authorgraysky2019-03-18 14:41:25 -0400
committergraysky2019-03-18 14:41:25 -0400
commit395165b5464531198413504394c5c9c785705184 (patch)
tree033db0beeaac7e9d5757818de255a7b25281784f
parentdac5108d78e20c1c2efb7d2068248b22015d0c07 (diff)
downloadaur-395165b5464531198413504394c5c9c785705184.tar.gz
Update to 5.0.3rc1-1
-rw-r--r--.SRCINFO18
-rw-r--r--0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch131
-rw-r--r--PKGBUILD12
3 files changed, 148 insertions, 13 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 083a496fc92f..7489d06c4780 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
# Generated by mksrcinfo v8
-# Tue Mar 12 21:27:33 UTC 2019
+# Mon Mar 18 18:41:25 UTC 2019
pkgbase = linux-rc
- pkgver = 5.0.2rc1
+ pkgver = 5.0.3rc1
pkgrel = 1
url = https://www.kernel.org/
arch = x86_64
@@ -11,24 +11,26 @@ pkgbase = linux-rc
makedepends = bc
makedepends = libelf
options = !strip
- source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.1.tar.xz
- source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.1.tar.sign
- source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.2-rc1.xz
- source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.2-rc1.sign
+ source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.2.tar.xz
+ source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.2.tar.sign
+ source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.3-rc1.xz
+ source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.3-rc1.sign
source = config
source = 60-linux.hook
source = 90-linux.hook
source = linux.preset
source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
- sha256sums = 3466214779db5bad716eb1c0a16747b5683009011ba3030bf942bba9640c333e
+ source = 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
+ sha256sums = 43bfea3a6b24b4e5f63190409a199bee8cb93dbea01c52ad7f017078ebdf7c9b
sha256sums = SKIP
- sha256sums = 30f3b514b24078ae645f2a4ca8367b50084141c2328920d8544c461cd7a4d83a
+ sha256sums = 89fd5156407774a7d6b67939bfe73a797e4f8520904d7145a8776972c8486eaf
sha256sums = SKIP
sha256sums = df2ce998b050c707950c555f7f6ec0efcb8498fca10b4bce45f681844c8aa0ab
sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919
sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
sha256sums = 4fb1ddb2d03db2f6d9d11ba5b4dbc6abcdf5a9a6dd94c94634aa032690c48629
+ sha256sums = 87e88d199d8e9beb89d8e5f7ce6a4bf8db18ccec169323c9b6fda563719d76ba
pkgname = linux-rc
pkgdesc = The release candidate kernel and modules
diff --git a/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch b/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
new file mode 100644
index 000000000000..e5797a8c2314
--- /dev/null
+++ b/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
@@ -0,0 +1,131 @@
+From 7a6c88347cc6dd3b0ade3be5e45cb932a07cec82 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 8 Mar 2019 00:58:53 +0100
+Subject: [PATCH 2/3] netfilter: nf_tables: fix set double-free in abort path
+
+The abort path can cause a double-free of an anonymous set.
+Added-and-to-be-aborted rule looks like this:
+
+udp dport { 137, 138 } drop
+
+The to-be-aborted transaction list looks like this:
+
+newset
+newsetelem
+newsetelem
+rule
+
+This gets walked in reverse order, so first pass disables the rule, the
+set elements, then the set.
+
+After synchronize_rcu(), we then destroy those in same order: rule, set
+element, set element, newset.
+
+Problem is that the anonymous set has already been bound to the rule, so
+the rule (lookup expression destructor) already frees the set, when then
+cause use-after-free when trying to delete the elements from this set,
+then try to free the set again when handling the newset expression.
+
+Rule releases the bound set in first place from the abort path, this
+causes the use-after-free on set element removal when undoing the new
+element transactions. To handle this, skip new element transaction if
+set is bound from the abort path.
+
+This is still causes the use-after-free on set element removal. To
+handle this, remove transaction from the list when the set is already
+bound.
+
+Joint work with Florian Westphal.
+
+Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
+Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/net/netfilter/nf_tables.h | 6 ++----
+ net/netfilter/nf_tables_api.c | 17 +++++++++++------
+ 2 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index b4984bbbe157..3d58acf94dd2 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -416,7 +416,8 @@ struct nft_set {
+ unsigned char *udata;
+ /* runtime data below here */
+ const struct nft_set_ops *ops ____cacheline_aligned;
+- u16 flags:14,
++ u16 flags:13,
++ bound:1,
+ genmask:2;
+ u8 klen;
+ u8 dlen;
+@@ -1329,15 +1330,12 @@ struct nft_trans_rule {
+ struct nft_trans_set {
+ struct nft_set *set;
+ u32 set_id;
+- bool bound;
+ };
+
+ #define nft_trans_set(trans) \
+ (((struct nft_trans_set *)trans->data)->set)
+ #define nft_trans_set_id(trans) \
+ (((struct nft_trans_set *)trans->data)->set_id)
+-#define nft_trans_set_bound(trans) \
+- (((struct nft_trans_set *)trans->data)->bound)
+
+ struct nft_trans_chain {
+ bool update;
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4893f248dfdc..e1724f9d8b9d 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -127,7 +127,7 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
+ list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
+ if (trans->msg_type == NFT_MSG_NEWSET &&
+ nft_trans_set(trans) == set) {
+- nft_trans_set_bound(trans) = true;
++ set->bound = true;
+ break;
+ }
+ }
+@@ -6617,8 +6617,7 @@ static void nf_tables_abort_release(struct nft_trans *trans)
+ nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
+ break;
+ case NFT_MSG_NEWSET:
+- if (!nft_trans_set_bound(trans))
+- nft_set_destroy(nft_trans_set(trans));
++ nft_set_destroy(nft_trans_set(trans));
+ break;
+ case NFT_MSG_NEWSETELEM:
+ nft_set_elem_destroy(nft_trans_elem_set(trans),
+@@ -6691,8 +6690,11 @@ static int __nf_tables_abort(struct net *net)
+ break;
+ case NFT_MSG_NEWSET:
+ trans->ctx.table->use--;
+- if (!nft_trans_set_bound(trans))
+- list_del_rcu(&nft_trans_set(trans)->list);
++ if (nft_trans_set(trans)->bound) {
++ nft_trans_destroy(trans);
++ break;
++ }
++ list_del_rcu(&nft_trans_set(trans)->list);
+ break;
+ case NFT_MSG_DELSET:
+ trans->ctx.table->use++;
+@@ -6700,8 +6702,11 @@ static int __nf_tables_abort(struct net *net)
+ nft_trans_destroy(trans);
+ break;
+ case NFT_MSG_NEWSETELEM:
++ if (nft_trans_elem_set(trans)->bound) {
++ nft_trans_destroy(trans);
++ break;
++ }
+ te = (struct nft_trans_elem *)trans->data;
+-
+ te->set->ops->remove(net, te->set, &te->elem);
+ atomic_dec(&te->set->nelems);
+ break;
+--
+2.21.0
+
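Review bot: The carried kernel patch moves `bound` from the per-transaction `struct nft_trans_set` into a bitfield on `struct nft_set`, and no line in its hunks clears the bit again, so the flag now lives as long as the set rather than the transaction. In `__nf_tables_abort` the NEWSET and NEWSETELEM cases drop the transaction when the set is bound, which makes the rule's lookup-expression destructor the only place that frees the set; that ownership rule is stated only in the commit message. I would document it on the field, for example `/* bound: set is owned by a rule; abort path must not free it or its elements */`, so that a later backport touching the abort path can be checked against it. Narrowing `flags` from 14 to 13 bits is safe only if no set flag uses the top bit, which is not visible here. The enclosing struct and functions start and end outside these hunks.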
diff --git a/PKGBUILD b/PKGBUILD
index bbd6d0e11a79..e0f9ed833018 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,8 +5,8 @@
pkgbase=linux-rc
pkgrel=1
_srcname=linux-5.0
-_stable=5.0.1
-_patchver=5.0.2
+_stable=5.0.2
+_patchver=5.0.3
_rcver=1
pkgver=${_patchver}rc${_rcver}
_rcpatch=patch-${_patchver}-rc${_rcver}
@@ -23,21 +23,23 @@ source=(
90-linux.hook # pacman hook for initramfs regeneration
linux.preset # standard config files for mkinitcpio ramdisk
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
# Arch-Linux-kernel-vx.xx.x-arch1.patch is not needed for rc1
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
)
-sha256sums=('3466214779db5bad716eb1c0a16747b5683009011ba3030bf942bba9640c333e'
+sha256sums=('43bfea3a6b24b4e5f63190409a199bee8cb93dbea01c52ad7f017078ebdf7c9b'
'SKIP'
- '30f3b514b24078ae645f2a4ca8367b50084141c2328920d8544c461cd7a4d83a'
+ '89fd5156407774a7d6b67939bfe73a797e4f8520904d7145a8776972c8486eaf'
'SKIP'
'df2ce998b050c707950c555f7f6ec0efcb8498fca10b4bce45f681844c8aa0ab'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
- '4fb1ddb2d03db2f6d9d11ba5b4dbc6abcdf5a9a6dd94c94634aa032690c48629')
+ '4fb1ddb2d03db2f6d9d11ba5b4dbc6abcdf5a9a6dd94c94634aa032690c48629'
+ '87e88d199d8e9beb89d8e5f7ce6a4bf8db18ccec169323c9b6fda563719d76ba')
_kernelname=${pkgbase#linux}
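Review bot: The new `0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch` entry in `source=()` has no comment recording where the patch comes from or when it can be dropped, unlike the hook and preset entries above it. The file is a `[PATCH 2/3]` export whose `From 7a6c8834…` id is not necessarily the upstream commit id, and it is presumably absent from the 5.0.3-rc1 stable-review patch, so it will become redundant or stop applying once a stable release contains the fix. I would add a trailing comment such as `# nf_tables abort-path double-free fix (netfilter bugzilla 1325); drop once included in stable`. The sha256 entry appended to `sha256sums` is the only integrity check on this file, since unlike the kernel tarball and rc patch it has no `.sign` counterpart verified against `validpgpkeys`.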