Browse code
Kernels: Fix for CVE-2018-13053
A vulnerability was found in kernel timer
module and the fix for this vulnerability
has been backported to kernel version 4.9.124
from Mainline.
Change-Id: I9495e6f031cbb082bcef4304d9f9fbdb6430cb48
Signed-off-by: srinidhira0 <srinidhir@vmware.com>
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5629
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>
srinidhira0 authored on 2018/09/11 03:56:58Showing 5 changed files
- SPECS/linux/0001-alarmtimer-Prevent-overflow-for-relative-nanosleep.patch
- SPECS/linux/linux-aws.spec
- SPECS/linux/linux-esx.spec
- SPECS/linux/linux-secure.spec
- SPECS/linux/linux.spec
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,59 @@ |
| 0 |
+From 8a31e7a17595db79a824e1c55f908acc3e076312 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: srinidhira0 <srinidhira0.linuxvk@gmail.com> |
|
| 2 |
+Date: Mon, 10 Sep 2018 23:50:21 +0530 |
|
| 3 |
+Subject: [PATCH] From 5f936e19cc0ef97dbe3a56e9498922ad5ba1edef Mon Sep 17 |
|
| 4 |
+ 00:00:00 2001 From: Thomas Gleixner <tglx@linutronix.de> Date: Mon, 2 Jul |
|
| 5 |
+ 2018 09:34:29 +0200 Subject: [PATCH] alarmtimer: Prevent overflow for |
|
| 6 |
+ relative nanosleep |
|
| 7 |
+ |
|
| 8 |
+Air Icy reported: |
|
| 9 |
+ |
|
| 10 |
+ UBSAN: Undefined behaviour in kernel/time/alarmtimer.c:811:7 |
|
| 11 |
+ signed integer overflow: |
|
| 12 |
+ 1529859276030040771 + 9223372036854775807 cannot be represented in type 'long long int' |
|
| 13 |
+ Call Trace: |
|
| 14 |
+ alarm_timer_nsleep+0x44c/0x510 kernel/time/alarmtimer.c:811 |
|
| 15 |
+ __do_sys_clock_nanosleep kernel/time/posix-timers.c:1235 [inline] |
|
| 16 |
+ __se_sys_clock_nanosleep kernel/time/posix-timers.c:1213 [inline] |
|
| 17 |
+ __x64_sys_clock_nanosleep+0x326/0x4e0 kernel/time/posix-timers.c:1213 |
|
| 18 |
+ do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290 |
|
| 19 |
+ |
|
| 20 |
+alarm_timer_nsleep() uses ktime_add() to add the current time and the |
|
| 21 |
+relative expiry value. ktime_add() has no sanity checks so the addition |
|
| 22 |
+can overflow when the relative timeout is large enough. |
|
| 23 |
+ |
|
| 24 |
+Use ktime_add_safe() which has the necessary sanity checks in place and |
|
| 25 |
+limits the result to the valid range. |
|
| 26 |
+ |
|
| 27 |
+Fixes: 9a7adcf5c6de ("timers: Posix interface for alarm-timers")
|
|
| 28 |
+Reported-by: Team OWL337 <icytxw@gmail.com> |
|
| 29 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
| 30 |
+Cc: John Stultz <john.stultz@linaro.org> |
|
| 31 |
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1807020926360.1595@nanos.tec.linutronix.de |
|
| 32 |
+--- |
|
| 33 |
+ kernel/time/alarmtimer.c | 3 ++- |
|
| 34 |
+ 1 file changed, 2 insertions(+), 1 deletion(-) |
|
| 35 |
+ |
|
| 36 |
+[ Srinidhi Rao: Backported this fix to linux-stable 4.9 branch ] |
|
| 37 |
+ |
|
| 38 |
+Signed-off-by: srinidhira0 <srinidhira0.linuxvk@gmail.com> |
|
| 39 |
+--- |
|
| 40 |
+ kernel/time/alarmtimer.c | 2 +- |
|
| 41 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
|
| 42 |
+ |
|
| 43 |
+diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c |
|
| 44 |
+index d67ef56c..ef11f63 100644 |
|
| 45 |
+--- a/kernel/time/alarmtimer.c |
|
| 46 |
+@@ -786,7 +786,7 @@ static int alarm_timer_nsleep(const clockid_t which_clock, int flags, |
|
| 47 |
+ /* Convert (if necessary) to absolute time */ |
|
| 48 |
+ if (flags != TIMER_ABSTIME) {
|
|
| 49 |
+ ktime_t now = alarm_bases[type].gettime(); |
|
| 50 |
+- exp = ktime_add(now, exp); |
|
| 51 |
++ exp = ktime_add_safe(now, exp); |
|
| 52 |
+ } |
|
| 53 |
+ |
|
| 54 |
+ if (alarmtimer_do_nsleep(&alarm, exp)) |
|
| 55 |
+-- |
|
| 56 |
+2.7.4 |
|
| 57 |
+ |
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-aws |
| 4 | 4 |
Version: 4.9.124 |
| 5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -65,6 +65,8 @@ Patch45: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch |
| 65 | 65 |
Patch46: 0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch |
| 66 | 66 |
Patch47: 0002-xfs-verify-dinode-header-first.patch |
| 67 | 67 |
Patch48: 0003-xfs-enhance-dinode-verifier.patch |
| 68 |
+# Fix for CVE-2018-13053 |
|
| 69 |
+Patch49: 0001-alarmtimer-Prevent-overflow-for-relative-nanosleep.patch |
|
| 68 | 70 |
|
| 69 | 71 |
# Out-of-tree patches from AppArmor: |
| 70 | 72 |
Patch71: 0001-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch |
| ... | ... |
@@ -231,6 +233,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
| 231 | 231 |
%patch46 -p1 |
| 232 | 232 |
%patch47 -p1 |
| 233 | 233 |
%patch48 -p1 |
| 234 |
+%patch49 -p1 |
|
| 234 | 235 |
|
| 235 | 236 |
%patch71 -p1 |
| 236 | 237 |
%patch72 -p1 |
| ... | ... |
@@ -440,6 +443,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 440 | 440 |
/usr/share/doc/* |
| 441 | 441 |
|
| 442 | 442 |
%changelog |
| 443 |
+* Mon Sep 10 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.124-2 |
|
| 444 |
+- Fix for CVE-2018-13053 |
|
| 443 | 445 |
* Fri Aug 24 2018 Bo Gan <ganb@vmware.com> 4.9.124-1 |
| 444 | 446 |
- Update to version 4.9.124 |
| 445 | 447 |
* Fri Aug 17 2018 Bo Gan <ganb@vmware.com> 4.9.120-1 |
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-esx |
| 4 | 4 |
Version: 4.9.124 |
| 5 |
-Release: 1%{?dist}
|
|
| 5 |
+Release: 2%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -62,7 +62,8 @@ Patch45: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch |
| 62 | 62 |
Patch46: 0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch |
| 63 | 63 |
Patch47: 0002-xfs-verify-dinode-header-first.patch |
| 64 | 64 |
Patch48: 0003-xfs-enhance-dinode-verifier.patch |
| 65 |
- |
|
| 65 |
+# Fix for CVE-2018-13053 |
|
| 66 |
+Patch49: 0001-alarmtimer-Prevent-overflow-for-relative-nanosleep.patch |
|
| 66 | 67 |
|
| 67 | 68 |
BuildRequires: bc |
| 68 | 69 |
BuildRequires: kbd |
| ... | ... |
@@ -141,6 +142,7 @@ The Linux package contains the Linux kernel doc files |
| 141 | 141 |
%patch46 -p1 |
| 142 | 142 |
%patch47 -p1 |
| 143 | 143 |
%patch48 -p1 |
| 144 |
+%patch49 -p1 |
|
| 144 | 145 |
|
| 145 | 146 |
|
| 146 | 147 |
%build |
| ... | ... |
@@ -238,6 +240,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 238 | 238 |
/usr/src/linux-headers-%{uname_r}
|
| 239 | 239 |
|
| 240 | 240 |
%changelog |
| 241 |
+* Mon Sep 10 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.124-2 |
|
| 242 |
+- Fix for CVE-2018-13053 |
|
| 241 | 243 |
* Fri Aug 24 2018 Bo Gan <ganb@vmware.com> 4.9.124-1 |
| 242 | 244 |
- Update to version 4.9.124 |
| 243 | 245 |
* Fri Aug 17 2018 Bo Gan <ganb@vmware.com> 4.9.120-1 |
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-secure |
| 4 | 4 |
Version: 4.9.124 |
| 5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -71,7 +71,8 @@ Patch47: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch |
| 71 | 71 |
Patch48: 0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch |
| 72 | 72 |
Patch49: 0002-xfs-verify-dinode-header-first.patch |
| 73 | 73 |
Patch50: 0003-xfs-enhance-dinode-verifier.patch |
| 74 |
- |
|
| 74 |
+# Fix for CVE-2018-13053 |
|
| 75 |
+Patch51: 0001-alarmtimer-Prevent-overflow-for-relative-nanosleep.patch |
|
| 75 | 76 |
|
| 76 | 77 |
# Out-of-tree patches from AppArmor: |
| 77 | 78 |
Patch71: 0001-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch |
| ... | ... |
@@ -198,6 +199,7 @@ EOF |
| 198 | 198 |
%patch48 -p1 |
| 199 | 199 |
%patch49 -p1 |
| 200 | 200 |
%patch50 -p1 |
| 201 |
+%patch51 -p1 |
|
| 201 | 202 |
|
| 202 | 203 |
|
| 203 | 204 |
%patch71 -p1 |
| ... | ... |
@@ -334,6 +336,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 334 | 334 |
/usr/src/linux-headers-%{uname_r}
|
| 335 | 335 |
|
| 336 | 336 |
%changelog |
| 337 |
+* Mon Sep 10 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.124-2 |
|
| 338 |
+- Fix for CVE-2018-13053 |
|
| 337 | 339 |
* Fri Aug 24 2018 Bo Gan <ganb@vmware.com> 4.9.124-1 |
| 338 | 340 |
- Update to version 4.9.124 |
| 339 | 341 |
* Fri Aug 17 2018 Bo Gan <ganb@vmware.com> 4.9.120-1 |
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux |
| 4 | 4 |
Version: 4.9.124 |
| 5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -70,6 +70,8 @@ Patch45: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch |
| 70 | 70 |
Patch46: 0001-xfs-move-inode-fork-verifiers-to-xfs-dinode-verify.patch |
| 71 | 71 |
Patch47: 0002-xfs-verify-dinode-header-first.patch |
| 72 | 72 |
Patch48: 0003-xfs-enhance-dinode-verifier.patch |
| 73 |
+# Fix for CVE-2018-13053 |
|
| 74 |
+Patch49: 0001-alarmtimer-Prevent-overflow-for-relative-nanosleep.patch |
|
| 73 | 75 |
|
| 74 | 76 |
# Out-of-tree patches from AppArmor: |
| 75 | 77 |
Patch71: 0001-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch |
| ... | ... |
@@ -189,6 +191,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
| 189 | 189 |
%patch46 -p1 |
| 190 | 190 |
%patch47 -p1 |
| 191 | 191 |
%patch48 -p1 |
| 192 |
+%patch49 -p1 |
|
| 192 | 193 |
|
| 193 | 194 |
%patch71 -p1 |
| 194 | 195 |
%patch72 -p1 |
| ... | ... |
@@ -363,6 +366,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 363 | 363 |
/usr/share/doc/* |
| 364 | 364 |
|
| 365 | 365 |
%changelog |
| 366 |
+* Mon Sep 10 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.124-2 |
|
| 367 |
+- Fix for CVE-2018-13053 |
|
| 366 | 368 |
* Fri Aug 24 2018 Bo Gan <ganb@vmware.com> 4.9.124-1 |
| 367 | 369 |
- Update to version 4.9.124 |
| 368 | 370 |
* Fri Aug 17 2018 Bo Gan <ganb@vmware.com> 4.9.120-1 |