@@ -1,6 +1,6 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.9.78

+Version:	4.9.79

 Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

@@ -8,7 +8,7 @@ Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=57f67ae03ca89feed08302c2c47d1a385d727cc2

+%define sha1 linux=edbd6a3f738b304242a358bdae7872699401403d

 BuildArch:	noarch

 %description

 The Linux API Headers expose the kernel's API for use by Glibc.

@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1

+-   Update version to 4.9.79

 *   Fri Jan 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.78-1

 -   Update version to 4.9.78.

 *   Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-1

@@ -14431,7 +14431,7 @@ index d9d52c0..e38856d 100644

  extern struct hlist_nulls_head *nf_conntrack_hash;

 diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c

-index aa6d981..ed2389d 100644

+index 879ca84..d893396 100644

 --- a/kernel/bpf/core.c

 +++ b/kernel/bpf/core.c

 @@ -208,6 +208,8 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,

@@ -14468,7 +14468,7 @@ index aa6d981..ed2389d 100644

  	return hdr;

  }

-@@ -465,7 +480,7 @@ EXPORT_SYMBOL_GPL(__bpf_call_base);

+@@ -466,7 +481,7 @@ EXPORT_SYMBOL_GPL(__bpf_call_base);

   *

   * Decode and execute eBPF instructions.

   */

@@ -14477,15 +14477,27 @@ index aa6d981..ed2389d 100644

  {

  	u64 stack[MAX_BPF_STACK / sizeof(u64)];

  	u64 regs[MAX_BPF_REG], tmp;

-@@ -970,7 +985,7 @@ static int bpf_check_tail_call(const struct bpf_prog *fp)

-  */

+@@ -925,7 +940,7 @@ static unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn)

+ STACK_FRAME_NON_STANDARD(__bpf_prog_run); /* jump table */

+ 

+ #else

+-static unsigned int __bpf_prog_ret0(void *ctx, const struct bpf_insn *insn)

++static unsigned int __bpf_prog_ret0(const struct sk_buff *ctx, const struct bpf_insn *insn)

+ {

+ 	return 0;

+ }

+@@ -979,9 +994,9 @@ static int bpf_check_tail_call(const struct bpf_prog *fp)

  struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)

  {

+ #ifndef CONFIG_BPF_JIT_ALWAYS_ON

 -	fp->bpf_func = (void *) __bpf_prog_run;

 +	fp->bpf_func = __bpf_prog_run;

+ #else

+-	fp->bpf_func = (void *) __bpf_prog_ret0;

++	fp->bpf_func = __bpf_prog_ret0;

+ #endif

  	/* eBPF JITs can rewrite the program in case constant

- 	 * blinding is active. However, in case of error during

 diff --git a/kernel/events/core.c b/kernel/events/core.c

 index b1cfd74..b7608ec 100644

 --- a/kernel/events/core.c

deleted file mode 100644

@@ -1,110 +0,0 @@

-From 3b2d69114fefa474fca542e51119036dceb4aa6f Mon Sep 17 00:00:00 2001

-From: Seunghun Han <kkamagui@gmail.com>

-Date: Wed, 26 Apr 2017 16:18:08 +0800

-Subject: [PATCH] ACPICA: Namespace: fix operand cache leak

-

-ACPICA commit a23325b2e583556eae88ed3f764e457786bf4df6

-

-I found some ACPI operand cache leaks in ACPI early abort cases.

-

-Boot log of ACPI operand cache leak is as follows:

->[    0.174332] ACPI: Added _OSI(Module Device)

->[    0.175504] ACPI: Added _OSI(Processor Device)

->[    0.176010] ACPI: Added _OSI(3.0 _SCP Extensions)

->[    0.177032] ACPI: Added _OSI(Processor Aggregator Device)

->[    0.178284] ACPI: SCI (IRQ16705) allocation failed

->[    0.179352] ACPI Exception: AE_NOT_ACQUIRED, Unable to install

-System Control Interrupt handler (20160930/evevent-131)

->[    0.180008] ACPI: Unable to start the ACPI Interpreter

->[    0.181125] ACPI Error: Could not remove SCI handler

-(20160930/evmisc-281)

->[    0.184068] kmem_cache_destroy Acpi-Operand: Slab cache still has

-objects

->[    0.185358] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc3 #2

->[    0.186820] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS

-virtual_box 12/01/2006

->[    0.188000] Call Trace:

->[    0.188000]  ? dump_stack+0x5c/0x7d

->[    0.188000]  ? kmem_cache_destroy+0x224/0x230

->[    0.188000]  ? acpi_sleep_proc_init+0x22/0x22

->[    0.188000]  ? acpi_os_delete_cache+0xa/0xd

->[    0.188000]  ? acpi_ut_delete_caches+0x3f/0x7b

->[    0.188000]  ? acpi_terminate+0x5/0xf

->[    0.188000]  ? acpi_init+0x288/0x32e

->[    0.188000]  ? __class_create+0x4c/0x80

->[    0.188000]  ? video_setup+0x7a/0x7a

->[    0.188000]  ? do_one_initcall+0x4e/0x1b0

->[    0.188000]  ? kernel_init_freeable+0x194/0x21a

->[    0.188000]  ? rest_init+0x80/0x80

->[    0.188000]  ? kernel_init+0xa/0x100

->[    0.188000]  ? ret_from_fork+0x25/0x30

-

-When early abort is occurred due to invalid ACPI information, Linux kernel

-terminates ACPI by calling acpi_terminate() function. The function calls

-acpi_ns_terminate() function to delete namespace data and ACPI operand cache

-(acpi_gbl_module_code_list).

-

-But the deletion code in acpi_ns_terminate() function is wrapped in

-ACPI_EXEC_APP definition, therefore the code is only executed when the

-definition exists. If the define doesn't exist, ACPI operand cache

-(acpi_gbl_module_code_list) is leaked, and stack dump is shown in kernel log.

-

-This causes a security threat because the old kernel (<= 4.9) shows memory

-locations of kernel functions in stack dump, therefore kernel ASLR can be

-neutralized.

-

-To fix ACPI operand leak for enhancing security, I made a patch which

-removes the ACPI_EXEC_APP define in acpi_ns_terminate() function for

-executing the deletion code unconditionally.

-

-Link: https://github.com/acpica/acpica/commit/a23325b2

-Signed-off-by: Seunghun Han <kkamagui@gmail.com>

-Signed-off-by: Lv Zheng <lv.zheng@intel.com>

-Signed-off-by: Bob Moore <robert.moore@intel.com>

-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

- drivers/acpi/acpica/nsutils.c | 23 +++++++++--------------

- 1 file changed, 9 insertions(+), 14 deletions(-)

-

-diff --git a/drivers/acpi/acpica/nsutils.c b/drivers/acpi/acpica/nsutils.c

-index 6616767..b5a2914 100644

-+++ b/drivers/acpi/acpica/nsutils.c

-@@ -594,25 +594,20 @@ struct acpi_namespace_node *acpi_ns_validate_handle(acpi_handle handle)

- void acpi_ns_terminate(void)

- {

- 	acpi_status status;

-+	union acpi_operand_object *prev;

-+	union acpi_operand_object *next;

- 

- 	ACPI_FUNCTION_TRACE(ns_terminate);

- 

--#ifdef ACPI_EXEC_APP

--	{

--		union acpi_operand_object *prev;

--		union acpi_operand_object *next;

-+	/* Delete any module-level code blocks */

- 

--		/* Delete any module-level code blocks */

--

--		next = acpi_gbl_module_code_list;

--		while (next) {

--			prev = next;

--			next = next->method.mutex;

--			prev->method.mutex = NULL;	/* Clear the Mutex (cheated) field */

--			acpi_ut_remove_reference(prev);

--		}

-+	next = acpi_gbl_module_code_list;

-+	while (next) {

-+		prev = next;

-+		next = next->method.mutex;

-+		prev->method.mutex = NULL;	/* Clear the Mutex (cheated) field */

-+		acpi_ut_remove_reference(prev);

- 	}

--#endif

- 

- 	/*

- 	 * Free the entire namespace -- all nodes and all objects

-2.7.4

-

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-esx

-Version:        4.9.78

+Version:        4.9.79

 Release:        1%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:          System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=57f67ae03ca89feed08302c2c47d1a385d727cc2

+%define sha1 linux=edbd6a3f738b304242a358bdae7872699401403d

 Source1:        config-esx

 Source2:        initramfs.trigger

 # common

@@ -36,17 +36,11 @@ Patch19:        06-pv-ops-boot_clock.patch

 Patch20:        07-vmware-only.patch

 Patch21:        vmware-balloon-late-initcall.patch

 Patch22:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

-# Fix CVE-2017-11472

-Patch23:        ACPICA-Namespace-fix-operand-cache-leak.patch

 # Fix CVE-2017-1000252

 Patch24:        kvm-dont-accept-wrong-gsi-values.patch

 Patch25:        init-do_mounts-recreate-dev-root.patch

 # Fix CVE-2017-8824

 Patch26:        dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch

-# Fix CVE-2017-17448

-Patch27:        netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch

-# Fix CVE-2017-17450

-Patch28:        netfilter-xt_osf-Add-missing-permission-checks.patch

 Patch29:        revert-SMB-validate-negotiate-even-if-signing-off.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -125,12 +119,9 @@ The Linux package contains the Linux kernel doc files

 %patch20 -p1

 %patch21 -p1

 %patch22 -p1

-%patch23 -p1

 %patch24 -p1

 %patch25 -p1

 %patch26 -p1

-%patch27 -p1

-%patch28 -p1

 %patch29 -p1

 %patch52 -p1

@@ -246,6 +237,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1

+-   Update version to 4.9.79

 *   Fri Jan 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.78-1

 -   Update version to 4.9.78.

 *   Wed Jan 10 2018 Bo Gan <ganb@vmware.com> 4.9.76-1

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-secure

-Version:        4.9.78

+Version:        4.9.79

 Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:          System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=57f67ae03ca89feed08302c2c47d1a385d727cc2

+%define sha1 linux=edbd6a3f738b304242a358bdae7872699401403d

 Source1:        config-secure

 Source2:        aufs4.9.tar.gz

 %define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906

@@ -46,16 +46,10 @@ Patch26:        0014-hv_sock-introduce-Hyper-V-Sockets.patch

 Patch27:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

 Patch28:        0002-allow-also-ecb-cipher_null.patch

 Patch29:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

-# Fix CVE-2017-11472

-Patch30:        ACPICA-Namespace-fix-operand-cache-leak.patch

 # Fix CVE-2017-1000252

 Patch31:        kvm-dont-accept-wrong-gsi-values.patch

 # Fix CVE-2017-8824

 Patch32:        dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch

-# Fix CVE-2017-17448

-Patch33:        netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch

-# Fix CVE-2017-17450

-Patch34:        netfilter-xt_osf-Add-missing-permission-checks.patch

 Patch35:        revert-SMB-validate-negotiate-even-if-signing-off.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -179,11 +173,8 @@ EOF

 %patch27 -p1

 %patch28 -p1

 %patch29 -p1

-%patch30 -p1

 %patch31 -p1

 %patch32 -p1

-%patch33 -p1

-%patch34 -p1

 %patch35 -p1

 # spectre

@@ -335,6 +326,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1

+-   Update version to 4.9.79

 *   Fri Jan 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.78-1

 -   Update version to 4.9.78.

 *   Wed Jan 10 2018 Bo Gan <ganb@vmware.com> 4.9.76-1

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:        4.9.78

+Version:        4.9.79

 Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=57f67ae03ca89feed08302c2c47d1a385d727cc2

+%define sha1 linux=edbd6a3f738b304242a358bdae7872699401403d

 Source1:	config

 Source2:	initramfs.trigger

 %define ena_version 1.1.3

@@ -43,16 +43,10 @@ Patch23:        0014-hv_sock-introduce-Hyper-V-Sockets.patch

 Patch24:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

 Patch25:        0002-allow-also-ecb-cipher_null.patch

 Patch26:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

-# Fix CVE-2017-11472

-Patch27:        ACPICA-Namespace-fix-operand-cache-leak.patch

 # Fix CVE-2017-1000252

 Patch28:        kvm-dont-accept-wrong-gsi-values.patch

 # Fix CVE-2017-8824

 Patch29:        dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch

-# Fix CVE-2017-17448

-Patch30:        netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch

-# Fix CVE-2017-17450

-Patch31:        netfilter-xt_osf-Add-missing-permission-checks.patch

 Patch32:        revert-SMB-validate-negotiate-even-if-signing-off.patch

 # For Spectre

 Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch

@@ -169,11 +163,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch24 -p1

 %patch25 -p1

 %patch26 -p1

-%patch27 -p1

 %patch28 -p1

 %patch29 -p1

-%patch30 -p1

-%patch31 -p1

 %patch32 -p1

 %patch52 -p1

@@ -360,6 +351,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1

+-   Update version to 4.9.79

 *   Fri Jan 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.78-1

 -   Update version to 4.9.78.

 *   Wed Jan 10 2018 Bo Gan <ganb@vmware.com> 4.9.76-1

deleted file mode 100644

@@ -1,73 +0,0 @@

-commit 4b380c42f7d00a395feede754f0bc2292eebe6e5

-Author: Kevin Cernekee <cernekee@chromium.org>

-Date:   Sun Dec 3 12:12:45 2017 -0800

-

-    netfilter: nfnetlink_cthelper: Add missing permission checks

-    

-    The capability check in nfnetlink_rcv() verifies that the caller

-    has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.

-    However, nfnl_cthelper_list is shared by all net namespaces on the

-    system.  An unprivileged user can create user and net namespaces

-    in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()

-    check:

-    

-        $ nfct helper list

-        nfct v1.4.4: netlink error: Operation not permitted

-        $ vpnns -- nfct helper list

-        {

-                .name = ftp,

-                .queuenum = 0,

-                .l3protonum = 2,

-                .l4protonum = 6,

-                .priv_data_len = 24,

-                .status = enabled,

-        };

-    

-    Add capable() checks in nfnetlink_cthelper, as this is cleaner than

-    trying to generalize the solution.

-    

-    Signed-off-by: Kevin Cernekee <cernekee@chromium.org>

-    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

-

-diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c

-index 41628b3..d33ce6d 100644

-+++ b/net/netfilter/nfnetlink_cthelper.c

-@@ -17,6 +17,7 @@

- #include <linux/types.h>

- #include <linux/list.h>

- #include <linux/errno.h>

-+#include <linux/capability.h>

- #include <net/netlink.h>

- #include <net/sock.h>

- 

-@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,

- 	struct nfnl_cthelper *nlcth;

- 	int ret = 0;

- 

-+	if (!capable(CAP_NET_ADMIN))

-+		return -EPERM;

-+

- 	if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])

- 		return -EINVAL;

- 

-@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,

- 	struct nfnl_cthelper *nlcth;

- 	bool tuple_set = false;

- 

-+	if (!capable(CAP_NET_ADMIN))

-+		return -EPERM;

-+

- 	if (nlh->nlmsg_flags & NLM_F_DUMP) {

- 		struct netlink_dump_control c = {

- 			.dump = nfnl_cthelper_dump_table,

-@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,

- 	struct nfnl_cthelper *nlcth, *n;

- 	int j = 0, ret;

- 

-+	if (!capable(CAP_NET_ADMIN))

-+		return -EPERM;

-+

- 	if (tb[NFCTH_NAME])

- 		helper_name = nla_data(tb[NFCTH_NAME]);

- 

deleted file mode 100644

@@ -1,55 +0,0 @@

-commit 916a27901de01446bcf57ecca4783f6cff493309

-Author: Kevin Cernekee <cernekee@chromium.org>

-Date:   Tue Dec 5 15:42:41 2017 -0800

-

-    netfilter: xt_osf: Add missing permission checks

-    

-    The capability check in nfnetlink_rcv() verifies that the caller

-    has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.

-    However, xt_osf_fingers is shared by all net namespaces on the

-    system.  An unprivileged user can create user and net namespaces

-    in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()

-    check:

-    

-        vpnns -- nfnl_osf -f /tmp/pf.os

-    

-        vpnns -- nfnl_osf -f /tmp/pf.os -d

-    

-    These non-root operations successfully modify the systemwide OS

-    fingerprint list.  Add new capable() checks so that they can't.

-    

-    Signed-off-by: Kevin Cernekee <cernekee@chromium.org>

-    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

-

-diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c

-index 36e14b1..a34f314 100644

-+++ b/net/netfilter/xt_osf.c

-@@ -19,6 +19,7 @@

- #include <linux/module.h>

- #include <linux/kernel.h>

- 

-+#include <linux/capability.h>

- #include <linux/if.h>

- #include <linux/inetdevice.h>

- #include <linux/ip.h>

-@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,

- 	struct xt_osf_finger *kf = NULL, *sf;

- 	int err = 0;

- 

-+	if (!capable(CAP_NET_ADMIN))

-+		return -EPERM;

-+

- 	if (!osf_attrs[OSF_ATTR_FINGER])

- 		return -EINVAL;

- 

-@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,

- 	struct xt_osf_finger *sf;

- 	int err = -ENOENT;

- 

-+	if (!capable(CAP_NET_ADMIN))

-+		return -EPERM;

-+

- 	if (!osf_attrs[OSF_ATTR_FINGER])

- 		return -EINVAL;

-