diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2015-12-15 21:04:50 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2015-12-15 21:04:50 +0100 |
commit | 2ac2f0738dc7886fc389c65e27ea5c0a1eb8cb95 (patch) | |
tree | 8f320a0e0ca816dd69c01afbc3a7b64db89b3183 | |
parent | f3e9b0be742c982704b3cdd2f38c150c9c25276f (diff) | |
parent | c3ab74ee6c843b8938850b66b7fd17d215078c81 (diff) | |
download | kernel-2ac2f0738dc7886fc389c65e27ea5c0a1eb8cb95.tar.gz kernel-2ac2f0738dc7886fc389c65e27ea5c0a1eb8cb95.tar.xz kernel-2ac2f0738dc7886fc389c65e27ea5c0a1eb8cb95.zip |
Merge remote branch 'origin/master'
-rw-r--r-- | KEYS-Fix-race-between-read-and-revoke.patch | 108 | ||||
-rw-r--r-- | alua_fix.patch | 41 | ||||
-rw-r--r-- | config-generic | 6 | ||||
-rw-r--r-- | config-nodebug | 112 | ||||
-rw-r--r-- | config-x86-generic | 2 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch | 40 | ||||
-rw-r--r-- | kernel.spec | 46 | ||||
-rw-r--r-- | net-add-validation-for-the-socket-syscall-protocol-a.patch | 139 | ||||
-rw-r--r-- | sources | 3 |
10 files changed, 432 insertions, 67 deletions
diff --git a/KEYS-Fix-race-between-read-and-revoke.patch b/KEYS-Fix-race-between-read-and-revoke.patch new file mode 100644 index 000000000..df0d9376b --- /dev/null +++ b/KEYS-Fix-race-between-read-and-revoke.patch @@ -0,0 +1,108 @@ +From f144220f72062ed5359e0211f130670c915a12dd Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Mon, 14 Dec 2015 10:36:31 -0500 +Subject: [PATCH] KEYS: Fix race between read and revoke + +There's a race between keyctl_read() and keyctl_revoke(). If the revoke +happens between keyctl_read() checking the validity of a key and the key's +semaphore being taken, then the key type read method will see a revoked key. + +This causes a problem for the user-defined key type because it assumes in +its read method that there will always be a payload in a non-revoked key +and doesn't check for a NULL pointer. + +Fix this by making keyctl_read() check the validity of a key after taking +semaphore instead of before. + +This was discovered by a multithreaded test program generated by syzkaller +(http://github.com/google/syzkaller). Here's a cleaned up version: + + #include <sys/types.h> + #include <keyutils.h> + #include <pthread.h> + void *thr0(void *arg) + { + key_serial_t key = (unsigned long)arg; + keyctl_revoke(key); + return 0; + } + void *thr1(void *arg) + { + key_serial_t key = (unsigned long)arg; + char buffer[16]; + keyctl_read(key, buffer, 16); + return 0; + } + int main() + { + key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); + pthread_t th[5]; + pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); + pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); + pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); + pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); + pthread_join(th[0], 0); + pthread_join(th[1], 0); + pthread_join(th[2], 0); + pthread_join(th[3], 0); + return 0; + } + +Build as: + + cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread + +Run as: + + while keyctl-race; do :; done + +as it may need several iterations to crash the kernel. The crash can be +summarised as: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 + IP: [<ffffffff81279b08>] user_read+0x56/0xa3 + ... + Call Trace: + [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7 + [<ffffffff81277815>] SyS_keyctl+0x83/0xe0 + [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f + +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Signed-off-by: David Howells <dhowells@redhat.com> +--- + security/keys/keyctl.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index fb111eafcb89..1c3872aeed14 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -751,16 +751,16 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) + + /* the key is probably readable - now try to read it */ + can_read_key: +- ret = key_validate(key); +- if (ret == 0) { +- ret = -EOPNOTSUPP; +- if (key->type->read) { +- /* read the data with the semaphore held (since we +- * might sleep) */ +- down_read(&key->sem); ++ ret = -EOPNOTSUPP; ++ if (key->type->read) { ++ /* Read the data with the semaphore held (since we might sleep) ++ * to protect against the key being updated or revoked. ++ */ ++ down_read(&key->sem); ++ ret = key_validate(key); ++ if (ret == 0) + ret = key->type->read(key, buffer, buflen); +- up_read(&key->sem); +- } ++ up_read(&key->sem); + } + + error2: +-- +2.5.0 + diff --git a/alua_fix.patch b/alua_fix.patch new file mode 100644 index 000000000..eb278fabb --- /dev/null +++ b/alua_fix.patch @@ -0,0 +1,41 @@ +From 221255aee67ec1c752001080aafec0c4e9390d95 Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke <hare@suse.de> +Date: Tue, 1 Dec 2015 10:16:42 +0100 +Subject: scsi: ignore errors from scsi_dh_add_device() + +device handler initialisation might fail due to a number of +reasons. But as device_handlers are optional this shouldn't +cause us to disable the device entirely. +So just ignore errors from scsi_dh_add_device(). + +Reviewed-by: Johannes Thumshirn <jthumshirn@suse.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Hannes Reinecke <hare@suse.de> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +--- + drivers/scsi/scsi_sysfs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index fc3cd26..d015374 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -1120,11 +1120,12 @@ int scsi_sysfs_add_sdev(struct scsi_device *sdev) + } + + error = scsi_dh_add_device(sdev); +- if (error) { ++ if (error) ++ /* ++ * device_handler is optional, so any error can be ignored ++ */ + sdev_printk(KERN_INFO, sdev, + "failed to add device handler: %d\n", error); +- return error; +- } + + device_enable_async_suspend(&sdev->sdev_dev); + error = device_add(&sdev->sdev_dev); +-- +cgit v0.11.2 + diff --git a/config-generic b/config-generic index e2d4da5ee..e1e17b0b1 100644 --- a/config-generic +++ b/config-generic @@ -1794,13 +1794,13 @@ CONFIG_B43_PCMCIA=y CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y CONFIG_B43_BCMA_PIO=y -CONFIG_B43_DEBUG=y +# CONFIG_B43_DEBUG is not set CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y CONFIG_B43_PHY_G=y CONFIG_B43LEGACY=m -CONFIG_B43LEGACY_DEBUG=y +# CONFIG_B43LEGACY_DEBUG is not set CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -5041,7 +5041,7 @@ CONFIG_PM_DEBUG=y # CONFIG_DPM_WATCHDOG is not set # revisit this in debug CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -CONFIG_PM_TEST_SUSPEND=y +# CONFIG_PM_TEST_SUSPEND is not set # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set # CONFIG_PM_WAKELOCKS is not set diff --git a/config-nodebug b/config-nodebug index 1b93255c0..65e8accd1 100644 --- a/config-nodebug +++ b/config-nodebug @@ -2,101 +2,101 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -CONFIG_DEBUG_ATOMIC_SLEEP=y - -CONFIG_DEBUG_MUTEXES=y -CONFIG_DEBUG_RT_MUTEXES=y -CONFIG_DEBUG_LOCK_ALLOC=y -CONFIG_LOCK_TORTURE_TEST=m -CONFIG_PROVE_LOCKING=y -CONFIG_DEBUG_SPINLOCK=y -CONFIG_PROVE_RCU=y +# CONFIG_DEBUG_ATOMIC_SLEEP is not set + +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_PROVE_RCU is not set # CONFIG_PROVE_RCU_REPEATEDLY is not set -CONFIG_DEBUG_PER_CPU_MAPS=y +# CONFIG_DEBUG_PER_CPU_MAPS is not set CONFIG_CPUMASK_OFFSTACK=y -CONFIG_CPU_NOTIFIER_ERROR_INJECT=m +# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set -CONFIG_FAULT_INJECTION=y -CONFIG_FAILSLAB=y -CONFIG_FAIL_PAGE_ALLOC=y -CONFIG_FAIL_MAKE_REQUEST=y -CONFIG_FAULT_INJECTION_DEBUG_FS=y -CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y -CONFIG_FAIL_IO_TIMEOUT=y -CONFIG_FAIL_MMC_REQUEST=y +# CONFIG_FAULT_INJECTION is not set +# CONFIG_FAILSLAB is not set +# CONFIG_FAIL_PAGE_ALLOC is not set +# CONFIG_FAIL_MAKE_REQUEST is not set +# CONFIG_FAULT_INJECTION_DEBUG_FS is not set +# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set +# CONFIG_FAIL_IO_TIMEOUT is not set +# CONFIG_FAIL_MMC_REQUEST is not set -CONFIG_LOCK_STAT=y +# CONFIG_LOCK_STAT is not set -CONFIG_DEBUG_STACK_USAGE=y +# CONFIG_DEBUG_STACK_USAGE is not set -CONFIG_ACPI_DEBUG=y +# CONFIG_ACPI_DEBUG is not set # CONFIG_ACPI_DEBUGGER is not set -CONFIG_DEBUG_SG=y -CONFIG_DEBUG_PI_LIST=y +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_PI_LIST is not set # CONFIG_PAGE_EXTENSION is not set # CONFIG_PAGE_OWNER is not set # CONFIG_DEBUG_PAGEALLOC is not set -CONFIG_DEBUG_OBJECTS=y +# CONFIG_DEBUG_OBJECTS is not set # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -CONFIG_DEBUG_OBJECTS_FREE=y -CONFIG_DEBUG_OBJECTS_TIMERS=y -CONFIG_DEBUG_OBJECTS_RCU_HEAD=y +# CONFIG_DEBUG_OBJECTS_FREE is not set +# CONFIG_DEBUG_OBJECTS_TIMERS is not set +# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 CONFIG_X86_PTDUMP=y -CONFIG_ARM64_PTDUMP=y -CONFIG_EFI_PGT_DUMP=y +# CONFIG_ARM64_PTDUMP is not set +# CONFIG_EFI_PGT_DUMP is not set -CONFIG_CAN_DEBUG_DEVICES=y +# CONFIG_CAN_DEBUG_DEVICES is not set -CONFIG_MODULE_FORCE_UNLOAD=y +# CONFIG_MODULE_FORCE_UNLOAD is not set -CONFIG_DEBUG_NOTIFIERS=y +# CONFIG_DEBUG_NOTIFIERS is not set -CONFIG_DMA_API_DEBUG=y +# CONFIG_DMA_API_DEBUG is not set -CONFIG_MMIOTRACE=y +# CONFIG_MMIOTRACE is not set -CONFIG_DEBUG_CREDENTIALS=y +# CONFIG_DEBUG_CREDENTIALS is not set # off in both production debug and nodebug builds, # on in rawhide nodebug builds -CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set -CONFIG_EXT4_DEBUG=y +# CONFIG_EXT4_DEBUG is not set # CONFIG_XFS_WARN is not set -CONFIG_DEBUG_PERF_USE_VMALLOC=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set -CONFIG_JBD2_DEBUG=y +# CONFIG_JBD2_DEBUG is not set -CONFIG_NFSD_FAULT_INJECTION=y +# CONFIG_NFSD_FAULT_INJECTION is not set -CONFIG_DEBUG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set -CONFIG_DRBD_FAULT_INJECTION=y +# CONFIG_DRBD_FAULT_INJECTION is not set -CONFIG_ATH_DEBUG=y -CONFIG_CARL9170_DEBUGFS=y -CONFIG_IWLWIFI_DEVICE_TRACING=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_CARL9170_DEBUGFS is not set +# CONFIG_IWLWIFI_DEVICE_TRACING is not set # CONFIG_RTLWIFI_DEBUG is not set -CONFIG_DEBUG_OBJECTS_WORK=y +# CONFIG_DEBUG_OBJECTS_WORK is not set -CONFIG_DMADEVICES_DEBUG=y +# CONFIG_DMADEVICES_DEBUG is not set # CONFIG_DMADEVICES_VDEBUG is not set CONFIG_PM_ADVANCED_DEBUG=y -CONFIG_CEPH_LIB_PRETTYDEBUG=y -CONFIG_QUOTA_DEBUG=y +# CONFIG_CEPH_LIB_PRETTYDEBUG is not set +# CONFIG_QUOTA_DEBUG is not set CONFIG_KGDB_KDB=y @@ -104,18 +104,18 @@ CONFIG_KDB_DEFAULT_ENABLE=0x0 CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y +# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set # CONFIG_PERCPU_TEST is not set -CONFIG_TEST_LIST_SORT=y +# CONFIG_TEST_LIST_SORT is not set # CONFIG_TEST_STRING_HELPERS is not set -CONFIG_DETECT_HUNG_TASK=y +# CONFIG_DETECT_HUNG_TASK is not set CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y +# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set -CONFIG_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y @@ -126,4 +126,4 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_SPI_DEBUG is not set -CONFIG_X86_DEBUG_STATIC_CPU_HAS=y +# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set diff --git a/config-x86-generic b/config-x86-generic index 0f3896753..760e4674c 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -363,7 +363,7 @@ CONFIG_SP5100_TCO=m # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -CONFIG_MAXSMP=y +# CONFIG_MAXSMP is not set CONFIG_HP_ILO=m @@ -1 +1 @@ -aa53685549a2cfb5f175b0c4a20bc9aa1e5a1b85 +0bd0f1e6d40aa16c4d507b1fff27163a7e7711f5 diff --git a/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch b/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch new file mode 100644 index 000000000..16788f756 --- /dev/null +++ b/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch @@ -0,0 +1,40 @@ +From 14b627c610f93c2700f9a3825ac10c35d51acfe4 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Mon, 7 Dec 2015 13:50:38 -0500 +Subject: [PATCH] ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill + dmi list + +One of the newest ideapad models also lacks a physical hw rfkill switch, +and trying to read the hw rfkill switch through the ideapad module +causes it to always reported blocking breaking wifi. + +Fix it by adding this model to the DMI list. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1286293 +Cc: stable@vger.kernel.org +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + drivers/platform/x86/ideapad-laptop.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c +index a313dfc0245f..d28db0e793df 100644 +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -865,6 +865,13 @@ static const struct dmi_system_id no_hw_rfkill_list[] = { + }, + }, + { ++ .ident = "Lenovo ideapad Y700-17ISK", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-17ISK"), ++ }, ++ }, ++ { + .ident = "Lenovo Yoga 2 11 / 13 / Pro", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index a9c5df8eb..24360910e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -73,9 +73,9 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 4 +%define rcrev 5 # The git snapshot level -%define gitrev 2 +%define gitrev 0 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -130,7 +130,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 0 +%define debugbuildsenabled 1 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_without_vanilla: 0} %{?!_without_vanilla: 1} @@ -401,8 +401,12 @@ BuildRequires: rpm-build, elfutils %define debuginfo_args --strict-build-id -r %endif -%if %{signmodules} +%ifarch %{ix86} x86_64 +# MODULE_SIG is enabled in config-x86-generic and needs these: BuildRequires: openssl openssl-devel +%endif + +%if %{signmodules} BuildRequires: pesign >= 0.10-4 %endif @@ -608,6 +612,18 @@ Patch568: Input-aiptek-fix-crash-on-detecting-device-without-e.patch #rhbz 1287819 Patch570: HID-multitouch-enable-palm-rejection-if-device-imple.patch +#rhbz 1286293 +Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch + +#rhbz 1288687 +Patch572: alua_fix.patch + +#CVE-2015-7550 rhbz 1291197 1291198 +Patch575: KEYS-Fix-race-between-read-and-revoke.patch + +#CVE-2015-8543 rhbz 1290475 1290477 +Patch576: net-add-validation-for-the-socket-syscall-protocol-a.patch + # END OF PATCH DEFINITIONS %endif @@ -2054,6 +2070,28 @@ fi # # %changelog +* Tue Dec 15 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-8543 ipv6: DoS via NULL pointer dereference (rhbz 1290475 1290477) + +* Mon Dec 14 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc5.git0.1 +- Linux v4.4-rc5 +- Disable debugging options. + +* Mon Dec 14 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2015-7550 Race between read and revoke keys (rhbz 1291197 1291198) + +* Fri Dec 11 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc4.git4.1 +- Linux v4.4-rc4-113-g0bd0f1e + +* Thu Dec 10 2015 Laura Abbott <labbott@redhat.com> +- Ignore errors from scsi_dh_add_device (rhbz 1288687) + +* Thu Dec 10 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc4.git3.1 +- Linux v4.4-rc4-86-g6764e5e + +* Thu Dec 10 2015 Josh Boyer <jwboyer@fedoraproject.org> +- Fix rfkill issues on ideapad Y700-17ISK (rhbz 1286293) + * Wed Dec 09 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc4.git2.1 - Linux v4.4-rc4-48-gaa53685 diff --git a/net-add-validation-for-the-socket-syscall-protocol-a.patch b/net-add-validation-for-the-socket-syscall-protocol-a.patch new file mode 100644 index 000000000..ce387ea42 --- /dev/null +++ b/net-add-validation-for-the-socket-syscall-protocol-a.patch @@ -0,0 +1,139 @@ +From 4da7dc22c91ad2c3144cb1d0d96e9611bc86da47 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa <hannes@stressinduktion.org> +Date: Mon, 14 Dec 2015 22:03:39 +0100 +Subject: [PATCH] net: add validation for the socket syscall protocol argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +郭永刚 reported that one could simply crash the kernel as root by +using a simple program: + + int socket_fd; + struct sockaddr_in addr; + addr.sin_port = 0; + addr.sin_addr.s_addr = INADDR_ANY; + addr.sin_family = 10; + + socket_fd = socket(10,3,0x40000000); + connect(socket_fd , &addr,16); + +AF_INET, AF_INET6 sockets actually only support 8-bit protocol +identifiers. inet_sock's skc_protocol field thus is sized accordingly, +thus larger protocol identifiers simply cut off the higher bits and +store a zero in the protocol fields. + +This could lead to e.g. NULL function pointer because as a result of +the cut off inet_num is zero and we call down to inet_autobind, which +is NULL for raw sockets. + +kernel: Call Trace: +kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70 +kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80 +kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110 +kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80 +kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200 +kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10 +kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89 + +I found no particular commit which introduced this problem. + +CVE: CVE-2015-8543 +Cc: Cong Wang <cwang@twopensource.com> +Reported-by: 郭永刚 <guoyonggang@360.cn> +Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + include/net/sock.h | 1 + + net/ax25/af_ax25.c | 3 +++ + net/decnet/af_decnet.c | 3 +++ + net/ipv4/af_inet.c | 3 +++ + net/ipv6/af_inet6.c | 3 +++ + net/irda/af_irda.c | 3 +++ + 6 files changed, 16 insertions(+) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 52d27ee924f4..2fa1fc00e8cb 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -403,6 +403,7 @@ struct sock { + sk_no_check_rx : 1, + sk_userlocks : 4, + sk_protocol : 8, ++#define SK_PROTOCOL_MAX U8_MAX + sk_type : 16; + kmemcheck_bitfield_end(flags); + int sk_wmem_queued; +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index ae3a47f9d1d5..fbd0acf80b13 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol, + struct sock *sk; + ax25_cb *ax25; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c +index eebf5ac8ce18..13d6b1a6e0fc 100644 +--- a/net/decnet/af_decnet.c ++++ b/net/decnet/af_decnet.c +@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol, + { + struct sock *sk; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (!net_eq(net, &init_net)) + return -EAFNOSUPPORT; + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 11c4ca13ec3b..5c5db6636704 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + sock->state = SS_UNCONNECTED; + + /* Look for the requested type/protocol pair. */ +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index 8ec0df75f1c4..9f5137cd604e 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, + int try_loading_module = 0; + int err; + ++ if (protocol < 0 || protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + /* Look for the requested type/protocol pair. */ + lookup_protocol: + err = -ESOCKTNOSUPPORT; +diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c +index e6aa48b5395c..923abd6b3064 100644 +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol, + struct sock *sk; + struct irda_sock *self; + ++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX) ++ return -EINVAL; ++ + if (net != &init_net) + return -EAFNOSUPPORT; + +-- +2.5.0 + @@ -1,4 +1,3 @@ 58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz 7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz -7c6ce32cc26bcb02cc46410c94ee7ad0 patch-4.4-rc4.xz -bd056e6315d489b1ddd15303bae282e4 patch-4.4-rc4-git2.xz +c00e702d178da6eead9bd089a96bbba5 patch-4.4-rc5.xz |