summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorgraysky2018-01-05 15:32:20 -0500
committergraysky2018-01-05 15:32:20 -0500
commita807f264d1ca65a552bbd967fe85a729afaa4a51 (patch)
tree55830ed78bf1ff52341d9e8ae10505fa4682c079
parent2315c7af563002ed2792e6cf9327529002226581 (diff)
downloadaur-a807f264d1ca65a552bbd967fe85a729afaa4a51.tar.gz
Update to 4.14.12-1
-rw-r--r--.SRCINFO24
-rw-r--r--0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch74
-rw-r--r--0004-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch (renamed from 0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch)0
-rw-r--r--0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch49
-rw-r--r--0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch42
-rw-r--r--PKGBUILD23
6 files changed, 14 insertions, 198 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 84bb9694588..409119cd001 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
# Generated by mksrcinfo v8
-# Fri Jan 5 20:17:22 UTC 2018
+# Fri Jan 5 20:32:20 UTC 2018
pkgbase = linux-ck
- pkgver = 4.14.11
+ pkgver = 4.14.12
pkgrel = 1
url = https://wiki.archlinux.org/index.php/Linux-ck
arch = x86_64
@@ -13,8 +13,8 @@ pkgbase = linux-ck
options = !strip
source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.xz
source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.sign
- source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.11.xz
- source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.11.sign
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.12.xz
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.12.sign
source = config
source = 60-linux.hook
source = 90-linux.hook
@@ -29,13 +29,10 @@ pkgbase = linux-ck
source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
source = 0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
source = 0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
- source = 0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
- source = 0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
- source = 0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
- source = 0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+ source = 0004-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7
sha256sums = SKIP
- sha256sums = f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9
+ sha256sums = da5d8db44b0988e4c45346899d3f5a51f8bd6c25f14e729615ca9ff9f17bdefd
sha256sums = SKIP
sha256sums = 67030bc59cfe1c2d57a1284905e61a03b9aaa1516e1831dd3b74528ff7999ca3
sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
@@ -51,10 +48,7 @@ pkgbase = linux-ck
sha256sums = 06bc1d8b1cd153c3146a4376d833f5769b980e5ef5eae99ddaaeb48bf514dae2
sha256sums = b90bef87574f30ec66c0f10d089bea56a9e974b6d052fee3071b1ff21360724b
sha256sums = f38531dee9fd8a59202ce96ac5b40446f1f035b89788ea9ecb2fb3909f703a25
- sha256sums = 705d5fbfce00ccc20490bdfb5853d67d86ac00c845de6ecb13e414214b48daeb
- sha256sums = 0a249248534a17f14fab7e14994811ae81fe324668a82ff41f3bcabeeae1460f
sha256sums = 8e1b303957ddd829c0c9ad7c012cd32f2354ff3c8c1b85da3d7f8a54524f3711
- sha256sums = 914a0a019545ad7d14ed8d5c58d417eb0a8ec12a756beec79a545aabda343b31
pkgname = linux-ck
pkgdesc = The Linux-ck kernel and modules with the ck1 patchset featuring MuQSS CPU scheduler v0.162
@@ -64,12 +58,12 @@ pkgname = linux-ck
depends = kmod
depends = mkinitcpio>=0.7
optdepends = crda: to set the correct wireless channels of your country
- provides = linux-ck=4.14.11
+ provides = linux-ck=4.14.12
backup = etc/mkinitcpio.d/linux-ck.preset
pkgname = linux-ck-headers
pkgdesc = Header files and scripts for building modules for Linux-ck kernel
depends = linux-ck
- provides = linux-ck-headers=4.14.11
- provides = linux-headers=4.14.11
+ provides = linux-ck-headers=4.14.12
+ provides = linux-headers=4.14.12
diff --git a/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch b/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
deleted file mode 100644
index 4dca618a8c0..00000000000
--- a/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From d03c0ef520f40c6de691c37e0f168c87b3423015 Mon Sep 17 00:00:00 2001
-Message-Id: <d03c0ef520f40c6de691c37e0f168c87b3423015.1514959852.git.jan.steffens@gmail.com>
-In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
-References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
-From: Steffen Klassert <steffen.klassert@secunet.com>
-Date: Wed, 15 Nov 2017 06:40:57 +0100
-Subject: [PATCH 4/7] Revert "xfrm: Fix stack-out-of-bounds read in
- xfrm_state_find."
-
-This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
-
-This commit breaks transport mode when the policy template
-has widlcard addresses configured, so revert it.
-
-Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
----
- net/xfrm/xfrm_policy.c | 29 ++++++++++++++++++-----------
- 1 file changed, 18 insertions(+), 11 deletions(-)
-
-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 2a6093840e7e856e..6bc16bb61b5533ef 100644
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -1362,29 +1362,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
- struct net *net = xp_net(policy);
- int nx;
- int i, error;
-+ xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
-+ xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
- xfrm_address_t tmp;
-
- for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
- struct xfrm_state *x;
-- xfrm_address_t *local;
-- xfrm_address_t *remote;
-+ xfrm_address_t *remote = daddr;
-+ xfrm_address_t *local = saddr;
- struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
-
-- remote = &tmpl->id.daddr;
-- local = &tmpl->saddr;
-- if (xfrm_addr_any(local, tmpl->encap_family)) {
-- error = xfrm_get_saddr(net, fl->flowi_oif,
-- &tmp, remote,
-- tmpl->encap_family, 0);
-- if (error)
-- goto fail;
-- local = &tmp;
-+ if (tmpl->mode == XFRM_MODE_TUNNEL ||
-+ tmpl->mode == XFRM_MODE_BEET) {
-+ remote = &tmpl->id.daddr;
-+ local = &tmpl->saddr;
-+ if (xfrm_addr_any(local, tmpl->encap_family)) {
-+ error = xfrm_get_saddr(net, fl->flowi_oif,
-+ &tmp, remote,
-+ tmpl->encap_family, 0);
-+ if (error)
-+ goto fail;
-+ local = &tmp;
-+ }
- }
-
- x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
-
- if (x && x->km.state == XFRM_STATE_VALID) {
- xfrm[nx++] = x;
-+ daddr = remote;
-+ saddr = local;
- continue;
- }
- if (x) {
---
-2.15.1
-
diff --git a/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch b/0004-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
index 0a54ce129b3..0a54ce129b3 100644
--- a/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+++ b/0004-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
diff --git a/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch b/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
deleted file mode 100644
index edd7b24a32d..00000000000
--- a/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 3721d64246982f91a5bf863fc17ac60ff722e0c4 Mon Sep 17 00:00:00 2001
-Message-Id: <3721d64246982f91a5bf863fc17ac60ff722e0c4.1514959852.git.jan.steffens@gmail.com>
-In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
-References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
-From: Steffen Klassert <steffen.klassert@secunet.com>
-Date: Fri, 22 Dec 2017 10:44:57 +0100
-Subject: [PATCH 5/7] xfrm: Fix stack-out-of-bounds read on socket policy
- lookup.
-
-When we do tunnel or beet mode, we pass saddr and daddr from the
-template to xfrm_state_find(), this is ok. On transport mode,
-we pass the addresses from the flowi, assuming that the IP
-addresses (and address family) don't change during transformation.
-This assumption is wrong in the IPv4 mapped IPv6 case, packet
-is IPv4 and template is IPv6.
-
-Fix this by catching address family missmatches of the policy
-and the flow already before we do the lookup.
-
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
----
- net/xfrm/xfrm_policy.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 6bc16bb61b5533ef..50c5f46b5cca942e 100644
---- a/net/xfrm/xfrm_policy.c
-+++ b/net/xfrm/xfrm_policy.c
-@@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
- again:
- pol = rcu_dereference(sk->sk_policy[dir]);
- if (pol != NULL) {
-- bool match = xfrm_selector_match(&pol->selector, fl, family);
-+ bool match;
- int err = 0;
-
-+ if (pol->family != family) {
-+ pol = NULL;
-+ goto out;
-+ }
-+
-+ match = xfrm_selector_match(&pol->selector, fl, family);
- if (match) {
- if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
- pol = NULL;
---
-2.15.1
-
diff --git a/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch b/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
deleted file mode 100644
index f3af870c788..00000000000
--- a/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 51786b65797aed683ca72293a3cb86a2cab987c0 Mon Sep 17 00:00:00 2001
-Message-Id: <51786b65797aed683ca72293a3cb86a2cab987c0.1514959852.git.jan.steffens@gmail.com>
-In-Reply-To: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
-References: <fb89d912d5f7289d3a922c77b671e36e1c740f5e.1514959852.git.jan.steffens@gmail.com>
-From: Tom Lendacky <thomas.lendacky@amd.com>
-Date: Tue, 26 Dec 2017 23:43:54 -0600
-Subject: [PATCH 7/7] x86/cpu, x86/pti: Do not enable PTI on AMD processors
-
-AMD processors are not subject to the types of attacks that the kernel
-page table isolation feature protects against. The AMD microarchitecture
-does not allow memory references, including speculative references, that
-access higher privileged data when running in a lesser privileged mode
-when that access would result in a page fault.
-
-Disable page table isolation by default on AMD processors by not setting
-the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
-is set.
-
-Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
-Reviewed-by: Borislav Petkov <bp@suse.de>
----
- arch/x86/kernel/cpu/common.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index f2a94dfb434e9a7c..b1be494ab4e8badf 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
-
- setup_force_cpu_cap(X86_FEATURE_ALWAYS);
-
-- /* Assume for now that ALL x86 CPUs are insecure */
-- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
-+ if (c->x86_vendor != X86_VENDOR_AMD)
-+ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
-
- fpu__init_system(c);
-
---
-2.15.1
-
diff --git a/PKGBUILD b/PKGBUILD
index 98030a70083..d66ea9e078e 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -62,7 +62,7 @@ _use_current=
pkgbase=linux-ck
_srcname=linux-4.14
-pkgver=4.14.11
+pkgver=4.14.12
pkgrel=1
_ckpatchversion=1
arch=('x86_64')
@@ -93,10 +93,7 @@ source=(
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
- 0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
- 0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
- 0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
- 0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+ 0004-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -104,7 +101,7 @@ validpgpkeys=(
)
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'SKIP'
- 'f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9'
+ 'da5d8db44b0988e4c45346899d3f5a51f8bd6c25f14e729615ca9ff9f17bdefd'
'SKIP'
'67030bc59cfe1c2d57a1284905e61a03b9aaa1516e1831dd3b74528ff7999ca3'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
@@ -120,10 +117,7 @@ sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'06bc1d8b1cd153c3146a4376d833f5769b980e5ef5eae99ddaaeb48bf514dae2'
'b90bef87574f30ec66c0f10d089bea56a9e974b6d052fee3071b1ff21360724b'
'f38531dee9fd8a59202ce96ac5b40446f1f035b89788ea9ecb2fb3909f703a25'
- '705d5fbfce00ccc20490bdfb5853d67d86ac00c845de6ecb13e414214b48daeb'
- '0a249248534a17f14fab7e14994811ae81fe324668a82ff41f3bcabeeae1460f'
- '8e1b303957ddd829c0c9ad7c012cd32f2354ff3c8c1b85da3d7f8a54524f3711'
- '914a0a019545ad7d14ed8d5c58d417eb0a8ec12a756beec79a545aabda343b31')
+ '8e1b303957ddd829c0c9ad7c012cd32f2354ff3c8c1b85da3d7f8a54524f3711')
_kernelname=${pkgbase#linux}
@@ -143,15 +137,8 @@ prepare() {
# https://nvd.nist.gov/vuln/detail/CVE-2017-8824
patch -Np1 -i ../0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
- # https://bugs.archlinux.org/task/56605
- patch -Np1 -i ../0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch
- patch -Np1 -i ../0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
-
# https://bugs.archlinux.org/task/56846
- patch -Np1 -i ../0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
-
- # For AMD processors, keep PTI off by default
- patch -Np1 -i ../0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+ patch -Np1 -i ../0004-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
# fix naming schema in EXTRAVERSION of ck patch set
sed -i -re "s/^(.EXTRAVERSION).*$/\1 = /" "../${_ckpatchname}"