update fix for CVE-2017-7979 to final version
cherry-picked from Ubuntu Zesty's master-next
parent
95cebd4144
commit
7f0f6370be
5 changed files with 186 additions and 102 deletions
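--- a/0001-net-sched-actions-fix-access-to-uninitialized-data.patch
+++ b/0001-net-sched-actions-fix-access-to-uninitialized-data.patch
@@ -1,33 +0,0 @@
-From 45f4251eac81036e2532b16d13f1ad421813eca9 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Thu, 13 Apr 2017 10:13:31 +0200
-Subject: [Zesty][PATCH 1/2] UBUNTU: SAUCE: net sched actions: fix access to uninitialized data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-(cherry-picked from http://marc.info/?l=linux-netdev&m=149200746116365 )
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
-net/sched/act_api.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/sched/act_api.c b/net/sched/act_api.c
-index 501c42d..32f12f5 100644
---- a/net/sched/act_api.c
-+++ b/net/sched/act_api.c
-@@ -607,7 +607,7 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
-if (err < 0)
-goto err_mod;
-
-- if (tb[TCA_ACT_COOKIE]) {
-+ if (name == NULL && tb[TCA_ACT_COOKIE]) {
-int cklen = nla_len(tb[TCA_ACT_COOKIE]);
-
-if (cklen > TC_COOKIE_MAX_SIZE) {
---
-2.1.4
-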
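--- a/0002-net-sched-actions-decrement-module-refcount-earlier.patch
+++ b/0002-net-sched-actions-decrement-module-refcount-earlier.patch
@@ -1,67 +0,0 @@
-From b3c6f3b25edface1ece9b30aa1fe5d6f9abae098 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Thu, 13 Apr 2017 10:13:32 +0200
-Subject: [Zesty][PATCH 2/2] UBUNTU: SAUCE: net sched actions: decrement module refcount earlier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
-
-Whether the reference count has to be decremented depends
-on whether the policy was created. If TCA_ACT_COOKIE is
-passed and an error occurs there, the same condition still
-has to be honored.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-(cherry-picked from http://marc.info/?l=linux-netdev&m=149200742616349)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
-net/sched/act_api.c | 17 +++++++++--------
-1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/net/sched/act_api.c b/net/sched/act_api.c
-index 32f12f5..07068ca 100644
---- a/net/sched/act_api.c
-+++ b/net/sched/act_api.c
-@@ -607,28 +607,29 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
-if (err < 0)
-goto err_mod;
-
-+ /* module count goes up only when brand new policy is created
-+ * if it exists and is only bound to in a_o->init() then
-+ * ACT_P_CREATED is not returned (a zero is).
-+ */
-+ if (err != ACT_P_CREATED)
-+ module_put(a_o->owner);
-+
-if (name == NULL && tb[TCA_ACT_COOKIE]) {
-int cklen = nla_len(tb[TCA_ACT_COOKIE]);
-
-if (cklen > TC_COOKIE_MAX_SIZE) {
-err = -EINVAL;
-tcf_hash_release(a, bind);
-- goto err_mod;
-+ goto err_out;
-}
-
-if (nla_memdup_cookie(a, tb) < 0) {
-err = -ENOMEM;
-tcf_hash_release(a, bind);
-- goto err_mod;
-+ goto err_out;
-}
-}
-
-- /* module count goes up only when brand new policy is created
-- * if it exists and is only bound to in a_o->init() then
-- * ACT_P_CREATED is not returned (a zero is).
-- */
-- if (err != ACT_P_CREATED)
-- module_put(a_o->owner);
-
-return a;
-
---
-2.1.4
-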
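--- a/CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
+++ b/CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
@@ -0,0 +1,42 @@
+From e18cf144f49054fa79d43689accdd2766618953d Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Mon, 24 Apr 2017 16:26:00 +0200
+Subject: [PATCH 1/2] net_sched: nla_memdup_cookie() can be static
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
+
+Fixes the following sparse warning:
+
+net/sched/act_api.c:532:5: warning:
+symbol 'nla_memdup_cookie' was not declared. Should it be static?
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit 6f2e3f7d9785dacb358b48b44950182b5c13e4bc)
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Acked-by: Kamal Mostafa <kamal@canonical.com>
+Acked-by: Seth Forshee <seth.forshee@canonical.com>
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+---
+net/sched/act_api.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index 501c42d..e336f30 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -532,7 +532,7 @@ int tcf_action_dump(struct sk_buff *skb, struct list_head *actions,
+return err;
+}
+
+-int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
++static int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
+{
+a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
+if (!a->act_cookie)
+--
+2.1.4
+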
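--- a/CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch
+++ b/CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch
@@ -0,0 +1,142 @@
+From 3fe083491bf6c688d34c6e300f14d775a5b8a443 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Mon, 24 Apr 2017 16:26:00 +0200
+Subject: [PATCH 2/2] net sched actions: allocate act cookie early
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
+
+Policing filters do not use the TCA_ACT_* enum and the tb[]
+nlattr array in tcf_action_init_1() doesn't get filled for
+them so we should not try to look for a TCA_ACT_COOKIE
+attribute in the then uninitialized array.
+The error handling in cookie allocation then calls
+tcf_hash_release() leading to invalid memory access later
+on.
+Additionally, if cookie allocation fails after an already
+existing non-policing filter has successfully been changed,
+tcf_action_release() should not be called, also we would
+have to roll back the changes in the error handling, so
+instead we now allocate the cookie early and assign it on
+success at the end.
+
+CVE-2017-7979
+Fixes: 1045ba77a596 ("net sched actions: Add support for user cookies")
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit e0535ce58b92d7baf0b33284a6c4f8f0338f943e)
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Acked-by: Kamal Mostafa <kamal@canonical.com>
+Acked-by: Seth Forshee <seth.forshee@canonical.com>
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+net/sched/act_api.c | 55 +++++++++++++++++++++++++++++++----------------------
+1 file changed, 32 insertions(+), 23 deletions(-)
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index e336f30..bdbc7a9 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -532,20 +532,20 @@ int tcf_action_dump(struct sk_buff *skb, struct list_head *actions,
+return err;
+}
+
+-static int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
++static struct tc_cookie *nla_memdup_cookie(struct nlattr **tb)
+{
+- a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
+- if (!a->act_cookie)
+- return -ENOMEM;
++ struct tc_cookie *c = kzalloc(sizeof(*c), GFP_KERNEL);
++ if (!c)
++ return NULL;
+
+- a->act_cookie->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
+- if (!a->act_cookie->data) {
+- kfree(a->act_cookie);
+- return -ENOMEM;
++ c->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
++ if (!c->data) {
++ kfree(c);
++ return NULL;
+}
+- a->act_cookie->len = nla_len(tb[TCA_ACT_COOKIE]);
++ c->len = nla_len(tb[TCA_ACT_COOKIE]);
+
+- return 0;
++ return c;
+}
+
+struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+@@ -554,6 +554,7 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+{
+struct tc_action *a;
+struct tc_action_ops *a_o;
++ struct tc_cookie *cookie = NULL;
+char act_name[IFNAMSIZ];
+struct nlattr *tb[TCA_ACT_MAX + 1];
+struct nlattr *kind;
+@@ -569,6 +570,18 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+goto err_out;
+if (nla_strlcpy(act_name, kind, IFNAMSIZ) >= IFNAMSIZ)
+goto err_out;
++ if (tb[TCA_ACT_COOKIE]) {
++ int cklen = nla_len(tb[TCA_ACT_COOKIE]);
++
++ if (cklen > TC_COOKIE_MAX_SIZE)
++ goto err_out;
++
++ cookie = nla_memdup_cookie(tb);
++ if (!cookie) {
++ err = -ENOMEM;
++ goto err_out;
++ }
++ }
+} else {
+err = -EINVAL;
+if (strlcpy(act_name, name, IFNAMSIZ) >= IFNAMSIZ)
+@@ -607,20 +620,12 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+if (err < 0)
+goto err_mod;
+
+- if (tb[TCA_ACT_COOKIE]) {
+- int cklen = nla_len(tb[TCA_ACT_COOKIE]);
+-
+- if (cklen > TC_COOKIE_MAX_SIZE) {
+- err = -EINVAL;
+- tcf_hash_release(a, bind);
+- goto err_mod;
+- }
+-
+- if (nla_memdup_cookie(a, tb) < 0) {
+- err = -ENOMEM;
+- tcf_hash_release(a, bind);
+- goto err_mod;
++ if (name == NULL && tb[TCA_ACT_COOKIE]) {
++ if (a->act_cookie) {
++ kfree(a->act_cookie->data);
++ kfree(a->act_cookie);
+}
++ a->act_cookie = cookie;
+}
+
+/* module count goes up only when brand new policy is created
+@@ -635,6 +640,10 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+err_mod:
+module_put(a_o->owner);
+err_out:
++ if (cookie) {
++ kfree(cookie->data);
++ kfree(cookie);
++ }
+return ERR_PTR(err);
+}
+
+--
+2.1.4
+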
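Review bot: In the `@@ -607,20 +620,12 @@` hunk of the embedded act_api.c patch, the assignment is still gated on `name == NULL && tb[TCA_ACT_COOKIE]`, which reads the tb[] array that the commit message says is not filled for policing filters; it is safe only because `name == NULL` short-circuits first. Since `cookie` is non-NULL exactly when the earlier `name == NULL` branch found and duplicated the attribute, `if (cookie) {` states the same condition without touching tb[] again. After `a->act_cookie = cookie;` the local still points at memory now owned by the action, so a comment such as `/* ownership moves to a; nothing after this may jump to err_out */` (or a plain `cookie = NULL;`) would protect against a double free if an error path is added later. The previous cookie is freed in place on replace; whether any reader can still hold `a->act_cookie` at that moment is not visible in these hunks and is worth confirming. tcf_action_init_1() begins and ends outside the hunks shown.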
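--- a/Makefile
+++ b/Makefile
@@ -227,8 +227,8 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNEL_SRC_SUBMODULE} | submodules
 cd ${KERNEL_SRC}; patch -p1 < ../cgroup-cpuset-add-cpuset.remap_cpus.patch
 cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch
 cd ${KERNEL_SRC}; patch -p1 < ../openvswitch-Set-internal-device-max-mtu-to-ETH_MAX_M.patch
-cd ${KERNEL_SRC}; patch -p1 < ../0001-net-sched-actions-fix-access-to-uninitialized-data.patch
-cd ${KERNEL_SRC}; patch -p1 < ../0002-net-sched-actions-decrement-module-refcount-earlier.patch
+cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
+cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch
 sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
 touch $@
 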