Update to kernel version 4.4.109 and apply patches on top to fix the
above mentioned CVEs.
Change-Id: I76ea75f242213f2040cb4aea1c8d71e40e38a9d1
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4580
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
Summary: Linux API header files |
2 | 2 |
Name: linux-api-headers |
3 |
-Version: 4.4.106 |
|
3 |
+Version: 4.4.109 |
|
4 | 4 |
Release: 1%{?dist} |
5 | 5 |
License: GPLv2 |
6 | 6 |
URL: http://www.kernel.org/ |
... | ... |
@@ -8,7 +8,7 @@ Group: System Environment/Kernel |
8 | 8 |
Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
11 |
-%define sha1 linux=a40a7f291d85f9373f024946faa8c7dcb6dc7fdb |
|
11 |
+%define sha1 linux=bcc074736b9ba1801d04371e0a9a4bfd8a5a2967 |
|
12 | 12 |
BuildArch: noarch |
13 | 13 |
# From SPECS/linux and used by linux-esx only |
14 | 14 |
# It provides f*xattrat syscalls |
... | ... |
@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de |
29 | 29 |
%defattr(-,root,root) |
30 | 30 |
%{_includedir}/* |
31 | 31 |
%changelog |
32 |
+* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.109-1 |
|
33 |
+- Version update |
|
32 | 34 |
* Tue Dec 19 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.106-1 |
33 | 35 |
- Version update |
34 | 36 |
* Fri Dec 08 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.104-1 |
35 | 37 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,37 @@ |
0 |
+commit 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 |
|
1 |
+Author: Mohamed Ghannam <simo.ghannam@gmail.com> |
|
2 |
+Date: Tue Dec 5 20:58:35 2017 +0000 |
|
3 |
+ |
|
4 |
+ dccp: CVE-2017-8824: use-after-free in DCCP code |
|
5 |
+ |
|
6 |
+ Whenever the sock object is in DCCP_CLOSED state, |
|
7 |
+ dccp_disconnect() must free dccps_hc_tx_ccid and |
|
8 |
+ dccps_hc_rx_ccid and set to NULL. |
|
9 |
+ |
|
10 |
+ Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com> |
|
11 |
+ Reviewed-by: Eric Dumazet <edumazet@google.com> |
|
12 |
+ Signed-off-by: David S. Miller <davem@davemloft.net> |
|
13 |
+ |
|
14 |
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c |
|
15 |
+index b68168f..9d43c1f 100644 |
|
16 |
+--- a/net/dccp/proto.c |
|
17 |
+@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags) |
|
18 |
+ { |
|
19 |
+ struct inet_connection_sock *icsk = inet_csk(sk); |
|
20 |
+ struct inet_sock *inet = inet_sk(sk); |
|
21 |
++ struct dccp_sock *dp = dccp_sk(sk); |
|
22 |
+ int err = 0; |
|
23 |
+ const int old_state = sk->sk_state; |
|
24 |
+ |
|
25 |
+@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags) |
|
26 |
+ sk->sk_err = ECONNRESET; |
|
27 |
+ |
|
28 |
+ dccp_clear_xmit_timers(sk); |
|
29 |
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk); |
|
30 |
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk); |
|
31 |
++ dp->dccps_hc_rx_ccid = NULL; |
|
32 |
++ dp->dccps_hc_tx_ccid = NULL; |
|
33 |
+ |
|
34 |
+ __skb_queue_purge(&sk->sk_receive_queue); |
|
35 |
+ __skb_queue_purge(&sk->sk_write_queue); |
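Review bot: After `dp->dccps_hc_rx_ccid = NULL;` and `dp->dccps_hc_tx_ccid = NULL;` in the hunk at `@@ -278,6 +279,10 @@`, a socket that was disconnected into DCCP_CLOSED keeps NULL CCID pointers until they are re-created, so any 4.4 path that can still run on that socket and reach them through the `ccid_hc_tx_*`/`ccid_hc_rx_*` helpers (a later send on the same socket, for instance) now depends on those helpers or their callers tolerating NULL, and this backport adds no such check of its own. That is the trade-off the upstream fix makes and not a reason to drop it, but it is worth confirming against the 4.4.109 tree before the package ships, since the helpers are not visible here. Carrying the change verbatim from upstream commit 69c64866ce07 with the author's sign-offs kept is the right way to do it. dccp_disconnect() continues past the end of this hunk.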
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 |
-Version: 4.4.106 |
|
4 |
+Version: 4.4.109 |
|
5 | 5 |
Release: 1%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=a40a7f291d85f9373f024946faa8c7dcb6dc7fdb |
|
12 |
+%define sha1 linux=bcc074736b9ba1801d04371e0a9a4bfd8a5a2967 |
|
13 | 13 |
Source1: config-esx |
14 | 14 |
Patch0: double-tcp_mem-limits.patch |
15 | 15 |
Patch1: linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch |
... | ... |
@@ -37,8 +37,14 @@ Patch22: net-9p-vsock.patch |
37 | 37 |
Patch23: p9fs_dir_readdir-offset-support.patch |
38 | 38 |
Patch24: Implement-the-f-xattrat-family-of-functions.patch |
39 | 39 |
# Fix CVE-2017-11472 |
40 |
-Patch25: ACPICA-Namespace-fix-operand-cache-leak.patch |
|
40 |
+Patch25: ACPICA-Namespace-fix-operand-cache-leak.patch |
|
41 | 41 |
Patch26: init-do_mounts-recreate-dev-root.patch |
42 |
+# Fix CVE-2017-8824 |
|
43 |
+Patch27: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
|
44 |
+# Fix CVE-2017-17448 |
|
45 |
+Patch28: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
|
46 |
+# Fix CVE-2017-17450 |
|
47 |
+Patch29: netfilter-xt_osf-Add-missing-permission-checks.patch |
|
42 | 48 |
|
43 | 49 |
BuildRequires: bc |
44 | 50 |
BuildRequires: kbd |
... | ... |
@@ -102,6 +108,9 @@ The Linux package contains the Linux kernel doc files |
102 | 102 |
%patch24 -p1 |
103 | 103 |
%patch25 -p1 |
104 | 104 |
%patch26 -p1 |
105 |
+%patch27 -p1 |
|
106 |
+%patch28 -p1 |
|
107 |
+%patch29 -p1 |
|
105 | 108 |
|
106 | 109 |
%build |
107 | 110 |
# patch vmw_balloon driver |
... | ... |
@@ -190,6 +199,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
190 | 190 |
/usr/src/linux-headers-%{uname_r} |
191 | 191 |
|
192 | 192 |
%changelog |
193 |
+* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.109-1 |
|
194 |
+- Version update |
|
195 |
+- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450. |
|
193 | 196 |
* Tue Dec 19 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.106-1 |
194 | 197 |
- Version update |
195 | 198 |
* Fri Dec 08 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.104-1 |
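Review bot: The refreshed Source0 pin `%define sha1 linux=bcc074736b9ba1801d04371e0a9a4bfd8a5a2967` in the `@@ -9,7 +9,7 @@` hunk still ties the kernel tarball to a SHA-1 digest only; kernel.org publishes SHA-256 sums and a detached PGP signature for each release, so if the Photon build macros accept a stronger digest this bump is the natural place to move to `%define sha256 linux=<sha256 from kernel.org sha256sums.asc>`. The same SHA-1-only pin is updated in linux.spec and linux-api-headers.spec in this commit. Separately, in the `@@ -37,8 +37,14 @@` hunk the `Patch25:` line is removed and re-added with no visible difference, presumably a whitespace change; harmless, but it is noise in a security backport and worth either dropping or mentioning in the changelog entry.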
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 |
-Version: 4.4.106 |
|
4 |
+Version: 4.4.109 |
|
5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz |
12 |
-%define sha1 linux=a40a7f291d85f9373f024946faa8c7dcb6dc7fdb |
|
12 |
+%define sha1 linux=bcc074736b9ba1801d04371e0a9a4bfd8a5a2967 |
|
13 | 13 |
Source1: config |
14 | 14 |
%define ena_version 1.1.3 |
15 | 15 |
Source2: https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz |
... | ... |
@@ -38,6 +38,12 @@ Patch17: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
38 | 38 |
Patch18: 0002-allow-also-ecb-cipher_null.patch |
39 | 39 |
# Fix CVE-2017-11472 |
40 | 40 |
Patch20: ACPICA-Namespace-fix-operand-cache-leak.patch |
41 |
+# Fix CVE-2017-8824 |
|
42 |
+Patch21: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch |
|
43 |
+# Fix CVE-2017-17448 |
|
44 |
+Patch22: netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |
|
45 |
+# Fix CVE-2017-17450 |
|
46 |
+Patch23: netfilter-xt_osf-Add-missing-permission-checks.patch |
|
41 | 47 |
|
42 | 48 |
%if 0%{?kat_build:1} |
43 | 49 |
Patch1000: %{kat_build}.patch |
... | ... |
@@ -131,6 +137,9 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
131 | 131 |
%patch17 -p1 |
132 | 132 |
%patch18 -p1 |
133 | 133 |
%patch20 -p1 |
134 |
+%patch21 -p1 |
|
135 |
+%patch22 -p1 |
|
136 |
+%patch23 -p1 |
|
134 | 137 |
|
135 | 138 |
%if 0%{?kat_build:1} |
136 | 139 |
%patch1000 -p1 |
... | ... |
@@ -287,6 +296,9 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
287 | 287 |
/usr/share/perf-core |
288 | 288 |
|
289 | 289 |
%changelog |
290 |
+* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.109-1 |
|
291 |
+- Version update |
|
292 |
+- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450. |
|
290 | 293 |
* Tue Dec 19 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.106-1 |
291 | 294 |
- Version update |
292 | 295 |
* Tue Dec 12 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.104-2 |
293 | 296 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,73 @@ |
0 |
+commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 |
|
1 |
+Author: Kevin Cernekee <cernekee@chromium.org> |
|
2 |
+Date: Sun Dec 3 12:12:45 2017 -0800 |
|
3 |
+ |
|
4 |
+ netfilter: nfnetlink_cthelper: Add missing permission checks |
|
5 |
+ |
|
6 |
+ The capability check in nfnetlink_rcv() verifies that the caller |
|
7 |
+ has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. |
|
8 |
+ However, nfnl_cthelper_list is shared by all net namespaces on the |
|
9 |
+ system. An unprivileged user can create user and net namespaces |
|
10 |
+ in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() |
|
11 |
+ check: |
|
12 |
+ |
|
13 |
+ $ nfct helper list |
|
14 |
+ nfct v1.4.4: netlink error: Operation not permitted |
|
15 |
+ $ vpnns -- nfct helper list |
|
16 |
+ { |
|
17 |
+ .name = ftp, |
|
18 |
+ .queuenum = 0, |
|
19 |
+ .l3protonum = 2, |
|
20 |
+ .l4protonum = 6, |
|
21 |
+ .priv_data_len = 24, |
|
22 |
+ .status = enabled, |
|
23 |
+ }; |
|
24 |
+ |
|
25 |
+ Add capable() checks in nfnetlink_cthelper, as this is cleaner than |
|
26 |
+ trying to generalize the solution. |
|
27 |
+ |
|
28 |
+ Signed-off-by: Kevin Cernekee <cernekee@chromium.org> |
|
29 |
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
|
30 |
+ |
|
31 |
+diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c |
|
32 |
+index 41628b3..d33ce6d 100644 |
|
33 |
+--- a/net/netfilter/nfnetlink_cthelper.c |
|
34 |
+@@ -17,6 +17,7 @@ |
|
35 |
+ #include <linux/types.h> |
|
36 |
+ #include <linux/list.h> |
|
37 |
+ #include <linux/errno.h> |
|
38 |
++#include <linux/capability.h> |
|
39 |
+ #include <net/netlink.h> |
|
40 |
+ #include <net/sock.h> |
|
41 |
+ |
|
42 |
+@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl, |
|
43 |
+ struct nfnl_cthelper *nlcth; |
|
44 |
+ int ret = 0; |
|
45 |
+ |
|
46 |
++ if (!capable(CAP_NET_ADMIN)) |
|
47 |
++ return -EPERM; |
|
48 |
++ |
|
49 |
+ if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) |
|
50 |
+ return -EINVAL; |
|
51 |
+ |
|
52 |
+@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl, |
|
53 |
+ struct nfnl_cthelper *nlcth; |
|
54 |
+ bool tuple_set = false; |
|
55 |
+ |
|
56 |
++ if (!capable(CAP_NET_ADMIN)) |
|
57 |
++ return -EPERM; |
|
58 |
++ |
|
59 |
+ if (nlh->nlmsg_flags & NLM_F_DUMP) { |
|
60 |
+ struct netlink_dump_control c = { |
|
61 |
+ .dump = nfnl_cthelper_dump_table, |
|
62 |
+@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl, |
|
63 |
+ struct nfnl_cthelper *nlcth, *n; |
|
64 |
+ int j = 0, ret; |
|
65 |
+ |
|
66 |
++ if (!capable(CAP_NET_ADMIN)) |
|
67 |
++ return -EPERM; |
|
68 |
++ |
|
69 |
+ if (tb[NFCTH_NAME]) |
|
70 |
+ helper_name = nla_data(tb[NFCTH_NAME]); |
|
71 |
+ |
0 | 72 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,55 @@ |
0 |
+commit 916a27901de01446bcf57ecca4783f6cff493309 |
|
1 |
+Author: Kevin Cernekee <cernekee@chromium.org> |
|
2 |
+Date: Tue Dec 5 15:42:41 2017 -0800 |
|
3 |
+ |
|
4 |
+ netfilter: xt_osf: Add missing permission checks |
|
5 |
+ |
|
6 |
+ The capability check in nfnetlink_rcv() verifies that the caller |
|
7 |
+ has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. |
|
8 |
+ However, xt_osf_fingers is shared by all net namespaces on the |
|
9 |
+ system. An unprivileged user can create user and net namespaces |
|
10 |
+ in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() |
|
11 |
+ check: |
|
12 |
+ |
|
13 |
+ vpnns -- nfnl_osf -f /tmp/pf.os |
|
14 |
+ |
|
15 |
+ vpnns -- nfnl_osf -f /tmp/pf.os -d |
|
16 |
+ |
|
17 |
+ These non-root operations successfully modify the systemwide OS |
|
18 |
+ fingerprint list. Add new capable() checks so that they can't. |
|
19 |
+ |
|
20 |
+ Signed-off-by: Kevin Cernekee <cernekee@chromium.org> |
|
21 |
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
|
22 |
+ |
|
23 |
+diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c |
|
24 |
+index 36e14b1..a34f314 100644 |
|
25 |
+--- a/net/netfilter/xt_osf.c |
|
26 |
+@@ -19,6 +19,7 @@ |
|
27 |
+ #include <linux/module.h> |
|
28 |
+ #include <linux/kernel.h> |
|
29 |
+ |
|
30 |
++#include <linux/capability.h> |
|
31 |
+ #include <linux/if.h> |
|
32 |
+ #include <linux/inetdevice.h> |
|
33 |
+ #include <linux/ip.h> |
|
34 |
+@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl, |
|
35 |
+ struct xt_osf_finger *kf = NULL, *sf; |
|
36 |
+ int err = 0; |
|
37 |
+ |
|
38 |
++ if (!capable(CAP_NET_ADMIN)) |
|
39 |
++ return -EPERM; |
|
40 |
++ |
|
41 |
+ if (!osf_attrs[OSF_ATTR_FINGER]) |
|
42 |
+ return -EINVAL; |
|
43 |
+ |
|
44 |
+@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl, |
|
45 |
+ struct xt_osf_finger *sf; |
|
46 |
+ int err = -ENOENT; |
|
47 |
+ |
|
48 |
++ if (!capable(CAP_NET_ADMIN)) |
|
49 |
++ return -EPERM; |
|
50 |
++ |
|
51 |
+ if (!osf_attrs[OSF_ATTR_FINGER]) |
|
52 |
+ return -EINVAL; |
|
53 |
+ |