-rw-r--r-- | .SRCINFO | 20 | ||||
-rw-r--r-- | 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch | 12 | ||||
-rw-r--r-- | 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch | 131 | ||||
-rw-r--r-- | PKGBUILD | 8 |
4 files changed, 153 insertions, 18 deletions
@@ -1,7 +1,7 @@ # Generated by mksrcinfo v8 -# Thu Mar 14 17:22:23 UTC 2019 +# Thu Mar 21 19:38:08 UTC 2019 pkgbase = linux-ck - pkgver = 5.0.2 + pkgver = 5.0.3 pkgrel = 1 url = https://wiki.archlinux.org/index.php/Linux-ck arch = x86_64 @@ -11,8 +11,8 @@ pkgbase = linux-ck makedepends = bc makedepends = libelf options = !strip - source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.2.tar.xz - source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.2.tar.sign + source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.3.tar.xz + source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.3.tar.sign source = config source = 60-linux.hook source = 90-linux.hook @@ -20,7 +20,8 @@ pkgbase = linux-ck source = enable_additional_cpu_optimizations-20180509.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/20180509.tar.gz source = http://ck.kolivas.org/patches/5.0/5.0/5.0-ck1/patch-5.0-ck1.xz source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - sha256sums = 43bfea3a6b24b4e5f63190409a199bee8cb93dbea01c52ad7f017078ebdf7c9b + source = 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch + sha256sums = 40d533792a784bfd519cfc2eab7fe98bbafeb283eb31f17a99f6bf39cabfff89 sha256sums = SKIP sha256sums = cc8341a0f4b25ee98238d90faa75338c3ed9ae882d3982464b239960ce5b187f sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21 
@@ -28,7 +29,8 @@ pkgbase = linux-ck sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65 sha256sums = 226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d sha256sums = 661f64bbd8bf49afcc7c760c4148b2e2108511a1eadcae917cfe6056a83d8476 - sha256sums = 55823bb3ca652d917ba79860d595b479ec20c22a7c6854cbef901d44b4196316 + sha256sums = 91fafa76bf9cb32159ac7f22191b3589278b91e65bc4505cf2fc6013b8037bf3 + sha256sums = 87e88d199d8e9beb89d8e5f7ce6a4bf8db18ccec169323c9b6fda563719d76ba pkgname = linux-ck pkgdesc = The Linux-ck kernel and modules with the ck1 patchset featuring MuQSS CPU scheduler v0.190 @@ -38,12 +40,12 @@ pkgname = linux-ck depends = kmod depends = mkinitcpio optdepends = crda: to set the correct wireless channels of your country - provides = linux-ck=5.0.2 + provides = linux-ck=5.0.3 backup = etc/mkinitcpio.d/linux-ck.preset pkgname = linux-ck-headers pkgdesc = Header files and scripts for building modules for Linux-ck kernel depends = linux-ck - provides = linux-ck-headers=5.0.2 - provides = linux-headers=5.0.2 + provides = linux-ck-headers=5.0.3 + provides = linux-headers=5.0.3 diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch index 4a24f9ce9682..e7432e3242f2 100644 --- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch +++ b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch @@ -1,4 +1,4 @@ -From 884528c4629b0b333061c191d9b26081431dbfd3 Mon Sep 17 00:00:00 2001 +From e71668257d1353a7bd428ec90f0871b038db813b Mon Sep 17 00:00:00 2001 From: Serge Hallyn <serge.hallyn@canonical.com> Date: Fri, 31 May 2013 19:12:12 +0100 Subject: [PATCH 1/3] add sysctl to disallow unprivileged CLONE_NEWUSER by @@ -14,7 +14,7 @@ Signed-off-by: Daniel Micay <danielmicay@gmail.com> 3 files changed, 30 insertions(+) 
diff --git a/kernel/fork.c b/kernel/fork.c -index 906cd0c13d15..0d1d30ad91e7 100644 +index b69248e6f0e0..3b1cd11dc6dc 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -104,6 +104,11 @@ @@ -29,7 +29,7 @@ index 906cd0c13d15..0d1d30ad91e7 100644 /* * Minimum number of threads to boot the kernel -@@ -1699,6 +1704,10 @@ static __latent_entropy struct task_struct *copy_process( +@@ -1695,6 +1700,10 @@ static __latent_entropy struct task_struct *copy_process( if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) return ERR_PTR(-EINVAL); @@ -40,7 +40,7 @@ index 906cd0c13d15..0d1d30ad91e7 100644 /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. -@@ -2532,6 +2541,12 @@ int ksys_unshare(unsigned long unshare_flags) +@@ -2528,6 +2537,12 @@ int ksys_unshare(unsigned long unshare_flags) if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; @@ -54,7 +54,7 @@ index 906cd0c13d15..0d1d30ad91e7 100644 if (err) goto bad_unshare_out; diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 9ee261fce89e..ab26ddeab33d 100644 +index ba4d9e85feb8..e88b93a850df 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -106,6 +106,9 @@ extern int core_uses_pid; @@ -98,5 +98,5 @@ index 923414a246e9..6b9dbc257e34 100644 static DEFINE_MUTEX(userns_state_mutex); -- -2.20.1 +2.21.0 diff --git a/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch b/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch new file mode 100644 index 000000000000..e5797a8c2314 --- /dev/null +++ b/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch 
@@ -0,0 +1,131 @@ +From 7a6c88347cc6dd3b0ade3be5e45cb932a07cec82 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Fri, 8 Mar 2019 00:58:53 +0100 +Subject: [PATCH 2/3] netfilter: nf_tables: fix set double-free in abort path + +The abort path can cause a double-free of an anonymous set. +Added-and-to-be-aborted rule looks like this: + +udp dport { 137, 138 } drop + +The to-be-aborted transaction list looks like this: + +newset +newsetelem +newsetelem +rule + +This gets walked in reverse order, so first pass disables the rule, the +set elements, then the set. + +After synchronize_rcu(), we then destroy those in same order: rule, set +element, set element, newset. + +Problem is that the anonymous set has already been bound to the rule, so +the rule (lookup expression destructor) already frees the set, when then +cause use-after-free when trying to delete the elements from this set, +then try to free the set again when handling the newset expression. + +Rule releases the bound set in first place from the abort path, this +causes the use-after-free on set element removal when undoing the new +element transactions. To handle this, skip new element transaction if +set is bound from the abort path. + +This is still causes the use-after-free on set element removal. To +handle this, remove transaction from the list when the set is already +bound. + +Joint work with Florian Westphal. 
+ +Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path") +Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325 +Acked-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + include/net/netfilter/nf_tables.h | 6 ++---- + net/netfilter/nf_tables_api.c | 17 +++++++++++------ + 2 files changed, 13 insertions(+), 10 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index b4984bbbe157..3d58acf94dd2 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -416,7 +416,8 @@ struct nft_set { + unsigned char *udata; + /* runtime data below here */ + const struct nft_set_ops *ops ____cacheline_aligned; +- u16 flags:14, ++ u16 flags:13, ++ bound:1, + genmask:2; + u8 klen; + u8 dlen; +@@ -1329,15 +1330,12 @@ struct nft_trans_rule { + struct nft_trans_set { + struct nft_set *set; + u32 set_id; +- bool bound; + }; + + #define nft_trans_set(trans) \ + (((struct nft_trans_set *)trans->data)->set) + #define nft_trans_set_id(trans) \ + (((struct nft_trans_set *)trans->data)->set_id) +-#define nft_trans_set_bound(trans) \ +- (((struct nft_trans_set *)trans->data)->bound) + + struct nft_trans_chain { + bool update; +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 4893f248dfdc..e1724f9d8b9d 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -127,7 +127,7 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) + list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { + if (trans->msg_type == NFT_MSG_NEWSET && + nft_trans_set(trans) == set) { +- nft_trans_set_bound(trans) = true; ++ set->bound = true; + break; + } + } +@@ -6617,8 +6617,7 @@ static void nf_tables_abort_release(struct nft_trans *trans) + nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); + break; + case NFT_MSG_NEWSET: +- if 
(!nft_trans_set_bound(trans)) +- nft_set_destroy(nft_trans_set(trans)); ++ nft_set_destroy(nft_trans_set(trans)); + break; + case NFT_MSG_NEWSETELEM: + nft_set_elem_destroy(nft_trans_elem_set(trans), +@@ -6691,8 +6690,11 @@ static int __nf_tables_abort(struct net *net) + break; + case NFT_MSG_NEWSET: + trans->ctx.table->use--; +- if (!nft_trans_set_bound(trans)) +- list_del_rcu(&nft_trans_set(trans)->list); ++ if (nft_trans_set(trans)->bound) { ++ nft_trans_destroy(trans); ++ break; ++ } ++ list_del_rcu(&nft_trans_set(trans)->list); + break; + case NFT_MSG_DELSET: + trans->ctx.table->use++; +@@ -6700,8 +6702,11 @@ static int __nf_tables_abort(struct net *net) + nft_trans_destroy(trans); + break; + case NFT_MSG_NEWSETELEM: ++ if (nft_trans_elem_set(trans)->bound) { ++ nft_trans_destroy(trans); ++ break; ++ } + te = (struct nft_trans_elem *)trans->data; +- + te->set->ops->remove(net, te->set, &te->elem); + atomic_dec(&te->set->nelems); + break; +-- +2.21.0 + @@ -61,7 +61,7 @@ _localmodcfg= ### IMPORTANT: Do no edit below this line unless you know what you're doing pkgbase=linux-ck -_srcver=5.0.2-arch1 +_srcver=5.0.3-arch1 pkgver=${_srcver%-*} pkgrel=1 _ckpatchversion=1 @@ -81,12 +81,13 @@ source=( "enable_additional_cpu_optimizations-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/$_gcc_more_v.tar.gz" "http://ck.kolivas.org/patches/5.0/5.0/5.0-ck${_ckpatchversion}/$_ckpatch.xz" 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) -sha256sums=('43bfea3a6b24b4e5f63190409a199bee8cb93dbea01c52ad7f017078ebdf7c9b' +sha256sums=('40d533792a784bfd519cfc2eab7fe98bbafeb283eb31f17a99f6bf39cabfff89' 'SKIP' 'cc8341a0f4b25ee98238d90faa75338c3ed9ae882d3982464b239960ce5b187f' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' 
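Review bot: In the added 0002 patch, the new `NFT_MSG_NEWSETELEM` early exit in `__nf_tables_abort` (`if (nft_trans_elem_set(trans)->bound)`) tests a flag that now lives on `struct nft_set` and that no visible line ever clears, so it outlives the batch in which `nft_set_trans_bind` set it. If a set that survives commit can end up marked bound (inferred, since the callers and the start of `nft_set_trans_bind` are outside the hunk), a later aborted element add on that set would skip `te->set->ops->remove()` and `atomic_dec(&te->set->nelems)` and leave the element in place. Consider limiting the marking to anonymous sets, e.g. `if (!nft_set_is_anonymous(set)) return;` at the top of `nft_set_trans_bind`. The bitfield could also be documented with `/* bound: set was bound to a rule in the batch that created it; abort skips its set/element transactions */`. Both `__nf_tables_abort` and `nft_set_trans_bind` start and end outside the hunks shown.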
@@ -94,7 +95,8 @@ sha256sums=('43bfea3a6b24b4e5f63190409a199bee8cb93dbea01c52ad7f017078ebdf7c9b' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' '226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d' '661f64bbd8bf49afcc7c760c4148b2e2108511a1eadcae917cfe6056a83d8476' - '55823bb3ca652d917ba79860d595b479ec20c22a7c6854cbef901d44b4196316') + '91fafa76bf9cb32159ac7f22191b3589278b91e65bc4505cf2fc6013b8037bf3' + '87e88d199d8e9beb89d8e5f7ce6a4bf8db18ccec169323c9b6fda563719d76ba') _kernelname=${pkgbase#linux} : ${_kernelname:=-ARCH} |