4.14.11-1

This commit is contained in:
Jan Alexander Steffens 2018-01-03 07:21:25 +00:00
parent 227a77467e
commit 540a56c51a
9 changed files with 104 additions and 51 deletions


@ -1,8 +1,9 @@
From 5ec2dd3a095442ec1a21d86042a4994f2ba24e63 Mon Sep 17 00:00:00 2001
Message-Id: <5ec2dd3a095442ec1a21d86042a4994f2ba24e63.1512651251.git.jan.steffens@gmail.com>
From fb89d912d5f7289d3a922c77b671e36e1c740f5e Mon Sep 17 00:00:00 2001
Message-Id: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
From: Serge Hallyn <serge.hallyn@canonical.com>
Date: Fri, 31 May 2013 19:12:12 +0100
Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default
Subject: [PATCH 1/7] add sysctl to disallow unprivileged CLONE_NEWUSER by
default
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
[bwh: Remove unneeded binary sysctl bits]
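Review bot: the header is regenerated against a new base (From 5ec2dd3a… becomes fb89d912…, Message-Id timestamp 1512651251 becomes 1514959852) and renumbered from [PATCH] to [PATCH 1/7], with the long Subject now folded onto two lines; that fold is the normal format-patch wrapping and is rejoined on apply, so nothing needs fixing here. Since this file carries the first Message-Id of the new seven-patch export, check that every other patch file in the commit gets In-Reply-To/References pointing at fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com, otherwise the series no longer threads.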
@ -14,7 +15,7 @@ Signed-off-by: Daniel Micay <danielmicay@gmail.com>
3 files changed, 30 insertions(+)
diff --git a/kernel/fork.c b/kernel/fork.c
index 07cc743698d3668e..4011d68a8ff9305c 100644
index 500ce64517d93e68..35f5860958b40e9b 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -102,6 +102,11 @@
@ -29,7 +30,7 @@ index 07cc743698d3668e..4011d68a8ff9305c 100644
/*
* Minimum number of threads to boot the kernel
@@ -1555,6 +1560,10 @@ static __latent_entropy struct task_struct *copy_process(
@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process(
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
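Review bot: the copy_process() hunk header moves by exactly one line (1555,6 becomes 1554,6) while the surrounding context, including the CLONE_NEWUSER|CLONE_FS check and the -EINVAL return, is unchanged; this is a pure offset shift from the 4.14.11 base, so the sysctl gate on unprivileged user namespaces is not functionally altered by the rebase.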
@ -40,7 +41,7 @@ index 07cc743698d3668e..4011d68a8ff9305c 100644
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
@@ -2348,6 +2357,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
@ -54,7 +55,7 @@ index 07cc743698d3668e..4011d68a8ff9305c 100644
if (err)
goto bad_unshare_out;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index b86520ed3fb60fbf..f7dab3760839f1a1 100644
index 56aca862c4f584f5..e8402ba393c1915d 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -105,6 +105,9 @@ extern int core_uses_pid;


@ -1,8 +1,10 @@
From c3c1af44db713ac6624e729ea4832d0ce70685e0 Mon Sep 17 00:00:00 2001
Message-Id: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens@gmail.com>
From 8c6956686606b9c3661e74a410c8cb2fc276c5ee Mon Sep 17 00:00:00 2001
Message-Id: <8c6956686606b9c3661e74a410c8cb2fc276c5ee.1514959852.git.jan.steffens@gmail.com>
In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
From: Benjamin Poirier <bpoirier@suse.com>
Date: Mon, 11 Dec 2017 16:26:40 +0900
Subject: [PATCH 1/2] e1000e: Fix e1000_check_for_copper_link_ich8lan return
Subject: [PATCH 2/7] e1000e: Fix e1000_check_for_copper_link_ich8lan return
value.
e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()


@ -1,10 +1,10 @@
From 80d3e994e0631d9135cadf20a0b5ad483d7e9bbb Mon Sep 17 00:00:00 2001
Message-Id: <80d3e994e0631d9135cadf20a0b5ad483d7e9bbb.1513282811.git.jan.steffens@gmail.com>
In-Reply-To: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens@gmail.com>
References: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens@gmail.com>
From b81e273fb227373a2951c7256ab11a87d5333a9d Mon Sep 17 00:00:00 2001
Message-Id: <b81e273fb227373a2951c7256ab11a87d5333a9d.1514959852.git.jan.steffens@gmail.com>
In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
From: Mohamed Ghannam <simo.ghannam@gmail.com>
Date: Tue, 5 Dec 2017 20:58:35 +0000
Subject: [PATCH 2/2] dccp: CVE-2017-8824: use-after-free in DCCP code
Subject: [PATCH 3/7] dccp: CVE-2017-8824: use-after-free in DCCP code
Whenever the sock object is in DCCP_CLOSED state,
dccp_disconnect() must free dccps_hc_tx_ccid and


@ -1,8 +1,10 @@
From b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4 Mon Sep 17 00:00:00 2001
Message-Id: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
From d03c0ef520f40c6de691c37e0f168c87b3423015 Mon Sep 17 00:00:00 2001
Message-Id: <d03c0ef520f40c6de691c37e0f168c87b3423015.1514959852.git.jan.steffens@gmail.com>
In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Wed, 15 Nov 2017 06:40:57 +0100
Subject: [PATCH 1/3] Revert "xfrm: Fix stack-out-of-bounds read in
Subject: [PATCH 4/7] Revert "xfrm: Fix stack-out-of-bounds read in
xfrm_state_find."
This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
@ -16,10 +18,10 @@ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6eb228a70131069b..a2e531bf4f976308 100644
index 2a6093840e7e856e..6bc16bb61b5533ef 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1361,29 +1361,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
@@ -1362,29 +1362,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
struct net *net = xp_net(policy);
int nx;
int i, error;
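Review bot: besides the index line update, the xfrm_tmpl_resolve_one hunk header shifts by one line (1361 becomes 1362) and the content of the revert is untouched. Because this revert and the following socket-policy fix both modify net/xfrm/xfrm_policy.c, the post-image blob of this patch (6bc16bb61b5533ef) must equal the pre-image blob in the next patch's index line for the series to apply cleanly in order; worth a quick check after any future regeneration.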


@ -1,10 +1,10 @@
From 1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f Mon Sep 17 00:00:00 2001
Message-Id: <1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f.1514245012.git.jan.steffens@gmail.com>
In-Reply-To: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
References: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
From 3721d64246982f91a5bf863fc17ac60ff722e0c4 Mon Sep 17 00:00:00 2001
Message-Id: <3721d64246982f91a5bf863fc17ac60ff722e0c4.1514959852.git.jan.steffens@gmail.com>
In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Fri, 22 Dec 2017 10:44:57 +0100
Subject: [PATCH 2/3] xfrm: Fix stack-out-of-bounds read on socket policy
Subject: [PATCH 5/7] xfrm: Fix stack-out-of-bounds read on socket policy
lookup.
When we do tunnel or beet mode, we pass saddr and daddr from the
@ -24,7 +24,7 @@ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index a2e531bf4f976308..c79ed3bed5d4dc2f 100644
index 6bc16bb61b5533ef..50c5f46b5cca942e 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,


@ -1,10 +1,10 @@
From a3c64fe9d978f3ee8f21fac5b410c63fe7cce725 Mon Sep 17 00:00:00 2001
Message-Id: <a3c64fe9d978f3ee8f21fac5b410c63fe7cce725.1514245012.git.jan.steffens@gmail.com>
In-Reply-To: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
References: <b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4.1514245012.git.jan.steffens@gmail.com>
From a79cb4d4e540c72a601ca0494e914565c16e2893 Mon Sep 17 00:00:00 2001
Message-Id: <a79cb4d4e540c72a601ca0494e914565c16e2893.1514959852.git.jan.steffens@gmail.com>
In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
From: Tejun Heo <tj@kernel.org>
Date: Wed, 20 Dec 2017 07:09:19 -0800
Subject: [PATCH 3/3] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
Subject: [PATCH 6/7] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
While teaching css_task_iter to handle skipping over tasks which
aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to


@ -0,0 +1,42 @@
From 51786b65797aed683ca72293a3cb86a2cab987c0 Mon Sep 17 00:00:00 2001
Message-Id: <51786b65797aed683ca72293a3cb86a2cab987c0.1514959852.git.jan.steffens@gmail.com>
In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: Tue, 26 Dec 2017 23:43:54 -0600
Subject: [PATCH 7/7] x86/cpu, x86/pti: Do not enable PTI on AMD processors
AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.
Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
is set.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Borislav Petkov <bp@suse.de>
---
arch/x86/kernel/cpu/common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index f2a94dfb434e9a7c..b1be494ab4e8badf 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
setup_force_cpu_cap(X86_FEATURE_ALWAYS);
- /* Assume for now that ALL x86 CPUs are insecure */
- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+ if (c->x86_vendor != X86_VENDOR_AMD)
+ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
fpu__init_system(c);
--
2.15.1
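Review bot: the decision in early_identify_cpu() is keyed on c->x86_vendor alone, so X86_BUG_CPU_INSECURE (and with it X86_FEATURE_PTI) is still forced for every vendor other than AMD, and the commit message's justification covers only the attack class PTI mitigates (speculative reads of higher-privileged data that would fault); it changes the default, not the ability to enable PTI. The old comment "Assume for now that ALL x86 CPUs are insecure" is dropped without a replacement comment stating why AMD is excluded; a one-line comment citing the rationale above the vendor test would keep the intent readable in the tree. Since this is the only file touched (arch/x86/kernel/cpu/common.c, 2 insertions and 2 deletions), it cannot conflict with the six earlier patches.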


@ -4,7 +4,7 @@
pkgbase=linux # Build stock -ARCH kernel
#pkgbase=linux-custom # Build kernel with a different name
_srcname=linux-4.14
pkgver=4.14.10
pkgver=4.14.11
pkgrel=1
arch=('x86_64')
url="https://www.kernel.org/"
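Review bot: pkgver goes from 4.14.10 to 4.14.11 with pkgrel left at 1, which is the correct pattern for a new upstream point release, and _srcname correctly stays at linux-4.14.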
@ -21,11 +21,12 @@ source=(
'90-linux.hook' # pacman hook for initramfs regeneration
'linux.preset' # standard config files for mkinitcpio ramdisk
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
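Review bot: renumbering the six existing patch files to 0002 through 0006 and appending 0007 keeps the file names aligned with the new [PATCH n/7] subjects, but it renames every patch in a single commit, so the same ordering has to be mirrored in sha256sums= and in prepare(); the diff below does both, which is the thing to re-check whenever another patch is inserted into the middle of the series.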
@ -33,18 +34,19 @@ validpgpkeys=(
)
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'SKIP'
'16f560aa713b46c707f04a226f67dc31fdd280aae57dd19e0413d61df5336c74'
'f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9'
'SKIP'
'4d12ed868b05720c3d263c8454622c67bdee6969400049d7adac7b00907ad195'
'24b8cf6829dafcb2b5c76cffaae6438ad2d432f13d6551fa1c8f25e66b751ed4'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
'37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85'
'c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3'
'1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2'
'ed3266ab03f836f57de0faf8a10ffd7566c909515c2649de99adaab2fac4aa32'
'64a014f7e1b4588728b3ea9538beee67ec63fb792d890c7be9cc13ddc2121b00'
'3d4c41086c077fbd515d04f5e59c0c258f700433c5da3365d960b696c2e56efb')
'06bc1d8b1cd153c3146a4376d833f5769b980e5ef5eae99ddaaeb48bf514dae2'
'b90bef87574f30ec66c0f10d089bea56a9e974b6d052fee3071b1ff21360724b'
'f38531dee9fd8a59202ce96ac5b40446f1f035b89788ea9ecb2fb3909f703a25'
'705d5fbfce00ccc20490bdfb5853d67d86ac00c845de6ecb13e414214b48daeb'
'0a249248534a17f14fab7e14994811ae81fe324668a82ff41f3bcabeeae1460f'
'8e1b303957ddd829c0c9ad7c012cd32f2354ff3c8c1b85da3d7f8a54524f3711'
'914a0a019545ad7d14ed8d5c58d417eb0a8ec12a756beec79a545aabda343b31')
_kernelname=${pkgbase#linux}
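Review bot: every existing patch hash changes along with the new seventh entry, which is expected because each patch file's From line, Message-Id and Subject were regenerated (see the header hunks above), and the 'SKIP' entries remain in place for the detached signatures that validpgpkeys= covers. Confirm the hash list is in the same order as source= after the renumbering; a misplaced hash fails the build rather than silently passing, but it is easy to mis-order when seven entries move at once.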
@ -64,17 +66,20 @@ prepare() {
patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
# https://bugs.archlinux.org/task/56575
patch -Np1 -i ../0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
patch -Np1 -i ../0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
# https://nvd.nist.gov/vuln/detail/CVE-2017-8824
patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
patch -Np1 -i ../0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
# https://bugs.archlinux.org/task/56605
patch -Np1 -i ../0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
patch -Np1 -i ../0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
patch -Np1 -i ../0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
patch -Np1 -i ../0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
# https://bugs.archlinux.org/task/56846
patch -Np1 -i ../0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
patch -Np1 -i ../0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
# For AMD processors, keep PTI off by default
patch -Np1 -i ../0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
cp -Tf ../config .config
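Review bot: the comment above the new 0007 patch ("For AMD processors, keep PTI off by default") does not record where the patch comes from, unlike every other block in prepare(), which cites a bug tracker or NVD URL; add the upstream or mailing-list reference so the patch can be dropped once it lands in a stable release. The apply order is fine: 0007 touches only arch/x86/kernel/cpu/common.c, so applying it after the xfrm and cgroup patches cannot conflict.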

3
config

@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 4.14.9-1 Kernel Configuration
# Linux/x86 4.14.11-1 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
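Review bot: the generated header jumps from 4.14.9-1 to 4.14.11-1, so this config was not regenerated for the 4.14.10 release; harmless since the file is auto-generated, but it is worth regenerating on each pkgver bump so the header reflects the kernel the config was last validated against.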
@ -8130,6 +8130,7 @@ CONFIG_SECURITY=y
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_PAGE_TABLE_ISOLATION=y
# CONFIG_SECURITY_INFINIBAND is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_INTEL_TXT is not set
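Review bot: CONFIG_PAGE_TABLE_ISOLATION=y compiles the PTI code in, while patch 0007 makes the runtime default vendor-dependent (forced on for non-AMD, off on AMD), so the config alone no longer tells a user whether PTI is active on their machine; a sentence in the commit message or package news stating both halves would avoid confusion. Its position among the CONFIG_SECURITY options is consistent with the option living in the security section, so a later olddefconfig run should not move it.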