update fix for CVE-2017-7979 to final version
cherry-picked from Ubuntu Zesty's master-next
This commit is contained in:
parent
95cebd4144
commit
7f0f6370be
5 changed files with 186 additions and 102 deletions
|
@ -1,33 +0,0 @@
|
|||
From 45f4251eac81036e2532b16d13f1ad421813eca9 Mon Sep 17 00:00:00 2001
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Thu, 13 Apr 2017 10:13:31 +0200
|
||||
Subject: [Zesty][PATCH 1/2] UBUNTU: SAUCE: net sched actions: fix access to uninitialized data
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
|
||||
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
(cherry-picked from http://marc.info/?l=linux-netdev&m=149200746116365 )
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
---
|
||||
net/sched/act_api.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
|
||||
index 501c42d..32f12f5 100644
|
||||
--- a/net/sched/act_api.c
|
||||
+++ b/net/sched/act_api.c
|
||||
@@ -607,7 +607,7 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
|
||||
if (err < 0)
|
||||
goto err_mod;
|
||||
|
||||
- if (tb[TCA_ACT_COOKIE]) {
|
||||
+ if (name == NULL && tb[TCA_ACT_COOKIE]) {
|
||||
int cklen = nla_len(tb[TCA_ACT_COOKIE]);
|
||||
|
||||
if (cklen > TC_COOKIE_MAX_SIZE) {
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -1,67 +0,0 @@
|
|||
From b3c6f3b25edface1ece9b30aa1fe5d6f9abae098 Mon Sep 17 00:00:00 2001
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Thu, 13 Apr 2017 10:13:32 +0200
|
||||
Subject: [Zesty][PATCH 2/2] UBUNTU: SAUCE: net sched actions: decrement module refcount earlier
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
|
||||
|
||||
Whether the reference count has to be decremented depends
|
||||
on whether the policy was created. If TCA_ACT_COOKIE is
|
||||
passed and an error occurs there, the same condition still
|
||||
has to be honored.
|
||||
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
(cherry-picked from http://marc.info/?l=linux-netdev&m=149200742616349)
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
---
|
||||
net/sched/act_api.c | 17 +++++++++--------
|
||||
1 file changed, 9 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
|
||||
index 32f12f5..07068ca 100644
|
||||
--- a/net/sched/act_api.c
|
||||
+++ b/net/sched/act_api.c
|
||||
@@ -607,28 +607,29 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
|
||||
if (err < 0)
|
||||
goto err_mod;
|
||||
|
||||
+ /* module count goes up only when brand new policy is created
|
||||
+ * if it exists and is only bound to in a_o->init() then
|
||||
+ * ACT_P_CREATED is not returned (a zero is).
|
||||
+ */
|
||||
+ if (err != ACT_P_CREATED)
|
||||
+ module_put(a_o->owner);
|
||||
+
|
||||
if (name == NULL && tb[TCA_ACT_COOKIE]) {
|
||||
int cklen = nla_len(tb[TCA_ACT_COOKIE]);
|
||||
|
||||
if (cklen > TC_COOKIE_MAX_SIZE) {
|
||||
err = -EINVAL;
|
||||
tcf_hash_release(a, bind);
|
||||
- goto err_mod;
|
||||
+ goto err_out;
|
||||
}
|
||||
|
||||
if (nla_memdup_cookie(a, tb) < 0) {
|
||||
err = -ENOMEM;
|
||||
tcf_hash_release(a, bind);
|
||||
- goto err_mod;
|
||||
+ goto err_out;
|
||||
}
|
||||
}
|
||||
|
||||
- /* module count goes up only when brand new policy is created
|
||||
- * if it exists and is only bound to in a_o->init() then
|
||||
- * ACT_P_CREATED is not returned (a zero is).
|
||||
- */
|
||||
- if (err != ACT_P_CREATED)
|
||||
- module_put(a_o->owner);
|
||||
|
||||
return a;
|
||||
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
From e18cf144f49054fa79d43689accdd2766618953d Mon Sep 17 00:00:00 2001
|
||||
From: Wei Yongjun <weiyongjun1@huawei.com>
|
||||
Date: Mon, 24 Apr 2017 16:26:00 +0200
|
||||
Subject: [PATCH 1/2] net_sched: nla_memdup_cookie() can be static
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
|
||||
|
||||
Fixes the following sparse warning:
|
||||
|
||||
net/sched/act_api.c:532:5: warning:
|
||||
symbol 'nla_memdup_cookie' was not declared. Should it be static?
|
||||
|
||||
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
(cherry picked from commit 6f2e3f7d9785dacb358b48b44950182b5c13e4bc)
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
Acked-by: Kamal Mostafa <kamal@canonical.com>
|
||||
Acked-by: Seth Forshee <seth.forshee@canonical.com>
|
||||
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
|
||||
---
|
||||
net/sched/act_api.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
|
||||
index 501c42d..e336f30 100644
|
||||
--- a/net/sched/act_api.c
|
||||
+++ b/net/sched/act_api.c
|
||||
@@ -532,7 +532,7 @@ int tcf_action_dump(struct sk_buff *skb, struct list_head *actions,
|
||||
return err;
|
||||
}
|
||||
|
||||
-int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
|
||||
+static int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
|
||||
{
|
||||
a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
|
||||
if (!a->act_cookie)
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -0,0 +1,142 @@
|
|||
From 3fe083491bf6c688d34c6e300f14d775a5b8a443 Mon Sep 17 00:00:00 2001
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Mon, 24 Apr 2017 16:26:00 +0200
|
||||
Subject: [PATCH 2/2] net sched actions: allocate act cookie early
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
|
||||
|
||||
Policing filters do not use the TCA_ACT_* enum and the tb[]
|
||||
nlattr array in tcf_action_init_1() doesn't get filled for
|
||||
them so we should not try to look for a TCA_ACT_COOKIE
|
||||
attribute in the then uninitialized array.
|
||||
The error handling in cookie allocation then calls
|
||||
tcf_hash_release() leading to invalid memory access later
|
||||
on.
|
||||
Additionally, if cookie allocation fails after an already
|
||||
existing non-policing filter has successfully been changed,
|
||||
tcf_action_release() should not be called, also we would
|
||||
have to roll back the changes in the error handling, so
|
||||
instead we now allocate the cookie early and assign it on
|
||||
success at the end.
|
||||
|
||||
CVE-2017-7979
|
||||
Fixes: 1045ba77a596 ("net sched actions: Add support for user cookies")
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
(cherry picked from commit e0535ce58b92d7baf0b33284a6c4f8f0338f943e)
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
Acked-by: Kamal Mostafa <kamal@canonical.com>
|
||||
Acked-by: Seth Forshee <seth.forshee@canonical.com>
|
||||
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
|
||||
|
||||
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||
---
|
||||
net/sched/act_api.c | 55 +++++++++++++++++++++++++++++++----------------------
|
||||
1 file changed, 32 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
|
||||
index e336f30..bdbc7a9 100644
|
||||
--- a/net/sched/act_api.c
|
||||
+++ b/net/sched/act_api.c
|
||||
@@ -532,20 +532,20 @@ int tcf_action_dump(struct sk_buff *skb, struct list_head *actions,
|
||||
return err;
|
||||
}
|
||||
|
||||
-static int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
|
||||
+static struct tc_cookie *nla_memdup_cookie(struct nlattr **tb)
|
||||
{
|
||||
- a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
|
||||
- if (!a->act_cookie)
|
||||
- return -ENOMEM;
|
||||
+ struct tc_cookie *c = kzalloc(sizeof(*c), GFP_KERNEL);
|
||||
+ if (!c)
|
||||
+ return NULL;
|
||||
|
||||
- a->act_cookie->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
|
||||
- if (!a->act_cookie->data) {
|
||||
- kfree(a->act_cookie);
|
||||
- return -ENOMEM;
|
||||
+ c->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
|
||||
+ if (!c->data) {
|
||||
+ kfree(c);
|
||||
+ return NULL;
|
||||
}
|
||||
- a->act_cookie->len = nla_len(tb[TCA_ACT_COOKIE]);
|
||||
+ c->len = nla_len(tb[TCA_ACT_COOKIE]);
|
||||
|
||||
- return 0;
|
||||
+ return c;
|
||||
}
|
||||
|
||||
struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
|
||||
@@ -554,6 +554,7 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
|
||||
{
|
||||
struct tc_action *a;
|
||||
struct tc_action_ops *a_o;
|
||||
+ struct tc_cookie *cookie = NULL;
|
||||
char act_name[IFNAMSIZ];
|
||||
struct nlattr *tb[TCA_ACT_MAX + 1];
|
||||
struct nlattr *kind;
|
||||
@@ -569,6 +570,18 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
|
||||
goto err_out;
|
||||
if (nla_strlcpy(act_name, kind, IFNAMSIZ) >= IFNAMSIZ)
|
||||
goto err_out;
|
||||
+ if (tb[TCA_ACT_COOKIE]) {
|
||||
+ int cklen = nla_len(tb[TCA_ACT_COOKIE]);
|
||||
+
|
||||
+ if (cklen > TC_COOKIE_MAX_SIZE)
|
||||
+ goto err_out;
|
||||
+
|
||||
+ cookie = nla_memdup_cookie(tb);
|
||||
+ if (!cookie) {
|
||||
+ err = -ENOMEM;
|
||||
+ goto err_out;
|
||||
+ }
|
||||
+ }
|
||||
} else {
|
||||
err = -EINVAL;
|
||||
if (strlcpy(act_name, name, IFNAMSIZ) >= IFNAMSIZ)
|
||||
@@ -607,20 +620,12 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
|
||||
if (err < 0)
|
||||
goto err_mod;
|
||||
|
||||
- if (tb[TCA_ACT_COOKIE]) {
|
||||
- int cklen = nla_len(tb[TCA_ACT_COOKIE]);
|
||||
-
|
||||
- if (cklen > TC_COOKIE_MAX_SIZE) {
|
||||
- err = -EINVAL;
|
||||
- tcf_hash_release(a, bind);
|
||||
- goto err_mod;
|
||||
- }
|
||||
-
|
||||
- if (nla_memdup_cookie(a, tb) < 0) {
|
||||
- err = -ENOMEM;
|
||||
- tcf_hash_release(a, bind);
|
||||
- goto err_mod;
|
||||
+ if (name == NULL && tb[TCA_ACT_COOKIE]) {
|
||||
+ if (a->act_cookie) {
|
||||
+ kfree(a->act_cookie->data);
|
||||
+ kfree(a->act_cookie);
|
||||
}
|
||||
+ a->act_cookie = cookie;
|
||||
}
|
||||
|
||||
/* module count goes up only when brand new policy is created
|
||||
@@ -635,6 +640,10 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
|
||||
err_mod:
|
||||
module_put(a_o->owner);
|
||||
err_out:
|
||||
+ if (cookie) {
|
||||
+ kfree(cookie->data);
|
||||
+ kfree(cookie);
|
||||
+ }
|
||||
return ERR_PTR(err);
|
||||
}
|
||||
|
||||
--
|
||||
2.1.4
|
||||
|
4
Makefile
4
Makefile
|
@ -227,8 +227,8 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNEL_SRC_SUBMODULE} | submodules
|
|||
cd ${KERNEL_SRC}; patch -p1 < ../cgroup-cpuset-add-cpuset.remap_cpus.patch
|
||||
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch
|
||||
cd ${KERNEL_SRC}; patch -p1 < ../openvswitch-Set-internal-device-max-mtu-to-ETH_MAX_M.patch
|
||||
cd ${KERNEL_SRC}; patch -p1 < ../0001-net-sched-actions-fix-access-to-uninitialized-data.patch
|
||||
cd ${KERNEL_SRC}; patch -p1 < ../0002-net-sched-actions-decrement-module-refcount-earlier.patch
|
||||
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
|
||||
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch
|
||||
sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
|
||||
touch $@
|
||||
|
||||
|
|
Loading…
Reference in a new issue