mirror of
https://github.com/flatcar/scripts.git
synced 2025-08-22 06:51:26 +02:00
Merge pull request #2825 from coreosbot/master-4.13.7
Upgrade Linux in master to 4.13.7
This commit is contained in:
David Michael
GitHub
commit
ae40329c2f
@ -1,2 +1,2 @@
|
||||
DIST linux-4.13.tar.xz 100579888 SHA256 2db3d6066c3ad93eb25b973a3d2951e022a7e975ee2fa7cbe5bddf84d9a49a2c SHA512 a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2 WHIRLPOOL d3d332e02cd3c5056c76c28cf1f81504c6f7b8f2caed7238e7dd7866747fb03154b88d8d7aec4d0eddf5760624bc7d6c5485fb52a3e32d098a2742eba96c0d05
|
||||
DIST patch-4.13.6.xz 165096 SHA256 12d897b7f547c7d03a81be690b3dc0e0e5b9becfbd63e3dbf9f7258db861ddfb SHA512 40e111f3969b622f982bfb75f8c35aa59d9989a627a4511d8e0090b0c7bbcafcc90567434f5166ef2d17831f0beddb52762107e523414523e1877f67f66ca3f7 WHIRLPOOL 84ffb5f228a46d5551de04e8dcb8fda2ed72b40f0306198c909036610f58f6d5e6299d71bcd08e235f3c34fbfffb5d6dae805aaaa2dbef220ae94ef844a6890b
|
||||
DIST patch-4.13.7.xz 165784 SHA256 0fe89c96e956efbded576214eef0c8e43cabe41dfca245e3ebb79fff9bc8715d SHA512 4d96c655ca4c720b872e1a88ba9989a419880cb5fec2a4a9190077588066f205c5dce2591a76f26375f6f50001334ceb7631d489d3b24ca443d10e1e6879ed54 WHIRLPOOL fb192f3acb9d3a249a2ecaf6b7d6c6eca0ac684c17c01226ed1ca69f5aafefa782aeb80000bfae5753672e2d8bb93b07377e8d1c0ca66b5dbdb1332d77ae38a9
|
||||
|
||||
@ -55,5 +55,4 @@ UNIPATCH_LIST="
|
||||
${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
|
||||
${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
|
||||
${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
|
||||
${PATCH_DIR}/z0025-waitid-Add-missing-access_ok-checks.patch \
|
||||
"
|
||||
@ -1,7 +1,7 @@
|
||||
From 0ca587d266c2a08314e7e5026f4db17b2587aaae Mon Sep 17 00:00:00 2001
|
||||
From e03ef102d0cabd798b0784330e5c063e406ba69f Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 21 Nov 2016 23:55:55 +0000
|
||||
Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit
|
||||
Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
|
||||
|
||||
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
|
||||
that can be passed to efi_enabled() to find out whether secure boot is
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 9488dfe7dd6c558cbf39b358b6e26c58ec728f79 Mon Sep 17 00:00:00 2001
|
||||
From 36cf82213ee6353307254117689a7ed8bd0b390c Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 23:36:17 +0000
|
||||
Subject: [PATCH 02/25] Add the ability to lock down access to the running
|
||||
Subject: [PATCH 02/24] Add the ability to lock down access to the running
|
||||
kernel image
|
||||
|
||||
Provide a single call to allow kernel code to determine whether the system
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From d2ad9ef2777a166bf439681a6e1feb9bed15ba77 Mon Sep 17 00:00:00 2001
|
||||
From 41c69b650459b3c6493af84133a97f85218218ec Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 23:55:55 +0000
|
||||
Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode
|
||||
Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
|
||||
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
||||
only load signed bootloaders and kernels. Certain use cases may also
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 1f144b1dcd97473d15e939518257f05df63f25de Mon Sep 17 00:00:00 2001
|
||||
From 21703e9af75dd9c17303e3e7e8ccc54dc409fd5f Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Wed, 23 Nov 2016 13:22:22 +0000
|
||||
Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down
|
||||
Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
|
||||
|
||||
If the kernel is locked down, require that all modules have valid
|
||||
signatures that we can verify.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From ec132d88b99550cf6bd04d4b38a660e350c93648 Mon Sep 17 00:00:00 2001
|
||||
From adfa60bbc2f70b8e3af62ff2119cf335e1097a11 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is
|
||||
Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
|
||||
locked down
|
||||
|
||||
Allowing users to write to address space makes it possible for the kernel to
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 569b20893b215e18e6bd7ac866a6e768c3d6fd8d Mon Sep 17 00:00:00 2001
|
||||
From 46a1082586962eb5b323de33038f83f3cb099f14 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down
|
||||
Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
|
||||
|
||||
kexec permits the loading and execution of arbitrary code in ring 0, which
|
||||
is something that lock-down is meant to prevent. It makes sense to disable
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From ab96910a663a80ec3f8121ca6d6606678a2af6a7 Mon Sep 17 00:00:00 2001
|
||||
From b79bed540e03d94c967726ed154adaaa9a853959 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Young <dyoung@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec
|
||||
Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
|
||||
reboot
|
||||
|
||||
Kexec reboot in case secure boot being enabled does not keep the secure
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From e81bd7b2b8cf468648817b1495d11ea12cc17b61 Mon Sep 17 00:00:00 2001
|
||||
From 507952ee036f02987f83d4b7385be9b5dfa34d7c Mon Sep 17 00:00:00 2001
|
||||
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:49:19 +0000
|
||||
Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been
|
||||
Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
|
||||
set
|
||||
|
||||
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From b104d0504ff5cd4f2bc55dfe50c7c7758016b50b Mon Sep 17 00:00:00 2001
|
||||
From 5c5ad91fce7da054aa83761f72601e1d56a28660 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down
|
||||
Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
|
||||
|
||||
There is currently no way to verify the resume image when returning
|
||||
from hibernate. This might compromise the signed modules trust model,
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From f2d13ff04ffccd9da300c704c47e4df944f88167 Mon Sep 17 00:00:00 2001
|
||||
From ca6b230412ab3e8546149b597cf44b767bb827c4 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@srcf.ucam.org>
|
||||
Date: Wed, 23 Nov 2016 13:28:17 +0000
|
||||
Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down
|
||||
Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
|
||||
|
||||
uswsusp allows a user process to dump and then restore kernel state, which
|
||||
makes it possible to modify the running kernel. Disable this if the kernel
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From e3efec13deba479e22e02b51222868fb1ffdfb17 Mon Sep 17 00:00:00 2001
|
||||
From 431e44d46f884a411cefa7c4120d26fe738e018a Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked
|
||||
Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
|
||||
down
|
||||
|
||||
Any hardware that can potentially generate DMA has to be locked down in
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 8cf28062fa8fe09449f2a08fc653f8b67eeb6b23 Mon Sep 17 00:00:00 2001
|
||||
From 438b2fa68262a24e41e928a066a91c3b8cc732ea Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked
|
||||
Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
|
||||
down
|
||||
|
||||
IO port access would permit users to gain access to PCI configuration
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From aceb992e68395597c9e158db6fac1104cc8481bd Mon Sep 17 00:00:00 2001
|
||||
From 9e25efe48f3ebba5f8ae29edbac3bdd686a2e29c Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:17 +0000
|
||||
Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down
|
||||
Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
|
||||
|
||||
Writing to MSRs should not be allowed if the kernel is locked down, since
|
||||
it could lead to execution of arbitrary code in kernel mode. Based on a
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From cbf465826c9e7a903640c77abd259df18ca98525 Mon Sep 17 00:00:00 2001
|
||||
From 3711ab05c1fa894323f6ba6cf8d6ed941b71e6dd Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is
|
||||
Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
|
||||
locked down
|
||||
|
||||
We have no way of validating what all of the Asus WMI methods do on a given
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 66efb15a02ff6e631461b419b6534fbf065baa4a Mon Sep 17 00:00:00 2001
|
||||
From 9270c8dd98aac0c126bd4de8b043f7b640538158 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is
|
||||
Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
|
||||
locked down
|
||||
|
||||
custom_method effectively allows arbitrary access to system memory, making
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From ff8247261c2e520d2d86c9b1c49d6a3add0f787e Mon Sep 17 00:00:00 2001
|
||||
From 32938322a86727368913c229e651f2bc9ea232ca Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has
|
||||
Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
|
||||
been locked down
|
||||
|
||||
This option allows userspace to pass the RSDP address to the kernel, which
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 0e0436f160dc5e72da06475f47cf0f3d3eb825c2 Mon Sep 17 00:00:00 2001
|
||||
From d5daa6edc6e51072dc797b81051360b478fb5265 Mon Sep 17 00:00:00 2001
|
||||
From: Linn Crosetto <linn@hpe.com>
|
||||
Date: Wed, 23 Nov 2016 13:32:27 +0000
|
||||
Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is
|
||||
Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
|
||||
locked down
|
||||
|
||||
From the kernel documentation (initrd_table_override.txt):
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 76da8791076ba432067fe7d079ca49e0c9db7bf4 Mon Sep 17 00:00:00 2001
|
||||
From 1489fcf49abbef75b55b57b0ccbedf6fe04540c7 Mon Sep 17 00:00:00 2001
|
||||
From: Linn Crosetto <linn@hpe.com>
|
||||
Date: Wed, 23 Nov 2016 13:39:41 +0000
|
||||
Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is
|
||||
Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
|
||||
locked down
|
||||
|
||||
ACPI provides an error injection mechanism, EINJ, for debugging and testing
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 48cf308a15eb59f0ab3d7f1ca07633888008dd83 Mon Sep 17 00:00:00 2001
|
||||
From d0108763f62a685f8be631809b0930ada06e11d5 Mon Sep 17 00:00:00 2001
|
||||
From: "Lee, Chun-Yi" <jlee@suse.com>
|
||||
Date: Wed, 23 Nov 2016 13:52:16 +0000
|
||||
Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the
|
||||
Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
|
||||
kernel is locked down
|
||||
|
||||
There are some bpf functions can be used to read kernel memory:
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From f65f1cb103ada3d4df63e90259b8087218211385 Mon Sep 17 00:00:00 2001
|
||||
From d7ddac19599ea83cdd96fa49b5c63cacd5a48246 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 10:10:34 +0000
|
||||
Subject: [PATCH 20/25] scsi: Lock down the eata driver
|
||||
Subject: [PATCH 20/24] scsi: Lock down the eata driver
|
||||
|
||||
When the kernel is running in secure boot mode, we lock down the kernel to
|
||||
prevent userspace from modifying the running kernel image. Whilst this
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 7dbf7ac8f7767b2553126a6a4d99ef5d089b7ac2 Mon Sep 17 00:00:00 2001
|
||||
From 756c195d5ae03785c244ab97f69882a1e505a878 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 25 Nov 2016 14:37:45 +0000
|
||||
Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked
|
||||
Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
|
||||
down
|
||||
|
||||
Prohibit replacement of the PCMCIA Card Information Structure when the
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From d2242c4df8c05d84c7d598603b04733da930bcd3 Mon Sep 17 00:00:00 2001
|
||||
From 156c8ff989e16ed6ba8b87455f09397a09e06c63 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Wed, 7 Dec 2016 10:28:39 +0000
|
||||
Subject: [PATCH 22/25] Lock down TIOCSSERIAL
|
||||
Subject: [PATCH 22/24] Lock down TIOCSSERIAL
|
||||
|
||||
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
|
||||
settings on a serial port. This only appears to be an issue for the serial
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 8239e8a3c6a9679b4b84c60e7914fe2cb6cd9f29 Mon Sep 17 00:00:00 2001
|
||||
From 1a7f0516d79117e7e8fdf5fd4ad98cd8e33abf21 Mon Sep 17 00:00:00 2001
|
||||
From: Vito Caputo <vito.caputo@coreos.com>
|
||||
Date: Wed, 25 Nov 2015 02:59:45 -0800
|
||||
Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
|
||||
This enables relocating source and build trees to different roots,
|
||||
provided they stay reachable relative to one another. Useful for
|
||||
@ -12,7 +12,7 @@ by some undesirable path component.
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 9e1af1af327b..cff814738d5e 100644
|
||||
index 0d4f1b19869d..11ab2b77f732 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -142,7 +142,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 569a5db0554a7e94aa37775be1d171b5814f03f1 Mon Sep 17 00:00:00 2001
|
||||
From 2c1a9a33846f068c75958b33bbba00a76862223a Mon Sep 17 00:00:00 2001
|
||||
From: Geoff Levand <geoff@infradead.org>
|
||||
Date: Fri, 11 Nov 2016 17:28:52 -0800
|
||||
Subject: [PATCH 24/25] Add arm64 coreos verity hash
|
||||
Subject: [PATCH 24/24] Add arm64 coreos verity hash
|
||||
|
||||
Signed-off-by: Geoff Levand <geoff@infradead.org>
|
||||
---
|
||||
|
||||
@ -1,43 +0,0 @@
|
||||
From 4e6fc257193a1d56eedc55e040d6e5c158cdaceb Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Mon, 9 Oct 2017 11:36:52 -0700
|
||||
Subject: [PATCH 25/25] waitid(): Add missing access_ok() checks
|
||||
|
||||
Adds missing access_ok() checks.
|
||||
|
||||
CVE-2017-5123
|
||||
|
||||
Reported-by: Chris Salls <chrissalls5@gmail.com>
|
||||
Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
---
|
||||
kernel/exit.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/kernel/exit.c b/kernel/exit.c
|
||||
index 6d31fc5ba50d..135b36985f8a 100644
|
||||
--- a/kernel/exit.c
|
||||
+++ b/kernel/exit.c
|
||||
@@ -1611,6 +1611,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
|
||||
if (!infop)
|
||||
return err;
|
||||
|
||||
+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
|
||||
+ goto Efault;
|
||||
+
|
||||
user_access_begin();
|
||||
unsafe_put_user(signo, &infop->si_signo, Efault);
|
||||
unsafe_put_user(0, &infop->si_errno, Efault);
|
||||
@@ -1736,6 +1739,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
|
||||
if (!infop)
|
||||
return err;
|
||||
|
||||
+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
|
||||
+ goto Efault;
|
||||
+
|
||||
user_access_begin();
|
||||
unsafe_put_user(signo, &infop->si_signo, Efault);
|
||||
unsafe_put_user(0, &infop->si_errno, Efault);
|
||||
--
|
||||
2.14.1
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user