@@ -1,6 +1,6 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.4.153

+Version:	4.4.157

 Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

@@ -8,7 +8,7 @@ Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=fad45d4f6016373ee19e702517640e5c43610bd7

+%define sha1 linux=6ba64a589f986cc8353794e5ead36892e5da7a40

 BuildArch:	noarch

 # From SPECS/linux and used by linux-esx only

 # It provides f*xattrat syscalls

@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Mon Sep 24 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.157-1

+-   Update to version 4.4.157

 *   Tue Sep 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.153-1

 -   Update to version 4.4.153

 *   Tue Aug 28 2018 Anish Swaminathan <anishs@vmware.com> 4.4.152-1

new file mode 100644

@@ -0,0 +1,50 @@

+From daf84a529fa3a1e79cfa2eb0afb7e054a5a468d4 Mon Sep 17 00:00:00 2001

+From: Theodore Ts'o <tytso@mit.edu>

+Date: Wed, 13 Jun 2018 00:23:11 -0400

+Subject: [PATCH 1/2] ext4: add corruption check in ext4_xattr_set_entry()

+

+commit 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d upstream.

+

+In theory this should have been caught earlier when the xattr list was

+verified, but in case it got missed, it's simple enough to add check

+to make sure we don't overrun the xattr buffer.

+

+This addresses CVE-2018-10879.

+

+https://bugzilla.kernel.org/show_bug.cgi?id=200001

+

+Signed-off-by: Theodore Ts'o <tytso@mit.edu>

+Reviewed-by: Andreas Dilger <adilger@dilger.ca>

+Cc: stable@kernel.org

+[ Srivatsa: Backported to 4.4.y ]

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ fs/ext4/xattr.c | 8 ++++++--

+ 1 file changed, 6 insertions(+), 2 deletions(-)

+

+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c

+index 9fb2a75..eff07b9 100644

+--- a/fs/ext4/xattr.c

+@@ -640,12 +640,16 @@ static size_t ext4_xattr_free_space(struct ext4_xattr_entry *last,

+ static int

+ ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s)

+ {

+-	struct ext4_xattr_entry *last;

++	struct ext4_xattr_entry *last, *next;

+ 	size_t free, min_offs = s->end - s->base, name_len = strlen(i->name);

+ 

+ 	/* Compute min_offs and last. */

+ 	last = s->first;

+-	for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {

++	for (; !IS_LAST_ENTRY(last); last = next) {

++		next = EXT4_XATTR_NEXT(last);

++		if ((void *)next >= s->end)

++			return -EFSCORRUPTED;

++

+ 		if (!last->e_value_block && last->e_value_size) {

+ 			size_t offs = le16_to_cpu(last->e_value_offs);

+ 			if (offs < min_offs)

+-- 

+2.7.4

+

new file mode 100644

@@ -0,0 +1,53 @@

+From b1c76346e194bf9390efec9bc00088650c2552e9 Mon Sep 17 00:00:00 2001

+From: Theodore Ts'o <tytso@mit.edu>

+Date: Wed, 13 Jun 2018 00:51:28 -0400

+Subject: [PATCH 2/2] ext4: always verify the magic number in xattr blocks

+

+commit 513f86d73855ce556ea9522b6bfd79f87356dc3a upstream.

+

+If there an inode points to a block which is also some other type of

+metadata block (such as a block allocation bitmap), the

+buffer_verified flag can be set when it was validated as that other

+metadata block type; however, it would make a really terrible external

+attribute block.  The reason why we use the verified flag is to avoid

+constantly reverifying the block.  However, it doesn't take much

+overhead to make sure the magic number of the xattr block is correct,

+and this will avoid potential crashes.

+

+This addresses CVE-2018-10879.

+

+https://bugzilla.kernel.org/show_bug.cgi?id=200001

+

+Signed-off-by: Theodore Ts'o <tytso@mit.edu>

+Reviewed-by: Andreas Dilger <adilger@dilger.ca>

+Cc: stable@kernel.org

+[ Srivatsa: Backported to 4.4.y ]

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ fs/ext4/xattr.c | 7 ++++---

+ 1 file changed, 4 insertions(+), 3 deletions(-)

+

+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c

+index eff07b9..7293f0b 100644

+--- a/fs/ext4/xattr.c

+@@ -220,12 +220,13 @@ ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh)

+ {

+ 	int error;

+ 

+-	if (buffer_verified(bh))

+-		return 0;

+-

+ 	if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||

+ 	    BHDR(bh)->h_blocks != cpu_to_le32(1))

+ 		return -EFSCORRUPTED;

++

++	if (buffer_verified(bh))

++		return 0;

++

+ 	if (!ext4_xattr_block_csum_verify(inode, bh->b_blocknr, BHDR(bh)))

+ 		return -EFSBADCRC;

+ 	error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size,

+-- 

+2.7.4

+

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:       Kernel

 Name:          linux-esx

-Version:       4.4.153

-Release:       3%{?dist}

+Version:       4.4.157

+Release:       1%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

 Group:         System Environment/Kernel

 Vendor:        VMware, Inc.

 Distribution:  Photon

 Source0:       http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=fad45d4f6016373ee19e702517640e5c43610bd7

+%define sha1 linux=6ba64a589f986cc8353794e5ead36892e5da7a40

 Source1:       config-esx

 Patch0:        double-tcp_mem-limits.patch

 Patch1:        linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch

@@ -64,6 +64,9 @@ Patch47:        0007-xfs-move-inode-fork-verifiers-to-xfs_dinode_verify.patch

 Patch48:        0008-xfs-enhance-dinode-verifier.patch

 # Fix for CVE-2018-13053

 Patch49:        0001-alarmtimer-Prevent-overflow-for-relative-nanosleep.patch

+# Fix for CVE-2018-10879

+Patch50:        0001-ext4-add-corruption-check-in-ext4_xattr_set_entry.patch

+Patch51:        0002-ext4-always-verify-the-magic-number-in-xattr-blocks.patch

 # For Spectre

 Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

@@ -148,6 +151,8 @@ The Linux package contains the Linux kernel doc files

 %patch47 -p1

 %patch48 -p1

 %patch49 -p1

+%patch50 -p1

+%patch51 -p1

 %patch67 -p1

@@ -238,6 +243,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Sep 24 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.157-1

+-   Update to version 4.4.157 and fix CVE-2018-10879

 *   Tue Sep 18 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.153-3

 -   Improve error-handling of rdrand-rng kernel driver.

 *   Fri Sep 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.153-2

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:    	4.4.153

-Release:        3%{?kat_build:.%kat_build}%{?dist}

+Version:    	4.4.157

+Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz

-%define sha1 linux=fad45d4f6016373ee19e702517640e5c43610bd7

+%define sha1 linux=6ba64a589f986cc8353794e5ead36892e5da7a40

 Source1:	config

 %define ena_version 1.1.3

 Source2:    	https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz

@@ -64,6 +64,9 @@ Patch40:        0007-xfs-move-inode-fork-verifiers-to-xfs_dinode_verify.patch

 Patch41:        0008-xfs-enhance-dinode-verifier.patch

 # Fix for CVE-2018-13053

 Patch42:        0001-alarmtimer-Prevent-overflow-for-relative-nanosleep.patch

+# Fix for CVE-2018-10879

+Patch43:        0001-ext4-add-corruption-check-in-ext4_xattr_set_entry.patch

+Patch44:        0002-ext4-always-verify-the-magic-number-in-xattr-blocks.patch

 # For Spectre

 Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

@@ -181,6 +184,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch40 -p1

 %patch41 -p1

 %patch42 -p1

+%patch43 -p1

+%patch44 -p1

 %patch67 -p1

@@ -339,6 +344,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Mon Sep 24 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.157-1

+-   Update to version 4.4.157 and fix CVE-2018-10879

 *   Tue Sep 18 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.153-3

 -   Improve error-handling of rdrand-rng kernel driver.

 *   Fri Sep 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.153-2