Change-Id: I131b272256524c589ca5a3189f6c29f20ca5372e
Reviewed-on: http://photon-jenkins.eng.vmware.com/979
Tested-by: jenkins-photon <wangnan2015@hotmail.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 | 4 |
Version: 4.4.8 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -22,6 +22,10 @@ Patch7: 03-poweroff.patch |
22 | 22 |
Patch8: 04-quiet-boot.patch |
23 | 23 |
Patch9: 05-pv-ops.patch |
24 | 24 |
Patch10: 06-sunrpc.patch |
25 |
+#fixes CVE-2016-3134 |
|
26 |
+Patch11: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch |
|
27 |
+#fixes CVE-2016-3135 |
|
28 |
+Patch12: netfilter-x_tables-check-for-size-overflow.patch |
|
25 | 29 |
BuildRequires: bc |
26 | 30 |
BuildRequires: kbd |
27 | 31 |
BuildRequires: kmod |
... | ... |
@@ -67,6 +71,8 @@ The Linux package contains the Linux kernel doc files |
67 | 67 |
%patch8 -p1 |
68 | 68 |
%patch9 -p1 |
69 | 69 |
%patch10 -p1 |
70 |
+%patch11 -p1 |
|
71 |
+%patch12 -p1 |
|
70 | 72 |
|
71 | 73 |
%build |
72 | 74 |
make mrproper |
... | ... |
@@ -132,6 +138,8 @@ ln -sf %{name}-%{version}-%{release}.cfg /boot/photon.cfg |
132 | 132 |
/usr/src/%{name}-headers-%{version}-%{release} |
133 | 133 |
|
134 | 134 |
%changelog |
135 |
+* Mon May 23 2016 Divya Thaluru <dthaluru@vmware.com> 4.4.8-2 |
|
136 |
+- Added patches to fix CVE-2016-3134, CVE-2016-3135 |
|
135 | 137 |
* Fri May 13 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.8-1 |
136 | 138 |
- Update to linux-4.4.8 |
137 | 139 |
- Added net-Drivers-Vmxnet3-set-... patch |
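Review bot: The `#fixes CVE-2016-3134` and `#fixes CVE-2016-3135` comments above Patch11 and Patch12 name the CVE but not where the patch text came from, and the same holds for Patch7 and Patch8 in the spec for `Name: linux`. The two patch files added in this commit carry a `[PATCH nf]` subject and an archive-obfuscated From address rather than a commit id, which suggests they were taken from a list posting and may differ from what was finally merged. I would extend each comment to record that, for example `#fixes CVE-2016-3134 (list posting of 2016-03-10; replace with the upstream commit and drop on the next kernel rebase)`. A maintainer can then tell when the carried patch is superseded.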
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 | 4 |
Version: 4.4.8 |
5 |
-Release: 2%{?dist} |
|
5 |
+Release: 3%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -18,6 +18,10 @@ Patch3: SUNRPC-Do-not-reuse-srcport-for-TIME_WAIT-socket.patch |
18 | 18 |
Patch4: 06-sunrpc.patch |
19 | 19 |
Patch5: vmware-log-kmsg-dump-on-panic.patch |
20 | 20 |
Patch6: net-Driver-Vmxnet3-set-CHECKSUM_UNNECESSARY-for-IPv6-packets.patch |
21 |
+#fixes CVE-2016-3134 |
|
22 |
+Patch7: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch |
|
23 |
+#fixes CVE-2016-3135 |
|
24 |
+Patch8: netfilter-x_tables-check-for-size-overflow.patch |
|
21 | 25 |
BuildRequires: bc |
22 | 26 |
BuildRequires: kbd |
23 | 27 |
BuildRequires: kmod |
... | ... |
@@ -80,6 +84,8 @@ Kernel driver for oprofile, a statistical profiler for Linux systems |
80 | 80 |
%patch4 -p1 |
81 | 81 |
%patch5 -p1 |
82 | 82 |
%patch6 -p1 |
83 |
+%patch7 -p1 |
|
84 |
+%patch8 -p1 |
|
83 | 85 |
|
84 | 86 |
%build |
85 | 87 |
make mrproper |
... | ... |
@@ -170,8 +176,10 @@ ln -sf %{name}-%{version}-%{release}.cfg /boot/photon.cfg |
170 | 170 |
/lib/modules/%{version}/kernel/arch/x86/oprofile/ |
171 | 171 |
|
172 | 172 |
%changelog |
173 |
-* Wed May 18 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.4.8-2 |
|
174 |
-- Enabled CONFIG_UPROBES in config as needed by ktap |
|
173 |
+* Mon May 23 2016 Divya Thaluru <dthaluru@vmware.com> 4.4.8-3 |
|
174 |
+- Added patches to fix CVE-2016-3134, CVE-2016-3135 |
|
175 |
+* Wed May 18 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.4.8-2 |
|
176 |
+- Enabled CONFIG_UPROBES in config as needed by ktap |
|
175 | 177 |
* Wed May 04 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.8-1 |
176 | 178 |
- Update to linux-4.4.8 |
177 | 179 |
- Added net-Drivers-Vmxnet3-set-... patch |
178 | 180 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,31 @@ |
0 |
+Subject: [PATCH nf] netfilter: x_tables: check for size overflow |
|
1 |
+From: Florian Westphal <fw () strlen ! de> |
|
2 |
+Date: 2016-03-10 0:56:23 |
|
3 |
+ |
|
4 |
+Ben Hawkes says: |
|
5 |
+ integer overflow in xt_alloc_table_info, which on 32-bit systems can |
|
6 |
+ lead to small structure allocation and a copy_from_user based heap |
|
7 |
+ corruption. |
|
8 |
+ |
|
9 |
+Reported-by: Ben Hawkes <hawkes@google.com> |
|
10 |
+Signed-off-by: Florian Westphal <fw@strlen.de> |
|
11 |
+--- |
|
12 |
+ net/netfilter/x_tables.c | 3 +++ |
|
13 |
+ 1 file changed, 3 insertions(+) |
|
14 |
+ |
|
15 |
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c |
|
16 |
+index c8a0b7d..17a9a9f 100644 |
|
17 |
+--- a/net/netfilter/x_tables.c |
|
18 |
+@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) |
|
19 |
+ struct xt_table_info *info = NULL; |
|
20 |
+ size_t sz = sizeof(*info) + size; |
|
21 |
+ |
|
22 |
++ if (sz < sizeof(*info)) |
|
23 |
++ return NULL; |
|
24 |
++ |
|
25 |
+ /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ |
|
26 |
+ if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) |
|
27 |
+ return NULL; |
|
28 |
+-- |
|
29 |
+2.4.10 |
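Review bot: The added `if (sz < sizeof(*info)) return NULL;` in xt_alloc_table_info has no comment saying that it is a wraparound guard for `sizeof(*info) + size` on builds where size_t is no wider than the `unsigned int` argument. I would put `/* sz wrapped: header + size does not fit in size_t (32-bit builds) */` above it. The totalram_pages test that follows still operates on `size` rather than `sz`. Whether `SMP_ALIGN(size)` can itself wrap for values near UINT_MAX depends on the macro, which is defined outside this hunk, so that is worth confirming. The rest of the function, presumably including the allocation sized by `sz`, is outside the hunk.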
0 | 30 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,150 @@ |
0 |
+Subject: [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values |
|
1 |
+From: Florian Westphal <fw () strlen ! de> |
|
2 |
+Date: 2016-03-10 0:56:02 |
|
3 |
+ |
|
4 |
+Ben Hawkes says: |
|
5 |
+ |
|
6 |
+ In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it |
|
7 |
+ is possible for a user-supplied ipt_entry structure to have a large |
|
8 |
+ next_offset field. This field is not bounds checked prior to writing a |
|
9 |
+ counter value at the supplied offset. |
|
10 |
+ |
|
11 |
+Problem is that xt_entry_foreach() macro stops iterating once e->next_offset |
|
12 |
+is out of bounds, assuming this is the last entry. |
|
13 |
+ |
|
14 |
+With malformed data thats not necessarily the case so we can |
|
15 |
+write outside of allocated area later as we might not have walked the |
|
16 |
+entire blob. |
|
17 |
+ |
|
18 |
+Fix this by simplifying mark_source_chains -- it already has to check |
|
19 |
+if nextoff is in range to catch invalid jumps, so just do the check |
|
20 |
+when we move to a next entry as well. |
|
21 |
+ |
|
22 |
+Signed-off-by: Florian Westphal <fw@strlen.de> |
|
23 |
+--- |
|
24 |
+ net/ipv4/netfilter/arp_tables.c | 16 ++++++++-------- |
|
25 |
+ net/ipv4/netfilter/ip_tables.c | 15 ++++++++------- |
|
26 |
+ net/ipv6/netfilter/ip6_tables.c | 13 ++++++------- |
|
27 |
+ 3 files changed, 22 insertions(+), 22 deletions(-) |
|
28 |
+ |
|
29 |
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c |
|
30 |
+index b488cac..5a0b591 100644 |
|
31 |
+--- a/net/ipv4/netfilter/arp_tables.c |
|
32 |
+@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, |
|
33 |
+ |
|
34 |
+ /* Move along one */ |
|
35 |
+ size = e->next_offset; |
|
36 |
++ |
|
37 |
++ if (pos + size > newinfo->size - sizeof(*e)) |
|
38 |
++ return 0; |
|
39 |
++ |
|
40 |
+ e = (struct arpt_entry *) |
|
41 |
+ (entry0 + pos + size); |
|
42 |
+ e->counters.pcnt = pos; |
|
43 |
+@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo, |
|
44 |
+ if (strcmp(t->target.u.user.name, |
|
45 |
+ XT_STANDARD_TARGET) == 0 && |
|
46 |
+ newpos >= 0) { |
|
47 |
+- if (newpos > newinfo->size - |
|
48 |
+- sizeof(struct arpt_entry)) { |
|
49 |
+- duprintf("mark_source_chains: " |
|
50 |
+- "bad verdict (%i)\n", |
|
51 |
+- newpos); |
|
52 |
+- return 0; |
|
53 |
+- } |
|
54 |
+- |
|
55 |
+ /* This a jump; chase it. */ |
|
56 |
+ duprintf("Jump rule %u -> %u\n", |
|
57 |
+ pos, newpos); |
|
58 |
+@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, |
|
59 |
+ /* ... this is a fallthru */ |
|
60 |
+ newpos = pos + e->next_offset; |
|
61 |
+ } |
|
62 |
++ |
|
63 |
++ if (newpos > newinfo->size - sizeof(*e)) |
|
64 |
++ return 0; |
|
65 |
++ |
|
66 |
+ e = (struct arpt_entry *) |
|
67 |
+ (entry0 + newpos); |
|
68 |
+ e->counters.pcnt = pos; |
|
69 |
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c |
|
70 |
+index b99affa..ceb995f 100644 |
|
71 |
+--- a/net/ipv4/netfilter/ip_tables.c |
|
72 |
+@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
73 |
+ |
|
74 |
+ /* Move along one */ |
|
75 |
+ size = e->next_offset; |
|
76 |
++ |
|
77 |
++ if (pos + size > newinfo->size - sizeof(*e)) |
|
78 |
++ return 0; |
|
79 |
++ |
|
80 |
+ e = (struct ipt_entry *) |
|
81 |
+ (entry0 + pos + size); |
|
82 |
+ e->counters.pcnt = pos; |
|
83 |
+@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
84 |
+ if (strcmp(t->target.u.user.name, |
|
85 |
+ XT_STANDARD_TARGET) == 0 && |
|
86 |
+ newpos >= 0) { |
|
87 |
+- if (newpos > newinfo->size - |
|
88 |
+- sizeof(struct ipt_entry)) { |
|
89 |
+- duprintf("mark_source_chains: " |
|
90 |
+- "bad verdict (%i)\n", |
|
91 |
+- newpos); |
|
92 |
+- return 0; |
|
93 |
+- } |
|
94 |
+ /* This a jump; chase it. */ |
|
95 |
+ duprintf("Jump rule %u -> %u\n", |
|
96 |
+ pos, newpos); |
|
97 |
+@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
98 |
+ /* ... this is a fallthru */ |
|
99 |
+ newpos = pos + e->next_offset; |
|
100 |
+ } |
|
101 |
++ |
|
102 |
++ if (newpos > newinfo->size - sizeof(*e)) |
|
103 |
++ return 0; |
|
104 |
++ |
|
105 |
+ e = (struct ipt_entry *) |
|
106 |
+ (entry0 + newpos); |
|
107 |
+ e->counters.pcnt = pos; |
|
108 |
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c |
|
109 |
+index 99425cf..d88a794 100644 |
|
110 |
+--- a/net/ipv6/netfilter/ip6_tables.c |
|
111 |
+@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
112 |
+ |
|
113 |
+ /* Move along one */ |
|
114 |
+ size = e->next_offset; |
|
115 |
++ if (pos + size > newinfo->size - sizeof(*e)) |
|
116 |
++ return 0; |
|
117 |
+ e = (struct ip6t_entry *) |
|
118 |
+ (entry0 + pos + size); |
|
119 |
+ e->counters.pcnt = pos; |
|
120 |
+@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
121 |
+ if (strcmp(t->target.u.user.name, |
|
122 |
+ XT_STANDARD_TARGET) == 0 && |
|
123 |
+ newpos >= 0) { |
|
124 |
+- if (newpos > newinfo->size - |
|
125 |
+- sizeof(struct ip6t_entry)) { |
|
126 |
+- duprintf("mark_source_chains: " |
|
127 |
+- "bad verdict (%i)\n", |
|
128 |
+- newpos); |
|
129 |
+- return 0; |
|
130 |
+- } |
|
131 |
+ /* This a jump; chase it. */ |
|
132 |
+ duprintf("Jump rule %u -> %u\n", |
|
133 |
+ pos, newpos); |
|
134 |
+@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
135 |
+ /* ... this is a fallthru */ |
|
136 |
+ newpos = pos + e->next_offset; |
|
137 |
+ } |
|
138 |
++ |
|
139 |
++ if (newpos > newinfo->size - sizeof(*e)) |
|
140 |
++ return 0; |
|
141 |
++ |
|
142 |
+ e = (struct ip6t_entry *) |
|
143 |
+ (entry0 + newpos); |
|
144 |
+ e->counters.pcnt = pos; |
|
145 |
+-- |
|
146 |
+2.4.10 |
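Review bot: The new bound `if (pos + size > newinfo->size - sizeof(*e))` in the "Move along one" path of mark_source_chains adds two offsets before comparing, and it appears in the same form in arp_tables.c, ip_tables.c and ip6_tables.c. If `pos` and `size` are 32-bit unsigned (their declarations are outside the hunks), a very large `e->next_offset` could wrap the sum and pass the test, and the right-hand side underflows if `newinfo->size` is smaller than one entry. Unless earlier validation already rules both out, comparing without the addition is safer: `if (newinfo->size < sizeof(*e) || size > newinfo->size - sizeof(*e) - pos) return 0;`, which assumes `pos` is the offset of an entry that was already accepted. The removed `duprintf("mark_source_chains: bad verdict ...")` has no replacement, so the later `if (newpos > newinfo->size - sizeof(*e)) return 0;` now rejects a ruleset without a debug message. The function body starts and ends outside these hunks.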