Change-Id: Iea86fb69b89256d0c7a038171e0de0bc4d6ec5d2
Reviewed-on: http://photon-jenkins.eng.vmware.com/499
Tested-by: jenkins-photon <wangnan2015@hotmail.com>
Reviewed-by: suezzelur <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,53 @@ |
0 |
+From Quentin Casasnovas <> |
|
1 |
+Subject [PATCH] RDS: fix race condition when sending a message on unbound socket. |
|
2 |
+Date Fri, 16 Oct 2015 17:11:42 +0200 |
|
3 |
+ |
|
4 |
+ |
|
5 |
+Sasha's found a NULL pointer dereference in the RDS connection code when |
|
6 |
+sending a message to an apparently unbound socket. The problem is caused |
|
7 |
+by the code checking if the socket is bound in rds_sendmsg(), which checks |
|
8 |
+the rs_bound_addr field without taking a lock on the socket. This opens a |
|
9 |
+race where rs_bound_addr is temporarily set but where the transport is not |
|
10 |
+in rds_bind(), leading to a NULL pointer dereference when trying to |
|
11 |
+dereference 'trans' in __rds_conn_create(). |
|
12 |
+ |
|
13 |
+Vegard wrote a reproducer for this issue, so kindly ask him to share if |
|
14 |
+you're interested. |
|
15 |
+ |
|
16 |
+I cannot reproduce the NULL pointer dereference using Vegard's reproducer |
|
17 |
+with this patch, whereas I could without. |
|
18 |
+ |
|
19 |
+Complete earlier incomplete fix to CVE-2015-6937: |
|
20 |
+ |
|
21 |
+ 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection") |
|
22 |
+ |
|
23 |
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> |
|
24 |
+Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com> |
|
25 |
+Reviewed-by: Sasha Levin <sasha.levin@oracle.com> |
|
26 |
+Cc: Vegard Nossum <vegard.nossum@oracle.com> |
|
27 |
+Cc: Sasha Levin <sasha.levin@oracle.com> |
|
28 |
+Cc: Chien Yen <chien.yen@oracle.com> |
|
29 |
+Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com> |
|
30 |
+Cc: David S. Miller <davem@davemloft.net> |
|
31 |
+Cc: stable@vger.kernel.org |
|
32 |
+--- |
|
33 |
+diff -ru a/net/rds/send.c b/net/rds/send.c |
|
34 |
+--- a/net/rds/send.c 2015-08-30 11:34:09.000000000 -0700 |
|
35 |
+@@ -986,11 +986,13 @@ |
|
36 |
+ release_sock(sk); |
|
37 |
+ } |
|
38 |
+ |
|
39 |
+- /* racing with another thread binding seems ok here */ |
|
40 |
++ lock_sock(sk); |
|
41 |
+ if (daddr == 0 || rs->rs_bound_addr == 0) { |
|
42 |
++ release_sock(sk); |
|
43 |
+ ret = -ENOTCONN; /* XXX not a great errno */ |
|
44 |
+ goto out; |
|
45 |
+ } |
|
46 |
++ release_sock(sk); |
|
47 |
+ |
|
48 |
+ /* size of rm including all sgs */ |
|
49 |
+ ret = rds_rm_size(msg, payload_len); |
|
50 |
+-- |
|
51 |
+2.4.9 |
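Review bot: as rendered, the embedded diff goes straight from the `--- a/net/rds/send.c` header to the `@@ -986,11 +986,13 @@` hunk with no `+++ b/net/rds/send.c` line; `patch -p1` needs both headers to locate the target file, so confirm the stored patch file carries the `+++` line and that `%patch0 -p1` applies in %prep. The change itself is sound: the description says rds_bind() sets rs_bound_addr before the transport is in place, so wrapping the `rs->rs_bound_addr == 0` check in lock_sock()/release_sock() is what prevents rds_sendmsg() from observing a bound address with no transport and dereferencing a NULL `trans` in __rds_conn_create(). The early `release_sock(sk)` before `goto out` in the error path is correct and keeps the lock balanced.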
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 | 4 |
Version: 4.2.0 |
5 |
-Release: 13%{?dist} |
|
5 |
+Release: 14%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -11,12 +11,14 @@ Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-4.2.tar.xz |
12 | 12 |
%define sha1 linux=5e65d0dc94298527726fcd7458b6126e60fb2a8a |
13 | 13 |
Source1: config-esx-%{version} |
14 |
-patch1: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch |
|
15 |
-patch2: 01-clear-linux.patch |
|
16 |
-patch3: 02-pci-probe.patch |
|
17 |
-patch4: 03-poweroff.patch |
|
18 |
-patch5: 04-quiet-boot.patch |
|
19 |
-patch6: 05-pv-ops.patch |
|
14 |
+Patch0: RDS-race-condition-on-unbound-socket-null-deref.patch |
|
15 |
+Patch1: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch |
|
16 |
+Patch2: 01-clear-linux.patch |
|
17 |
+Patch3: 02-pci-probe.patch |
|
18 |
+Patch4: 03-poweroff.patch |
|
19 |
+Patch5: 04-quiet-boot.patch |
|
20 |
+Patch6: 05-pv-ops.patch |
|
21 |
+Patch7: ovl-fix-permission-checking-for-setattr.patch |
|
20 | 22 |
BuildRequires: bc |
21 | 23 |
BuildRequires: kbd |
22 | 24 |
BuildRequires: kmod |
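Review bot: the substantive change here is only the addition of Patch0 (RDS) and Patch7 (ovl); the patch1 through patch6 lines are deleted and re-added with the same numbers and file names, differing only in tag case, and RPM matches tag names case-insensitively, so that rename is cosmetic and doubles the hunk for no functional gain. Also note the numbering differs from linux.spec in the same change, where KEYS is Patch0, RDS is Patch1 and ovl is Patch2; either order works, but using one ordering in both specs makes them easier to keep in sync.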
... | ... |
@@ -51,12 +53,14 @@ The Linux package contains the Linux kernel doc files |
51 | 51 |
|
52 | 52 |
%prep |
53 | 53 |
%setup -q -n linux-4.2 |
54 |
+%patch0 -p1 |
|
54 | 55 |
%patch1 -p1 |
55 | 56 |
%patch2 -p1 |
56 | 57 |
%patch3 -p1 |
57 | 58 |
%patch4 -p1 |
58 | 59 |
%patch5 -p1 |
59 | 60 |
%patch6 -p1 |
61 |
+%patch7 -p1 |
|
60 | 62 |
|
61 | 63 |
%build |
62 | 64 |
make mrproper |
... | ... |
@@ -122,6 +126,8 @@ ln -sf %{name}-%{version}-%{release}.cfg /boot/photon.cfg |
122 | 122 |
/usr/src/%{name}-headers-%{version}-%{release} |
123 | 123 |
|
124 | 124 |
%changelog |
125 |
+* Wed Feb 03 2016 Anish Swaminathan <anishs@vmware.com> 4.2.0-14 |
|
126 |
+- Fixes for CVE-2015-7990/6937 and CVE-2015-8660. |
|
125 | 127 |
* Fri Jan 22 2016 Alexey Makhalov <amakhalov@vmware.com> 4.2.0-13 |
126 | 128 |
- Fix for CVE-2016-0728 |
127 | 129 |
* Wed Jan 13 2016 Alexey Makhalov <amakhalov@vmware.com> 4.2.0-12 |
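Review bot: the entry claims fixes for CVE-2015-7990/6937, but the RDS patch added in this change describes itself as completing the earlier, incomplete fix for CVE-2015-6937 (74e98eb08588, "RDS: verify the underlying transport exists before creating a connection"), and that commit is not among the patches applied to the linux-4.2 tarball in this spec; confirm it is already present in the 4.2 base or add it as a separate patch, otherwise only CVE-2015-7990 is actually addressed by the RDS patch. The identical entry in linux.spec needs the same check.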
... | ... |
@@ -1,29 +1,31 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 |
-Name: linux |
|
4 |
-Version: 4.2.0 |
|
5 |
-Release: 11%{?dist} |
|
6 |
-License: GPLv2 |
|
7 |
-URL: http://www.kernel.org/ |
|
8 |
-Group: System Environment/Kernel |
|
9 |
-Vendor: VMware, Inc. |
|
10 |
-Distribution: Photon |
|
11 |
-Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-4.2.tar.xz |
|
3 |
+Name: linux |
|
4 |
+Version: 4.2.0 |
|
5 |
+Release: 12%{?dist} |
|
6 |
+License: GPLv2 |
|
7 |
+URL: http://www.kernel.org/ |
|
8 |
+Group: System Environment/Kernel |
|
9 |
+Vendor: VMware, Inc. |
|
10 |
+Distribution: Photon |
|
11 |
+Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-4.2.tar.xz |
|
12 | 12 |
%define sha1 linux=5e65d0dc94298527726fcd7458b6126e60fb2a8a |
13 | 13 |
Source1: config-%{version} |
14 |
-patch1: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch |
|
15 |
-BuildRequires: bc |
|
16 |
-BuildRequires: kbd |
|
17 |
-BuildRequires: kmod |
|
18 |
-BuildRequires: glib-devel |
|
19 |
-BuildRequires: xerces-c-devel |
|
20 |
-BuildRequires: xml-security-c-devel |
|
21 |
-BuildRequires: libdnet |
|
22 |
-BuildRequires: libmspack |
|
23 |
-BuildRequires: Linux-PAM |
|
24 |
-BuildRequires: openssl-devel |
|
25 |
-BuildRequires: procps-ng-devel |
|
26 |
-Requires: filesystem kmod coreutils |
|
14 |
+Patch0: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch |
|
15 |
+Patch1: RDS-race-condition-on-unbound-socket-null-deref.patch |
|
16 |
+Patch2: ovl-fix-permission-checking-for-setattr.patch |
|
17 |
+BuildRequires: bc |
|
18 |
+BuildRequires: kbd |
|
19 |
+BuildRequires: kmod |
|
20 |
+BuildRequires: glib-devel |
|
21 |
+BuildRequires: xerces-c-devel |
|
22 |
+BuildRequires: xml-security-c-devel |
|
23 |
+BuildRequires: libdnet |
|
24 |
+BuildRequires: libmspack |
|
25 |
+BuildRequires: Linux-PAM |
|
26 |
+BuildRequires: openssl-devel |
|
27 |
+BuildRequires: procps-ng-devel |
|
28 |
+Requires: filesystem kmod coreutils |
|
27 | 29 |
|
28 | 30 |
%description |
29 | 31 |
The Linux package contains the Linux kernel. |
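Review bot: the Name through Source0 lines and the patch1 through Requires lines are removed and re-added with identical text, which points to a whitespace or line-ending change rather than a content change; the real content of the hunk is the Release bump from 11 to 12 and the three Patch lines (KEYS as Patch0, RDS as Patch1, ovl as Patch2). Dropping the incidental whitespace change, or landing it separately, would leave the security-relevant part of the diff readable at a glance. As in linux-esx.spec, the patch1 to PatchN rename is cosmetic since RPM treats tag names case-insensitively.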
... | ... |
@@ -67,7 +69,9 @@ Kernel driver for oprofile, a statistical profiler for Linux systems |
67 | 67 |
|
68 | 68 |
%prep |
69 | 69 |
%setup -q -n linux-4.2 |
70 |
+%patch0 -p1 |
|
70 | 71 |
%patch1 -p1 |
72 |
+%patch2 -p1 |
|
71 | 73 |
|
72 | 74 |
%build |
73 | 75 |
make mrproper |
... | ... |
@@ -155,6 +159,8 @@ ln -sf %{name}-%{version}-%{release}.cfg /boot/photon.cfg |
155 | 155 |
/lib/modules/%{version}/kernel/arch/x86/oprofile/ |
156 | 156 |
|
157 | 157 |
%changelog |
158 |
+* Wed Feb 03 2016 Anish Swaminathan <anishs@vmware.com> 4.2.0-12 |
|
159 |
+- Fixes for CVE-2015-7990/6937 and CVE-2015-8660. |
|
158 | 160 |
* Tue Jan 26 2016 Anish Swaminathan <anishs@vmware.com> 4.2.0-11 |
159 | 161 |
- Revert CONFIG_HZ=250 |
160 | 162 |
* Fri Jan 22 2016 Alexey Makhalov <amakhalov@vmware.com> 4.2.0-10 |
161 | 163 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,43 @@ |
0 |
+From acff81ec2c79492b180fade3c2894425cd35a545 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Miklos Szeredi <miklos@szeredi.hu> |
|
2 |
+Date: Fri, 4 Dec 2015 19:18:48 +0100 |
|
3 |
+Subject: [PATCH] ovl: fix permission checking for setattr |
|
4 |
+ |
|
5 |
+[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr() |
|
6 |
+away - instead of "copy verbatim with metadata" + "chmod/chown/utimes" |
|
7 |
+(with the former being always safe and the latter failing in case of |
|
8 |
+insufficient permissions) it tries to combine these two. Note that copyup |
|
9 |
+itself will have to do ->setattr() anyway; _that_ is where the elevated |
|
10 |
+capabilities are right. Having these two ->setattr() (one to set verbatim |
|
11 |
+copy of metadata, another to do what overlayfs ->setattr() had been asked |
|
12 |
+to do in the first place) combined is where it breaks. |
|
13 |
+ |
|
14 |
+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu> |
|
15 |
+Cc: <stable@vger.kernel.org> |
|
16 |
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
|
17 |
+--- |
|
18 |
+ fs/overlayfs/inode.c | 8 ++++---- |
|
19 |
+ 1 file changed, 4 insertions(+), 4 deletions(-) |
|
20 |
+ |
|
21 |
+diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c |
|
22 |
+index ec0c2a050..9612849 100644 |
|
23 |
+--- a/fs/overlayfs/inode.c |
|
24 |
+@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr) |
|
25 |
+ if (err) |
|
26 |
+ goto out; |
|
27 |
+ |
|
28 |
+- upperdentry = ovl_dentry_upper(dentry); |
|
29 |
+- if (upperdentry) { |
|
30 |
++ err = ovl_copy_up(dentry); |
|
31 |
++ if (!err) { |
|
32 |
++ upperdentry = ovl_dentry_upper(dentry); |
|
33 |
++ |
|
34 |
+ mutex_lock(&upperdentry->d_inode->i_mutex); |
|
35 |
+ err = notify_change(upperdentry, attr, NULL); |
|
36 |
+ mutex_unlock(&upperdentry->d_inode->i_mutex); |
|
37 |
+- } else { |
|
38 |
+- err = ovl_copy_up_last(dentry, attr, false); |
|
39 |
+ } |
|
40 |
+ ovl_drop_write(dentry); |
|
41 |
+ out: |
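Review bot: the reordered flow calls ovl_copy_up(dentry) before notify_change(), so the permission check performed by notify_change() now runs on the upper inode with the caller's credentials instead of being folded into the copy-up (the over-eager optimisation the description refers to); the side effect worth recording in the patch description is that a setattr which then fails its permission check has already copied the file into the upper layer. Two things to verify in the stored file: as with the RDS patch, no `+++ b/fs/overlayfs/inode.c` header is shown between the `---` line and the `@@ -49,13 +49,13 @@` hunk, and the file is cut off here after `out:` although the outer hunk header announces 43 lines, so the end of ovl_setattr() and the trailing git version line should be present for `%patch -p1` to apply cleanly.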