summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJustin M. Forbes <jforbes@redhat.com>2017-02-08 10:00:13 -0600
committerJustin M. Forbes <jforbes@redhat.com>2017-02-08 10:00:13 -0600
commitfcf164c466efbed1822c5a30042cca01d9487f36 (patch)
tree59641954693f46dc3e7b0251d7c8c6e79245159c
parentcbf9a4853ae920d61ed056da9d90f6e679c74308 (diff)
downloadkernel-fcf164c466efbed1822c5a30042cca01d9487f36.tar.gz
kernel-fcf164c466efbed1822c5a30042cca01d9487f36.tar.xz
kernel-fcf164c466efbed1822c5a30042cca01d9487f36.zip
Linux v4.10-rc7-65-g926af627
-rw-r--r--gitrev2
-rw-r--r--ip6_gre-fix-ip6gre_err-invalid-reads.patch91
-rw-r--r--kernel.spec9
-rw-r--r--sources2
4 files changed, 6 insertions, 98 deletions
diff --git a/gitrev b/gitrev
index 96a03fa2c..71a596ec8 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-8b1b41ee74f9712c355d66dc105bbea663ae0afd
+926af6273fc683cd98cd0ce7bf0d04a02eed6742
diff --git a/ip6_gre-fix-ip6gre_err-invalid-reads.patch b/ip6_gre-fix-ip6gre_err-invalid-reads.patch
deleted file mode 100644
index 756663c11..000000000
--- a/ip6_gre-fix-ip6gre_err-invalid-reads.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 Mon Sep 17 00:00:00 2001
-From: Eric Dumazet <edumazet@google.com>
-Date: Sat, 4 Feb 2017 23:18:55 -0800
-Subject: ip6_gre: fix ip6gre_err() invalid reads
-
-Andrey Konovalov reported out of bound accesses in ip6gre_err()
-
-If GRE flags contains GRE_KEY, the following expression
-*(((__be32 *)p) + (grehlen / 4) - 1)
-
-accesses data ~40 bytes after the expected point, since
-grehlen includes the size of IPv6 headers.
-
-Let's use a "struct gre_base_hdr *greh" pointer to make this
-code more readable.
-
-p[1] becomes greh->protocol.
-grhlen is the GRE header length.
-
-Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: Andrey Konovalov <andreyknvl@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv6/ip6_gre.c | 40 +++++++++++++++++++++-------------------
- 1 file changed, 21 insertions(+), 19 deletions(-)
-
-diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
-index 5586318..630b73b 100644
---- a/net/ipv6/ip6_gre.c
-+++ b/net/ipv6/ip6_gre.c
-@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
-
-
- static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
-- u8 type, u8 code, int offset, __be32 info)
-+ u8 type, u8 code, int offset, __be32 info)
- {
-- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data;
-- __be16 *p = (__be16 *)(skb->data + offset);
-- int grehlen = offset + 4;
-+ const struct gre_base_hdr *greh;
-+ const struct ipv6hdr *ipv6h;
-+ int grehlen = sizeof(*greh);
- struct ip6_tnl *t;
-+ int key_off = 0;
- __be16 flags;
-+ __be32 key;
-
-- flags = p[0];
-- if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) {
-- if (flags&(GRE_VERSION|GRE_ROUTING))
-- return;
-- if (flags&GRE_KEY) {
-- grehlen += 4;
-- if (flags&GRE_CSUM)
-- grehlen += 4;
-- }
-+ if (!pskb_may_pull(skb, offset + grehlen))
-+ return;
-+ greh = (const struct gre_base_hdr *)(skb->data + offset);
-+ flags = greh->flags;
-+ if (flags & (GRE_VERSION | GRE_ROUTING))
-+ return;
-+ if (flags & GRE_CSUM)
-+ grehlen += 4;
-+ if (flags & GRE_KEY) {
-+ key_off = grehlen + offset;
-+ grehlen += 4;
- }
-
-- /* If only 8 bytes returned, keyed message will be dropped here */
-- if (!pskb_may_pull(skb, grehlen))
-+ if (!pskb_may_pull(skb, offset + grehlen))
- return;
- ipv6h = (const struct ipv6hdr *)skb->data;
-- p = (__be16 *)(skb->data + offset);
-+ greh = (const struct gre_base_hdr *)(skb->data + offset);
-+ key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
-
- t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
-- flags & GRE_KEY ?
-- *(((__be32 *)p) + (grehlen / 4) - 1) : 0,
-- p[1]);
-+ key, greh->protocol);
- if (!t)
- return;
-
---
-cgit v0.12
-
diff --git a/kernel.spec b/kernel.spec
index 50a71e430..17e1ba51d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -69,7 +69,7 @@ Summary: The Linux kernel
# The rc snapshot level
%global rcrev 7
# The git snapshot level
-%define gitrev 1
+%define gitrev 2
# Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0
%endif
@@ -599,10 +599,6 @@ Patch853: 0001-Work-around-for-gcc7-and-arm64.patch
#CVE-2017-2596 rhbz 1417812 1417813
Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
-#CVE-2017-5897 rhbz 1419848 1419851
-Patch855: ip6_gre-fix-ip6gre_err-invalid-reads.patch
-
-
# END OF PATCH DEFINITIONS
%endif
@@ -2173,6 +2169,9 @@ fi
#
#
%changelog
+* Wed Feb 08 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc7.git2.1
+- Linux v4.10-rc7-65-g926af627
+
* Tue Feb 07 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc7.git1.1
- Linux v4.10-rc7-29-g8b1b41e
- Reenable debugging options.
diff --git a/sources b/sources
index ad4dec032..7ddd1de66 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
SHA512 (patch-4.10-rc7.xz) = 206e5e97581bb376141398b6962fbbc4ee0a58b50fae1de83f3f6f3c06502b260f006628aab738d63994a6d1c0276717d49e882a8107b8f9c24d565a2a70ea9b
-SHA512 (patch-4.10-rc7-git1.xz) = 6b71afe5c9bd79e551bcd26798284ce1d77359e8787a1861d2acfeaec7222abf08dd0bf92c842c0fa790271dbcce42c895d50b805e0a868525c8d73ff425d3b1
+SHA512 (patch-4.10-rc7-git2.xz) = eab140627e4d14eabe40b69c34e50418fa9ec5602506e2a5d80b92de11b182ef86378df64461770767e667ac0045d988ca3c22d7509786088e4bd9945d0eb233