Change-Id: If43e03d0c781ae9598e8f2af9b7a56483611cf62
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4732
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
Summary: Linux API header files |
2 | 2 |
Name: linux-api-headers |
3 |
-Version: 4.9.78 |
|
3 |
+Version: 4.9.79 |
|
4 | 4 |
Release: 1%{?dist} |
5 | 5 |
License: GPLv2 |
6 | 6 |
URL: http://www.kernel.org/ |
... | ... |
@@ -8,7 +8,7 @@ Group: System Environment/Kernel |
8 | 8 |
Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
11 |
-%define sha1 linux=57f67ae03ca89feed08302c2c47d1a385d727cc2 |
|
11 |
+%define sha1 linux=edbd6a3f738b304242a358bdae7872699401403d |
|
12 | 12 |
BuildArch: noarch |
13 | 13 |
%description |
14 | 14 |
The Linux API Headers expose the kernel's API for use by Glibc. |
... | ... |
@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de |
25 | 25 |
%defattr(-,root,root) |
26 | 26 |
%{_includedir}/* |
27 | 27 |
%changelog |
28 |
+* Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1 |
|
29 |
+- Update version to 4.9.79 |
|
28 | 30 |
* Fri Jan 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.78-1 |
29 | 31 |
- Update version to 4.9.78. |
30 | 32 |
* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-1 |
... | ... |
@@ -14431,7 +14431,7 @@ index d9d52c0..e38856d 100644 |
14431 | 14431 |
|
14432 | 14432 |
extern struct hlist_nulls_head *nf_conntrack_hash; |
14433 | 14433 |
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c |
14434 |
-index aa6d981..ed2389d 100644 |
|
14434 |
+index 879ca84..d893396 100644 |
|
14435 | 14435 |
--- a/kernel/bpf/core.c |
14436 | 14436 |
+++ b/kernel/bpf/core.c |
14437 | 14437 |
@@ -208,6 +208,8 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off, |
... | ... |
@@ -14468,7 +14468,7 @@ index aa6d981..ed2389d 100644 |
14468 | 14468 |
return hdr; |
14469 | 14469 |
} |
14470 | 14470 |
|
14471 |
-@@ -465,7 +480,7 @@ EXPORT_SYMBOL_GPL(__bpf_call_base); |
|
14471 |
+@@ -466,7 +481,7 @@ EXPORT_SYMBOL_GPL(__bpf_call_base); |
|
14472 | 14472 |
* |
14473 | 14473 |
* Decode and execute eBPF instructions. |
14474 | 14474 |
*/ |
... | ... |
@@ -14477,15 +14477,27 @@ index aa6d981..ed2389d 100644 |
14477 | 14477 |
{ |
14478 | 14478 |
u64 stack[MAX_BPF_STACK / sizeof(u64)]; |
14479 | 14479 |
u64 regs[MAX_BPF_REG], tmp; |
14480 |
-@@ -970,7 +985,7 @@ static int bpf_check_tail_call(const struct bpf_prog *fp) |
|
14481 |
- */ |
|
14480 |
+@@ -925,7 +940,7 @@ static unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn) |
|
14481 |
+ STACK_FRAME_NON_STANDARD(__bpf_prog_run); /* jump table */ |
|
14482 |
+ |
|
14483 |
+ #else |
|
14484 |
+-static unsigned int __bpf_prog_ret0(void *ctx, const struct bpf_insn *insn) |
|
14485 |
++static unsigned int __bpf_prog_ret0(const struct sk_buff *ctx, const struct bpf_insn *insn) |
|
14486 |
+ { |
|
14487 |
+ return 0; |
|
14488 |
+ } |
|
14489 |
+@@ -979,9 +994,9 @@ static int bpf_check_tail_call(const struct bpf_prog *fp) |
|
14482 | 14490 |
struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err) |
14483 | 14491 |
{ |
14492 |
+ #ifndef CONFIG_BPF_JIT_ALWAYS_ON |
|
14484 | 14493 |
- fp->bpf_func = (void *) __bpf_prog_run; |
14485 | 14494 |
+ fp->bpf_func = __bpf_prog_run; |
14495 |
+ #else |
|
14496 |
+- fp->bpf_func = (void *) __bpf_prog_ret0; |
|
14497 |
++ fp->bpf_func = __bpf_prog_ret0; |
|
14498 |
+ #endif |
|
14486 | 14499 |
|
14487 | 14500 |
/* eBPF JITs can rewrite the program in case constant |
14488 |
- * blinding is active. However, in case of error during |
|
14489 | 14501 |
diff --git a/kernel/events/core.c b/kernel/events/core.c |
14490 | 14502 |
index b1cfd74..b7608ec 100644 |
14491 | 14503 |
--- a/kernel/events/core.c |
14492 | 14504 |
deleted file mode 100644 |
... | ... |
@@ -1,110 +0,0 @@ |
1 |
-From 3b2d69114fefa474fca542e51119036dceb4aa6f Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Seunghun Han <kkamagui@gmail.com> |
|
3 |
-Date: Wed, 26 Apr 2017 16:18:08 +0800 |
|
4 |
-Subject: [PATCH] ACPICA: Namespace: fix operand cache leak |
|
5 |
- |
|
6 |
-ACPICA commit a23325b2e583556eae88ed3f764e457786bf4df6 |
|
7 |
- |
|
8 |
-I found some ACPI operand cache leaks in ACPI early abort cases. |
|
9 |
- |
|
10 |
-Boot log of ACPI operand cache leak is as follows: |
|
11 |
->[ 0.174332] ACPI: Added _OSI(Module Device) |
|
12 |
->[ 0.175504] ACPI: Added _OSI(Processor Device) |
|
13 |
->[ 0.176010] ACPI: Added _OSI(3.0 _SCP Extensions) |
|
14 |
->[ 0.177032] ACPI: Added _OSI(Processor Aggregator Device) |
|
15 |
->[ 0.178284] ACPI: SCI (IRQ16705) allocation failed |
|
16 |
->[ 0.179352] ACPI Exception: AE_NOT_ACQUIRED, Unable to install |
|
17 |
-System Control Interrupt handler (20160930/evevent-131) |
|
18 |
->[ 0.180008] ACPI: Unable to start the ACPI Interpreter |
|
19 |
->[ 0.181125] ACPI Error: Could not remove SCI handler |
|
20 |
-(20160930/evmisc-281) |
|
21 |
->[ 0.184068] kmem_cache_destroy Acpi-Operand: Slab cache still has |
|
22 |
-objects |
|
23 |
->[ 0.185358] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc3 #2 |
|
24 |
->[ 0.186820] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS |
|
25 |
-virtual_box 12/01/2006 |
|
26 |
->[ 0.188000] Call Trace: |
|
27 |
->[ 0.188000] ? dump_stack+0x5c/0x7d |
|
28 |
->[ 0.188000] ? kmem_cache_destroy+0x224/0x230 |
|
29 |
->[ 0.188000] ? acpi_sleep_proc_init+0x22/0x22 |
|
30 |
->[ 0.188000] ? acpi_os_delete_cache+0xa/0xd |
|
31 |
->[ 0.188000] ? acpi_ut_delete_caches+0x3f/0x7b |
|
32 |
->[ 0.188000] ? acpi_terminate+0x5/0xf |
|
33 |
->[ 0.188000] ? acpi_init+0x288/0x32e |
|
34 |
->[ 0.188000] ? __class_create+0x4c/0x80 |
|
35 |
->[ 0.188000] ? video_setup+0x7a/0x7a |
|
36 |
->[ 0.188000] ? do_one_initcall+0x4e/0x1b0 |
|
37 |
->[ 0.188000] ? kernel_init_freeable+0x194/0x21a |
|
38 |
->[ 0.188000] ? rest_init+0x80/0x80 |
|
39 |
->[ 0.188000] ? kernel_init+0xa/0x100 |
|
40 |
->[ 0.188000] ? ret_from_fork+0x25/0x30 |
|
41 |
- |
|
42 |
-When early abort is occurred due to invalid ACPI information, Linux kernel |
|
43 |
-terminates ACPI by calling acpi_terminate() function. The function calls |
|
44 |
-acpi_ns_terminate() function to delete namespace data and ACPI operand cache |
|
45 |
-(acpi_gbl_module_code_list). |
|
46 |
- |
|
47 |
-But the deletion code in acpi_ns_terminate() function is wrapped in |
|
48 |
-ACPI_EXEC_APP definition, therefore the code is only executed when the |
|
49 |
-definition exists. If the define doesn't exist, ACPI operand cache |
|
50 |
-(acpi_gbl_module_code_list) is leaked, and stack dump is shown in kernel log. |
|
51 |
- |
|
52 |
-This causes a security threat because the old kernel (<= 4.9) shows memory |
|
53 |
-locations of kernel functions in stack dump, therefore kernel ASLR can be |
|
54 |
-neutralized. |
|
55 |
- |
|
56 |
-To fix ACPI operand leak for enhancing security, I made a patch which |
|
57 |
-removes the ACPI_EXEC_APP define in acpi_ns_terminate() function for |
|
58 |
-executing the deletion code unconditionally. |
|
59 |
- |
|
60 |
-Link: https://github.com/acpica/acpica/commit/a23325b2 |
|
61 |
-Signed-off-by: Seunghun Han <kkamagui@gmail.com> |
|
62 |
-Signed-off-by: Lv Zheng <lv.zheng@intel.com> |
|
63 |
-Signed-off-by: Bob Moore <robert.moore@intel.com> |
|
64 |
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> |
|
65 |
- drivers/acpi/acpica/nsutils.c | 23 +++++++++-------------- |
|
66 |
- 1 file changed, 9 insertions(+), 14 deletions(-) |
|
67 |
- |
|
68 |
-diff --git a/drivers/acpi/acpica/nsutils.c b/drivers/acpi/acpica/nsutils.c |
|
69 |
-index 6616767..b5a2914 100644 |
|
70 |
-+++ b/drivers/acpi/acpica/nsutils.c |
|
71 |
-@@ -594,25 +594,20 @@ struct acpi_namespace_node *acpi_ns_validate_handle(acpi_handle handle) |
|
72 |
- void acpi_ns_terminate(void) |
|
73 |
- { |
|
74 |
- acpi_status status; |
|
75 |
-+ union acpi_operand_object *prev; |
|
76 |
-+ union acpi_operand_object *next; |
|
77 |
- |
|
78 |
- ACPI_FUNCTION_TRACE(ns_terminate); |
|
79 |
- |
|
80 |
--#ifdef ACPI_EXEC_APP |
|
81 |
-- { |
|
82 |
-- union acpi_operand_object *prev; |
|
83 |
-- union acpi_operand_object *next; |
|
84 |
-+ /* Delete any module-level code blocks */ |
|
85 |
- |
|
86 |
-- /* Delete any module-level code blocks */ |
|
87 |
-- |
|
88 |
-- next = acpi_gbl_module_code_list; |
|
89 |
-- while (next) { |
|
90 |
-- prev = next; |
|
91 |
-- next = next->method.mutex; |
|
92 |
-- prev->method.mutex = NULL; /* Clear the Mutex (cheated) field */ |
|
93 |
-- acpi_ut_remove_reference(prev); |
|
94 |
-- } |
|
95 |
-+ next = acpi_gbl_module_code_list; |
|
96 |
-+ while (next) { |
|
97 |
-+ prev = next; |
|
98 |
-+ next = next->method.mutex; |
|
99 |
-+ prev->method.mutex = NULL; /* Clear the Mutex (cheated) field */ |
|
100 |
-+ acpi_ut_remove_reference(prev); |
|
101 |
- } |
|
102 |
--#endif |
|
103 |
- |
|
104 |
- /* |
|
105 |
- * Free the entire namespace -- all nodes and all objects |
|
106 |
-2.7.4 |
|
107 |
- |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 |
-Version: 4.9.78 |
|
4 |
+Version: 4.9.79 |
|
5 | 5 |
Release: 1%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=57f67ae03ca89feed08302c2c47d1a385d727cc2 |
|
12 |
+%define sha1 linux=edbd6a3f738b304242a358bdae7872699401403d |
|
13 | 13 |
Source1: config-esx |
14 | 14 |
Source2: initramfs.trigger |
15 | 15 |
# common |
... | ... |
@@ -36,17 +36,11 @@ Patch19: 06-pv-ops-boot_clock.patch |
36 | 36 |
Patch20: 07-vmware-only.patch |
37 | 37 |
Patch21: vmware-balloon-late-initcall.patch |
38 | 38 |
Patch22: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
39 |
-# Fix CVE-2017-11472 |
|
40 |
-Patch23: ACPICA-Namespace-fix-operand-cache-leak.patch |
|
41 | 39 |
# Fix CVE-2017-1000252 |
42 | 40 |
Patch24: kvm-dont-accept-wrong-gsi-values.patch |
43 | 41 |
Patch25: init-do_mounts-recreate-dev-root.patch |
44 | 42 |
# Fix CVE-2017-8824 |
45 | 43 |
Patch26: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
46 |
-# Fix CVE-2017-17448 |
|
47 |
-Patch27: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
|
48 |
-# Fix CVE-2017-17450 |
|
49 |
-Patch28: netfilter-xt_osf-Add-missing-permission-checks.patch |
|
50 | 44 |
Patch29: revert-SMB-validate-negotiate-even-if-signing-off.patch |
51 | 45 |
# For Spectre |
52 | 46 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
... | ... |
@@ -125,12 +119,9 @@ The Linux package contains the Linux kernel doc files |
125 | 125 |
%patch20 -p1 |
126 | 126 |
%patch21 -p1 |
127 | 127 |
%patch22 -p1 |
128 |
-%patch23 -p1 |
|
129 | 128 |
%patch24 -p1 |
130 | 129 |
%patch25 -p1 |
131 | 130 |
%patch26 -p1 |
132 |
-%patch27 -p1 |
|
133 |
-%patch28 -p1 |
|
134 | 131 |
%patch29 -p1 |
135 | 132 |
|
136 | 133 |
%patch52 -p1 |
... | ... |
@@ -246,6 +237,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
246 | 246 |
/usr/src/linux-headers-%{uname_r} |
247 | 247 |
|
248 | 248 |
%changelog |
249 |
+* Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1 |
|
250 |
+- Update version to 4.9.79 |
|
249 | 251 |
* Fri Jan 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.78-1 |
250 | 252 |
- Update version to 4.9.78. |
251 | 253 |
* Wed Jan 10 2018 Bo Gan <ganb@vmware.com> 4.9.76-1 |
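Review bot: Nothing in the hunk or in the new changelog entry records why the local fixes for CVE-2017-11472, CVE-2017-17448 and CVE-2017-17450 (Patch23, Patch27, Patch28 and their `%patch` lines) can be dropped, so a later reader of the spec cannot tell whether coverage was lost or superseded by the 4.9.79 update. Presumably the three upstream commits were backported into 4.9.79 stable and the patches no longer apply; that should be confirmed against the 4.9.79 stable changelog and then stated in the entry, e.g. `- Update version to 4.9.79 (upstream now carries the CVE-2017-11472, CVE-2017-17448 and CVE-2017-17450 fixes; drop local patches)`. Removing the `# Fix CVE-...` comments also removes the only CVE-to-patch mapping in the spec, so the changelog line becomes the sole record. The same applies to the matching hunks in linux-secure.spec (Patch30/33/34) and linux.spec (Patch27/30/31).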
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 |
-Version: 4.9.78 |
|
4 |
+Version: 4.9.79 |
|
5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=57f67ae03ca89feed08302c2c47d1a385d727cc2 |
|
12 |
+%define sha1 linux=edbd6a3f738b304242a358bdae7872699401403d |
|
13 | 13 |
Source1: config-secure |
14 | 14 |
Source2: aufs4.9.tar.gz |
15 | 15 |
%define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906 |
... | ... |
@@ -46,16 +46,10 @@ Patch26: 0014-hv_sock-introduce-Hyper-V-Sockets.patch |
46 | 46 |
Patch27: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
47 | 47 |
Patch28: 0002-allow-also-ecb-cipher_null.patch |
48 | 48 |
Patch29: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
49 |
-# Fix CVE-2017-11472 |
|
50 |
-Patch30: ACPICA-Namespace-fix-operand-cache-leak.patch |
|
51 | 49 |
# Fix CVE-2017-1000252 |
52 | 50 |
Patch31: kvm-dont-accept-wrong-gsi-values.patch |
53 | 51 |
# Fix CVE-2017-8824 |
54 | 52 |
Patch32: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
55 |
-# Fix CVE-2017-17448 |
|
56 |
-Patch33: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
|
57 |
-# Fix CVE-2017-17450 |
|
58 |
-Patch34: netfilter-xt_osf-Add-missing-permission-checks.patch |
|
59 | 53 |
Patch35: revert-SMB-validate-negotiate-even-if-signing-off.patch |
60 | 54 |
# For Spectre |
61 | 55 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
... | ... |
@@ -179,11 +173,8 @@ EOF |
179 | 179 |
%patch27 -p1 |
180 | 180 |
%patch28 -p1 |
181 | 181 |
%patch29 -p1 |
182 |
-%patch30 -p1 |
|
183 | 182 |
%patch31 -p1 |
184 | 183 |
%patch32 -p1 |
185 |
-%patch33 -p1 |
|
186 |
-%patch34 -p1 |
|
187 | 184 |
%patch35 -p1 |
188 | 185 |
|
189 | 186 |
# spectre |
... | ... |
@@ -335,6 +326,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
335 | 335 |
/usr/src/linux-headers-%{uname_r} |
336 | 336 |
|
337 | 337 |
%changelog |
338 |
+* Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1 |
|
339 |
+- Update version to 4.9.79 |
|
338 | 340 |
* Fri Jan 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.78-1 |
339 | 341 |
- Update version to 4.9.78. |
340 | 342 |
* Wed Jan 10 2018 Bo Gan <ganb@vmware.com> 4.9.76-1 |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 |
-Version: 4.9.78 |
|
4 |
+Version: 4.9.79 |
|
5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=57f67ae03ca89feed08302c2c47d1a385d727cc2 |
|
12 |
+%define sha1 linux=edbd6a3f738b304242a358bdae7872699401403d |
|
13 | 13 |
Source1: config |
14 | 14 |
Source2: initramfs.trigger |
15 | 15 |
%define ena_version 1.1.3 |
... | ... |
@@ -43,16 +43,10 @@ Patch23: 0014-hv_sock-introduce-Hyper-V-Sockets.patch |
43 | 43 |
Patch24: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
44 | 44 |
Patch25: 0002-allow-also-ecb-cipher_null.patch |
45 | 45 |
Patch26: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
46 |
-# Fix CVE-2017-11472 |
|
47 |
-Patch27: ACPICA-Namespace-fix-operand-cache-leak.patch |
|
48 | 46 |
# Fix CVE-2017-1000252 |
49 | 47 |
Patch28: kvm-dont-accept-wrong-gsi-values.patch |
50 | 48 |
# Fix CVE-2017-8824 |
51 | 49 |
Patch29: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
52 |
-# Fix CVE-2017-17448 |
|
53 |
-Patch30: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
|
54 |
-# Fix CVE-2017-17450 |
|
55 |
-Patch31: netfilter-xt_osf-Add-missing-permission-checks.patch |
|
56 | 50 |
Patch32: revert-SMB-validate-negotiate-even-if-signing-off.patch |
57 | 51 |
# For Spectre |
58 | 52 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
... | ... |
@@ -169,11 +163,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
169 | 169 |
%patch24 -p1 |
170 | 170 |
%patch25 -p1 |
171 | 171 |
%patch26 -p1 |
172 |
-%patch27 -p1 |
|
173 | 172 |
%patch28 -p1 |
174 | 173 |
%patch29 -p1 |
175 |
-%patch30 -p1 |
|
176 |
-%patch31 -p1 |
|
177 | 174 |
%patch32 -p1 |
178 | 175 |
|
179 | 176 |
%patch52 -p1 |
... | ... |
@@ -360,6 +351,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
360 | 360 |
/usr/share/doc/* |
361 | 361 |
|
362 | 362 |
%changelog |
363 |
+* Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1 |
|
364 |
+- Update version to 4.9.79 |
|
363 | 365 |
* Fri Jan 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.78-1 |
364 | 366 |
- Update version to 4.9.78. |
365 | 367 |
* Wed Jan 10 2018 Bo Gan <ganb@vmware.com> 4.9.76-1 |
366 | 368 |
deleted file mode 100644 |
... | ... |
@@ -1,73 +0,0 @@ |
1 |
-commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 |
|
2 |
-Author: Kevin Cernekee <cernekee@chromium.org> |
|
3 |
-Date: Sun Dec 3 12:12:45 2017 -0800 |
|
4 |
- |
|
5 |
- netfilter: nfnetlink_cthelper: Add missing permission checks |
|
6 |
- |
|
7 |
- The capability check in nfnetlink_rcv() verifies that the caller |
|
8 |
- has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. |
|
9 |
- However, nfnl_cthelper_list is shared by all net namespaces on the |
|
10 |
- system. An unprivileged user can create user and net namespaces |
|
11 |
- in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() |
|
12 |
- check: |
|
13 |
- |
|
14 |
- $ nfct helper list |
|
15 |
- nfct v1.4.4: netlink error: Operation not permitted |
|
16 |
- $ vpnns -- nfct helper list |
|
17 |
- { |
|
18 |
- .name = ftp, |
|
19 |
- .queuenum = 0, |
|
20 |
- .l3protonum = 2, |
|
21 |
- .l4protonum = 6, |
|
22 |
- .priv_data_len = 24, |
|
23 |
- .status = enabled, |
|
24 |
- }; |
|
25 |
- |
|
26 |
- Add capable() checks in nfnetlink_cthelper, as this is cleaner than |
|
27 |
- trying to generalize the solution. |
|
28 |
- |
|
29 |
- Signed-off-by: Kevin Cernekee <cernekee@chromium.org> |
|
30 |
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
|
31 |
- |
|
32 |
-diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c |
|
33 |
-index 41628b3..d33ce6d 100644 |
|
34 |
-+++ b/net/netfilter/nfnetlink_cthelper.c |
|
35 |
-@@ -17,6 +17,7 @@ |
|
36 |
- #include <linux/types.h> |
|
37 |
- #include <linux/list.h> |
|
38 |
- #include <linux/errno.h> |
|
39 |
-+#include <linux/capability.h> |
|
40 |
- #include <net/netlink.h> |
|
41 |
- #include <net/sock.h> |
|
42 |
- |
|
43 |
-@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl, |
|
44 |
- struct nfnl_cthelper *nlcth; |
|
45 |
- int ret = 0; |
|
46 |
- |
|
47 |
-+ if (!capable(CAP_NET_ADMIN)) |
|
48 |
-+ return -EPERM; |
|
49 |
-+ |
|
50 |
- if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) |
|
51 |
- return -EINVAL; |
|
52 |
- |
|
53 |
-@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl, |
|
54 |
- struct nfnl_cthelper *nlcth; |
|
55 |
- bool tuple_set = false; |
|
56 |
- |
|
57 |
-+ if (!capable(CAP_NET_ADMIN)) |
|
58 |
-+ return -EPERM; |
|
59 |
-+ |
|
60 |
- if (nlh->nlmsg_flags & NLM_F_DUMP) { |
|
61 |
- struct netlink_dump_control c = { |
|
62 |
- .dump = nfnl_cthelper_dump_table, |
|
63 |
-@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl, |
|
64 |
- struct nfnl_cthelper *nlcth, *n; |
|
65 |
- int j = 0, ret; |
|
66 |
- |
|
67 |
-+ if (!capable(CAP_NET_ADMIN)) |
|
68 |
-+ return -EPERM; |
|
69 |
-+ |
|
70 |
- if (tb[NFCTH_NAME]) |
|
71 |
- helper_name = nla_data(tb[NFCTH_NAME]); |
|
72 |
- |
73 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,55 +0,0 @@ |
1 |
-commit 916a27901de01446bcf57ecca4783f6cff493309 |
|
2 |
-Author: Kevin Cernekee <cernekee@chromium.org> |
|
3 |
-Date: Tue Dec 5 15:42:41 2017 -0800 |
|
4 |
- |
|
5 |
- netfilter: xt_osf: Add missing permission checks |
|
6 |
- |
|
7 |
- The capability check in nfnetlink_rcv() verifies that the caller |
|
8 |
- has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. |
|
9 |
- However, xt_osf_fingers is shared by all net namespaces on the |
|
10 |
- system. An unprivileged user can create user and net namespaces |
|
11 |
- in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() |
|
12 |
- check: |
|
13 |
- |
|
14 |
- vpnns -- nfnl_osf -f /tmp/pf.os |
|
15 |
- |
|
16 |
- vpnns -- nfnl_osf -f /tmp/pf.os -d |
|
17 |
- |
|
18 |
- These non-root operations successfully modify the systemwide OS |
|
19 |
- fingerprint list. Add new capable() checks so that they can't. |
|
20 |
- |
|
21 |
- Signed-off-by: Kevin Cernekee <cernekee@chromium.org> |
|
22 |
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
|
23 |
- |
|
24 |
-diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c |
|
25 |
-index 36e14b1..a34f314 100644 |
|
26 |
-+++ b/net/netfilter/xt_osf.c |
|
27 |
-@@ -19,6 +19,7 @@ |
|
28 |
- #include <linux/module.h> |
|
29 |
- #include <linux/kernel.h> |
|
30 |
- |
|
31 |
-+#include <linux/capability.h> |
|
32 |
- #include <linux/if.h> |
|
33 |
- #include <linux/inetdevice.h> |
|
34 |
- #include <linux/ip.h> |
|
35 |
-@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl, |
|
36 |
- struct xt_osf_finger *kf = NULL, *sf; |
|
37 |
- int err = 0; |
|
38 |
- |
|
39 |
-+ if (!capable(CAP_NET_ADMIN)) |
|
40 |
-+ return -EPERM; |
|
41 |
-+ |
|
42 |
- if (!osf_attrs[OSF_ATTR_FINGER]) |
|
43 |
- return -EINVAL; |
|
44 |
- |
|
45 |
-@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl, |
|
46 |
- struct xt_osf_finger *sf; |
|
47 |
- int err = -ENOENT; |
|
48 |
- |
|
49 |
-+ if (!capable(CAP_NET_ADMIN)) |
|
50 |
-+ return -EPERM; |
|
51 |
-+ |
|
52 |
- if (!osf_attrs[OSF_ATTR_FINGER]) |
|
53 |
- return -EINVAL; |
|
54 |
- |