diff options
| -rw-r--r-- | 0001-mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch | 100 | ||||
| -rw-r--r-- | 0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch | 69 | ||||
| -rw-r--r-- | kernel.spec | 12 | ||||
| -rw-r--r-- | sources | 2 |
4 files changed, 79 insertions, 104 deletions
diff --git a/0001-mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch b/0001-mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch deleted file mode 100644 index f5cc8a6b5..000000000 --- a/0001-mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch +++ /dev/null @@ -1,100 +0,0 @@ -From f5527fffff3f002b0a6b376163613b82f69de073 Mon Sep 17 00:00:00 2001 -From: Andrey Ryabinin <aryabinin@virtuozzo.com> -Date: Thu, 24 Nov 2016 13:23:10 +0000 -Subject: [PATCH] mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] - -This fixes CVE-2016-8650. - -If mpi_powm() is given a zero exponent, it wants to immediately return -either 1 or 0, depending on the modulus. However, if the result was -initalised with zero limb space, no limbs space is allocated and a -NULL-pointer exception ensues. - -Fix this by allocating a minimal amount of limb space for the result when -the 0-exponent case when the result is 1 and not touching the limb space -when the result is 0. - -This affects the use of RSA keys and X.509 certificates that carry them. - -BUG: unable to handle kernel NULL pointer dereference at (null) -IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6 -PGD 0 -Oops: 0002 [#1] SMP -Modules linked in: -CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278 -Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014 -task: ffff8804011944c0 task.stack: ffff880401294000 -RIP: 0010:[<ffffffff8138ce5d>] [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6 -RSP: 0018:ffff880401297ad8 EFLAGS: 00010212 -RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0 -RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0 -RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000 -R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50 -FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0 -Stack: - ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4 - 0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30 - ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8 -Call Trace: - [<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66 - [<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d - [<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd - [<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146 - [<ffffffff8132a95c>] rsa_verify+0x9d/0xee - [<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb - [<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1 - [<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228 - [<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4 - [<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1 - [<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1 - [<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61 - [<ffffffff812fc9f3>] key_create_or_update+0x145/0x399 - [<ffffffff812fe227>] SyS_add_key+0x154/0x19e - [<ffffffff81001c2b>] do_syscall_64+0x80/0x191 - [<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25 -Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f -RIP [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6 - RSP <ffff880401297ad8> -CR2: 0000000000000000 ----[ end trace d82015255d4a5d8d ]--- - -Basically, this is a backport of a libgcrypt patch: - - http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526 - -Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)") -Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> -cc: linux-ima-devel@lists.sourceforge.net -cc: stable@vger.kernel.org -Signed-off-by: James Morris <james.l.morris@oracle.com> ---- - lib/mpi/mpi-pow.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c -index 5464c87..e24388a 100644 ---- a/lib/mpi/mpi-pow.c -+++ b/lib/mpi/mpi-pow.c -@@ -64,8 +64,13 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod) - if (!esize) { - /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0 - * depending on if MOD equals 1. */ -- rp[0] = 1; - res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1; -+ if (res->nlimbs) { -+ if (mpi_resize(res, 1) < 0) -+ goto enomem; -+ rp = res->d; -+ rp[0] = 1; -+ } - res->sign = 0; - goto leave; - } --- -2.9.3 - diff --git a/0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch b/0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch new file mode 100644 index 000000000..a5af1a3e9 --- /dev/null +++ b/0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch @@ -0,0 +1,69 @@ +From 9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw@strlen.de> +Date: Tue, 29 Nov 2016 02:17:34 +0100 +Subject: [PATCH] netfilter: ipv6: nf_defrag: drop mangled skb on ream error + +Dmitry Vyukov reported GPF in network stack that Andrey traced down to +negative nh offset in nf_ct_frag6_queue(). + +Problem is that all network headers before fragment header are pulled. +Normal ipv6 reassembly will drop the skb when errors occur further down +the line. + +netfilter doesn't do this, and instead passed the original fragment +along. That was also fine back when netfilter ipv6 defrag worked with +cloned fragments, as the original, pristine fragment was passed on. + +So we either have to undo the pull op, or discard such fragments. +Since they're malformed after all (e.g. overlapping fragment) it seems +preferrable to just drop them. + +Same for temporary errors -- it doesn't make sense to accept (and +perhaps forward!) only some fragments of same datagram. + +Fixes: 029f7f3b8701cc7ac ("netfilter: ipv6: nf_defrag: avoid/free clone operations") +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Debugged-by: Andrey Konovalov <andreyknvl@google.com> +Diagnosed-by: Eric Dumazet <Eric Dumazet <edumazet@google.com> +Signed-off-by: Florian Westphal <fw@strlen.de> +Acked-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++-- + net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c +index e4347ae..9948b5c 100644 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -576,11 +576,11 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) + /* Jumbo payload inhibits frag. header */ + if (ipv6_hdr(skb)->payload_len == 0) { + pr_debug("payload len = 0\n"); +- return -EINVAL; ++ return 0; + } + + if (find_prev_fhdr(skb, &prevhdr, &nhoff, &fhoff) < 0) +- return -EINVAL; ++ return 0; + + if (!pskb_may_pull(skb, fhoff + sizeof(*fhdr))) + return -ENOMEM; +diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c +index f7aab5a..f06b047 100644 +--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c ++++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c +@@ -69,7 +69,7 @@ static unsigned int ipv6_defrag(void *priv, + if (err == -EINPROGRESS) + return NF_STOLEN; + +- return NF_ACCEPT; ++ return err == 0 ? NF_ACCEPT : NF_DROP; + } + + static struct nf_hook_ops ipv6_defrag_ops[] = { +-- +2.9.3 + diff --git a/kernel.spec b/kernel.spec index cdfb74ebe..d93540b30 100644 --- a/kernel.spec +++ b/kernel.spec @@ -60,7 +60,7 @@ Summary: The Linux kernel # Do we have a -stable update to apply? -%define stable_update 11 +%define stable_update 12 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -653,8 +653,8 @@ Patch852: 0001-HID-input-ignore-System-Control-application-usages-i.patch #rhbz 1390308 Patch854: nouveau-add-maxwell-to-backlight-init.patch -# CVE-2016-8650 rhbz 1395187 1398463 -Patch856: 0001-mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch +# CVE-2016-9755 rhbz 1400904 1400905 +Patch856: 0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch # END OF PATCH DEFINITIONS @@ -2181,6 +2181,12 @@ fi # # %changelog +* Fri Dec 02 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.12-100 +- Linux v4.8.12 +- CVE-2016-9755 Fix Out-of-bounds write issue when defragmenting ipv6 packets (rhbz 1400904 1400905) +- CVE-2016-9756 Fix kvm: stack memory information leakage (rhbz 1400468 1400469) +- Fix kvm: out of bounds memory access via vcpu_id (rhbz 1400804 1400805) + * Mon Nov 28 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.11-100 - Linux v4.8.11 - CVE-2016-8650 Fix NULL ptr dereference in mpi_powm() (rhbz 1395187 1398463) @@ -1,3 +1,3 @@ c1af0afbd3df35c1ccdc7a5118cd2d07 linux-4.8.tar.xz 0dad03f586e835d538d3e0d2cbdb9a28 perf-man-4.8.tar.gz -d999d6d294818491221f6d9789a667e8 patch-4.8.11.xz +9a938fd7a82d8b390f957657947fe673 patch-4.8.12.xz |