From 5c32531b12fbf6e9d7848090bd521b7a260da511 Mon Sep 17 00:00:00 2001 
From: Benjamin Gilbert
Date: Fri, 22 Sep 2017 16:34:52 -0700
Subject: [PATCH] sys-kernel/coreos-*: add patch for CVE-2017-14489
---
 ....ebuild => coreos-kernel-4.13.3-r1.ebuild} | 2 +-
 ...ebuild => coreos-modules-4.13.3-r1.ebuild} | 2 +-
 ...ebuild => coreos-sources-4.13.3-r1.ebuild} | 1 +
 .../z0001-efi-Add-EFI_SECURE_BOOT-bit.patch | 4 +-
 ...to-lock-down-access-to-the-running-k.patch | 4 +-
 ...e-kernel-if-booted-in-secure-boot-mo.patch | 4 +-
 ...ignatures-if-the-kernel-is-locked-do.patch | 4 +-
 ...-and-dev-kmem-when-the-kernel-is-loc.patch | 4 +-
 ...-runtime-if-the-kernel-is-locked-dow.patch | 12 ++--
 ...-flag-in-boot-params-across-kexec-re.patch | 4 +-
 ...le-at-runtime-if-securelevel-has-bee.patch | 4 +-
 ...sable-when-the-kernel-is-locked-down.patch | 4 +-
 ...sable-when-the-kernel-is-locked-down.patch | 4 +-
 ...R-access-when-the-kernel-is-locked-d.patch | 4 +-
 ...-port-access-when-the-kernel-is-lock.patch | 4 +-
 ...-access-when-the-kernel-is-locked-do.patch | 4 +-
 ...t-debugfs-interface-when-the-kernel-.patch | 4 +-
 ...s-to-custom_method-when-the-kernel-i.patch | 4 +-
 ..._rsdp-kernel-param-when-the-kernel-h.patch | 4 +-
 ...I-table-override-if-the-kernel-is-lo.patch | 4 +-
 ...I-error-injection-if-the-kernel-is-l.patch | 4 +-
 ...nel-image-access-functions-when-the-.patch | 4 +-
 ...z0020-scsi-Lock-down-the-eata-driver.patch | 4 +-
 ...CIS-storage-when-the-kernel-is-locke.patch | 4 +-
 .../4.13/z0022-Lock-down-TIOCSSERIAL.patch | 4 +-
 ...lative-path-for-KBUILD_SRC-from-CURD.patch | 4 +-
 .../z0024-Add-arm64-coreos-verity-hash.patch | 4 +-
 ...ue-that-iscsi_if_rx-doesn-t-parse-nl.patch | 60 +++++++++++++++++++
 28 files changed, 115 insertions(+), 54 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.13.3.ebuild => coreos-kernel-4.13.3-r1.ebuild} (98%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.13.3.ebuild => coreos-modules-4.13.3-r1.ebuild} (98%)
 rename
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.13.3.ebuild => coreos-sources-4.13.3-r1.ebuild} (97%) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nl.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.3-r1.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.3.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.3-r1.ebuild index abc3b4ff57..2a177741dd 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.3-r1.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="" +COREOS_SOURCE_REVISION="-r1" inherit coreos-kernel DESCRIPTION="CoreOS Linux kernel" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.3-r1.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.3.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.3-r1.ebuild index 685aa802e6..6c70281dca 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.3-r1.ebuild 
@@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="" +COREOS_SOURCE_REVISION="-r1" inherit coreos-kernel savedconfig DESCRIPTION="CoreOS Linux kernel modules" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.3-r1.ebuild similarity index 97% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.3.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.3-r1.ebuild index abab10dc9f..67d749636e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.3-r1.ebuild @@ -55,4 +55,5 @@ UNIPATCH_LIST=" ${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \ ${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ ${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \ + ${PATCH_DIR}/z0025-scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nl.patch \ " diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch index 8e5999f447..37c0de9401 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ From 24ac5fe9afc189ba0488ad4e2cc0599695927c94 Mon Sep 17 00:00:00 2001 
From: Josh Boyer Date: Mon, 21 Nov 2016 23:55:55 +0000 -Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit that can be passed to efi_enabled() to find out whether secure boot is @@ -42,5 +42,5 @@ index 8269bcb8ccf7..7952dd3ffa73 100644 #ifdef CONFIG_EFI /* -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch index 7818e1f674..c95ed951f8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch @@ -1,7 +1,7 @@ From e294d94b1ae46e18f86fdd85bd8082d63de67f51 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:36:17 +0000 -Subject: [PATCH 02/24] Add the ability to lock down access to the running +Subject: [PATCH 02/25] Add the ability to lock down access to the running kernel image Provide a single call to allow kernel code to determine whether the system @@ -145,5 +145,5 @@ index 000000000000..5788c60ff4e1 +} +EXPORT_SYMBOL(kernel_is_locked_down); -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch index 5e155a77c9..ff41298d5a 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -1,7 +1,7 @@ From eec55ac2d53ae41b5b37a5d377083a691227467f Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:55:55 +0000 -Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode +Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also @@ -65,5 +65,5 @@ index 319995f58345..d0128aef43ce 100644 default: pr_info("Secure boot could not be determined\n"); -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch index a74d25487a..ace82bac91 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch @@ -1,7 +1,7 @@ From 7594a2244c02195356042096c1dd3ea5f1accc8e Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 23 Nov 2016 13:22:22 +0000 -Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down +Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down If the kernel is locked down, require that all modules have valid signatures that we can verify. 
@@ -25,5 +25,5 @@ index 40f983cbea81..e5b878b26906 100644 return err; -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch index ca618c4b94..fa8687e1d6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch @@ -1,7 +1,7 @@ From a894549647270203ea88874614c9f6448ac71e5a Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is +Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is locked down Allowing users to write to address space makes it possible for the kernel to @@ -39,5 +39,5 @@ index 593a8818aca9..ba68add9677f 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch index 8e3a4a16d2..677fabc179 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch @@ -1,7 +1,7 @@ 
From 2c45e9276090de762bdf1fdfa2075f664d4952fb Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down +Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down kexec permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable @@ -20,20 +20,20 @@ diff --git a/kernel/kexec.c b/kernel/kexec.c index e62ec4dc6620..37f75d0b75de 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c -@@ -201,6 +201,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, - if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) +@@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; -+ /* + /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down()) + return -EPERM; + - /* ++ /* * Verify we have a legal set of flags * This leaves us room for future extensions. + */ -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch index f5529e890f..1cb6cfe5ac 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch @@ -1,7 +1,7 @@ From c1f02b6ef93af49992ea0fcd5a9032e60a6051dc Mon Sep 17 00:00:00 2001 
From: Dave Young Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec +Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec reboot Kexec reboot in case secure boot being enabled does not keep the secure @@ -34,5 +34,5 @@ index fb095ba0c02f..7d0fac5bcbbe 100644 ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi; -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch index c00f75589c..c63f70d87a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch @@ -1,7 +1,7 @@ From 1b3967a9aef85898b7bf0ba16f724522d81c86f0 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Wed, 23 Nov 2016 13:49:19 +0000 -Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been +Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been set When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image @@ -35,5 +35,5 @@ index 9f48f4412297..7da87007c202 100644 if (flags != (flags & KEXEC_FILE_FLAGS)) return -EINVAL; -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch index bed113dc01..df81b59adb 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch @@ -1,7 +1,7 @@ From 0dcdb925193cdf62471a8eceae7a8d33f064d5fb Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down +Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -28,5 +28,5 @@ index e1914c7b85b1..7859ba79e181 100644 /** -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch index 09c4be666f..192c69ef38 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch @@ -1,7 +1,7 @@ From 8caca6fe945e6f67526b45ad1ef401e36bb34f73 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Wed, 23 Nov 2016 13:28:17 +0000 -Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down +Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel 
@@ -28,5 +28,5 @@ index 22df9f7ff672..e4b926d329b7 100644 if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch index 80f8b674ee..102e8401c3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch @@ -1,7 +1,7 @@ From 36512d31a0a50c9be471f719ef91f9f0788d2b4f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked +Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked down Any hardware that can potentially generate DMA has to be locked down in @@ -99,5 +99,5 @@ index 9bf993e1f71e..c09524738ceb 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch index bd142b2e58..84cf2ae23c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch @@ -1,7 +1,7 @@ 
From 08d7db127c47a2f5563db63894c533f2826195ac Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked +Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked down IO port access would permit users to gain access to PCI configuration @@ -55,5 +55,5 @@ index ba68add9677f..5e2a260fb89f 100644 } -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch index bccf234ce5..a317a3bc8d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch @@ -1,7 +1,7 @@ From b9860ec9018c67336aab681e18b0ebdd20a7ba32 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:17 +0000 -Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down +Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a @@ -40,5 +40,5 @@ index ef688804f80d..fbcce028e502 100644 err = -EFAULT; break; -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch index 734b55e2ed..427b79be10 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch @@ -1,7 +1,7 @@ From f25d9d9652b00f37f7b92642cc48b268b683ac9e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is +Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is locked down We have no way of validating what all of the Asus WMI methods do on a given @@ -51,5 +51,5 @@ index 709e3a67391a..2d8db47698b2 100644 1, asus->debug.method_id, &input, &output); -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch index 55eda0b14a..330d82eca7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch @@ -1,7 +1,7 @@ From 23845c3c7ae804a97934d32381db5c564de27ce9 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is +Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is locked down custom_method effectively allows arbitrary access to system memory, making 
@@ -29,5 +29,5 @@ index c68e72414a67..e4d721c330c0 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch index c45d4fc4ef..49852a5a83 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch @@ -1,7 +1,7 @@ From d6c8e80e0e35ed883094e60cdeaf63cbecc8cfff Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has +Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down This option allows userspace to pass the RSDP address to the kernel, which @@ -28,5 +28,5 @@ index db78d353bab1..d4d4ba348451 100644 #endif -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch index 40241cc5fb..92d190885d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch @@ -1,7 +1,7 @@ 
From ab3d740ef513f539d373f7dcbe7578f562380092 Mon Sep 17 00:00:00 2001 From: Linn Crosetto Date: Wed, 23 Nov 2016 13:32:27 +0000 -Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is +Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is locked down From the kernel documentation (initrd_table_override.txt): @@ -37,5 +37,5 @@ index ff425390bfa8..c72bfa97888a 100644 memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch index 6962e51935..90a735b8de 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch @@ -1,7 +1,7 @@ From a567ee9cbbd0748d4e5cd15d8f9d8b683929adc8 Mon Sep 17 00:00:00 2001 From: Linn Crosetto Date: Wed, 23 Nov 2016 13:39:41 +0000 -Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is +Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is locked down ACPI provides an error injection mechanism, EINJ, for debugging and testing @@ -40,5 +40,5 @@ index ec50c32ea3da..e082718d01c2 100644 if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) -- -2.14.1 +2.13.5 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch index 34fb1730f5..f6a60a863b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch @@ -1,7 +1,7 @@ From b35ffb0b950ab4bf184ba257e9595c7ef3a10a05 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Wed, 23 Nov 2016 13:52:16 +0000 -Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the +Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the kernel is locked down There are some bpf functions can be used to read kernel memory: @@ -53,5 +53,5 @@ index dc498b605d5d..fb240222b89b 100644 for (i = 0; i < fmt_size; i++) { if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i])) -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch index 6b42874110..29c6ed98fb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch @@ -1,7 +1,7 @@ From c0ea02ed8cea11aece036c99d09272f93b1d07e0 Mon Sep 17 00:00:00 2001 
From: David Howells Date: Tue, 22 Nov 2016 10:10:34 +0000 -Subject: [PATCH 20/24] scsi: Lock down the eata driver +Subject: [PATCH 20/25] scsi: Lock down the eata driver When the kernel is running in secure boot mode, we lock down the kernel to prevent userspace from modifying the running kernel image. Whilst this @@ -43,5 +43,5 @@ index 227dd2c2ec2f..5c036d10c18b 100644 #if defined(MODULE) /* io_port could have been modified when loading as a module */ -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch index 54deb6eacc..9594fca109 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch @@ -1,7 +1,7 @@ From 07ed21cac5d6e65ae0ba686455007c7dd43942c4 Mon Sep 17 00:00:00 2001 From: David Howells Date: Fri, 25 Nov 2016 14:37:45 +0000 -Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked +Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked down Prohibit replacement of the PCMCIA Card Information Structure when the @@ -29,5 +29,5 @@ index 55ef7d1fd8da..193e4f7b73b1 100644 if (off) -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch index bff91e7edf..3554a35805 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch @@ -1,7 +1,7 @@ From f7452e58686ef325e666deb63510f193fef718e1 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 7 Dec 2016 10:28:39 +0000 -Subject: [PATCH 22/24] Lock down TIOCSSERIAL +Subject: [PATCH 22/25] Lock down TIOCSSERIAL Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial @@ -32,5 +32,5 @@ index f534a40aebde..e32c0179f423 100644 retval = -EPERM; if (change_irq || change_port || -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index f3896fcf5a..60e5470c4e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ From d0d433798e20cc9e29d091d0f55aa7e987d000e1 Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -26,5 +26,5 @@ index 0f31ef4aea7b..9456c4def17f 100644 # Leave processing to above invocation of make -- -2.14.1 +2.13.5 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch index b4f657b581..061d2f0eac 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch @@ -1,7 +1,7 @@ From fe4ad5f7bc5dd42ae943d8eb431a0307a60b839f Mon Sep 17 00:00:00 2001 From: Geoff Levand Date: Fri, 11 Nov 2016 17:28:52 -0800 -Subject: [PATCH 24/24] Add arm64 coreos verity hash +Subject: [PATCH 24/25] Add arm64 coreos verity hash Signed-off-by: Geoff Levand --- @@ -25,5 +25,5 @@ index 613fc3000677..fdaf86c78332 100644 /* * The debug table is referenced via its Relative Virtual Address (RVA), -- -2.14.1 +2.13.5 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nl.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nl.patch new file mode 100644 index 0000000000..35c979a801 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nl.patch 
@@ -0,0 +1,60 @@ +From d08d44a08c8d3a9a60e415b155401f2f03661b6e Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sun, 27 Aug 2017 20:25:26 +0800 +Subject: [PATCH 25/25] scsi: fix the issue that iscsi_if_rx doesn't parse + nlmsg properly + +ChunYu found a kernel crash by syzkaller: + +[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled +[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access +[ 651.618731] general protection fault: 0000 [#1] SMP KASAN +[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32 +[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000 +[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590 +[...] +[ 651.627260] Call Trace: +[ 651.629156] skb_release_all+0x4f/0x60 +[ 651.629450] consume_skb+0x1a5/0x600 +[ 651.630705] netlink_unicast+0x505/0x720 +[ 651.632345] netlink_sendmsg+0xab2/0xe70 +[ 651.633704] sock_sendmsg+0xcf/0x110 +[ 651.633942] ___sys_sendmsg+0x833/0x980 +[ 651.637117] __sys_sendmsg+0xf3/0x240 +[ 651.638820] SyS_sendmsg+0x32/0x50 +[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2 + +It's caused by skb_shared_info at the end of sk_buff was overwritten by +ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx. + +During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh), +ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a +new value to skb_shinfo(SKB)->nr_frags by ev->type. + +This patch is to fix it by checking nlh->nlmsg_len properly there to +avoid over accessing sk_buff. 
+ +Reported-by: ChunYu Wang +Signed-off-by: Xin Long +Acked-by: Chris Leech +--- + drivers/scsi/scsi_transport_iscsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index a424eaeafeb0..c55c6f3147ae 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb) + uint32_t group; + + nlh = nlmsg_hdr(skb); +- if (nlh->nlmsg_len < sizeof(*nlh) || ++ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) || + skb->len < nlh->nlmsg_len) { + break; + } +-- +2.13.5 +
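Review bot: The new condition bounds only the fixed-size `struct iscsi_uevent` (`sizeof(*ev)`) against `nlh->nlmsg_len`; event types whose payload extends past that header presumably still depend on their own length checks in the per-event dispatcher, which is outside this hunk, so confirm that those exist rather than treating this check as covering them. `iscsi_if_rx` begins and ends outside the hunk, so the loop condition that makes the `nlh->nlmsg_len` read itself safe is not visible here and should be re-read against the new bound when the patch is rebased. The vendored patch header carries only the local `From d08d44a08c8d3a9a60e415b155401f2f03661b6e` id; adding a trailer such as `(cherry picked from commit <UPSTREAM-COMMIT-ID>)` under the Acked-by line would let a later kernel bump drop the patch once the base tree already contains the fix.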
