Jan Alexander Steffens 2018-01-29 05:32:00 +00:00
parent e3d2d1a12a
commit 77f03fcad0
6 changed files with 1879 additions and 963 deletions


@ -1,8 +1,8 @@
From 4e54373158caa50df5402fdd3db1794c5394026b Mon Sep 17 00:00:00 2001
Message-Id: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
From 4aefcc4253233dce6ac5938e01371074958b8f1c Mon Sep 17 00:00:00 2001
Message-Id: <4aefcc4253233dce6ac5938e01371074958b8f1c.1517188106.git.jan.steffens@gmail.com>
From: Serge Hallyn <serge.hallyn@canonical.com>
Date: Fri, 31 May 2013 19:12:12 +0100
Subject: [PATCH 1/4] add sysctl to disallow unprivileged CLONE_NEWUSER by
Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by
default
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
@ -15,7 +15,7 @@ Signed-off-by: Daniel Micay <danielmicay@gmail.com>
3 files changed, 30 insertions(+)
diff --git a/kernel/fork.c b/kernel/fork.c
index 500ce64517d9..35f5860958b4 100644
index 2295fc69717f..6f320a216e7d 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -102,6 +102,11 @@
@ -30,7 +30,7 @@ index 500ce64517d9..35f5860958b4 100644
/*
* Minimum number of threads to boot the kernel
@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process(
@@ -1550,6 +1555,10 @@ static __latent_entropy struct task_struct *copy_process(
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
@ -41,7 +41,7 @@ index 500ce64517d9..35f5860958b4 100644
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
@@ -2343,6 +2352,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
@ -55,7 +55,7 @@ index 500ce64517d9..35f5860958b4 100644
if (err)
goto bad_unshare_out;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 56aca862c4f5..e8402ba393c1 100644
index 557d46728577..c19d7a828913 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -105,6 +105,9 @@ extern int core_uses_pid;
@ -85,12 +85,12 @@ index 56aca862c4f5..e8402ba393c1 100644
{
.procname = "tainted",
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index c490f1e4313b..dd03bd39d7bf 100644
index 246d4d4ce5c7..f64432b45cec 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -24,6 +24,9 @@
#include <linux/projid.h>
#include <linux/fs_struct.h>
@@ -26,6 +26,9 @@
#include <linux/bsearch.h>
#include <linux/sort.h>
+/* sysctl */
+int unprivileged_userns_clone;
@ -99,5 +99,5 @@ index c490f1e4313b..dd03bd39d7bf 100644
static DEFINE_MUTEX(userns_state_mutex);
--
2.15.1
2.16.1


@ -1,57 +0,0 @@
From 8514970bf07bd1cc522f50e882e0159a51a39264 Mon Sep 17 00:00:00 2001
Message-Id: <8514970bf07bd1cc522f50e882e0159a51a39264.1516188238.git.jan.steffens@gmail.com>
In-Reply-To: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
References: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
From: Mohamed Ghannam <simo.ghannam@gmail.com>
Date: Tue, 5 Dec 2017 20:58:35 +0000
Subject: [PATCH 2/4] dccp: CVE-2017-8824: use-after-free in DCCP code
Whenever the sock object is in DCCP_CLOSED state,
dccp_disconnect() must free dccps_hc_tx_ccid and
dccps_hc_rx_ccid and set to NULL.
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/dccp/proto.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index b68168fcc06a..9d43c1f40274 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -259,25 +259,30 @@ int dccp_disconnect(struct sock *sk, int flags)
{
struct inet_connection_sock *icsk = inet_csk(sk);
struct inet_sock *inet = inet_sk(sk);
+ struct dccp_sock *dp = dccp_sk(sk);
int err = 0;
const int old_state = sk->sk_state;
if (old_state != DCCP_CLOSED)
dccp_set_state(sk, DCCP_CLOSED);
/*
* This corresponds to the ABORT function of RFC793, sec. 3.8
* TCP uses a RST segment, DCCP a Reset packet with Code 2, "Aborted".
*/
if (old_state == DCCP_LISTEN) {
inet_csk_listen_stop(sk);
} else if (dccp_need_reset(old_state)) {
dccp_send_reset(sk, DCCP_RESET_CODE_ABORTED);
sk->sk_err = ECONNRESET;
} else if (old_state == DCCP_REQUESTING)
sk->sk_err = ECONNRESET;
dccp_clear_xmit_timers(sk);
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
+ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+ dp->dccps_hc_rx_ccid = NULL;
+ dp->dccps_hc_tx_ccid = NULL;
__skb_queue_purge(&sk->sk_receive_queue);
__skb_queue_purge(&sk->sk_write_queue);
--
2.15.1


@ -1,10 +1,10 @@
From e722c8d112f0aa9621d7d4da5223cfc7aeb45e88 Mon Sep 17 00:00:00 2001
Message-Id: <e722c8d112f0aa9621d7d4da5223cfc7aeb45e88.1516188238.git.jan.steffens@gmail.com>
In-Reply-To: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
References: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
From 3383f4060f7fe25afd5f863fe169fd2f286ab237 Mon Sep 17 00:00:00 2001
Message-Id: <3383f4060f7fe25afd5f863fe169fd2f286ab237.1517188106.git.jan.steffens@gmail.com>
In-Reply-To: <4aefcc4253233dce6ac5938e01371074958b8f1c.1517188106.git.jan.steffens@gmail.com>
References: <4aefcc4253233dce6ac5938e01371074958b8f1c.1517188106.git.jan.steffens@gmail.com>
From: Jim Bride <jim.bride@linux.intel.com>
Date: Mon, 6 Nov 2017 13:38:57 -0800
Subject: [PATCH 4/4] drm/i915/edp: Only use the alternate fixed mode if it's
Subject: [PATCH 2/2] drm/i915/edp: Only use the alternate fixed mode if it's
asked for
In commit dc911f5bd8aa ("drm/i915/edp: Allow alternate fixed mode for
@ -24,10 +24,10 @@ Signed-off-by: Jim Bride <jim.bride@linux.intel.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
index 09f274419eea..838cee312e8e 100644
index 158438bb0389..69b16df868ea 100644
--- a/drivers/gpu/drm/i915/intel_dp.c
+++ b/drivers/gpu/drm/i915/intel_dp.c
@@ -1632,7 +1632,8 @@ static bool intel_edp_compare_alt_mode(struct drm_display_mode *m1,
@@ -1616,7 +1616,8 @@ static bool intel_edp_compare_alt_mode(struct drm_display_mode *m1,
m1->vdisplay == m2->vdisplay &&
m1->vsync_start == m2->vsync_start &&
m1->vsync_end == m2->vsync_end &&
@ -38,5 +38,5 @@ index 09f274419eea..838cee312e8e 100644
}
--
2.15.1
2.16.1


@ -1,49 +0,0 @@
From c9c8995fc83b476fdf3fc0c4b498feef2949ec75 Mon Sep 17 00:00:00 2001
Message-Id: <c9c8995fc83b476fdf3fc0c4b498feef2949ec75.1516188238.git.jan.steffens@gmail.com>
In-Reply-To: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
References: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Fri, 22 Dec 2017 10:44:57 +0100
Subject: [PATCH 3/4] xfrm: Fix stack-out-of-bounds read on socket policy
lookup.
When we do tunnel or beet mode, we pass saddr and daddr from the
template to xfrm_state_find(), this is ok. On transport mode,
we pass the addresses from the flowi, assuming that the IP
addresses (and address family) don't change during transformation.
This assumption is wrong in the IPv4 mapped IPv6 case, packet
is IPv4 and template is IPv6.
Fix this by catching address family missmatches of the policy
and the flow already before we do the lookup.
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_policy.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6bc16bb61b55..50c5f46b5cca 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
again:
pol = rcu_dereference(sk->sk_policy[dir]);
if (pol != NULL) {
- bool match = xfrm_selector_match(&pol->selector, fl, family);
+ bool match;
int err = 0;
+ if (pol->family != family) {
+ pol = NULL;
+ goto out;
+ }
+
+ match = xfrm_selector_match(&pol->selector, fl, family);
if (match) {
if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
pol = NULL;
--
2.15.1


@ -3,8 +3,8 @@
pkgbase=linux # Build stock -ARCH kernel
#pkgbase=linux-custom # Build kernel with a different name
_srcname=linux-4.14
pkgver=4.14.15
_srcname=linux-4.15
pkgver=4.15
pkgrel=1
arch=('x86_64')
url="https://www.kernel.org/"
@ -14,33 +14,27 @@ options=('!strip')
source=(
"https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
"https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.sign"
"https://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.xz"
"https://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.sign"
#"https://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.xz"
#"https://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.sign"
'config' # the main kernel config file
'60-linux.hook' # pacman hook for depmod
'90-linux.hook' # pacman hook for initramfs regeneration
'linux.preset' # standard config files for mkinitcpio ramdisk
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
0004-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch
0002-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
)
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
sha256sums=('5a26478906d5005f4f809402e981518d2b8844949199f60c4b6e1f986ca2a769'
'SKIP'
'54a6359ed333e619db8c5c88020ff20f1e25635337f01f50a7488ec2fc0fe030'
'SKIP'
'edaf7bebcaf3032e3bf15353e0773e39872c73fc024ca4d23383195a13745b2e'
'8e80162a2d8952b7e0a4967647eed940b2b983e950bfe630918bd90cb1107a25'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
'36b1118c8dedadc4851150ddd4eb07b1c58ac5bbf3022cc2501a27c2b476da98'
'5694022613bb49a77d3dfafdd2e635e9015e0a9069c58a07e99bdc5df6520311'
'2f46093fde72eabc0fd25eff5065d780619fc5e7d2143d048877a8220d6291b0'
'6364edabad4182dcf148ae7c14d8f45d61037d4539e76486f978f1af3a090794')
'7b7363b53c68f52b119df994c9c08d4f29271b408f021366ab23f862518bd9bc'
'ac996455cddccc312d93e63845d92b2d8ab8fb53208a221948d28c76c678d215')
_kernelname=${pkgbase#linux}
@ -48,8 +42,7 @@ prepare() {
cd ${_srcname}
# add upstream patch
patch -p1 -i ../patch-${pkgver}
chmod +x tools/objtool/sync-check.sh # GNU patch doesn't support git-style file mode
#patch -p1 -i ../patch-${pkgver}
# security patches
@ -59,14 +52,8 @@ prepare() {
# disable USER_NS for non-root users by default
patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
# https://nvd.nist.gov/vuln/detail/CVE-2017-8824
patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
# https://bugs.archlinux.org/task/56605
patch -Np1 -i ../0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
# https://bugs.archlinux.org/task/56711
patch -Np1 -i ../0004-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch
patch -Np1 -i ../0002-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch
cp -Tf ../config .config
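Review bot: The point-release handling is left as commented-out code with no explanation — the two `#"https://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}...` source entries at the top of the section and `#patch -p1 -i ../patch-${pkgver}` in prepare() — which a reader of this file cannot distinguish from a forgotten line; a one-line note such as `# 4.15.0: no point-release patch yet; re-enable these entries (and their sha256sums) at the first point release` would make the intent explicit. The two backports removed from source and prepare() (the dccp CVE-2017-8824 patch and the xfrm stack-out-of-bounds patch) are presumably dropped because 4.15 already carries the upstream fixes, but nothing in the section records that; a short comment under `# security patches` stating why they were dropped would keep the next rebase auditable. prepare() starts and continues outside the hunks shown here.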

2661
config
