[arch-commits] Commit in linux-hardened/trunk (15 files)

Levente Polyak anthraxx at archlinux.org
Tue Dec 26 01:48:42 UTC 2017


    Date: Tuesday, December 26, 2017 @ 01:48:41
  Author: anthraxx
Revision: 276080

upgpkg: linux-hardened 4.14.9.a-1

disable CONFIG_FB_UDL duo conflict with CONFIG_DRM_UDL

Added:
  linux-hardened/trunk/ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
  linux-hardened/trunk/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
  linux-hardened/trunk/CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
  linux-hardened/trunk/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
  linux-hardened/trunk/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
  linux-hardened/trunk/CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
  linux-hardened/trunk/CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
  linux-hardened/trunk/Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
  linux-hardened/trunk/cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
  linux-hardened/trunk/e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
  linux-hardened/trunk/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch
Modified:
  linux-hardened/trunk/PKGBUILD
  linux-hardened/trunk/config.x86_64
Deleted:
  linux-hardened/trunk/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
  linux-hardened/trunk/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch

---------------------------------------------------------------------------------+
 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch                 |   73 ----
 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch                       |   57 ---
 ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch                      |   76 ++++
 CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch |   78 ++++
 CVE-2017-17449-netlink-Add-netns-check-on-taps.patch                            |   43 ++
 CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch             |   60 +++
 CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch           |   74 ++++
 CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch             |  161 ++++++++++
 CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch                            |   42 ++
 PKGBUILD                                                                        |   59 ++-
 Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch               |   71 ++++
 cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch                      |  132 ++++++++
 config.x86_64                                                                   |    8 
 e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch                      |   73 ++++
 xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch                 |   53 +++
 15 files changed, 911 insertions(+), 149 deletions(-)

Deleted: 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
===================================================================
--- 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch	2017-12-26 01:23:32 UTC (rev 276079)
+++ 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -1,73 +0,0 @@
-From c3c1af44db713ac6624e729ea4832d0ce70685e0 Mon Sep 17 00:00:00 2001
-Message-Id: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens at gmail.com>
-From: Benjamin Poirier <bpoirier at suse.com>
-Date: Mon, 11 Dec 2017 16:26:40 +0900
-Subject: [PATCH 1/2] e1000e: Fix e1000_check_for_copper_link_ich8lan return
- value.
-
-e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
-are the two functions that may be assigned to mac.ops.check_for_link when
-phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
-Separate signaling for link check/link up") changed the meaning of the
-return value of check_for_link for copper media but only adjusted the first
-function. This patch adjusts the second function likewise.
-
-Reported-by: Christian Hesse <list at eworm.de>
-Reported-by: Gabriel C <nix.or.die at gmail.com>
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
-Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
-Tested-by: Christian Hesse <list at eworm.de>
-Signed-off-by: Benjamin Poirier <bpoirier at suse.com>
----
- drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
-index d6d4ed7acf031172..31277d3bb7dc1241 100644
---- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
-+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
-@@ -1367,22 +1367,25 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw *hw, bool force)
-  *  Checks to see of the link status of the hardware has changed.  If a
-  *  change in link status has been detected, then we read the PHY registers
-  *  to get the current speed/duplex if link exists.
-+ *
-+ *  Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
-+ *  up).
-  **/
- static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
- {
- 	struct e1000_mac_info *mac = &hw->mac;
- 	s32 ret_val, tipg_reg = 0;
- 	u16 emi_addr, emi_val = 0;
- 	bool link;
- 	u16 phy_reg;
- 
- 	/* We only want to go out to the PHY registers to see if Auto-Neg
- 	 * has completed and/or if our link status has changed.  The
- 	 * get_link_status flag is set upon receiving a Link Status
- 	 * Change or Rx Sequence Error interrupt.
- 	 */
- 	if (!mac->get_link_status)
--		return 0;
-+		return 1;
- 
- 	/* First we want to see if the MII Status Register reports
- 	 * link.  If so, then we want to get the current speed/duplex
-@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
- 	 * different link partner.
- 	 */
- 	ret_val = e1000e_config_fc_after_link_up(hw);
--	if (ret_val)
-+	if (ret_val) {
- 		e_dbg("Error configuring flow control\n");
-+		return ret_val;
-+	}
- 
--	return ret_val;
-+	return 1;
- }
- 
- static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
--- 
-2.15.1
-

Deleted: 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
===================================================================
--- 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch	2017-12-26 01:23:32 UTC (rev 276079)
+++ 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -1,57 +0,0 @@
-From 80d3e994e0631d9135cadf20a0b5ad483d7e9bbb Mon Sep 17 00:00:00 2001
-Message-Id: <80d3e994e0631d9135cadf20a0b5ad483d7e9bbb.1513282811.git.jan.steffens at gmail.com>
-In-Reply-To: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens at gmail.com>
-References: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens at gmail.com>
-From: Mohamed Ghannam <simo.ghannam at gmail.com>
-Date: Tue, 5 Dec 2017 20:58:35 +0000
-Subject: [PATCH 2/2] dccp: CVE-2017-8824: use-after-free in DCCP code
-
-Whenever the sock object is in DCCP_CLOSED state,
-dccp_disconnect() must free dccps_hc_tx_ccid and
-dccps_hc_rx_ccid and set to NULL.
-
-Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
-Reviewed-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/dccp/proto.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/net/dccp/proto.c b/net/dccp/proto.c
-index b68168fcc06aa198..9d43c1f4027408f3 100644
---- a/net/dccp/proto.c
-+++ b/net/dccp/proto.c
-@@ -259,25 +259,30 @@ int dccp_disconnect(struct sock *sk, int flags)
- {
- 	struct inet_connection_sock *icsk = inet_csk(sk);
- 	struct inet_sock *inet = inet_sk(sk);
-+	struct dccp_sock *dp = dccp_sk(sk);
- 	int err = 0;
- 	const int old_state = sk->sk_state;
- 
- 	if (old_state != DCCP_CLOSED)
- 		dccp_set_state(sk, DCCP_CLOSED);
- 
- 	/*
- 	 * This corresponds to the ABORT function of RFC793, sec. 3.8
- 	 * TCP uses a RST segment, DCCP a Reset packet with Code 2, "Aborted".
- 	 */
- 	if (old_state == DCCP_LISTEN) {
- 		inet_csk_listen_stop(sk);
- 	} else if (dccp_need_reset(old_state)) {
- 		dccp_send_reset(sk, DCCP_RESET_CODE_ABORTED);
- 		sk->sk_err = ECONNRESET;
- 	} else if (old_state == DCCP_REQUESTING)
- 		sk->sk_err = ECONNRESET;
- 
- 	dccp_clear_xmit_timers(sk);
-+	ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
-+	ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
-+	dp->dccps_hc_rx_ccid = NULL;
-+	dp->dccps_hc_tx_ccid = NULL;
- 
- 	__skb_queue_purge(&sk->sk_receive_queue);
- 	__skb_queue_purge(&sk->sk_write_queue);
--- 
-2.15.1
-

Added: ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
===================================================================
--- ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch	                        (rev 0)
+++ ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -0,0 +1,76 @@
+From 5a15f289ee87eaf33f13f08a4909ec99d837ec5f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai at suse.de>
+Date: Mon, 18 Dec 2017 23:36:57 +0100
+Subject: [PATCH] ALSA: usb-audio: Fix the missing ctl name suffix at parsing
+ SU
+
+The commit 89b89d121ffc ("ALSA: usb-audio: Add check return value for
+usb_string()") added the check of the return value from
+snd_usb_copy_string_desc(), which is correct per se, but it introduced
+a regression.  In the original code, either the "Clock Source",
+"Playback Source" or "Capture Source" suffix is added after the
+terminal string, while the commit changed it to add the suffix only
+when get_term_name() is failing.  It ended up with an incorrect ctl
+name like "PCM" instead of "PCM Capture Source".
+
+Also, even the original code has a similar bug: when the ctl name is
+generated from snd_usb_copy_string_desc() for the given iSelector, it
+also doesn't put the suffix.
+
+This patch addresses these issues: the suffix is added always when no
+static mapping is found.  Also the patch tries to put more comments
+and cleans up the if/else block for better readability in order to
+avoid the same pitfall again.
+
+Fixes: 89b89d121ffc ("ALSA: usb-audio: Add check return value for usb_string()")
+Reported-and-tested-by: Mauro Santos <registo.mailling at gmail.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/usb/mixer.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index afc208e1c756..60ebc99ae323 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2173,20 +2173,25 @@ static int parse_audio_selector_unit(struct mixer_build *state, int unitid,
+ 	kctl->private_value = (unsigned long)namelist;
+ 	kctl->private_free = usb_mixer_selector_elem_free;
+ 
+-	nameid = uac_selector_unit_iSelector(desc);
++	/* check the static mapping table at first */
+ 	len = check_mapped_name(map, kctl->id.name, sizeof(kctl->id.name));
+-	if (len)
+-		;
+-	else if (nameid)
+-		len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
+-					 sizeof(kctl->id.name));
+-	else
+-		len = get_term_name(state, &state->oterm,
+-				    kctl->id.name, sizeof(kctl->id.name), 0);
+-
+ 	if (!len) {
+-		strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
++		/* no mapping ? */
++		/* if iSelector is given, use it */
++		nameid = uac_selector_unit_iSelector(desc);
++		if (nameid)
++			len = snd_usb_copy_string_desc(state, nameid,
++						       kctl->id.name,
++						       sizeof(kctl->id.name));
++		/* ... or pick up the terminal name at next */
++		if (!len)
++			len = get_term_name(state, &state->oterm,
++				    kctl->id.name, sizeof(kctl->id.name), 0);
++		/* ... or use the fixed string "USB" as the last resort */
++		if (!len)
++			strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+ 
++		/* and add the proper suffix */
+ 		if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
+ 			append_ctl_name(kctl, " Clock Source");
+ 		else if ((state->oterm.type & 0xff00) == 0x0100)
+-- 
+2.15.1
+

Added: CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
===================================================================
--- CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch	                        (rev 0)
+++ CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -0,0 +1,78 @@
+From 4b380c42f7d00a395feede754f0bc2292eebe6e5 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Sun, 3 Dec 2017 12:12:45 -0800
+Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, nfnl_cthelper_list is shared by all net namespaces on the
+system.  An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+    $ nfct helper list
+    nfct v1.4.4: netlink error: Operation not permitted
+    $ vpnns -- nfct helper list
+    {
+            .name = ftp,
+            .queuenum = 0,
+            .l3protonum = 2,
+            .l4protonum = 6,
+            .priv_data_len = 24,
+            .status = enabled,
+    };
+
+Add capable() checks in nfnetlink_cthelper, as this is cleaner than
+trying to generalize the solution.
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
+index 41628b393673..d33ce6d5ebce 100644
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -17,6 +17,7 @@
+ #include <linux/types.h>
+ #include <linux/list.h>
+ #include <linux/errno.h>
++#include <linux/capability.h>
+ #include <net/netlink.h>
+ #include <net/sock.h>
+ 
+@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
+ 	struct nfnl_cthelper *nlcth;
+ 	int ret = 0;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
+ 		return -EINVAL;
+ 
+@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
+ 	struct nfnl_cthelper *nlcth;
+ 	bool tuple_set = false;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
+ 		struct netlink_dump_control c = {
+ 			.dump = nfnl_cthelper_dump_table,
+@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
+ 	struct nfnl_cthelper *nlcth, *n;
+ 	int j = 0, ret;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (tb[NFCTH_NAME])
+ 		helper_name = nla_data(tb[NFCTH_NAME]);
+ 
+-- 
+2.15.1
+

Added: CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
===================================================================
--- CVE-2017-17449-netlink-Add-netns-check-on-taps.patch	                        (rev 0)
+++ CVE-2017-17449-netlink-Add-netns-check-on-taps.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -0,0 +1,43 @@
+From 93c647643b48f0131f02e45da3bd367d80443291 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Wed, 6 Dec 2017 12:12:27 -0800
+Subject: [PATCH] netlink: Add netns check on taps
+
+Currently, a nlmon link inside a child namespace can observe systemwide
+netlink activity.  Filter the traffic so that nlmon can only sniff
+netlink messages from its own netns.
+
+Test case:
+
+    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
+                      ip link set nlmon0 up; \
+                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
+    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
+        spi 0x1 mode transport \
+        auth sha1 0x6162633132330000000000000000000000000000 \
+        enc aes 0x00000000000000000000000000000000
+    grep --binary abc123 /tmp/nlmon.pcap
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/netlink/af_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index b9e0ee4e22f5..79cc1bf36e4a 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -253,6 +253,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
+ 	struct sock *sk = skb->sk;
+ 	int ret = -ENOMEM;
+ 
++	if (!net_eq(dev_net(dev), sock_net(sk)))
++		return 0;
++
+ 	dev_hold(dev);
+ 
+ 	if (is_vmalloc_addr(skb->head))
+-- 
+2.15.1
+

Added: CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
===================================================================
--- CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch	                        (rev 0)
+++ CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -0,0 +1,60 @@
+From 916a27901de01446bcf57ecca4783f6cff493309 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Tue, 5 Dec 2017 15:42:41 -0800
+Subject: [PATCH] netfilter: xt_osf: Add missing permission checks
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, xt_osf_fingers is shared by all net namespaces on the
+system.  An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+    vpnns -- nfnl_osf -f /tmp/pf.os
+
+    vpnns -- nfnl_osf -f /tmp/pf.os -d
+
+These non-root operations successfully modify the systemwide OS
+fingerprint list.  Add new capable() checks so that they can't.
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/xt_osf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
+index 36e14b1f061d..a34f314a8c23 100644
+--- a/net/netfilter/xt_osf.c
++++ b/net/netfilter/xt_osf.c
+@@ -19,6 +19,7 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ 
++#include <linux/capability.h>
+ #include <linux/if.h>
+ #include <linux/inetdevice.h>
+ #include <linux/ip.h>
+@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
+ 	struct xt_osf_finger *kf = NULL, *sf;
+ 	int err = 0;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (!osf_attrs[OSF_ATTR_FINGER])
+ 		return -EINVAL;
+ 
+@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
+ 	struct xt_osf_finger *sf;
+ 	int err = -ENOENT;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (!osf_attrs[OSF_ATTR_FINGER])
+ 		return -EINVAL;
+ 
+-- 
+2.15.1
+

Added: CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
===================================================================
--- CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch	                        (rev 0)
+++ CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -0,0 +1,74 @@
+From 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam <simo.ghannam at gmail.com>
+Date: Sun, 10 Dec 2017 03:50:58 +0000
+Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
+
+inet->hdrincl is racy, and could lead to uninitialized stack pointer
+usage, so its value should be read only once.
+
+Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
+Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
+Reviewed-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/raw.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 33b70bfd1122..125c1eab3eaa 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ 	int err;
+ 	struct ip_options_data opt_copy;
+ 	struct raw_frag_vec rfv;
++	int hdrincl;
+ 
+ 	err = -EMSGSIZE;
+ 	if (len > 0xFFFF)
+ 		goto out;
+ 
++	/* hdrincl should be READ_ONCE(inet->hdrincl)
++	 * but READ_ONCE() doesn't work with bit fields
++	 */
++	hdrincl = inet->hdrincl;
+ 	/*
+ 	 *	Check the flags.
+ 	 */
+@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ 		/* Linux does not mangle headers on raw sockets,
+ 		 * so that IP options + IP_HDRINCL is non-sense.
+ 		 */
+-		if (inet->hdrincl)
++		if (hdrincl)
+ 			goto done;
+ 		if (ipc.opt->opt.srr) {
+ 			if (!daddr)
+@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ 
+ 	flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
+ 			   RT_SCOPE_UNIVERSE,
+-			   inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
++			   hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+ 			   inet_sk_flowi_flags(sk) |
+-			    (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
++			    (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+ 			   daddr, saddr, 0, 0, sk->sk_uid);
+ 
+-	if (!inet->hdrincl) {
++	if (!hdrincl) {
+ 		rfv.msg = msg;
+ 		rfv.hlen = 0;
+ 
+@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ 		goto do_confirm;
+ back_from_confirm:
+ 
+-	if (inet->hdrincl)
++	if (hdrincl)
+ 		err = raw_send_hdrinc(sk, &fl4, msg, len,
+ 				      &rt, msg->msg_flags, &ipc.sockc);
+ 
+-- 
+2.15.1
+

Added: CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
===================================================================
--- CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch	                        (rev 0)
+++ CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -0,0 +1,161 @@
+From e39d200fa5bf5b94a0948db0dae44c1b73b84a56 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li at hotmail.com>
+Date: Thu, 14 Dec 2017 17:40:50 -0800
+Subject: [PATCH] KVM: Fix stack-out-of-bounds read in write_mmio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by syzkaller:
+
+  BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
+  Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
+
+  CPU: 6 PID: 32298 Comm: syz-executor Tainted: G           OE    4.15.0-rc2+ #18
+  Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
+  Call Trace:
+   dump_stack+0xab/0xe1
+   print_address_description+0x6b/0x290
+   kasan_report+0x28a/0x370
+   write_mmio+0x11e/0x270 [kvm]
+   emulator_read_write_onepage+0x311/0x600 [kvm]
+   emulator_read_write+0xef/0x240 [kvm]
+   emulator_fix_hypercall+0x105/0x150 [kvm]
+   em_hypercall+0x2b/0x80 [kvm]
+   x86_emulate_insn+0x2b1/0x1640 [kvm]
+   x86_emulate_instruction+0x39a/0xb90 [kvm]
+   handle_exception+0x1b4/0x4d0 [kvm_intel]
+   vcpu_enter_guest+0x15a0/0x2640 [kvm]
+   kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
+   kvm_vcpu_ioctl+0x479/0x880 [kvm]
+   do_vfs_ioctl+0x142/0x9a0
+   SyS_ioctl+0x74/0x80
+   entry_SYSCALL_64_fastpath+0x23/0x9a
+
+The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
+to the guest memory, however, write_mmio tracepoint always prints 8 bytes
+through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
+leaks 5 bytes from the kernel stack (CVE-2017-17741).  This patch fixes
+it by just accessing the bytes which we operate on.
+
+Before patch:
+
+syz-executor-5567  [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
+
+After patch:
+
+syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Reviewed-by: Darren Kenny <darren.kenny at oracle.com>
+Reviewed-by: Marc Zyngier <marc.zyngier at arm.com>
+Tested-by: Marc Zyngier <marc.zyngier at arm.com>
+Cc: Paolo Bonzini <pbonzini at redhat.com>
+Cc: Radim Krčmář <rkrcmar at redhat.com>
+Cc: Marc Zyngier <marc.zyngier at arm.com>
+Cc: Christoffer Dall <christoffer.dall at linaro.org>
+Signed-off-by: Wanpeng Li <wanpeng.li at hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ arch/x86/kvm/x86.c         | 8 ++++----
+ include/trace/events/kvm.h | 7 +++++--
+ virt/kvm/arm/mmio.c        | 6 +++---
+ 3 files changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 3a82f2d4333b..1cec2c62a0b0 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4384,7 +4384,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v)
+ 					 addr, n, v))
+ 		    && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
+ 			break;
+-		trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
++		trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
+ 		handled += n;
+ 		addr += n;
+ 		len -= n;
+@@ -4643,7 +4643,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
+ {
+ 	if (vcpu->mmio_read_completed) {
+ 		trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
+-			       vcpu->mmio_fragments[0].gpa, *(u64 *)val);
++			       vcpu->mmio_fragments[0].gpa, val);
+ 		vcpu->mmio_read_completed = 0;
+ 		return 1;
+ 	}
+@@ -4665,14 +4665,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
+ 
+ static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
+ {
+-	trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
++	trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
+ 	return vcpu_mmio_write(vcpu, gpa, bytes, val);
+ }
+ 
+ static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
+ 			  void *val, int bytes)
+ {
+-	trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
++	trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
+ 	return X86EMUL_IO_NEEDED;
+ }
+ 
+diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
+index e4b0b8e09932..2c735a3e6613 100644
+--- a/include/trace/events/kvm.h
++++ b/include/trace/events/kvm.h
+@@ -211,7 +211,7 @@ TRACE_EVENT(kvm_ack_irq,
+ 	{ KVM_TRACE_MMIO_WRITE, "write" }
+ 
+ TRACE_EVENT(kvm_mmio,
+-	TP_PROTO(int type, int len, u64 gpa, u64 val),
++	TP_PROTO(int type, int len, u64 gpa, void *val),
+ 	TP_ARGS(type, len, gpa, val),
+ 
+ 	TP_STRUCT__entry(
+@@ -225,7 +225,10 @@ TRACE_EVENT(kvm_mmio,
+ 		__entry->type		= type;
+ 		__entry->len		= len;
+ 		__entry->gpa		= gpa;
+-		__entry->val		= val;
++		__entry->val		= 0;
++		if (val)
++			memcpy(&__entry->val, val,
++			       min_t(u32, sizeof(__entry->val), len));
+ 	),
+ 
+ 	TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
+diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c
+index b6e715fd3c90..dac7ceb1a677 100644
+--- a/virt/kvm/arm/mmio.c
++++ b/virt/kvm/arm/mmio.c
+@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
+ 		}
+ 
+ 		trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
+-			       data);
++			       &data);
+ 		data = vcpu_data_host_to_guest(vcpu, data, len);
+ 		vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
+ 	}
+@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
+ 		data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
+ 					       len);
+ 
+-		trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
++		trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
+ 		kvm_mmio_write_buf(data_buf, len, data);
+ 
+ 		ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+ 				       data_buf);
+ 	} else {
+ 		trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
+-			       fault_ipa, 0);
++			       fault_ipa, NULL);
+ 
+ 		ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+ 				      data_buf);
+-- 
+2.15.1
+

Added: CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
===================================================================
--- CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch	                        (rev 0)
+++ CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -0,0 +1,42 @@
+From 69c64866ce072dea1d1e59a0d61e0f66c0dffb76 Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam <simo.ghannam at gmail.com>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: [PATCH] dccp: CVE-2017-8824: use-after-free in DCCP code
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
+Reviewed-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index b68168fcc06a..9d43c1f40274 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
+ {
+ 	struct inet_connection_sock *icsk = inet_csk(sk);
+ 	struct inet_sock *inet = inet_sk(sk);
++	struct dccp_sock *dp = dccp_sk(sk);
+ 	int err = 0;
+ 	const int old_state = sk->sk_state;
+ 
+@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
+ 		sk->sk_err = ECONNRESET;
+ 
+ 	dccp_clear_xmit_timers(sk);
++	ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++	ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++	dp->dccps_hc_rx_ccid = NULL;
++	dp->dccps_hc_tx_ccid = NULL;
+ 
+ 	__skb_queue_purge(&sk->sk_receive_queue);
+ 	__skb_queue_purge(&sk->sk_write_queue);
+-- 
+2.15.1
+

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-12-26 01:23:32 UTC (rev 276079)
+++ PKGBUILD	2017-12-26 01:48:41 UTC (rev 276080)
@@ -5,8 +5,8 @@
 
 pkgbase=linux-hardened
 _srcname=linux-4.14
-_pkgver=4.14.8
-pkgver=${_pkgver}.b
+_pkgver=4.14.9
+pkgver=${_pkgver}.a
 pkgrel=1
 url='https://github.com/copperhead/linux-hardened'
 arch=('x86_64')
@@ -22,22 +22,46 @@
         60-linux.hook  # pacman hook for depmod
         90-linux.hook  # pacman hook for initramfs regeneration
         linux.preset   # standard config files for mkinitcpio ramdisk
-        0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
-        0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+
+        # https://bugs.archlinux.org/task/56575
+        e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+        # https://bugs.archlinux.org/task/56830
+        ALSA-usb-audio-Fix-the-missing-ctl-name-suffix-at-pa.patch
+        # https://bugs.archlinux.org/task/56605
+        Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
+        xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch
+        # https://bugs.archlinux.org/task/56846
+        cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+
+        CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
+        CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
+        CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
+        CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
+        CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
+        CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
 )
 replaces=('linux-grsec')
 sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
             'SKIP'
-            '42eaed731b716244514b765c199e8f675d79287d7630e5c2911053ad52a1fa0a'
+            '5edc955bb67b04c7ed426b1df17a3e322e32ad9fdda9c6abb53ab6eca7faf704'
             'SKIP'
-            '21741edf5b909b06acb7cd76a78deb144f831e97db450d569cad62b5161aef7a'
+            'befa19a5aae4feca5c81b312ae382fcb2674fa55fa9cb1e9e744866fb7783116'
             'SKIP'
-            '4c862b4bf215922a9802a7deb40f3e1a16886b4b7f288838d3b981d24332bf9f'
+            '107edfa9b1866d0ab4648485bcce0982f039f2b82f88fe5c05b9090b787a5d64'
             'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
             '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
             'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
             'c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3'
-            '1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2')
+            'cbf586270595a89835dc02602983028f4cea80c40a43be3d4871dae4fdb46b84'
+            'f7c86f7aa4c7d671a5ff80bcd92a33db2fa6e95b78188261db0ef260a7d75cd8'
+            '294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45'
+            '721c387db986d883a6df6b0da17941ce6d59811b0647ae6653b978c5ee144f19'
+            '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9'
+            'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5'
+            '830ef08edbf98153ff13a573270cb714605582ef19fb0c3e6eadb8876edd247f'
+            '72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435'
+            '0ee6eae96743dca76dc018c354dd82e820fba0cb310618131e178684d85fd8c9'
+            'ee125179fdd295266aba52e1aebaef97cb41f4a05d9cd1c2b11b4ce83746e197')
 validpgpkeys=(
               'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
               '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
@@ -49,22 +73,27 @@
   cd ${_srcname}
 
   # add upstream patch
+  msg2 "Applying upstream patch"
   patch -Np1 -i ../patch-${_pkgver}
 
-  # security patches
+  # apply all patches
+  for _patch in "${source[@]}"; do
+    _patch=${_patch%%::*}
+    _patch=${_patch##*/}
+    if [[ "${_patch}" =~ \.patch$ ]] &&
+       [[ "${_patch}" != "${pkgbase}-${pkgver}.patch" ]]; then
+      msg2 "Applying patch ${_patch}"
+      patch -Np1 < "../${_patch}"
+    fi
+  done
 
-  # https://nvd.nist.gov/vuln/detail/CVE-2017-8824
-  patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
-
   # linux hardened patch
+  msg2 "Applying hardened patch"
   patch -Np1 -i ../${pkgbase}-${pkgver}.patch
 
   # add latest fixes from stable queue, if needed
   # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
 
-  # https://bugs.archlinux.org/task/56575
-  patch -Np1 -i ../0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
-
   cp -Tf ../config.${CARCH} .config
 
   if [ "${_kernelname}" != "" ]; then

Added: Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
===================================================================
--- Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch	                        (rev 0)
+++ Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -0,0 +1,71 @@
+From 94802151894d482e82c324edf2c658f8e6b96508 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert at secunet.com>
+Date: Wed, 15 Nov 2017 06:40:57 +0100
+Subject: [PATCH] Revert "xfrm: Fix stack-out-of-bounds read in
+ xfrm_state_find."
+
+This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
+
+This commit breaks transport mode when the policy template
+has widlcard addresses configured, so revert it.
+
+Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
+---
+ net/xfrm/xfrm_policy.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 2a6093840e7e..6bc16bb61b55 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1362,29 +1362,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
+ 	struct net *net = xp_net(policy);
+ 	int nx;
+ 	int i, error;
++	xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
++	xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
+ 	xfrm_address_t tmp;
+ 
+ 	for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
+ 		struct xfrm_state *x;
+-		xfrm_address_t *local;
+-		xfrm_address_t *remote;
++		xfrm_address_t *remote = daddr;
++		xfrm_address_t *local  = saddr;
+ 		struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
+ 
+-		remote = &tmpl->id.daddr;
+-		local = &tmpl->saddr;
+-		if (xfrm_addr_any(local, tmpl->encap_family)) {
+-			error = xfrm_get_saddr(net, fl->flowi_oif,
+-					       &tmp, remote,
+-					       tmpl->encap_family, 0);
+-			if (error)
+-				goto fail;
+-			local = &tmp;
++		if (tmpl->mode == XFRM_MODE_TUNNEL ||
++		    tmpl->mode == XFRM_MODE_BEET) {
++			remote = &tmpl->id.daddr;
++			local = &tmpl->saddr;
++			if (xfrm_addr_any(local, tmpl->encap_family)) {
++				error = xfrm_get_saddr(net, fl->flowi_oif,
++						       &tmp, remote,
++						       tmpl->encap_family, 0);
++				if (error)
++					goto fail;
++				local = &tmp;
++			}
+ 		}
+ 
+ 		x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
+ 
+ 		if (x && x->km.state == XFRM_STATE_VALID) {
+ 			xfrm[nx++] = x;
++			daddr = remote;
++			saddr = local;
+ 			continue;
+ 		}
+ 		if (x) {
+-- 
+2.15.1
+

Added: cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
===================================================================
--- cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch	                        (rev 0)
+++ cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -0,0 +1,132 @@
+From patchwork Wed Dec 20 15:13:31 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [cgroup/for-4.15-fixes] cgroup: fix css_task_iter crash on
+ CSS_TASK_ITER_PROC
+From: Tejun Heo <tj at kernel.org>
+X-Patchwork-Id: 10125801
+Message-Id: <20171220151331.GA3413940 at devbig577.frc2.facebook.com>
+To: Laura Abbott <labbott at redhat.com>
+Cc: Zefan Li <lizefan at huawei.com>, linux-kernel at vger.kernel.org,
+ cgroups at vger.kernel.org, regressions at leemhuis.info,
+ Bronek Kozicki <brok at incorrekt.com>, George Amanakis <gamanakis at gmail.com>
+Date: Wed, 20 Dec 2017 07:13:31 -0800
+
+Hello,
+
+Applied the following to cgroup/for-4.15-fixes.  Will push out to
+linus later this week.  I could reproduce the problem reliably and am
+pretty sure this is the right fix but I'd greatly appreciate if you
+guys can confirm the fix too.
+
+Thank you very much.
+
+------ 8< ------
+>From 74d0833c659a8a54735e5efdd44f4b225af68586 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj at kernel.org>
+Date: Wed, 20 Dec 2017 07:09:19 -0800
+
+While teaching css_task_iter to handle skipping over tasks which
+aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to
+css_task_iter_start() and implement CSS_TASK_ITER_PROCS") introduced a
+silly bug.
+
+CSS_TASK_ITER_PROCS is implemented by repeating
+css_task_iter_advance() while the advanced cursor is pointing to a
+non-leader thread.  However, the cursor variable, @l, wasn't updated
+when the iteration has to advance to the next css_set and the
+following repetition would operate on the terminal @l from the
+previous iteration which isn't pointing to a valid task leading to
+oopses like the following or infinite looping.
+
+  BUG: unable to handle kernel NULL pointer dereference at 0000000000000254
+  IP: __task_pid_nr_ns+0xc7/0xf0
+  PGD 0 P4D 0
+  Oops: 0000 [#1] SMP
+  ...
+  CPU: 2 PID: 1 Comm: systemd Not tainted 4.14.4-200.fc26.x86_64 #1
+  Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS 3203 11/09/2017
+  task: ffff88c4baee8000 task.stack: ffff96d5c3158000
+  RIP: 0010:__task_pid_nr_ns+0xc7/0xf0
+  RSP: 0018:ffff96d5c315bd50 EFLAGS: 00010206
+  RAX: 0000000000000000 RBX: ffff88c4b68c6000 RCX: 0000000000000250
+  RDX: ffffffffa5e47960 RSI: 0000000000000000 RDI: ffff88c490f6ab00
+  RBP: ffff96d5c315bd50 R08: 0000000000001000 R09: 0000000000000005
+  R10: ffff88c4be006b80 R11: ffff88c42f1b8004 R12: ffff96d5c315bf18
+  R13: ffff88c42d7dd200 R14: ffff88c490f6a510 R15: ffff88c4b68c6000
+  FS:  00007f9446f8ea00(0000) GS:ffff88c4be680000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 0000000000000254 CR3: 00000007f956f000 CR4: 00000000003406e0
+  Call Trace:
+   cgroup_procs_show+0x19/0x30
+   cgroup_seqfile_show+0x4c/0xb0
+   kernfs_seq_show+0x21/0x30
+   seq_read+0x2ec/0x3f0
+   kernfs_fop_read+0x134/0x180
+   __vfs_read+0x37/0x160
+   ? security_file_permission+0x9b/0xc0
+   vfs_read+0x8e/0x130
+   SyS_read+0x55/0xc0
+   entry_SYSCALL_64_fastpath+0x1a/0xa5
+  RIP: 0033:0x7f94455f942d
+  RSP: 002b:00007ffe81ba2d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
+  RAX: ffffffffffffffda RBX: 00005574e2233f00 RCX: 00007f94455f942d
+  RDX: 0000000000001000 RSI: 00005574e2321a90 RDI: 000000000000002b
+  RBP: 0000000000000000 R08: 00005574e2321a90 R09: 00005574e231de60
+  R10: 00007f94458c8b38 R11: 0000000000000293 R12: 00007f94458c8ae0
+  R13: 00007ffe81ba3800 R14: 0000000000000000 R15: 00005574e2116560
+  Code: 04 74 0e 89 f6 48 8d 04 76 48 8d 04 c5 f0 05 00 00 48 8b bf b8 05 00 00 48 01 c7 31 c0 48 8b 0f 48 85 c9 74 18 8b b2 30 08 00 00 <3b> 71 04 77 0d 48 c1 e6 05 48 01 f1 48 3b 51 38 74 09 5d c3 8b
+  RIP: __task_pid_nr_ns+0xc7/0xf0 RSP: ffff96d5c315bd50
+
+Fix it by moving the initialization of the cursor below the repeat
+label.  While at it, rename it to @next for readability.
+
+Signed-off-by: Tejun Heo <tj at kernel.org>
+Fixes: bc2fb7ed089f ("cgroup: add @flags to css_task_iter_start() and implement CSS_TASK_ITER_PROCS")
+Cc: stable at vger.kernel.org # v4.14+
+Reported-by: Laura Abbott <labbott at redhat.com>
+Reported-by: Bronek Kozicki <brok at incorrekt.com>
+Reported-by: George Amanakis <gamanakis at gmail.com>
+Signed-off-by: Tejun Heo <tj at kernel.org>
+---
+ kernel/cgroup/cgroup.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index f4c2f8c..2cf06c2 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -4125,26 +4125,24 @@ static void css_task_iter_advance_css_set(struct css_task_iter *it)
+ 
+ static void css_task_iter_advance(struct css_task_iter *it)
+ {
+-	struct list_head *l = it->task_pos;
++	struct list_head *next;
+ 
+ 	lockdep_assert_held(&css_set_lock);
+-	WARN_ON_ONCE(!l);
+-
+ repeat:
+ 	/*
+ 	 * Advance iterator to find next entry.  cset->tasks is consumed
+ 	 * first and then ->mg_tasks.  After ->mg_tasks, we move onto the
+ 	 * next cset.
+ 	 */
+-	l = l->next;
++	next = it->task_pos->next;
+ 
+-	if (l == it->tasks_head)
+-		l = it->mg_tasks_head->next;
++	if (next == it->tasks_head)
++		next = it->mg_tasks_head->next;
+ 
+-	if (l == it->mg_tasks_head)
++	if (next == it->mg_tasks_head)
+ 		css_task_iter_advance_css_set(it);
+ 	else
+-		it->task_pos = l;
++		it->task_pos = next;
+ 
+ 	/* if PROCS, skip over tasks which aren't group leaders */
+ 	if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&

Modified: config.x86_64
===================================================================
--- config.x86_64	2017-12-26 01:23:32 UTC (rev 276079)
+++ config.x86_64	2017-12-26 01:48:41 UTC (rev 276080)
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.8 Kernel Configuration
+# Linux/x86 4.14.9 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -5304,7 +5304,7 @@
 # CONFIG_FB_CARMINE is not set
 # CONFIG_FB_SM501 is not set
 # CONFIG_FB_SMSCUFX is not set
-CONFIG_FB_UDL=m
+# CONFIG_FB_UDL is not set
 # CONFIG_FB_IBM_GXT4500 is not set
 # CONFIG_FB_VIRTUAL is not set
 CONFIG_XEN_FBDEV_FRONTEND=m
@@ -8079,8 +8079,8 @@
 # CONFIG_DEBUG_NMI_SELFTEST is not set
 # CONFIG_X86_DEBUG_FPU is not set
 # CONFIG_PUNIT_ATOM_DEBUG is not set
-# CONFIG_FRAME_POINTER_UNWINDER is not set
-CONFIG_ORC_UNWINDER=y
+CONFIG_UNWINDER_ORC=y
+# CONFIG_UNWINDER_FRAME_POINTER is not set
 
 #
 # Security options

Added: e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
===================================================================
--- e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch	                        (rev 0)
+++ e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -0,0 +1,73 @@
+From c3c1af44db713ac6624e729ea4832d0ce70685e0 Mon Sep 17 00:00:00 2001
+Message-Id: <c3c1af44db713ac6624e729ea4832d0ce70685e0.1513282811.git.jan.steffens at gmail.com>
+From: Benjamin Poirier <bpoirier at suse.com>
+Date: Mon, 11 Dec 2017 16:26:40 +0900
+Subject: [PATCH 1/2] e1000e: Fix e1000_check_for_copper_link_ich8lan return
+ value.
+
+e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
+are the two functions that may be assigned to mac.ops.check_for_link when
+phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
+Separate signaling for link check/link up") changed the meaning of the
+return value of check_for_link for copper media but only adjusted the first
+function. This patch adjusts the second function likewise.
+
+Reported-by: Christian Hesse <list at eworm.de>
+Reported-by: Gabriel C <nix.or.die at gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
+Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
+Tested-by: Christian Hesse <list at eworm.de>
+Signed-off-by: Benjamin Poirier <bpoirier at suse.com>
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+index d6d4ed7acf031172..31277d3bb7dc1241 100644
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1367,22 +1367,25 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw *hw, bool force)
+  *  Checks to see of the link status of the hardware has changed.  If a
+  *  change in link status has been detected, then we read the PHY registers
+  *  to get the current speed/duplex if link exists.
++ *
++ *  Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
++ *  up).
+  **/
+ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ {
+ 	struct e1000_mac_info *mac = &hw->mac;
+ 	s32 ret_val, tipg_reg = 0;
+ 	u16 emi_addr, emi_val = 0;
+ 	bool link;
+ 	u16 phy_reg;
+ 
+ 	/* We only want to go out to the PHY registers to see if Auto-Neg
+ 	 * has completed and/or if our link status has changed.  The
+ 	 * get_link_status flag is set upon receiving a Link Status
+ 	 * Change or Rx Sequence Error interrupt.
+ 	 */
+ 	if (!mac->get_link_status)
+-		return 0;
++		return 1;
+ 
+ 	/* First we want to see if the MII Status Register reports
+ 	 * link.  If so, then we want to get the current speed/duplex
+@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ 	 * different link partner.
+ 	 */
+ 	ret_val = e1000e_config_fc_after_link_up(hw);
+-	if (ret_val)
++	if (ret_val) {
+ 		e_dbg("Error configuring flow control\n");
++		return ret_val;
++	}
+ 
+-	return ret_val;
++	return 1;
+ }
+ 
+ static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
+-- 
+2.15.1
+

Added: xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch
===================================================================
--- xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch	                        (rev 0)
+++ xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch	2017-12-26 01:48:41 UTC (rev 276080)
@@ -0,0 +1,53 @@
+From patchwork Fri Dec 22 09:44:57 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [4/8] xfrm: Fix stack-out-of-bounds read on socket policy lookup.
+X-Patchwork-Submitter: Steffen Klassert <steffen.klassert at secunet.com>
+X-Patchwork-Id: 852277
+X-Patchwork-Delegate: davem at davemloft.net
+Message-Id: <20171222094501.23345-5-steffen.klassert at secunet.com>
+To: David Miller <davem at davemloft.net>
+Cc: Herbert Xu <herbert at gondor.apana.org.au>,
+ Steffen Klassert <steffen.klassert at secunet.com>, <netdev at vger.kernel.org>
+Date: Fri, 22 Dec 2017 10:44:57 +0100
+From: Steffen Klassert <steffen.klassert at secunet.com>
+List-Id: <netdev.vger.kernel.org>
+
+When we do tunnel or beet mode, we pass saddr and daddr from the
+template to xfrm_state_find(), this is ok. On transport mode,
+we pass the addresses from the flowi, assuming that the IP
+addresses (and address family) don't change during transformation.
+This assumption is wrong in the IPv4 mapped IPv6 case, packet
+is IPv4 and template is IPv6.
+
+Fix this by catching address family missmatches of the policy
+and the flow already before we do the lookup.
+
+Reported-by: syzbot <syzkaller at googlegroups.com>
+Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
+---
+ net/xfrm/xfrm_policy.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 9542975eb2f9..038ec68f6901 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1168,9 +1168,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
+  again:
+ 	pol = rcu_dereference(sk->sk_policy[dir]);
+ 	if (pol != NULL) {
+-		bool match = xfrm_selector_match(&pol->selector, fl, family);
++		bool match;
+ 		int err = 0;
+ 
++		if (pol->family != family) {
++			pol = NULL;
++			goto out;
++		}
++
++		match = xfrm_selector_match(&pol->selector, fl, family);
+ 		if (match) {
+ 			if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
+ 				pol = NULL;



More information about the arch-commits mailing list