Change-Id: Id74b883d15904f9a5320c7536d7680c37f4f47a5
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5110
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,172 @@ |
| 0 |
+From 2b16f048729bf35e6c28a40cbfad07239f9dcd90 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Axtens <dja@axtens.net> |
|
| 2 |
+Date: Wed, 31 Jan 2018 14:15:33 +1100 |
|
| 3 |
+Subject: [PATCH] net: create skb_gso_validate_mac_len() |
|
| 4 |
+ |
|
| 5 |
+If you take a GSO skb, and split it into packets, will the MAC |
|
| 6 |
+length (L2 + L3 + L4 headers + payload) of those packets be small |
|
| 7 |
+enough to fit within a given length? |
|
| 8 |
+ |
|
| 9 |
+Move skb_gso_mac_seglen() to skbuff.h with other related functions |
|
| 10 |
+like skb_gso_network_seglen() so we can use it, and then create |
|
| 11 |
+skb_gso_validate_mac_len to do the full calculation. |
|
| 12 |
+ |
|
| 13 |
+Signed-off-by: Daniel Axtens <dja@axtens.net> |
|
| 14 |
+Signed-off-by: David S. Miller <davem@davemloft.net> |
|
| 15 |
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu> |
|
| 16 |
+--- |
|
| 17 |
+ include/linux/skbuff.h | 16 +++++++++++++ |
|
| 18 |
+ net/core/skbuff.c | 63 +++++++++++++++++++++++++++++++++++++++----------- |
|
| 19 |
+ net/sched/sch_tbf.c | 10 -------- |
|
| 20 |
+ 3 files changed, 66 insertions(+), 23 deletions(-) |
|
| 21 |
+ |
|
| 22 |
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h |
|
| 23 |
+index 1b3a2f9..5d34da2 100644 |
|
| 24 |
+--- a/include/linux/skbuff.h |
|
| 25 |
+@@ -3077,6 +3077,7 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen); |
|
| 26 |
+ void skb_scrub_packet(struct sk_buff *skb, bool xnet); |
|
| 27 |
+ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb); |
|
| 28 |
+ bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu); |
|
| 29 |
++bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len); |
|
| 30 |
+ struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features); |
|
| 31 |
+ struct sk_buff *skb_vlan_untag(struct sk_buff *skb); |
|
| 32 |
+ int skb_ensure_writable(struct sk_buff *skb, int write_len); |
|
| 33 |
+@@ -3855,6 +3856,21 @@ static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb) |
|
| 34 |
+ return hdr_len + skb_gso_transport_seglen(skb); |
|
| 35 |
+ } |
|
| 36 |
+ |
|
| 37 |
++/** |
|
| 38 |
++ * skb_gso_mac_seglen - Return length of individual segments of a gso packet |
|
| 39 |
++ * |
|
| 40 |
++ * @skb: GSO skb |
|
| 41 |
++ * |
|
| 42 |
++ * skb_gso_mac_seglen is used to determine the real size of the |
|
| 43 |
++ * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4 |
|
| 44 |
++ * headers (TCP/UDP). |
|
| 45 |
++ */ |
|
| 46 |
++static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb) |
|
| 47 |
++{
|
|
| 48 |
++ unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb); |
|
| 49 |
++ return hdr_len + skb_gso_transport_seglen(skb); |
|
| 50 |
++} |
|
| 51 |
++ |
|
| 52 |
+ /* Local Checksum Offload. |
|
| 53 |
+ * Compute outer checksum based on the assumption that the |
|
| 54 |
+ * inner checksum will be offloaded later. |
|
| 55 |
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c |
|
| 56 |
+index fb422df..40f966e 100644 |
|
| 57 |
+--- a/net/core/skbuff.c |
|
| 58 |
+@@ -4441,37 +4441,74 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb) |
|
| 59 |
+ EXPORT_SYMBOL_GPL(skb_gso_transport_seglen); |
|
| 60 |
+ |
|
| 61 |
+ /** |
|
| 62 |
+- * skb_gso_validate_mtu - Return in case such skb fits a given MTU |
|
| 63 |
++ * skb_gso_size_check - check the skb size, considering GSO_BY_FRAGS |
|
| 64 |
+ * |
|
| 65 |
+- * @skb: GSO skb |
|
| 66 |
+- * @mtu: MTU to validate against |
|
| 67 |
++ * There are a couple of instances where we have a GSO skb, and we |
|
| 68 |
++ * want to determine what size it would be after it is segmented. |
|
| 69 |
+ * |
|
| 70 |
+- * skb_gso_validate_mtu validates if a given skb will fit a wanted MTU |
|
| 71 |
+- * once split. |
|
| 72 |
++ * We might want to check: |
|
| 73 |
++ * - L3+L4+payload size (e.g. IP forwarding) |
|
| 74 |
++ * - L2+L3+L4+payload size (e.g. sanity check before passing to driver) |
|
| 75 |
++ * |
|
| 76 |
++ * This is a helper to do that correctly considering GSO_BY_FRAGS. |
|
| 77 |
++ * |
|
| 78 |
++ * @seg_len: The segmented length (from skb_gso_*_seglen). In the |
|
| 79 |
++ * GSO_BY_FRAGS case this will be [header sizes + GSO_BY_FRAGS]. |
|
| 80 |
++ * |
|
| 81 |
++ * @max_len: The maximum permissible length. |
|
| 82 |
++ * |
|
| 83 |
++ * Returns true if the segmented length <= max length. |
|
| 84 |
+ */ |
|
| 85 |
+-bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu) |
|
| 86 |
+-{
|
|
| 87 |
++static inline bool skb_gso_size_check(const struct sk_buff *skb, |
|
| 88 |
++ unsigned int seg_len, |
|
| 89 |
++ unsigned int max_len) {
|
|
| 90 |
+ const struct skb_shared_info *shinfo = skb_shinfo(skb); |
|
| 91 |
+ const struct sk_buff *iter; |
|
| 92 |
+- unsigned int hlen; |
|
| 93 |
+- |
|
| 94 |
+- hlen = skb_gso_network_seglen(skb); |
|
| 95 |
+ |
|
| 96 |
+ if (shinfo->gso_size != GSO_BY_FRAGS) |
|
| 97 |
+- return hlen <= mtu; |
|
| 98 |
++ return seg_len <= max_len; |
|
| 99 |
+ |
|
| 100 |
+ /* Undo this so we can re-use header sizes */ |
|
| 101 |
+- hlen -= GSO_BY_FRAGS; |
|
| 102 |
++ seg_len -= GSO_BY_FRAGS; |
|
| 103 |
+ |
|
| 104 |
+ skb_walk_frags(skb, iter) {
|
|
| 105 |
+- if (hlen + skb_headlen(iter) > mtu) |
|
| 106 |
++ if (seg_len + skb_headlen(iter) > max_len) |
|
| 107 |
+ return false; |
|
| 108 |
+ } |
|
| 109 |
+ |
|
| 110 |
+ return true; |
|
| 111 |
+ } |
|
| 112 |
++ |
|
| 113 |
++/** |
|
| 114 |
++ * skb_gso_validate_mtu - Return in case such skb fits a given MTU |
|
| 115 |
++ * |
|
| 116 |
++ * @skb: GSO skb |
|
| 117 |
++ * @mtu: MTU to validate against |
|
| 118 |
++ * |
|
| 119 |
++ * skb_gso_validate_mtu validates if a given skb will fit a wanted MTU |
|
| 120 |
++ * once split. |
|
| 121 |
++ */ |
|
| 122 |
++bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu) |
|
| 123 |
++{
|
|
| 124 |
++ return skb_gso_size_check(skb, skb_gso_network_seglen(skb), mtu); |
|
| 125 |
++} |
|
| 126 |
+ EXPORT_SYMBOL_GPL(skb_gso_validate_mtu); |
|
| 127 |
+ |
|
| 128 |
++/** |
|
| 129 |
++ * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length? |
|
| 130 |
++ * |
|
| 131 |
++ * @skb: GSO skb |
|
| 132 |
++ * @len: length to validate against |
|
| 133 |
++ * |
|
| 134 |
++ * skb_gso_validate_mac_len validates if a given skb will fit a wanted |
|
| 135 |
++ * length once split, including L2, L3 and L4 headers and the payload. |
|
| 136 |
++ */ |
|
| 137 |
++bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len) |
|
| 138 |
++{
|
|
| 139 |
++ return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len); |
|
| 140 |
++} |
|
| 141 |
++EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len); |
|
| 142 |
++ |
|
| 143 |
+ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) |
|
| 144 |
+ {
|
|
| 145 |
+ if (skb_cow(skb, skb_headroom(skb)) < 0) {
|
|
| 146 |
+diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c |
|
| 147 |
+index 303355c..ad60a45 100644 |
|
| 148 |
+--- a/net/sched/sch_tbf.c |
|
| 149 |
+@@ -142,16 +142,6 @@ static u64 psched_ns_t2l(const struct psched_ratecfg *r, |
|
| 150 |
+ return len; |
|
| 151 |
+ } |
|
| 152 |
+ |
|
| 153 |
+-/* |
|
| 154 |
+- * Return length of individual segments of a gso packet, |
|
| 155 |
+- * including all headers (MAC, IP, TCP/UDP) |
|
| 156 |
+- */ |
|
| 157 |
+-static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb) |
|
| 158 |
+-{
|
|
| 159 |
+- unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb); |
|
| 160 |
+- return hdr_len + skb_gso_transport_seglen(skb); |
|
| 161 |
+-} |
|
| 162 |
+- |
|
| 163 |
+ /* GSO packet is too big, segment it so that tbf can transmit |
|
| 164 |
+ * each segment in time |
|
| 165 |
+ */ |
|
| 166 |
+-- |
|
| 167 |
+2.7.4 |
|
| 168 |
+ |
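Review bot: The kernel-doc added for `skb_gso_size_check()` in net/core/skbuff.c documents `@seg_len` and `@max_len` but not `@skb`, and neither it nor the `skb_gso_validate_mac_len()` comment says the skb must already be known to be GSO with its MAC and transport header offsets set. That matters more after this change, because `skb_gso_mac_seglen()` moves from a file-local helper in sch_tbf.c to skbuff.h and the validator is exported, so new callers will rely on the comment alone. `hdr_len` is an `unsigned int` difference of two header pointers and would presumably wrap to a very large value if the offsets are not as expected. I would add a line such as ` * @skb: GSO skb (caller has checked skb_is_gso(); MAC and transport headers are set)` to both comments. The bnx2x caller in the second patch does test `skb_is_gso(skb)` first, which is the pattern worth writing down.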
| 0 | 169 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,58 @@ |
| 0 |
+From 8914a595110a6eca69a5e275b323f5d09e18f4f9 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Daniel Axtens <dja@axtens.net> |
|
| 2 |
+Date: Wed, 31 Jan 2018 14:15:34 +1100 |
|
| 3 |
+Subject: [PATCH] bnx2x: disable GSO where gso_size is too big for hardware |
|
| 4 |
+ |
|
| 5 |
+If a bnx2x card is passed a GSO packet with a gso_size larger than |
|
| 6 |
+~9700 bytes, it will cause a firmware error that will bring the card |
|
| 7 |
+down: |
|
| 8 |
+ |
|
| 9 |
+bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert! |
|
| 10 |
+bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2 |
|
| 11 |
+bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052 |
|
| 12 |
+bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1 |
|
| 13 |
+... (dump of values continues) ... |
|
| 14 |
+ |
|
| 15 |
+Detect when the mac length of a GSO packet is greater than the maximum |
|
| 16 |
+packet size (9700 bytes) and disable GSO. |
|
| 17 |
+ |
|
| 18 |
+Signed-off-by: Daniel Axtens <dja@axtens.net> |
|
| 19 |
+Reviewed-by: Eric Dumazet <edumazet@google.com> |
|
| 20 |
+Signed-off-by: David S. Miller <davem@davemloft.net> |
|
| 21 |
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu> |
|
| 22 |
+--- |
|
| 23 |
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 18 ++++++++++++++++++ |
|
| 24 |
+ 1 file changed, 18 insertions(+) |
|
| 25 |
+ |
|
| 26 |
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |
|
| 27 |
+index 554c408..72d90b2 100644 |
|
| 28 |
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |
|
| 29 |
+@@ -12930,6 +12930,24 @@ static netdev_features_t bnx2x_features_check(struct sk_buff *skb, |
|
| 30 |
+ struct net_device *dev, |
|
| 31 |
+ netdev_features_t features) |
|
| 32 |
+ {
|
|
| 33 |
++ /* |
|
| 34 |
++ * A skb with gso_size + header length > 9700 will cause a |
|
| 35 |
++ * firmware panic. Drop GSO support. |
|
| 36 |
++ * |
|
| 37 |
++ * Eventually the upper layer should not pass these packets down. |
|
| 38 |
++ * |
|
| 39 |
++ * For speed, if the gso_size is <= 9000, assume there will |
|
| 40 |
++ * not be 700 bytes of headers and pass it through. Only do a |
|
| 41 |
++ * full (slow) validation if the gso_size is > 9000. |
|
| 42 |
++ * |
|
| 43 |
++ * (Due to the way SKB_BY_FRAGS works this will also do a full |
|
| 44 |
++ * validation in that case.) |
|
| 45 |
++ */ |
|
| 46 |
++ if (unlikely(skb_is_gso(skb) && |
|
| 47 |
++ (skb_shinfo(skb)->gso_size > 9000) && |
|
| 48 |
++ !skb_gso_validate_mac_len(skb, 9700))) |
|
| 49 |
++ features &= ~NETIF_F_GSO_MASK; |
|
| 50 |
++ |
|
| 51 |
+ features = vlan_features_check(skb, features); |
|
| 52 |
+ return vxlan_features_check(skb, features); |
|
| 53 |
+ } |
|
| 54 |
+-- |
|
| 55 |
+2.7.4 |
|
| 56 |
+ |
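Review bot: The fast path in `bnx2x_features_check()` skips `skb_gso_validate_mac_len()` whenever `gso_size <= 9000`, so the 9700-byte firmware limit is enforced exactly only while the comment's assumption of fewer than 700 bytes of headers holds. Since the failure mode described is the card going down, it is worth confirming that assumption for encapsulated traffic, or dropping the pre-check and always running the full validation for GSO skbs. The literals 9000 and 9700 appear in both the comment and the condition and would read better as named constants, e.g. `#define BNX2X_MAX_GSO_MAC_LEN 9700` (a suggested name, not an existing symbol). The comment also refers to `SKB_BY_FRAGS`, while the helper added in the first patch tests `GSO_BY_FRAGS`; the comment should use the latter.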
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-aws |
| 4 | 4 |
Version: 4.9.97 |
| 5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -46,6 +46,9 @@ Patch30: vmxnet3-avoid-xmit-reset-due-to-a-race-in-vmxnet3.patch |
| 46 | 46 |
Patch31: vmxnet3-use-correct-flag-to-indicate-LRO-feature.patch |
| 47 | 47 |
Patch32: netfilter-ipset-pernet-ops-must-be-unregistered-last.patch |
| 48 | 48 |
Patch33: vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch |
| 49 |
+# Fixes for CVE-2018-1000026 |
|
| 50 |
+Patch34: 0001-net-create-skb_gso_validate_mac_len.patch |
|
| 51 |
+Patch35: 0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch |
|
| 49 | 52 |
|
| 50 | 53 |
# For Spectre |
| 51 | 54 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
| ... | ... |
@@ -209,6 +212,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
| 209 | 209 |
%patch31 -p1 |
| 210 | 210 |
%patch32 -p1 |
| 211 | 211 |
%patch33 -p1 |
| 212 |
+%patch34 -p1 |
|
| 213 |
+%patch35 -p1 |
|
| 212 | 214 |
|
| 213 | 215 |
%patch52 -p1 |
| 214 | 216 |
%patch53 -p1 |
| ... | ... |
@@ -428,6 +433,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 428 | 428 |
/usr/share/doc/* |
| 429 | 429 |
|
| 430 | 430 |
%changelog |
| 431 |
+* Tue May 01 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-2 |
|
| 432 |
+- Fix CVE-2018-1000026. |
|
| 431 | 433 |
* Mon Apr 30 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.97-1 |
| 432 | 434 |
- Update to version 4.9.97. Apply 3rd vmxnet3 patch. |
| 433 | 435 |
* Mon Apr 23 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.94-2 |
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-esx |
| 4 | 4 |
Version: 4.9.97 |
| 5 |
-Release: 1%{?dist}
|
|
| 5 |
+Release: 2%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -43,6 +43,10 @@ Patch30: vmxnet3-avoid-xmit-reset-due-to-a-race-in-vmxnet3.patch |
| 43 | 43 |
Patch31: vmxnet3-use-correct-flag-to-indicate-LRO-feature.patch |
| 44 | 44 |
Patch32: netfilter-ipset-pernet-ops-must-be-unregistered-last.patch |
| 45 | 45 |
Patch33: vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch |
| 46 |
+# Fixes for CVE-2018-1000026 |
|
| 47 |
+Patch34: 0001-net-create-skb_gso_validate_mac_len.patch |
|
| 48 |
+Patch35: 0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch |
|
| 49 |
+ |
|
| 46 | 50 |
# For Spectre |
| 47 | 51 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
| 48 | 52 |
Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch |
| ... | ... |
@@ -123,6 +127,8 @@ The Linux package contains the Linux kernel doc files |
| 123 | 123 |
%patch31 -p1 |
| 124 | 124 |
%patch32 -p1 |
| 125 | 125 |
%patch33 -p1 |
| 126 |
+%patch34 -p1 |
|
| 127 |
+%patch35 -p1 |
|
| 126 | 128 |
|
| 127 | 129 |
%patch52 -p1 |
| 128 | 130 |
%patch53 -p1 |
| ... | ... |
@@ -234,6 +240,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 234 | 234 |
/usr/src/linux-headers-%{uname_r}
|
| 235 | 235 |
|
| 236 | 236 |
%changelog |
| 237 |
+* Tue May 01 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-2 |
|
| 238 |
+- Fix CVE-2018-1000026. |
|
| 237 | 239 |
* Mon Apr 30 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.97-1 |
| 238 | 240 |
- Update to version 4.9.97. Apply 3rd vmxnet3 patch. |
| 239 | 241 |
* Mon Apr 23 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.94-2 |
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-secure |
| 4 | 4 |
Version: 4.9.97 |
| 5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -52,6 +52,10 @@ Patch32: vmxnet3-avoid-xmit-reset-due-to-a-race-in-vmxnet3.patch |
| 52 | 52 |
Patch33: vmxnet3-use-correct-flag-to-indicate-LRO-feature.patch |
| 53 | 53 |
Patch34: netfilter-ipset-pernet-ops-must-be-unregistered-last.patch |
| 54 | 54 |
Patch35: vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch |
| 55 |
+# Fixes for CVE-2018-1000026 |
|
| 56 |
+Patch36: 0001-net-create-skb_gso_validate_mac_len.patch |
|
| 57 |
+Patch37: 0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch |
|
| 58 |
+ |
|
| 55 | 59 |
# For Spectre |
| 56 | 60 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
| 57 | 61 |
Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch |
| ... | ... |
@@ -176,6 +180,8 @@ EOF |
| 176 | 176 |
%patch33 -p1 |
| 177 | 177 |
%patch34 -p1 |
| 178 | 178 |
%patch35 -p1 |
| 179 |
+%patch36 -p1 |
|
| 180 |
+%patch37 -p1 |
|
| 179 | 181 |
|
| 180 | 182 |
# spectre |
| 181 | 183 |
%patch52 -p1 |
| ... | ... |
@@ -323,6 +329,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 323 | 323 |
/usr/src/linux-headers-%{uname_r}
|
| 324 | 324 |
|
| 325 | 325 |
%changelog |
| 326 |
+* Tue May 01 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-2 |
|
| 327 |
+- Fix CVE-2018-1000026. |
|
| 326 | 328 |
* Mon Apr 30 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.97-1 |
| 327 | 329 |
- Update to version 4.9.97. Apply 3rd vmxnet3 patch. |
| 328 | 330 |
* Mon Apr 23 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.94-2 |
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux |
| 4 | 4 |
Version: 4.9.97 |
| 5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -50,6 +50,9 @@ Patch31: vmxnet3-use-correct-flag-to-indicate-LRO-feature.patch |
| 50 | 50 |
# To fix kernel PANIC in cascade |
| 51 | 51 |
Patch32: netfilter-ipset-pernet-ops-must-be-unregistered-last.patch |
| 52 | 52 |
Patch33: vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch |
| 53 |
+# Fixes for CVE-2018-1000026 |
|
| 54 |
+Patch34: 0001-net-create-skb_gso_validate_mac_len.patch |
|
| 55 |
+Patch35: 0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch |
|
| 53 | 56 |
|
| 54 | 57 |
# For Spectre |
| 55 | 58 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
| ... | ... |
@@ -168,6 +171,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
| 168 | 168 |
%patch31 -p1 |
| 169 | 169 |
%patch32 -p1 |
| 170 | 170 |
%patch33 -p1 |
| 171 |
+%patch34 -p1 |
|
| 172 |
+%patch35 -p1 |
|
| 171 | 173 |
|
| 172 | 174 |
%patch52 -p1 |
| 173 | 175 |
%patch53 -p1 |
| ... | ... |
@@ -350,6 +355,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 350 | 350 |
/usr/share/doc/* |
| 351 | 351 |
|
| 352 | 352 |
%changelog |
| 353 |
+* Tue May 01 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-2 |
|
| 354 |
+- Fix CVE-2018-1000026. |
|
| 353 | 355 |
* Mon Apr 30 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.97-1 |
| 354 | 356 |
- Update to version 4.9.97. Apply 3rd vmxnet3 patch. |
| 355 | 357 |
* Mon Apr 23 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.94-2 |