diff options
-rw-r--r-- | 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch | 54 | ||||
-rw-r--r-- | CVE-2017-11473.patch | 48 | ||||
-rw-r--r-- | kernel.spec | 14 | ||||
-rw-r--r-- | sources | 2 |
4 files changed, 116 insertions, 2 deletions
diff --git a/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch new file mode 100644 index 000000000..be8b6c6a0 --- /dev/null +++ b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch @@ -0,0 +1,54 @@ +From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001 +From: Sabrina Dubroca <sd@queasysnail.net> +Date: Wed, 19 Jul 2017 22:28:55 +0200 +Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt + +In some cases, offset can overflow and can cause an infinite loop in +ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and +cap it at IPV6_MAXPLEN, since packets larger than that should be invalid. + +This problem has been here since before the beginning of git history. + +Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> +Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv6/output_core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c +index e9065b8..abb2c30 100644 +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident); + + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + { +- u16 offset = sizeof(struct ipv6hdr); ++ unsigned int offset = sizeof(struct ipv6hdr); + unsigned int packet_len = skb_tail_pointer(skb) - + skb_network_header(skb); + int found_rhdr = 0; +@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + + while (offset <= packet_len) { + struct ipv6_opt_hdr *exthdr; ++ unsigned int len; + + switch (**nexthdr) { + +@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + + exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + + offset); +- offset += ipv6_optlen(exthdr); ++ len = ipv6_optlen(exthdr); ++ if (len + offset >= IPV6_MAXPLEN) ++ return -EINVAL; ++ offset += len; + *nexthdr = &exthdr->nexthdr; + } + +-- +2.9.4 + diff --git a/CVE-2017-11473.patch b/CVE-2017-11473.patch new file mode 100644 index 000000000..e3e0658a4 --- /dev/null +++ b/CVE-2017-11473.patch @@ -0,0 +1,48 @@ +From 70ac67826602edf8c0ccb413e5ba7eacf597a60c Mon Sep 17 00:00:00 2001 +From: Seunghun Han <kkamagui@gmail.com> +Date: Tue, 18 Jul 2017 20:03:51 +0900 +Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables + +The bus_irq argument of mp_override_legacy_irq() is used as the index into +the isa_irq_to_gsi[] array. The bus_irq argument originates from +ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI +tables, but is nowhere sanity checked. + +That allows broken or malicious ACPI tables to overwrite memory, which +might cause malfunction, panic or arbitrary code execution. + +Add a sanity check and emit a warning when that triggers. + +[ tglx: Added warning and rewrote changelog ] + +Signed-off-by: Seunghun Han <kkamagui@gmail.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Cc: security@kernel.org +Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net> +Cc: stable@vger.kernel.org +--- + arch/x86/kernel/acpi/boot.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c +index 6bb6806..7491e73 100644 +--- a/arch/x86/kernel/acpi/boot.c ++++ b/arch/x86/kernel/acpi/boot.c +@@ -347,6 +347,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, + struct mpc_intsrc mp_irq; + + /* ++ * Check bus_irq boundary. ++ */ ++ if (bus_irq >= NR_IRQS_LEGACY) { ++ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq); ++ return; ++ } ++ ++ /* + * Convert 'gsi' to 'ioapic.pin'. + */ + ioapic = mp_find_ioapic(gsi); +-- +cgit v1.1 + diff --git a/kernel.spec b/kernel.spec index 1b9b4ae65..fdbeb2f73 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 2 +%define stable_update 3 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -657,6 +657,12 @@ Patch615: 0015-i2c-cht-wc-Add-Intel-Cherry-Trail-Whiskey-Cove-SMBUS.patch # Small workaround patches for issues with a more comprehensive fix in -next Patch616: 0016-Input-silead-Do-not-try-to-directly-access-the-GPIO-.patch +# CVE-2017-7542 rhbz 1473649 1473650 +Patch701: 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch + +# CVE-2017-11473 rhbz 1473209 147310 +Patch702: CVE-2017-11473.patch + # END OF PATCH DEFINITIONS %endif @@ -2230,6 +2236,12 @@ fi # # %changelog +* Fri Jul 21 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.3-100 +- Linux v4.12.3 +- Fixes CVE-2017-7541 (rhbz 1473198 1473199) +- Fix CVE-2017-7542 (rhbz 1473649 1473650) +- Fix CVE-2017-11473 (rhbz 1473209 147310) + * Tue Jul 18 2017 Peter Robinson <pbrobinson@fedoraproject.org> - Add fix for Tegra GPU display with IOMMU - Add QCom IOMMU for Dragonboard display @@ -1,3 +1,3 @@ SHA512 (perf-man-4.12.tar.gz) = 4d3bbda1f520dba0007c351af46f45085fe4842074eb2e01aee736fd369df595f8f72ed6c1192715f1120bf3353279777f9dca1178fe93bffe5be2de700d409c SHA512 (linux-4.12.tar.xz) = 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728 -SHA512 (patch-4.12.2.xz) = 3d3e7cea82b20ba841d74f6f63e635143a52ee1428017792aa210ee591fcccf7ee1475c1576257722f0f5891547b69a192d48723ab6f4c189841e17ed8013300 +SHA512 (patch-4.12.3.xz) = a6ace68b6387665a1f77420b415a72032465fae6d99ec409487765ecf7cfb8a8458fe09f844662249f14e5739db3f82b28cdac705b0d54d4c6e268719d350c0d |