diff options
| author | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-08-14 07:22:23 -0500 |
|---|---|---|
| committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-08-14 07:22:23 -0500 |
| commit | 01bdf6af77afda9f7aaeca3cbf45f9b6edc7cbec (patch) | |
| tree | bad873e56ba0bae4ea1157614fe12fd3647928df | |
| parent | 4ad810e16c8efefaa94e5cf7c323157bb14064be (diff) | |
| download | kernel-01bdf6af77afda9f7aaeca3cbf45f9b6edc7cbec.tar.gz kernel-01bdf6af77afda9f7aaeca3cbf45f9b6edc7cbec.tar.xz kernel-01bdf6af77afda9f7aaeca3cbf45f9b6edc7cbec.zip | |
Linux v4.12.7
| -rw-r--r-- | bz1471302.patch | 81 | ||||
| -rw-r--r-- | kernel.spec | 14 | ||||
| -rw-r--r-- | net-packet-fix-tp_reserve-race-in-packet_set_ring.patch | 57 | ||||
| -rw-r--r-- | sources | 2 | ||||
| -rw-r--r-- | udp-consistently-apply-ufo-or-fragmentation.patch | 93 |
5 files changed, 5 insertions, 242 deletions
diff --git a/bz1471302.patch b/bz1471302.patch deleted file mode 100644 index 0a1325e78..000000000 --- a/bz1471302.patch +++ /dev/null @@ -1,81 +0,0 @@ -From: Johannes Thumshirn <jthumshirn@suse.de> -Subject: Re: [REGRESSION] 28676d869bbb (scsi: sg: check for valid direction - before starting the request) breaks mtx tape library control -To: Jason L Tibbitts III <tibbs@math.uh.edu> -Cc: Doug Gilbert <dgilbert@interlog.com>, linux-scsi@vger.kernel.org, - linux-kernel@vger.kernel.org, dvyukov@google.com, hare@suse.com, - hch@lst.de, martin.petersen@oracle.com -Date: Wed, 26 Jul 2017 09:39:34 +0200 (6 hours, 57 minutes ago) - -On Tue, Jul 25, 2017 at 01:25:07PM -0500, Jason L Tibbitts III wrote: -> >>>>> "JT" == Johannes Thumshirn <jthumshirn@suse.de> writes: -> ioctl(3, SG_IO, {interface_id='S', dxfer_direction=SG_DXFER_TO_DEV, cmd_len=12, cmdp="\xa5\x00\x00\x00\x00\x01\x03\xe9\x00\x00\x00\x00", mx_sb_len=20, iovec_count=0, dxfer_len=0, timeout=300000, flags=0, dxferp=NULL, status=0, masked_status=0, msg_status=0, sb_len_wr=0, sbp="", host_status=0, driver_status=0, resid=0, duration=0, info=0}) = -1 EINVAL (Invalid argument) - -[...] - case SG_DXFER_TO_DEV: - case SG_DXFER_TO_FROM_DEV: - if (!hp->dxferp) - return false; - return true; - -So here we go, dxfer_direction is SG_DXFER_TO_DEV, dxfer_len is 0 and dxferp -is NULL. We bail out because dxferp is NULL here. - -I only looked at sg_write() and not sg_new_write() which is called by the -SG_IO path not the fops->write() path. - -It's probably best to just check for dxfer_len <= 2^28 to be valid as Doug -suggested: - -diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 4fe606b000b4..d7ff71e0c85c 100644 ---- a/drivers/scsi/sg.c -+++ b/drivers/scsi/sg.c -@@ -751,29 +751,6 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf, - return count; - } - --static bool sg_is_valid_dxfer(sg_io_hdr_t *hp) --{ -- switch (hp->dxfer_direction) { -- case SG_DXFER_NONE: -- if (hp->dxferp || hp->dxfer_len > 0) -- return false; -- return true; -- case SG_DXFER_TO_DEV: -- case SG_DXFER_FROM_DEV: -- case SG_DXFER_TO_FROM_DEV: -- if (!hp->dxferp || hp->dxfer_len == 0) -- return false; -- return true; -- case SG_DXFER_UNKNOWN: -- if ((!hp->dxferp && hp->dxfer_len) || -- (hp->dxferp && hp->dxfer_len == 0)) -- return false; -- return true; -- default: -- return false; -- } --} -- - static int - sg_common_write(Sg_fd * sfp, Sg_request * srp, - unsigned char *cmnd, int timeout, int blocking) -@@ -800,7 +771,7 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp, - "sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n", - (int) cmnd[0], (int) hp->cmd_len)); - -- if (!sg_is_valid_dxfer(hp)) -+ if (hp->dxfer_len >= SZ_256M) - return -EINVAL; - - k = sg_start_req(srp, cmnd); - --- -Johannes Thumshirn Storage -jthumshirn@suse.de +49 911 74053 689 -SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg -GF: Felix Imendörffer, Jane Smithard, Graham Norton -HRB 21284 (AG Nürnberg) -Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850 - diff --git a/kernel.spec b/kernel.spec index e1edf7d48..6e5acefa4 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -669,21 +669,12 @@ Patch616: 0016-Input-silead-Do-not-try-to-directly-access-the-GPIO-.patch Patch703: HID-rmi-Make-sure-the-HID-device-is-opened-on-resume.patch Patch704: input-rmi4-remove-the-need-for-artifical-IRQ.patch -# rhbz 1471302 -Patch705: bz1471302.patch - # rhbz 1476467 Patch706: Fix-for-module-sig-verification.patch # rhbz 1462381 Patch707: Back-out-qxl-atomic-delay.patch -# CVE-2017-1000111 rhbz 1479304 1480464 -Patch708: net-packet-fix-tp_reserve-race-in-packet_set_ring.patch - -# CVE-2017-1000112 rhbz 1479307 1480465 -Patch709: udp-consistently-apply-ufo-or-fragmentation.patch - # END OF PATCH DEFINITIONS %endif @@ -2257,6 +2248,9 @@ fi # # %changelog +* Mon Aug 14 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.7-300 +- Linux v4.12.7 + * Fri Aug 11 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.6-300 - Linux v4.12.6 - Fix CVE-2017-1000111 (rhbz 1479304 1480464) diff --git a/net-packet-fix-tp_reserve-race-in-packet_set_ring.patch b/net-packet-fix-tp_reserve-race-in-packet_set_ring.patch deleted file mode 100644 index da7103dbe..000000000 --- a/net-packet-fix-tp_reserve-race-in-packet_set_ring.patch +++ /dev/null @@ -1,57 +0,0 @@ -From patchwork Thu Aug 10 16:41:58 2017 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [net] packet: fix tp_reserve race in packet_set_ring -From: Willem de Bruijn <willemdebruijn.kernel@gmail.com> -X-Patchwork-Id: 800274 -X-Patchwork-Delegate: davem@davemloft.net -Message-Id: <20170810164158.52213-1-willemdebruijn.kernel@gmail.com> -To: netdev@vger.kernel.org -Cc: davem@davemloft.net, andreyknvl@gmail.com, - Willem de Bruijn <willemb@google.com> -Date: Thu, 10 Aug 2017 12:41:58 -0400 - -From: Willem de Bruijn <willemb@google.com> - -Updates to tp_reserve can race with reads of the field in -packet_set_ring. Avoid this by holding the socket lock during -updates in setsockopt PACKET_RESERVE. - -This bug was discovered by syzkaller. - -Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") -Reported-by: Andrey Konovalov <andreyknvl@google.com> -Signed-off-by: Willem de Bruijn <willemb@google.com> ---- - net/packet/af_packet.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 0615c2a950fa..008a45ca3112 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv - - if (optlen != sizeof(val)) - return -EINVAL; -- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) -- return -EBUSY; - if (copy_from_user(&val, optval, sizeof(val))) - return -EFAULT; - if (val > INT_MAX) - return -EINVAL; -- po->tp_reserve = val; -- return 0; -+ lock_sock(sk); -+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { -+ ret = -EBUSY; -+ } else { -+ po->tp_reserve = val; -+ ret = 0; -+ } -+ release_sock(sk); -+ return ret; - } - case PACKET_LOSS: - { @@ -1,3 +1,3 @@ SHA512 (perf-man-4.12.tar.gz) = 4d3bbda1f520dba0007c351af46f45085fe4842074eb2e01aee736fd369df595f8f72ed6c1192715f1120bf3353279777f9dca1178fe93bffe5be2de700d409c SHA512 (linux-4.12.tar.xz) = 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728 -SHA512 (patch-4.12.6.xz) = 78d480b3ad51028c129b1e3d63e3179f754bc8ab9987aa8e5815b105c8cb270c88673babee4124431861f769bc6f42c848391b065f7a3e02bec9b6a5290e2836 +SHA512 (patch-4.12.7.xz) = 22d6b937796298e9bb83d216b5cfa8b6910c8efe7bf5c4628c5fac42f73f916a5ba29b519fed1007542faa033c39d34175961731dfae88cd36c29fc6177fddcf diff --git a/udp-consistently-apply-ufo-or-fragmentation.patch b/udp-consistently-apply-ufo-or-fragmentation.patch deleted file mode 100644 index 63e089b6e..000000000 --- a/udp-consistently-apply-ufo-or-fragmentation.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa Mon Sep 17 00:00:00 2001 -From: Willem de Bruijn <willemb@google.com> -Date: Thu, 10 Aug 2017 12:29:19 -0400 -Subject: udp: consistently apply ufo or fragmentation - -When iteratively building a UDP datagram with MSG_MORE and that -datagram exceeds MTU, consistently choose UFO or fragmentation. - -Once skb_is_gso, always apply ufo. Conversely, once a datagram is -split across multiple skbs, do not consider ufo. - -Sendpage already maintains the first invariant, only add the second. -IPv6 does not have a sendpage implementation to modify. - -A gso skb must have a partial checksum, do not follow sk_no_check_tx -in udp_send_skb. - -Found by syzkaller. - -Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") -Reported-by: Andrey Konovalov <andreyknvl@google.com> -Signed-off-by: Willem de Bruijn <willemb@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/ipv4/ip_output.c | 8 +++++--- - net/ipv4/udp.c | 2 +- - net/ipv6/ip6_output.c | 7 ++++--- - 3 files changed, 10 insertions(+), 7 deletions(-) - -diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c -index 50c74cd..e153c40 100644 ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -965,11 +965,12 @@ static int __ip_append_data(struct sock *sk, - csummode = CHECKSUM_PARTIAL; - - cork->length += length; -- if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) || -- (skb && skb_is_gso(skb))) && -+ if ((skb && skb_is_gso(skb)) || -+ (((length + (skb ? skb->len : fragheaderlen)) > mtu) && -+ (skb_queue_len(queue) <= 1) && - (sk->sk_protocol == IPPROTO_UDP) && - (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) && -- (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) { -+ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) { - err = ip_ufo_append_data(sk, queue, getfrag, from, length, - hh_len, fragheaderlen, transhdrlen, - maxfraglen, flags); -@@ -1288,6 +1289,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page, - return -EINVAL; - - if ((size + skb->len > mtu) && -+ (skb_queue_len(&sk->sk_write_queue) == 1) && - (sk->sk_protocol == IPPROTO_UDP) && - (rt->dst.dev->features & NETIF_F_UFO)) { - if (skb->ip_summed != CHECKSUM_PARTIAL) -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index e6276fa..a7c804f 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -802,7 +802,7 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4) - if (is_udplite) /* UDP-Lite */ - csum = udplite_csum(skb); - -- else if (sk->sk_no_check_tx) { /* UDP csum disabled */ -+ else if (sk->sk_no_check_tx && !skb_is_gso(skb)) { /* UDP csum off */ - - skb->ip_summed = CHECKSUM_NONE; - goto send; -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 162efba..2dfe50d 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -1381,11 +1381,12 @@ emsgsize: - */ - - cork->length += length; -- if ((((length + (skb ? skb->len : headersize)) > mtu) || -- (skb && skb_is_gso(skb))) && -+ if ((skb && skb_is_gso(skb)) || -+ (((length + (skb ? skb->len : headersize)) > mtu) && -+ (skb_queue_len(queue) <= 1) && - (sk->sk_protocol == IPPROTO_UDP) && - (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) && -- (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) { -+ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) { - err = ip6_ufo_append_data(sk, queue, getfrag, from, length, - hh_len, fragheaderlen, exthdrlen, - transhdrlen, mtu, flags, fl6); --- -cgit v1.1 - |