diff options
-rw-r--r-- | 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch | 54 | ||||
-rw-r--r-- | baseconfig/powerpc/CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE | 2 | ||||
-rw-r--r-- | baseconfig/powerpc/CONFIG_SWIOTLB | 2 | ||||
-rw-r--r-- | kernel-ppc64-debug.config | 4 | ||||
-rw-r--r-- | kernel-ppc64.config | 4 | ||||
-rw-r--r-- | kernel-ppc64le-debug.config | 4 | ||||
-rw-r--r-- | kernel-ppc64le.config | 4 | ||||
-rw-r--r-- | kernel-ppc64p7-debug.config | 4 | ||||
-rw-r--r-- | kernel-ppc64p7.config | 4 | ||||
-rw-r--r-- | kernel.spec | 26 | ||||
-rw-r--r-- | net-packet-fix-tp_reserve-race-in-packet_set_ring.patch | 57 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | udp-consistently-apply-ufo-or-fragmentation.patch | 93 |
13 files changed, 187 insertions, 73 deletions
diff --git a/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch deleted file mode 100644 index be8b6c6a0..000000000 --- a/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001 -From: Sabrina Dubroca <sd@queasysnail.net> -Date: Wed, 19 Jul 2017 22:28:55 +0200 -Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt - -In some cases, offset can overflow and can cause an infinite loop in -ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and -cap it at IPV6_MAXPLEN, since packets larger than that should be invalid. - -This problem has been here since before the beginning of git history. - -Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> -Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> -Signed-off-by: David S. Miller <davem@davemloft.net> ---- - net/ipv6/output_core.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c -index e9065b8..abb2c30 100644 ---- a/net/ipv6/output_core.c -+++ b/net/ipv6/output_core.c -@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident); - - int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - { -- u16 offset = sizeof(struct ipv6hdr); -+ unsigned int offset = sizeof(struct ipv6hdr); - unsigned int packet_len = skb_tail_pointer(skb) - - skb_network_header(skb); - int found_rhdr = 0; -@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - - while (offset <= packet_len) { - struct ipv6_opt_hdr *exthdr; -+ unsigned int len; - - switch (**nexthdr) { - -@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) - - exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + - offset); -- offset += ipv6_optlen(exthdr); -+ len = ipv6_optlen(exthdr); -+ if (len + offset >= IPV6_MAXPLEN) -+ return -EINVAL; -+ offset += len; - *nexthdr = &exthdr->nexthdr; - } - --- -2.9.4 - diff --git a/baseconfig/powerpc/CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE b/baseconfig/powerpc/CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE index bbbf7d364..e7fe50c39 100644 --- a/baseconfig/powerpc/CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE +++ b/baseconfig/powerpc/CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE @@ -1 +1 @@ -CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set diff --git a/baseconfig/powerpc/CONFIG_SWIOTLB b/baseconfig/powerpc/CONFIG_SWIOTLB index 5405b65b4..ac62bf35e 100644 --- a/baseconfig/powerpc/CONFIG_SWIOTLB +++ b/baseconfig/powerpc/CONFIG_SWIOTLB @@ -1 +1 @@ -CONFIG_SWIOTLB=y +# CONFIG_SWIOTLB is not set diff --git a/kernel-ppc64-debug.config b/kernel-ppc64-debug.config index 5c3acbfc6..a8c70bd25 100644 --- a/kernel-ppc64-debug.config +++ b/kernel-ppc64-debug.config @@ -2655,7 +2655,7 @@ CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_MEMCG_SWAP=y CONFIG_MEMCG=y CONFIG_MEMORY_FAILURE=y -CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set CONFIG_MEMORY_HOTPLUG=y CONFIG_MEMORY_HOTREMOVE=y # CONFIG_MEMORY is not set @@ -4896,7 +4896,7 @@ CONFIG_SURFACE3_WMI=m CONFIG_SUSPEND_FREEZER=y CONFIG_SUSPEND=y CONFIG_SWAP=y -CONFIG_SWIOTLB=y +# CONFIG_SWIOTLB is not set # CONFIG_SW_SYNC is not set # CONFIG_SX9500 is not set CONFIG_SYNC_FILE=y diff --git a/kernel-ppc64.config b/kernel-ppc64.config index e67962c51..4ed57e633 100644 --- a/kernel-ppc64.config +++ b/kernel-ppc64.config @@ -2634,7 +2634,7 @@ CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_MEMCG_SWAP=y CONFIG_MEMCG=y CONFIG_MEMORY_FAILURE=y -CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set CONFIG_MEMORY_HOTPLUG=y CONFIG_MEMORY_HOTREMOVE=y # CONFIG_MEMORY is not set @@ -4872,7 +4872,7 @@ CONFIG_SURFACE3_WMI=m CONFIG_SUSPEND_FREEZER=y CONFIG_SUSPEND=y CONFIG_SWAP=y -CONFIG_SWIOTLB=y +# CONFIG_SWIOTLB is not set # CONFIG_SW_SYNC is not set # CONFIG_SX9500 is not set CONFIG_SYNC_FILE=y diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config index a1b849a01..61c4a2a41 100644 --- a/kernel-ppc64le-debug.config +++ b/kernel-ppc64le-debug.config @@ -2601,7 +2601,7 @@ CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_MEMCG_SWAP=y CONFIG_MEMCG=y CONFIG_MEMORY_FAILURE=y -CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set CONFIG_MEMORY_HOTPLUG=y CONFIG_MEMORY_HOTREMOVE=y # CONFIG_MEMORY is not set @@ -4825,7 +4825,7 @@ CONFIG_SURFACE3_WMI=m CONFIG_SUSPEND_FREEZER=y CONFIG_SUSPEND=y CONFIG_SWAP=y -CONFIG_SWIOTLB=y +# CONFIG_SWIOTLB is not set # CONFIG_SW_SYNC is not set # CONFIG_SX9500 is not set CONFIG_SYNC_FILE=y diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config index 56e21d7cf..331a336d9 100644 --- a/kernel-ppc64le.config +++ b/kernel-ppc64le.config @@ -2580,7 +2580,7 @@ CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_MEMCG_SWAP=y CONFIG_MEMCG=y CONFIG_MEMORY_FAILURE=y -CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set CONFIG_MEMORY_HOTPLUG=y CONFIG_MEMORY_HOTREMOVE=y # CONFIG_MEMORY is not set @@ -4801,7 +4801,7 @@ CONFIG_SURFACE3_WMI=m CONFIG_SUSPEND_FREEZER=y CONFIG_SUSPEND=y CONFIG_SWAP=y -CONFIG_SWIOTLB=y +# CONFIG_SWIOTLB is not set # CONFIG_SW_SYNC is not set # CONFIG_SX9500 is not set CONFIG_SYNC_FILE=y diff --git a/kernel-ppc64p7-debug.config b/kernel-ppc64p7-debug.config index 7d64e1799..30089e5d1 100644 --- a/kernel-ppc64p7-debug.config +++ b/kernel-ppc64p7-debug.config @@ -2600,7 +2600,7 @@ CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_MEMCG_SWAP=y CONFIG_MEMCG=y CONFIG_MEMORY_FAILURE=y -CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set CONFIG_MEMORY_HOTPLUG=y CONFIG_MEMORY_HOTREMOVE=y # CONFIG_MEMORY is not set @@ -4824,7 +4824,7 @@ CONFIG_SURFACE3_WMI=m CONFIG_SUSPEND_FREEZER=y CONFIG_SUSPEND=y CONFIG_SWAP=y -CONFIG_SWIOTLB=y +# CONFIG_SWIOTLB is not set # CONFIG_SW_SYNC is not set # CONFIG_SX9500 is not set CONFIG_SYNC_FILE=y diff --git a/kernel-ppc64p7.config b/kernel-ppc64p7.config index 06a307397..74dd73106 100644 --- a/kernel-ppc64p7.config +++ b/kernel-ppc64p7.config @@ -2579,7 +2579,7 @@ CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_MEMCG_SWAP=y CONFIG_MEMCG=y CONFIG_MEMORY_FAILURE=y -CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set CONFIG_MEMORY_HOTPLUG=y CONFIG_MEMORY_HOTREMOVE=y # CONFIG_MEMORY is not set @@ -4800,7 +4800,7 @@ CONFIG_SURFACE3_WMI=m CONFIG_SUSPEND_FREEZER=y CONFIG_SUSPEND=y CONFIG_SWAP=y -CONFIG_SWIOTLB=y +# CONFIG_SWIOTLB is not set # CONFIG_SW_SYNC is not set # CONFIG_SX9500 is not set CONFIG_SYNC_FILE=y diff --git a/kernel.spec b/kernel.spec index 8f5b551fa..a872f1681 100644 --- a/kernel.spec +++ b/kernel.spec @@ -58,7 +58,7 @@ Summary: The Linux kernel %define stable_rc 0 # Do we have a -stable update to apply? -%define stable_update 5 +%define stable_update 6 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -682,9 +682,6 @@ Patch615: 0015-i2c-cht-wc-Add-Intel-Cherry-Trail-Whiskey-Cove-SMBUS.patch # Small workaround patches for issues with a more comprehensive fix in -next Patch616: 0016-Input-silead-Do-not-try-to-directly-access-the-GPIO-.patch -# CVE-2017-7542 rhbz 1473649 1473650 -Patch701: 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch - # rhbz 1431375 Patch703: HID-rmi-Make-sure-the-HID-device-is-opened-on-resume.patch Patch704: input-rmi4-remove-the-need-for-artifical-IRQ.patch @@ -698,6 +695,12 @@ Patch706: Fix-for-module-sig-verification.patch # rhbz 1462381 Patch707: Back-out-qxl-atomic-delay.patch +# CVE-2017-1000111 rhbz 1479304 1480464 +Patch708: net-packet-fix-tp_reserve-race-in-packet_set_ring.patch + +# CVE-2017-1000112 rhbz 1479307 1480465 +Patch709: udp-consistently-apply-ufo-or-fragmentation.patch + # END OF PATCH DEFINITIONS %endif @@ -2274,6 +2277,21 @@ fi # # %changelog +* Fri Aug 11 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.6-300 +- Linux v4.12.6 +- Fix CVE-2017-1000111 (rhbz 1479304 1480464) +- Fix CVE-2017-1000112 (rhbz 1479307 1480465) + +* Fri Aug 11 2017 Dan Horak <dan@danny.cz> +- disable SWIOTLB on Power (#1480380) + +* Fri Aug 11 2017 Josh Boyer <jwboyer@fedoraproject.org> +- Disable MEMORY_HOTPLUG_DEFAULT_ONLINE on ppc64 (rhbz 1476380) + +* Mon Aug 07 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.5-300 +- Linux v4.12.5 +- Fixes CVE-2017-7533 (rhbz 1468283 1478086) + * Thu Aug 03 2017 Justin M. Forbes <jforbes@fedoraproject.org> - Temp fix for QXL (rhbz 1462381) - Fix for signed module loading (rhbz 1476467) diff --git a/net-packet-fix-tp_reserve-race-in-packet_set_ring.patch b/net-packet-fix-tp_reserve-race-in-packet_set_ring.patch new file mode 100644 index 000000000..da7103dbe --- /dev/null +++ b/net-packet-fix-tp_reserve-race-in-packet_set_ring.patch @@ -0,0 +1,57 @@ +From patchwork Thu Aug 10 16:41:58 2017 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [net] packet: fix tp_reserve race in packet_set_ring +From: Willem de Bruijn <willemdebruijn.kernel@gmail.com> +X-Patchwork-Id: 800274 +X-Patchwork-Delegate: davem@davemloft.net +Message-Id: <20170810164158.52213-1-willemdebruijn.kernel@gmail.com> +To: netdev@vger.kernel.org +Cc: davem@davemloft.net, andreyknvl@gmail.com, + Willem de Bruijn <willemb@google.com> +Date: Thu, 10 Aug 2017 12:41:58 -0400 + +From: Willem de Bruijn <willemb@google.com> + +Updates to tp_reserve can race with reads of the field in +packet_set_ring. Avoid this by holding the socket lock during +updates in setsockopt PACKET_RESERVE. + +This bug was discovered by syzkaller. + +Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") +Reported-by: Andrey Konovalov <andreyknvl@google.com> +Signed-off-by: Willem de Bruijn <willemb@google.com> +--- + net/packet/af_packet.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 0615c2a950fa..008a45ca3112 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv + + if (optlen != sizeof(val)) + return -EINVAL; +- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) +- return -EBUSY; + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + if (val > INT_MAX) + return -EINVAL; +- po->tp_reserve = val; +- return 0; ++ lock_sock(sk); ++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) { ++ ret = -EBUSY; ++ } else { ++ po->tp_reserve = val; ++ ret = 0; ++ } ++ release_sock(sk); ++ return ret; + } + case PACKET_LOSS: + { @@ -1,3 +1,3 @@ SHA512 (perf-man-4.12.tar.gz) = 4d3bbda1f520dba0007c351af46f45085fe4842074eb2e01aee736fd369df595f8f72ed6c1192715f1120bf3353279777f9dca1178fe93bffe5be2de700d409c SHA512 (linux-4.12.tar.xz) = 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728 -SHA512 (patch-4.12.4.xz) = 8a6b72524050733c166524230d85f808275a65c28f06444350ebb8c64dd4cab666f8629ef1d1d2b6c25c1f36820a1fd114510af5a38509df55f9c3071543e647 +SHA512 (patch-4.12.6.xz) = 78d480b3ad51028c129b1e3d63e3179f754bc8ab9987aa8e5815b105c8cb270c88673babee4124431861f769bc6f42c848391b065f7a3e02bec9b6a5290e2836 diff --git a/udp-consistently-apply-ufo-or-fragmentation.patch b/udp-consistently-apply-ufo-or-fragmentation.patch new file mode 100644 index 000000000..63e089b6e --- /dev/null +++ b/udp-consistently-apply-ufo-or-fragmentation.patch @@ -0,0 +1,93 @@ +From 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn <willemb@google.com> +Date: Thu, 10 Aug 2017 12:29:19 -0400 +Subject: udp: consistently apply ufo or fragmentation + +When iteratively building a UDP datagram with MSG_MORE and that +datagram exceeds MTU, consistently choose UFO or fragmentation. + +Once skb_is_gso, always apply ufo. Conversely, once a datagram is +split across multiple skbs, do not consider ufo. + +Sendpage already maintains the first invariant, only add the second. +IPv6 does not have a sendpage implementation to modify. + +A gso skb must have a partial checksum, do not follow sk_no_check_tx +in udp_send_skb. + +Found by syzkaller. + +Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") +Reported-by: Andrey Konovalov <andreyknvl@google.com> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv4/ip_output.c | 8 +++++--- + net/ipv4/udp.c | 2 +- + net/ipv6/ip6_output.c | 7 ++++--- + 3 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 50c74cd..e153c40 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -965,11 +965,12 @@ static int __ip_append_data(struct sock *sk, + csummode = CHECKSUM_PARTIAL; + + cork->length += length; +- if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) || +- (skb && skb_is_gso(skb))) && ++ if ((skb && skb_is_gso(skb)) || ++ (((length + (skb ? skb->len : fragheaderlen)) > mtu) && ++ (skb_queue_len(queue) <= 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) && +- (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) { ++ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) { + err = ip_ufo_append_data(sk, queue, getfrag, from, length, + hh_len, fragheaderlen, transhdrlen, + maxfraglen, flags); +@@ -1288,6 +1289,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page, + return -EINVAL; + + if ((size + skb->len > mtu) && ++ (skb_queue_len(&sk->sk_write_queue) == 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO)) { + if (skb->ip_summed != CHECKSUM_PARTIAL) +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index e6276fa..a7c804f 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -802,7 +802,7 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4) + if (is_udplite) /* UDP-Lite */ + csum = udplite_csum(skb); + +- else if (sk->sk_no_check_tx) { /* UDP csum disabled */ ++ else if (sk->sk_no_check_tx && !skb_is_gso(skb)) { /* UDP csum off */ + + skb->ip_summed = CHECKSUM_NONE; + goto send; +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 162efba..2dfe50d 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1381,11 +1381,12 @@ emsgsize: + */ + + cork->length += length; +- if ((((length + (skb ? skb->len : headersize)) > mtu) || +- (skb && skb_is_gso(skb))) && ++ if ((skb && skb_is_gso(skb)) || ++ (((length + (skb ? skb->len : headersize)) > mtu) && ++ (skb_queue_len(queue) <= 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) && +- (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) { ++ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) { + err = ip6_ufo_append_data(sk, queue, getfrag, from, length, + hh_len, fragheaderlen, exthdrlen, + transhdrlen, mtu, flags, fl6); +-- +cgit v1.1 + |