diff options
author | alegru | 2022-07-11 10:19:44 +0200 |
---|---|---|
committer | alegru | 2022-07-11 10:20:26 +0200 |
commit | 4ff03391c4dd17d91b7ff09e14c23ece57395184 (patch) | |
tree | 2a00064402d928d979e3bf6020d294dca651f0a9 | |
parent | e972260d6c57520f0516332b60999fe10c3d6eeb (diff) | |
download | aur-4ff03391c4dd17d91b7ff09e14c23ece57395184.tar.gz |
Update to 5.15.53-1
-rw-r--r-- | .SRCINFO | 14 | ||||
-rw-r--r-- | 0100-netfilter-nf_tables-stricter-validation-of-element-data.diff | 44 | ||||
-rw-r--r-- | 0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff | 123 | ||||
-rw-r--r-- | PKGBUILD | 14 | ||||
-rw-r--r-- | config | 2 |
5 files changed, 188 insertions, 9 deletions
@@ -1,6 +1,6 @@ pkgbase = linux-vfio-lts pkgdesc = LTS Linux VFIO - pkgver = 5.15.52 + pkgver = 5.15.53 pkgrel = 1 url = https://www.kernel.org/ arch = x86_64 @@ -19,8 +19,8 @@ pkgbase = linux-vfio-lts makedepends = imagemagick makedepends = texlive-latexextra options = !strip - source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.52.tar.xz - source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.52.tar.sign + source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.53.tar.xz + source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.53.tar.sign source = config source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch source = 0002-PCI_Add_more_NVIDIA_controllers_to_the_MSI_masking_quirk.patch @@ -28,19 +28,23 @@ pkgbase = linux-vfio-lts source = 0004-Bluetooth_btintel_Fix_bdaddress_comparison_with_garbage_value.patch source = 0005-lg-laptop_Recognize_more_models.patch source = 0006_fix_NFSv4_mount_regression.diff + source = 0100-netfilter-nf_tables-stricter-validation-of-element-data.diff + source = 0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff source = add-acs-overrides.patch source = i915-vga-arbiter.patch validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E - sha256sums = f4680a5da9f25a908ead5956935e7c05124d5f37f6e75a1e07d58641d7ab6d05 + sha256sums = f3aa717243051f3fcca90ebfe26fe5c3a596c2f6047846e8d1724ea90df77b07 sha256sums = SKIP - sha256sums = 522a85c0853ecb070f58d969ea1c65982f945d5a7d7748702116a551573aa6d9 + sha256sums = 0e605ccfafa347522c5960289aaaabe368aef98b47bc0b76baadab7ca28e833c sha256sums = 99df282c594cc269d9a5d19bb86ea887892d3654cfc53c4ce94a644cf3278423 sha256sums = c35018601f04ae81e0a2018a8597595db6ae053158c206845399cdebb2d2b706 sha256sums = 7c7707c738983f3683d76295b496f578996b7341fa39ad334ec2833bfe4b966e sha256sums = 3fa8a4af66d5a3b99b48ca979a247c61e81c9b2d3bcdffa9d3895a5532a420b4 sha256sums = 79266c6cc970733fd35881d9a8f0a74c25c00b4d81741b8d4bba6827c48f7c78 sha256sums = e9527ad81d5b1821a7b17c56cb3abaec85785563f51e448cb3c06f1c68e2966f + sha256sums = b2e03d795a67843b9898367eaf3f2b855487d7e7cbe87b43a0df22b2fb36477c + sha256sums = 08cae506648665a0a2990a690d951dd4432b6eea4ca295dbfc0a836ee63671ea sha256sums = b90be7b79652be61f7d50691000f6a8c75a240dc2eee2667b68d984f67583f77 sha256sums = 856230cfbdc2bb53a4920dfbcb6fb2d58427b7b184e5f94e21f08011d0a2fcc6 diff --git a/0100-netfilter-nf_tables-stricter-validation-of-element-data.diff b/0100-netfilter-nf_tables-stricter-validation-of-element-data.diff new file mode 100644 index 000000000000..385b9cf9634c --- /dev/null +++ b/0100-netfilter-nf_tables-stricter-validation-of-element-data.diff @@ -0,0 +1,44 @@ +From 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Sat, 2 Jul 2022 04:16:30 +0200 +Subject: netfilter: nf_tables: stricter validation of element data + +From: Pablo Neira Ayuso <pablo@netfilter.org> + +commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 upstream. + +Make sure element data type and length do not mismatch the one specified +by the set declaration. + +Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data") +Reported-by: Hugues ANGUELKOV <hanguelkov@randorisec.fr> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/netfilter/nf_tables_api.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5118,13 +5118,20 @@ static int nft_setelem_parse_data(struct + struct nft_data *data, + struct nlattr *attr) + { ++ u32 dtype; + int err; + + err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr); + if (err < 0) + return err; + +- if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) { ++ if (set->dtype == NFT_DATA_VERDICT) ++ dtype = NFT_DATA_VERDICT; ++ else ++ dtype = NFT_DATA_VALUE; ++ ++ if (dtype != desc->type || ++ set->dlen != desc->len) { + nft_data_release(data, desc->type); + return -EINVAL; + } diff --git a/0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff b/0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff new file mode 100644 index 000000000000..e19d1daae73c --- /dev/null +++ b/0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff @@ -0,0 +1,123 @@ +From 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Sat, 2 Jul 2022 04:16:31 +0200 +Subject: netfilter: nft_set_pipapo: release elements in clone from abort path + +From: Pablo Neira Ayuso <pablo@netfilter.org> + +commit 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e upstream. + +New elements that reside in the clone are not released in case that the +transaction is aborted. + +[16302.231754] ------------[ cut here ]------------ +[16302.231756] WARNING: CPU: 0 PID: 100509 at net/netfilter/nf_tables_api.c:1864 nf_tables_chain_destroy+0x26/0x127 [nf_tables] +[...] +[16302.231882] CPU: 0 PID: 100509 Comm: nft Tainted: G W 5.19.0-rc3+ #155 +[...] +[16302.231887] RIP: 0010:nf_tables_chain_destroy+0x26/0x127 [nf_tables] +[16302.231899] Code: f3 fe ff ff 41 55 41 54 55 53 48 8b 6f 10 48 89 fb 48 c7 c7 82 96 d9 a0 8b 55 50 48 8b 75 58 e8 de f5 92 e0 83 7d 50 00 74 09 <0f> 0b 5b 5d 41 5c 41 5d c3 4c 8b 65 00 48 8b 7d 08 49 39 fc 74 05 +[...] +[16302.231917] Call Trace: +[16302.231919] <TASK> +[16302.231921] __nf_tables_abort.cold+0x23/0x28 [nf_tables] +[16302.231934] nf_tables_abort+0x30/0x50 [nf_tables] +[16302.231946] nfnetlink_rcv_batch+0x41a/0x840 [nfnetlink] +[16302.231952] ? __nla_validate_parse+0x48/0x190 +[16302.231959] nfnetlink_rcv+0x110/0x129 [nfnetlink] +[16302.231963] netlink_unicast+0x211/0x340 +[16302.231969] netlink_sendmsg+0x21e/0x460 + +Add nft_set_pipapo_match_destroy() helper function to release the +elements in the lookup tables. + +Stefano Brivio says: "We additionally look for elements pointers in the +cloned matching data if priv->dirty is set, because that means that +cloned data might point to additional elements we did not commit to the +working copy yet (such as the abort path case, but perhaps not limited +to it)." + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reviewed-by: Stefano Brivio <sbrivio@redhat.com> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/netfilter/nft_set_pipapo.c | 48 ++++++++++++++++++++++++++++------------- + 1 file changed, 33 insertions(+), 15 deletions(-) + +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -2125,6 +2125,32 @@ out_scratch: + } + + /** ++ * nft_set_pipapo_match_destroy() - Destroy elements from key mapping array ++ * @set: nftables API set representation ++ * @m: matching data pointing to key mapping array ++ */ ++static void nft_set_pipapo_match_destroy(const struct nft_set *set, ++ struct nft_pipapo_match *m) ++{ ++ struct nft_pipapo_field *f; ++ int i, r; ++ ++ for (i = 0, f = m->f; i < m->field_count - 1; i++, f++) ++ ; ++ ++ for (r = 0; r < f->rules; r++) { ++ struct nft_pipapo_elem *e; ++ ++ if (r < f->rules - 1 && f->mt[r + 1].e == f->mt[r].e) ++ continue; ++ ++ e = f->mt[r].e; ++ ++ nft_set_elem_destroy(set, e, true); ++ } ++} ++ ++/** + * nft_pipapo_destroy() - Free private data for set and all committed elements + * @set: nftables API set representation + */ +@@ -2132,26 +2158,13 @@ static void nft_pipapo_destroy(const str + { + struct nft_pipapo *priv = nft_set_priv(set); + struct nft_pipapo_match *m; +- struct nft_pipapo_field *f; +- int i, r, cpu; ++ int cpu; + + m = rcu_dereference_protected(priv->match, true); + if (m) { + rcu_barrier(); + +- for (i = 0, f = m->f; i < m->field_count - 1; i++, f++) +- ; +- +- for (r = 0; r < f->rules; r++) { +- struct nft_pipapo_elem *e; +- +- if (r < f->rules - 1 && f->mt[r + 1].e == f->mt[r].e) +- continue; +- +- e = f->mt[r].e; +- +- nft_set_elem_destroy(set, e, true); +- } ++ nft_set_pipapo_match_destroy(set, m); + + #ifdef NFT_PIPAPO_ALIGN + free_percpu(m->scratch_aligned); +@@ -2165,6 +2178,11 @@ static void nft_pipapo_destroy(const str + } + + if (priv->clone) { ++ m = priv->clone; ++ ++ if (priv->dirty) ++ nft_set_pipapo_match_destroy(set, m); ++ + #ifdef NFT_PIPAPO_ALIGN + free_percpu(priv->clone->scratch_aligned); + #endif @@ -1,7 +1,7 @@ # Maintainer: Andreas Radke <andyrtr@archlinux.org> pkgbase=linux-vfio-lts -pkgver=5.15.52 +pkgver=5.15.53 pkgrel=1 pkgdesc='LTS Linux VFIO' url="https://www.kernel.org/" @@ -22,6 +22,8 @@ source=( 0004-Bluetooth_btintel_Fix_bdaddress_comparison_with_garbage_value.patch 0005-lg-laptop_Recognize_more_models.patch 0006_fix_NFSv4_mount_regression.diff + 0100-netfilter-nf_tables-stricter-validation-of-element-data.diff + 0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff add-acs-overrides.patch i915-vga-arbiter.patch ) @@ -30,15 +32,17 @@ validpgpkeys=( '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) # https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc -sha256sums=('f4680a5da9f25a908ead5956935e7c05124d5f37f6e75a1e07d58641d7ab6d05' +sha256sums=('f3aa717243051f3fcca90ebfe26fe5c3a596c2f6047846e8d1724ea90df77b07' 'SKIP' - '522a85c0853ecb070f58d969ea1c65982f945d5a7d7748702116a551573aa6d9' + '0e605ccfafa347522c5960289aaaabe368aef98b47bc0b76baadab7ca28e833c' '99df282c594cc269d9a5d19bb86ea887892d3654cfc53c4ce94a644cf3278423' 'c35018601f04ae81e0a2018a8597595db6ae053158c206845399cdebb2d2b706' '7c7707c738983f3683d76295b496f578996b7341fa39ad334ec2833bfe4b966e' '3fa8a4af66d5a3b99b48ca979a247c61e81c9b2d3bcdffa9d3895a5532a420b4' '79266c6cc970733fd35881d9a8f0a74c25c00b4d81741b8d4bba6827c48f7c78' 'e9527ad81d5b1821a7b17c56cb3abaec85785563f51e448cb3c06f1c68e2966f' + 'b2e03d795a67843b9898367eaf3f2b855487d7e7cbe87b43a0df22b2fb36477c' + '08cae506648665a0a2990a690d951dd4432b6eea4ca295dbfc0a836ee63671ea' 'b90be7b79652be61f7d50691000f6a8c75a240dc2eee2667b68d984f67583f77' '856230cfbdc2bb53a4920dfbcb6fb2d58427b7b184e5f94e21f08011d0a2fcc6') @@ -53,6 +57,10 @@ prepare() { # https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/patch/?id=6f2836341d8a39e1e000572b10959347d7e61fd9 patch -Rp1 -i ../0006_fix_NFSv4_mount_regression.diff + # FS#75226 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918 + patch -Np1 -i ../0100-netfilter-nf_tables-stricter-validation-of-element-data.diff + patch -Np1 -i ../0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff + echo "Setting version..." scripts/setlocalversion --save-scmversion echo "-$pkgrel" > localversion.10-pkgrel @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.15.52 Kernel Configuration +# Linux/x86 5.15.53 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.1.0" CONFIG_CC_IS_GCC=y |