Extras:
linux,linux-secure: do not panic on `modprobe tcrypt` in fips mode
linux-esx: add vclock capability to clocksource_vmware
Change-Id: I5ae7c581714f4c94890bc68e0404197d31f8c49f
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3462
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
@@ -11,7 +11,7 @@ diff --git a/arch/x86/kernel/cpu/vmware.c b/arch/x86/kernel/cpu/vmware.c |
11 | 11 |
index 70b8c4614e22..987ac571d16c 100644 |
12 | 12 |
--- a/arch/x86/kernel/cpu/vmware.c |
13 | 13 |
+++ b/arch/x86/kernel/cpu/vmware.c |
14 |
-@@ -155,6 +155,26 @@ static void __init vmware_cyc2ns_setup(void) |
|
14 |
+@@ -155,6 +155,27 @@ static void __init vmware_cyc2ns_setup(void) |
|
15 | 15 |
pr_info("using clock offset of %llu ns\n", d->cyc2ns_offset); |
16 | 16 |
} |
17 | 17 |
|
@@ -26,6 +26,7 @@ index 70b8c4614e22..987ac571d16c 100644 |
26 | 26 |
+ .rating = 400, |
27 | 27 |
+ .mask = CLOCKSOURCE_MASK(64), |
28 | 28 |
+ .flags = CLOCK_SOURCE_IS_CONTINUOUS, |
29 |
++ .archdata = { .vclock_mode = VCLOCK_TSC }, |
|
29 | 30 |
+}; |
30 | 31 |
+ |
31 | 32 |
+/* We want to use clocksource_vmware from the beginning to avoid drifting in |
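Review bot: Setting `.archdata = { .vclock_mode = VCLOCK_TSC }` on clocksource_vmware presumably lets the x86 vDSO read the TSC directly with rdtsc for clock_gettime() instead of falling back to the syscall, so the userspace and kernel paths only agree if this clocksource's read callback returns raw TSC cycles scaled with the same mult/shift that reaches the vsyscall data page; the `.read` member and the rest of the struct are outside this hunk, so I could not confirm that here. A one-line comment above the added line would make that dependency explicit, e.g. `/* vDSO reads the TSC directly; read() must return raw, unscaled TSC cycles */`. The existing comment at line 32 already explains why the clocksource is registered early and is the natural place to extend. The edit to the embedded hunk header (`+@@ -155,6 +155,27 @@`) looks consistent with the single added line.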
@@ -4501,8 +4501,8 @@ CONFIG_CRYPTO_GLUE_HELPER_X86=m |
4501 | 4501 |
# |
4502 | 4502 |
# Authenticated Encryption with Associated Data |
4503 | 4503 |
# |
4504 |
-# CONFIG_CRYPTO_CCM is not set |
|
4505 |
-# CONFIG_CRYPTO_GCM is not set |
|
4504 |
+CONFIG_CRYPTO_CCM=m |
|
4505 |
+CONFIG_CRYPTO_GCM=m |
|
4506 | 4506 |
# CONFIG_CRYPTO_CHACHA20POLY1305 is not set |
4507 | 4507 |
CONFIG_CRYPTO_SEQIV=m |
4508 | 4508 |
CONFIG_CRYPTO_ECHAINIV=m |
@@ -4536,7 +4536,7 @@ CONFIG_CRYPTO_CRC32C_INTEL=m |
4536 | 4536 |
# CONFIG_CRYPTO_CRC32_PCLMUL is not set |
4537 | 4537 |
CONFIG_CRYPTO_CRCT10DIF=y |
4538 | 4538 |
# CONFIG_CRYPTO_CRCT10DIF_PCLMUL is not set |
4539 |
-# CONFIG_CRYPTO_GHASH is not set |
|
4539 |
+CONFIG_CRYPTO_GHASH=m |
|
4540 | 4540 |
# CONFIG_CRYPTO_POLY1305 is not set |
4541 | 4541 |
# CONFIG_CRYPTO_POLY1305_X86_64 is not set |
4542 | 4542 |
CONFIG_CRYPTO_MD4=m |
@@ -4601,7 +4601,7 @@ CONFIG_CRYPTO_DES=m |
4601 | 4601 |
# Compression |
4602 | 4602 |
# |
4603 | 4603 |
CONFIG_CRYPTO_DEFLATE=m |
4604 |
-# CONFIG_CRYPTO_LZO is not set |
|
4604 |
+CONFIG_CRYPTO_LZO=m |
|
4605 | 4605 |
# CONFIG_CRYPTO_842 is not set |
4606 | 4606 |
# CONFIG_CRYPTO_LZ4 is not set |
4607 | 4607 |
# CONFIG_CRYPTO_LZ4HC is not set |
@@ -4437,8 +4437,8 @@ CONFIG_CRYPTO_GLUE_HELPER_X86=m |
4437 | 4437 |
# |
4438 | 4438 |
# Authenticated Encryption with Associated Data |
4439 | 4439 |
# |
4440 |
-# CONFIG_CRYPTO_CCM is not set |
|
4441 |
-# CONFIG_CRYPTO_GCM is not set |
|
4440 |
+CONFIG_CRYPTO_CCM=m |
|
4441 |
+CONFIG_CRYPTO_GCM=m |
|
4442 | 4442 |
# CONFIG_CRYPTO_CHACHA20POLY1305 is not set |
4443 | 4443 |
CONFIG_CRYPTO_SEQIV=m |
4444 | 4444 |
CONFIG_CRYPTO_ECHAINIV=m |
@@ -4472,7 +4472,7 @@ CONFIG_CRYPTO_CRC32C_INTEL=m |
4472 | 4472 |
# CONFIG_CRYPTO_CRC32_PCLMUL is not set |
4473 | 4473 |
CONFIG_CRYPTO_CRCT10DIF=y |
4474 | 4474 |
# CONFIG_CRYPTO_CRCT10DIF_PCLMUL is not set |
4475 |
-# CONFIG_CRYPTO_GHASH is not set |
|
4475 |
+CONFIG_CRYPTO_GHASH=m |
|
4476 | 4476 |
# CONFIG_CRYPTO_POLY1305 is not set |
4477 | 4477 |
# CONFIG_CRYPTO_POLY1305_X86_64 is not set |
4478 | 4478 |
CONFIG_CRYPTO_MD4=m |
@@ -4537,7 +4537,7 @@ CONFIG_CRYPTO_DES=m |
4537 | 4537 |
# Compression |
4538 | 4538 |
# |
4539 | 4539 |
CONFIG_CRYPTO_DEFLATE=m |
4540 |
-# CONFIG_CRYPTO_LZO is not set |
|
4540 |
+CONFIG_CRYPTO_LZO=m |
|
4541 | 4541 |
# CONFIG_CRYPTO_842 is not set |
4542 | 4542 |
# CONFIG_CRYPTO_LZ4 is not set |
4543 | 4543 |
# CONFIG_CRYPTO_LZ4HC is not set |
4544 | 4544 |
new file mode 100644 |
@@ -0,0 +1,51 @@ |
0 |
+From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Sabrina Dubroca <sd@queasysnail.net> |
|
2 |
+Date: Wed, 19 Jul 2017 22:28:55 +0200 |
|
3 |
+Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt |
|
4 |
+ |
|
5 |
+In some cases, offset can overflow and can cause an infinite loop in |
|
6 |
+ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and |
|
7 |
+cap it at IPV6_MAXPLEN, since packets larger than that should be invalid. |
|
8 |
+ |
|
9 |
+This problem has been here since before the beginning of git history. |
|
10 |
+ |
|
11 |
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> |
|
12 |
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> |
|
13 |
+Signed-off-by: David S. Miller <davem@davemloft.net> |
|
14 |
+--- |
|
15 |
+ net/ipv6/output_core.c | 8 ++++++-- |
|
16 |
+ 1 file changed, 6 insertions(+), 2 deletions(-) |
|
17 |
+ |
|
18 |
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c |
|
19 |
+index e9065b8d3af85..abb2c307fbe83 100644 |
|
20 |
+--- a/net/ipv6/output_core.c |
|
21 |
+@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident); |
|
22 |
+ |
|
23 |
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) |
|
24 |
+ { |
|
25 |
+- u16 offset = sizeof(struct ipv6hdr); |
|
26 |
++ unsigned int offset = sizeof(struct ipv6hdr); |
|
27 |
+ unsigned int packet_len = skb_tail_pointer(skb) - |
|
28 |
+ skb_network_header(skb); |
|
29 |
+ int found_rhdr = 0; |
|
30 |
+@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) |
|
31 |
+ |
|
32 |
+ while (offset <= packet_len) { |
|
33 |
+ struct ipv6_opt_hdr *exthdr; |
|
34 |
++ unsigned int len; |
|
35 |
+ |
|
36 |
+ switch (**nexthdr) { |
|
37 |
+ |
|
38 |
+@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) |
|
39 |
+ |
|
40 |
+ exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + |
|
41 |
+ offset); |
|
42 |
+- offset += ipv6_optlen(exthdr); |
|
43 |
++ len = ipv6_optlen(exthdr); |
|
44 |
++ if (len + offset >= IPV6_MAXPLEN) |
|
45 |
++ return -EINVAL; |
|
46 |
++ offset += len; |
|
47 |
+ *nexthdr = &exthdr->nexthdr; |
|
48 |
+ } |
|
49 |
+ |
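Review bot: The embedded diff in the new patch file appears to lack the `+++ b/net/ipv6/output_core.c` line: line 20 is `--- a/net/ipv6/output_core.c` and line 21 is already the first `@@` hunk header, whereas a git-generated diff carries both file-name lines. If this is not an artifact of the rendering, GNU patch may still recover the target path from the `diff --git` line, which would explain why the Tested-by build passed, but a unified diff without its `+++` line is fragile across patch and quilt versions. I would re-export the patch with `git format-patch` so the header reads `--- a/net/ipv6/output_core.c` followed by `+++ b/net/ipv6/output_core.c`. As far as I can tell the backported code itself (`unsigned int offset`, the `len + offset >= IPV6_MAXPLEN` guard returning `-EINVAL`) matches the upstream fix referenced as CVE-2017-7542 in the spec files.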
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 | 4 |
Version: 4.9.41 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
@@ -35,6 +35,8 @@ Patch18: 05-pv-ops-clocksource.patch |
35 | 35 |
Patch19: 06-pv-ops-boot_clock.patch |
36 | 36 |
Patch20: 07-vmware-only.patch |
37 | 37 |
Patch21: vmware-balloon-late-initcall.patch |
38 |
+# Fix CVE-2017-7542 |
|
39 |
+Patch22: ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch |
|
38 | 40 |
BuildRequires: bc |
39 | 41 |
BuildRequires: kbd |
40 | 42 |
BuildRequires: kmod-devel |
@@ -91,6 +93,7 @@ The Linux package contains the Linux kernel doc files |
91 | 91 |
%patch19 -p1 |
92 | 92 |
%patch20 -p1 |
93 | 93 |
%patch21 -p1 |
94 |
+%patch22 -p1 |
|
94 | 95 |
|
95 | 96 |
%build |
96 | 97 |
# patch vmw_balloon driver |
@@ -187,6 +190,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
187 | 187 |
/usr/src/linux-headers-%{uname_r} |
188 | 188 |
|
189 | 189 |
%changelog |
190 |
+* Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2 |
|
191 |
+- [bugfix] Do not fallback to syscall from VDSO on clock_gettime(MONOTONIC) |
|
192 |
+- Fix CVE-2017-7542 |
|
190 | 193 |
* Mon Aug 07 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-1 |
191 | 194 |
- Version update |
192 | 195 |
* Wed Jul 26 2017 Bo Gan <ganb@vmware.com> 4.9.38-3 |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 | 4 |
Version: 4.9.41 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
@@ -46,6 +46,8 @@ Patch26: 0014-hv_sock-introduce-Hyper-V-Sockets.patch |
46 | 46 |
#FIPS patches - allow some algorithms |
47 | 47 |
Patch27: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
48 | 48 |
Patch28: 0002-allow-also-ecb-cipher_null.patch |
49 |
+# Fix CVE-2017-7542 |
|
50 |
+Patch29: ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch |
|
49 | 51 |
# NSX requirements (should be removed) |
50 | 52 |
Patch99: LKCM.patch |
51 | 53 |
BuildRequires: bc |
@@ -140,6 +142,7 @@ EOF |
140 | 140 |
%patch26 -p1 |
141 | 141 |
%patch27 -p1 |
142 | 142 |
%patch28 -p1 |
143 |
+%patch29 -p1 |
|
143 | 144 |
|
144 | 145 |
pushd .. |
145 | 146 |
%patch99 -p0 |
@@ -255,6 +258,10 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
255 | 255 |
/usr/src/linux-headers-%{uname_r} |
256 | 256 |
|
257 | 257 |
%changelog |
258 |
+* Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2 |
|
259 |
+- Fix CVE-2017-7542 |
|
260 |
+- [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid |
|
261 |
+ panic on modprobe tcrypt |
|
258 | 262 |
* Mon Aug 07 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-1 |
259 | 263 |
- Version update |
260 | 264 |
* Fri Aug 04 2017 Bo Gan <ganb@vmware.com> 4.9.38-6 |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 | 4 |
Version: 4.9.41 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
@@ -43,6 +43,8 @@ Patch23: 0014-hv_sock-introduce-Hyper-V-Sockets.patch |
43 | 43 |
#FIPS patches - allow some algorithms |
44 | 44 |
Patch24: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
45 | 45 |
Patch25: 0002-allow-also-ecb-cipher_null.patch |
46 |
+# Fix CVE-2017-7542 |
|
47 |
+Patch26: ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch |
|
46 | 48 |
|
47 | 49 |
BuildRequires: bc |
48 | 50 |
BuildRequires: kbd |
@@ -136,6 +138,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
136 | 136 |
%patch23 -p1 |
137 | 137 |
%patch24 -p1 |
138 | 138 |
%patch25 -p1 |
139 |
+%patch26 -p1 |
|
139 | 140 |
|
140 | 141 |
%build |
141 | 142 |
make mrproper |
@@ -295,6 +298,10 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
295 | 295 |
/usr/share/doc/* |
296 | 296 |
|
297 | 297 |
%changelog |
298 |
+* Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2 |
|
299 |
+- Fix CVE-2017-7542 |
|
300 |
+- [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid |
|
301 |
+ panic on modprobe tcrypt |
|
298 | 302 |
* Mon Aug 07 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-1 |
299 | 303 |
- Version update |
300 | 304 |
* Fri Aug 04 2017 Bo Gan <ganb@vmware.com> 4.9.38-6 |