-rw-r--r-- | 0001-arm64-account-for-sparsemem-section-alignment-when-c.patch | 54 | ||||
-rw-r--r-- | 0001-cdc-acm-fix-NULL-pointer-reference.patch | 46 | ||||
-rw-r--r-- | USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch | 59 | ||||
-rw-r--r-- | cfg80211-wext-fix-message-ordering.patch | 83 | ||||
-rw-r--r-- | ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch | 97 | ||||
-rw-r--r-- | kernel.spec | 60 | ||||
-rw-r--r-- | netfilter-x_tables-check-for-size-overflow.patch | 31 | ||||
-rw-r--r-- | netfilter-x_tables-deal-with-bogus-nextoffset-values.patch | 150 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | wext-fix-message-delay-ordering.patch | 122 |
10 files changed, 432 insertions, 272 deletions
diff --git a/0001-arm64-account-for-sparsemem-section-alignment-when-c.patch b/0001-arm64-account-for-sparsemem-section-alignment-when-c.patch
deleted file mode 100644
index 78e01defa..000000000
--- a/0001-arm64-account-for-sparsemem-section-alignment-when-c.patch
+++ /dev/null
@@ -1,54 +0,0 @@ -From b3ffe8a6522dd1f07c181a5f2581142776e2162d Mon Sep 17 00:00:00 2001 -From: Ard Biesheuvel <ard.biesheuvel@linaro.org> -Date: Tue, 8 Mar 2016 21:09:29 +0700 -Subject: [PATCH] arm64: account for sparsemem section alignment when choosing - vmemmap offset - -Commit dfd55ad85e4a ("arm64: vmemmap: use virtual projection of linear -region") fixed an issue where the struct page array would overflow into the -adjacent virtual memory region if system RAM was placed so high up in -physical memory that its addresses were not representable in the build time -configured virtual address size. - -However, the fix failed to take into account that the vmemmap region needs -to be relatively aligned with respect to the sparsemem section size, so that -a sequence of page structs corresponding with a sparsemem section in the -linear region appears naturally aligned in the vmemmap region. - -So round up vmemmap to sparsemem section size. Since this essentially moves -the projection of the linear region up in memory, also revert the reduction -of the size of the vmemmap region. 
- -Fixes: dfd55ad85e4a ("arm64: vmemmap: use virtual projection of linear region") -Tested-by: Mark Langsdorf <mlangsdo@redhat.com> -Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> ---- - arch/arm64/include/asm/pgtable.h | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h -index fc9f7ef..eaa9cab 100644 ---- a/arch/arm64/include/asm/pgtable.h -+++ b/arch/arm64/include/asm/pgtable.h -@@ -40,7 +40,7 @@ - * VMALLOC_END: extends to the available space below vmmemmap, PCI I/O space, - * fixed mappings and modules - */ --#define VMEMMAP_SIZE ALIGN((1UL << (VA_BITS - PAGE_SHIFT - 1)) * sizeof(struct page), PUD_SIZE) -+#define VMEMMAP_SIZE ALIGN((1UL << (VA_BITS - PAGE_SHIFT)) * sizeof(struct page), PUD_SIZE) - - #ifndef CONFIG_KASAN - #define VMALLOC_START (VA_START) -@@ -52,7 +52,8 @@ - #define VMALLOC_END (PAGE_OFFSET - PUD_SIZE - VMEMMAP_SIZE - SZ_64K) - - #define VMEMMAP_START (VMALLOC_END + SZ_64K) --#define vmemmap ((struct page *)VMEMMAP_START - (memstart_addr >> PAGE_SHIFT)) -+#define vmemmap ((struct page *)VMEMMAP_START - \ -+ SECTION_ALIGN_DOWN(memstart_addr >> PAGE_SHIFT)) - - #define FIRST_USER_ADDRESS 0UL - --- -2.5.0 - diff --git a/0001-cdc-acm-fix-NULL-pointer-reference.patch b/0001-cdc-acm-fix-NULL-pointer-reference.patch new file mode 100644 index 000000000..3d63411c0 --- /dev/null +++ b/0001-cdc-acm-fix-NULL-pointer-reference.patch 
@@ -0,0 +1,46 @@
+From 29c6dd591bbd592472247441de9fa694acdabae8 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 7 Jan 2016 11:01:00 +0100
+Subject: [PATCH] cdc-acm: fix NULL pointer reference
+
+The union descriptor must be checked. Its usage was conditional
+before the parser was introduced. This is important, because
+many RNDIS device, which also use the common parser, have
+bogus extra descriptors.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Tested-by: Vasily Galkin <galkin-vv@yandex.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/usb/cdc_ether.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
+index 3da70bf..7cba2c3 100644
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -160,6 +160,12 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
+ info->u = header.usb_cdc_union_desc;
+ info->header = header.usb_cdc_header_desc;
+ info->ether = header.usb_cdc_ether_desc;
++ if (!info->u) {
++ if (rndis)
++ goto skip;
++ else /* in that case a quirk is mandatory */
++ goto bad_desc;
++ }
+ /* we need a master/control interface (what we're
+ * probed with) and a slave/data interface; union
+ * descriptors sort this all out.
+@@ -256,7 +262,7 @@ skip:
+ goto bad_desc;
+ }
+
+- } else if (!info->header || !info->u || (!rndis && !info->ether)) {
++ } else if (!info->header || (!rndis && !info->ether)) {
+ dev_dbg(&intf->dev, "missing cdc %s%s%sdescriptor\n",
+ info->header ? "" : "header ",
+ info->u ? "" : "union ",
+--
+2.5.0
+
diff --git a/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch b/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
new file mode 100644
index 000000000..ac8e71c72
--- /dev/null
+++ b/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
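Review bot: The new `goto bad_desc` for a non-RNDIS device without a union descriptor in the first hunk fails the bind with no diagnostic, while the sibling branch in the second hunk logs which descriptor is missing; adding `dev_dbg(&intf->dev, "missing cdc union descriptor\n");` in front of that goto keeps devices with bogus descriptors diagnosable from a log instead of a silent probe failure. In the second hunk the `info->u ? "" : "union "` format argument is kept although `!info->u` was dropped from the condition; whether a NULL union descriptor can still reach that dev_dbg depends on the enclosing if/else, whose opening is outside the hunk, so either confirm it is reachable or drop the clause together with its `%s`. The patch subject says cdc-acm but the only file touched is drivers/net/usb/cdc_ether.c, which is worth stating in the spec comment so the changelog does not point readers at the wrong driver.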
@@ -0,0 +1,59 @@
+From 94c78c81df3056e573fb84000a32512e9c16e555 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Thu, 10 Mar 2016 08:49:02 -0500
+Subject: [PATCH] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU
+ devices
+
+A Fedora user reports that the ftdi_sio driver works properly for the
+ICP DAS I-7561U device. Further, the user manual for these devices
+instructs users to load the driver and add the ids using the sysfs
+interface.
+
+Add support for these in the driver directly so that the devices work
+out of the box instead of needing manual configuration.
+
+Reported-by: <thesource@mail.ru>
+CC: stable <stable@vger.kernel.org>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ drivers/usb/serial/ftdi_sio.c | 4 ++++
+ drivers/usb/serial/ftdi_sio_ids.h | 8 ++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 8c660ae401d8..b61f12160d37 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1004,6 +1004,10 @@ static const struct usb_device_id id_table_combined[] = {
+ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
+ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
+ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
++ /* ICP DAS I-756xU devices */
++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+ { } /* Terminating entry */
+ };
+
+diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
+index a84df2513994..a4ec24ce6a11 100644
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -872,6 +872,14 @@
+ #define NOVITUS_BONO_E_PID 0x6010
+
+ /*
++ * ICPDAS I-756*U devices
++ */
++#define ICPDAS_VID 0x1b5c
++#define ICPDAS_I7560U_PID 0x0103
++#define ICPDAS_I7561U_PID 0x0104
++#define ICPDAS_I7563U_PID 0x0105
++
++/*
+ * RT Systems programming cables for various ham radios
+ */
+ #define RTSYSTEMS_VID 0x2100 /* Vendor ID */
+--
+2.5.0
+
diff --git a/cfg80211-wext-fix-message-ordering.patch b/cfg80211-wext-fix-message-ordering.patch
deleted file mode 100644
index 8d3cdfdda..000000000
--- a/cfg80211-wext-fix-message-ordering.patch
+++ /dev/null
@@ -1,83 +0,0 @@ -From cb150b9d23be6ee7f3a0fff29784f1c5b5ac514d Mon Sep 17 00:00:00 2001 -From: Johannes Berg <johannes.berg@intel.com> -Date: Wed, 27 Jan 2016 13:29:34 +0100 -Subject: cfg80211/wext: fix message ordering - -Since cfg80211 frequently takes actions from its netdev notifier -call, wireless extensions messages could still be ordered badly -since the wext netdev notifier, since wext is built into the -kernel, runs before the cfg80211 netdev notifier. For example, -the following can happen: - -5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default - link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff -5: wlan1: <BROADCAST,MULTICAST,UP> - link/ether - -when setting the interface down causes the wext message. - -To also fix this, export the wireless_nlevent_flush() function -and also call it from the cfg80211 notifier. - -Cc: stable@vger.kernel.org -Signed-off-by: Johannes Berg <johannes.berg@intel.com> ---- - include/net/iw_handler.h | 6 ++++++ - net/wireless/core.c | 2 ++ - net/wireless/wext-core.c | 3 ++- - 3 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/include/net/iw_handler.h b/include/net/iw_handler.h -index 8f81bbb..e0f4109 100644 ---- a/include/net/iw_handler.h -+++ b/include/net/iw_handler.h -@@ -439,6 +439,12 @@ int dev_get_wireless_info(char *buffer, char **start, off_t offset, int length); - /* Send a single event to user space */ - void wireless_send_event(struct net_device *dev, unsigned int cmd, - union iwreq_data *wrqu, const char *extra); -+#ifdef CONFIG_WEXT_CORE -+/* flush all previous wext events - if work is done from netdev notifiers */ -+void wireless_nlevent_flush(void); -+#else -+static inline void wireless_nlevent_flush(void) {} -+#endif - - /* We may need a function to send a stream of events to user space. - * More on that later... 
*/ -diff --git a/net/wireless/core.c b/net/wireless/core.c -index b091551..8f0bac7 100644 ---- a/net/wireless/core.c -+++ b/net/wireless/core.c -@@ -1147,6 +1147,8 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb, - return NOTIFY_DONE; - } - -+ wireless_nlevent_flush(); -+ - return NOTIFY_OK; - } - -diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c -index 87dd619..b50ee5d 100644 ---- a/net/wireless/wext-core.c -+++ b/net/wireless/wext-core.c -@@ -342,7 +342,7 @@ static const int compat_event_type_size[] = { - - /* IW event code */ - --static void wireless_nlevent_flush(void) -+void wireless_nlevent_flush(void) - { - struct sk_buff *skb; - struct net *net; -@@ -355,6 +355,7 @@ static void wireless_nlevent_flush(void) - GFP_KERNEL); - } - } -+EXPORT_SYMBOL_GPL(wireless_nlevent_flush); - - static int wext_netdev_notifier_call(struct notifier_block *nb, - unsigned long state, void *ptr) --- -cgit v0.12 - diff --git a/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch b/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch new file mode 100644 index 000000000..48e4762e3 --- /dev/null +++ b/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch 
@@ -0,0 +1,97 @@
+From fbd40ea0180a2d328c5adc61414dc8bab9335ce2 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Sun, 13 Mar 2016 23:28:00 -0400
+Subject: ipv4: Don't do expensive useless work during inetdev destroy.
+
+When an inetdev is destroyed, every address assigned to the interface
+is removed. And in this scenerio we do two pointless things which can
+be very expensive if the number of assigned interfaces is large:
+
+1) Address promotion. We are deleting all addresses, so there is no
+ point in doing this.
+
+2) A full nf conntrack table purge for every address. We only need to
+ do this once, as is already caught by the existing
+ masq_dev_notifier so masq_inet_event() can skip this.
+
+Reported-by: Solar Designer <solar@openwall.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Tested-by: Cyrill Gorcunov <gorcunov@openvz.org>
+---
+ net/ipv4/devinet.c | 4 ++++
+ net/ipv4/fib_frontend.c | 4 ++++
+ net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 12 ++++++++++--
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 65e76a4..e333bc8 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -334,6 +334,9 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
+
+ ASSERT_RTNL();
+
++ if (in_dev->dead)
++ goto no_promotions;
++
+ /* 1. Deleting primary ifaddr forces deletion all secondaries
+ * unless alias promotion is set
+ **/
+@@ -380,6 +383,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
+ fib_del_ifaddr(ifa, ifa1);
+ }
+
++no_promotions:
+ /* 2. Unlink it */
+
+ *ifap = ifa1->ifa_next;
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 4734475..21add55 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -922,6 +922,9 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
+ subnet = 1;
+ }
+
++ if (in_dev->dead)
++ goto no_promotions;
++
+ /* Deletion is more complicated than add.
+ * We should take care of not to delete too much :-)
+ *
+@@ -997,6 +1000,7 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
+ }
+ }
+
++no_promotions:
+ if (!(ok & BRD_OK))
+ fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim);
+ if (subnet && ifa->ifa_prefixlen < 31) {
+diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
+index c6eb421..ea91058 100644
+--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
++++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
+@@ -108,10 +108,18 @@ static int masq_inet_event(struct notifier_block *this,
+ unsigned long event,
+ void *ptr)
+ {
+- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev;
++ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev;
+ struct netdev_notifier_info info;
+
+- netdev_notifier_info_init(&info, dev);
++ /* The masq_dev_notifier will catch the case of the device going
++ * down. So if the inetdev is dead and being destroyed we have
++ * no work to do. Otherwise this is an individual address removal
++ * and we have to perform the flush.
++ */
++ if (idev->dead)
++ return NOTIFY_DONE;
++
++ netdev_notifier_info_init(&info, idev->dev);
+ return masq_device_event(this, event, &info);
+ }
+
+--
+cgit v0.12
+
diff --git a/kernel.spec b/kernel.spec
index 9fbc59ea4..38f802232 100644
--- a/kernel.spec
+++ b/kernel.spec
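Review bot: The `goto no_promotions` added to __inet_del_ifa in the first hunk skips all of step 1, i.e. the removal of secondary addresses as well as alias promotion, but neither the label name nor a comment says why that is safe once `in_dev->dead` is set; a comment at the goto such as `/* Whole inetdev is being torn down: every address is unlinked anyway, so neither secondary cleanup nor promotion is needed. */` would carry the reasoning from the commit message into the code. The matching goto in fib_del_ifaddr jumps past the route-deletion logic that presumably sets the `ok` flags tested right after the label; that code is outside the hunk, so verify `ok` is initialised before the jump. The masq_inet_event hunk already documents its early return, which is the style the other two early exits should follow.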
@@ -58,7 +58,7 @@ Summary: The Linux kernel
 %define stable_rc 0
 # Do we have a -stable update to apply?
-%define stable_update 5
+%define stable_update 6
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -628,10 +628,6 @@ Patch640: PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
 #rhbz 1278942
 Patch643: media-ivtv-avoid-going-past-input-audio-array.patch
 
-#rhbz 1302037
-Patch644: wext-fix-message-delay-ordering.patch
-Patch645: cfg80211-wext-fix-message-ordering.patch
-
 #rhbz 1255325
 Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
 
@@ -644,8 +640,20 @@ Patch659: pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
 #rhbz 1310252 1313318
 Patch660: 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch
 
-#Fix for known arm64 breakage. No bugzilla becuase proactivity \o/
-Patch661: 0001-arm64-account-for-sparsemem-section-alignment-when-c.patch
+#rhbz 1316719
+Patch662: 0001-cdc-acm-fix-NULL-pointer-reference.patch
+
+#rhbz 1316136
+Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
+
+#CVE-2016-3135 rhbz 1317386 1317387
+Patch664: netfilter-x_tables-check-for-size-overflow.patch
+
+#CVE-2016-3134 rhbz 1317383 1317384
+Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
+
+#CVE-2016-3135 rhbz 1318172 1318270
+Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
 
 # END OF PATCH DEFINITIONS
 %endif
@@ -1323,10 +1331,6 @@ ApplyPatch PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
 #rhbz 1278942
 ApplyPatch media-ivtv-avoid-going-past-input-audio-array.patch
 
-#rhbz 1302037
-ApplyPatch wext-fix-message-delay-ordering.patch
-ApplyPatch cfg80211-wext-fix-message-ordering.patch
-
 #rhbz 1255325
 ApplyPatch HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
 
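Review bot: The comment above Patch666 in the `@@ -644,8 +640,20 @@` hunk reuses `#CVE-2016-3135 rhbz 1318172 1318270` for the ipv4 inetdev-destroy patch although the same CVE id already labels Patch664, the x_tables size-overflow fix, two blocks earlier; one CVE cannot identify two unrelated vulnerabilities, so the id on the ipv4 patch should be checked against the cited bugzilla entries and corrected. The duplicated id also appears on the corresponding ApplyPatch comment in the `@@ -1339,7 +1343,20 @@` hunk and in the changelog line `CVE-2016-3135 ipv4: DoS when destroying a network interface` in the `@@ -2189,6 +2206,25 @@` hunk, which need the same correction. These tags are what errata tooling and vulnerability scanners key on, so a wrong id here propagates into advisories.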
@@ -1339,7 +1343,20 @@ ApplyPatch pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
 #rhbz 1310252 1313318
 ApplyPatch 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch
 
-ApplyPatch 0001-arm64-account-for-sparsemem-section-alignment-when-c.patch
+ApplyPatch 0001-cdc-acm-fix-NULL-pointer-reference.patch
+
+#rhbz 1316136
+ApplyPatch USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
+
+#CVE-2016-3135 rhbz 1317386 1317387
+ApplyPatch netfilter-x_tables-check-for-size-overflow.patch
+
+#CVE-2016-3134 rhbz 1317383 1317384
+ApplyPatch netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
+
+#CVE-2016-3135 rhbz 1318172 1318270
+ApplyPatch ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2189,6 +2206,25 @@ fi
 #
 #
 %changelog
+* Wed Mar 16 2016 Laura Abbott <labbott@redhat.com> - 4.4.6-200
+- Linux v4.4.6
+
+* Wed Mar 16 2016 Laura Abbott <labbott@redhat.com>
+- Revert patch causing radeon breakage (rhbz 1317300 1317179)
+
+* Wed Mar 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3135 ipv4: DoS when destroying a network interface (rhbz 1318172 1318270)
+
+* Mon Mar 14 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3134 netfilter: missing bounds check in ipt_entry struct (rhbz 1317383 1317384)
+- CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387)
+
+* Fri Mar 11 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Add patch for ICP DAS I-756xU devices (rhbz 1316136)
+
+* Thu Mar 10 2016 Laura Abbott <labbott@redhat.com>
+- cdc-acm: fix NULL pointer reference (rhbz 1316719)
+
 * Wed Mar 09 2016 Laura Abbott <labbott@redhat.com> - 4.4.5-200
 - Linux v4.4.5
 - Fix for known arm64 bootup issue
diff --git a/netfilter-x_tables-check-for-size-overflow.patch b/netfilter-x_tables-check-for-size-overflow.patch
new file mode 100644
index 000000000..81e3d36fa
--- /dev/null
+++ b/netfilter-x_tables-check-for-size-overflow.patch
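Review bot: `ApplyPatch 0001-cdc-acm-fix-NULL-pointer-reference.patch` in the `@@ -1339,7 +1343,20 @@` hunk sits directly under the `#rhbz 1310252 1313318` comment that belongs to the i915 patch and carries no bug reference of its own, whereas its definition as Patch662 is tagged `#rhbz 1316719`; insert a blank line and `#rhbz 1316719` before the ApplyPatch line so the definition and application lists stay parallel. Every other ApplyPatch added in this hunk already follows that blank-line-plus-comment layout.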
@@ -0,0 +1,31 @@
+Subject: [PATCH nf] netfilter: x_tables: check for size overflow
+From: Florian Westphal <fw () strlen ! de>
+Date: 2016-03-10 0:56:23
+
+Ben Hawkes says:
+ integer overflow in xt_alloc_table_info, which on 32-bit systems can
+ lead to small structure allocation and a copy_from_user based heap
+ corruption.
+
+Reported-by: Ben Hawkes <hawkes@google.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ net/netfilter/x_tables.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index c8a0b7d..17a9a9f 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
+ struct xt_table_info *info = NULL;
+ size_t sz = sizeof(*info) + size;
+
++ if (sz < sizeof(*info))
++ return NULL;
++
+ /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
+ if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
+ return NULL;
+--
+2.4.10
diff --git a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
new file mode 100644
index 000000000..ebfe1716f
--- /dev/null
+++ b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
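Review bot: The added `if (sz < sizeof(*info)) return NULL;` detects the wrap after it has happened, which is well defined for unsigned arithmetic but reads like a typo to anyone not expecting it, and it can only trigger where size_t is 32 bits since `size` is an unsigned int; stating the intent in a comment, e.g. `/* sizeof(*info) + size wrapped (32-bit size_t): reject the request */`, or writing it as the pre-check `if (size > SIZE_MAX - sizeof(*info)) return NULL;` makes the guard self-explanatory. The subsequent `SMP_ALIGN(size)` still operates on the unaligned unsigned int and is not covered by this check; whether that matters depends on the allocation code, which lies outside the hunk along with the rest of xt_alloc_table_info.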
@@ -0,0 +1,150 @@
+Subject: [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values
+From: Florian Westphal <fw () strlen ! de>
+Date: 2016-03-10 0:56:02
+
+Ben Hawkes says:
+
+ In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
+ is possible for a user-supplied ipt_entry structure to have a large
+ next_offset field. This field is not bounds checked prior to writing a
+ counter value at the supplied offset.
+
+Problem is that xt_entry_foreach() macro stops iterating once e->next_offset
+is out of bounds, assuming this is the last entry.
+
+With malformed data thats not necessarily the case so we can
+write outside of allocated area later as we might not have walked the
+entire blob.
+
+Fix this by simplifying mark_source_chains -- it already has to check
+if nextoff is in range to catch invalid jumps, so just do the check
+when we move to a next entry as well.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ net/ipv4/netfilter/arp_tables.c | 16 ++++++++--------
+ net/ipv4/netfilter/ip_tables.c | 15 ++++++++-------
+ net/ipv6/netfilter/ip6_tables.c | 13 ++++++------
+ 3 files changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index b488cac..5a0b591 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+
+ /* Move along one */
+ size = e->next_offset;
++
++ if (pos + size > newinfo->size - sizeof(*e))
++ return 0;
++
+ e = (struct arpt_entry *)
+ (entry0 + pos + size);
+ e->counters.pcnt = pos;
+@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+ if (strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0 &&
+ newpos >= 0) {
+- if (newpos > newinfo->size -
+- sizeof(struct arpt_entry)) {
+- duprintf("mark_source_chains: "
+- "bad verdict (%i)\n",
+- newpos);
+- return 0;
+- }
+-
+ /* This a jump; chase it. */
+ duprintf("Jump rule %u -> %u\n",
+ pos, newpos);
+@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+ /* ... this is a fallthru */
+ newpos = pos + e->next_offset;
+ }
++
++ if (newpos > newinfo->size - sizeof(*e))
++ return 0;
++
+ e = (struct arpt_entry *)
+ (entry0 + newpos);
+ e->counters.pcnt = pos;
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index b99affa..ceb995f 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+
+ /* Move along one */
+ size = e->next_offset;
++
++ if (pos + size > newinfo->size - sizeof(*e))
++ return 0;
++
+ e = (struct ipt_entry *)
+ (entry0 + pos + size);
+ e->counters.pcnt = pos;
+@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ if (strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0 &&
+ newpos >= 0) {
+- if (newpos > newinfo->size -
+- sizeof(struct ipt_entry)) {
+- duprintf("mark_source_chains: "
+- "bad verdict (%i)\n",
+- newpos);
+- return 0;
+- }
+ /* This a jump; chase it. */
+ duprintf("Jump rule %u -> %u\n",
+ pos, newpos);
+@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ /* ... this is a fallthru */
+ newpos = pos + e->next_offset;
+ }
++
++ if (newpos > newinfo->size - sizeof(*e))
++ return 0;
++
+ e = (struct ipt_entry *)
+ (entry0 + newpos);
+ e->counters.pcnt = pos;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 99425cf..d88a794 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
+
+ /* Move along one */
+ size = e->next_offset;
++ if (pos + size > newinfo->size - sizeof(*e))
++ return 0;
+ e = (struct ip6t_entry *)
+ (entry0 + pos + size);
+ e->counters.pcnt = pos;
+@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ if (strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0 &&
+ newpos >= 0) {
+- if (newpos > newinfo->size -
+- sizeof(struct ip6t_entry)) {
+- duprintf("mark_source_chains: "
+- "bad verdict (%i)\n",
+- newpos);
+- return 0;
+- }
+ /* This a jump; chase it. */
+ duprintf("Jump rule %u -> %u\n",
+ pos, newpos);
+@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ /* ... this is a fallthru */
+ newpos = pos + e->next_offset;
+ }
++
++ if (newpos > newinfo->size - sizeof(*e))
++ return 0;
++
+ e = (struct ip6t_entry *)
+ (entry0 + newpos);
+ e->counters.pcnt = pos;
+--
+2.4.10
@@ -1,3 +1,3 @@
 9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
 dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
-edddb33405ea1ab02b90eb9cecaa43f6 patch-4.4.5.xz
+d48f09bf61f2500d70f839e190dc7c5a patch-4.4.6.xz
diff --git a/wext-fix-message-delay-ordering.patch b/wext-fix-message-delay-ordering.patch
deleted file mode 100644
index 109b68da3..000000000
--- a/wext-fix-message-delay-ordering.patch
+++ /dev/null
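Review bot: The six new bounds checks (two each in arp_tables.c, ip_tables.c and ip6_tables.c) return 0 silently, while the `bad verdict` check they replace printed the offending offset through duprintf; keeping a line such as `duprintf("mark_source_chains: bad next_offset\n");` in front of each `return 0` preserves the only diagnostic for a malformed ruleset rejected at this point, which matters when triaging a rejected table from a log. The right-hand side `newinfo->size - sizeof(*e)` also relies on `newinfo->size` being at least one entry long, otherwise the unsigned subtraction wraps and the check passes; that is presumably validated before mark_source_chains is called, and a one-line comment naming the precondition would make the assumption visible here. In ip6_tables.c the first check is inserted without the blank lines placed around the identical check in the other two files. The mark_source_chains bodies begin and end outside these hunks.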
@@ -1,122 +0,0 @@ -From 8bf862739a7786ae72409220914df960a0aa80d8 Mon Sep 17 00:00:00 2001 -From: Johannes Berg <johannes.berg@intel.com> -Date: Wed, 27 Jan 2016 12:37:52 +0100 -Subject: wext: fix message delay/ordering - -Beniamino reported that he was getting an RTM_NEWLINK message for a -given interface, after the RTM_DELLINK for it. It turns out that the -message is a wireless extensions message, which was sent because the -interface had been connected and disconnection while it was deleted -caused a wext message. - -For its netlink messages, wext uses RTM_NEWLINK, but the message is -without all the regular rtnetlink attributes, so "ip monitor link" -prints just rudimentary information: - -5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default - link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff -Deleted 5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default - link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff -5: wlan1: <BROADCAST,MULTICAST,UP> - link/ether -(from my hwsim reproduction) - -This can cause userspace to get confused since it doesn't expect an -RTM_NEWLINK message after RTM_DELLINK. - -The reason for this is that wext schedules a worker to send out the -messages, and the scheduling delay can cause the messages to get out -to userspace in different order. - -To fix this, have wext register a netdevice notifier and flush out -any pending messages when netdevice state changes. This fixes any -ordering whenever the original message wasn't sent by a notifier -itself. 
- -Cc: stable@vger.kernel.org -Reported-by: Beniamino Galvani <bgalvani@redhat.com> -Signed-off-by: Johannes Berg <johannes.berg@intel.com> ---- - net/wireless/wext-core.c | 51 +++++++++++++++++++++++++++++++++++++----------- - 1 file changed, 40 insertions(+), 11 deletions(-) - -diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c -index c8717c1..87dd619 100644 ---- a/net/wireless/wext-core.c -+++ b/net/wireless/wext-core.c -@@ -342,6 +342,39 @@ static const int compat_event_type_size[] = { - - /* IW event code */ - -+static void wireless_nlevent_flush(void) -+{ -+ struct sk_buff *skb; -+ struct net *net; -+ -+ ASSERT_RTNL(); -+ -+ for_each_net(net) { -+ while ((skb = skb_dequeue(&net->wext_nlevents))) -+ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, -+ GFP_KERNEL); -+ } -+} -+ -+static int wext_netdev_notifier_call(struct notifier_block *nb, -+ unsigned long state, void *ptr) -+{ -+ /* -+ * When a netdev changes state in any way, flush all pending messages -+ * to avoid them going out in a strange order, e.g. RTM_NEWLINK after -+ * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close() -+ * or similar - all of which could otherwise happen due to delays from -+ * schedule_work(). 
-+ */ -+ wireless_nlevent_flush(); -+ -+ return NOTIFY_OK; -+} -+ -+static struct notifier_block wext_netdev_notifier = { -+ .notifier_call = wext_netdev_notifier_call, -+}; -+ - static int __net_init wext_pernet_init(struct net *net) - { - skb_queue_head_init(&net->wext_nlevents); -@@ -360,7 +393,12 @@ static struct pernet_operations wext_pernet_ops = { - - static int __init wireless_nlevent_init(void) - { -- return register_pernet_subsys(&wext_pernet_ops); -+ int err = register_pernet_subsys(&wext_pernet_ops); -+ -+ if (err) -+ return err; -+ -+ return register_netdevice_notifier(&wext_netdev_notifier); - } - - subsys_initcall(wireless_nlevent_init); -@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init); - /* Process events generated by the wireless layer or the driver. */ - static void wireless_nlevent_process(struct work_struct *work) - { -- struct sk_buff *skb; -- struct net *net; -- - rtnl_lock(); -- -- for_each_net(net) { -- while ((skb = skb_dequeue(&net->wext_nlevents))) -- rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, -- GFP_KERNEL); -- } -- -+ wireless_nlevent_flush(); - rtnl_unlock(); - } - --- -cgit v0.12 - |