From 28a3f3480e6031244287ad1f19996748aea90f0d Mon Sep 17 00:00:00 2001 From: Benjamin Gilbert Date: Thu, 10 Aug 2017 16:26:29 -0700 Subject: [PATCH] sys-kernel/coreos-*: apply CVE patches for CVE-2017-1000111 and CVE-2017-1000112. --- ....ebuild => coreos-kernel-4.12.5-r1.ebuild} | 2 +- ...ebuild => coreos-modules-4.12.5-r1.ebuild} | 2 +- ...ebuild => coreos-sources-4.12.5-r1.ebuild} | 2 + .../z0001-efi-Add-EFI_SECURE_BOOT-bit.patch | 8 +- ...to-lock-down-access-to-the-running-k.patch | 14 ++-- ...e-kernel-if-booted-in-secure-boot-mo.patch | 8 +- ...ignatures-if-the-kernel-is-locked-do.patch | 6 +- ...-and-dev-kmem-when-the-kernel-is-loc.patch | 6 +- ...-runtime-if-the-kernel-is-locked-dow.patch | 6 +- ...-flag-in-boot-params-across-kexec-re.patch | 6 +- ...le-at-runtime-if-securelevel-has-bee.patch | 6 +- ...sable-when-the-kernel-is-locked-down.patch | 6 +- ...sable-when-the-kernel-is-locked-down.patch | 6 +- ...R-access-when-the-kernel-is-locked-d.patch | 10 +-- ...-port-access-when-the-kernel-is-lock.patch | 8 +- ...-access-when-the-kernel-is-locked-do.patch | 6 +- ...t-debugfs-interface-when-the-kernel-.patch | 6 +- ...s-to-custom_method-when-the-kernel-i.patch | 6 +- ..._rsdp-kernel-param-when-the-kernel-h.patch | 6 +- ...I-table-override-if-the-kernel-is-lo.patch | 6 +- ...I-error-injection-if-the-kernel-is-l.patch | 6 +- ...nel-image-access-functions-when-the-.patch | 6 +- ...z0020-scsi-Lock-down-the-eata-driver.patch | 6 +- ...CIS-storage-when-the-kernel-is-locke.patch | 6 +- .../4.12/z0022-Lock-down-TIOCSSERIAL.patch | 6 +- ...lative-path-for-KBUILD_SRC-from-CURD.patch | 6 +- .../z0024-Add-arm64-coreos-verity-hash.patch | 6 +- ...mit-link-status-change-after-propose.patch | 6 +- ...t-fix-truesize-for-mergeable-buffers.patch | 6 +- ...sistently-apply-ufo-or-fragmentation.patch | 74 +++++++++++++++++++ ...ace-in-packet_set_ring-on-PACKET_RES.patch | 63 ++++++++++++++++ 31 files changed, 228 insertions(+), 89 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.12.5.ebuild => coreos-kernel-4.12.5-r1.ebuild} (98%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.12.5.ebuild => coreos-modules-4.12.5-r1.ebuild} (98%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.12.5.ebuild => coreos-sources-4.12.5-r1.ebuild} (94%) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0027-udp-consistently-apply-ufo-or-fragmentation.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0028-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.5-r1.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.5.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.5-r1.ebuild index 090cb5ec8a..9a05b45bc9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.5.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.5-r1.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="" +COREOS_SOURCE_REVISION="-r1" inherit coreos-kernel DESCRIPTION="CoreOS Linux kernel" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.5-r1.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.5.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.5-r1.ebuild index 763d6d9dfe..5f7ad1c646 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.5.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.5-r1.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="" +COREOS_SOURCE_REVISION="-r1" inherit coreos-kernel savedconfig DESCRIPTION="CoreOS Linux kernel modules" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.5-r1.ebuild similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.5.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.5-r1.ebuild index 343813cbb3..97fa614901 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.5.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.5-r1.ebuild @@ -46,4 +46,6 @@ UNIPATCH_LIST=" ${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \ ${PATCH_DIR}/z0025-bonding-commit-link-status-change-after-propose.patch \ ${PATCH_DIR}/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch \ + ${PATCH_DIR}/z0027-udp-consistently-apply-ufo-or-fragmentation.patch \ + ${PATCH_DIR}/z0028-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch \ " diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch index 3bc8ede9f7..e97c3bb662 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ From ce3175a0cc48f722fa2cd41722e29059b71bb9a9 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 21 Nov 2016 23:55:55 +0000 -Subject: [PATCH 01/26] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 01/28] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit that can be passed to efi_enabled() to find out whether secure boot is @@ -18,7 +18,7 @@ Signed-off-by: David Howells 2 files changed, 2 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 36646f1..87ef54e 100644 +index 36646f19d40b..87ef54e64842 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1190,6 +1190,7 @@ void __init setup_arch(char **cmdline_p) @@ -30,7 +30,7 @@ index 36646f1..87ef54e 100644 break; default: diff --git a/include/linux/efi.h b/include/linux/efi.h -index ec36f42..381b3f6 100644 +index ec36f42a2add..381b3f6670d3 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *); @@ -42,5 +42,5 @@ index ec36f42..381b3f6 100644 #ifdef CONFIG_EFI /* -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch index 72e201273e..0ac7e1e9d1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch @@ -1,7 +1,7 @@ From 9f4e6a47c74ed8a659e0f7498d0c10482c2cfbaf Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:36:17 +0000 -Subject: [PATCH 02/26] Add the ability to lock down access to the running +Subject: [PATCH 02/28] Add the ability to lock down access to the running kernel image Provide a single call to allow kernel code to determine whether the system @@ -21,7 +21,7 @@ Signed-off-by: David Howells create mode 100644 security/lock_down.c diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 13bc08a..282a168 100644 +index 13bc08aba704..282a1684d6e8 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -276,6 +276,15 @@ extern int oops_may_print(void); @@ -41,7 +41,7 @@ index 13bc08a..282a168 100644 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); int __must_check _kstrtol(const char *s, unsigned int base, long *res); diff --git a/include/linux/security.h b/include/linux/security.h -index af675b5..68bab18 100644 +index af675b576645..68bab18ddd57 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata) @@ -62,7 +62,7 @@ index af675b5..68bab18 100644 #endif /* ! __LINUX_SECURITY_H */ diff --git a/security/Kconfig b/security/Kconfig -index 93027fd..4baac4a 100644 +index 93027fdf47d1..4baac4aab277 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -189,6 +189,21 @@ config STATIC_USERMODEHELPER_PATH @@ -88,7 +88,7 @@ index 93027fd..4baac4a 100644 source security/smack/Kconfig source security/tomoyo/Kconfig diff --git a/security/Makefile b/security/Makefile -index f2d71cd..8c4a43e 100644 +index f2d71cdb8e19..8c4a43e3d4e0 100644 --- a/security/Makefile +++ b/security/Makefile @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o @@ -100,7 +100,7 @@ index f2d71cd..8c4a43e 100644 +obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o diff --git a/security/lock_down.c b/security/lock_down.c new file mode 100644 -index 0000000..5788c60 +index 000000000000..5788c60ff4e1 --- /dev/null +++ b/security/lock_down.c @@ -0,0 +1,40 @@ @@ -145,5 +145,5 @@ index 0000000..5788c60 +} +EXPORT_SYMBOL(kernel_is_locked_down); -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch index 53c09b1a57..fa09d509aa 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -1,7 +1,7 @@ From fe6eb63a38a0e5f99d73e4b4cb2f4bbd8f127723 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:55:55 +0000 -Subject: [PATCH 03/26] efi: Lock down the kernel if booted in secure boot mode +Subject: [PATCH 03/28] efi: Lock down the kernel if booted in secure boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also @@ -16,7 +16,7 @@ Signed-off-by: David Howells 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 0efb4c9..4d1c53b 100644 +index 0efb4c9497bc..4d1c53bb8411 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1827,6 +1827,18 @@ config EFI_MIXED @@ -39,7 +39,7 @@ index 0efb4c9..4d1c53b 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 87ef54e..4c4d758 100644 +index 87ef54e64842..4c4d758d4be1 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -69,6 +69,7 @@ @@ -65,5 +65,5 @@ index 87ef54e..4c4d758 100644 default: pr_info("Secure boot could not be determined\n"); -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch index 2a985da790..b74ca92629 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch @@ -1,7 +1,7 @@ From d7e6ff962e25a9a4c7900dcae3c325d68b0b01ad Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 23 Nov 2016 13:22:22 +0000 -Subject: [PATCH 04/26] Enforce module signatures if the kernel is locked down +Subject: [PATCH 04/28] Enforce module signatures if the kernel is locked down If the kernel is locked down, require that all modules have valid signatures that we can verify. @@ -12,7 +12,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/module.c b/kernel/module.c -index 4a3665f..3f1de34 100644 +index 4a3665f8f837..3f1de34c6d10 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2777,7 +2777,7 @@ static int module_sig_check(struct load_info *info, int flags) @@ -25,5 +25,5 @@ index 4a3665f..3f1de34 100644 return err; -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch index 5acc8f1d3d..849f5e65a4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch @@ -1,7 +1,7 @@ From 4c9d9cc8455fc46e6a5171df2367cc89171894e8 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 05/26] Restrict /dev/mem and /dev/kmem when the kernel is +Subject: [PATCH 05/28] Restrict /dev/mem and /dev/kmem when the kernel is locked down Allowing users to write to address space makes it possible for the kernel to @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 593a881..ba68add 100644 +index 593a8818aca9..ba68add9677f 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, @@ -39,5 +39,5 @@ index 593a881..ba68add 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch index 8dbca78ff5..4c4d17ed5e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch @@ -1,7 +1,7 @@ From eebae3db37325d6ca57d1b006f904437a59580f6 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 06/26] kexec: Disable at runtime if the kernel is locked down +Subject: [PATCH 06/28] kexec: Disable at runtime if the kernel is locked down kexec permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable @@ -17,7 +17,7 @@ Signed-off-by: David Howells 1 file changed, 7 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index 980936a..46de8e6 100644 +index 980936a90ee6..46de8e6b42f4 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, @@ -35,5 +35,5 @@ index 980936a..46de8e6 100644 * This leaves us room for future extensions. */ -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch index 28ed1b9d0e..6f9b5240d6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch @@ -1,7 +1,7 @@ From cc3ff81651b05bfeeeda80928837019d67a7b1cc Mon Sep 17 00:00:00 2001 From: Dave Young Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 07/26] Copy secure_boot flag in boot params across kexec +Subject: [PATCH 07/28] Copy secure_boot flag in boot params across kexec reboot Kexec reboot in case secure boot being enabled does not keep the secure @@ -22,7 +22,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c -index 9d7fd5e..7e6f00a 100644 +index 9d7fd5e6689a..7e6f00ae8322 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, @@ -34,5 +34,5 @@ index 9d7fd5e..7e6f00a 100644 ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi; -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch index 60df4036ac..a7de58ca8c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch @@ -1,7 +1,7 @@ From 11cdd5d6f82dc648da689d0d5df80415aa6ccfdb Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Wed, 23 Nov 2016 13:49:19 +0000 -Subject: [PATCH 08/26] kexec_file: Disable at runtime if securelevel has been +Subject: [PATCH 08/28] kexec_file: Disable at runtime if securelevel has been set When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image @@ -18,7 +18,7 @@ Signed-off-by: David Howells 1 file changed, 6 insertions(+) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c -index b118735..f6937ee 100644 +index b118735fea9d..f6937eecd1eb 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, @@ -35,5 +35,5 @@ index b118735..f6937ee 100644 if (flags != (flags & KEXEC_FILE_FLAGS)) return -EINVAL; -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch index b8d994dd59..6c4dda8b84 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch @@ -1,7 +1,7 @@ From e066547b800fe128b1490bed96ce05485308a4ac Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 09/26] hibernate: Disable when the kernel is locked down +Subject: [PATCH 09/28] hibernate: Disable when the kernel is locked down There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index a8b978c..50cca5d 100644 +index a8b978c35a6a..50cca5dcb62f 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; @@ -28,5 +28,5 @@ index a8b978c..50cca5d 100644 /** -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch index 6f57b55c76..2e14cf65e9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch @@ -1,7 +1,7 @@ From 56b9aa60591fcda67ed2343781feae65d4b644e0 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Wed, 23 Nov 2016 13:28:17 +0000 -Subject: [PATCH 10/26] uswsusp: Disable when the kernel is locked down +Subject: [PATCH 10/28] uswsusp: Disable when the kernel is locked down uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel @@ -14,7 +14,7 @@ Signed-off-by: David Howells 1 file changed, 3 insertions(+) diff --git a/kernel/power/user.c b/kernel/power/user.c -index 22df9f7..e4b926d 100644 +index 22df9f7ff672..e4b926d329b7 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) @@ -28,5 +28,5 @@ index 22df9f7..e4b926d 100644 if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch index 28d8ceed11..d8587b0498 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch @@ -1,7 +1,7 @@ From 376f41a9e72da16e71afae479db0ddfdb3b00648 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 11/26] PCI: Lock down BAR access when the kernel is locked +Subject: [PATCH 11/28] PCI: Lock down BAR access when the kernel is locked down Any hardware that can potentially generate DMA has to be locked down in @@ -19,7 +19,7 @@ Signed-off-by: David Howells 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 31e9961..5595560 100644 +index 31e99613a12e..559556047d66 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -754,6 +754,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, @@ -53,7 +53,7 @@ index 31e9961..5595560 100644 } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 098360d..ef16fcc 100644 +index 098360d7ff81..ef16fccb1923 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, @@ -86,7 +86,7 @@ index 098360d..ef16fcc 100644 if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index 9bf993e..c095247 100644 +index 9bf993e1f71e..c09524738ceb 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, @@ -99,5 +99,5 @@ index 9bf993e..c095247 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch index 0a89b464d3..3a1827a565 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch @@ -1,7 +1,7 @@ From 95073d14a7f72af389cf7ae17967918f5fa69807 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 12/26] x86: Lock down IO port access when the kernel is locked +Subject: [PATCH 12/28] x86: Lock down IO port access when the kernel is locked down IO port access would permit users to gain access to PCI configuration @@ -20,7 +20,7 @@ Signed-off-by: David Howells 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 9c3cf09..4a613fe 100644 +index 9c3cf0944bce..4a613fed94b6 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) @@ -42,7 +42,7 @@ index 9c3cf09..4a613fe 100644 } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index ba68add..5e2a260 100644 +index ba68add9677f..5e2a260fb89f 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) @@ -55,5 +55,5 @@ index ba68add..5e2a260 100644 } -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch index 14528013ec..869b571aed 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch @@ -1,7 +1,7 @@ From 772e7b9176b7ddcce9cef71b2e79ed705916342f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:17 +0000 -Subject: [PATCH 13/26] x86: Restrict MSR access when the kernel is locked down +Subject: [PATCH 13/28] x86: Restrict MSR access when the kernel is locked down Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 7 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index ef68880..fbcce02 100644 +index ef688804f80d..fbcce028e502 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, @@ -40,5 +40,5 @@ index ef68880..fbcce02 100644 err = -EFAULT; break; -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch index 16581d0e39..7e641a0bcd 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch @@ -1,7 +1,7 @@ From e08b26f76b182ac6e12a6b9d50b493d2fedd34fc Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 14/26] asus-wmi: Restrict debugfs interface when the kernel is +Subject: [PATCH 14/28] asus-wmi: Restrict debugfs interface when the kernel is locked down We have no way of validating what all of the Asus WMI methods do on a given @@ -17,7 +17,7 @@ Signed-off-by: David Howells 1 file changed, 9 insertions(+) diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index 6c7d860..57b82cb 100644 +index 6c7d86074b38..57b82cbc9a6b 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c @@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data) @@ -51,5 +51,5 @@ index 6c7d860..57b82cb 100644 1, asus->debug.method_id, &input, &output); -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch index bd189ee4e8..af05951b9a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch @@ -1,7 +1,7 @@ From 47a2d3bcc537f52e09d195cd5ae6c1546dfb2cdc Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 15/26] ACPI: Limit access to custom_method when the kernel is +Subject: [PATCH 15/28] ACPI: Limit access to custom_method when the kernel is locked down custom_method effectively allows arbitrary access to system memory, making @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c -index c68e724..e4d721c 100644 +index c68e72414a67..e4d721c330c0 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c @@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, @@ -29,5 +29,5 @@ index c68e724..e4d721c 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch index 430aa1e270..c406548d6d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch @@ -1,7 +1,7 @@ From 9e4a043b792c4599a313aeb81b548e4a65b85f3f Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 16/26] acpi: Ignore acpi_rsdp kernel param when the kernel has +Subject: [PATCH 16/28] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down This option allows userspace to pass the RSDP address to the kernel, which @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index db78d35..d4d4ba3 100644 +index db78d353bab1..d4d4ba348451 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) @@ -28,5 +28,5 @@ index db78d35..d4d4ba3 100644 #endif -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch index dc3967c853..0a417731b1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch @@ -1,7 +1,7 @@ From e0ff61fba4dd9e26a6744446a6e133eac094b6ee Mon Sep 17 00:00:00 2001 From: Linn Crosetto Date: Wed, 23 Nov 2016 13:32:27 +0000 -Subject: [PATCH 17/26] acpi: Disable ACPI table override if the kernel is +Subject: [PATCH 17/28] acpi: Disable ACPI table override if the kernel is locked down From the kernel documentation (initrd_table_override.txt): @@ -21,7 +21,7 @@ Signed-off-by: David Howells 1 file changed, 5 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c -index ff42539..c72bfa9 100644 +index ff425390bfa8..c72bfa97888a 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void) @@ -37,5 +37,5 @@ index ff42539..c72bfa9 100644 memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch index 30b69161d9..3611693aeb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch @@ -1,7 +1,7 @@ From 7f0ec497364d309fdddb96ced1a83a9890b86baa Mon Sep 17 00:00:00 2001 From: Linn Crosetto Date: Wed, 23 Nov 2016 13:39:41 +0000 -Subject: [PATCH 18/26] acpi: Disable APEI error injection if the kernel is +Subject: [PATCH 18/28] acpi: Disable APEI error injection if the kernel is locked down ACPI provides an error injection mechanism, EINJ, for debugging and testing @@ -26,7 +26,7 @@ Signed-off-by: David Howells 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c -index ec50c32..e082718 100644 +index ec50c32ea3da..e082718d01c2 100644 --- a/drivers/acpi/apei/einj.c +++ b/drivers/acpi/apei/einj.c @@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, @@ -40,5 +40,5 @@ index ec50c32..e082718 100644 if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch index 9b774d6b07..75077af3bb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch @@ -1,7 +1,7 @@ From 1670abea3f18938e2bd3407c47e6d1b0b66d3bc2 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Wed, 23 Nov 2016 13:52:16 +0000 -Subject: [PATCH 19/26] bpf: Restrict kernel image access functions when the +Subject: [PATCH 19/28] bpf: Restrict kernel image access functions when the kernel is locked down There are some bpf functions can be used to read kernel memory: @@ -17,7 +17,7 @@ Signed-off-by: David Howells 1 file changed, 11 insertions(+) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c -index 460a031..58eb33d 100644 +index 460a031c77e5..58eb33d5d6ae 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) @@ -53,5 +53,5 @@ index 460a031..58eb33d 100644 for (i = 0; i < fmt_size; i++) { if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i])) -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch index e9587411e4..71002cd201 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch @@ -1,7 +1,7 @@ From 6c9effad0058286f8bb4d01ac247ef92be727b40 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 22 Nov 2016 10:10:34 +0000 -Subject: [PATCH 20/26] scsi: Lock down the eata driver +Subject: [PATCH 20/28] scsi: Lock down the eata driver When the kernel is running in secure boot mode, we lock down the kernel to prevent userspace from modifying the running kernel image. Whilst this @@ -24,7 +24,7 @@ cc: linux-scsi@vger.kernel.org 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c -index 227dd2c..5c036d1 100644 +index 227dd2c2ec2f..5c036d10c18b 100644 --- a/drivers/scsi/eata.c +++ b/drivers/scsi/eata.c @@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt) @@ -43,5 +43,5 @@ index 227dd2c..5c036d1 100644 #if defined(MODULE) /* io_port could have been modified when loading as a module */ -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch index e206543e22..64e4b4aeb0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch @@ -1,7 +1,7 @@ From df81e03770883fd556ba9591ab30e74097f0229f Mon Sep 17 00:00:00 2001 From: David Howells Date: Fri, 25 Nov 2016 14:37:45 +0000 -Subject: [PATCH 21/26] Prohibit PCMCIA CIS storage when the kernel is locked +Subject: [PATCH 21/28] Prohibit PCMCIA CIS storage when the kernel is locked down Prohibit replacement of the PCMCIA Card Information Structure when the @@ -13,7 +13,7 @@ Signed-off-by: David Howells 1 file changed, 5 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c -index 55ef7d1..193e4f7 100644 +index 55ef7d1fd8da..193e4f7b73b1 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c @@ -1578,6 +1578,11 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, @@ -29,5 +29,5 @@ index 55ef7d1..193e4f7 100644 if (off) -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch index b809511845..479cfcaaa8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch @@ -1,7 +1,7 @@ From d17a0012c78e29a87b949f30f175267fd91ff525 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 7 Dec 2016 10:28:39 +0000 -Subject: [PATCH 22/26] Lock down TIOCSSERIAL +Subject: [PATCH 22/28] Lock down TIOCSSERIAL Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index 13bfd5d..45fb768 100644 +index 13bfd5dcffce..45fb7689bc1c 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, @@ -32,5 +32,5 @@ index 13bfd5d..45fb768 100644 retval = -EPERM; if (change_irq || change_port || -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 834a77ffaa..c8d07c5454 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ From d21200af07c733bfc29d16883443a5207dd623eb Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 23/26] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 23/28] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 382e967..e5aa822 100644 +index 382e967b0792..e5aa82292663 100644 --- a/Makefile +++ b/Makefile @@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make @@ -26,5 +26,5 @@ index 382e967..e5aa822 100644 # Leave processing to above invocation of make -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch index d307611203..f7a4c59f73 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch @@ -1,7 +1,7 @@ From 94f8291a354361a902bfaa9aefc9de9cbbe8bacb Mon Sep 17 00:00:00 2001 From: Geoff Levand Date: Fri, 11 Nov 2016 17:28:52 -0800 -Subject: [PATCH 24/26] Add arm64 coreos verity hash +Subject: [PATCH 24/28] Add arm64 coreos verity hash Signed-off-by: Geoff Levand --- @@ -9,7 +9,7 @@ Signed-off-by: Geoff Levand 1 file changed, 5 insertions(+) diff --git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S -index 613fc30..fdaf86c 100644 +index 613fc3000677..fdaf86c78332 100644 --- a/arch/arm64/kernel/efi-header.S +++ b/arch/arm64/kernel/efi-header.S @@ -103,6 +103,11 @@ section_table: @@ -25,5 +25,5 @@ index 613fc30..fdaf86c 100644 /* * The debug table is referenced via its Relative Virtual Address (RVA), -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch index 21038e68bf..fac3ecd68e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch @@ -1,7 +1,7 @@ From 0d1fedc72064771c52e3bd8947b9a52b81f239fb Mon Sep 17 00:00:00 2001 From: WANG Cong Date: Tue, 25 Jul 2017 09:44:25 -0700 -Subject: [PATCH 25/26] bonding: commit link status change after propose +Subject: [PATCH 25/28] bonding: commit link status change after propose Commit de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring") moves link status commitment into bond_mii_monitor(), but it still relies @@ -20,7 +20,7 @@ Signed-off-by: David S. Miller 1 file changed, 2 insertions(+) diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 8ab6bdb..0eab2fd 100644 +index 8ab6bdbe1682..0eab2fdff8d7 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -2047,6 +2047,7 @@ static int bond_miimon_inspect(struct bonding *bond) @@ -40,5 +40,5 @@ index 8ab6bdb..0eab2fd 100644 if (slave->delay) { -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch index 5408a1854e..2697bdcd6c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch @@ -1,7 +1,7 @@ From b24f16f597586d794bb66c08f09b4e83579da916 Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Mon, 31 Jul 2017 21:49:49 +0300 -Subject: [PATCH 26/26] virtio_net: fix truesize for mergeable buffers +Subject: [PATCH 26/28] virtio_net: fix truesize for mergeable buffers Seth Forshee noticed a performance degradation with some workloads. This turns out to be due to packet drops. Euan Kemp noticed that this @@ -27,7 +27,7 @@ Signed-off-by: Michael S. Tsirkin 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c -index 6633dd4..acb754e 100644 +index 6633dd4bb649..acb754eb1ccb 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -889,21 +889,20 @@ static int add_recvbuf_mergeable(struct virtnet_info *vi, @@ -55,5 +55,5 @@ index 6633dd4..acb754e 100644 if (err < 0) put_page(virt_to_head_page(buf)); -- -2.10.2 +2.13.4 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0027-udp-consistently-apply-ufo-or-fragmentation.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0027-udp-consistently-apply-ufo-or-fragmentation.patch new file mode 100644 index 0000000000..c7a5e62582 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0027-udp-consistently-apply-ufo-or-fragmentation.patch @@ -0,0 +1,74 @@ +From 0f444da98d55b1d78467778c2db2a0fdf7a11f9d Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Fri, 14 Jul 2017 10:19:00 -0700 +Subject: [PATCH 27/28] udp: consistently apply ufo or fragmentation + +When iteratively building a UDP datagram with MSG_MORE and that +datagram exceeds MTU, consistently choose UFO or fragmentation. + +Once skb_is_gso, always apply ufo. Conversely, once a datagram is +split across multiple skbs, do not consider ufo. + +Sendpage already maintains the first invariant, only add the second. +IPv6 does not have a sendpage implementation to modify. + +Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") +CVE: CVE-2017-1000112 +Reported-by: Andrey Konovalov +Signed-off-by: Willem de Bruijn +--- + net/ipv4/ip_output.c | 8 +++++--- + net/ipv6/ip6_output.c | 7 ++++--- + 2 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 532b36e9ce2a..e5948c0c9759 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -964,11 +964,12 @@ static int __ip_append_data(struct sock *sk, + csummode = CHECKSUM_PARTIAL; + + cork->length += length; +- if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) || +- (skb && skb_is_gso(skb))) && ++ if ((skb && skb_is_gso(skb)) || ++ (((length + (skb ? skb->len : fragheaderlen)) > mtu) && ++ (skb_queue_len(queue) <= 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) && +- (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) { ++ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) { + err = ip_ufo_append_data(sk, queue, getfrag, from, length, + hh_len, fragheaderlen, transhdrlen, + maxfraglen, flags); +@@ -1287,6 +1288,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page, + return -EINVAL; + + if ((size + skb->len > mtu) && ++ (skb_queue_len(&sk->sk_write_queue) == 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO)) { + if (skb->ip_summed != CHECKSUM_PARTIAL) +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 1699acb2fa2c..90e8c3d57423 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1390,11 +1390,12 @@ static int __ip6_append_data(struct sock *sk, + */ + + cork->length += length; +- if ((((length + (skb ? skb->len : headersize)) > mtu) || +- (skb && skb_is_gso(skb))) && ++ if ((skb && skb_is_gso(skb)) || ++ (((length + (skb ? skb->len : headersize)) > mtu) && ++ (skb_queue_len(queue) <= 1) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) && +- (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) { ++ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) { + err = ip6_ufo_append_data(sk, queue, getfrag, from, length, + hh_len, fragheaderlen, exthdrlen, + transhdrlen, mtu, flags, fl6); +-- +2.13.4 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0028-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0028-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch new file mode 100644 index 0000000000..7594ce20b3 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0028-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch @@ -0,0 +1,63 @@ +From af6054f1bf2facd5f44e4f3652f5f86ea81e7c06 Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Fri, 4 Aug 2017 12:48:20 -0400 +Subject: [PATCH 28/28] net-packet: fix race in packet_set_ring on + PACKET_RESERVE + +PACKET_RESERVE reserves headroom in memory mapped packet ring frames. +The value po->tp_reserve must is verified to be safe in packet_set_ring + + if (unlikely(req->tp_frame_size < po->tp_hdrlen + po->tp_reserve)) + +and the setsockopt fails once a ring is set. + + if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) + return -EBUSY; + +This operation does not take the socket lock. This leads to a race +similar to the one with PACKET_VERSION fixed in commit 84ac7260236a +("packet: fix race condition in packet_set_ring"). + +Fix this issue in the same manner: take the socket lock, which as of +that patch is held for the duration of packet_set_ring. + +This bug was discovered with syzkaller. + +Reported-by: Andrey Konovalov +CVE: CVE-2017-1000111 +Signed-off-by: Willem de Bruijn +--- + net/packet/af_packet.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index e3eeed19cc7a..b2df3bae2de7 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3705,14 +3705,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv + + if (optlen != sizeof(val)) + return -EINVAL; +- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) +- return -EBUSY; + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + if (val > INT_MAX) + return -EINVAL; +- po->tp_reserve = val; +- return 0; ++ lock_sock(sk); ++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) ++ ret = -EBUSY; ++ else { ++ po->tp_reserve = val; ++ ret = 0; ++ } ++ release_sock(sk); ++ return ret; + } + case PACKET_LOSS: + { +-- +2.13.4 +