-rw-r--r--SOURCES/block-restore-a-specific-error-code-in-bdev_del_part.patch38
-rw-r--r--SOURCES/netfilter-ctnetlink-add-range-check-for-l3-l4-protonum.patch63
-rw-r--r--SPECS/kernel.spec19
3 files changed, 117 insertions, 3 deletions
diff --git a/SOURCES/block-restore-a-specific-error-code-in-bdev_del_part.patch b/SOURCES/block-restore-a-specific-error-code-in-bdev_del_part.patch
new file mode 100644
index 0000000..476eb1a
--- /dev/null
+++ b/SOURCES/block-restore-a-specific-error-code-in-bdev_del_part.patch
@@ -0,0 +1,38 @@
+From 10b34a18180269103dafc68f1a4257ae61c87415 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 16:15:06 +0200
+Subject: block: restore a specific error code in bdev_del_partition
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 88ce2a530cc9865a894454b2e40eba5957a60e1a ]
+
+mdadm relies on the fact that deleting an invalid partition returns
+-ENXIO or -ENOTTY to detect if a block device is a partition or a
+whole device.
+
+Fixes: 08fc1ab6d748 ("block: fix locking in bdev_del_partition")
+Reported-by: kernel test robot <rong.a.chen@intel.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/partitions/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/partitions/core.c b/block/partitions/core.c
+index 534e11285a8d4..b45539764c994 100644
+--- a/block/partitions/core.c
++++ b/block/partitions/core.c
+@@ -529,7 +529,7 @@ int bdev_del_partition(struct block_device *bdev, int partno)
+
+ bdevp = bdget_disk(bdev->bd_disk, partno);
+ if (!bdevp)
+- return -ENOMEM;
++ return -ENXIO;
+
+ mutex_lock(&bdevp->bd_mutex);
+ mutex_lock_nested(&bdev->bd_mutex, 1);
+--
+2.25.1
+
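Review bot: The `return -ENXIO;` after the `bdget_disk()` NULL check in bdev_del_partition has no comment, although the patch description says mdadm depends on this exact value to tell a partition from a whole device. The subject ("restore") and the Fixes: tag suggest an earlier locking cleanup already changed this value by accident, so a comment at the return site would guard against a repeat, for example `/* userspace (mdadm) relies on -ENXIO here; do not change to -ENOMEM */`. The function body starts and ends outside the hunk.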
diff --git a/SOURCES/netfilter-ctnetlink-add-range-check-for-l3-l4-protonum.patch b/SOURCES/netfilter-ctnetlink-add-range-check-for-l3-l4-protonum.patch
new file mode 100644
index 0000000..5e39014
--- /dev/null
+++ b/SOURCES/netfilter-ctnetlink-add-range-check-for-l3-l4-protonum.patch
@@ -0,0 +1,63 @@
+From 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 Mon Sep 17 00:00:00 2001
+From: Will McVicker <willmcvicker@google.com>
+Date: Mon, 24 Aug 2020 19:38:32 +0000
+Subject: netfilter: ctnetlink: add a range check for l3/l4 protonum
+
+The indexes to the nf_nat_l[34]protos arrays come from userspace. So
+check the tuple's family, e.g. l3num, when creating the conntrack in
+order to prevent an OOB memory access during setup. Here is an example
+kernel panic on 4.14.180 when userspace passes in an index greater than
+NFPROTO_NUMPROTO.
+
+Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+Modules linked in:...
+Process poc (pid: 5614, stack limit = 0x00000000a3933121)
+CPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483
+Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
+task: 000000002a3dfffe task.stack: 00000000a3933121
+pc : __cfi_check_fail+0x1c/0x24
+lr : __cfi_check_fail+0x1c/0x24
+...
+Call trace:
+__cfi_check_fail+0x1c/0x24
+name_to_dev_t+0x0/0x468
+nfnetlink_parse_nat_setup+0x234/0x258
+ctnetlink_parse_nat_setup+0x4c/0x228
+ctnetlink_new_conntrack+0x590/0xc40
+nfnetlink_rcv_msg+0x31c/0x4d4
+netlink_rcv_skb+0x100/0x184
+nfnetlink_rcv+0xf4/0x180
+netlink_unicast+0x360/0x770
+netlink_sendmsg+0x5a0/0x6a4
+___sys_sendmsg+0x314/0x46c
+SyS_sendmsg+0xb4/0x108
+el0_svc_naked+0x34/0x38
+
+This crash is not happening since 5.4+, however, ctnetlink still
+allows for creating entries with unsupported layer 3 protocol number.
+
+Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
+Signed-off-by: Will McVicker <willmcvicker@google.com>
+[pablo@netfilter.org: rebased original patch on top of nf.git]
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 832eabecfbddc..d65846aa80591 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1404,7 +1404,8 @@ ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
+ if (err < 0)
+ return err;
+
+-
++ if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
++ return -EOPNOTSUPP;
+ tuple->src.l3num = l3num;
+
+ if (flags & CTA_FILTER_FLAG(CTA_IP_DST) ||
+--
+cgit 1.2.3-1.el7
+
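Review bot: The new `l3num` test in ctnetlink_parse_tuple_filter has no comment saying that the value is supplied by userspace, which the patch description gives as the reason for the check. The subject calls it a range check, but the code is an allow-list of two families, which is stricter; a short comment above the test would keep that intent visible through later refactoring, e.g. `/* l3num comes from userspace: accept only the families conntrack handles */`. The patch also drops the blank line before the test, so the check now sits directly against `tuple->src.l3num = l3num;` with no separation from the assignment it guards. The function continues outside the hunk.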
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 3b0e2d3..167512b 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 8
+%define stable_update 9
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -869,6 +869,12 @@ Patch107: 0001-drivers-perf-xgene_pmu-Fix-uninitialized-resource-st.patch
Patch110: memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch
+# CVE-2020-25211 rhbz 1877571 1877572
+Patch111: netfilter-ctnetlink-add-range-check-for-l3-l4-protonum.patch
+
+# rhbz 1878858
+Patch112: block-restore-a-specific-error-code-in-bdev_del_part.patch
+
# Linux-tkg patches - https://github.com/Frogging-Family/linux-tkg/blob/master/linux57-tkg
Patch200: 0007-v5.8-fsync.patch
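Review bot: The comment above `Patch111` records the CVE and Bugzilla numbers but not the upstream commit the patch was taken from. The patch file itself ends with a `cgit 1.2.3-1.el7` trailer instead of a git version and lacks the `[ Upstream commit … ]` line that the block patch carries, so it appears to have been saved from a web view. Adding the id to the comment, e.g. `# CVE-2020-25211 rhbz 1877571 1877572 (upstream commit <COMMIT_ID>)`, would let a later rebase check whether the stable update already contains the fix and drop the carried copy. The same applies to the `Patch112` comment, whose upstream id is already stated in its patch header.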
@@ -2976,8 +2982,15 @@ fi
#
#
%changelog
-* Tue Sep 15 2020 Jan Drögehoff <sentrycraft123@gmail.com> - 5.8.8-201.fsync
-- Linux v5.8.8 fsync
+* Thu Sep 17 2020 Jan Drögehoff <sentrycraft123@gmail.com> - 5.8.9-201.fsync
+- Linux v5.8.9 fsync
+
+* Mon Sep 14 08:51:46 CDT 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.9-200
+- Linux v5.8.9
+- Fix error code in bdev_del_part (rhbz 1878858)
+
+* Thu Sep 10 2020 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2020-25211 (rhbz 1877571 1877572)
* Wed Sep 9 13:39:22 CDT 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.8-200
- Linux v5.8.8