-rw-r--r--0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch54
-rw-r--r--CVE-2017-11473.patch48
-rw-r--r--kernel.spec14
-rw-r--r--sources2
4 files changed, 116 insertions, 2 deletions
diff --git a/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
new file mode 100644
index 000000000..be8b6c6a0
--- /dev/null
+++ b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
@@ -0,0 +1,54 @@
+From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 19 Jul 2017 22:28:55 +0200
+Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt
+
+In some cases, offset can overflow and can cause an infinite loop in
+ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
+cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
+
+This problem has been here since before the beginning of git history.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/output_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index e9065b8..abb2c30 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
+
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+- u16 offset = sizeof(struct ipv6hdr);
++ unsigned int offset = sizeof(struct ipv6hdr);
+ unsigned int packet_len = skb_tail_pointer(skb) -
+ skb_network_header(skb);
+ int found_rhdr = 0;
+@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ while (offset <= packet_len) {
+ struct ipv6_opt_hdr *exthdr;
++ unsigned int len;
+
+ switch (**nexthdr) {
+
+@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ offset);
+- offset += ipv6_optlen(exthdr);
++ len = ipv6_optlen(exthdr);
++ if (len + offset >= IPV6_MAXPLEN)
++ return -EINVAL;
++ offset += len;
+ *nexthdr = &exthdr->nexthdr;
+ }
+
+--
+2.9.4
+
diff --git a/CVE-2017-11473.patch b/CVE-2017-11473.patch
new file mode 100644
index 000000000..e3e0658a4
--- /dev/null
+++ b/CVE-2017-11473.patch
@@ -0,0 +1,48 @@
+From 70ac67826602edf8c0ccb413e5ba7eacf597a60c Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 18 Jul 2017 20:03:51 +0900
+Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
+
+The bus_irq argument of mp_override_legacy_irq() is used as the index into
+the isa_irq_to_gsi[] array. The bus_irq argument originates from
+ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
+tables, but is nowhere sanity checked.
+
+That allows broken or malicious ACPI tables to overwrite memory, which
+might cause malfunction, panic or arbitrary code execution.
+
+Add a sanity check and emit a warning when that triggers.
+
+[ tglx: Added warning and rewrote changelog ]
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: security@kernel.org
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: stable@vger.kernel.org
+---
+ arch/x86/kernel/acpi/boot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
+index 6bb6806..7491e73 100644
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -347,6 +347,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
+ struct mpc_intsrc mp_irq;
+
+ /*
++ * Check bus_irq boundary.
++ */
++ if (bus_irq >= NR_IRQS_LEGACY) {
++ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
++ return;
++ }
++
++ /*
+ * Convert 'gsi' to 'ioapic.pin'.
+ */
+ ioapic = mp_find_ioapic(gsi);
+--
+cgit v1.1
+
diff --git a/kernel.spec b/kernel.spec
index 1b9b4ae65..fdbeb2f73 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 2
+%define stable_update 3
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -657,6 +657,12 @@ Patch615: 0015-i2c-cht-wc-Add-Intel-Cherry-Trail-Whiskey-Cove-SMBUS.patch
# Small workaround patches for issues with a more comprehensive fix in -next
Patch616: 0016-Input-silead-Do-not-try-to-directly-access-the-GPIO-.patch
+# CVE-2017-7542 rhbz 1473649 1473650
+Patch701: 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+
+# CVE-2017-11473 rhbz 1473209 147310
+Patch702: CVE-2017-11473.patch
+
# END OF PATCH DEFINITIONS
%endif
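Review bot: The second Bugzilla id in the new comment `# CVE-2017-11473 rhbz 1473209 147310` has six digits while every other rhbz id on this page has seven (1473649, 1473650, 1473198, 1473199), so it looks truncated; the same string is repeated in the %changelog hunk below (`- Fix CVE-2017-11473 (rhbz 1473209 147310)`), so both should be corrected together once the intended id is confirmed. The Patch701/Patch702 lines only declare the two patches; if this spec applies patches through an explicit list in %prep rather than picking up every PatchNNN automatically, the corresponding apply lines are missing from this diff — the %prep section is outside the hunk, so this cannot be verified here. Minor wording point in the changelog hunk: the entries use `Fixes CVE-2017-7541` but `Fix CVE-2017-7542` and `Fix CVE-2017-11473`; one form should be used for all three.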
@@ -2230,6 +2236,12 @@ fi
#
#
%changelog
+* Fri Jul 21 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.3-100
+- Linux v4.12.3
+- Fixes CVE-2017-7541 (rhbz 1473198 1473199)
+- Fix CVE-2017-7542 (rhbz 1473649 1473650)
+- Fix CVE-2017-11473 (rhbz 1473209 147310)
+
* Tue Jul 18 2017 Peter Robinson <pbrobinson@fedoraproject.org>
- Add fix for Tegra GPU display with IOMMU
- Add QCom IOMMU for Dragonboard display
diff --git a/sources b/sources
index 81af3ab5a..700a46c92 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
SHA512 (perf-man-4.12.tar.gz) = 4d3bbda1f520dba0007c351af46f45085fe4842074eb2e01aee736fd369df595f8f72ed6c1192715f1120bf3353279777f9dca1178fe93bffe5be2de700d409c
SHA512 (linux-4.12.tar.xz) = 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728
-SHA512 (patch-4.12.2.xz) = 3d3e7cea82b20ba841d74f6f63e635143a52ee1428017792aa210ee591fcccf7ee1475c1576257722f0f5891547b69a192d48723ab6f4c189841e17ed8013300
+SHA512 (patch-4.12.3.xz) = a6ace68b6387665a1f77420b415a72032465fae6d99ec409487765ecf7cfb8a8458fe09f844662249f14e5739db3f82b28cdac705b0d54d4c6e268719d350c0d