mirror of
https://github.com/flatcar/scripts.git
synced 2025-08-21 22:41:09 +02:00
Merge pull request #2788 from bgilbert/4.13.3-r1
sys-kernel/coreos-*: add patch for CVE-2017-14489
This commit is contained in:
Benjamin Gilbert
GitHub
commit
a4ca2934ba
@ -2,7 +2,7 @@
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=5
|
||||
COREOS_SOURCE_REVISION=""
|
||||
COREOS_SOURCE_REVISION="-r1"
|
||||
inherit coreos-kernel
|
||||
|
||||
DESCRIPTION="CoreOS Linux kernel"
|
||||
@ -2,7 +2,7 @@
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=5
|
||||
COREOS_SOURCE_REVISION=""
|
||||
COREOS_SOURCE_REVISION="-r1"
|
||||
inherit coreos-kernel savedconfig
|
||||
|
||||
DESCRIPTION="CoreOS Linux kernel modules"
|
||||
@ -55,4 +55,5 @@ UNIPATCH_LIST="
|
||||
${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
|
||||
${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
|
||||
${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
|
||||
${PATCH_DIR}/z0025-scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nl.patch \
|
||||
"
|
||||
@ -1,7 +1,7 @@
|
||||
From 24ac5fe9afc189ba0488ad4e2cc0599695927c94 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 21 Nov 2016 23:55:55 +0000
|
||||
Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
|
||||
Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit
|
||||
|
||||
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
|
||||
that can be passed to efi_enabled() to find out whether secure boot is
|
||||
@ -42,5 +42,5 @@ index 8269bcb8ccf7..7952dd3ffa73 100644
|
||||
#ifdef CONFIG_EFI
|
||||
/*
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From e294d94b1ae46e18f86fdd85bd8082d63de67f51 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 23:36:17 +0000
|
||||
Subject: [PATCH 02/24] Add the ability to lock down access to the running
|
||||
Subject: [PATCH 02/25] Add the ability to lock down access to the running
|
||||
kernel image
|
||||
|
||||
Provide a single call to allow kernel code to determine whether the system
|
||||
@ -145,5 +145,5 @@ index 000000000000..5788c60ff4e1
|
||||
+}
|
||||
+EXPORT_SYMBOL(kernel_is_locked_down);
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From eec55ac2d53ae41b5b37a5d377083a691227467f Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 23:55:55 +0000
|
||||
Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
|
||||
Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode
|
||||
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
||||
only load signed bootloaders and kernels. Certain use cases may also
|
||||
@ -65,5 +65,5 @@ index 319995f58345..d0128aef43ce 100644
|
||||
default:
|
||||
pr_info("Secure boot could not be determined\n");
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 7594a2244c02195356042096c1dd3ea5f1accc8e Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Wed, 23 Nov 2016 13:22:22 +0000
|
||||
Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
|
||||
Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down
|
||||
|
||||
If the kernel is locked down, require that all modules have valid
|
||||
signatures that we can verify.
|
||||
@ -25,5 +25,5 @@ index 40f983cbea81..e5b878b26906 100644
|
||||
|
||||
return err;
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From a894549647270203ea88874614c9f6448ac71e5a Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
|
||||
Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is
|
||||
locked down
|
||||
|
||||
Allowing users to write to address space makes it possible for the kernel to
|
||||
@ -39,5 +39,5 @@ index 593a8818aca9..ba68add9677f 100644
|
||||
unsigned long to_write = min_t(unsigned long, count,
|
||||
(unsigned long)high_memory - p);
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 2c45e9276090de762bdf1fdfa2075f664d4952fb Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
|
||||
Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down
|
||||
|
||||
kexec permits the loading and execution of arbitrary code in ring 0, which
|
||||
is something that lock-down is meant to prevent. It makes sense to disable
|
||||
@ -20,20 +20,20 @@ diff --git a/kernel/kexec.c b/kernel/kexec.c
|
||||
index e62ec4dc6620..37f75d0b75de 100644
|
||||
--- a/kernel/kexec.c
|
||||
+++ b/kernel/kexec.c
|
||||
@@ -201,6 +201,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
||||
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
|
||||
@@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
||||
return -EPERM;
|
||||
|
||||
+ /*
|
||||
/*
|
||||
+ * kexec can be used to circumvent module loading restrictions, so
|
||||
+ * prevent loading in that case
|
||||
+ */
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
/*
|
||||
+ /*
|
||||
* Verify we have a legal set of flags
|
||||
* This leaves us room for future extensions.
|
||||
*/
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From c1f02b6ef93af49992ea0fcd5a9032e60a6051dc Mon Sep 17 00:00:00 2001
|
||||
From: Dave Young <dyoung@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
|
||||
Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec
|
||||
reboot
|
||||
|
||||
Kexec reboot in case secure boot being enabled does not keep the secure
|
||||
@ -34,5 +34,5 @@ index fb095ba0c02f..7d0fac5bcbbe 100644
|
||||
ei->efi_systab = current_ei->efi_systab;
|
||||
ei->efi_systab_hi = current_ei->efi_systab_hi;
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 1b3967a9aef85898b7bf0ba16f724522d81c86f0 Mon Sep 17 00:00:00 2001
|
||||
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:49:19 +0000
|
||||
Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
|
||||
Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been
|
||||
set
|
||||
|
||||
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
|
||||
@ -35,5 +35,5 @@ index 9f48f4412297..7da87007c202 100644
|
||||
if (flags != (flags & KEXEC_FILE_FLAGS))
|
||||
return -EINVAL;
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 0dcdb925193cdf62471a8eceae7a8d33f064d5fb Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
|
||||
Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down
|
||||
|
||||
There is currently no way to verify the resume image when returning
|
||||
from hibernate. This might compromise the signed modules trust model,
|
||||
@ -28,5 +28,5 @@ index e1914c7b85b1..7859ba79e181 100644
|
||||
|
||||
/**
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 8caca6fe945e6f67526b45ad1ef401e36bb34f73 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@srcf.ucam.org>
|
||||
Date: Wed, 23 Nov 2016 13:28:17 +0000
|
||||
Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
|
||||
Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down
|
||||
|
||||
uswsusp allows a user process to dump and then restore kernel state, which
|
||||
makes it possible to modify the running kernel. Disable this if the kernel
|
||||
@ -28,5 +28,5 @@ index 22df9f7ff672..e4b926d329b7 100644
|
||||
|
||||
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 36512d31a0a50c9be471f719ef91f9f0788d2b4f Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
|
||||
Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked
|
||||
down
|
||||
|
||||
Any hardware that can potentially generate DMA has to be locked down in
|
||||
@ -99,5 +99,5 @@ index 9bf993e1f71e..c09524738ceb 100644
|
||||
|
||||
dev = pci_get_bus_and_slot(bus, dfn);
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 08d7db127c47a2f5563db63894c533f2826195ac Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
|
||||
Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked
|
||||
down
|
||||
|
||||
IO port access would permit users to gain access to PCI configuration
|
||||
@ -55,5 +55,5 @@ index ba68add9677f..5e2a260fb89f 100644
|
||||
}
|
||||
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From b9860ec9018c67336aab681e18b0ebdd20a7ba32 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:17 +0000
|
||||
Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
|
||||
Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down
|
||||
|
||||
Writing to MSRs should not be allowed if the kernel is locked down, since
|
||||
it could lead to execution of arbitrary code in kernel mode. Based on a
|
||||
@ -40,5 +40,5 @@ index ef688804f80d..fbcce028e502 100644
|
||||
err = -EFAULT;
|
||||
break;
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From f25d9d9652b00f37f7b92642cc48b268b683ac9e Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
|
||||
Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is
|
||||
locked down
|
||||
|
||||
We have no way of validating what all of the Asus WMI methods do on a given
|
||||
@ -51,5 +51,5 @@ index 709e3a67391a..2d8db47698b2 100644
|
||||
1, asus->debug.method_id,
|
||||
&input, &output);
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 23845c3c7ae804a97934d32381db5c564de27ce9 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
|
||||
Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is
|
||||
locked down
|
||||
|
||||
custom_method effectively allows arbitrary access to system memory, making
|
||||
@ -29,5 +29,5 @@ index c68e72414a67..e4d721c330c0 100644
|
||||
/* parse the table header to get the table length */
|
||||
if (count <= sizeof(struct acpi_table_header))
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From d6c8e80e0e35ed883094e60cdeaf63cbecc8cfff Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
|
||||
Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has
|
||||
been locked down
|
||||
|
||||
This option allows userspace to pass the RSDP address to the kernel, which
|
||||
@ -28,5 +28,5 @@ index db78d353bab1..d4d4ba348451 100644
|
||||
#endif
|
||||
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From ab3d740ef513f539d373f7dcbe7578f562380092 Mon Sep 17 00:00:00 2001
|
||||
From: Linn Crosetto <linn@hpe.com>
|
||||
Date: Wed, 23 Nov 2016 13:32:27 +0000
|
||||
Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
|
||||
Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is
|
||||
locked down
|
||||
|
||||
From the kernel documentation (initrd_table_override.txt):
|
||||
@ -37,5 +37,5 @@ index ff425390bfa8..c72bfa97888a 100644
|
||||
memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
|
||||
all_tables_size, PAGE_SIZE);
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From a567ee9cbbd0748d4e5cd15d8f9d8b683929adc8 Mon Sep 17 00:00:00 2001
|
||||
From: Linn Crosetto <linn@hpe.com>
|
||||
Date: Wed, 23 Nov 2016 13:39:41 +0000
|
||||
Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
|
||||
Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is
|
||||
locked down
|
||||
|
||||
ACPI provides an error injection mechanism, EINJ, for debugging and testing
|
||||
@ -40,5 +40,5 @@ index ec50c32ea3da..e082718d01c2 100644
|
||||
if (flags && (flags &
|
||||
~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From b35ffb0b950ab4bf184ba257e9595c7ef3a10a05 Mon Sep 17 00:00:00 2001
|
||||
From: "Lee, Chun-Yi" <jlee@suse.com>
|
||||
Date: Wed, 23 Nov 2016 13:52:16 +0000
|
||||
Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
|
||||
Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the
|
||||
kernel is locked down
|
||||
|
||||
There are some bpf functions can be used to read kernel memory:
|
||||
@ -53,5 +53,5 @@ index dc498b605d5d..fb240222b89b 100644
|
||||
for (i = 0; i < fmt_size; i++) {
|
||||
if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From c0ea02ed8cea11aece036c99d09272f93b1d07e0 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 10:10:34 +0000
|
||||
Subject: [PATCH 20/24] scsi: Lock down the eata driver
|
||||
Subject: [PATCH 20/25] scsi: Lock down the eata driver
|
||||
|
||||
When the kernel is running in secure boot mode, we lock down the kernel to
|
||||
prevent userspace from modifying the running kernel image. Whilst this
|
||||
@ -43,5 +43,5 @@ index 227dd2c2ec2f..5c036d10c18b 100644
|
||||
#if defined(MODULE)
|
||||
/* io_port could have been modified when loading as a module */
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 07ed21cac5d6e65ae0ba686455007c7dd43942c4 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 25 Nov 2016 14:37:45 +0000
|
||||
Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
|
||||
Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked
|
||||
down
|
||||
|
||||
Prohibit replacement of the PCMCIA Card Information Structure when the
|
||||
@ -29,5 +29,5 @@ index 55ef7d1fd8da..193e4f7b73b1 100644
|
||||
|
||||
if (off)
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From f7452e58686ef325e666deb63510f193fef718e1 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Wed, 7 Dec 2016 10:28:39 +0000
|
||||
Subject: [PATCH 22/24] Lock down TIOCSSERIAL
|
||||
Subject: [PATCH 22/25] Lock down TIOCSSERIAL
|
||||
|
||||
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
|
||||
settings on a serial port. This only appears to be an issue for the serial
|
||||
@ -32,5 +32,5 @@ index f534a40aebde..e32c0179f423 100644
|
||||
retval = -EPERM;
|
||||
if (change_irq || change_port ||
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From d0d433798e20cc9e29d091d0f55aa7e987d000e1 Mon Sep 17 00:00:00 2001
|
||||
From: Vito Caputo <vito.caputo@coreos.com>
|
||||
Date: Wed, 25 Nov 2015 02:59:45 -0800
|
||||
Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
|
||||
This enables relocating source and build trees to different roots,
|
||||
provided they stay reachable relative to one another. Useful for
|
||||
@ -26,5 +26,5 @@ index 0f31ef4aea7b..9456c4def17f 100644
|
||||
|
||||
# Leave processing to above invocation of make
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From fe4ad5f7bc5dd42ae943d8eb431a0307a60b839f Mon Sep 17 00:00:00 2001
|
||||
From: Geoff Levand <geoff@infradead.org>
|
||||
Date: Fri, 11 Nov 2016 17:28:52 -0800
|
||||
Subject: [PATCH 24/24] Add arm64 coreos verity hash
|
||||
Subject: [PATCH 24/25] Add arm64 coreos verity hash
|
||||
|
||||
Signed-off-by: Geoff Levand <geoff@infradead.org>
|
||||
---
|
||||
@ -25,5 +25,5 @@ index 613fc3000677..fdaf86c78332 100644
|
||||
/*
|
||||
* The debug table is referenced via its Relative Virtual Address (RVA),
|
||||
--
|
||||
2.14.1
|
||||
2.13.5
|
||||
|
||||
|
||||
@ -0,0 +1,60 @@
|
||||
From d08d44a08c8d3a9a60e415b155401f2f03661b6e Mon Sep 17 00:00:00 2001
|
||||
From: Xin Long <lucien.xin@gmail.com>
|
||||
Date: Sun, 27 Aug 2017 20:25:26 +0800
|
||||
Subject: [PATCH 25/25] scsi: fix the issue that iscsi_if_rx doesn't parse
|
||||
nlmsg properly
|
||||
|
||||
ChunYu found a kernel crash by syzkaller:
|
||||
|
||||
[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
|
||||
[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
|
||||
[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
|
||||
[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
|
||||
[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
|
||||
[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
|
||||
[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
|
||||
[...]
|
||||
[ 651.627260] Call Trace:
|
||||
[ 651.629156] skb_release_all+0x4f/0x60
|
||||
[ 651.629450] consume_skb+0x1a5/0x600
|
||||
[ 651.630705] netlink_unicast+0x505/0x720
|
||||
[ 651.632345] netlink_sendmsg+0xab2/0xe70
|
||||
[ 651.633704] sock_sendmsg+0xcf/0x110
|
||||
[ 651.633942] ___sys_sendmsg+0x833/0x980
|
||||
[ 651.637117] __sys_sendmsg+0xf3/0x240
|
||||
[ 651.638820] SyS_sendmsg+0x32/0x50
|
||||
[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
|
||||
|
||||
It's caused by skb_shared_info at the end of sk_buff was overwritten by
|
||||
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
|
||||
|
||||
During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
|
||||
ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
|
||||
new value to skb_shinfo(SKB)->nr_frags by ev->type.
|
||||
|
||||
This patch is to fix it by checking nlh->nlmsg_len properly there to
|
||||
avoid over accessing sk_buff.
|
||||
|
||||
Reported-by: ChunYu Wang <chunwang@redhat.com>
|
||||
Signed-off-by: Xin Long <lucien.xin@gmail.com>
|
||||
Acked-by: Chris Leech <cleech@redhat.com>
|
||||
---
|
||||
drivers/scsi/scsi_transport_iscsi.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
|
||||
index a424eaeafeb0..c55c6f3147ae 100644
|
||||
--- a/drivers/scsi/scsi_transport_iscsi.c
|
||||
+++ b/drivers/scsi/scsi_transport_iscsi.c
|
||||
@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
|
||||
uint32_t group;
|
||||
|
||||
nlh = nlmsg_hdr(skb);
|
||||
- if (nlh->nlmsg_len < sizeof(*nlh) ||
|
||||
+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
|
||||
skb->len < nlh->nlmsg_len) {
|
||||
break;
|
||||
}
|
||||
--
|
||||
2.13.5
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user