diff options
| author | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-02-27 10:30:57 +0100 |
|---|---|---|
| committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-02-27 10:30:57 +0100 |
| commit | 0474f2bbfa49bb76d85b33761dfda762f32ef165 (patch) | |
| tree | ebe3e30f3a8e8304ba53cc11a719aaeef4f4ba09 | |
| parent | 811739ffd82ce06e2d64f3a03cbb7ceb06949210 (diff) | |
| parent | 484b5a559001f1b7927855072f82e5914c0c4707 (diff) | |
| download | kernel-0474f2bbfa49bb76d85b33761dfda762f32ef165.tar.gz kernel-0474f2bbfa49bb76d85b33761dfda762f32ef165.tar.xz kernel-0474f2bbfa49bb76d85b33761dfda762f32ef165.zip | |
Merge remote-tracking branch 'origin/f28' into f28-user-thl-vanilla-fedora
| -rw-r--r-- | efi-secureboot.patch | 8 | ||||
| -rw-r--r-- | kernel.spec | 6 | ||||
| -rw-r--r-- | net-crypto-set-sk-to-NULL-when-af_alg_release.patch | 127 |
3 files changed, 7 insertions, 134 deletions
diff --git a/efi-secureboot.patch b/efi-secureboot.patch index 1476abab3..48bcb5302 100644 --- a/efi-secureboot.patch +++ b/efi-secureboot.patch @@ -165,17 +165,17 @@ index 100ce4a4aff6..62361b647a75 100644 #ifdef CONFIG_EFI /* @@ -1169,6 +1177,8 @@ extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused); - extern bool efi_is_table_address(unsigned long phys_addr); + extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused); - extern int efi_apply_persistent_mem_reservations(void); + extern bool efi_is_table_address(unsigned long phys_addr); + +extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode); #else static inline bool efi_enabled(int feature) { -@@ -1192,6 +1202,8 @@ static inline int efi_apply_persistent_mem_reservations(void) +@@ -1192,6 +1202,8 @@ static inline bool efi_is_table_address(unsigned long phys_addr) { - return 0; + return false; } + +static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {} diff --git a/kernel.spec b/kernel.spec index 6bfee578b..9ddbe3042 100644 --- a/kernel.spec +++ b/kernel.spec @@ -655,9 +655,6 @@ Patch507: CVE-2019-3459-and-CVE-2019-3460.patch # rhbz 1663613 patch merged into 5.0-rc# Patch508: 0001-drm-nouveau-register-backlight-on-pascal-and-newer.patch -# CVE-2019-8912 rhbz 1678685 1678686 -Patch509: net-crypto-set-sk-to-NULL-when-af_alg_release.patch - # CVE-2019-8980 rhbz 1679972 1679974 Patch510: CVE-2019-8980.patch @@ -1949,6 +1946,9 @@ fi # # %changelog +* Mon Feb 25 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 4.20.12-100 +- Linux v4.20.12 + * Fri Feb 22 2019 Justin M. Forbes <jforbes@fedoraproject.org> - Fix CVE-2019-8980 (rhbz 1679972 1679974) diff --git a/net-crypto-set-sk-to-NULL-when-af_alg_release.patch b/net-crypto-set-sk-to-NULL-when-af_alg_release.patch deleted file mode 100644 index dffeac0bb..000000000 --- a/net-crypto-set-sk-to-NULL-when-af_alg_release.patch +++ /dev/null @@ -1,127 +0,0 @@ -From patchwork Fri Feb 15 14:24:15 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -Subject: [net-next] net: crypto set sk to NULL when af_alg_release. -X-Patchwork-Submitter: Mao Wenan <maowenan@huawei.com> -X-Patchwork-Id: 1042902 -X-Patchwork-Delegate: davem@davemloft.net -Message-Id: <20190215142415.149153-1-maowenan@huawei.com> -To: <netdev@vger.kernel.org>, <davem@davemloft.net>, - <xiyou.wangcong@gmail.com>, <linux-kernel@vger.kernel.org> -Date: Fri, 15 Feb 2019 22:24:15 +0800 -From: Mao Wenan <maowenan@huawei.com> -List-Id: <netdev.vger.kernel.org> - -KASAN has found use-after-free in sockfs_setattr. -The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close() -and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore -that crypto module forgets to set the sk to NULL after af_alg_release. - -KASAN report details as below: -BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150 -Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186 - -CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS -1.10.2-1ubuntu1 04/01/2014 -Call Trace: - dump_stack+0xca/0x13e - print_address_description+0x79/0x330 - ? vprintk_func+0x5e/0xf0 - kasan_report+0x18a/0x2e0 - ? sockfs_setattr+0x120/0x150 - sockfs_setattr+0x120/0x150 - ? sock_register+0x2d0/0x2d0 - notify_change+0x90c/0xd40 - ? chown_common+0x2ef/0x510 - chown_common+0x2ef/0x510 - ? chmod_common+0x3b0/0x3b0 - ? __lock_is_held+0xbc/0x160 - ? __sb_start_write+0x13d/0x2b0 - ? __mnt_want_write+0x19a/0x250 - do_fchownat+0x15c/0x190 - ? __ia32_sys_chmod+0x80/0x80 - ? trace_hardirqs_on_thunk+0x1a/0x1c - __x64_sys_fchownat+0xbf/0x160 - ? lockdep_hardirqs_on+0x39a/0x5e0 - do_syscall_64+0xc8/0x580 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x462589 -Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 -f7 48 89 d6 48 89 -ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 -48 c7 c1 bc ff ff -ff f7 d8 64 89 01 48 -RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104 -RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589 -RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007 -RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc -R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff - -Allocated by task 4185: - kasan_kmalloc+0xa0/0xd0 - __kmalloc+0x14a/0x350 - sk_prot_alloc+0xf6/0x290 - sk_alloc+0x3d/0xc00 - af_alg_accept+0x9e/0x670 - hash_accept+0x4a3/0x650 - __sys_accept4+0x306/0x5c0 - __x64_sys_accept4+0x98/0x100 - do_syscall_64+0xc8/0x580 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -Freed by task 4184: - __kasan_slab_free+0x12e/0x180 - kfree+0xeb/0x2f0 - __sk_destruct+0x4e6/0x6a0 - sk_destruct+0x48/0x70 - __sk_free+0xa9/0x270 - sk_free+0x2a/0x30 - af_alg_release+0x5c/0x70 - __sock_release+0xd3/0x280 - sock_close+0x1a/0x20 - __fput+0x27f/0x7f0 - task_work_run+0x136/0x1b0 - exit_to_usermode_loop+0x1a7/0x1d0 - do_syscall_64+0x461/0x580 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -Syzkaller reproducer: -r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, -0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, -0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, -0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, -0xffffffffffffffff, 0x0) -r1 = socket$alg(0x26, 0x5, 0x0) -getrusage(0x0, 0x0) -bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0, -'sha256-ssse3\x00'}, 0x80) -r2 = accept(r1, 0x0, 0x0) -r3 = accept4$unix(r2, 0x0, 0x0, 0x0) -r4 = dup3(r3, r0, 0x0) -fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000) - -Fixes: 6d8c50dcb029 ("socket: close race condition between sock_close() and sockfs_setattr()") -Signed-off-by: Mao Wenan <maowenan@huawei.com> ---- - crypto/af_alg.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/crypto/af_alg.c b/crypto/af_alg.c -index 17eb09d222ff..ec78a04eb136 100644 ---- a/crypto/af_alg.c -+++ b/crypto/af_alg.c -@@ -122,8 +122,10 @@ static void alg_do_release(const struct af_alg_type *type, void *private) - - int af_alg_release(struct socket *sock) - { -- if (sock->sk) -+ if (sock->sk) { - sock_put(sock->sk); -+ sock->sk = NULL; -+ } - return 0; - } - EXPORT_SYMBOL_GPL(af_alg_release); |