diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-10-05 13:46:01 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-10-05 13:46:01 +0200 |
commit | 1e8bb73ca1c43cf8cd9c8ed5ce32f9e89ba1376d (patch) | |
tree | b215a059917c2cf07af302bb34a816b7e4790822 | |
parent | c76517982f9a013a71786a3f84054fe6bbd3c83c (diff) | |
parent | f84d7d7b5bcdbd25a02d23aa617cb672574a7929 (diff) | |
download | kernel-1e8bb73ca1c43cf8cd9c8ed5ce32f9e89ba1376d.tar.gz kernel-1e8bb73ca1c43cf8cd9c8ed5ce32f9e89ba1376d.tar.xz kernel-1e8bb73ca1c43cf8cd9c8ed5ce32f9e89ba1376d.zip |
Merge remote-tracking branch 'origin/f30' into f30-user-thl-vanilla-fedora
-rw-r--r-- | efi-lockdown.patch | 18 | ||||
-rw-r--r-- | enforce-CAP_NET_RAW-for-raw-sockets.patch | 171 | ||||
-rw-r--r-- | kernel.spec | 8 |
3 files changed, 190 insertions, 7 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch index 25c143fd3..297cb7015 100644 --- a/efi-lockdown.patch +++ b/efi-lockdown.patch @@ -1871,16 +1871,20 @@ index fa0ce7dd9e24..06c60fed7656 100644 op_p = __sysrq_get_key_op(key); if (op_p) { +- /* +- * Should we check for enabled operations (/proc/sysrq-trigger +- * should not) and is the invoked operation enabled? +- */ +- if (!check_mask || sysrq_on_mask(op_p->enable_mask)) { + /* Ban synthetic events from some sysrq functionality */ + if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) && -+ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) ++ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) { + printk("This sysrq operation is disabled from userspace.\n"); - /* - * Should we check for enabled operations (/proc/sysrq-trigger - * should not) and is the invoked operation enabled? - */ -- if (!check_mask || sysrq_on_mask(op_p->enable_mask)) { -+ if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { ++ } else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { ++ /* ++ * Should we check for enabled operations (/proc/sysrq-trigger ++ * should not) and is the invoked operation enabled? ++ */ pr_info("%s\n", op_p->action_msg); console_loglevel = orig_log_level; op_p->handler(key); diff --git a/enforce-CAP_NET_RAW-for-raw-sockets.patch b/enforce-CAP_NET_RAW-for-raw-sockets.patch new file mode 100644 index 000000000..f253a35af --- /dev/null +++ b/enforce-CAP_NET_RAW-for-raw-sockets.patch @@ -0,0 +1,171 @@ +From b91ee4aa2a2199ba4d4650706c272985a5a32d80 Mon Sep 17 00:00:00 2001 +From: Ori Nimron <orinimron123@gmail.com> +Date: Fri, 20 Sep 2019 09:35:45 +0200 +Subject: mISDN: enforce CAP_NET_RAW for raw sockets + +When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron <orinimron123@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/isdn/mISDN/socket.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c +index c6ba37df4b9d..dff4132b3702 100644 +--- a/drivers/isdn/mISDN/socket.c ++++ b/drivers/isdn/mISDN/socket.c +@@ -754,6 +754,8 @@ base_sock_create(struct net *net, struct socket *sock, int protocol, int kern) + + if (sock->type != SOCK_RAW) + return -ESOCKTNOSUPPORT; ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + + sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto, kern); + if (!sk) +-- +cgit 1.2-0.3.lf.el7 + + +From 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac Mon Sep 17 00:00:00 2001 +From: Ori Nimron <orinimron123@gmail.com> +Date: Fri, 20 Sep 2019 09:35:46 +0200 +Subject: appletalk: enforce CAP_NET_RAW for raw sockets + +When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron <orinimron123@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/appletalk/ddp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index 4072e9d394d6..b41375d4d295 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1023,6 +1023,11 @@ static int atalk_create(struct net *net, struct socket *sock, int protocol, + */ + if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM) + goto out; ++ ++ rc = -EPERM; ++ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) ++ goto out; ++ + rc = -ENOMEM; + sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto, kern); + if (!sk) +-- +cgit 1.2-0.3.lf.el7 + + +From 0614e2b73768b502fc32a75349823356d98aae2c Mon Sep 17 00:00:00 2001 +From: Ori Nimron <orinimron123@gmail.com> +Date: Fri, 20 Sep 2019 09:35:47 +0200 +Subject: ax25: enforce CAP_NET_RAW for raw sockets + +When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron <orinimron123@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ax25/af_ax25.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index ca5207767dc2..bb222b882b67 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -855,6 +855,8 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol, + break; + + case SOCK_RAW: ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + break; + default: + return -ESOCKTNOSUPPORT; +-- +cgit 1.2-0.3.lf.el7 + + +From e69dbd4619e7674c1679cba49afd9dd9ac347eef Mon Sep 17 00:00:00 2001 +From: Ori Nimron <orinimron123@gmail.com> +Date: Fri, 20 Sep 2019 09:35:48 +0200 +Subject: ieee802154: enforce CAP_NET_RAW for raw sockets + +When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be +checked first. + +Signed-off-by: Ori Nimron <orinimron123@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Acked-by: Stefan Schmidt <stefan@datenfreihafen.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ieee802154/socket.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c +index badc5cfe4dc6..d93d4531aa9b 100644 +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -1008,6 +1008,9 @@ static int ieee802154_create(struct net *net, struct socket *sock, + + switch (sock->type) { + case SOCK_RAW: ++ rc = -EPERM; ++ if (!capable(CAP_NET_RAW)) ++ goto out; + proto = &ieee802154_raw_prot; + ops = &ieee802154_raw_ops; + break; +-- +cgit 1.2-0.3.lf.el7 + + +From 3a359798b176183ef09efb7a3dc59abad1cc7104 Mon Sep 17 00:00:00 2001 +From: Ori Nimron <orinimron123@gmail.com> +Date: Fri, 20 Sep 2019 09:35:49 +0200 +Subject: nfc: enforce CAP_NET_RAW for raw sockets + +When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron <orinimron123@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/nfc/llcp_sock.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index 9b8742947aff..8dfea26536c9 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -1004,10 +1004,13 @@ static int llcp_sock_create(struct net *net, struct socket *sock, + sock->type != SOCK_RAW) + return -ESOCKTNOSUPPORT; + +- if (sock->type == SOCK_RAW) ++ if (sock->type == SOCK_RAW) { ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + sock->ops = &llcp_rawsock_ops; +- else ++ } else { + sock->ops = &llcp_sock_ops; ++ } + + sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC, kern); + if (sk == NULL) +-- +cgit 1.2-0.3.lf.el7 + diff --git a/kernel.spec b/kernel.spec index a7ca0a165..9bb64b0dc 100644 --- a/kernel.spec +++ b/kernel.spec @@ -607,6 +607,10 @@ Patch506: dwc3-fix.patch # https://patchwork.kernel.org/patch/11158395/ Patch507: iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch +# CVE-2019-17052 CVE-2019-17053 CVE-2019-17054 CVE-2019-17055 CVE-2019-17056 +# rhbz 1758239 1758240 1758242 1758243 1758245 1758246 1758248 1758249 1758256 1758257 +Patch508: enforce-CAP_NET_RAW-for-raw-sockets.patch + # END OF PATCH DEFINITIONS %endif @@ -1847,6 +1851,10 @@ fi # # %changelog +* Wed Oct 03 2019 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2019-17052 CVE-2019-17053 CVE-2019-17054 CVE-2019-17055 CVE-2019-17056 + (rhbz 1758239 1758240 1758242 1758243 1758245 1758246 1758248 1758249 1758256 1758257) + * Tue Oct 01 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.2.18-200 - Linux v5.2.18 |