Change-Id: Icb63a2d78368800bfbc4b710b7c1173a8d5b8bc8
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5785
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Bo Gan <ganb@vmware.com>
@@ -1,6 +1,6 @@ |
1 | 1 |
Summary: Linux API header files |
2 | 2 |
Name: linux-api-headers |
3 |
-Version: 4.4.153 |
|
3 |
+Version: 4.4.157 |
|
4 | 4 |
Release: 1%{?dist} |
5 | 5 |
License: GPLv2 |
6 | 6 |
URL: http://www.kernel.org/ |
@@ -8,7 +8,7 @@ Group: System Environment/Kernel |
8 | 8 |
Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
11 |
-%define sha1 linux=fad45d4f6016373ee19e702517640e5c43610bd7 |
|
11 |
+%define sha1 linux=6ba64a589f986cc8353794e5ead36892e5da7a40 |
|
12 | 12 |
BuildArch: noarch |
13 | 13 |
# From SPECS/linux and used by linux-esx only |
14 | 14 |
# It provides f*xattrat syscalls |
@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de |
29 | 29 |
%defattr(-,root,root) |
30 | 30 |
%{_includedir}/* |
31 | 31 |
%changelog |
32 |
+* Mon Sep 24 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.157-1 |
|
33 |
+- Update to version 4.4.157 |
|
32 | 34 |
* Tue Sep 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.153-1 |
33 | 35 |
- Update to version 4.4.153 |
34 | 36 |
* Tue Aug 28 2018 Anish Swaminathan <anishs@vmware.com> 4.4.152-1 |
35 | 37 |
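Review bot: The updated `%define sha1 linux=6ba64a589f986cc8353794e5ead36892e5da7a40` is the only integrity check on the `Source0` tarball, which is fetched from a plain `http://www.kernel.org/...` URL, and SHA-1 is no longer collision-resistant; the same pin and URL are changed identically in linux-esx.spec and linux.spec below. A stronger pin would carry the SHA-256 or SHA-512 value published in kernel.org's signed checksum file for 4.4.157, if the Photon build tooling accepts a corresponding digest macro, and `Source0` can be switched to `https://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz` to remove the plaintext fetch. Verifying the detached PGP signature kernel.org publishes for the release tarball during the build would make the digest algorithm immaterial.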
new file mode 100644 |
@@ -0,0 +1,50 @@ |
0 |
+From daf84a529fa3a1e79cfa2eb0afb7e054a5a468d4 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Theodore Ts'o <tytso@mit.edu> |
|
2 |
+Date: Wed, 13 Jun 2018 00:23:11 -0400 |
|
3 |
+Subject: [PATCH 1/2] ext4: add corruption check in ext4_xattr_set_entry() |
|
4 |
+ |
|
5 |
+commit 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d upstream. |
|
6 |
+ |
|
7 |
+In theory this should have been caught earlier when the xattr list was |
|
8 |
+verified, but in case it got missed, it's simple enough to add check |
|
9 |
+to make sure we don't overrun the xattr buffer. |
|
10 |
+ |
|
11 |
+This addresses CVE-2018-10879. |
|
12 |
+ |
|
13 |
+https://bugzilla.kernel.org/show_bug.cgi?id=200001 |
|
14 |
+ |
|
15 |
+Signed-off-by: Theodore Ts'o <tytso@mit.edu> |
|
16 |
+Reviewed-by: Andreas Dilger <adilger@dilger.ca> |
|
17 |
+Cc: stable@kernel.org |
|
18 |
+[ Srivatsa: Backported to 4.4.y ] |
|
19 |
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu> |
|
20 |
+--- |
|
21 |
+ fs/ext4/xattr.c | 8 ++++++-- |
|
22 |
+ 1 file changed, 6 insertions(+), 2 deletions(-) |
|
23 |
+ |
|
24 |
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c |
|
25 |
+index 9fb2a75..eff07b9 100644 |
|
26 |
+--- a/fs/ext4/xattr.c |
|
27 |
+@@ -640,12 +640,16 @@ static size_t ext4_xattr_free_space(struct ext4_xattr_entry *last, |
|
28 |
+ static int |
|
29 |
+ ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s) |
|
30 |
+ { |
|
31 |
+- struct ext4_xattr_entry *last; |
|
32 |
++ struct ext4_xattr_entry *last, *next; |
|
33 |
+ size_t free, min_offs = s->end - s->base, name_len = strlen(i->name); |
|
34 |
+ |
|
35 |
+ /* Compute min_offs and last. */ |
|
36 |
+ last = s->first; |
|
37 |
+- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { |
|
38 |
++ for (; !IS_LAST_ENTRY(last); last = next) { |
|
39 |
++ next = EXT4_XATTR_NEXT(last); |
|
40 |
++ if ((void *)next >= s->end) |
|
41 |
++ return -EFSCORRUPTED; |
|
42 |
++ |
|
43 |
+ if (!last->e_value_block && last->e_value_size) { |
|
44 |
+ size_t offs = le16_to_cpu(last->e_value_offs); |
|
45 |
+ if (offs < min_offs) |
|
46 |
+-- |
|
47 |
+2.7.4 |
|
48 |
+ |
0 | 49 |
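Review bot: The new guard `if ((void *)next >= s->end)` in ext4_xattr_set_entry only requires the first byte of the next entry to lie below `s->end`; on the following iteration the loop test and `EXT4_XATTR_NEXT(last)` read fields of that entry, so an entry header starting within the last few bytes before `s->end` would still be read partly past the region if those macros dereference the entry as their use here suggests. This is the upstream check verbatim, so it is a backport-fidelity question rather than a defect introduced by this backport; a tighter bound such as `if ((void *)next + sizeof(__u32) > s->end)` would keep at least the terminator test in range, but it belongs upstream first rather than as a local divergence in a 4.4.y patch. The body of ext4_xattr_set_entry continues outside the hunk.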
new file mode 100644 |
@@ -0,0 +1,53 @@ |
0 |
+From b1c76346e194bf9390efec9bc00088650c2552e9 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Theodore Ts'o <tytso@mit.edu> |
|
2 |
+Date: Wed, 13 Jun 2018 00:51:28 -0400 |
|
3 |
+Subject: [PATCH 2/2] ext4: always verify the magic number in xattr blocks |
|
4 |
+ |
|
5 |
+commit 513f86d73855ce556ea9522b6bfd79f87356dc3a upstream. |
|
6 |
+ |
|
7 |
+If there an inode points to a block which is also some other type of |
|
8 |
+metadata block (such as a block allocation bitmap), the |
|
9 |
+buffer_verified flag can be set when it was validated as that other |
|
10 |
+metadata block type; however, it would make a really terrible external |
|
11 |
+attribute block. The reason why we use the verified flag is to avoid |
|
12 |
+constantly reverifying the block. However, it doesn't take much |
|
13 |
+overhead to make sure the magic number of the xattr block is correct, |
|
14 |
+and this will avoid potential crashes. |
|
15 |
+ |
|
16 |
+This addresses CVE-2018-10879. |
|
17 |
+ |
|
18 |
+https://bugzilla.kernel.org/show_bug.cgi?id=200001 |
|
19 |
+ |
|
20 |
+Signed-off-by: Theodore Ts'o <tytso@mit.edu> |
|
21 |
+Reviewed-by: Andreas Dilger <adilger@dilger.ca> |
|
22 |
+Cc: stable@kernel.org |
|
23 |
+[ Srivatsa: Backported to 4.4.y ] |
|
24 |
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu> |
|
25 |
+--- |
|
26 |
+ fs/ext4/xattr.c | 7 ++++--- |
|
27 |
+ 1 file changed, 4 insertions(+), 3 deletions(-) |
|
28 |
+ |
|
29 |
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c |
|
30 |
+index eff07b9..7293f0b 100644 |
|
31 |
+--- a/fs/ext4/xattr.c |
|
32 |
+@@ -220,12 +220,13 @@ ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh) |
|
33 |
+ { |
|
34 |
+ int error; |
|
35 |
+ |
|
36 |
+- if (buffer_verified(bh)) |
|
37 |
+- return 0; |
|
38 |
+- |
|
39 |
+ if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || |
|
40 |
+ BHDR(bh)->h_blocks != cpu_to_le32(1)) |
|
41 |
+ return -EFSCORRUPTED; |
|
42 |
++ |
|
43 |
++ if (buffer_verified(bh)) |
|
44 |
++ return 0; |
|
45 |
++ |
|
46 |
+ if (!ext4_xattr_block_csum_verify(inode, bh->b_blocknr, BHDR(bh))) |
|
47 |
+ return -EFSBADCRC; |
|
48 |
+ error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size, |
|
49 |
+-- |
|
50 |
+2.7.4 |
|
51 |
+ |
@@ -1,15 +1,15 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 |
-Version: 4.4.153 |
|
5 |
-Release: 3%{?dist} |
|
4 |
+Version: 4.4.157 |
|
5 |
+Release: 1%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=fad45d4f6016373ee19e702517640e5c43610bd7 |
|
12 |
+%define sha1 linux=6ba64a589f986cc8353794e5ead36892e5da7a40 |
|
13 | 13 |
Source1: config-esx |
14 | 14 |
Patch0: double-tcp_mem-limits.patch |
15 | 15 |
Patch1: linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch |
@@ -64,6 +64,9 @@ Patch47: 0007-xfs-move-inode-fork-verifiers-to-xfs_dinode_verify.patch |
64 | 64 |
Patch48: 0008-xfs-enhance-dinode-verifier.patch |
65 | 65 |
# Fix for CVE-2018-13053 |
66 | 66 |
Patch49: 0001-alarmtimer-Prevent-overflow-for-relative-nanosleep.patch |
67 |
+# Fix for CVE-2018-10879 |
|
68 |
+Patch50: 0001-ext4-add-corruption-check-in-ext4_xattr_set_entry.patch |
|
69 |
+Patch51: 0002-ext4-always-verify-the-magic-number-in-xattr-blocks.patch |
|
67 | 70 |
|
68 | 71 |
# For Spectre |
69 | 72 |
Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch |
@@ -148,6 +151,8 @@ The Linux package contains the Linux kernel doc files |
148 | 148 |
%patch47 -p1 |
149 | 149 |
%patch48 -p1 |
150 | 150 |
%patch49 -p1 |
151 |
+%patch50 -p1 |
|
152 |
+%patch51 -p1 |
|
151 | 153 |
|
152 | 154 |
%patch67 -p1 |
153 | 155 |
|
@@ -238,6 +243,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
238 | 238 |
/usr/src/linux-headers-%{uname_r} |
239 | 239 |
|
240 | 240 |
%changelog |
241 |
+* Mon Sep 24 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.157-1 |
|
242 |
+- Update to version 4.4.157 and fix CVE-2018-10879 |
|
241 | 243 |
* Tue Sep 18 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.153-3 |
242 | 244 |
- Improve error-handling of rdrand-rng kernel driver. |
243 | 245 |
* Fri Sep 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.153-2 |
@@ -1,15 +1,15 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 |
-Version: 4.4.153 |
|
5 |
-Release: 3%{?kat_build:.%kat_build}%{?dist} |
|
4 |
+Version: 4.4.157 |
|
5 |
+Release: 1%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz |
12 |
-%define sha1 linux=fad45d4f6016373ee19e702517640e5c43610bd7 |
|
12 |
+%define sha1 linux=6ba64a589f986cc8353794e5ead36892e5da7a40 |
|
13 | 13 |
Source1: config |
14 | 14 |
%define ena_version 1.1.3 |
15 | 15 |
Source2: https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz |
@@ -64,6 +64,9 @@ Patch40: 0007-xfs-move-inode-fork-verifiers-to-xfs_dinode_verify.patch |
64 | 64 |
Patch41: 0008-xfs-enhance-dinode-verifier.patch |
65 | 65 |
# Fix for CVE-2018-13053 |
66 | 66 |
Patch42: 0001-alarmtimer-Prevent-overflow-for-relative-nanosleep.patch |
67 |
+# Fix for CVE-2018-10879 |
|
68 |
+Patch43: 0001-ext4-add-corruption-check-in-ext4_xattr_set_entry.patch |
|
69 |
+Patch44: 0002-ext4-always-verify-the-magic-number-in-xattr-blocks.patch |
|
67 | 70 |
|
68 | 71 |
# For Spectre |
69 | 72 |
Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch |
@@ -181,6 +184,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
181 | 181 |
%patch40 -p1 |
182 | 182 |
%patch41 -p1 |
183 | 183 |
%patch42 -p1 |
184 |
+%patch43 -p1 |
|
185 |
+%patch44 -p1 |
|
184 | 186 |
|
185 | 187 |
%patch67 -p1 |
186 | 188 |
|
@@ -339,6 +344,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
339 | 339 |
/usr/share/perf-core |
340 | 340 |
|
341 | 341 |
%changelog |
342 |
+* Mon Sep 24 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.157-1 |
|
343 |
+- Update to version 4.4.157 and fix CVE-2018-10879 |
|
342 | 344 |
* Tue Sep 18 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.153-3 |
343 | 345 |
- Improve error-handling of rdrand-rng kernel driver. |
344 | 346 |
* Fri Sep 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.153-2 |