author | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-07-21 20:00:30 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-07-21 20:00:30 +0200 |
commit | e72e8cc438783932e6affbf6c4b5fc7f7f326d8e (patch) | |
tree | 5d2c4a1b53495e0286f13edf3eefee66b2533b59 | |
parent | 4e8f61f99908bcf1b1f9bc928bb4106ab9b3e00d (diff) | |
parent | 3fa8616de389c66cc07be1d078e12fe59a8464f1 (diff) | |
Merge remote-tracking branch 'origin/f24' into f24-user-thl-vanilla-fedorakernel-4.11.12-100.vanilla.knurd.1.fc24
-rw-r--r-- | 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch | 54 | ||||
-rw-r--r-- | CVE-2017-11473.patch | 48 | ||||
-rw-r--r-- | kernel.spec | 17 | ||||
-rw-r--r-- | sources | 2 |
4 files changed, 118 insertions, 3 deletions
diff --git a/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
new file mode 100644
index 000000000..be8b6c6a0
--- /dev/null
+++ b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
@@ -0,0 +1,54 @@
+From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 19 Jul 2017 22:28:55 +0200
+Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt
+
+In some cases, offset can overflow and can cause an infinite loop in
+ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
+cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
+
+This problem has been here since before the beginning of git history.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/output_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index e9065b8..abb2c30 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
+
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+- u16 offset = sizeof(struct ipv6hdr);
++ unsigned int offset = sizeof(struct ipv6hdr);
+ unsigned int packet_len = skb_tail_pointer(skb) -
+ skb_network_header(skb);
+ int found_rhdr = 0;
+@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ while (offset <= packet_len) {
+ struct ipv6_opt_hdr *exthdr;
++ unsigned int len;
+
+ switch (**nexthdr) {
+
+@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ offset);
+- offset += ipv6_optlen(exthdr);
++ len = ipv6_optlen(exthdr);
++ if (len + offset >= IPV6_MAXPLEN)
++ return -EINVAL;
++ offset += len;
+ *nexthdr = &exthdr->nexthdr;
+ }
+
+--
+2.9.4
+
diff --git a/CVE-2017-11473.patch b/CVE-2017-11473.patch
new file mode 100644
index 000000000..e3e0658a4
--- /dev/null
+++ b/CVE-2017-11473.patch
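Review bot: The new `return -EINVAL` in the last hunk of the embedded ip6_find_1stfragopt patch is only safe if every caller treats a negative return as an error rather than as a header offset; the callers are outside this patch, so that should be confirmed for the tree it is applied to. The cap also carries no comment: something like `/* offset used to be u16 and could wrap, looping forever; anything at or past IPV6_MAXPLEN is invalid */` above `if (len + offset >= IPV6_MAXPLEN)` would record why the bound is IPV6_MAXPLEN and not packet_len. The function body starts and ends outside the hunks shown.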
@@ -0,0 +1,48 @@
+From 70ac67826602edf8c0ccb413e5ba7eacf597a60c Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 18 Jul 2017 20:03:51 +0900
+Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
+
+The bus_irq argument of mp_override_legacy_irq() is used as the index into
+the isa_irq_to_gsi[] array. The bus_irq argument originates from
+ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
+tables, but is nowhere sanity checked.
+
+That allows broken or malicious ACPI tables to overwrite memory, which
+might cause malfunction, panic or arbitrary code execution.
+
+Add a sanity check and emit a warning when that triggers.
+
+[ tglx: Added warning and rewrote changelog ]
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: security@kernel.org
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: stable@vger.kernel.org
+---
+ arch/x86/kernel/acpi/boot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
+index 6bb6806..7491e73 100644
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -347,6 +347,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
+ struct mpc_intsrc mp_irq;
+
+ /*
++ * Check bus_irq boundary.
++ */
++ if (bus_irq >= NR_IRQS_LEGACY) {
++ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
++ return;
++ }
++
++ /*
+ * Convert 'gsi' to 'ioapic.pin'.
+ */
+ ioapic = mp_find_ioapic(gsi);
+--
+cgit v1.1
+
diff --git a/kernel.spec b/kernel.spec
index d2dcdee4f..9e8251109 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -59,7 +59,7 @@ Summary: The Linux kernel # Do we have a -stable update to apply? -%define stable_update 11 +%define stable_update 12 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update}
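Review bot: The bound in the added check, `bus_irq >= NR_IRQS_LEGACY`, is tied to the array only by convention. The commit message says bus_irq indexes isa_irq_to_gsi[], whose declaration is outside the hunk, so the guard is correct only while that array has NR_IRQS_LEGACY entries. Writing it as `if (bus_irq >= ARRAY_SIZE(isa_irq_to_gsi)) {` would keep the guard right if the array size ever changes. The comment `Check bus_irq boundary.` restates the code; `/* bus_irq comes from the ACPI MADT and indexes isa_irq_to_gsi[]; reject out-of-range values */` would record why the check exists. mp_override_legacy_irq() begins and continues outside the hunk.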
@@ -652,6 +652,12 @@ Patch683: RFC-audit-fix-a-race-condition-with-the-auditd-tracking-code.patch # rhbz 1458599 Patch685: 0001-ACPI-LPSS-Only-call-pwm_add_table-for-the-first-PWM-.patch +# CVE-2017-7542 rhbz 1473649 1473650 +Patch701: 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch + +# CVE-2017-11473 rhbz 1473209 147310 +Patch702: CVE-2017-11473.patch + # END OF PATCH DEFINITIONS %endif @@ -2219,7 +2225,14 @@ fi # # %changelog -* Mon Jul 17 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.11-200 +* Fri Jul 21 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.12-100 +- Linux v4.11.12 + +* Fri Jul 21 2017 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2017-7542 (rhbz 1473649 1473650) +- Fix CVE-2017-11473 (rhbz 1473209 147310) + +* Mon Jul 17 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.11-100 - Linux v4.11.11 - Bring back /dev/port (rhbz 1471429 1451220) @@ -1,3 +1,3 @@ SHA512 (perf-man-4.11.tar.gz) = 0b070d2f10a743329de2f532e2d7e19ef385a3e6ef3c700b591ae2697604dbe542b36e31121b3e37517ee8071ab800386fa8663c24a5b36520a18e096c6eefc8 SHA512 (linux-4.11.tar.xz) = 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3 -SHA512 (patch-4.11.11.xz) = 63b7ce0446de9b4651d795e172dc3aa07189b6bc888c25767e313a6f4aa5459a09985e65f06a6c795230899d6aa64e905249775b45261823a1907e3fa18a3974 +SHA512 (patch-4.11.12.xz) = ee9c5ac45896d84739c679834fcd15dfc46f9e939dcefd54ba049ac47168d71f0af680153615de002a2073ba79e44a9214f74af17ed16aa97d85e6df157fc6e8 |
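Review bot: The bug reference `147310` in the added comment `# CVE-2017-11473 rhbz 1473209 147310` has six digits while every other rhbz id in these hunks has seven, so it looks as if a digit was dropped. The same value is repeated in the %changelog entry `- Fix CVE-2017-11473 (rhbz 1473209 147310)`. Both should be checked against the tracker and corrected so the CVE annotation can be traced to the right bug.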