Merge remote-tracking branch 'origin/f30' into f30-user-thl-vanilla-fedora

3 files changed, 190 insertions, 7 deletions

diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index 25c143fd3..297cb7015 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -1871,16 +1871,20 @@ index fa0ce7dd9e24..06c60fed7656 100644
  
          op_p = __sysrq_get_key_op(key);
          if (op_p) {
+-		/*
+-		 * Should we check for enabled operations (/proc/sysrq-trigger
+-		 * should not) and is the invoked operation enabled?
+-		 */
+-		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
 +		/* Ban synthetic events from some sysrq functionality */
 +		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
-+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
++		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) {
 +			printk("This sysrq operation is disabled from userspace.\n");
- 		/*
- 		 * Should we check for enabled operations (/proc/sysrq-trigger
- 		 * should not) and is the invoked operation enabled?
- 		 */
--		if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
-+		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
++		} else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
++			/*
++			 * Should we check for enabled operations (/proc/sysrq-trigger
++			 * should not) and is the invoked operation enabled?
++			 */
  			pr_info("%s\n", op_p->action_msg);
  			console_loglevel = orig_log_level;
  			op_p->handler(key);
diff --git a/enforce-CAP_NET_RAW-for-raw-sockets.patch b/enforce-CAP_NET_RAW-for-raw-sockets.patch
new file mode 100644
index 000000000..f253a35af
--- /dev/null
+++ b/enforce-CAP_NET_RAW-for-raw-sockets.patch
@@ -0,0 +1,171 @@
+From b91ee4aa2a2199ba4d4650706c272985a5a32d80 Mon Sep 17 00:00:00 2001
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:45 +0200
+Subject: mISDN: enforce CAP_NET_RAW for raw sockets
+
+When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/isdn/mISDN/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
+index c6ba37df4b9d..dff4132b3702 100644
+--- a/drivers/isdn/mISDN/socket.c
++++ b/drivers/isdn/mISDN/socket.c
+@@ -754,6 +754,8 @@ base_sock_create(struct net *net, struct socket *sock, int protocol, int kern)
+ 
+ 	if (sock->type != SOCK_RAW)
+ 		return -ESOCKTNOSUPPORT;
++	if (!capable(CAP_NET_RAW))
++		return -EPERM;
+ 
+ 	sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto, kern);
+ 	if (!sk)
+-- 
+cgit 1.2-0.3.lf.el7
+
+
+From 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac Mon Sep 17 00:00:00 2001
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:46 +0200
+Subject: appletalk: enforce CAP_NET_RAW for raw sockets
+
+When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/appletalk/ddp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 4072e9d394d6..b41375d4d295 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1023,6 +1023,11 @@ static int atalk_create(struct net *net, struct socket *sock, int protocol,
+ 	 */
+ 	if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
+ 		goto out;
++
++	rc = -EPERM;
++	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
++		goto out;
++
+ 	rc = -ENOMEM;
+ 	sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto, kern);
+ 	if (!sk)
+-- 
+cgit 1.2-0.3.lf.el7
+
+
+From 0614e2b73768b502fc32a75349823356d98aae2c Mon Sep 17 00:00:00 2001
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:47 +0200
+Subject: ax25: enforce CAP_NET_RAW for raw sockets
+
+When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ax25/af_ax25.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index ca5207767dc2..bb222b882b67 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -855,6 +855,8 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
+ 		break;
+ 
+ 	case SOCK_RAW:
++		if (!capable(CAP_NET_RAW))
++			return -EPERM;
+ 		break;
+ 	default:
+ 		return -ESOCKTNOSUPPORT;
+-- 
+cgit 1.2-0.3.lf.el7
+
+
+From e69dbd4619e7674c1679cba49afd9dd9ac347eef Mon Sep 17 00:00:00 2001
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:48 +0200
+Subject: ieee802154: enforce CAP_NET_RAW for raw sockets
+
+When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be
+checked first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ieee802154/socket.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
+index badc5cfe4dc6..d93d4531aa9b 100644
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -1008,6 +1008,9 @@ static int ieee802154_create(struct net *net, struct socket *sock,
+ 
+ 	switch (sock->type) {
+ 	case SOCK_RAW:
++		rc = -EPERM;
++		if (!capable(CAP_NET_RAW))
++			goto out;
+ 		proto = &ieee802154_raw_prot;
+ 		ops = &ieee802154_raw_ops;
+ 		break;
+-- 
+cgit 1.2-0.3.lf.el7
+
+
+From 3a359798b176183ef09efb7a3dc59abad1cc7104 Mon Sep 17 00:00:00 2001
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:49 +0200
+Subject: nfc: enforce CAP_NET_RAW for raw sockets
+
+When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/nfc/llcp_sock.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
+index 9b8742947aff..8dfea26536c9 100644
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -1004,10 +1004,13 @@ static int llcp_sock_create(struct net *net, struct socket *sock,
+ 	    sock->type != SOCK_RAW)
+ 		return -ESOCKTNOSUPPORT;
+ 
+-	if (sock->type == SOCK_RAW)
++	if (sock->type == SOCK_RAW) {
++		if (!capable(CAP_NET_RAW))
++			return -EPERM;
+ 		sock->ops = &llcp_rawsock_ops;
+-	else
++	} else {
+ 		sock->ops = &llcp_sock_ops;
++	}
+ 
+ 	sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC, kern);
+ 	if (sk == NULL)
+-- 
+cgit 1.2-0.3.lf.el7
+
diff --git a/kernel.spec b/kernel.spec
index a7ca0a165..9bb64b0dc 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -607,6 +607,10 @@ Patch506: dwc3-fix.patch
 # https://patchwork.kernel.org/patch/11158395/
 Patch507: iwlwifi-fw-don-t-send-GEO_TX_POWER_LIMIT-command-to-FW-version-36.patch
 
+# CVE-2019-17052 CVE-2019-17053 CVE-2019-17054 CVE-2019-17055 CVE-2019-17056
+# rhbz 1758239 1758240 1758242 1758243 1758245 1758246 1758248 1758249 1758256 1758257
+Patch508: enforce-CAP_NET_RAW-for-raw-sockets.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1847,6 +1851,10 @@ fi
 #
 #
 %changelog
+* Wed Oct 03 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-17052 CVE-2019-17053 CVE-2019-17054 CVE-2019-17055 CVE-2019-17056
+  (rhbz 1758239 1758240 1758242 1758243 1758245 1758246 1758248 1758249 1758256 1758257)
+
 * Tue Oct 01 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.2.18-200
 - Linux v5.2.18