixes the problem and avoid confusion in the future just decrease
-n counter when ctrl_fill_info() fail.
-
-User visible problem caused by this bug is failure to get access to
-some genetlink family i.e. nl80211. However problem is reproducible
-only if number of registered genetlink families is big enough to
-cause second call of ctrl_dumpfamily().
-
-Cc: Xose Vazquez Perez <xose.vazquez@gmail.com>
-Cc: Larry Finger <Larry.Finger@lwfinger.net>
-Cc: Johannes Berg <johannes@sipsolutions.net>
-Fixes: 2ae0f17df1cd ("genetlink: use idr to track families")
-Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
----
-Dave, please also target this for 4.10+ -stable.
-
- net/netlink/genetlink.c | 4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
-index fb6e10f..92e0981 100644
---- a/net/netlink/genetlink.c
-+++ b/net/netlink/genetlink.c
-@@ -783,8 +783,10 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb)
-
- if (ctrl_fill_info(rt, NETLINK_CB(cb->skb).portid,
- cb->nlh->nlmsg_seq, NLM_F_MULTI,
-- skb, CTRL_CMD_NEWFAMILY) < 0)
-+ skb, CTRL_CMD_NEWFAMILY) < 0) {
-+ n--;
- break;
-+ }
- }
-
- cb->args[0] = n;
---
-1.7.1
diff --git a/kernel.spec b/kernel.spec
index d741a131f..f8c4f209d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -622,15 +622,15 @@ Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch #CVE-2017-2596 rhbz 1417812 1417813 Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch -#Fix crda rhbz 1422247 -Patch856: genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch - #CVE-2017-7261 rhbz 1435719 1435740 Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch #CVE-2017-7277 rhbz 1436629 1436661 Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch +#CVE-2017-7184 rhbz 1435153 1437469 +Patch859: CVE-2017-7184.patch + # END OF PATCH DEFINITIONS %endif @@ -2203,6 +2203,10 @@ fi # # %changelog +* Thu Mar 30 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.7-200 +- Linux v4.10.7 +- CVE-2017-7184 Out-of-bounds heap access in xfrm (rhbz 1435153 1437469) + * Tue Mar 28 2017 Justin M. Forbes <jforbes@fedoraproject.org> - CVE-2017-7277 SCM_TIMESTAMPING_OPT_STATS feature causes out-of-bounds read (rhbz 1436629 1436661) @@ -1,3 +1,3 @@ SHA512 (linux-4.10.tar.xz) = c3690125a8402df638095bd98a613fcf1a257b81de7611c84711d315cd11e2634ab4636302b3742aedf1e3ba9ce0fea53fe8c7d48e37865d8ee5db3565220d90 SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8 -SHA512 (patch-4.10.6.xz) = 801a5a95b99fbfcfc969384161fe90ddd3edfbc76300e29279b0fe9dfb20d2a084bd0e80a5dfe67e77bfbb402cc1f61683cd0cc4ca0463dd83cda063bb62da78 +SHA512 (patch-4.10.7.xz) = 80482c78a38c71d186cb6f90667c96b01027cce448473225ffc44f59fb6ce8226424ece54197081241837df9db410fd93dc8d6e6666ee2bbf53b2bc5c80aba93 |
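Review bot: The removal of `Patch856: genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch` (and its `#Fix crda rhbz 1422247` comment) in the first kernel.spec hunk has no matching line in the new `%changelog` entry, which records only the v4.10.7 bump and CVE-2017-7184. If the patch was dropped because the 4.10.7 stable update already carries the genetlink fix, which is my guess from the `sources` change in the same commit, a line such as `- Drop genetlink ctrl_dumpfamily patch, fixed in 4.10.7 (rhbz 1422247)` would let anyone tracing rhbz 1422247 through the spec history see where it went. The new `#CVE-2017-7184 rhbz 1435153 1437469` comment could also note that `CVE-2017-7184.patch` bundles three stable patches, including the `xfrm: policy: init locks early` change whose description does not carry the CVE tag, so it is not trimmed out by mistake later.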