mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-22 06:51:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

sys-kernel/coreos-sources: bump to 4.12.7

Browse Source
This commit is contained in:
Benjamin Gilbert 2017-08-14 13:57:33 -07:00
parent 3fd6aa7ed1
commit c2dadca24c
30 changed files with 106 additions and 245 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.6.ebuild → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.7.ebuild vendored
View File

0
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.6.ebuild → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.7.ebuild vendored
View File

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest vendored
View File

@ -1,2 +1,2 @@
DIST linux-4.12.tar.xz 99186576 SHA256 a45c3becd4d08ce411c14628a949d08e2433d8cdeca92036c7013980e93858ab SHA512 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728 WHIRLPOOL 3b97da251c2ba4ace4a27b708f2b1dcf94cb1b59aaeded6acb74bd98f0d3e33f1df83670665e4186d99a55daa84c88d539d93e20f0ff18a6d46ef326c48dd375
DIST patch-4.12.6.xz 139284 SHA256 60938af0f95ae794f879294f2393c48077c01bdba851e80b085fdc0418eeca44 SHA512 78d480b3ad51028c129b1e3d63e3179f754bc8ab9987aa8e5815b105c8cb270c88673babee4124431861f769bc6f42c848391b065f7a3e02bec9b6a5290e2836 WHIRLPOOL 7fc728e35dbb5f64fa4328abb99d55e3c449e3e09ba9963475595914f2f575e153e29451364935569bf7a2109b66da0f54976b0853c828941dbd293fa392299e
DIST patch-4.12.7.xz 144316 SHA256 fe0a0b7c071978839f4b941d655df93e3c0e60bd3e49237f7e7a8635cb38ff8e SHA512 22d6b937796298e9bb83d216b5cfa8b6910c8efe7bf5c4628c5fac42f73f916a5ba29b519fed1007542faa033c39d34175961731dfae88cd36c29fc6177fddcf WHIRLPOOL 11864cd062a84ca50e0783617304253082dc196371a2af51a143f44221e120460e2a65bf77dc463a19b2ac081cedfa0e315137ce8dc2db7fc88e9b21f3b0275b

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.6.ebuild → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.7.ebuild vendored
View File

@ -44,6 +44,4 @@ UNIPATCH_LIST="
${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
${PATCH_DIR}/z0025-udp-consistently-apply-ufo-or-fragmentation.patch \
${PATCH_DIR}/z0026-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch \
"

10
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch vendored
View File

@ -1,7 +1,7 @@
From c151f946444d3dcfb7f8cfdc4870df3a15f42df5 Mon Sep 17 00:00:00 2001
From 5399a52c0ee144f7a15307131b25b005341f9bb6 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Mon, 21 Nov 2016 23:55:55 +0000
Subject: [PATCH 01/26] efi: Add EFI_SECURE_BOOT bit
Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
that can be passed to efi_enabled() to find out whether secure boot is
@ -18,7 +18,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
2 files changed, 2 insertions(+)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 36646f1..87ef54e 100644
index 36646f19d40b..87ef54e64842 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1190,6 +1190,7 @@ void __init setup_arch(char **cmdline_p)
@ -30,7 +30,7 @@ index 36646f1..87ef54e 100644
break;
default:
diff --git a/include/linux/efi.h b/include/linux/efi.h
index ec36f42..381b3f6 100644
index ec36f42a2add..381b3f6670d3 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);
@ -42,5 +42,5 @@ index ec36f42..381b3f6 100644
#ifdef CONFIG_EFI
/*
--
2.10.2
2.13.4

16
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch vendored
View File

@ -1,7 +1,7 @@
From ea6016c096ff9456eb6091fc576ec9e9231f4178 Mon Sep 17 00:00:00 2001
From b44f162401351534bb7914ca4efc0bd2e4eadf2e Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Mon, 21 Nov 2016 23:36:17 +0000
Subject: [PATCH 02/26] Add the ability to lock down access to the running
Subject: [PATCH 02/24] Add the ability to lock down access to the running
kernel image
Provide a single call to allow kernel code to determine whether the system
@ -21,7 +21,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
create mode 100644 security/lock_down.c
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 13bc08a..282a168 100644
index 13bc08aba704..282a1684d6e8 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -276,6 +276,15 @@ extern int oops_may_print(void);
@ -41,7 +41,7 @@ index 13bc08a..282a168 100644
int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
int __must_check _kstrtol(const char *s, unsigned int base, long *res);
diff --git a/include/linux/security.h b/include/linux/security.h
index af675b5..68bab18 100644
index af675b576645..68bab18ddd57 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata)
@ -62,7 +62,7 @@ index af675b5..68bab18 100644
#endif /* ! __LINUX_SECURITY_H */
diff --git a/security/Kconfig b/security/Kconfig
index 93027fd..4baac4a 100644
index 93027fdf47d1..4baac4aab277 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -189,6 +189,21 @@ config STATIC_USERMODEHELPER_PATH
@ -88,7 +88,7 @@ index 93027fd..4baac4a 100644
source security/smack/Kconfig
source security/tomoyo/Kconfig
diff --git a/security/Makefile b/security/Makefile
index f2d71cd..8c4a43e 100644
index f2d71cdb8e19..8c4a43e3d4e0 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
@ -100,7 +100,7 @@ index f2d71cd..8c4a43e 100644
+obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o
diff --git a/security/lock_down.c b/security/lock_down.c
new file mode 100644
index 0000000..5788c60
index 000000000000..5788c60ff4e1
--- /dev/null
+++ b/security/lock_down.c
@@ -0,0 +1,40 @@
@ -145,5 +145,5 @@ index 0000000..5788c60
+}
+EXPORT_SYMBOL(kernel_is_locked_down);
--
2.10.2
2.13.4

10
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch vendored
View File

@ -1,7 +1,7 @@
From e67684f7e503057ad9009e97598e6676306d010e Mon Sep 17 00:00:00 2001
From fb4e29f6ef6927590b788b802b8a3b4ddeb4442d Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Mon, 21 Nov 2016 23:55:55 +0000
Subject: [PATCH 03/26] efi: Lock down the kernel if booted in secure boot mode
Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
@ -16,7 +16,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 0efb4c9..4d1c53b 100644
index 0efb4c9497bc..4d1c53bb8411 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1827,6 +1827,18 @@ config EFI_MIXED
@ -39,7 +39,7 @@ index 0efb4c9..4d1c53b 100644
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 87ef54e..4c4d758 100644
index 87ef54e64842..4c4d758d4be1 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -69,6 +69,7 @@
@ -65,5 +65,5 @@ index 87ef54e..4c4d758 100644
default:
pr_info("Secure boot could not be determined\n");
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch vendored
View File

@ -1,7 +1,7 @@
From be50c7445109a745324a5cceb1da9af2c19a311e Mon Sep 17 00:00:00 2001
From 1642935f9d310e474266ede79ee53ed2f3812f36 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 23 Nov 2016 13:22:22 +0000
Subject: [PATCH 04/26] Enforce module signatures if the kernel is locked down
Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
If the kernel is locked down, require that all modules have valid
signatures that we can verify.
@ -12,7 +12,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/module.c b/kernel/module.c
index 4a3665f..3f1de34 100644
index 4a3665f8f837..3f1de34c6d10 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2777,7 +2777,7 @@ static int module_sig_check(struct load_info *info, int flags)
@ -25,5 +25,5 @@ index 4a3665f..3f1de34 100644
return err;
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch vendored
View File

@ -1,7 +1,7 @@
From 102327107d69a66d415f2b87a1ec381659209e1c Mon Sep 17 00:00:00 2001
From 1edaa110730f45ba745ba5c1d7f4dee3f216c055 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 05/26] Restrict /dev/mem and /dev/kmem when the kernel is
Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
locked down
Allowing users to write to address space makes it possible for the kernel to
@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 6 insertions(+)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 593a881..ba68add 100644
index 593a8818aca9..ba68add9677f 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@ -39,5 +39,5 @@ index 593a881..ba68add 100644
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch vendored
View File

@ -1,7 +1,7 @@
From 3f2e52c7b93e8d5b3edfa6439e4519d66602f247 Mon Sep 17 00:00:00 2001
From c789e8f60cfc490ba89519a5fc3d7dec1272c909 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 06/26] kexec: Disable at runtime if the kernel is locked down
Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that lock-down is meant to prevent. It makes sense to disable
@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 7 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 980936a..46de8e6 100644
index 980936a90ee6..46de8e6b42f4 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
@ -35,5 +35,5 @@ index 980936a..46de8e6 100644
* This leaves us room for future extensions.
*/
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch vendored
View File

@ -1,7 +1,7 @@
From 572dfe80789fccbe8b94461bfceabacb40852e07 Mon Sep 17 00:00:00 2001
From d85876dd641ec9fea002ddf0426f08cee13ae5ed Mon Sep 17 00:00:00 2001
From: Dave Young <dyoung@redhat.com>
Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 07/26] Copy secure_boot flag in boot params across kexec
Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
reboot
Kexec reboot in case secure boot being enabled does not keep the secure
@ -22,7 +22,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 1 insertion(+)
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 9d7fd5e..7e6f00a 100644
index 9d7fd5e6689a..7e6f00ae8322 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
@ -34,5 +34,5 @@ index 9d7fd5e..7e6f00a 100644
ei->efi_systab = current_ei->efi_systab;
ei->efi_systab_hi = current_ei->efi_systab_hi;
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch vendored
View File

@ -1,7 +1,7 @@
From f8779b5166b0ba1efe85923913ebfc6c179be953 Mon Sep 17 00:00:00 2001
From 22e71ee96f7221f6c1cc863655adbcd46d8ec0cd Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Wed, 23 Nov 2016 13:49:19 +0000
Subject: [PATCH 08/26] kexec_file: Disable at runtime if securelevel has been
Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
set
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
@ -18,7 +18,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 6 insertions(+)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735..f6937ee 100644
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
@ -35,5 +35,5 @@ index b118735..f6937ee 100644
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch vendored
View File

@ -1,7 +1,7 @@
From 0cdbcc1e92c0f61b0e70d414cbee882e591eabe1 Mon Sep 17 00:00:00 2001
From ccc595e605c37108cd97f23cab2836011a47fe4b Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 09/26] hibernate: Disable when the kernel is locked down
Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index a8b978c..50cca5d 100644
index a8b978c35a6a..50cca5dcb62f 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
@ -28,5 +28,5 @@ index a8b978c..50cca5d 100644
/**
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch vendored
View File

@ -1,7 +1,7 @@
From e24f1a7b1c6cbf19fe62b769b1ad1953e90774b7 Mon Sep 17 00:00:00 2001
From becbe9882ae9da6eaabddf7bc07f4e5ad8600e60 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Wed, 23 Nov 2016 13:28:17 +0000
Subject: [PATCH 10/26] uswsusp: Disable when the kernel is locked down
Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel
@ -14,7 +14,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 3 insertions(+)
diff --git a/kernel/power/user.c b/kernel/power/user.c
index 22df9f7..e4b926d 100644
index 22df9f7ff672..e4b926d329b7 100644
--- a/kernel/power/user.c
+++ b/kernel/power/user.c
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
@ -28,5 +28,5 @@ index 22df9f7..e4b926d 100644
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
--
2.10.2
2.13.4

12
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch vendored
View File

@ -1,7 +1,7 @@
From 888408b5e10a8c86d04a1eba78f3e6de8559ff7f Mon Sep 17 00:00:00 2001
From 0d542e53695f58cf5368a0c0441a50429574b7bf Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:15 +0000
Subject: [PATCH 11/26] PCI: Lock down BAR access when the kernel is locked
Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
down
Any hardware that can potentially generate DMA has to be locked down in
@ -19,7 +19,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 31e9961..5595560 100644
index 31e99613a12e..559556047d66 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -754,6 +754,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
@ -53,7 +53,7 @@ index 31e9961..5595560 100644
}
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index 098360d..ef16fcc 100644
index 098360d7ff81..ef16fccb1923 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
@ -86,7 +86,7 @@ index 098360d..ef16fcc 100644
if (fpriv->mmap_state == pci_mmap_io) {
diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
index 9bf993e..c095247 100644
index 9bf993e1f71e..c09524738ceb 100644
--- a/drivers/pci/syscall.c
+++ b/drivers/pci/syscall.c
@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
@ -99,5 +99,5 @@ index 9bf993e..c095247 100644
dev = pci_get_bus_and_slot(bus, dfn);
--
2.10.2
2.13.4

10
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch vendored
View File

@ -1,7 +1,7 @@
From 34f5006c012e4f072ca4d5739788f14cc8e77518 Mon Sep 17 00:00:00 2001
From 6b243c98630fb4291f610ad04c7176145b48faed Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 12/26] x86: Lock down IO port access when the kernel is locked
Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
down
IO port access would permit users to gain access to PCI configuration
@ -20,7 +20,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 9c3cf09..4a613fe 100644
index 9c3cf0944bce..4a613fed94b6 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
@ -42,7 +42,7 @@ index 9c3cf09..4a613fe 100644
}
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index ba68add..5e2a260 100644
index ba68add9677f..5e2a260fb89f 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
@ -55,5 +55,5 @@ index ba68add..5e2a260 100644
}
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch vendored
View File

@ -1,7 +1,7 @@
From 92da241449df225e6c5db92dcc5a416619060ef7 Mon Sep 17 00:00:00 2001
From fbbf9d01e58110cce3be4d5ebb5c5b43ccdeca01 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:17 +0000
Subject: [PATCH 13/26] x86: Restrict MSR access when the kernel is locked down
Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode. Based on a
@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 7 insertions(+)
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index ef68880..fbcce02 100644
index ef688804f80d..fbcce028e502 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
@ -40,5 +40,5 @@ index ef68880..fbcce02 100644
err = -EFAULT;
break;
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch vendored
View File

@ -1,7 +1,7 @@
From 4ae96184f96b41f805ea08eb944403f50896c7db Mon Sep 17 00:00:00 2001
From d6533f050c7cca6bcdfdc439d2e0ef98e260a78d Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 14/26] asus-wmi: Restrict debugfs interface when the kernel is
Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
locked down
We have no way of validating what all of the Asus WMI methods do on a given
@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 9 insertions(+)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index 6c7d860..57b82cb 100644
index 6c7d86074b38..57b82cbc9a6b 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data)
@ -51,5 +51,5 @@ index 6c7d860..57b82cb 100644
1, asus->debug.method_id,
&input, &output);
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch vendored
View File

@ -1,7 +1,7 @@
From 1f170f847c8637bf6aa53415a5ada4871fb99352 Mon Sep 17 00:00:00 2001
From 5a19ceeda4df04b37490a9cd79929d01598fcf2e Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 15/26] ACPI: Limit access to custom_method when the kernel is
Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
locked down
custom_method effectively allows arbitrary access to system memory, making
@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index c68e724..e4d721c 100644
index c68e72414a67..e4d721c330c0 100644
--- a/drivers/acpi/custom_method.c
+++ b/drivers/acpi/custom_method.c
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
@ -29,5 +29,5 @@ index c68e724..e4d721c 100644
/* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header))
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch vendored
View File

@ -1,7 +1,7 @@
From 55313fd4ce12323c6b5568e7bf78b260b99858da Mon Sep 17 00:00:00 2001
From 3e8654136365669cc91a2428e7d4930c91bafe11 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Tue, 22 Nov 2016 08:46:16 +0000
Subject: [PATCH 16/26] acpi: Ignore acpi_rsdp kernel param when the kernel has
Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
been locked down
This option allows userspace to pass the RSDP address to the kernel, which
@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index db78d35..d4d4ba3 100644
index db78d353bab1..d4d4ba348451 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
@ -28,5 +28,5 @@ index db78d35..d4d4ba3 100644
#endif
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch vendored
View File

@ -1,7 +1,7 @@
From 9d89af85b5aa6a3f4b2b5eed66523dad03a6aba0 Mon Sep 17 00:00:00 2001
From 03fbe544eae5e02f40418ae5789795e5bb1f48a5 Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com>
Date: Wed, 23 Nov 2016 13:32:27 +0000
Subject: [PATCH 17/26] acpi: Disable ACPI table override if the kernel is
Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
locked down
From the kernel documentation (initrd_table_override.txt):
@ -21,7 +21,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 5 insertions(+)
diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
index ff42539..c72bfa9 100644
index ff425390bfa8..c72bfa97888a 100644
--- a/drivers/acpi/tables.c
+++ b/drivers/acpi/tables.c
@@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void)
@ -37,5 +37,5 @@ index ff42539..c72bfa9 100644
memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
all_tables_size, PAGE_SIZE);
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch vendored
View File

@ -1,7 +1,7 @@
From 07487cd303209f3a99d7eb25e37fa09a4a2c2c73 Mon Sep 17 00:00:00 2001
From 493aaae45aca76a1dcad82a71baeef9a1875783d Mon Sep 17 00:00:00 2001
From: Linn Crosetto <linn@hpe.com>
Date: Wed, 23 Nov 2016 13:39:41 +0000
Subject: [PATCH 18/26] acpi: Disable APEI error injection if the kernel is
Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
locked down
ACPI provides an error injection mechanism, EINJ, for debugging and testing
@ -26,7 +26,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
index ec50c32..e082718 100644
index ec50c32ea3da..e082718d01c2 100644
--- a/drivers/acpi/apei/einj.c
+++ b/drivers/acpi/apei/einj.c
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
@ -40,5 +40,5 @@ index ec50c32..e082718 100644
if (flags && (flags &
~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch vendored
View File

@ -1,7 +1,7 @@
From c2f660328cd669d2f0d5a46d182f70ad01950009 Mon Sep 17 00:00:00 2001
From ce933ae1a94cf0ab432bdd919460c2cd125948f8 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Wed, 23 Nov 2016 13:52:16 +0000
Subject: [PATCH 19/26] bpf: Restrict kernel image access functions when the
Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
kernel is locked down
There are some bpf functions can be used to read kernel memory:
@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 11 insertions(+)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 460a031..58eb33d 100644
index 460a031c77e5..58eb33d5d6ae 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
@ -53,5 +53,5 @@ index 460a031..58eb33d 100644
for (i = 0; i < fmt_size; i++) {
if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch vendored
View File

@ -1,7 +1,7 @@
From c0fc636f2353986110221040b2793d6862314d3f Mon Sep 17 00:00:00 2001
From 06bce719f7b0001840a6881a19214852078e1007 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 22 Nov 2016 10:10:34 +0000
Subject: [PATCH 20/26] scsi: Lock down the eata driver
Subject: [PATCH 20/24] scsi: Lock down the eata driver
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
@ -24,7 +24,7 @@ cc: linux-scsi@vger.kernel.org
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
index 227dd2c..5c036d1 100644
index 227dd2c2ec2f..5c036d10c18b 100644
--- a/drivers/scsi/eata.c
+++ b/drivers/scsi/eata.c
@@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
@ -43,5 +43,5 @@ index 227dd2c..5c036d1 100644
#if defined(MODULE)
/* io_port could have been modified when loading as a module */
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch vendored
View File

@ -1,7 +1,7 @@
From fc5badf0296ae38b74c4d8a7a6e703c7e858d12f Mon Sep 17 00:00:00 2001
From 3c7e170559884cfc9f4bc92e038aa3676bfacca6 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 25 Nov 2016 14:37:45 +0000
Subject: [PATCH 21/26] Prohibit PCMCIA CIS storage when the kernel is locked
Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
down
Prohibit replacement of the PCMCIA Card Information Structure when the
@ -13,7 +13,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 5 insertions(+)
diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
index 55ef7d1..193e4f7 100644
index 55ef7d1fd8da..193e4f7b73b1 100644
--- a/drivers/pcmcia/cistpl.c
+++ b/drivers/pcmcia/cistpl.c
@@ -1578,6 +1578,11 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
@ -29,5 +29,5 @@ index 55ef7d1..193e4f7 100644
if (off)
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch vendored
View File

@ -1,7 +1,7 @@
From e70949285ce3c7db9d4a11227f1961a83610ec96 Mon Sep 17 00:00:00 2001
From 88ccec7a5ad506fe97a55fb11a1373d0744e6099 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 7 Dec 2016 10:28:39 +0000
Subject: [PATCH 22/26] Lock down TIOCSSERIAL
Subject: [PATCH 22/24] Lock down TIOCSSERIAL
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
settings on a serial port. This only appears to be an issue for the serial
@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 6 insertions(+)
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
index 13bfd5d..45fb768 100644
index 13bfd5dcffce..45fb7689bc1c 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
@ -32,5 +32,5 @@ index 13bfd5d..45fb768 100644
retval = -EPERM;
if (change_irq || change_port ||
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch vendored
View File

@ -1,7 +1,7 @@
From eff86357a5494081d560b73c007f6d89da350816 Mon Sep 17 00:00:00 2001
From 42f6fef780fe1b49724a9d289f0b195f4ccd48da Mon Sep 17 00:00:00 2001
From: Vito Caputo <vito.caputo@coreos.com>
Date: Wed, 25 Nov 2015 02:59:45 -0800
Subject: [PATCH 23/26] kbuild: derive relative path for KBUILD_SRC from CURDIR
Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
This enables relocating source and build trees to different roots,
provided they stay reachable relative to one another. Useful for
@ -12,7 +12,7 @@ by some undesirable path component.
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index c8d80b5..6bafb67 100644
index ebe69a704bca..5e290fd0f639 100644
--- a/Makefile
+++ b/Makefile
@@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
@ -26,5 +26,5 @@ index c8d80b5..6bafb67 100644
# Leave processing to above invocation of make
--
2.10.2
2.13.4

8
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch vendored
View File

@ -1,7 +1,7 @@
From 2b2a0f2afd2f05b3f8e9e61561ce176d881c384a Mon Sep 17 00:00:00 2001
From 4958cc96a215c001beb215b3eb9d28e5791bbaf7 Mon Sep 17 00:00:00 2001
From: Geoff Levand <geoff@infradead.org>
Date: Fri, 11 Nov 2016 17:28:52 -0800
Subject: [PATCH 24/26] Add arm64 coreos verity hash
Subject: [PATCH 24/24] Add arm64 coreos verity hash
Signed-off-by: Geoff Levand <geoff@infradead.org>
---
@ -9,7 +9,7 @@ Signed-off-by: Geoff Levand <geoff@infradead.org>
1 file changed, 5 insertions(+)
diff --git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S
index 613fc30..fdaf86c 100644
index 613fc3000677..fdaf86c78332 100644
--- a/arch/arm64/kernel/efi-header.S
+++ b/arch/arm64/kernel/efi-header.S
@@ -103,6 +103,11 @@ section_table:
@ -25,5 +25,5 @@ index 613fc30..fdaf86c 100644
/*
* The debug table is referenced via its Relative Virtual Address (RVA),
--
2.10.2
2.13.4

74
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-udp-consistently-apply-ufo-or-fragmentation.patch vendored
View File

@ -1,74 +0,0 @@
From c0e5883e09e5a226baadb06d790e5b20c3d3a547 Mon Sep 17 00:00:00 2001
From: Willem de Bruijn <willemb@google.com>
Date: Fri, 14 Jul 2017 10:19:00 -0700
Subject: [PATCH 25/26] udp: consistently apply ufo or fragmentation
When iteratively building a UDP datagram with MSG_MORE and that
datagram exceeds MTU, consistently choose UFO or fragmentation.
Once skb_is_gso, always apply ufo. Conversely, once a datagram is
split across multiple skbs, do not consider ufo.
Sendpage already maintains the first invariant, only add the second.
IPv6 does not have a sendpage implementation to modify.
Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
CVE: CVE-2017-1000112
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
net/ipv4/ip_output.c | 8 +++++---
net/ipv6/ip6_output.c | 7 ++++---
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 532b36e..e5948c0 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -964,11 +964,12 @@ static int __ip_append_data(struct sock *sk,
csummode = CHECKSUM_PARTIAL;
cork->length += length;
- if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) ||
- (skb && skb_is_gso(skb))) &&
+ if ((skb && skb_is_gso(skb)) ||
+ (((length + (skb ? skb->len : fragheaderlen)) > mtu) &&
+ (skb_queue_len(queue) <= 1) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
- (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
+ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) {
err = ip_ufo_append_data(sk, queue, getfrag, from, length,
hh_len, fragheaderlen, transhdrlen,
maxfraglen, flags);
@@ -1287,6 +1288,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
return -EINVAL;
if ((size + skb->len > mtu) &&
+ (skb_queue_len(&sk->sk_write_queue) == 1) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO)) {
if (skb->ip_summed != CHECKSUM_PARTIAL)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index be03067..365d510 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1386,11 +1386,12 @@ static int __ip6_append_data(struct sock *sk,
*/
cork->length += length;
- if ((((length + (skb ? skb->len : headersize)) > mtu) ||
- (skb && skb_is_gso(skb))) &&
+ if ((skb && skb_is_gso(skb)) ||
+ (((length + (skb ? skb->len : headersize)) > mtu) &&
+ (skb_queue_len(queue) <= 1) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
- (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
+ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) {
err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
hh_len, fragheaderlen, exthdrlen,
transhdrlen, mtu, flags, fl6);
--
2.10.2

63
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch vendored
View File

@ -1,63 +0,0 @@
From 4ebbab6018792779607c8e1c17786bfeb573a210 Mon Sep 17 00:00:00 2001
From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Date: Fri, 4 Aug 2017 12:48:20 -0400
Subject: [PATCH 26/26] net-packet: fix race in packet_set_ring on
PACKET_RESERVE
PACKET_RESERVE reserves headroom in memory mapped packet ring frames.
The value po->tp_reserve must is verified to be safe in packet_set_ring
if (unlikely(req->tp_frame_size < po->tp_hdrlen + po->tp_reserve))
and the setsockopt fails once a ring is set.
if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
return -EBUSY;
This operation does not take the socket lock. This leads to a race
similar to the one with PACKET_VERSION fixed in commit 84ac7260236a
("packet: fix race condition in packet_set_ring").
Fix this issue in the same manner: take the socket lock, which as of
that patch is held for the duration of packet_set_ring.
This bug was discovered with syzkaller.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
CVE: CVE-2017-1000111
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
net/packet/af_packet.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 0880e0a..b84110e 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3705,14 +3705,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
if (optlen != sizeof(val))
return -EINVAL;
- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
- return -EBUSY;
if (copy_from_user(&val, optval, sizeof(val)))
return -EFAULT;
if (val > INT_MAX)
return -EINVAL;
- po->tp_reserve = val;
- return 0;
+ lock_sock(sk);
+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+ ret = -EBUSY;
+ else {
+ po->tp_reserve = val;
+ ret = 0;
+ }
+ release_sock(sk);
+ return ret;
}
case PACKET_LOSS:
{
--
2.10.2