From 4c0708c37959ac70f139b5f4fa0926611a48df5c Mon Sep 17 00:00:00 2001
From: Jan200101
Date: Thu, 17 Sep 2020 08:17:48 +0200
Subject: kernel 5.8.9
---
 ...re-a-specific-error-code-in-bdev_del_part.patch | 38 +++++++++++++
 ...etlink-add-range-check-for-l3-l4-protonum.patch | 63 ++++++++++++++++++++++
 SPECS/kernel.spec | 19 +++++--
 3 files changed, 117 insertions(+), 3 deletions(-)
 create mode 100644 SOURCES/block-restore-a-specific-error-code-in-bdev_del_part.patch
 create mode 100644 SOURCES/netfilter-ctnetlink-add-range-check-for-l3-l4-protonum.patch
diff --git a/SOURCES/block-restore-a-specific-error-code-in-bdev_del_part.patch b/SOURCES/block-restore-a-specific-error-code-in-bdev_del_part.patch
new file mode 100644
index 0000000..476eb1a
--- /dev/null
+++ b/SOURCES/block-restore-a-specific-error-code-in-bdev_del_part.patch
@@ -0,0 +1,38 @@
+From 10b34a18180269103dafc68f1a4257ae61c87415 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Sep 2020 16:15:06 +0200
+Subject: block: restore a specific error code in bdev_del_partition
+
+From: Christoph Hellwig
+
+[ Upstream commit 88ce2a530cc9865a894454b2e40eba5957a60e1a ]
+
+mdadm relies on the fact that deleting an invalid partition returns
+-ENXIO or -ENOTTY to detect if a block device is a partition or a
+whole device.
+
+Fixes: 08fc1ab6d748 ("block: fix locking in bdev_del_partition")
+Reported-by: kernel test robot
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/partitions/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/partitions/core.c b/block/partitions/core.c
+index 534e11285a8d4..b45539764c994 100644
+--- a/block/partitions/core.c
++++ b/block/partitions/core.c
+@@ -529,7 +529,7 @@ int bdev_del_partition(struct block_device *bdev, int partno)
+ 
+ bdevp = bdget_disk(bdev->bd_disk, partno);
+ if (!bdevp)
+- return -ENOMEM;
++ return -ENXIO;
+ 
+ mutex_lock(&bdevp->bd_mutex);
+ mutex_lock_nested(&bdev->bd_mutex, 1);
+--
+2.25.1
+
diff --git a/SOURCES/netfilter-ctnetlink-add-range-check-for-l3-l4-protonum.patch b/SOURCES/netfilter-ctnetlink-add-range-check-for-l3-l4-protonum.patch
new file mode 100644
index 0000000..5e39014
--- /dev/null
+++ b/SOURCES/netfilter-ctnetlink-add-range-check-for-l3-l4-protonum.patch
@@ -0,0 +1,63 @@
+From 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 Mon Sep 17 00:00:00 2001
+From: Will McVicker
+Date: Mon, 24 Aug 2020 19:38:32 +0000
+Subject: netfilter: ctnetlink: add a range check for l3/l4 protonum
+
+The indexes to the nf_nat_l[34]protos arrays come from userspace. So
+check the tuple's family, e.g. l3num, when creating the conntrack in
+order to prevent an OOB memory access during setup. Here is an example
+kernel panic on 4.14.180 when userspace passes in an index greater than
+NFPROTO_NUMPROTO.
+
+Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+Modules linked in:...
+Process poc (pid: 5614, stack limit = 0x00000000a3933121)
+CPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483
+Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
+task: 000000002a3dfffe task.stack: 00000000a3933121
+pc : __cfi_check_fail+0x1c/0x24
+lr : __cfi_check_fail+0x1c/0x24
+...
+Call trace:
+__cfi_check_fail+0x1c/0x24
+name_to_dev_t+0x0/0x468
+nfnetlink_parse_nat_setup+0x234/0x258
+ctnetlink_parse_nat_setup+0x4c/0x228
+ctnetlink_new_conntrack+0x590/0xc40
+nfnetlink_rcv_msg+0x31c/0x4d4
+netlink_rcv_skb+0x100/0x184
+nfnetlink_rcv+0xf4/0x180
+netlink_unicast+0x360/0x770
+netlink_sendmsg+0x5a0/0x6a4
+___sys_sendmsg+0x314/0x46c
+SyS_sendmsg+0xb4/0x108
+el0_svc_naked+0x34/0x38
+
+This crash is not happening since 5.4+, however, ctnetlink still
+allows for creating entries with unsupported layer 3 protocol number.
+
+Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
+Signed-off-by: Will McVicker
+[pablo@netfilter.org: rebased original patch on top of nf.git]
+Signed-off-by: Pablo Neira Ayuso
+---
+ net/netfilter/nf_conntrack_netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 832eabecfbddc..d65846aa80591 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1404,7 +1404,8 @@ ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
+ if (err < 0)
+ return err;
+ 
+-
++ if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
++ return -EOPNOTSUPP;
+ tuple->src.l3num = l3num;
+ 
+ if (flags & CTA_FILTER_FLAG(CTA_IP_DST) ||
+--
+cgit 1.2.3-1.el7
+
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 3b0e2d3..167512b 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 8
+%define stable_update 9
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -869,6 +869,12 @@ Patch107: 0001-drivers-perf-xgene_pmu-Fix-uninitialized-resource-st.patch
 Patch110: memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch
+# CVE-2020-25211 rhbz 1877571 1877572
+Patch111: netfilter-ctnetlink-add-range-check-for-l3-l4-protonum.patch
+
+# rhbz 1878858
+Patch112: block-restore-a-specific-error-code-in-bdev_del_part.patch
+
 # Linux-tkg patches - https://github.com/Frogging-Family/linux-tkg/blob/master/linux57-tkg
 Patch200: 0007-v5.8-fsync.patch
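Review bot: The hunk declares Patch111 and Patch112 but the step that applies them is not in view, and whether a `PatchNNN:` line alone is enough depends on how this spec applies its patches (an automatic loop over every declared patch versus an explicit `ApplyPatch`/`%patch` call per patch) — that part of the spec lies outside the hunk. Since Patch111 is the CVE-2020-25211 fix, it is worth confirming from the build log or the prepared source tree that the l3num check from that patch actually lands in the built kernel rather than only in the SRPM. The comments could also carry the upstream commit ids shown in the added patch files so the backports can be traced, e.g. `# CVE-2020-25211 rhbz 1877571 1877572 (upstream 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6)` and `# rhbz 1878858 (upstream 88ce2a530cc9865a894454b2e40eba5957a60e1a)`.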
@@ -2976,8 +2982,15 @@ fi
 #
 #
 %changelog
-* Tue Sep 15 2020 Jan Drögehoff - 5.8.8-201.fsync
-- Linux v5.8.8 fsync
+* Thu Sep 17 2020 Jan Drögehoff - 5.8.9-201.fsync
+- Linux v5.8.9 fsync
+
+* Mon Sep 14 08:51:46 CDT 2020 Justin M. Forbes - 5.8.9-200
+- Linux v5.8.9
+- Fix error code in bdev_del_part (rhbz 1878858)
+
+* Thu Sep 10 2020 Justin M. Forbes
+- Fix CVE-2020-25211 (rhbz 1877571 1877572)
 
 * Wed Sep 9 13:39:22 CDT 2020 Justin M. Forbes - 5.8.8-200
 - Linux v5.8.8
-- 
cgit v1.2.3