4.15-1
This commit is contained in:
Jan Alexander Steffens
parent
e3d2d1a12a
commit
77f03fcad0
@ -1,8 +1,8 @@
|
||||
From 4e54373158caa50df5402fdd3db1794c5394026b Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
|
||||
From 4aefcc4253233dce6ac5938e01371074958b8f1c Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <4aefcc4253233dce6ac5938e01371074958b8f1c.1517188106.git.jan.steffens@gmail.com>
|
||||
From: Serge Hallyn <serge.hallyn@canonical.com>
|
||||
Date: Fri, 31 May 2013 19:12:12 +0100
|
||||
Subject: [PATCH 1/4] add sysctl to disallow unprivileged CLONE_NEWUSER by
|
||||
Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by
|
||||
default
|
||||
|
||||
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
|
||||
@ -15,7 +15,7 @@ Signed-off-by: Daniel Micay <danielmicay@gmail.com>
|
||||
3 files changed, 30 insertions(+)
|
||||
|
||||
diff --git a/kernel/fork.c b/kernel/fork.c
|
||||
index 500ce64517d9..35f5860958b4 100644
|
||||
index 2295fc69717f..6f320a216e7d 100644
|
||||
--- a/kernel/fork.c
|
||||
+++ b/kernel/fork.c
|
||||
@@ -102,6 +102,11 @@
|
||||
@ -30,7 +30,7 @@ index 500ce64517d9..35f5860958b4 100644
|
||||
|
||||
/*
|
||||
* Minimum number of threads to boot the kernel
|
||||
@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process(
|
||||
@@ -1550,6 +1555,10 @@ static __latent_entropy struct task_struct *copy_process(
|
||||
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
|
||||
return ERR_PTR(-EINVAL);
|
||||
|
||||
@ -41,7 +41,7 @@ index 500ce64517d9..35f5860958b4 100644
|
||||
/*
|
||||
* Thread groups must share signals as well, and detached threads
|
||||
* can only be started up within the thread group.
|
||||
@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
|
||||
@@ -2343,6 +2352,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
|
||||
if (unshare_flags & CLONE_NEWNS)
|
||||
unshare_flags |= CLONE_FS;
|
||||
|
||||
@ -55,7 +55,7 @@ index 500ce64517d9..35f5860958b4 100644
|
||||
if (err)
|
||||
goto bad_unshare_out;
|
||||
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
|
||||
index 56aca862c4f5..e8402ba393c1 100644
|
||||
index 557d46728577..c19d7a828913 100644
|
||||
--- a/kernel/sysctl.c
|
||||
+++ b/kernel/sysctl.c
|
||||
@@ -105,6 +105,9 @@ extern int core_uses_pid;
|
||||
@ -85,12 +85,12 @@ index 56aca862c4f5..e8402ba393c1 100644
|
||||
{
|
||||
.procname = "tainted",
|
||||
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
|
||||
index c490f1e4313b..dd03bd39d7bf 100644
|
||||
index 246d4d4ce5c7..f64432b45cec 100644
|
||||
--- a/kernel/user_namespace.c
|
||||
+++ b/kernel/user_namespace.c
|
||||
@@ -24,6 +24,9 @@
|
||||
#include <linux/projid.h>
|
||||
#include <linux/fs_struct.h>
|
||||
@@ -26,6 +26,9 @@
|
||||
#include <linux/bsearch.h>
|
||||
#include <linux/sort.h>
|
||||
|
||||
+/* sysctl */
|
||||
+int unprivileged_userns_clone;
|
||||
@ -99,5 +99,5 @@ index c490f1e4313b..dd03bd39d7bf 100644
|
||||
static DEFINE_MUTEX(userns_state_mutex);
|
||||
|
||||
--
|
||||
2.15.1
|
||||
2.16.1
|
||||
|
||||
|
||||
@ -1,57 +0,0 @@
|
||||
From 8514970bf07bd1cc522f50e882e0159a51a39264 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <8514970bf07bd1cc522f50e882e0159a51a39264.1516188238.git.jan.steffens@gmail.com>
|
||||
In-Reply-To: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
|
||||
References: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
|
||||
From: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Date: Tue, 5 Dec 2017 20:58:35 +0000
|
||||
Subject: [PATCH 2/4] dccp: CVE-2017-8824: use-after-free in DCCP code
|
||||
|
||||
Whenever the sock object is in DCCP_CLOSED state,
|
||||
dccp_disconnect() must free dccps_hc_tx_ccid and
|
||||
dccps_hc_rx_ccid and set to NULL.
|
||||
|
||||
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Reviewed-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/dccp/proto.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
|
||||
index b68168fcc06a..9d43c1f40274 100644
|
||||
--- a/net/dccp/proto.c
|
||||
+++ b/net/dccp/proto.c
|
||||
@@ -259,25 +259,30 @@ int dccp_disconnect(struct sock *sk, int flags)
|
||||
{
|
||||
struct inet_connection_sock *icsk = inet_csk(sk);
|
||||
struct inet_sock *inet = inet_sk(sk);
|
||||
+ struct dccp_sock *dp = dccp_sk(sk);
|
||||
int err = 0;
|
||||
const int old_state = sk->sk_state;
|
||||
|
||||
if (old_state != DCCP_CLOSED)
|
||||
dccp_set_state(sk, DCCP_CLOSED);
|
||||
|
||||
/*
|
||||
* This corresponds to the ABORT function of RFC793, sec. 3.8
|
||||
* TCP uses a RST segment, DCCP a Reset packet with Code 2, "Aborted".
|
||||
*/
|
||||
if (old_state == DCCP_LISTEN) {
|
||||
inet_csk_listen_stop(sk);
|
||||
} else if (dccp_need_reset(old_state)) {
|
||||
dccp_send_reset(sk, DCCP_RESET_CODE_ABORTED);
|
||||
sk->sk_err = ECONNRESET;
|
||||
} else if (old_state == DCCP_REQUESTING)
|
||||
sk->sk_err = ECONNRESET;
|
||||
|
||||
dccp_clear_xmit_timers(sk);
|
||||
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
|
||||
+ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
|
||||
+ dp->dccps_hc_rx_ccid = NULL;
|
||||
+ dp->dccps_hc_tx_ccid = NULL;
|
||||
|
||||
__skb_queue_purge(&sk->sk_receive_queue);
|
||||
__skb_queue_purge(&sk->sk_write_queue);
|
||||
--
|
||||
2.15.1
|
||||
|
||||
@ -1,10 +1,10 @@
|
||||
From e722c8d112f0aa9621d7d4da5223cfc7aeb45e88 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <e722c8d112f0aa9621d7d4da5223cfc7aeb45e88.1516188238.git.jan.steffens@gmail.com>
|
||||
In-Reply-To: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
|
||||
References: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
|
||||
From 3383f4060f7fe25afd5f863fe169fd2f286ab237 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <3383f4060f7fe25afd5f863fe169fd2f286ab237.1517188106.git.jan.steffens@gmail.com>
|
||||
In-Reply-To: <4aefcc4253233dce6ac5938e01371074958b8f1c.1517188106.git.jan.steffens@gmail.com>
|
||||
References: <4aefcc4253233dce6ac5938e01371074958b8f1c.1517188106.git.jan.steffens@gmail.com>
|
||||
From: Jim Bride <jim.bride@linux.intel.com>
|
||||
Date: Mon, 6 Nov 2017 13:38:57 -0800
|
||||
Subject: [PATCH 4/4] drm/i915/edp: Only use the alternate fixed mode if it's
|
||||
Subject: [PATCH 2/2] drm/i915/edp: Only use the alternate fixed mode if it's
|
||||
asked for
|
||||
|
||||
In commit dc911f5bd8aa ("drm/i915/edp: Allow alternate fixed mode for
|
||||
@ -24,10 +24,10 @@ Signed-off-by: Jim Bride <jim.bride@linux.intel.com>
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
|
||||
index 09f274419eea..838cee312e8e 100644
|
||||
index 158438bb0389..69b16df868ea 100644
|
||||
--- a/drivers/gpu/drm/i915/intel_dp.c
|
||||
+++ b/drivers/gpu/drm/i915/intel_dp.c
|
||||
@@ -1632,7 +1632,8 @@ static bool intel_edp_compare_alt_mode(struct drm_display_mode *m1,
|
||||
@@ -1616,7 +1616,8 @@ static bool intel_edp_compare_alt_mode(struct drm_display_mode *m1,
|
||||
m1->vdisplay == m2->vdisplay &&
|
||||
m1->vsync_start == m2->vsync_start &&
|
||||
m1->vsync_end == m2->vsync_end &&
|
||||
@ -38,5 +38,5 @@ index 09f274419eea..838cee312e8e 100644
|
||||
}
|
||||
|
||||
--
|
||||
2.15.1
|
||||
2.16.1
|
||||
|
||||
@ -1,49 +0,0 @@
|
||||
From c9c8995fc83b476fdf3fc0c4b498feef2949ec75 Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <c9c8995fc83b476fdf3fc0c4b498feef2949ec75.1516188238.git.jan.steffens@gmail.com>
|
||||
In-Reply-To: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
|
||||
References: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com>
|
||||
From: Steffen Klassert <steffen.klassert@secunet.com>
|
||||
Date: Fri, 22 Dec 2017 10:44:57 +0100
|
||||
Subject: [PATCH 3/4] xfrm: Fix stack-out-of-bounds read on socket policy
|
||||
lookup.
|
||||
|
||||
When we do tunnel or beet mode, we pass saddr and daddr from the
|
||||
template to xfrm_state_find(), this is ok. On transport mode,
|
||||
we pass the addresses from the flowi, assuming that the IP
|
||||
addresses (and address family) don't change during transformation.
|
||||
This assumption is wrong in the IPv4 mapped IPv6 case, packet
|
||||
is IPv4 and template is IPv6.
|
||||
|
||||
Fix this by catching address family missmatches of the policy
|
||||
and the flow already before we do the lookup.
|
||||
|
||||
Reported-by: syzbot <syzkaller@googlegroups.com>
|
||||
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
||||
---
|
||||
net/xfrm/xfrm_policy.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
|
||||
index 6bc16bb61b55..50c5f46b5cca 100644
|
||||
--- a/net/xfrm/xfrm_policy.c
|
||||
+++ b/net/xfrm/xfrm_policy.c
|
||||
@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
|
||||
again:
|
||||
pol = rcu_dereference(sk->sk_policy[dir]);
|
||||
if (pol != NULL) {
|
||||
- bool match = xfrm_selector_match(&pol->selector, fl, family);
|
||||
+ bool match;
|
||||
int err = 0;
|
||||
|
||||
+ if (pol->family != family) {
|
||||
+ pol = NULL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ match = xfrm_selector_match(&pol->selector, fl, family);
|
||||
if (match) {
|
||||
if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
|
||||
pol = NULL;
|
||||
--
|
||||
2.15.1
|
||||
|
||||
35
PKGBUILD
35
PKGBUILD
@ -3,8 +3,8 @@
|
||||
|
||||
pkgbase=linux # Build stock -ARCH kernel
|
||||
#pkgbase=linux-custom # Build kernel with a different name
|
||||
_srcname=linux-4.14
|
||||
pkgver=4.14.15
|
||||
_srcname=linux-4.15
|
||||
pkgver=4.15
|
||||
pkgrel=1
|
||||
arch=('x86_64')
|
||||
url="https://www.kernel.org/"
|
||||
@ -14,33 +14,27 @@ options=('!strip')
|
||||
source=(
|
||||
"https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
|
||||
"https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.sign"
|
||||
"https://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.xz"
|
||||
"https://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.sign"
|
||||
#"https://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.xz"
|
||||
#"https://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.sign"
|
||||
'config' # the main kernel config file
|
||||
'60-linux.hook' # pacman hook for depmod
|
||||
'90-linux.hook' # pacman hook for initramfs regeneration
|
||||
'linux.preset' # standard config files for mkinitcpio ramdisk
|
||||
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
|
||||
0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
|
||||
0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
|
||||
0004-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch
|
||||
0002-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch
|
||||
)
|
||||
validpgpkeys=(
|
||||
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
|
||||
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
|
||||
)
|
||||
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
|
||||
sha256sums=('5a26478906d5005f4f809402e981518d2b8844949199f60c4b6e1f986ca2a769'
|
||||
'SKIP'
|
||||
'54a6359ed333e619db8c5c88020ff20f1e25635337f01f50a7488ec2fc0fe030'
|
||||
'SKIP'
|
||||
'edaf7bebcaf3032e3bf15353e0773e39872c73fc024ca4d23383195a13745b2e'
|
||||
'8e80162a2d8952b7e0a4967647eed940b2b983e950bfe630918bd90cb1107a25'
|
||||
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
|
||||
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
|
||||
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
|
||||
'36b1118c8dedadc4851150ddd4eb07b1c58ac5bbf3022cc2501a27c2b476da98'
|
||||
'5694022613bb49a77d3dfafdd2e635e9015e0a9069c58a07e99bdc5df6520311'
|
||||
'2f46093fde72eabc0fd25eff5065d780619fc5e7d2143d048877a8220d6291b0'
|
||||
'6364edabad4182dcf148ae7c14d8f45d61037d4539e76486f978f1af3a090794')
|
||||
'7b7363b53c68f52b119df994c9c08d4f29271b408f021366ab23f862518bd9bc'
|
||||
'ac996455cddccc312d93e63845d92b2d8ab8fb53208a221948d28c76c678d215')
|
||||
|
||||
_kernelname=${pkgbase#linux}
|
||||
|
||||
@ -48,8 +42,7 @@ prepare() {
|
||||
cd ${_srcname}
|
||||
|
||||
# add upstream patch
|
||||
patch -p1 -i ../patch-${pkgver}
|
||||
chmod +x tools/objtool/sync-check.sh # GNU patch doesn't support git-style file mode
|
||||
#patch -p1 -i ../patch-${pkgver}
|
||||
|
||||
# security patches
|
||||
|
||||
@ -59,14 +52,8 @@ prepare() {
|
||||
# disable USER_NS for non-root users by default
|
||||
patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
|
||||
|
||||
# https://nvd.nist.gov/vuln/detail/CVE-2017-8824
|
||||
patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
|
||||
|
||||
# https://bugs.archlinux.org/task/56605
|
||||
patch -Np1 -i ../0003-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
|
||||
|
||||
# https://bugs.archlinux.org/task/56711
|
||||
patch -Np1 -i ../0004-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch
|
||||
patch -Np1 -i ../0002-drm-i915-edp-Only-use-the-alternate-fixed-mode-if-it.patch
|
||||
|
||||
cp -Tf ../config .config
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user