diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-03-15 08:03:52 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-03-15 08:03:52 +0100 |
commit | 12173dc023671008255dc7468299cbb80d9419a1 (patch) | |
tree | efce22e57a6c45cabf0bbed94472c65f3b39bea8 | |
parent | cb7f5a5232534f0bc90fd50639cf935b3b0bb759 (diff) | |
parent | de5f58c120991b9fccefd5ef4dfc7532a93d5d45 (diff) | |
download | kernel-4.5.0-1.vanilla.knurd.1.fc22.tar.gz kernel-4.5.0-1.vanilla.knurd.1.fc22.tar.xz kernel-4.5.0-1.vanilla.knurd.1.fc22.zip |
Merge remote-tracking branch 'origin/master' into f22-user-thl-vanilla-rawhidekernel-4.5.0-1.vanilla.knurd.1.fc22
-rw-r--r-- | USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch | 59 | ||||
-rw-r--r-- | config-generic | 6 | ||||
-rw-r--r-- | config-nodebug | 114 | ||||
-rw-r--r-- | config-x86-generic | 2 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | kernel.spec | 33 | ||||
-rw-r--r-- | netfilter-x_tables-check-for-size-overflow.patch | 31 | ||||
-rw-r--r-- | netfilter-x_tables-deal-with-bogus-nextoffset-values.patch | 150 | ||||
-rw-r--r-- | sources | 6 |
9 files changed, 332 insertions, 71 deletions
diff --git a/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch b/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch new file mode 100644 index 000000000..ac8e71c72 --- /dev/null +++ b/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch @@ -0,0 +1,59 @@ +From 94c78c81df3056e573fb84000a32512e9c16e555 Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Thu, 10 Mar 2016 08:49:02 -0500 +Subject: [PATCH] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU + devices + +A Fedora user reports that the ftdi_sio driver works properly for the +ICP DAS I-7561U device. Further, the user manual for these devices +instructs users to load the driver and add the ids using the sysfs +interface. + +Add support for these in the driver directly so that the devices work +out of the box instead of needing manual configuration. + +Reported-by: <thesource@mail.ru> +CC: stable <stable@vger.kernel.org> +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + drivers/usb/serial/ftdi_sio.c | 4 ++++ + drivers/usb/serial/ftdi_sio_ids.h | 8 ++++++++ + 2 files changed, 12 insertions(+) + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 8c660ae401d8..b61f12160d37 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1004,6 +1004,10 @@ static const struct usb_device_id id_table_combined[] = { + { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) }, + { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) }, + { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) }, ++ /* ICP DAS I-756xU devices */ ++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) }, ++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) }, ++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) }, + { } /* Terminating entry */ + }; + +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index a84df2513994..a4ec24ce6a11 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -872,6 +872,14 @@ + #define NOVITUS_BONO_E_PID 0x6010 + + /* ++ * ICPDAS I-756*U devices ++ */ ++#define ICPDAS_VID 0x1b5c ++#define ICPDAS_I7560U_PID 0x0103 ++#define ICPDAS_I7561U_PID 0x0104 ++#define ICPDAS_I7563U_PID 0x0105 ++ ++/* + * RT Systems programming cables for various ham radios + */ + #define RTSYSTEMS_VID 0x2100 /* Vendor ID */ +-- +2.5.0 + diff --git a/config-generic b/config-generic index 0e8f19219..a970c6577 100644 --- a/config-generic +++ b/config-generic @@ -1825,13 +1825,13 @@ CONFIG_B43_PCMCIA=y CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y CONFIG_B43_BCMA_PIO=y -CONFIG_B43_DEBUG=y +# CONFIG_B43_DEBUG is not set CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y CONFIG_B43_PHY_G=y CONFIG_B43LEGACY=m -CONFIG_B43LEGACY_DEBUG=y +# CONFIG_B43LEGACY_DEBUG is not set CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -5132,7 +5132,7 @@ CONFIG_PM_DEBUG=y # CONFIG_DPM_WATCHDOG is not set # revisit this in debug CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -CONFIG_PM_TEST_SUSPEND=y +# CONFIG_PM_TEST_SUSPEND is not set # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set # CONFIG_PM_WAKELOCKS is not set diff --git a/config-nodebug b/config-nodebug index 3a2eee381..c173637a2 100644 --- a/config-nodebug +++ b/config-nodebug @@ -2,101 +2,101 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -CONFIG_DEBUG_ATOMIC_SLEEP=y - -CONFIG_DEBUG_MUTEXES=y -CONFIG_DEBUG_RT_MUTEXES=y -CONFIG_DEBUG_LOCK_ALLOC=y -CONFIG_LOCK_TORTURE_TEST=m -CONFIG_PROVE_LOCKING=y -CONFIG_DEBUG_SPINLOCK=y -CONFIG_PROVE_RCU=y +# CONFIG_DEBUG_ATOMIC_SLEEP is not set + +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_PROVE_RCU is not set # CONFIG_PROVE_RCU_REPEATEDLY is not set -CONFIG_DEBUG_PER_CPU_MAPS=y +# CONFIG_DEBUG_PER_CPU_MAPS is not set CONFIG_CPUMASK_OFFSTACK=y -CONFIG_CPU_NOTIFIER_ERROR_INJECT=m +# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set -CONFIG_FAULT_INJECTION=y -CONFIG_FAILSLAB=y -CONFIG_FAIL_PAGE_ALLOC=y -CONFIG_FAIL_MAKE_REQUEST=y -CONFIG_FAULT_INJECTION_DEBUG_FS=y -CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y -CONFIG_FAIL_IO_TIMEOUT=y -CONFIG_FAIL_MMC_REQUEST=y +# CONFIG_FAULT_INJECTION is not set +# CONFIG_FAILSLAB is not set +# CONFIG_FAIL_PAGE_ALLOC is not set +# CONFIG_FAIL_MAKE_REQUEST is not set +# CONFIG_FAULT_INJECTION_DEBUG_FS is not set +# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set +# CONFIG_FAIL_IO_TIMEOUT is not set +# CONFIG_FAIL_MMC_REQUEST is not set -CONFIG_LOCK_STAT=y +# CONFIG_LOCK_STAT is not set -CONFIG_DEBUG_STACK_USAGE=y +# CONFIG_DEBUG_STACK_USAGE is not set -CONFIG_ACPI_DEBUG=y +# CONFIG_ACPI_DEBUG is not set # CONFIG_ACPI_DEBUGGER is not set -CONFIG_DEBUG_SG=y -CONFIG_DEBUG_PI_LIST=y +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_PI_LIST is not set # CONFIG_PAGE_EXTENSION is not set # CONFIG_PAGE_OWNER is not set # CONFIG_DEBUG_PAGEALLOC is not set -CONFIG_DEBUG_OBJECTS=y +# CONFIG_DEBUG_OBJECTS is not set # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -CONFIG_DEBUG_OBJECTS_FREE=y -CONFIG_DEBUG_OBJECTS_TIMERS=y -CONFIG_DEBUG_OBJECTS_RCU_HEAD=y +# CONFIG_DEBUG_OBJECTS_FREE is not set +# CONFIG_DEBUG_OBJECTS_TIMERS is not set +# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 CONFIG_X86_PTDUMP=y -CONFIG_ARM64_PTDUMP=y -CONFIG_EFI_PGT_DUMP=y +# CONFIG_ARM64_PTDUMP is not set +# CONFIG_EFI_PGT_DUMP is not set -CONFIG_CAN_DEBUG_DEVICES=y +# CONFIG_CAN_DEBUG_DEVICES is not set -CONFIG_MODULE_FORCE_UNLOAD=y +# CONFIG_MODULE_FORCE_UNLOAD is not set -CONFIG_DEBUG_NOTIFIERS=y +# CONFIG_DEBUG_NOTIFIERS is not set -CONFIG_DMA_API_DEBUG=y +# CONFIG_DMA_API_DEBUG is not set -CONFIG_MMIOTRACE=y +# CONFIG_MMIOTRACE is not set -CONFIG_DEBUG_CREDENTIALS=y +# CONFIG_DEBUG_CREDENTIALS is not set # off in both production debug and nodebug builds, # on in rawhide nodebug builds -CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set -CONFIG_EXT4_DEBUG=y +# CONFIG_EXT4_DEBUG is not set # CONFIG_XFS_WARN is not set -CONFIG_DEBUG_PERF_USE_VMALLOC=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set -CONFIG_JBD2_DEBUG=y +# CONFIG_JBD2_DEBUG is not set -CONFIG_NFSD_FAULT_INJECTION=y +# CONFIG_NFSD_FAULT_INJECTION is not set -CONFIG_DEBUG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set -CONFIG_DRBD_FAULT_INJECTION=y +# CONFIG_DRBD_FAULT_INJECTION is not set -CONFIG_ATH_DEBUG=y -CONFIG_CARL9170_DEBUGFS=y -CONFIG_IWLWIFI_DEVICE_TRACING=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_CARL9170_DEBUGFS is not set +# CONFIG_IWLWIFI_DEVICE_TRACING is not set # CONFIG_RTLWIFI_DEBUG is not set -CONFIG_DEBUG_OBJECTS_WORK=y +# CONFIG_DEBUG_OBJECTS_WORK is not set -CONFIG_DMADEVICES_DEBUG=y +# CONFIG_DMADEVICES_DEBUG is not set # CONFIG_DMADEVICES_VDEBUG is not set CONFIG_PM_ADVANCED_DEBUG=y -CONFIG_CEPH_LIB_PRETTYDEBUG=y -CONFIG_QUOTA_DEBUG=y +# CONFIG_CEPH_LIB_PRETTYDEBUG is not set +# CONFIG_QUOTA_DEBUG is not set CONFIG_KGDB_KDB=y @@ -104,19 +104,19 @@ CONFIG_KDB_DEFAULT_ENABLE=0x0 CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y +# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set # CONFIG_PERCPU_TEST is not set -CONFIG_TEST_LIST_SORT=y +# CONFIG_TEST_LIST_SORT is not set # CONFIG_TEST_STRING_HELPERS is not set -CONFIG_DETECT_HUNG_TASK=y +# CONFIG_DETECT_HUNG_TASK is not set CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -CONFIG_WQ_WATCHDOG=y +# CONFIG_WQ_WATCHDOG is not set -CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y +# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set -CONFIG_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y @@ -127,4 +127,4 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_SPI_DEBUG is not set -CONFIG_X86_DEBUG_STATIC_CPU_HAS=y +# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set diff --git a/config-x86-generic b/config-x86-generic index 4815913be..10a3a126b 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -377,7 +377,7 @@ CONFIG_SP5100_TCO=m # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -CONFIG_MAXSMP=y +# CONFIG_MAXSMP is not set CONFIG_HP_ILO=m @@ -1 +1 @@ -7f02bf6b5f5de90b7a331759b5364e41c0f39bf9 +f2c1242194c7af9b26f53359ab2b23df36d3a643 diff --git a/kernel.spec b/kernel.spec index 977a60ff3..2bf270c6d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -6,7 +6,7 @@ Summary: The Linux kernel # For a stable, released kernel, released_kernel should be 1. For rawhide # and/or a kernel built from an rc or git snapshot, released_kernel should # be 0. -%global released_kernel 0 +%global released_kernel 1 # Sign modules on x86. Make sure the config files match this setting if more # architectures are added. @@ -50,7 +50,7 @@ Summary: The Linux kernel # base_sublevel is the kernel version we're starting with and patching # on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base, # which yields a base_sublevel of 0. -%define base_sublevel 4 +%define base_sublevel 5 ## If this is a released kernel ## %if 0%{?released_kernel} @@ -75,9 +75,9 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 7 +%define rcrev 0 # The git snapshot level -%define gitrev 2 +%define gitrev 0 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -133,7 +133,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 0 +%define debugbuildsenabled 1 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_without_vanilla: 0} %{?!_without_vanilla: 1} @@ -630,6 +630,15 @@ Patch648: 0001-mm-CONFIG_NR_ZONES_EXTENDED.patch #rhbz 1312102 Patch649: perf-tools-Fix-python-extension-build.patch +#rhbz 1316136 +Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch + +#CVE-2016-3135 rhbz 1317386 1317387 +Patch664: netfilter-x_tables-check-for-size-overflow.patch + +#CVE-2016-3134 rhbz 1317383 1317384 +Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch + # END OF PATCH DEFINITIONS %endif @@ -2154,6 +2163,20 @@ fi # # %changelog +* Mon Mar 14 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-1 +- Linux v4.5 +- Disable debugging options. + +* Mon Mar 14 2016 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2016-3134 netfilter: missing bounds check in ipt_entry struct (rhbz 1317383 1317384) +- CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387) + +* Fri Mar 11 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Add patch for ICP DAS I-756xU devices (rhbz 1316136) + +* Thu Mar 10 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc7.git3.1 +- Linux v4.5-rc7-215-gf2c1242 + * Wed Mar 09 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc7.git2.1 - Linux v4.5-rc7-159-g7f02bf6 diff --git a/netfilter-x_tables-check-for-size-overflow.patch b/netfilter-x_tables-check-for-size-overflow.patch new file mode 100644 index 000000000..81e3d36fa --- /dev/null +++ b/netfilter-x_tables-check-for-size-overflow.patch @@ -0,0 +1,31 @@ +Subject: [PATCH nf] netfilter: x_tables: check for size overflow +From: Florian Westphal <fw () strlen ! de> +Date: 2016-03-10 0:56:23 + +Ben Hawkes says: + integer overflow in xt_alloc_table_info, which on 32-bit systems can + lead to small structure allocation and a copy_from_user based heap + corruption. + +Reported-by: Ben Hawkes <hawkes@google.com> +Signed-off-by: Florian Westphal <fw@strlen.de> +--- + net/netfilter/x_tables.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index c8a0b7d..17a9a9f 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) + struct xt_table_info *info = NULL; + size_t sz = sizeof(*info) + size; + ++ if (sz < sizeof(*info)) ++ return NULL; ++ + /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ + if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) + return NULL; +-- +2.4.10 diff --git a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch new file mode 100644 index 000000000..ebfe1716f --- /dev/null +++ b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch @@ -0,0 +1,150 @@ +Subject: [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values +From: Florian Westphal <fw () strlen ! de> +Date: 2016-03-10 0:56:02 + +Ben Hawkes says: + + In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it + is possible for a user-supplied ipt_entry structure to have a large + next_offset field. This field is not bounds checked prior to writing a + counter value at the supplied offset. + +Problem is that xt_entry_foreach() macro stops iterating once e->next_offset +is out of bounds, assuming this is the last entry. + +With malformed data thats not necessarily the case so we can +write outside of allocated area later as we might not have walked the +entire blob. + +Fix this by simplifying mark_source_chains -- it already has to check +if nextoff is in range to catch invalid jumps, so just do the check +when we move to a next entry as well. + +Signed-off-by: Florian Westphal <fw@strlen.de> +--- + net/ipv4/netfilter/arp_tables.c | 16 ++++++++-------- + net/ipv4/netfilter/ip_tables.c | 15 ++++++++------- + net/ipv6/netfilter/ip6_tables.c | 13 ++++++------- + 3 files changed, 22 insertions(+), 22 deletions(-) + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index b488cac..5a0b591 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + + /* Move along one */ + size = e->next_offset; ++ ++ if (pos + size > newinfo->size - sizeof(*e)) ++ return 0; ++ + e = (struct arpt_entry *) + (entry0 + pos + size); + e->counters.pcnt = pos; +@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + if (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0 && + newpos >= 0) { +- if (newpos > newinfo->size - +- sizeof(struct arpt_entry)) { +- duprintf("mark_source_chains: " +- "bad verdict (%i)\n", +- newpos); +- return 0; +- } +- + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); +@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + /* ... this is a fallthru */ + newpos = pos + e->next_offset; + } ++ ++ if (newpos > newinfo->size - sizeof(*e)) ++ return 0; ++ + e = (struct arpt_entry *) + (entry0 + newpos); + e->counters.pcnt = pos; +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index b99affa..ceb995f 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + + /* Move along one */ + size = e->next_offset; ++ ++ if (pos + size > newinfo->size - sizeof(*e)) ++ return 0; ++ + e = (struct ipt_entry *) + (entry0 + pos + size); + e->counters.pcnt = pos; +@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo, + if (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0 && + newpos >= 0) { +- if (newpos > newinfo->size - +- sizeof(struct ipt_entry)) { +- duprintf("mark_source_chains: " +- "bad verdict (%i)\n", +- newpos); +- return 0; +- } + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); +@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + /* ... this is a fallthru */ + newpos = pos + e->next_offset; + } ++ ++ if (newpos > newinfo->size - sizeof(*e)) ++ return 0; ++ + e = (struct ipt_entry *) + (entry0 + newpos); + e->counters.pcnt = pos; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 99425cf..d88a794 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo, + + /* Move along one */ + size = e->next_offset; ++ if (pos + size > newinfo->size - sizeof(*e)) ++ return 0; + e = (struct ip6t_entry *) + (entry0 + pos + size); + e->counters.pcnt = pos; +@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo, + if (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0 && + newpos >= 0) { +- if (newpos > newinfo->size - +- sizeof(struct ip6t_entry)) { +- duprintf("mark_source_chains: " +- "bad verdict (%i)\n", +- newpos); +- return 0; +- } + /* This a jump; chase it. */ + duprintf("Jump rule %u -> %u\n", + pos, newpos); +@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + /* ... this is a fallthru */ + newpos = pos + e->next_offset; + } ++ ++ if (newpos > newinfo->size - sizeof(*e)) ++ return 0; ++ + e = (struct ip6t_entry *) + (entry0 + newpos); + e->counters.pcnt = pos; +-- +2.4.10 @@ -1,4 +1,2 @@ -9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz -dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz -78a23c8a117f99bbe8f45bdd0183cf18 patch-4.5-rc7.xz -6fb09377dd2cd1acddc7f23dadbfafa5 patch-4.5-rc7-git2.xz +a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz +6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz |