Browse code
kernels: Fix CVE-2017-8824, CVE-2017-17448, CVE-2017-17450
Update to kernel version 4.4.109 and apply patches on top to fix the
above mentioned CVEs.
Change-Id: I76ea75f242213f2040cb4aea1c8d71e40e38a9d1
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4580
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Srivatsa S. Bhat authored on 2018/01/03 07:56:39Showing 6 changed files
- SPECS/linux-api-headers/linux-api-headers.spec
- SPECS/linux/dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
- SPECS/linux/linux-esx.spec
- SPECS/linux/linux.spec
- SPECS/linux/netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- SPECS/linux/netfilter-xt_osf-Add-missing-permission-checks.patch
| ... | ... |
@@ -1,6 +1,6 @@ |
| 1 | 1 |
Summary: Linux API header files |
| 2 | 2 |
Name: linux-api-headers |
| 3 |
-Version: 4.4.106 |
|
| 3 |
+Version: 4.4.109 |
|
| 4 | 4 |
Release: 1%{?dist}
|
| 5 | 5 |
License: GPLv2 |
| 6 | 6 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -8,7 +8,7 @@ Group: System Environment/Kernel |
| 8 | 8 |
Vendor: VMware, Inc. |
| 9 | 9 |
Distribution: Photon |
| 10 | 10 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
|
| 11 |
-%define sha1 linux=a40a7f291d85f9373f024946faa8c7dcb6dc7fdb |
|
| 11 |
+%define sha1 linux=bcc074736b9ba1801d04371e0a9a4bfd8a5a2967 |
|
| 12 | 12 |
BuildArch: noarch |
| 13 | 13 |
# From SPECS/linux and used by linux-esx only |
| 14 | 14 |
# It provides f*xattrat syscalls |
| ... | ... |
@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de
|
| 29 | 29 |
%defattr(-,root,root) |
| 30 | 30 |
%{_includedir}/*
|
| 31 | 31 |
%changelog |
| 32 |
+* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.109-1 |
|
| 33 |
+- Version update |
|
| 32 | 34 |
* Tue Dec 19 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.106-1 |
| 33 | 35 |
- Version update |
| 34 | 36 |
* Fri Dec 08 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.104-1 |
| 35 | 37 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,37 @@ |
| 0 |
+commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 |
|
| 1 |
+Author: Mohamed Ghannam <simo.ghannam@gmail.com> |
|
| 2 |
+Date: Tue Dec 5 20:58:35 2017 +0000 |
|
| 3 |
+ |
|
| 4 |
+ dccp: CVE-2017-8824: use-after-free in DCCP code |
|
| 5 |
+ |
|
| 6 |
+ Whenever the sock object is in DCCP_CLOSED state, |
|
| 7 |
+ dccp_disconnect() must free dccps_hc_tx_ccid and |
|
| 8 |
+ dccps_hc_rx_ccid and set to NULL. |
|
| 9 |
+ |
|
| 10 |
+ Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com> |
|
| 11 |
+ Reviewed-by: Eric Dumazet <edumazet@google.com> |
|
| 12 |
+ Signed-off-by: David S. Miller <davem@davemloft.net> |
|
| 13 |
+ |
|
| 14 |
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c |
|
| 15 |
+index b68168f..9d43c1f 100644 |
|
| 16 |
+--- a/net/dccp/proto.c |
|
| 17 |
+@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags) |
|
| 18 |
+ {
|
|
| 19 |
+ struct inet_connection_sock *icsk = inet_csk(sk); |
|
| 20 |
+ struct inet_sock *inet = inet_sk(sk); |
|
| 21 |
++ struct dccp_sock *dp = dccp_sk(sk); |
|
| 22 |
+ int err = 0; |
|
| 23 |
+ const int old_state = sk->sk_state; |
|
| 24 |
+ |
|
| 25 |
+@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags) |
|
| 26 |
+ sk->sk_err = ECONNRESET; |
|
| 27 |
+ |
|
| 28 |
+ dccp_clear_xmit_timers(sk); |
|
| 29 |
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk); |
|
| 30 |
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk); |
|
| 31 |
++ dp->dccps_hc_rx_ccid = NULL; |
|
| 32 |
++ dp->dccps_hc_tx_ccid = NULL; |
|
| 33 |
+ |
|
| 34 |
+ __skb_queue_purge(&sk->sk_receive_queue); |
|
| 35 |
+ __skb_queue_purge(&sk->sk_write_queue); |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
%global security_hardening none |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-esx |
| 4 |
-Version: 4.4.106 |
|
| 4 |
+Version: 4.4.109 |
|
| 5 | 5 |
Release: 1%{?dist}
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
| 9 | 9 |
Vendor: VMware, Inc. |
| 10 | 10 |
Distribution: Photon |
| 11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
|
| 12 |
-%define sha1 linux=a40a7f291d85f9373f024946faa8c7dcb6dc7fdb |
|
| 12 |
+%define sha1 linux=bcc074736b9ba1801d04371e0a9a4bfd8a5a2967 |
|
| 13 | 13 |
Source1: config-esx |
| 14 | 14 |
Patch0: double-tcp_mem-limits.patch |
| 15 | 15 |
Patch1: linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch |
| ... | ... |
@@ -37,8 +37,14 @@ Patch22: net-9p-vsock.patch |
| 37 | 37 |
Patch23: p9fs_dir_readdir-offset-support.patch |
| 38 | 38 |
Patch24: Implement-the-f-xattrat-family-of-functions.patch |
| 39 | 39 |
# Fix CVE-2017-11472 |
| 40 |
-Patch25: ACPICA-Namespace-fix-operand-cache-leak.patch |
|
| 40 |
+Patch25: ACPICA-Namespace-fix-operand-cache-leak.patch |
|
| 41 | 41 |
Patch26: init-do_mounts-recreate-dev-root.patch |
| 42 |
+# Fix CVE-2017-8824 |
|
| 43 |
+Patch27: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
|
| 44 |
+# Fix CVE-2017-17448 |
|
| 45 |
+Patch28: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
|
| 46 |
+# Fix CVE-2017-17450 |
|
| 47 |
+Patch29: netfilter-xt_osf-Add-missing-permission-checks.patch |
|
| 42 | 48 |
|
| 43 | 49 |
BuildRequires: bc |
| 44 | 50 |
BuildRequires: kbd |
| ... | ... |
@@ -102,6 +108,9 @@ The Linux package contains the Linux kernel doc files |
| 102 | 102 |
%patch24 -p1 |
| 103 | 103 |
%patch25 -p1 |
| 104 | 104 |
%patch26 -p1 |
| 105 |
+%patch27 -p1 |
|
| 106 |
+%patch28 -p1 |
|
| 107 |
+%patch29 -p1 |
|
| 105 | 108 |
|
| 106 | 109 |
%build |
| 107 | 110 |
# patch vmw_balloon driver |
| ... | ... |
@@ -190,6 +199,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 190 | 190 |
/usr/src/linux-headers-%{uname_r}
|
| 191 | 191 |
|
| 192 | 192 |
%changelog |
| 193 |
+* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.109-1 |
|
| 194 |
+- Version update |
|
| 195 |
+- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450. |
|
| 193 | 196 |
* Tue Dec 19 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.106-1 |
| 194 | 197 |
- Version update |
| 195 | 198 |
* Fri Dec 08 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.104-1 |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
%global security_hardening none |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux |
| 4 |
-Version: 4.4.106 |
|
| 4 |
+Version: 4.4.109 |
|
| 5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist}
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
| 9 | 9 |
Vendor: VMware, Inc. |
| 10 | 10 |
Distribution: Photon |
| 11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz
|
| 12 |
-%define sha1 linux=a40a7f291d85f9373f024946faa8c7dcb6dc7fdb |
|
| 12 |
+%define sha1 linux=bcc074736b9ba1801d04371e0a9a4bfd8a5a2967 |
|
| 13 | 13 |
Source1: config |
| 14 | 14 |
%define ena_version 1.1.3 |
| 15 | 15 |
Source2: https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz |
| ... | ... |
@@ -38,6 +38,12 @@ Patch17: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
| 38 | 38 |
Patch18: 0002-allow-also-ecb-cipher_null.patch |
| 39 | 39 |
# Fix CVE-2017-11472 |
| 40 | 40 |
Patch20: ACPICA-Namespace-fix-operand-cache-leak.patch |
| 41 |
+# Fix CVE-2017-8824 |
|
| 42 |
+Patch21: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
|
| 43 |
+# Fix CVE-2017-17448 |
|
| 44 |
+Patch22: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
|
| 45 |
+# Fix CVE-2017-17450 |
|
| 46 |
+Patch23: netfilter-xt_osf-Add-missing-permission-checks.patch |
|
| 41 | 47 |
|
| 42 | 48 |
%if 0%{?kat_build:1}
|
| 43 | 49 |
Patch1000: %{kat_build}.patch
|
| ... | ... |
@@ -131,6 +137,9 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
| 131 | 131 |
%patch17 -p1 |
| 132 | 132 |
%patch18 -p1 |
| 133 | 133 |
%patch20 -p1 |
| 134 |
+%patch21 -p1 |
|
| 135 |
+%patch22 -p1 |
|
| 136 |
+%patch23 -p1 |
|
| 134 | 137 |
|
| 135 | 138 |
%if 0%{?kat_build:1}
|
| 136 | 139 |
%patch1000 -p1 |
| ... | ... |
@@ -287,6 +296,9 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 287 | 287 |
/usr/share/perf-core |
| 288 | 288 |
|
| 289 | 289 |
%changelog |
| 290 |
+* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.109-1 |
|
| 291 |
+- Version update |
|
| 292 |
+- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450. |
|
| 290 | 293 |
* Tue Dec 19 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.106-1 |
| 291 | 294 |
- Version update |
| 292 | 295 |
* Tue Dec 12 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.104-2 |
| 293 | 296 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,73 @@ |
| 0 |
+commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 |
|
| 1 |
+Author: Kevin Cernekee <cernekee@chromium.org> |
|
| 2 |
+Date: Sun Dec 3 12:12:45 2017 -0800 |
|
| 3 |
+ |
|
| 4 |
+ netfilter: nfnetlink_cthelper: Add missing permission checks |
|
| 5 |
+ |
|
| 6 |
+ The capability check in nfnetlink_rcv() verifies that the caller |
|
| 7 |
+ has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. |
|
| 8 |
+ However, nfnl_cthelper_list is shared by all net namespaces on the |
|
| 9 |
+ system. An unprivileged user can create user and net namespaces |
|
| 10 |
+ in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() |
|
| 11 |
+ check: |
|
| 12 |
+ |
|
| 13 |
+ $ nfct helper list |
|
| 14 |
+ nfct v1.4.4: netlink error: Operation not permitted |
|
| 15 |
+ $ vpnns -- nfct helper list |
|
| 16 |
+ {
|
|
| 17 |
+ .name = ftp, |
|
| 18 |
+ .queuenum = 0, |
|
| 19 |
+ .l3protonum = 2, |
|
| 20 |
+ .l4protonum = 6, |
|
| 21 |
+ .priv_data_len = 24, |
|
| 22 |
+ .status = enabled, |
|
| 23 |
+ }; |
|
| 24 |
+ |
|
| 25 |
+ Add capable() checks in nfnetlink_cthelper, as this is cleaner than |
|
| 26 |
+ trying to generalize the solution. |
|
| 27 |
+ |
|
| 28 |
+ Signed-off-by: Kevin Cernekee <cernekee@chromium.org> |
|
| 29 |
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
|
| 30 |
+ |
|
| 31 |
+diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c |
|
| 32 |
+index 41628b3..d33ce6d 100644 |
|
| 33 |
+--- a/net/netfilter/nfnetlink_cthelper.c |
|
| 34 |
+@@ -17,6 +17,7 @@ |
|
| 35 |
+ #include <linux/types.h> |
|
| 36 |
+ #include <linux/list.h> |
|
| 37 |
+ #include <linux/errno.h> |
|
| 38 |
++#include <linux/capability.h> |
|
| 39 |
+ #include <net/netlink.h> |
|
| 40 |
+ #include <net/sock.h> |
|
| 41 |
+ |
|
| 42 |
+@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl, |
|
| 43 |
+ struct nfnl_cthelper *nlcth; |
|
| 44 |
+ int ret = 0; |
|
| 45 |
+ |
|
| 46 |
++ if (!capable(CAP_NET_ADMIN)) |
|
| 47 |
++ return -EPERM; |
|
| 48 |
++ |
|
| 49 |
+ if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) |
|
| 50 |
+ return -EINVAL; |
|
| 51 |
+ |
|
| 52 |
+@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl, |
|
| 53 |
+ struct nfnl_cthelper *nlcth; |
|
| 54 |
+ bool tuple_set = false; |
|
| 55 |
+ |
|
| 56 |
++ if (!capable(CAP_NET_ADMIN)) |
|
| 57 |
++ return -EPERM; |
|
| 58 |
++ |
|
| 59 |
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
|
|
| 60 |
+ struct netlink_dump_control c = {
|
|
| 61 |
+ .dump = nfnl_cthelper_dump_table, |
|
| 62 |
+@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl, |
|
| 63 |
+ struct nfnl_cthelper *nlcth, *n; |
|
| 64 |
+ int j = 0, ret; |
|
| 65 |
+ |
|
| 66 |
++ if (!capable(CAP_NET_ADMIN)) |
|
| 67 |
++ return -EPERM; |
|
| 68 |
++ |
|
| 69 |
+ if (tb[NFCTH_NAME]) |
|
| 70 |
+ helper_name = nla_data(tb[NFCTH_NAME]); |
|
| 71 |
+ |
| 0 | 72 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,55 @@ |
| 0 |
+commit 916a27901de01446bcf57ecca4783f6cff493309 |
|
| 1 |
+Author: Kevin Cernekee <cernekee@chromium.org> |
|
| 2 |
+Date: Tue Dec 5 15:42:41 2017 -0800 |
|
| 3 |
+ |
|
| 4 |
+ netfilter: xt_osf: Add missing permission checks |
|
| 5 |
+ |
|
| 6 |
+ The capability check in nfnetlink_rcv() verifies that the caller |
|
| 7 |
+ has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. |
|
| 8 |
+ However, xt_osf_fingers is shared by all net namespaces on the |
|
| 9 |
+ system. An unprivileged user can create user and net namespaces |
|
| 10 |
+ in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() |
|
| 11 |
+ check: |
|
| 12 |
+ |
|
| 13 |
+ vpnns -- nfnl_osf -f /tmp/pf.os |
|
| 14 |
+ |
|
| 15 |
+ vpnns -- nfnl_osf -f /tmp/pf.os -d |
|
| 16 |
+ |
|
| 17 |
+ These non-root operations successfully modify the systemwide OS |
|
| 18 |
+ fingerprint list. Add new capable() checks so that they can't. |
|
| 19 |
+ |
|
| 20 |
+ Signed-off-by: Kevin Cernekee <cernekee@chromium.org> |
|
| 21 |
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
|
| 22 |
+ |
|
| 23 |
+diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c |
|
| 24 |
+index 36e14b1..a34f314 100644 |
|
| 25 |
+--- a/net/netfilter/xt_osf.c |
|
| 26 |
+@@ -19,6 +19,7 @@ |
|
| 27 |
+ #include <linux/module.h> |
|
| 28 |
+ #include <linux/kernel.h> |
|
| 29 |
+ |
|
| 30 |
++#include <linux/capability.h> |
|
| 31 |
+ #include <linux/if.h> |
|
| 32 |
+ #include <linux/inetdevice.h> |
|
| 33 |
+ #include <linux/ip.h> |
|
| 34 |
+@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl, |
|
| 35 |
+ struct xt_osf_finger *kf = NULL, *sf; |
|
| 36 |
+ int err = 0; |
|
| 37 |
+ |
|
| 38 |
++ if (!capable(CAP_NET_ADMIN)) |
|
| 39 |
++ return -EPERM; |
|
| 40 |
++ |
|
| 41 |
+ if (!osf_attrs[OSF_ATTR_FINGER]) |
|
| 42 |
+ return -EINVAL; |
|
| 43 |
+ |
|
| 44 |
+@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl, |
|
| 45 |
+ struct xt_osf_finger *sf; |
|
| 46 |
+ int err = -ENOENT; |
|
| 47 |
+ |
|
| 48 |
++ if (!capable(CAP_NET_ADMIN)) |
|
| 49 |
++ return -EPERM; |
|
| 50 |
++ |
|
| 51 |
+ if (!osf_attrs[OSF_ATTR_FINGER]) |
|
| 52 |
+ return -EINVAL; |
|
| 53 |
+ |