author | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-12-09 16:34:20 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2016-12-09 16:34:20 +0100 |
commit | f410c5b74393fb851803e608670c57150d107d3d (patch) | |
tree | 392902928d54138a1dfccdc49b5be8b85f6108f4 | |
parent | f95c16a92db56a85125f0aa6d440a448d5e1b1a6 (diff) | |
parent | 23b914572b6307dcf4389e537375d26d8477658a (diff) | |
Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedorakernel-4.8.13-100.vanilla.knurd.1.fc23
-rw-r--r-- | 0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch | 42 | ||||
-rw-r--r-- | 0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch | 49 | ||||
-rw-r--r-- | 0001-packet-fix-race-condition-in-packet_set_ring.patch | 92 | ||||
-rw-r--r-- | config-generic | 2 | ||||
-rw-r--r-- | kernel.spec | 24 | ||||
-rw-r--r-- | sources | 2 |
6 files changed, 208 insertions, 3 deletions
diff --git a/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch b/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
new file mode 100644
index 000000000..8c3795439
--- /dev/null
+++ b/0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
@@ -0,0 +1,42 @@
+From a0ac402cfcdc904f9772e1762b3fda112dcc56a0 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 6 Dec 2016 16:18:14 -0800
+Subject: [PATCH] Don't feed anything but regular iovec's to
+ blk_rq_map_user_iov
+
+In theory we could map other things, but there's a reason that function
+is called "user_iov". Using anything else (like splice can do) just
+confuses it.
+
+Reported-and-tested-by: Johannes Thumshirn <jthumshirn@suse.de>
+Cc: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ block/blk-map.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index b8657fa..27fd8d92 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ struct iov_iter i;
+ int ret;
+
++ if (!iter_is_iovec(iter))
++ goto fail;
++
+ if (map_data)
+ copy = true;
+ else if (iov_iter_alignment(iter) & align)
+@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+
+ unmap_rq:
+ __blk_rq_unmap_user(bio);
++fail:
+ rq->bio = NULL;
+ return -EINVAL;
+ }
+--
+2.9.3
+
diff --git a/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch b/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
new file mode 100644
index 000000000..6d5771ccd
--- /dev/null
+++ b/0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
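Review bot: The new `if (!iter_is_iovec(iter)) goto fail;` in the blk_rq_map_user_iov hunk carries the whole restriction of this fix, yet the reason for it lives only in the commit message, so a later reader has nothing in the code to stop them relaxing the check to admit other iterator kinds. A one-line comment above it would pin the intent: `/* Only plain user iovecs are supported; other iter types (splice, etc.) confuse the mapping below. */`. The added `fail:` label is reached before any bio has been mapped, unlike `unmap_rq:` just above it, so a short note at the label saying it deliberately skips `__blk_rq_unmap_user()` would keep the two exits from being merged by mistake. blk_rq_map_user_iov starts and ends outside the hunks.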
@@ -0,0 +1,49 @@
+From b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 2 Dec 2016 09:44:53 -0800
+Subject: [PATCH] net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
+
+CAP_NET_ADMIN users should not be allowed to set negative
+sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
+corruptions, crashes, OOM...
+
+Note that before commit 82981930125a ("net: cleanups in
+sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
+and SO_RCVBUF were vulnerable.
+
+This needs to be backported to all known linux kernels.
+
+Again, many thanks to syzkaller team for discovering this gem.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/core/sock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 5e3ca41..00a074d 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -715,7 +715,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
+ val = min_t(u32, val, sysctl_wmem_max);
+ set_sndbuf:
+ sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
+- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
++ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
+ /* Wake up sending tasks if we upped the value. */
+ sk->sk_write_space(sk);
+ break;
+@@ -751,7 +751,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
+ * returning the value we actually used in getsockopt
+ * is the most desirable behavior.
+ */
+- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
++ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
+ break;
+
+ case SO_RCVBUFFORCE:
+--
+2.9.3
+
diff --git a/0001-packet-fix-race-condition-in-packet_set_ring.patch b/0001-packet-fix-race-condition-in-packet_set_ring.patch
new file mode 100644
index 000000000..ba7da62e7
--- /dev/null
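Review bot: The switch to `max_t(int, val * 2, SOCK_MIN_SNDBUF)` and `max_t(int, val * 2, SOCK_MIN_RCVBUF)` on the new lines of both sock_setsockopt hunks makes a negative val fall through to the minimum as intended, but `val * 2` itself is still computed on an unclamped int: the `set_sndbuf:` label sits after the `min_t(u32, val, sysctl_wmem_max)` clamp, so the FORCE paths that jump to it presumably skip that clamp, and any val above INT_MAX/2 wraps to a negative product that max_t then silently replaces with the minimum buffer size. Clamping before doubling keeps an oversized request from degrading to the minimum and avoids relying on signed wraparound at all: `val = min_t(int, val, INT_MAX / 2);` immediately before each assignment (the same applies to the -751 hunk). This is a hardening follow-up rather than a gap in the fix itself; sock_setsockopt starts and ends outside the hunks.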
+++ b/0001-packet-fix-race-condition-in-packet_set_ring.patch 
@@ -0,0 +1,92 @@
+From 84ac7260236a49c79eede91617700174c2c19b0c Mon Sep 17 00:00:00 2001
+From: Philip Pettersson <philip.pettersson@gmail.com>
+Date: Wed, 30 Nov 2016 14:55:36 -0800
+Subject: [PATCH] packet: fix race condition in packet_set_ring
+
+When packet_set_ring creates a ring buffer it will initialize a
+struct timer_list if the packet version is TPACKET_V3. This value
+can then be raced by a different thread calling setsockopt to
+set the version to TPACKET_V1 before packet_set_ring has finished.
+
+This leads to a use-after-free on a function pointer in the
+struct timer_list when the socket is closed as the previously
+initialized timer will not be deleted.
+
+The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
+changing the packet version while also taking the lock at the start
+of packet_set_ring.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/packet/af_packet.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index d2238b2..dd23323 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+ switch (val) {
+ case TPACKET_V1:
+ case TPACKET_V2:
+ case TPACKET_V3:
+- po->tp_version = val;
+- return 0;
++ break;
+ default:
+ return -EINVAL;
+ }
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_version = val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_RESERVE:
+ {
+@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ /* Added to avoid minimal code churn */
+ struct tpacket_req *req = &req_u->req;
+
++ lock_sock(sk);
+ /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
+ if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
+ net_warn_ratelimited("Tx-ring is not supported.\n");
+@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ goto out;
+ }
+
+- lock_sock(sk);
+
+ /* Detach socket from network */
+ spin_lock(&po->bind_lock);
+@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ if (!tx_ring)
+ prb_shutdown_retire_blk_timer(po, rb_queue);
+ }
+- release_sock(sk);
+
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
++ release_sock(sk);
+ return err;
+ }
+
+--
+2.9.3
+
diff --git a/config-generic b/config-generic
index 744489577..5b15dc4d1 100644
--- a/config-generic
+++ b/config-generic
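Review bot: The `lock_sock(sk)` added at the top of packet_set_ring (the -4164 hunk) is paired only with the `release_sock(sk)` added at `out:`, so the lock is now held across the whole function, including the early `goto out` after the "Tx-ring is not supported" warning, and any exit in the body outside these hunks that returns without reaching `out:` would leak the socket lock; a comment at the new lock would make that invariant explicit: `/* Held until the out: label below; every error path must goto out. */`. The widened critical section also means packet_set_ring must not be entered with the socket lock already held, which previously applied only to its second half, so a line in the function's header comment stating that callers must not hold the socket lock would help anyone adding a new call site. In the PACKET_VERSION hunk `ret` is assigned but not declared within the hunk, so it presumably comes from the enclosing packet_setsockopt scope; worth confirming it is not shadowed in that block. Both functions start and end outside the hunks.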
@@ -1406,7 +1406,7 @@ CONFIG_L2TP_ETH=m
 # CONFIG_CAIF is not set
-CONFIG_AF_KCM=m
+# CONFIG_AF_KCM is not set
 CONFIG_LWTUNNEL=y
 CONFIG_NET_DEVLINK=m
diff --git a/kernel.spec b/kernel.spec
index d93540b30..0a10582a3 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -60,7 +60,7 @@ Summary: The Linux kernel
 # Do we have a -stable update to apply?
-%define stable_update 12
+%define stable_update 13
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -656,6 +656,15 @@ Patch854: nouveau-add-maxwell-to-backlight-init.patch
 # CVE-2016-9755 rhbz 1400904 1400905
 Patch856: 0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
+# CVE-2016-8655 rhbz 1400019 1401820
+Patch857: 0001-packet-fix-race-condition-in-packet_set_ring.patch
+
+# CVE-2016-9793 rhbz 1402013 1402014
+Patch858: 0001-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
+
+# CVE-2016-9576 rhbz 1403145 1403146
+Patch859: 0001-Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2181,6 +2190,19 @@ fi
 #
 #
 %changelog
+* Fri Dec 09 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.13-100
+- Linux v4.8.13
+- CVE-2016-9576 fix use after free in SCSI generic device interface (rhbz 1403145 1403146)
+
+* Wed Dec 07 2016 Laura Abbott <labbott@fedoraproject.org>
+- Disable CONFIG_AF_KCM (rhbz 1402489)
+
+* Wed Dec 07 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2016-9793 avoid signed overflows for SO_{SND|RCV}BUFFORCE (rhbz 1402013 1402014)
+
+* Tue Dec 06 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2016-8655 fix race condition in packet_set_ring (rhbz 1400019 1401820)
+
 * Fri Dec 02 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.12-100
 - Linux v4.8.12
 - CVE-2016-9755 Fix Out-of-bounds write issue when defragmenting ipv6 packets (rhbz 1400904 1400905)
@@ -1,3 +1,3 @@
 c1af0afbd3df35c1ccdc7a5118cd2d07 linux-4.8.tar.xz
 0dad03f586e835d538d3e0d2cbdb9a28 perf-man-4.8.tar.gz
-9a938fd7a82d8b390f957657947fe673 patch-4.8.12.xz
+bc208ac66340464839ee61a4621d9384 patch-4.8.13.xz |