From 219a01f147cab7ae4fb19a9d380cf3ed40288380 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 11 May 2020 11:12:02 -0500 Subject: Linux v5.6.12 --- kernel.spec | 5 ++++- sources | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/kernel.spec b/kernel.spec index d25e1487f..754ec6f03 100644 --- a/kernel.spec +++ b/kernel.spec @@ -56,7 +56,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 11 +%define stable_update 12 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -1842,6 +1842,9 @@ fi # # %changelog +* Mon May 11 2020 Justin M. Forbes - 5.6.12-100 +- Linux v5.6.12 + * Wed May 06 2020 Justin M. Forbes - 5.6.11-100 - Linux v5.6.11 diff --git a/sources b/sources index 3244f95a5..ebd905da4 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-5.6.tar.xz) = 80846fe2b4e4a7ff471d2dde28a8216ae807a3209f959e93d39ea4fc9a189ea28ec3db9d303b3fe15a28c2cb90e7446876678e93e23353c2d6f262e364a06bc9 -SHA512 (patch-5.6.11.xz) = 0e9bda5aea7617e1d1ec6aa906a7845dd498a30a0e1018583561f3af64d7e67afee3bfffdea2e7eab81d100054aa49b8cfaa0fbfc4e308e7f8b70f21dfdb7908 +SHA512 (patch-5.6.12.xz) = e057961567d8482482ce8e27467b4fc47ddff604a3fd47f5e4f4092a29cc9ef5d180dd739f3edff91ab373108b699c04e55131722e8d4f153f4dd7e7833b48cd -- cgit From 364418124060eb317c531a5b6c94bdedbc455968 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 12 May 2020 17:29:20 -0500 Subject: Fix CVE-2020-10711 (rhbz 1825116 1834778) Signed-off-by: Justin M. Forbes --- kernel.spec | 6 ++ net-netlabel-cope-with-NULL-catmap.patch | 95 ++++++++++++++++++++++++++++++++ 2 files changed, 101 insertions(+) create mode 100644 net-netlabel-cope-with-NULL-catmap.patch diff --git a/kernel.spec b/kernel.spec index 754ec6f03..25e3fbecc 100644 --- a/kernel.spec +++ b/kernel.spec 
@@ -612,6 +612,9 @@ Patch511: e1000e-bump-up-timeout-to-wait-when-ME-un-configure-ULP-mode.patch Patch512: drm-dp_mst-Fix-drm_dp_send_dpcd_write-return-code.patch +# CVE-2020-10711 rhbz 1825116 1834778 +Patch513: net-netlabel-cope-with-NULL-catmap.patch + # END OF PATCH DEFINITIONS %endif @@ -1842,6 +1845,9 @@ fi # # %changelog +* Tue May 12 2020 Justin M. Forbes +- Fix CVE-2020-10711 (rhbz 1825116 1834778) + * Mon May 11 2020 Justin M. Forbes - 5.6.12-100 - Linux v5.6.12 diff --git a/net-netlabel-cope-with-NULL-catmap.patch b/net-netlabel-cope-with-NULL-catmap.patch new file mode 100644 index 000000000..06a915121 --- /dev/null +++ b/net-netlabel-cope-with-NULL-catmap.patch 
@@ -0,0 +1,95 @@
+From MAILER-DAEMON Tue May 12 19:31:23 2020
+From: Paolo Abeni
+To: netdev@vger.kernel.org
+Cc: "David S. Miller" , Jakub Kicinski , linux-security-module@vger.kernel.org, Paul Moore , ppandit@redhat.com, Matthew Sheets
+Subject: [PATCH net] netlabel: cope with NULL catmap
+Date: Tue, 12 May 2020 14:43:14 +0200
+Message-Id: <07d99ae197bfdb2964931201db67b6cd0b38db5b.1589276729.git.pabeni@redhat.com>
+Sender: owner-linux-security-module@vger.kernel.org
+List-ID:
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+The cipso and calipso code can set the MLS_CAT attribute on
+successful parsing, even if the corresponding catmap has
+not been allocated, as per current configuration and external
+input.
+
+Later, selinux code tries to access the catmap if the MLS_CAT flag
+is present via netlbl_catmap_getlong(). That may cause null ptr
+dereference while processing incoming network traffic.
+
+Address the issue setting the MLS_CAT flag only if the catmap is
+really allocated. Additionally let netlbl_catmap_getlong() cope
+with NULL catmap.
+
+Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
+Fixes: 4b8feff251da ("netlabel: fix the horribly broken catmap functions")
+Reported-by: Matthew Sheets
+Signed-off-by: Paolo Abeni
+---
+ net/ipv4/cipso_ipv4.c | 6 ++++--
+ net/ipv6/calipso.c | 3 ++-
+ net/netlabel/netlabel_kapi.c | 6 ++++++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index 0bd10a1f477f..a23094b050f8 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1258,7 +1258,8 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
+ return ret_val;
+ }
+
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+
+ return 0;
+@@ -1439,7 +1440,8 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
+ return ret_val;
+ }
+
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+
+ return 0;
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index 221c81f85cbf..8d3f66c310db 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1047,7 +1047,8 @@ static int calipso_opt_getattr(const unsigned char *calipso,
+ goto getattr_return;
+ }
+
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+
+ secattr->type = NETLBL_NLTYPE_CALIPSO;
+diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
+index 409a3ae47ce2..5e1239cef000 100644
+--- a/net/netlabel/netlabel_kapi.c
++++ b/net/netlabel/netlabel_kapi.c
+@@ -734,6 +734,12 @@ int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
+ if ((off & (BITS_PER_LONG - 1)) != 0)
+ return -EINVAL;
+
++ /* a null catmap is equivalent to an empty one */
++ if (!catmap) {
++ *offset = (u32)-1;
++ return 0;
++ }
++
+ if (off < catmap->startbit) {
+ off = catmap->startbit;
+ *offset = off;
+-- +2.21.3 + + -- cgit
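Review bot: The NULL-catmap early return added to netlbl_catmap_getlong() in the embedded patch sets only `*offset = (u32)-1` before `return 0`, so any other output of the function (the signature is truncated in the hunk header) is left unwritten on that path, and callers are presumably expected to test the offset sentinel first; the one-line comment there does not say so. I would spell the contract out, e.g. `/* a null catmap is equivalent to an empty one: report end-of-map via *offset and write nothing else */`. The three parser sites (`cipso_v4_parsetag_rbm`, `cipso_v4_parsetag_rng`, `calipso_opt_getattr`) now skip `NETLBL_SECATTR_MLS_CAT` silently when `secattr->attr.mls.cat` is NULL, and a short comment such as `/* no catmap was allocated; do not advertise MLS_CAT */` would keep a later cleanup from removing the guard. All four function bodies start and end outside their hunks, so the remaining parameters and the callers are not visible here and should be checked against the tree.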