From 72fe281bee0915ba313ae847a16e3559f4f149a3 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 12 Jul 2016 07:01:11 -0400 Subject: CVE-2016-5389 CVE-2016-5969 tcp challenge ack info leak (rhbz 1354708 1355615) --- kernel.spec | 6 ++ tcp-make-challenge-acks-less-predictable.patch | 81 ++++++++++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 tcp-make-challenge-acks-less-predictable.patch diff --git a/kernel.spec b/kernel.spec index 2a1e32ac1..17fc9033d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -627,6 +627,9 @@ Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch #Workaround for glibc update Patch835: 0001-Work-around-for-addition-of-metag-def-but-not-reloca.patch +#CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615 +Patch836: tcp-make-challenge-acks-less-predictable.patch + # END OF PATCH DEFINITIONS %endif @@ -2152,6 +2155,9 @@ fi # # %changelog +* Tue Jul 12 2016 Josh Boyer +- CVE-2016-5389 CVE-2016-5969 tcp challenge ack info leak (rhbz 1354708 1355615) + * Mon Jul 11 2016 Justin M. Forbes - 4.7.0-0.rc7.git0.1 - Disable debugging options. - linux v4.7-rc7 diff --git a/tcp-make-challenge-acks-less-predictable.patch b/tcp-make-challenge-acks-less-predictable.patch new file mode 100644 index 000000000..6837cff0b --- /dev/null +++ b/tcp-make-challenge-acks-less-predictable.patch 
@@ -0,0 +1,81 @@
+From 0af29b4f03b40fe0980c31d18e352f2ef19ec703 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Sun, 10 Jul 2016 10:04:02 +0200
+Subject: [PATCH] tcp: make challenge acks less predictable
+
+Yue Cao claims that current host rate limiting of challenge ACKS
+(RFC 5961) could leak enough information to allow a patient attacker
+to hijack TCP sessions. He will soon provide details in an academic
+paper.
+
+This patch increases the default limit from 100 to 1000, and adds
+some randomization so that the attacker can no longer hijack
+sessions without spending a considerable amount of probes.
+
+Based on initial analysis and patch from Linus.
+
+Note that we also have per socket rate limiting, so it is tempting
+to remove the host limit in the future.
+
+v2: randomize the count of challenge acks per second, not the period.
+
+Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
+Reported-by: Yue Cao
+Signed-off-by: Eric Dumazet
+Suggested-by: Linus Torvalds
+Cc: Yuchung Cheng
+Cc: Neal Cardwell
+Acked-by: Neal Cardwell
+Acked-by: Yuchung Cheng
+Signed-off-by: David S. Miller
+---
+ net/ipv4/tcp_input.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index d6c8f4cd0800..91868bb17818 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
+ EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
+
+ /* rfc5961 challenge ack rate limiting */
+-int sysctl_tcp_challenge_ack_limit = 100;
++int sysctl_tcp_challenge_ack_limit = 1000;
+
+ int sysctl_tcp_stdurg __read_mostly;
+ int sysctl_tcp_rfc1337 __read_mostly;
+@@ -3458,7 +3458,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
+ static u32 challenge_timestamp;
+ static unsigned int challenge_count;
+ struct tcp_sock *tp = tcp_sk(sk);
+- u32 now;
++ u32 count, now;
+
+ /* First check our per-socket dupack rate limit. */
+ if (tcp_oow_rate_limited(sock_net(sk), skb,
+@@ -3466,13 +3466,18 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
+ &tp->last_oow_ack_time))
+ return;
+
+- /* Then check the check host-wide RFC 5961 rate limit. */
++ /* Then check host-wide RFC 5961 rate limit. */
+ now = jiffies / HZ;
+ if (now != challenge_timestamp) {
++ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
++
+ challenge_timestamp = now;
+- challenge_count = 0;
++ WRITE_ONCE(challenge_count, half +
++ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
+ }
+- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
++ count = READ_ONCE(challenge_count);
++ if (count > 0) {
++ WRITE_ONCE(challenge_count, count - 1);
+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+ tcp_send_ack(sk);
+ }
+--
+2.5.5
+
-- cgit
From 68a6779060429dec83ee55647556057e4c64ab64 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Tue, 12 Jul 2016 16:38:39 -0500
Subject: Linux v4.7-rc7-6-g63bab22
---
 config-generic | 6 +--
 config-nodebug | 114 ++++++++++++++++++++++++++---------------------------
 config-x86-generic | 2 +-
 gitrev | 2 +-
 kernel.spec | 8 +++-
 sources | 1 +
 6 files changed, 69 insertions(+), 64 deletions(-)
diff --git a/config-generic b/config-generic
index 82db0f623..32832687f 100644
--- a/config-generic
+++ b/config-generic
@@ -1837,13 +1837,13 @@ CONFIG_B43=m
 CONFIG_B43_SDIO=y
 CONFIG_B43_BCMA=y
 CONFIG_B43_BCMA_PIO=y
-# CONFIG_B43_DEBUG is not set
+CONFIG_B43_DEBUG=y
 CONFIG_B43_PHY_LP=y
 CONFIG_B43_PHY_N=y
 CONFIG_B43_PHY_HT=y
 CONFIG_B43_PHY_G=y
 CONFIG_B43LEGACY=m
-# CONFIG_B43LEGACY_DEBUG is not set
+CONFIG_B43LEGACY_DEBUG=y
 CONFIG_B43LEGACY_DMA=y
 CONFIG_B43LEGACY_PIO=y
 CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
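Review bot: In the refresh branch of `tcp_send_challenge_ack()` (the embedded tcp_input.c hunk at -3466), `sysctl_tcp_challenge_ack_limit` is read twice, once for `half` and once for `prandom_u32_max()`, and it is a signed `int` used in `u32` arithmetic, so a sysctl write landing between the two reads, or a negative value if the sysctl handler does not bound it (not visible here), yields a budget unrelated to the configured limit. Reading it once, `u32 limit = READ_ONCE(sysctl_tcp_challenge_ack_limit);`, and using `limit` for both `half` and the random term keeps the two consistent. The `READ_ONCE`/`WRITE_ONCE` pair on `challenge_count` prevents torn accesses but is not an atomic decrement, and `challenge_timestamp` is still a plain store, so CPUs racing on these statics can reset or spend the same budget slot twice; that looks acceptable for a randomised limit but deserves a comment such as `/* Lockless by design: racing CPUs may send a few extra challenge ACKs per second. */`. The function body starts and ends outside the hunk.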
@@ -5218,7 +5218,7 @@ CONFIG_PM_DEBUG=y
 # CONFIG_DPM_WATCHDOG is not set # revisit this in debug
 CONFIG_PM_TRACE=y
 CONFIG_PM_TRACE_RTC=y
-# CONFIG_PM_TEST_SUSPEND is not set
+CONFIG_PM_TEST_SUSPEND=y
 # CONFIG_PM_OPP is not set
 # CONFIG_PM_AUTOSLEEP is not set
 # CONFIG_PM_WAKELOCKS is not set
diff --git a/config-nodebug b/config-nodebug
index 4bd461d8f..0dc864752 100644
--- a/config-nodebug
+++ b/config-nodebug
@@ -2,102 +2,102 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -# CONFIG_DEBUG_ATOMIC_SLEEP is not set - -# CONFIG_DEBUG_MUTEXES is not set -# CONFIG_DEBUG_RT_MUTEXES is not set -# CONFIG_DEBUG_LOCK_ALLOC is not set -# CONFIG_LOCK_TORTURE_TEST is not set -# CONFIG_PROVE_LOCKING is not set -# CONFIG_DEBUG_SPINLOCK is not set -# CONFIG_PROVE_RCU is not set +CONFIG_DEBUG_ATOMIC_SLEEP=y + +CONFIG_DEBUG_MUTEXES=y +CONFIG_DEBUG_RT_MUTEXES=y +CONFIG_DEBUG_LOCK_ALLOC=y +CONFIG_LOCK_TORTURE_TEST=m +CONFIG_PROVE_LOCKING=y +CONFIG_DEBUG_SPINLOCK=y +CONFIG_PROVE_RCU=y # CONFIG_PROVE_RCU_REPEATEDLY is not set -# CONFIG_DEBUG_PER_CPU_MAPS is not set +CONFIG_DEBUG_PER_CPU_MAPS=y CONFIG_CPUMASK_OFFSTACK=y -# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set +CONFIG_CPU_NOTIFIER_ERROR_INJECT=m -# CONFIG_FAULT_INJECTION is not set -# CONFIG_FAILSLAB is not set -# CONFIG_FAIL_PAGE_ALLOC is not set -# CONFIG_FAIL_MAKE_REQUEST is not set -# CONFIG_FAULT_INJECTION_DEBUG_FS is not set -# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set -# CONFIG_FAIL_IO_TIMEOUT is not set -# CONFIG_FAIL_MMC_REQUEST is not set +CONFIG_FAULT_INJECTION=y +CONFIG_FAILSLAB=y +CONFIG_FAIL_PAGE_ALLOC=y +CONFIG_FAIL_MAKE_REQUEST=y +CONFIG_FAULT_INJECTION_DEBUG_FS=y +CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y +CONFIG_FAIL_IO_TIMEOUT=y +CONFIG_FAIL_MMC_REQUEST=y # CONFIG_F2FS_FAULT_INJECTION is not set -# CONFIG_LOCK_STAT is not set +CONFIG_LOCK_STAT=y -# CONFIG_DEBUG_STACK_USAGE is not set +CONFIG_DEBUG_STACK_USAGE=y -# CONFIG_ACPI_DEBUG is not set +CONFIG_ACPI_DEBUG=y # CONFIG_ACPI_DEBUGGER is not set -# CONFIG_DEBUG_SG is not set -# CONFIG_DEBUG_PI_LIST is not set +CONFIG_DEBUG_SG=y +CONFIG_DEBUG_PI_LIST=y # CONFIG_PAGE_EXTENSION is not set # CONFIG_PAGE_OWNER is not set # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_DEBUG_OBJECTS is not set +CONFIG_DEBUG_OBJECTS=y # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -# CONFIG_DEBUG_OBJECTS_FREE is not set -# CONFIG_DEBUG_OBJECTS_TIMERS is not 
set -# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set +CONFIG_DEBUG_OBJECTS_FREE=y +CONFIG_DEBUG_OBJECTS_TIMERS=y +CONFIG_DEBUG_OBJECTS_RCU_HEAD=y CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 CONFIG_X86_PTDUMP=y -# CONFIG_ARM64_PTDUMP is not set -# CONFIG_EFI_PGT_DUMP is not set +CONFIG_ARM64_PTDUMP=y +CONFIG_EFI_PGT_DUMP=y -# CONFIG_CAN_DEBUG_DEVICES is not set +CONFIG_CAN_DEBUG_DEVICES=y -# CONFIG_MODULE_FORCE_UNLOAD is not set +CONFIG_MODULE_FORCE_UNLOAD=y -# CONFIG_DEBUG_NOTIFIERS is not set +CONFIG_DEBUG_NOTIFIERS=y -# CONFIG_DMA_API_DEBUG is not set +CONFIG_DMA_API_DEBUG=y -# CONFIG_MMIOTRACE is not set +CONFIG_MMIOTRACE=y -# CONFIG_DEBUG_CREDENTIALS is not set +CONFIG_DEBUG_CREDENTIALS=y # off in both production debug and nodebug builds, # on in rawhide nodebug builds -# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y -# CONFIG_EXT4_DEBUG is not set +CONFIG_EXT4_DEBUG=y # CONFIG_XFS_WARN is not set -# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_DEBUG_PERF_USE_VMALLOC=y -# CONFIG_JBD2_DEBUG is not set +CONFIG_JBD2_DEBUG=y -# CONFIG_NFSD_FAULT_INJECTION is not set +CONFIG_NFSD_FAULT_INJECTION=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y -# CONFIG_DRBD_FAULT_INJECTION is not set +CONFIG_DRBD_FAULT_INJECTION=y -# CONFIG_ATH_DEBUG is not set -# CONFIG_CARL9170_DEBUGFS is not set -# CONFIG_IWLWIFI_DEVICE_TRACING is not set +CONFIG_ATH_DEBUG=y +CONFIG_CARL9170_DEBUGFS=y +CONFIG_IWLWIFI_DEVICE_TRACING=y # CONFIG_RTLWIFI_DEBUG is not set -# CONFIG_DEBUG_OBJECTS_WORK is not set +CONFIG_DEBUG_OBJECTS_WORK=y -# CONFIG_DMADEVICES_DEBUG is not set +CONFIG_DMADEVICES_DEBUG=y # CONFIG_DMADEVICES_VDEBUG is not set CONFIG_PM_ADVANCED_DEBUG=y -# CONFIG_CEPH_LIB_PRETTYDEBUG is not set -# CONFIG_QUOTA_DEBUG is not set +CONFIG_CEPH_LIB_PRETTYDEBUG=y +CONFIG_QUOTA_DEBUG=y CONFIG_KGDB_KDB=y 
@@ -105,19 +105,19 @@ CONFIG_KDB_DEFAULT_ENABLE=0x0 CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set +CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y # CONFIG_PERCPU_TEST is not set -# CONFIG_TEST_LIST_SORT is not set +CONFIG_TEST_LIST_SORT=y # CONFIG_TEST_STRING_HELPERS is not set -# CONFIG_DETECT_HUNG_TASK is not set +CONFIG_DETECT_HUNG_TASK=y CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -# CONFIG_WQ_WATCHDOG is not set +CONFIG_WQ_WATCHDOG=y -# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set +CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y -# CONFIG_DEBUG_KMEMLEAK is not set +CONFIG_DEBUG_KMEMLEAK=y CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y @@ -128,4 +128,4 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_SPI_DEBUG is not set -# CONFIG_DEBUG_VM_PGFLAGS is not set +CONFIG_DEBUG_VM_PGFLAGS=y diff --git a/config-x86-generic b/config-x86-generic index 8ae20bab7..ae80650a4 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -381,7 +381,7 @@ CONFIG_SP5100_TCO=m # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -# CONFIG_MAXSMP is not set +CONFIG_MAXSMP=y CONFIG_HP_ILO=m diff --git a/gitrev b/gitrev index 40fc6946b..d4b9303af 100644 --- a/gitrev +++ b/gitrev @@ -1 +1 @@ -cc23c619f8da3ccbe6a856c79fb5a3d245b68daf +63bab2203d54529ff1a7181b0575b58a9f3575cd diff --git a/kernel.spec b/kernel.spec index 17fc9033d..248279173 100644 --- a/kernel.spec +++ b/kernel.spec @@ -69,7 +69,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 7 # The git snapshot level -%define gitrev 0 +%define gitrev 1 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif 
@@ -125,7 +125,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 1 +%define debugbuildsenabled 0 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -2155,6 +2155,10 @@ fi # # %changelog +* Tue Jul 12 2016 Justin M. Forbes - 4.7.0-0.rc7.git1.1 +- Linux v4.7-rc7-6-g63bab22 +- Reenable debugging options. + * Tue Jul 12 2016 Josh Boyer - CVE-2016-5389 CVE-2016-5969 tcp challenge ack info leak (rhbz 1354708 1355615) diff --git a/sources b/sources index 0ebc06979..4f9ec13d8 100644 --- a/sources +++ b/sources @@ -1,3 +1,4 @@ d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz 1ec96a040683561e53e983cfdb09bab8 patch-4.7-rc7.xz +db26234012c105aea198d0a920eeaf23 patch-4.7-rc7-git1.xz -- cgit