author | Irvine | 2018-01-03 21:21:04 +0000 |
---|---|---|
committer | Irvine | 2018-01-03 21:21:04 +0000 |
commit | cb6fd9764069282d340f0b9b3fe6195dfdb93ca1 (patch) | |
tree | 63bce2ba63b7515002f867e275930423f6fe548e | |
parent | f7e74ba7a841674e7323ac15b5b85b88cebf67cb (diff) | |
download | aur-cb6fd9764069282d340f0b9b3fe6195dfdb93ca1.tar.gz |
Sync with linux-hardened-4.14.11.-1
-rw-r--r-- | .SRCINFO | 22 | ||||
-rw-r--r-- | CVE-2017-17449-netlink-Add-netns-check-on-taps.patch | 43 | ||||
-rw-r--r-- | CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch | 74 | ||||
-rw-r--r-- | PKGBUILD | 19 | ||||
-rw-r--r-- | config.x86_64 | 3 | ||||
-rw-r--r-- | x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch | 15 |
6 files changed, 36 insertions, 140 deletions
@@ -1,5 +1,5 @@
 pkgbase = linux-hardened-apparmor
- pkgver = 4.14.10.a
+ pkgver = 4.14.11.a
 pkgrel = 1
 url = https://github.com/copperhead/linux-hardened
 arch = x86_64
@@ -14,10 +14,10 @@ pkgbase = linux-hardened-apparmor
 options = !strip
 source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.xz
 source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.sign
- source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.10.xz
- source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.10.sign
- source = https://github.com/thestinger/linux-hardened/releases/download/4.14.10.a/linux-hardened-4.14.10.a.patch
- source = https://github.com/thestinger/linux-hardened/releases/download/4.14.10.a/linux-hardened-4.14.10.a.patch.sig
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.11.xz
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.11.sign
+ source = https://github.com/thestinger/linux-hardened/releases/download/4.14.11.a/linux-hardened-4.14.11.a.patch
+ source = https://github.com/thestinger/linux-hardened/releases/download/4.14.11.a/linux-hardened-4.14.11.a.patch.sig
 source = config.x86_64
 source = 60-linux.hook
 source = 90-linux.hook
@@ -26,22 +26,21 @@ pkgbase = linux-hardened-apparmor
 source = Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
 source = xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch
 source = cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ source = x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
 source = CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
 source = CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- source = CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
 source = CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
- source = CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
 source = CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
 validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
 validpgpkeys = 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
 sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7
 sha256sums = SKIP
- sha256sums = 16f560aa713b46c707f04a226f67dc31fdd280aae57dd19e0413d61df5336c74
+ sha256sums = f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9
 sha256sums = SKIP
- sha256sums = 24279be4a0e809c77255183eaa5f077ba457b17e057bd662631d5b9efd46588a
+ sha256sums = 7bf093ee625cf97560bb57b01fc7ddb1bfb705377cc6b68994911cceb23126d5
 sha256sums = SKIP
- sha256sums = 2e52d9c0238d3343193c22df8864faa1d9ec50fa00bab1bd8e9f82c57e2ac0d2
+ sha256sums = 152d0e8cb3971f651357f209c03f697bd4e484d5fcc38bd2611d115124d8b425
 sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
 sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919
 sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
@@ -49,11 +48,10 @@ pkgbase = linux-hardened-apparmor
 sha256sums = f7c86f7aa4c7d671a5ff80bcd92a33db2fa6e95b78188261db0ef260a7d75cd8
 sha256sums = 294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45
 sha256sums = 721c387db986d883a6df6b0da17941ce6d59811b0647ae6653b978c5ee144f19
+ sha256sums = 086f6ab16a6894db5444007d195f779322f3a5792e7ca0e91a61d4e633ad8f26
 sha256sums = 6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9
 sha256sums = b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5
- sha256sums = 830ef08edbf98153ff13a573270cb714605582ef19fb0c3e6eadb8876edd247f
 sha256sums = 72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435
- sha256sums = 0ee6eae96743dca76dc018c354dd82e820fba0cb310618131e178684d85fd8c9
 sha256sums = ee125179fdd295266aba52e1aebaef97cb41f4a05d9cd1c2b11b4ce83746e197
 
 pkgname = linux-hardened-apparmor
diff --git a/CVE-2017-17449-netlink-Add-netns-check-on-taps.patch b/CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
deleted file mode 100644
index 1d54f0bb44aa..000000000000
--- a/CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 93c647643b48f0131f02e45da3bd367d80443291 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Wed, 6 Dec 2017 12:12:27 -0800
-Subject: [PATCH] netlink: Add netns check on taps
-
-Currently, a nlmon link inside a child namespace can observe systemwide
-netlink activity. Filter the traffic so that nlmon can only sniff
-netlink messages from its own netns.
-
-Test case:
-
- vpnns -- bash -c "ip link add nlmon0 type nlmon; \
- ip link set nlmon0 up; \
- tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
- sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
- spi 0x1 mode transport \
- auth sha1 0x6162633132330000000000000000000000000000 \
- enc aes 0x00000000000000000000000000000000
- grep --binary abc123 /tmp/nlmon.pcap
-
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/netlink/af_netlink.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index b9e0ee4e22f5..79cc1bf36e4a 100644
---- a/net/netlink/af_netlink.c
-+++ b/net/netlink/af_netlink.c
-@@ -253,6 +253,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
- struct sock *sk = skb->sk;
- int ret = -ENOMEM;
-
-+ if (!net_eq(dev_net(dev), sock_net(sk)))
-+ return 0;
-+
- dev_hold(dev);
-
- if (is_vmalloc_addr(skb->head))
---
-2.15.1
-
diff --git a/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
deleted file mode 100644
index fe1fb10929bb..000000000000
--- a/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 Mon Sep 17 00:00:00 2001
-From: Mohamed Ghannam <simo.ghannam@gmail.com>
-Date: Sun, 10 Dec 2017 03:50:58 +0000
-Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
-
-inet->hdrincl is racy, and could lead to uninitialized stack pointer
-usage, so its value should be read only once.
-
-Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
-Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/raw.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index 33b70bfd1122..125c1eab3eaa 100644
---- a/net/ipv4/raw.c
-+++ b/net/ipv4/raw.c
-@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- int err;
- struct ip_options_data opt_copy;
- struct raw_frag_vec rfv;
-+ int hdrincl;
-
- err = -EMSGSIZE;
- if (len > 0xFFFF)
- goto out;
-
-+ /* hdrincl should be READ_ONCE(inet->hdrincl)
-+ * but READ_ONCE() doesn't work with bit fields
-+ */
-+ hdrincl = inet->hdrincl;
- /*
- * Check the flags.
- */
-@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- /* Linux does not mangle headers on raw sockets,
- * so that IP options + IP_HDRINCL is non-sense.
- */
-- if (inet->hdrincl)
-+ if (hdrincl)
- goto done;
- if (ipc.opt->opt.srr) {
- if (!daddr)
-@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
-
- flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
- RT_SCOPE_UNIVERSE,
-- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
-+ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
- inet_sk_flowi_flags(sk) |
-- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
-+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
- daddr, saddr, 0, 0, sk->sk_uid);
-
-- if (!inet->hdrincl) {
-+ if (!hdrincl) {
- rfv.msg = msg;
- rfv.hlen = 0;
-
-@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- goto do_confirm;
- back_from_confirm:
-
-- if (inet->hdrincl)
-+ if (hdrincl)
- err = raw_send_hdrinc(sk, &fl4, msg, len,
- &rt, msg->msg_flags, &ipc.sockc);
-
---
-2.15.1
-
@@ -2,7 +2,7 @@ pkgbase=linux-hardened-apparmor
 _srcname=linux-4.14
-_pkgver=4.14.10
+_pkgver=4.14.11
 pkgver=${_pkgver}.a
 pkgrel=1
 url='https://github.com/copperhead/linux-hardened'
@@ -28,21 +28,21 @@ source=(https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz
 # https://bugs.archlinux.org/task/56846
 cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+
 CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
 CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
 CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
- CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
 CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
 )
 replaces=('linux-grsec')
 sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
 'SKIP'
- '16f560aa713b46c707f04a226f67dc31fdd280aae57dd19e0413d61df5336c74'
+ 'f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9'
 'SKIP'
- '24279be4a0e809c77255183eaa5f077ba457b17e057bd662631d5b9efd46588a'
+ '7bf093ee625cf97560bb57b01fc7ddb1bfb705377cc6b68994911cceb23126d5'
 'SKIP'
- '2e52d9c0238d3343193c22df8864faa1d9ec50fa00bab1bd8e9f82c57e2ac0d2'
+ '152d0e8cb3971f651357f209c03f697bd4e484d5fcc38bd2611d115124d8b425'
 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
 '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
@@ -50,11 +50,10 @@ sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
 'f7c86f7aa4c7d671a5ff80bcd92a33db2fa6e95b78188261db0ef260a7d75cd8'
 '294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45'
 '721c387db986d883a6df6b0da17941ce6d59811b0647ae6653b978c5ee144f19'
+ '086f6ab16a6894db5444007d195f779322f3a5792e7ca0e91a61d4e633ad8f26'
 '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9'
 'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5'
- '830ef08edbf98153ff13a573270cb714605582ef19fb0c3e6eadb8876edd247f'
 '72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435'
- '0ee6eae96743dca76dc018c354dd82e820fba0cb310618131e178684d85fd8c9'
 'ee125179fdd295266aba52e1aebaef97cb41f4a05d9cd1c2b11b4ce83746e197')
 validpgpkeys=(
 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -68,7 +67,7 @@ prepare() {
 # add upstream patch
 msg2 "Applying upstream patch"
- patch -Np1 -i ../patch-${_pkgver}
+ patch -Np1 < ../patch-${_pkgver}
 # XXX: GNU patch doesn't support git-style file mode
 chmod +x tools/objtool/sync-check.sh
@@ -85,7 +84,7 @@ prepare() {
 # linux hardened patch
 msg2 "Applying hardened patch"
- patch -Np1 -i ../linux-hardened-${pkgver}.patch
+ patch -Np1 < ../linux-hardened-${pkgver}.patch
 # add latest fixes from stable queue, if needed
 # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
diff --git a/config.x86_64 b/config.x86_64
index b59df0892862..fb44def9d523 100644
--- a/config.x86_64
+++ b/config.x86_64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.10 Kernel Configuration
+# Linux/x86 4.14.11 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -8099,6 +8099,7 @@ CONFIG_SECURITY=y
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
+CONFIG_PAGE_TABLE_ISOLATION=y
 CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
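Review bot: The source array in the PKGBUILD hunk at `@@ -28,21 +28,21 @@` drops CVE-2017-17449-netlink-Add-netns-check-on-taps.patch and CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch without saying why, and the commit title only says the package was synced with linux-hardened 4.14.11; presumably both fixes are now carried by patch-4.14.11, but nothing in the PKGBUILD states it, and the deleted files are the only record that the package ever shipped them. A comment above the remaining CVE entries, e.g. `# CVE-2017-17449 and CVE-2017-17712 standalone patches dropped: fixes included in patch-${_pkgver} (verify against the 4.14.11 changelog)`, would let a later maintainer confirm the drop instead of guessing. The same hunk adds a blank line inside the array between the PTI patch and the CVE group; a one-word comment there (`# CVE backports`) would make the grouping intentional rather than accidental.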
diff --git a/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch b/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
new file mode 100644
index 000000000000..d6ac8b188657
--- /dev/null
+++ b/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
@@ -0,0 +1,15 @@
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index c47de4e..7d9e3b0 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+
+ setup_force_cpu_cap(X86_FEATURE_ALWAYS);
+
+- /* Assume for now that ALL x86 CPUs are insecure */
+- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
++ if (c->x86_vendor != X86_VENDOR_AMD)
++ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+
+ fpu__init_system(c);
+
|
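Review bot: The new patch file begins directly at `diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c` with no From/Date/Subject header, unlike the two CVE patch files this commit deletes, so nothing in the package records which upstream commit it mirrors or who authored it. The hunk changes a security decision: X86_BUG_CPU_INSECURE is no longer forced when `c->x86_vendor` is X86_VENDOR_AMD, which going by the file name keeps PTI off on those CPUs, so at the next kernel bump a maintainer needs that provenance to decide whether to keep, refresh or drop the file. Either regenerate the file with `git format-patch` so it carries the upstream headers, or add a comment above its entry in the PKGBUILD source array naming the upstream commit, as the cgroup patch entry already does with a bug-tracker URL.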