diff options
| -rw-r--r-- | gitrev | 2 | ||||
| -rw-r--r-- | ip6_gre-fix-ip6gre_err-invalid-reads.patch | 91 | ||||
| -rw-r--r-- | kernel.spec | 9 | ||||
| -rw-r--r-- | sources | 2 |
4 files changed, 6 insertions, 98 deletions
@@ -1 +1 @@ -8b1b41ee74f9712c355d66dc105bbea663ae0afd +926af6273fc683cd98cd0ce7bf0d04a02eed6742 diff --git a/ip6_gre-fix-ip6gre_err-invalid-reads.patch b/ip6_gre-fix-ip6gre_err-invalid-reads.patch deleted file mode 100644 index 756663c11..000000000 --- a/ip6_gre-fix-ip6gre_err-invalid-reads.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet <edumazet@google.com> -Date: Sat, 4 Feb 2017 23:18:55 -0800 -Subject: ip6_gre: fix ip6gre_err() invalid reads - -Andrey Konovalov reported out of bound accesses in ip6gre_err() - -If GRE flags contains GRE_KEY, the following expression -*(((__be32 *)p) + (grehlen / 4) - 1) - -accesses data ~40 bytes after the expected point, since -grehlen includes the size of IPv6 headers. - -Let's use a "struct gre_base_hdr *greh" pointer to make this -code more readable. - -p[1] becomes greh->protocol. -grhlen is the GRE header length. - -Fixes: c12b395a4664 ("gre: Support GRE over IPv6") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: Andrey Konovalov <andreyknvl@google.com> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/ipv6/ip6_gre.c | 40 +++++++++++++++++++++------------------- - 1 file changed, 21 insertions(+), 19 deletions(-) - -diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index 5586318..630b73b 100644 ---- a/net/ipv6/ip6_gre.c -+++ b/net/ipv6/ip6_gre.c -@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev) - - - static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt, -- u8 type, u8 code, int offset, __be32 info) -+ u8 type, u8 code, int offset, __be32 info) - { -- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data; -- __be16 *p = (__be16 *)(skb->data + offset); -- int grehlen = offset + 4; -+ const struct gre_base_hdr *greh; -+ const struct ipv6hdr *ipv6h; -+ int grehlen = sizeof(*greh); - struct ip6_tnl *t; -+ int key_off = 0; - __be16 flags; -+ __be32 key; - -- flags = p[0]; -- if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) { -- if (flags&(GRE_VERSION|GRE_ROUTING)) -- return; -- if (flags&GRE_KEY) { -- grehlen += 4; -- if (flags&GRE_CSUM) -- grehlen += 4; -- } -+ if (!pskb_may_pull(skb, offset + grehlen)) -+ return; -+ greh = (const struct gre_base_hdr *)(skb->data + offset); -+ flags = greh->flags; -+ if (flags & (GRE_VERSION | GRE_ROUTING)) -+ return; -+ if (flags & GRE_CSUM) -+ grehlen += 4; -+ if (flags & GRE_KEY) { -+ key_off = grehlen + offset; -+ grehlen += 4; - } - -- /* If only 8 bytes returned, keyed message will be dropped here */ -- if (!pskb_may_pull(skb, grehlen)) -+ if (!pskb_may_pull(skb, offset + grehlen)) - return; - ipv6h = (const struct ipv6hdr *)skb->data; -- p = (__be16 *)(skb->data + offset); -+ greh = (const struct gre_base_hdr *)(skb->data + offset); -+ key = key_off ? *(__be32 *)(skb->data + key_off) : 0; - - t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr, -- flags & GRE_KEY ? -- *(((__be32 *)p) + (grehlen / 4) - 1) : 0, -- p[1]); -+ key, greh->protocol); - if (!t) - return; - --- -cgit v0.12 - diff --git a/kernel.spec b/kernel.spec index 97613f308..1e86722d6 100644 --- a/kernel.spec +++ b/kernel.spec @@ -77,7 +77,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 7 # The git snapshot level -%define gitrev 1 +%define gitrev 2 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -616,10 +616,6 @@ Patch853: 0001-Work-around-for-gcc7-and-arm64.patch #CVE-2017-2596 rhbz 1417812 1417813 Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch -#CVE-2017-5897 rhbz 1419848 1419851 -Patch855: ip6_gre-fix-ip6gre_err-invalid-reads.patch - - # END OF PATCH DEFINITIONS %endif @@ -2193,6 +2189,9 @@ fi # # %changelog +* Wed Feb 08 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc7.git2.1 +- Linux v4.10-rc7-65-g926af627 + * Tue Feb 07 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc7.git1.1 - Linux v4.10-rc7-29-g8b1b41e - Reenable debugging options. @@ -1,4 +1,4 @@ SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99 SHA512 (patch-4.10-rc7.xz) = 206e5e97581bb376141398b6962fbbc4ee0a58b50fae1de83f3f6f3c06502b260f006628aab738d63994a6d1c0276717d49e882a8107b8f9c24d565a2a70ea9b -SHA512 (patch-4.10-rc7-git1.xz) = 6b71afe5c9bd79e551bcd26798284ce1d77359e8787a1861d2acfeaec7222abf08dd0bf92c842c0fa790271dbcce42c895d50b805e0a868525c8d73ff425d3b1 +SHA512 (patch-4.10-rc7-git2.xz) = eab140627e4d14eabe40b69c34e50418fa9ec5602506e2a5d80b92de11b182ef86378df64461770767e667ac0045d988ca3c22d7509786088e4bd9945d0eb233 |