authorIrvine2018-01-03 21:21:04 +0000
committerIrvine2018-01-03 21:21:04 +0000
commitcb6fd9764069282d340f0b9b3fe6195dfdb93ca1 (patch)
tree63bce2ba63b7515002f867e275930423f6fe548e
parentf7e74ba7a841674e7323ac15b5b85b88cebf67cb (diff)
downloadaur-cb6fd9764069282d340f0b9b3fe6195dfdb93ca1.tar.gz
Sync with linux-hardened-4.14.11.-1
-rw-r--r--.SRCINFO22
-rw-r--r--CVE-2017-17449-netlink-Add-netns-check-on-taps.patch43
-rw-r--r--CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch74
-rw-r--r--PKGBUILD19
-rw-r--r--config.x86_643
-rw-r--r--x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch15
6 files changed, 36 insertions, 140 deletions
diff --git a/.SRCINFO b/.SRCINFO
index f0ff8352cbd4..2aa5e9e48fac 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,5 +1,5 @@
pkgbase = linux-hardened-apparmor
- pkgver = 4.14.10.a
+ pkgver = 4.14.11.a
pkgrel = 1
url = https://github.com/copperhead/linux-hardened
arch = x86_64
@@ -14,10 +14,10 @@ pkgbase = linux-hardened-apparmor
options = !strip
source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.xz
source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.sign
- source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.10.xz
- source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.10.sign
- source = https://github.com/thestinger/linux-hardened/releases/download/4.14.10.a/linux-hardened-4.14.10.a.patch
- source = https://github.com/thestinger/linux-hardened/releases/download/4.14.10.a/linux-hardened-4.14.10.a.patch.sig
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.11.xz
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.11.sign
+ source = https://github.com/thestinger/linux-hardened/releases/download/4.14.11.a/linux-hardened-4.14.11.a.patch
+ source = https://github.com/thestinger/linux-hardened/releases/download/4.14.11.a/linux-hardened-4.14.11.a.patch.sig
source = config.x86_64
source = 60-linux.hook
source = 90-linux.hook
@@ -26,22 +26,21 @@ pkgbase = linux-hardened-apparmor
source = Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
source = xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch
source = cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ source = x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
source = CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
source = CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- source = CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
source = CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
- source = CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
source = CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
validpgpkeys = 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7
sha256sums = SKIP
- sha256sums = 16f560aa713b46c707f04a226f67dc31fdd280aae57dd19e0413d61df5336c74
+ sha256sums = f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9
sha256sums = SKIP
- sha256sums = 24279be4a0e809c77255183eaa5f077ba457b17e057bd662631d5b9efd46588a
+ sha256sums = 7bf093ee625cf97560bb57b01fc7ddb1bfb705377cc6b68994911cceb23126d5
sha256sums = SKIP
- sha256sums = 2e52d9c0238d3343193c22df8864faa1d9ec50fa00bab1bd8e9f82c57e2ac0d2
+ sha256sums = 152d0e8cb3971f651357f209c03f697bd4e484d5fcc38bd2611d115124d8b425
sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919
sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
@@ -49,11 +48,10 @@ pkgbase = linux-hardened-apparmor
sha256sums = f7c86f7aa4c7d671a5ff80bcd92a33db2fa6e95b78188261db0ef260a7d75cd8
sha256sums = 294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45
sha256sums = 721c387db986d883a6df6b0da17941ce6d59811b0647ae6653b978c5ee144f19
+ sha256sums = 086f6ab16a6894db5444007d195f779322f3a5792e7ca0e91a61d4e633ad8f26
sha256sums = 6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9
sha256sums = b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5
- sha256sums = 830ef08edbf98153ff13a573270cb714605582ef19fb0c3e6eadb8876edd247f
sha256sums = 72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435
- sha256sums = 0ee6eae96743dca76dc018c354dd82e820fba0cb310618131e178684d85fd8c9
sha256sums = ee125179fdd295266aba52e1aebaef97cb41f4a05d9cd1c2b11b4ce83746e197
pkgname = linux-hardened-apparmor
diff --git a/CVE-2017-17449-netlink-Add-netns-check-on-taps.patch b/CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
deleted file mode 100644
index 1d54f0bb44aa..000000000000
--- a/CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 93c647643b48f0131f02e45da3bd367d80443291 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Wed, 6 Dec 2017 12:12:27 -0800
-Subject: [PATCH] netlink: Add netns check on taps
-
-Currently, a nlmon link inside a child namespace can observe systemwide
-netlink activity. Filter the traffic so that nlmon can only sniff
-netlink messages from its own netns.
-
-Test case:
-
- vpnns -- bash -c "ip link add nlmon0 type nlmon; \
- ip link set nlmon0 up; \
- tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
- sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
- spi 0x1 mode transport \
- auth sha1 0x6162633132330000000000000000000000000000 \
- enc aes 0x00000000000000000000000000000000
- grep --binary abc123 /tmp/nlmon.pcap
-
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/netlink/af_netlink.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index b9e0ee4e22f5..79cc1bf36e4a 100644
---- a/net/netlink/af_netlink.c
-+++ b/net/netlink/af_netlink.c
-@@ -253,6 +253,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
- struct sock *sk = skb->sk;
- int ret = -ENOMEM;
-
-+ if (!net_eq(dev_net(dev), sock_net(sk)))
-+ return 0;
-+
- dev_hold(dev);
-
- if (is_vmalloc_addr(skb->head))
---
-2.15.1
-
diff --git a/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
deleted file mode 100644
index fe1fb10929bb..000000000000
--- a/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 Mon Sep 17 00:00:00 2001
-From: Mohamed Ghannam <simo.ghannam@gmail.com>
-Date: Sun, 10 Dec 2017 03:50:58 +0000
-Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
-
-inet->hdrincl is racy, and could lead to uninitialized stack pointer
-usage, so its value should be read only once.
-
-Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
-Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/raw.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index 33b70bfd1122..125c1eab3eaa 100644
---- a/net/ipv4/raw.c
-+++ b/net/ipv4/raw.c
-@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- int err;
- struct ip_options_data opt_copy;
- struct raw_frag_vec rfv;
-+ int hdrincl;
-
- err = -EMSGSIZE;
- if (len > 0xFFFF)
- goto out;
-
-+ /* hdrincl should be READ_ONCE(inet->hdrincl)
-+ * but READ_ONCE() doesn't work with bit fields
-+ */
-+ hdrincl = inet->hdrincl;
- /*
- * Check the flags.
- */
-@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- /* Linux does not mangle headers on raw sockets,
- * so that IP options + IP_HDRINCL is non-sense.
- */
-- if (inet->hdrincl)
-+ if (hdrincl)
- goto done;
- if (ipc.opt->opt.srr) {
- if (!daddr)
-@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
-
- flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
- RT_SCOPE_UNIVERSE,
-- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
-+ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
- inet_sk_flowi_flags(sk) |
-- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
-+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
- daddr, saddr, 0, 0, sk->sk_uid);
-
-- if (!inet->hdrincl) {
-+ if (!hdrincl) {
- rfv.msg = msg;
- rfv.hlen = 0;
-
-@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- goto do_confirm;
- back_from_confirm:
-
-- if (inet->hdrincl)
-+ if (hdrincl)
- err = raw_send_hdrinc(sk, &fl4, msg, len,
- &rt, msg->msg_flags, &ipc.sockc);
-
---
-2.15.1
-
diff --git a/PKGBUILD b/PKGBUILD
index f0691ddae0ae..637ce53024ce 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,7 +2,7 @@
pkgbase=linux-hardened-apparmor
_srcname=linux-4.14
-_pkgver=4.14.10
+_pkgver=4.14.11
pkgver=${_pkgver}.a
pkgrel=1
url='https://github.com/copperhead/linux-hardened'
@@ -28,21 +28,21 @@ source=(https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz
# https://bugs.archlinux.org/task/56846
cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+
CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
- CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
)
replaces=('linux-grsec')
sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'SKIP'
- '16f560aa713b46c707f04a226f67dc31fdd280aae57dd19e0413d61df5336c74'
+ 'f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9'
'SKIP'
- '24279be4a0e809c77255183eaa5f077ba457b17e057bd662631d5b9efd46588a'
+ '7bf093ee625cf97560bb57b01fc7ddb1bfb705377cc6b68994911cceb23126d5'
'SKIP'
- '2e52d9c0238d3343193c22df8864faa1d9ec50fa00bab1bd8e9f82c57e2ac0d2'
+ '152d0e8cb3971f651357f209c03f697bd4e484d5fcc38bd2611d115124d8b425'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
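Review bot: The new `x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch` entry is added to `source=()` without a provenance comment, unlike the neighbouring `cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch` entry that carries its `# https://bugs.archlinux.org/task/56846` reference, so the next sync cannot tell where it came from or when it may be dropped. A one-line comment above it such as `# backport of upstream "x86/cpu, x86/pti: Do not enable PTI on AMD processors"; drop once it is carried by 4.14.y` would record that. The same hunk silently removes the CVE-2017-17449 and CVE-2017-17712 patches; presumably 4.14.11 itself now carries those fixes, but neither the PKGBUILD nor the commit message says so, and anyone auditing the package's CVE coverage has to re-derive it. The empty line inserted inside the array after the new entry is harmless but inconsistent with the rest of the list.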
@@ -50,11 +50,10 @@ sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
'f7c86f7aa4c7d671a5ff80bcd92a33db2fa6e95b78188261db0ef260a7d75cd8'
'294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45'
'721c387db986d883a6df6b0da17941ce6d59811b0647ae6653b978c5ee144f19'
+ '086f6ab16a6894db5444007d195f779322f3a5792e7ca0e91a61d4e633ad8f26'
'6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9'
'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5'
- '830ef08edbf98153ff13a573270cb714605582ef19fb0c3e6eadb8876edd247f'
'72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435'
- '0ee6eae96743dca76dc018c354dd82e820fba0cb310618131e178684d85fd8c9'
'ee125179fdd295266aba52e1aebaef97cb41f4a05d9cd1c2b11b4ce83746e197')
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -68,7 +67,7 @@ prepare() {
# add upstream patch
msg2 "Applying upstream patch"
- patch -Np1 -i ../patch-${_pkgver}
+ patch -Np1 < ../patch-${_pkgver}
# XXX: GNU patch doesn't support git-style file mode
chmod +x tools/objtool/sync-check.sh
@@ -85,7 +84,7 @@ prepare() {
# linux hardened patch
msg2 "Applying hardened patch"
- patch -Np1 -i ../linux-hardened-${pkgver}.patch
+ patch -Np1 < ../linux-hardened-${pkgver}.patch
# add latest fixes from stable queue, if needed
# http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
diff --git a/config.x86_64 b/config.x86_64
index b59df0892862..fb44def9d523 100644
--- a/config.x86_64
+++ b/config.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.10 Kernel Configuration
+# Linux/x86 4.14.11 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -8099,6 +8099,7 @@ CONFIG_SECURITY=y
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
+CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SECURITY_INFINIBAND=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
diff --git a/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch b/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
new file mode 100644
index 000000000000..d6ac8b188657
--- /dev/null
+++ b/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
@@ -0,0 +1,15 @@
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index c47de4e..7d9e3b0 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+
+ setup_force_cpu_cap(X86_FEATURE_ALWAYS);
+
+- /* Assume for now that ALL x86 CPUs are insecure */
+- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
++ if (c->x86_vendor != X86_VENDOR_AMD)
++ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+
+ fpu__init_system(c);
+
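Review bot: The added patch file carries no commit header — no `From:` line with the upstream hash, no `Subject:`, no `Signed-off-by:` trailer — whereas the repository's other patch files (the two deleted in this same commit, for instance) are `git format-patch` output whose first line names the upstream commit. Without it the change to `arch/x86/kernel/cpu/common.c` cannot be checked against the revision it was taken from; the abbreviated `index c47de4e..7d9e3b0` line is the only anchor. Regenerating the file with `git format-patch -1 <upstream-commit>` (placeholder for the upstream commit id) would supply that header without altering the hunk. Since the hunk makes `setup_force_cpu_bug(X86_BUG_CPU_INSECURE)` — and hence PTI — conditional on `c->x86_vendor != X86_VENDOR_AMD`, a vendor-gated mitigation decision like this is exactly what the recorded subject and origin should make explicit for later review.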