Browse code
Added security fix for linux package (CVE-2016-3134, CVE-2016-3135)
Change-Id: I131b272256524c589ca5a3189f6c29f20ca5372e
Reviewed-on: http://photon-jenkins.eng.vmware.com/979
Tested-by: jenkins-photon <wangnan2015@hotmail.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
dthaluru authored on 2016/05/24 09:24:43Showing 4 changed files
- SPECS/linux/linux-esx.spec
- SPECS/linux/linux.spec
- SPECS/linux/netfilter-x_tables-check-for-size-overflow.patch
- SPECS/linux/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-esx |
| 4 | 4 |
Version: 4.4.8 |
| 5 |
-Release: 1%{?dist}
|
|
| 5 |
+Release: 2%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -22,6 +22,10 @@ Patch7: 03-poweroff.patch |
| 22 | 22 |
Patch8: 04-quiet-boot.patch |
| 23 | 23 |
Patch9: 05-pv-ops.patch |
| 24 | 24 |
Patch10: 06-sunrpc.patch |
| 25 |
+#fixes CVE-2016-3134 |
|
| 26 |
+Patch11: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch |
|
| 27 |
+#fixes CVE-2016-3135 |
|
| 28 |
+Patch12: netfilter-x_tables-check-for-size-overflow.patch |
|
| 25 | 29 |
BuildRequires: bc |
| 26 | 30 |
BuildRequires: kbd |
| 27 | 31 |
BuildRequires: kmod |
| ... | ... |
@@ -67,6 +71,8 @@ The Linux package contains the Linux kernel doc files |
| 67 | 67 |
%patch8 -p1 |
| 68 | 68 |
%patch9 -p1 |
| 69 | 69 |
%patch10 -p1 |
| 70 |
+%patch11 -p1 |
|
| 71 |
+%patch12 -p1 |
|
| 70 | 72 |
|
| 71 | 73 |
%build |
| 72 | 74 |
make mrproper |
| ... | ... |
@@ -132,6 +138,8 @@ ln -sf %{name}-%{version}-%{release}.cfg /boot/photon.cfg
|
| 132 | 132 |
/usr/src/%{name}-headers-%{version}-%{release}
|
| 133 | 133 |
|
| 134 | 134 |
%changelog |
| 135 |
+* Mon May 23 2016 Divya Thaluru <dthaluru@vmware.com> 4.4.8-2 |
|
| 136 |
+- Added patches to fix CVE-2016-3134, CVE-2016-3135 |
|
| 135 | 137 |
* Fri May 13 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.8-1 |
| 136 | 138 |
- Update to linux-4.4.8 |
| 137 | 139 |
- Added net-Drivers-Vmxnet3-set-... patch |
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux |
| 4 | 4 |
Version: 4.4.8 |
| 5 |
-Release: 2%{?dist}
|
|
| 5 |
+Release: 3%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -18,6 +18,10 @@ Patch3: SUNRPC-Do-not-reuse-srcport-for-TIME_WAIT-socket.patch |
| 18 | 18 |
Patch4: 06-sunrpc.patch |
| 19 | 19 |
Patch5: vmware-log-kmsg-dump-on-panic.patch |
| 20 | 20 |
Patch6: net-Driver-Vmxnet3-set-CHECKSUM_UNNECESSARY-for-IPv6-packets.patch |
| 21 |
+#fixes CVE-2016-3134 |
|
| 22 |
+Patch7: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch |
|
| 23 |
+#fixes CVE-2016-3135 |
|
| 24 |
+Patch8: netfilter-x_tables-check-for-size-overflow.patch |
|
| 21 | 25 |
BuildRequires: bc |
| 22 | 26 |
BuildRequires: kbd |
| 23 | 27 |
BuildRequires: kmod |
| ... | ... |
@@ -80,6 +84,8 @@ Kernel driver for oprofile, a statistical profiler for Linux systems |
| 80 | 80 |
%patch4 -p1 |
| 81 | 81 |
%patch5 -p1 |
| 82 | 82 |
%patch6 -p1 |
| 83 |
+%patch7 -p1 |
|
| 84 |
+%patch8 -p1 |
|
| 83 | 85 |
|
| 84 | 86 |
%build |
| 85 | 87 |
make mrproper |
| ... | ... |
@@ -170,8 +176,10 @@ ln -sf %{name}-%{version}-%{release}.cfg /boot/photon.cfg
|
| 170 | 170 |
/lib/modules/%{version}/kernel/arch/x86/oprofile/
|
| 171 | 171 |
|
| 172 | 172 |
%changelog |
| 173 |
-* Wed May 18 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.4.8-2 |
|
| 174 |
-- Enabled CONFIG_UPROBES in config as needed by ktap |
|
| 173 |
+* Mon May 23 2016 Divya Thaluru <dthaluru@vmware.com> 4.4.8-3 |
|
| 174 |
+- Added patches to fix CVE-2016-3134, CVE-2016-3135 |
|
| 175 |
+* Wed May 18 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.4.8-2 |
|
| 176 |
+- Enabled CONFIG_UPROBES in config as needed by ktap |
|
| 175 | 177 |
* Wed May 04 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.8-1 |
| 176 | 178 |
- Update to linux-4.4.8 |
| 177 | 179 |
- Added net-Drivers-Vmxnet3-set-... patch |
| 178 | 180 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,31 @@ |
| 0 |
+Subject: [PATCH nf] netfilter: x_tables: check for size overflow |
|
| 1 |
+From: Florian Westphal <fw () strlen ! de> |
|
| 2 |
+Date: 2016-03-10 0:56:23 |
|
| 3 |
+ |
|
| 4 |
+Ben Hawkes says: |
|
| 5 |
+ integer overflow in xt_alloc_table_info, which on 32-bit systems can |
|
| 6 |
+ lead to small structure allocation and a copy_from_user based heap |
|
| 7 |
+ corruption. |
|
| 8 |
+ |
|
| 9 |
+Reported-by: Ben Hawkes <hawkes@google.com> |
|
| 10 |
+Signed-off-by: Florian Westphal <fw@strlen.de> |
|
| 11 |
+--- |
|
| 12 |
+ net/netfilter/x_tables.c | 3 +++ |
|
| 13 |
+ 1 file changed, 3 insertions(+) |
|
| 14 |
+ |
|
| 15 |
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c |
|
| 16 |
+index c8a0b7d..17a9a9f 100644 |
|
| 17 |
+--- a/net/netfilter/x_tables.c |
|
| 18 |
+@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) |
|
| 19 |
+ struct xt_table_info *info = NULL; |
|
| 20 |
+ size_t sz = sizeof(*info) + size; |
|
| 21 |
+ |
|
| 22 |
++ if (sz < sizeof(*info)) |
|
| 23 |
++ return NULL; |
|
| 24 |
++ |
|
| 25 |
+ /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ |
|
| 26 |
+ if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) |
|
| 27 |
+ return NULL; |
|
| 28 |
+-- |
|
| 29 |
+2.4.10 |
| 0 | 30 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,150 @@ |
| 0 |
+Subject: [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values |
|
| 1 |
+From: Florian Westphal <fw () strlen ! de> |
|
| 2 |
+Date: 2016-03-10 0:56:02 |
|
| 3 |
+ |
|
| 4 |
+Ben Hawkes says: |
|
| 5 |
+ |
|
| 6 |
+ In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it |
|
| 7 |
+ is possible for a user-supplied ipt_entry structure to have a large |
|
| 8 |
+ next_offset field. This field is not bounds checked prior to writing a |
|
| 9 |
+ counter value at the supplied offset. |
|
| 10 |
+ |
|
| 11 |
+Problem is that xt_entry_foreach() macro stops iterating once e->next_offset |
|
| 12 |
+is out of bounds, assuming this is the last entry. |
|
| 13 |
+ |
|
| 14 |
+With malformed data thats not necessarily the case so we can |
|
| 15 |
+write outside of allocated area later as we might not have walked the |
|
| 16 |
+entire blob. |
|
| 17 |
+ |
|
| 18 |
+Fix this by simplifying mark_source_chains -- it already has to check |
|
| 19 |
+if nextoff is in range to catch invalid jumps, so just do the check |
|
| 20 |
+when we move to a next entry as well. |
|
| 21 |
+ |
|
| 22 |
+Signed-off-by: Florian Westphal <fw@strlen.de> |
|
| 23 |
+--- |
|
| 24 |
+ net/ipv4/netfilter/arp_tables.c | 16 ++++++++-------- |
|
| 25 |
+ net/ipv4/netfilter/ip_tables.c | 15 ++++++++------- |
|
| 26 |
+ net/ipv6/netfilter/ip6_tables.c | 13 ++++++------- |
|
| 27 |
+ 3 files changed, 22 insertions(+), 22 deletions(-) |
|
| 28 |
+ |
|
| 29 |
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c |
|
| 30 |
+index b488cac..5a0b591 100644 |
|
| 31 |
+--- a/net/ipv4/netfilter/arp_tables.c |
|
| 32 |
+@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, |
|
| 33 |
+ |
|
| 34 |
+ /* Move along one */ |
|
| 35 |
+ size = e->next_offset; |
|
| 36 |
++ |
|
| 37 |
++ if (pos + size > newinfo->size - sizeof(*e)) |
|
| 38 |
++ return 0; |
|
| 39 |
++ |
|
| 40 |
+ e = (struct arpt_entry *) |
|
| 41 |
+ (entry0 + pos + size); |
|
| 42 |
+ e->counters.pcnt = pos; |
|
| 43 |
+@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo, |
|
| 44 |
+ if (strcmp(t->target.u.user.name, |
|
| 45 |
+ XT_STANDARD_TARGET) == 0 && |
|
| 46 |
+ newpos >= 0) {
|
|
| 47 |
+- if (newpos > newinfo->size - |
|
| 48 |
+- sizeof(struct arpt_entry)) {
|
|
| 49 |
+- duprintf("mark_source_chains: "
|
|
| 50 |
+- "bad verdict (%i)\n", |
|
| 51 |
+- newpos); |
|
| 52 |
+- return 0; |
|
| 53 |
+- } |
|
| 54 |
+- |
|
| 55 |
+ /* This a jump; chase it. */ |
|
| 56 |
+ duprintf("Jump rule %u -> %u\n",
|
|
| 57 |
+ pos, newpos); |
|
| 58 |
+@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, |
|
| 59 |
+ /* ... this is a fallthru */ |
|
| 60 |
+ newpos = pos + e->next_offset; |
|
| 61 |
+ } |
|
| 62 |
++ |
|
| 63 |
++ if (newpos > newinfo->size - sizeof(*e)) |
|
| 64 |
++ return 0; |
|
| 65 |
++ |
|
| 66 |
+ e = (struct arpt_entry *) |
|
| 67 |
+ (entry0 + newpos); |
|
| 68 |
+ e->counters.pcnt = pos; |
|
| 69 |
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c |
|
| 70 |
+index b99affa..ceb995f 100644 |
|
| 71 |
+--- a/net/ipv4/netfilter/ip_tables.c |
|
| 72 |
+@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
| 73 |
+ |
|
| 74 |
+ /* Move along one */ |
|
| 75 |
+ size = e->next_offset; |
|
| 76 |
++ |
|
| 77 |
++ if (pos + size > newinfo->size - sizeof(*e)) |
|
| 78 |
++ return 0; |
|
| 79 |
++ |
|
| 80 |
+ e = (struct ipt_entry *) |
|
| 81 |
+ (entry0 + pos + size); |
|
| 82 |
+ e->counters.pcnt = pos; |
|
| 83 |
+@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
| 84 |
+ if (strcmp(t->target.u.user.name, |
|
| 85 |
+ XT_STANDARD_TARGET) == 0 && |
|
| 86 |
+ newpos >= 0) {
|
|
| 87 |
+- if (newpos > newinfo->size - |
|
| 88 |
+- sizeof(struct ipt_entry)) {
|
|
| 89 |
+- duprintf("mark_source_chains: "
|
|
| 90 |
+- "bad verdict (%i)\n", |
|
| 91 |
+- newpos); |
|
| 92 |
+- return 0; |
|
| 93 |
+- } |
|
| 94 |
+ /* This a jump; chase it. */ |
|
| 95 |
+ duprintf("Jump rule %u -> %u\n",
|
|
| 96 |
+ pos, newpos); |
|
| 97 |
+@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
| 98 |
+ /* ... this is a fallthru */ |
|
| 99 |
+ newpos = pos + e->next_offset; |
|
| 100 |
+ } |
|
| 101 |
++ |
|
| 102 |
++ if (newpos > newinfo->size - sizeof(*e)) |
|
| 103 |
++ return 0; |
|
| 104 |
++ |
|
| 105 |
+ e = (struct ipt_entry *) |
|
| 106 |
+ (entry0 + newpos); |
|
| 107 |
+ e->counters.pcnt = pos; |
|
| 108 |
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c |
|
| 109 |
+index 99425cf..d88a794 100644 |
|
| 110 |
+--- a/net/ipv6/netfilter/ip6_tables.c |
|
| 111 |
+@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
| 112 |
+ |
|
| 113 |
+ /* Move along one */ |
|
| 114 |
+ size = e->next_offset; |
|
| 115 |
++ if (pos + size > newinfo->size - sizeof(*e)) |
|
| 116 |
++ return 0; |
|
| 117 |
+ e = (struct ip6t_entry *) |
|
| 118 |
+ (entry0 + pos + size); |
|
| 119 |
+ e->counters.pcnt = pos; |
|
| 120 |
+@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
| 121 |
+ if (strcmp(t->target.u.user.name, |
|
| 122 |
+ XT_STANDARD_TARGET) == 0 && |
|
| 123 |
+ newpos >= 0) {
|
|
| 124 |
+- if (newpos > newinfo->size - |
|
| 125 |
+- sizeof(struct ip6t_entry)) {
|
|
| 126 |
+- duprintf("mark_source_chains: "
|
|
| 127 |
+- "bad verdict (%i)\n", |
|
| 128 |
+- newpos); |
|
| 129 |
+- return 0; |
|
| 130 |
+- } |
|
| 131 |
+ /* This a jump; chase it. */ |
|
| 132 |
+ duprintf("Jump rule %u -> %u\n",
|
|
| 133 |
+ pos, newpos); |
|
| 134 |
+@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo, |
|
| 135 |
+ /* ... this is a fallthru */ |
|
| 136 |
+ newpos = pos + e->next_offset; |
|
| 137 |
+ } |
|
| 138 |
++ |
|
| 139 |
++ if (newpos > newinfo->size - sizeof(*e)) |
|
| 140 |
++ return 0; |
|
| 141 |
++ |
|
| 142 |
+ e = (struct ip6t_entry *) |
|
| 143 |
+ (entry0 + newpos); |
|
| 144 |
+ e->counters.pcnt = pos; |
|
| 145 |
+-- |
|
| 146 |
+2.4.10 |