[arch-commits] Commit in linux-hardened/trunk (5 files)
Levente Polyak
anthraxx at archlinux.org
Wed Jan 3 19:37:04 UTC 2018
Date: Wednesday, January 3, 2018 @ 19:37:03
Author: anthraxx
Revision: 278365
upgpkg: linux-hardened 4.14.11.a-1 (enable PTI)
- drop patches added in upstream 4.11 release
- add AMD patch for PTI
Added:
linux-hardened/trunk/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
Modified:
linux-hardened/trunk/PKGBUILD
linux-hardened/trunk/config.x86_64
Deleted:
linux-hardened/trunk/CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
linux-hardened/trunk/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
-----------------------------------------------------------------------+
CVE-2017-17449-netlink-Add-netns-check-on-taps.patch | 43 -----
CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch | 74 ----------
PKGBUILD | 19 +-
config.x86_64 | 3
x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch | 15 ++
5 files changed, 26 insertions(+), 128 deletions(-)
Deleted: CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
===================================================================
--- CVE-2017-17449-netlink-Add-netns-check-on-taps.patch 2018-01-03 19:32:54 UTC (rev 278364)
+++ CVE-2017-17449-netlink-Add-netns-check-on-taps.patch 2018-01-03 19:37:03 UTC (rev 278365)
@@ -1,43 +0,0 @@
-From 93c647643b48f0131f02e45da3bd367d80443291 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee at chromium.org>
-Date: Wed, 6 Dec 2017 12:12:27 -0800
-Subject: [PATCH] netlink: Add netns check on taps
-
-Currently, a nlmon link inside a child namespace can observe systemwide
-netlink activity. Filter the traffic so that nlmon can only sniff
-netlink messages from its own netns.
-
-Test case:
-
- vpnns -- bash -c "ip link add nlmon0 type nlmon; \
- ip link set nlmon0 up; \
- tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
- sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
- spi 0x1 mode transport \
- auth sha1 0x6162633132330000000000000000000000000000 \
- enc aes 0x00000000000000000000000000000000
- grep --binary abc123 /tmp/nlmon.pcap
-
-Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/netlink/af_netlink.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index b9e0ee4e22f5..79cc1bf36e4a 100644
---- a/net/netlink/af_netlink.c
-+++ b/net/netlink/af_netlink.c
-@@ -253,6 +253,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
- struct sock *sk = skb->sk;
- int ret = -ENOMEM;
-
-+ if (!net_eq(dev_net(dev), sock_net(sk)))
-+ return 0;
-+
- dev_hold(dev);
-
- if (is_vmalloc_addr(skb->head))
---
-2.15.1
-
Deleted: CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
===================================================================
--- CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch 2018-01-03 19:32:54 UTC (rev 278364)
+++ CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch 2018-01-03 19:37:03 UTC (rev 278365)
@@ -1,74 +0,0 @@
-From 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 Mon Sep 17 00:00:00 2001
-From: Mohamed Ghannam <simo.ghannam at gmail.com>
-Date: Sun, 10 Dec 2017 03:50:58 +0000
-Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
-
-inet->hdrincl is racy, and could lead to uninitialized stack pointer
-usage, so its value should be read only once.
-
-Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
-Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
-Reviewed-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv4/raw.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index 33b70bfd1122..125c1eab3eaa 100644
---- a/net/ipv4/raw.c
-+++ b/net/ipv4/raw.c
-@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- int err;
- struct ip_options_data opt_copy;
- struct raw_frag_vec rfv;
-+ int hdrincl;
-
- err = -EMSGSIZE;
- if (len > 0xFFFF)
- goto out;
-
-+ /* hdrincl should be READ_ONCE(inet->hdrincl)
-+ * but READ_ONCE() doesn't work with bit fields
-+ */
-+ hdrincl = inet->hdrincl;
- /*
- * Check the flags.
- */
-@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- /* Linux does not mangle headers on raw sockets,
- * so that IP options + IP_HDRINCL is non-sense.
- */
-- if (inet->hdrincl)
-+ if (hdrincl)
- goto done;
- if (ipc.opt->opt.srr) {
- if (!daddr)
-@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
-
- flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
- RT_SCOPE_UNIVERSE,
-- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
-+ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
- inet_sk_flowi_flags(sk) |
-- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
-+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
- daddr, saddr, 0, 0, sk->sk_uid);
-
-- if (!inet->hdrincl) {
-+ if (!hdrincl) {
- rfv.msg = msg;
- rfv.hlen = 0;
-
-@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- goto do_confirm;
- back_from_confirm:
-
-- if (inet->hdrincl)
-+ if (hdrincl)
- err = raw_send_hdrinc(sk, &fl4, msg, len,
- &rt, msg->msg_flags, &ipc.sockc);
-
---
-2.15.1
-
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2018-01-03 19:32:54 UTC (rev 278364)
+++ PKGBUILD 2018-01-03 19:37:03 UTC (rev 278365)
@@ -5,7 +5,7 @@
pkgbase=linux-hardened
_srcname=linux-4.14
-_pkgver=4.14.10
+_pkgver=4.14.11
pkgver=${_pkgver}.a
pkgrel=1
url='https://github.com/copperhead/linux-hardened'
@@ -31,21 +31,21 @@
# https://bugs.archlinux.org/task/56846
cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+
CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
- CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
)
replaces=('linux-grsec')
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'SKIP'
- '16f560aa713b46c707f04a226f67dc31fdd280aae57dd19e0413d61df5336c74'
+ 'f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9'
'SKIP'
- '24279be4a0e809c77255183eaa5f077ba457b17e057bd662631d5b9efd46588a'
+ '7bf093ee625cf97560bb57b01fc7ddb1bfb705377cc6b68994911cceb23126d5'
'SKIP'
- '2f6a205a228fceb1d25dd673ba9d7352f97285f36eb6ecf2ad43a8e4dca3049a'
+ '1dd1c470a8df028cf9c9db13e64263bdcff47f890d629ed9c81321fab7a57a05'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
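Review bot: The new `x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch` entry in the source array carries no comment saying where it comes from, while the entry just above it cites its bug-tracker link; since this patch changes which CPUs receive the PTI mitigation, a maintainer should be able to trace it to its upstream origin. Add `# x86/cpu, x86/pti: Do not enable PTI on AMD processors (upstream commit <UPSTREAM_COMMIT_ID>)` above the entry, with the placeholder replaced by the real id. The extra blank line added right after the entry inside the array is harmless but looks accidental. The source array begins before this hunk.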
@@ -53,11 +53,10 @@
'f7c86f7aa4c7d671a5ff80bcd92a33db2fa6e95b78188261db0ef260a7d75cd8'
'294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45'
'721c387db986d883a6df6b0da17941ce6d59811b0647ae6653b978c5ee144f19'
+ '086f6ab16a6894db5444007d195f779322f3a5792e7ca0e91a61d4e633ad8f26'
'6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9'
'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5'
- '830ef08edbf98153ff13a573270cb714605582ef19fb0c3e6eadb8876edd247f'
'72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435'
- '0ee6eae96743dca76dc018c354dd82e820fba0cb310618131e178684d85fd8c9'
'ee125179fdd295266aba52e1aebaef97cb41f4a05d9cd1c2b11b4ce83746e197')
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -71,7 +70,7 @@
# add upstream patch
msg2 "Applying upstream patch"
- patch -Np1 -i ../patch-${_pkgver}
+ patch -Np1 < ../patch-${_pkgver}
# XXX: GNU patch doesn't support git-style file mode
chmod +x tools/objtool/sync-check.sh
@@ -88,7 +87,7 @@
# linux hardened patch
msg2 "Applying hardened patch"
- patch -Np1 -i ../${pkgbase}-${pkgver}.patch
+ patch -Np1 < ../${pkgbase}-${pkgver}.patch
# add latest fixes from stable queue, if needed
# http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
Modified: config.x86_64
===================================================================
--- config.x86_64 2018-01-03 19:32:54 UTC (rev 278364)
+++ config.x86_64 2018-01-03 19:37:03 UTC (rev 278365)
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.10 Kernel Configuration
+# Linux/x86 4.14.11 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -8099,6 +8099,7 @@
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
+CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SECURITY_INFINIBAND=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
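Review bot: `CONFIG_PAGE_TABLE_ISOLATION=y` appears to have been inserted by hand between the CONFIG_SECURITY_* lines of a file whose header says it is generated; regenerating with `make olddefconfig` would confirm that the symbol is placed where Kconfig emits it and that anything it depends on or selects is present. Note also that enabling the option at build time presumably does not by itself decide whether PTI is active at runtime — the AMD patch added in this same commit makes the forcing of `X86_BUG_CPU_INSECURE` vendor-conditional — so the effective mitigation is best confirmed after boot on both AMD and non-AMD hosts (the boot log or the `pti` entry in /proc/cpuinfo, if this kernel reports it) rather than inferred from the config alone.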
Added: x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
===================================================================
--- x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch (rev 0)
+++ x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch 2018-01-03 19:37:03 UTC (rev 278365)
@@ -0,0 +1,15 @@
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index c47de4e..7d9e3b0 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+
+ setup_force_cpu_cap(X86_FEATURE_ALWAYS);
+
+- /* Assume for now that ALL x86 CPUs are insecure */
+- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
++ if (c->x86_vendor != X86_VENDOR_AMD)
++ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+
+ fpu__init_system(c);
+
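Review bot: The added patch has no provenance header — no `From:`, `Subject:` or `Signed-off-by:` lines and no upstream commit id — unlike the `git format-patch` files removed in this same commit, so a reader cannot tell whether it matches what went upstream or was hand-edited; add a header with `Subject: x86/cpu, x86/pti: Do not enable PTI on AMD processors` and `<UPSTREAM_COMMIT_ID>` (placeholder) so the origin can be checked. The hunk also drops the `/* Assume for now that ALL x86 CPUs are insecure */` comment without replacing it, so the new `if (c->x86_vendor != X86_VENDOR_AMD)` check carries no explanation of why AMD is exempted from `X86_BUG_CPU_INSECURE`; restore a one-line comment stating the rationale, which this page does not give. Exempting a vendor from the bug flag leaves those CPUs without the PTI mitigation, which is worth saying explicitly in the commit message as well. early_identify_cpu continues outside the hunk.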