diff options
author | graysky | 2019-03-18 14:41:25 -0400 |
---|---|---|
committer | graysky | 2019-03-18 14:41:25 -0400 |
commit | 395165b5464531198413504394c5c9c785705184 (patch) | |
tree | 033db0beeaac7e9d5757818de255a7b25281784f | |
parent | dac5108d78e20c1c2efb7d2068248b22015d0c07 (diff) | |
download | aur-395165b5464531198413504394c5c9c785705184.tar.gz |
Update to 5.0.3rc1-1
-rw-r--r-- | .SRCINFO | 18 | ||||
-rw-r--r-- | 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch | 131 | ||||
-rw-r--r-- | PKGBUILD | 12 |
3 files changed, 148 insertions, 13 deletions
@@ -1,7 +1,7 @@ # Generated by mksrcinfo v8 -# Tue Mar 12 21:27:33 UTC 2019 +# Mon Mar 18 18:41:25 UTC 2019 pkgbase = linux-rc - pkgver = 5.0.2rc1 + pkgver = 5.0.3rc1 pkgrel = 1 url = https://www.kernel.org/ arch = x86_64 @@ -11,24 +11,26 @@ pkgbase = linux-rc makedepends = bc makedepends = libelf options = !strip - source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.1.tar.xz - source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.1.tar.sign - source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.2-rc1.xz - source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.2-rc1.sign + source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.2.tar.xz + source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.2.tar.sign + source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.3-rc1.xz + source = https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.3-rc1.sign source = config source = 60-linux.hook source = 90-linux.hook source = linux.preset source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - sha256sums = 3466214779db5bad716eb1c0a16747b5683009011ba3030bf942bba9640c333e + source = 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch + sha256sums = 43bfea3a6b24b4e5f63190409a199bee8cb93dbea01c52ad7f017078ebdf7c9b sha256sums = SKIP - sha256sums = 30f3b514b24078ae645f2a4ca8367b50084141c2328920d8544c461cd7a4d83a + sha256sums = 89fd5156407774a7d6b67939bfe73a797e4f8520904d7145a8776972c8486eaf sha256sums = SKIP sha256sums = df2ce998b050c707950c555f7f6ec0efcb8498fca10b4bce45f681844c8aa0ab sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21 sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919 sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65 sha256sums = 4fb1ddb2d03db2f6d9d11ba5b4dbc6abcdf5a9a6dd94c94634aa032690c48629 + sha256sums = 87e88d199d8e9beb89d8e5f7ce6a4bf8db18ccec169323c9b6fda563719d76ba pkgname = linux-rc pkgdesc = The release candidate kernel and modules diff --git a/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch b/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch new file mode 100644 index 000000000000..e5797a8c2314 --- /dev/null +++ b/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch @@ -0,0 +1,131 @@ +From 7a6c88347cc6dd3b0ade3be5e45cb932a07cec82 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Fri, 8 Mar 2019 00:58:53 +0100 +Subject: [PATCH 2/3] netfilter: nf_tables: fix set double-free in abort path + +The abort path can cause a double-free of an anonymous set. +Added-and-to-be-aborted rule looks like this: + +udp dport { 137, 138 } drop + +The to-be-aborted transaction list looks like this: + +newset +newsetelem +newsetelem +rule + +This gets walked in reverse order, so first pass disables the rule, the +set elements, then the set. + +After synchronize_rcu(), we then destroy those in same order: rule, set +element, set element, newset. + +Problem is that the anonymous set has already been bound to the rule, so +the rule (lookup expression destructor) already frees the set, when then +cause use-after-free when trying to delete the elements from this set, +then try to free the set again when handling the newset expression. + +Rule releases the bound set in first place from the abort path, this +causes the use-after-free on set element removal when undoing the new +element transactions. To handle this, skip new element transaction if +set is bound from the abort path. + +This is still causes the use-after-free on set element removal. To +handle this, remove transaction from the list when the set is already +bound. + +Joint work with Florian Westphal. + +Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path") +Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325 +Acked-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + include/net/netfilter/nf_tables.h | 6 ++---- + net/netfilter/nf_tables_api.c | 17 +++++++++++------ + 2 files changed, 13 insertions(+), 10 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index b4984bbbe157..3d58acf94dd2 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -416,7 +416,8 @@ struct nft_set { + unsigned char *udata; + /* runtime data below here */ + const struct nft_set_ops *ops ____cacheline_aligned; +- u16 flags:14, ++ u16 flags:13, ++ bound:1, + genmask:2; + u8 klen; + u8 dlen; +@@ -1329,15 +1330,12 @@ struct nft_trans_rule { + struct nft_trans_set { + struct nft_set *set; + u32 set_id; +- bool bound; + }; + + #define nft_trans_set(trans) \ + (((struct nft_trans_set *)trans->data)->set) + #define nft_trans_set_id(trans) \ + (((struct nft_trans_set *)trans->data)->set_id) +-#define nft_trans_set_bound(trans) \ +- (((struct nft_trans_set *)trans->data)->bound) + + struct nft_trans_chain { + bool update; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 4893f248dfdc..e1724f9d8b9d 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -127,7 +127,7 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) + list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { + if (trans->msg_type == NFT_MSG_NEWSET && + nft_trans_set(trans) == set) { +- nft_trans_set_bound(trans) = true; ++ set->bound = true; + break; + } + } +@@ -6617,8 +6617,7 @@ static void nf_tables_abort_release(struct nft_trans *trans) + nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); + break; + case NFT_MSG_NEWSET: +- if (!nft_trans_set_bound(trans)) +- nft_set_destroy(nft_trans_set(trans)); ++ nft_set_destroy(nft_trans_set(trans)); + break; + case NFT_MSG_NEWSETELEM: + nft_set_elem_destroy(nft_trans_elem_set(trans), +@@ -6691,8 +6690,11 @@ static int __nf_tables_abort(struct net *net) + break; + case NFT_MSG_NEWSET: + trans->ctx.table->use--; +- if (!nft_trans_set_bound(trans)) +- list_del_rcu(&nft_trans_set(trans)->list); ++ if (nft_trans_set(trans)->bound) { ++ nft_trans_destroy(trans); ++ break; ++ } ++ list_del_rcu(&nft_trans_set(trans)->list); + break; + case NFT_MSG_DELSET: + trans->ctx.table->use++; +@@ -6700,8 +6702,11 @@ static int __nf_tables_abort(struct net *net) + nft_trans_destroy(trans); + break; + case NFT_MSG_NEWSETELEM: ++ if (nft_trans_elem_set(trans)->bound) { ++ nft_trans_destroy(trans); ++ break; ++ } + te = (struct nft_trans_elem *)trans->data; +- + te->set->ops->remove(net, te->set, &te->elem); + atomic_dec(&te->set->nelems); + break; +-- +2.21.0 + @@ -5,8 +5,8 @@ pkgbase=linux-rc pkgrel=1 _srcname=linux-5.0 -_stable=5.0.1 -_patchver=5.0.2 +_stable=5.0.2 +_patchver=5.0.3 _rcver=1 pkgver=${_patchver}rc${_rcver} _rcpatch=patch-${_patchver}-rc${_rcver} @@ -23,21 +23,23 @@ source=( 90-linux.hook # pacman hook for initramfs regeneration linux.preset # standard config files for mkinitcpio ramdisk 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch # Arch-Linux-kernel-vx.xx.x-arch1.patch is not needed for rc1 ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) -sha256sums=('3466214779db5bad716eb1c0a16747b5683009011ba3030bf942bba9640c333e' +sha256sums=('43bfea3a6b24b4e5f63190409a199bee8cb93dbea01c52ad7f017078ebdf7c9b' 'SKIP' - '30f3b514b24078ae645f2a4ca8367b50084141c2328920d8544c461cd7a4d83a' + '89fd5156407774a7d6b67939bfe73a797e4f8520904d7145a8776972c8486eaf' 'SKIP' 'df2ce998b050c707950c555f7f6ec0efcb8498fca10b4bce45f681844c8aa0ab' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' - '4fb1ddb2d03db2f6d9d11ba5b4dbc6abcdf5a9a6dd94c94634aa032690c48629') + '4fb1ddb2d03db2f6d9d11ba5b4dbc6abcdf5a9a6dd94c94634aa032690c48629' + '87e88d199d8e9beb89d8e5f7ce6a4bf8db18ccec169323c9b6fda563719d76ba') _kernelname=${pkgbase#linux} |