From 2ca4e0f07d85ab6f67dac9b6cc2c2458101ae30e Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Mon, 18 Dec 2017 07:40:53 -0600
Subject: Linux v4.14.7

---
 allwinner-net-emac.patch | 40 --------------------------
 arm64-thunderX-fix-ipv6-checksum-offload.patch | 39 -------------------------
 kernel.spec | 7 +++--
 sources | 2 +-
 4 files changed, 5 insertions(+), 83 deletions(-)
 delete mode 100644 arm64-thunderX-fix-ipv6-checksum-offload.patch

diff --git a/allwinner-net-emac.patch b/allwinner-net-emac.patch
index bad1e4490..c9c7cd0ec 100644
--- a/allwinner-net-emac.patch
+++ b/allwinner-net-emac.patch
@@ -1932,43 +1932,3 @@ index e5ff734..9eb7f65 100644
 --
 cgit v1.1
 
-From 45ab4b13e46325d00f4acdb365d406e941a15f81 Mon Sep 17 00:00:00 2001
-From: Lars Persson
-Date: Fri, 1 Dec 2017 11:12:44 +0100
-Subject: stmmac: reset last TSO segment size after device open
-
-The mss variable tracks the last max segment size sent to the TSO
-engine. We do not update the hardware as long as we receive skb:s with
-the same value in gso_size.
-
-During a network device down/up cycle (mapped to stmmac_release() and
-stmmac_open() callbacks) we issue a reset to the hardware and it
-forgets the setting for mss. However we did not zero out our mss
-variable so the next transmission of a gso packet happens with an
-undefined hardware setting.
-
-This triggers a hang in the TSO engine and eventuelly the netdev
-watchdog will bark.
-
-Fixes: f748be531d70 ("stmmac: support new GMAC4")
-Signed-off-by: Lars Persson
-Signed-off-by: David S. Miller
----
- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
-index f63c2dd..d725053 100644
---- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
-+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
-@@ -2588,6 +2588,7 @@ static int stmmac_open(struct net_device *dev)
-
- priv->dma_buf_sz = STMMAC_ALIGN(buf_sz);
- priv->rx_copybreak = STMMAC_RX_COPYBREAK;
-+ priv->mss = 0;
-
- ret = alloc_dma_desc_resources(priv);
- if (ret < 0) {
---
-cgit v1.1
-
diff --git a/arm64-thunderX-fix-ipv6-checksum-offload.patch b/arm64-thunderX-fix-ipv6-checksum-offload.patch
deleted file mode 100644
index 221189997..000000000
--- a/arm64-thunderX-fix-ipv6-checksum-offload.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From fa6d7cb5d76cf0467c61420fc9238045aedfd379 Mon Sep 17 00:00:00 2001
-From: Sunil Goutham
-Date: Thu, 23 Nov 2017 22:34:31 +0300
-Subject: net: thunderx: Fix TCP/UDP checksum offload for IPv6 pkts
-
-Don't offload IP header checksum to NIC.
-
-This fixes a previous patch which enabled checksum offloading
-for both IPv4 and IPv6 packets. So L3 checksum offload was
-getting enabled for IPv6 pkts. And HW is dropping these pkts
-as it assumes the pkt is IPv4 when IP csum offload is set
-in the SQ descriptor.
-
-Fixes: 3a9024f52c2e ("net: thunderx: Enable TSO and checksum offloads for ipv6")
-Signed-off-by: Sunil Goutham
-Signed-off-by: Aleksey Makarov
-Reviewed-by: Eric Dumazet
-Signed-off-by: David S. Miller
----
- drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 1 -
- 1 file changed, 1 deletion(-)
-
-(limited to 'drivers/net/ethernet/cavium/thunder/nicvf_queues.c')
-
-diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
-index d4496e9..8b2c31e 100644
---- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
-+++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
-@@ -1355,7 +1355,6 @@ nicvf_sq_add_hdr_subdesc(struct nicvf *nic, struct snd_queue *sq, int qentry,
-
- /* Offload checksum calculation to HW */
- if (skb->ip_summed == CHECKSUM_PARTIAL) {
-- hdr->csum_l3 = 1; /* Enable IP csum calculation */
- hdr->l3_offset = skb_network_offset(skb);
- hdr->l4_offset = skb_transport_offset(skb);
-
---
-cgit v1.1
-
diff --git a/kernel.spec b/kernel.spec
index 50b492bca..a96b62474 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 6
+%define stable_update 7
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -620,8 +620,6 @@ Patch332: arm64-socionext-96b-enablement.patch Patch335: arm-exynos-fix-usb3.patch -Patch399: arm64-thunderX-fix-ipv6-checksum-offload.patch - # 400 - IBM (ppc/s390x) patches # 500 - Temp fixes/CVEs etc @@ -2226,6 +2224,9 @@ fi # # %changelog +* Mon Dec 18 2017 Justin M. Forbes - 4.14.7-300 +- Linux v4.14.7 + * Thu Dec 14 2017 Jeremy Cline - 4.14.6-300 - Linux v4.14.6 - Security fix for CVE-2017-17449 (rhbz 1525762 1525763) diff --git a/sources b/sources index 760740837..bd0037952 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8 SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8 -SHA512 (patch-4.14.6.xz) = c37b437f740fbb480766149ca1c6ddb5ee763b88b034b9b4eaf3ce000f299545ee19a93638d1a4161ab0c76ec73e1a53b2264b94213d53d6ad7dcda6bee45b8c +SHA512 (patch-4.14.7.xz) = 7a0aa00af73fbac34a0f96ebbd977688275538f8f2f3e0ba32ac3f9eb0d02498dd75d4d6481cfdd1236d45616231dd376a453ce8c04663ceaeb5ccc553996251 -- cgit From 18f6ac2854ac8c0df5f615d06380cffcd1826bbe Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 18 Dec 2017 08:17:57 -0600 Subject: Fix CVE-2017-17712 (rhbz 1526427 1526933) --- kernel.spec | 4 ++ ...4-fix-for-a-race-condition-in-raw_sendmsg.patch | 81 ++++++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch diff --git a/kernel.spec b/kernel.spec index a96b62474..09b1b1f36 100644 --- a/kernel.spec +++ b/kernel.spec @@ -670,6 +670,9 @@ Patch627: qxl-fixes.patch # rhbz 1462175 Patch628: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch +# CVE-2017-17712 rhbz 1526427 1526933 +Patch629: net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch + # END OF PATCH DEFINITIONS %endif 
@@ -2226,6 +2229,7 @@ fi
 %changelog
 * Mon Dec 18 2017 Justin M. Forbes - 4.14.7-300
 - Linux v4.14.7
+- Fix CVE-2017-17712 (rhbz 1526427 1526933)
 
 * Thu Dec 14 2017 Jeremy Cline - 4.14.6-300
 - Linux v4.14.6
diff --git a/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
new file mode 100644
index 000000000..41ad4af16
--- /dev/null
+++ b/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
@@ -0,0 +1,81 @@
+From patchwork Sun Dec 10 03:50:58 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: net: ipv4: fix for a race condition in raw_sendmsg
+X-Patchwork-Submitter: simo.ghannam@gmail.com
+X-Patchwork-Id: 846641
+X-Patchwork-Delegate: davem@davemloft.net
+Message-Id: <5a2caf2e.4ce61c0a.5017a.575f@mx.google.com>
+To: netdev@vger.kernel.org
+Cc: Mohamed Ghannam
+Date: Sun, 10 Dec 2017 03:50:58 +0000
+From: simo.ghannam@gmail.com
+List-Id:
+
+From: Mohamed Ghannam
+
+inet->hdrincl is racy, and could lead to uninitialized stack pointer
+usage, so its value should be read only once.
+
+Signed-off-by: Mohamed Ghannam
+Reviewed-by: Eric Dumazet
+---
+ net/ipv4/raw.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 33b70bfd1122..125c1eab3eaa 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ int err;
+ struct ip_options_data opt_copy;
+ struct raw_frag_vec rfv;
++ int hdrincl;
+
+ err = -EMSGSIZE;
+ if (len > 0xFFFF)
+ goto out;
+
++ /* hdrincl should be READ_ONCE(inet->hdrincl)
++ * but READ_ONCE() doesn't work with bit fields
++ */
++ hdrincl = inet->hdrincl;
+ /*
+ * Check the flags.
+ */
+@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ /* Linux does not mangle headers on raw sockets,
+ * so that IP options + IP_HDRINCL is non-sense.
+ */
+- if (inet->hdrincl)
++ if (hdrincl)
+ goto done;
+ if (ipc.opt->opt.srr) {
+ if (!daddr)
+@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+
+ flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
+ RT_SCOPE_UNIVERSE,
+- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
++ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+ inet_sk_flowi_flags(sk) |
+- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
++ (hdrincl ? 
FLOWI_FLAG_KNOWN_NH : 0), + daddr, saddr, 0, 0, sk->sk_uid); + +- if (!inet->hdrincl) { ++ if (!hdrincl) { + rfv.msg = msg; + rfv.hlen = 0; + +@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + goto do_confirm; + back_from_confirm: + +- if (inet->hdrincl) ++ if (hdrincl) + err = raw_send_hdrinc(sk, &fl4, msg, len, + &rt, msg->msg_flags, &ipc.sockc); + -- cgit From 32faf667281ae4dd26b9a1dc9973b5183cae52c5 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 19 Dec 2017 09:35:24 -0600 Subject: Fix CVE-2017-17741 (rhbz 1527112 1527113) --- kernel.spec | 6 + ...ix-stack-out-of-bounds-read-in-write_mmio.patch | 215 +++++++++++++++++++++ 2 files changed, 221 insertions(+) create mode 100644 v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch diff --git a/kernel.spec b/kernel.spec index 09b1b1f36..ca0947b88 100644 --- a/kernel.spec +++ b/kernel.spec @@ -673,6 +673,9 @@ Patch628: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch # CVE-2017-17712 rhbz 1526427 1526933 Patch629: net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch +# CVE-2017-17741 rhbz 1527112 1527113 +Patch630: v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch + # END OF PATCH DEFINITIONS %endif @@ -2227,6 +2230,9 @@ fi # # %changelog +* Tue Dec 19 2017 Justin M. Forbes +- Fix CVE-2017-17741 (rhbz 1527112 1527113) + * Mon Dec 18 2017 Justin M. Forbes - 4.14.7-300 - Linux v4.14.7 - Fix CVE-2017-17712 (rhbz 1526427 1526933) diff --git a/v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch b/v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch new file mode 100644 index 000000000..f3767cda5 --- /dev/null +++ b/v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch 
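Review bot: The added net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch is the patchwork submission (Message-Id and X-Patchwork-Id headers only) and records no reference to the commit it became upstream, so a future rebase has nothing to match against when deciding whether a 4.14.x stable update already carries it — exactly the bookkeeping the "Linux v4.14.7" commit above had to do by hand for the allwinner and thunderX patches. Suggest one line at the top of the patch file, `Upstream commit: <UPSTREAM_COMMIT_ID>` (placeholder, fill in once known), or the same reference appended to the spec comment `# CVE-2017-17712 rhbz 1526427 1526933`. The same applies to v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch added by the following commit. On the code itself the patch's own comment already explains why `hdrincl` is a plain read rather than READ_ONCE(); nothing further to add there.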
@@ -0,0 +1,215 @@
+From patchwork Fri Dec 15 01:40:50 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: [v4] KVM: Fix stack-out-of-bounds read in write_mmio
+From: Wanpeng Li
+X-Patchwork-Id: 10113513
+Message-Id: <1513302050-14253-1-git-send-email-wanpeng.li@hotmail.com>
+To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
+Cc: Paolo Bonzini ,
+ =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= ,
+ Wanpeng Li , Marc Zyngier ,
+ Christoffer Dall
+Date: Thu, 14 Dec 2017 17:40:50 -0800
+
+From: Wanpeng Li
+
+Reported by syzkaller:
+
+ BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
+ Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
+
+ CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18
+ Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
+ Call Trace:
+ dump_stack+0xab/0xe1
+ print_address_description+0x6b/0x290
+ kasan_report+0x28a/0x370
+ write_mmio+0x11e/0x270 [kvm]
+ emulator_read_write_onepage+0x311/0x600 [kvm]
+ emulator_read_write+0xef/0x240 [kvm]
+ emulator_fix_hypercall+0x105/0x150 [kvm]
+ em_hypercall+0x2b/0x80 [kvm]
+ x86_emulate_insn+0x2b1/0x1640 [kvm]
+ x86_emulate_instruction+0x39a/0xb90 [kvm]
+ handle_exception+0x1b4/0x4d0 [kvm_intel]
+ vcpu_enter_guest+0x15a0/0x2640 [kvm]
+ kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
+ kvm_vcpu_ioctl+0x479/0x880 [kvm]
+ do_vfs_ioctl+0x142/0x9a0
+ SyS_ioctl+0x74/0x80
+ entry_SYSCALL_64_fastpath+0x23/0x9a
+
+The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
+to the guest memory, however, write_mmio tracepoint always prints 8 bytes
+through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
+can result in stack-out-of-bounds read due to access the extra 5 bytes.
+This patch fixes it by just accessing the bytes which we operates on.
+
+Before patch:
+
+syz-executor-5567 [007] .... 
51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
+
+After patch:
+
+syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
+
+Reported-by: Dmitry Vyukov
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Marc Zyngier
+Cc: Christoffer Dall
+Signed-off-by: Wanpeng Li
+Reviewed-by: Darren Kenny
+Reviewed-by: Marc Zyngier
+Tested-by: Marc Zyngier
+---
+v3 -> v4:
+ * fix the arm tracepoint
+v2 -> v3:
+ * fix sparse warning
+v1 -> v2:
+ * do the memcpy in kvm_mmio tracepoint
+
+ arch/x86/kvm/x86.c | 8 ++++----
+ include/trace/events/kvm.h | 6 ++++--
+ virt/kvm/arm/mmio.c | 6 +++---
+ 3 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 0f82e2c..c7071e7 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4456,7 +4456,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v)
+ addr, n, v))
+ && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
+ break;
+- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
++ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
+ handled += n;
+ addr += n;
+ len -= n;
+@@ -4715,7 +4715,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
+ {
+ if (vcpu->mmio_read_completed) {
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
+- vcpu->mmio_fragments[0].gpa, *(u64 *)val);
++ vcpu->mmio_fragments[0].gpa, val);
+ vcpu->mmio_read_completed = 0;
+ return 1;
+ }
+@@ -4737,14 +4737,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
+
+ static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
+ {
+- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
+ return vcpu_mmio_write(vcpu, gpa, bytes, val);
+ }
+
+ static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
+ void *val, int bytes)
+ {
+- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
++ 
trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
+ return X86EMUL_IO_NEEDED;
+ }
+
+diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
+index e4b0b8e..dfd2170 100644
+--- a/include/trace/events/kvm.h
++++ b/include/trace/events/kvm.h
+@@ -211,7 +211,7 @@ TRACE_EVENT(kvm_ack_irq,
+ { KVM_TRACE_MMIO_WRITE, "write" }
+
+ TRACE_EVENT(kvm_mmio,
+- TP_PROTO(int type, int len, u64 gpa, u64 val),
++ TP_PROTO(int type, int len, u64 gpa, void *val),
+ TP_ARGS(type, len, gpa, val),
+
+ TP_STRUCT__entry(
+@@ -225,7 +225,9 @@ TRACE_EVENT(kvm_mmio,
+ __entry->type = type;
+ __entry->len = len;
+ __entry->gpa = gpa;
+- __entry->val = val;
++ __entry->val = 0;
++ if (val)
++ memcpy(&__entry->val, val, min(8, len));
+ ),
+
+ TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
+diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c
+index b6e715f..dac7ceb 100644
+--- a/virt/kvm/arm/mmio.c
++++ b/virt/kvm/arm/mmio.c
+@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
+ }
+
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
+- data);
++ &data);
+ data = vcpu_data_host_to_guest(vcpu, data, len);
+ vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
+ }
+@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
+ data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
+ len);
+
+- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
+ kvm_mmio_write_buf(data_buf, len, data);
+
+ ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+ data_buf);
+ } else {
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
+- fault_ipa, 0);
++ fault_ipa, NULL);
+
+ ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+ data_buf);
+From patchwork Mon Dec 18 11:55:05 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [v4] KVM: Fix 
stack-out-of-bounds read in write_mmio
+From: Paolo Bonzini
+X-Patchwork-Id: 10118879
+Message-Id: <17d27b8d-908b-a740-1d2d-e92a8507f25b@redhat.com>
+To: Marc Zyngier ,
+ Wanpeng Li , linux-kernel@vger.kernel.org,
+ kvm@vger.kernel.org
+Cc: =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= ,
+ Wanpeng Li ,
+ Christoffer Dall
+Date: Mon, 18 Dec 2017 12:55:05 +0100
+
+On 15/12/2017 12:06, Marc Zyngier wrote:
+> Assuming you address the above:
+>
+> Reviewed-by: Marc Zyngier
+> Tested-by: Marc Zyngier
+
+Done as follows:
+
+
+Thanks,
+
+Paolo
+
+diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
+index dfd21708694f..0a016bd14c2d 100644
+--- a/include/trace/events/kvm.h
++++ b/include/trace/events/kvm.h
+@@ -227,7 +228,8 @@
+ __entry->gpa = gpa;
+ __entry->val = 0;
+ if (val)
+- memcpy(&__entry->val, val, min(8, len));
++ memcpy(&__entry->val, val,
++ min_t(u32, sizeof(__entry->val), len));
+ ),
+
+ TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
--
cgit
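Review bot: The new v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch holds two separate mails — Wanpeng Li's v4 patch and Paolo Bonzini's follow-up that rewrites the same include/trace/events/kvm.h hunk — and the second diff is written against line numbers that only exist once the first has applied (`@@ -227,7 +228,8 @@`), so whatever applies this file must process both diffs in order; a one-line note at the top of the file, such as `# Second diff below is the maintainer follow-up to the v4 patch; both must apply, in order.`, would spare the next rebase a surprise. That follow-up is a correctness matter rather than style: `len` is a plain `int` in `TP_PROTO(int type, int len, u64 gpa, void *val)`, and `min(8, len)` would pass a negative `len` straight through to memcpy(), whereas `min_t(u32, sizeof(__entry->val), len)` clamps the copy to the size of the trace field. It is worth confirming that the built kernel's kvm.h carries the `min_t` form, since a tool that stopped after the first mail would leave the weaker bound in place without any apply error.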