author | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-07-21 20:00:09 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-07-21 20:00:09 +0200 |
commit | ac94a4c4bf442567c9a2330d56732b6185319b4c (patch) | |
tree | 89b5ac140514bcd1324c3dc44efee4887d0a9361 | |
parent | b2d0497534f2778ca8da58a15e83f2c6f1044bab (diff) | |
parent | 75638e4e226b3c42b33ce1d950ab721812e6f316 (diff) | |
download | kernel-ac94a4c4bf442567c9a2330d56732b6185319b4c.tar.gz kernel-ac94a4c4bf442567c9a2330d56732b6185319b4c.tar.xz kernel-ac94a4c4bf442567c9a2330d56732b6185319b4c.zip |
Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedorakernel-4.11.12-200.vanilla.knurd.1.fc25
-rw-r--r-- | 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch | 54 | ||||
-rw-r--r-- | CVE-2017-11473.patch | 48 | ||||
-rw-r--r-- | kernel.spec | 15 | ||||
-rw-r--r-- | sources | 2 |
4 files changed, 117 insertions, 2 deletions
diff --git a/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
new file mode 100644
index 000000000..be8b6c6a0
--- /dev/null
+++ b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
@@ -0,0 +1,54 @@
+From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 19 Jul 2017 22:28:55 +0200
+Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt
+
+In some cases, offset can overflow and can cause an infinite loop in
+ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
+cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
+
+This problem has been here since before the beginning of git history.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/output_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index e9065b8..abb2c30 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
+
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+- u16 offset = sizeof(struct ipv6hdr);
++ unsigned int offset = sizeof(struct ipv6hdr);
+ unsigned int packet_len = skb_tail_pointer(skb) -
+ skb_network_header(skb);
+ int found_rhdr = 0;
+@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ while (offset <= packet_len) {
+ struct ipv6_opt_hdr *exthdr;
++ unsigned int len;
+
+ switch (**nexthdr) {
+
+@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ offset);
+- offset += ipv6_optlen(exthdr);
++ len = ipv6_optlen(exthdr);
++ if (len + offset >= IPV6_MAXPLEN)
++ return -EINVAL;
++ offset += len;
+ *nexthdr = &exthdr->nexthdr;
+ }
+
+--
+2.9.4
+
diff --git a/CVE-2017-11473.patch b/CVE-2017-11473.patch
new file mode 100644
index 000000000..e3e0658a4
--- /dev/null
+++ b/CVE-2017-11473.patch
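Review bot: The added `return -EINVAL;` in the third inner hunk of the ipv6 patch gives ip6_find_1stfragopt() an error return whose handling cannot be checked from here. The function's other return statements and all of its callers lie outside the hunks, so it is worth confirming against the 4.11.12 base that every caller tests for a negative result before using the value as a header offset. The bound would also be easier to audit with its reason attached, for example `/* len is read from the packet; bound the running offset so it cannot wrap */` above `if (len + offset >= IPV6_MAXPLEN)`.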
@@ -0,0 +1,48 @@
+From 70ac67826602edf8c0ccb413e5ba7eacf597a60c Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 18 Jul 2017 20:03:51 +0900
+Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
+
+The bus_irq argument of mp_override_legacy_irq() is used as the index into
+the isa_irq_to_gsi[] array. The bus_irq argument originates from
+ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
+tables, but is nowhere sanity checked.
+
+That allows broken or malicious ACPI tables to overwrite memory, which
+might cause malfunction, panic or arbitrary code execution.
+
+Add a sanity check and emit a warning when that triggers.
+
+[ tglx: Added warning and rewrote changelog ]
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: security@kernel.org
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: stable@vger.kernel.org
+---
+ arch/x86/kernel/acpi/boot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
+index 6bb6806..7491e73 100644
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -347,6 +347,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
+ struct mpc_intsrc mp_irq;
+
+ /*
++ * Check bus_irq boundary.
++ */
++ if (bus_irq >= NR_IRQS_LEGACY) {
++ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
++ return;
++ }
++
++ /*
+ * Convert 'gsi' to 'ioapic.pin'.
+ */
+ ioapic = mp_find_ioapic(gsi);
+--
+cgit v1.1
+
diff --git a/kernel.spec b/kernel.spec
index c611893e6..3557ba83b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,7 @@ Summary: The Linux kernel
 %define stable_rc 0
 # Do we have a -stable update to apply?
-%define stable_update 11
+%define stable_update 12
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
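Review bot: The new guard in mp_override_legacy_irq() is only correct if isa_irq_to_gsi[] has exactly NR_IRQS_LEGACY elements, and neither the array declaration nor the indexing statement is inside this hunk, so that should be confirmed in the base tree. The comment `Check bus_irq boundary.` restates the condition without saying what is being protected. Something like `/* bus_irq comes from the ACPI MADT and indexes isa_irq_to_gsi[]; ignore out-of-range entries from broken tables. */` would record the reason given in the commit message next to the check. The function body continues past the end of the hunk.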
@@ -651,6 +651,12 @@ Patch683: RFC-audit-fix-a-race-condition-with-the-auditd-tracking-code.patch
 # rhbz 1458599
 Patch685: 0001-ACPI-LPSS-Only-call-pwm_add_table-for-the-first-PWM-.patch
+# CVE-2017-7542 rhbz 1473649 1473650
+Patch701: 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+
+# CVE-2017-11473 rhbz 1473209 147310
+Patch702: CVE-2017-11473.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2218,6 +2224,13 @@ fi
 #
 #
 %changelog
+* Fri Jul 21 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.12-200
+- Linux v4.11.12
+
+* Fri Jul 21 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2017-7542 (rhbz 1473649 1473650)
+- Fix CVE-2017-11473 (rhbz 1473209 147310)
+
 * Mon Jul 17 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.11-200
 - Linux v4.11.11
 - Bring back /dev/port (rhbz 1471429 1451220)
@@ -1,3 +1,3 @@
 SHA512 (perf-man-4.11.tar.gz) = 0b070d2f10a743329de2f532e2d7e19ef385a3e6ef3c700b591ae2697604dbe542b36e31121b3e37517ee8071ab800386fa8663c24a5b36520a18e096c6eefc8
 SHA512 (linux-4.11.tar.xz) = 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3
-SHA512 (patch-4.11.11.xz) = 63b7ce0446de9b4651d795e172dc3aa07189b6bc888c25767e313a6f4aa5459a09985e65f06a6c795230899d6aa64e905249775b45261823a1907e3fa18a3974
+SHA512 (patch-4.11.12.xz) = ee9c5ac45896d84739c679834fcd15dfc46f9e939dcefd54ba049ac47168d71f0af680153615de002a2073ba79e44a9214f74af17ed16aa97d85e6df157fc6e8 |
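Review bot: The second Bugzilla id in `# CVE-2017-11473 rhbz 1473209 147310` has six digits where every other rhbz reference in this hunk has seven, so it looks truncated. The same value is repeated in the `%changelog` hunk as `- Fix CVE-2017-11473 (rhbz 1473209 147310)`. Both lines should be checked against the tracker bug and corrected together, since these ids are what ties the shipped package back to the CVE fix.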