authorThorsten Leemhuis <fedora@leemhuis.info>2017-07-21 20:00:30 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2017-07-21 20:00:30 +0200
commite72e8cc438783932e6affbf6c4b5fc7f7f326d8e (patch)
tree5d2c4a1b53495e0286f13edf3eefee66b2533b59
parent4e8f61f99908bcf1b1f9bc928bb4106ab9b3e00d (diff)
parent3fa8616de389c66cc07be1d078e12fe59a8464f1 (diff)
Merge remote-tracking branch 'origin/f24' into f24-user-thl-vanilla-fedorakernel-4.11.12-100.vanilla.knurd.1.fc24
-rw-r--r--0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch54
-rw-r--r--CVE-2017-11473.patch48
-rw-r--r--kernel.spec17
-rw-r--r--sources2
4 files changed, 118 insertions, 3 deletions
diff --git a/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
new file mode 100644
index 000000000..be8b6c6a0
--- /dev/null
+++ b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
@@ -0,0 +1,54 @@
+From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 19 Jul 2017 22:28:55 +0200
+Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt
+
+In some cases, offset can overflow and can cause an infinite loop in
+ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
+cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
+
+This problem has been here since before the beginning of git history.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/output_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index e9065b8..abb2c30 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
+
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+- u16 offset = sizeof(struct ipv6hdr);
++ unsigned int offset = sizeof(struct ipv6hdr);
+ unsigned int packet_len = skb_tail_pointer(skb) -
+ skb_network_header(skb);
+ int found_rhdr = 0;
+@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ while (offset <= packet_len) {
+ struct ipv6_opt_hdr *exthdr;
++ unsigned int len;
+
+ switch (**nexthdr) {
+
+@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ offset);
+- offset += ipv6_optlen(exthdr);
++ len = ipv6_optlen(exthdr);
++ if (len + offset >= IPV6_MAXPLEN)
++ return -EINVAL;
++ offset += len;
+ *nexthdr = &exthdr->nexthdr;
+ }
+
+--
+2.9.4
+
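Review bot: The new early exit `return -EINVAL;` inside the loop of ip6_find_1stfragopt() means the function's int result is either a header offset or a negative errno, and nothing in the hunk documents that. The callers are outside this hunk, so it is worth confirming that each one tests for a negative return before using the value as an offset into the packet. I would also add a comment above the check that records why it exists, for example `/* extension header lengths come from the packet; keep offset below IPV6_MAXPLEN so it cannot wrap and loop forever */`. The function body starts and ends outside the visible hunks.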
diff --git a/CVE-2017-11473.patch b/CVE-2017-11473.patch
new file mode 100644
index 000000000..e3e0658a4
--- /dev/null
+++ b/CVE-2017-11473.patch
@@ -0,0 +1,48 @@
+From 70ac67826602edf8c0ccb413e5ba7eacf597a60c Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 18 Jul 2017 20:03:51 +0900
+Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
+
+The bus_irq argument of mp_override_legacy_irq() is used as the index into
+the isa_irq_to_gsi[] array. The bus_irq argument originates from
+ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
+tables, but is nowhere sanity checked.
+
+That allows broken or malicious ACPI tables to overwrite memory, which
+might cause malfunction, panic or arbitrary code execution.
+
+Add a sanity check and emit a warning when that triggers.
+
+[ tglx: Added warning and rewrote changelog ]
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: security@kernel.org
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: stable@vger.kernel.org
+---
+ arch/x86/kernel/acpi/boot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
+index 6bb6806..7491e73 100644
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -347,6 +347,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
+ struct mpc_intsrc mp_irq;
+
+ /*
++ * Check bus_irq boundary.
++ */
++ if (bus_irq >= NR_IRQS_LEGACY) {
++ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
++ return;
++ }
++
++ /*
+ * Convert 'gsi' to 'ioapic.pin'.
+ */
+ ioapic = mp_find_ioapic(gsi);
+--
+cgit v1.1
+
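Review bot: The added guard in mp_override_legacy_irq() compares `bus_irq` with NR_IRQS_LEGACY, but the array it protects (isa_irq_to_gsi[], per the changelog) is declared outside this hunk, so the check is only as good as the assumption that the array has exactly NR_IRQS_LEGACY entries. If the array is visible as a true array at this point, tying the bound to it keeps the two from drifting apart: `if (bus_irq >= ARRAY_SIZE(isa_irq_to_gsi)) {`. The comment `Check bus_irq boundary.` only restates the code; something like `/* bus_irq comes from the firmware's ACPI tables and indexes isa_irq_to_gsi[]; reject out-of-range values */` would record why the check is there. The function continues past the end of the hunk.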
diff --git a/kernel.spec b/kernel.spec
index d2dcdee4f..9e8251109 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -59,7 +59,7 @@ Summary: The Linux kernel
# Do we have a -stable update to apply?
-%define stable_update 11
+%define stable_update 12
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -652,6 +652,12 @@ Patch683: RFC-audit-fix-a-race-condition-with-the-auditd-tracking-code.patch
# rhbz 1458599
Patch685: 0001-ACPI-LPSS-Only-call-pwm_add_table-for-the-first-PWM-.patch
+# CVE-2017-7542 rhbz 1473649 1473650
+Patch701: 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+
+# CVE-2017-11473 rhbz 1473209 147310
+Patch702: CVE-2017-11473.patch
+
# END OF PATCH DEFINITIONS
%endif
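Review bot: The bug reference in the comment `# CVE-2017-11473 rhbz 1473209 147310` looks truncated: the other Bugzilla ids in this hunk have seven digits and `147310` has six, so the second id is probably missing a digit. The same string appears in the %changelog entry `- Fix CVE-2017-11473 (rhbz 1473209 147310)` in the next hunk. These comments are the only link between the carried patch and its tracking bugs, so the id should be checked against the tracker and corrected in both places; I have not guessed the missing digit.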
@@ -2219,7 +2225,14 @@ fi
#
#
%changelog
-* Mon Jul 17 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.11-200
+* Fri Jul 21 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.12-100
+- Linux v4.11.12
+
+* Fri Jul 21 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2017-7542 (rhbz 1473649 1473650)
+- Fix CVE-2017-11473 (rhbz 1473209 147310)
+
+* Mon Jul 17 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.11-100
- Linux v4.11.11
- Bring back /dev/port (rhbz 1471429 1451220)
diff --git a/sources b/sources
index f0afac622..f43c1bc1c 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
SHA512 (perf-man-4.11.tar.gz) = 0b070d2f10a743329de2f532e2d7e19ef385a3e6ef3c700b591ae2697604dbe542b36e31121b3e37517ee8071ab800386fa8663c24a5b36520a18e096c6eefc8
SHA512 (linux-4.11.tar.xz) = 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3
-SHA512 (patch-4.11.11.xz) = 63b7ce0446de9b4651d795e172dc3aa07189b6bc888c25767e313a6f4aa5459a09985e65f06a6c795230899d6aa64e905249775b45261823a1907e3fa18a3974
+SHA512 (patch-4.11.12.xz) = ee9c5ac45896d84739c679834fcd15dfc46f9e939dcefd54ba049ac47168d71f0af680153615de002a2073ba79e44a9214f74af17ed16aa97d85e6df157fc6e8