Date: Friday, December 9, 2016 @ 18:20:10 Author: thestinger Revision: 198658
upgpkg: linux-grsec 1:4.8.13.r201612082118-1 Modified: linux-grsec/trunk/PKGBUILD Deleted: linux-grsec/trunk/0001-net-handle-no-dst-on-skb-in-icmp6_send.patch ---------------------------------------------------+ 0001-net-handle-no-dst-on-skb-in-icmp6_send.patch | 71 -------------------- PKGBUILD | 16 +--- 2 files changed, 6 insertions(+), 81 deletions(-) Deleted: 0001-net-handle-no-dst-on-skb-in-icmp6_send.patch ===================================================================
--- 0001-net-handle-no-dst-on-skb-in-icmp6_send.patch 2016-12-09 17:47:36 UTC (rev 198657)
+++ 0001-net-handle-no-dst-on-skb-in-icmp6_send.patch 2016-12-09 18:20:10 UTC (rev 198658)
@@ -1,71 +0,0 @@ -From 79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2 Mon Sep 17 00:00:00 2001 -From: David Ahern <[email protected]> -Date: Sun, 27 Nov 2016 18:52:53 -0800 -Subject: [PATCH] net: handle no dst on skb in icmp6_send - -Andrey reported the following while fuzzing the kernel with syzkaller: - -kasan: CONFIG_KASAN_INLINE enabled -kasan: GPF could be caused by NULL-ptr deref or user memory access -general protection fault: 0000 [#1] SMP KASAN -Modules linked in: -CPU: 0 PID: 3859 Comm: a.out Not tainted 4.9.0-rc6+ #429 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 -task: ffff8800666d4200 task.stack: ffff880067348000 -RIP: 0010:[<ffffffff833617ec>] [<ffffffff833617ec>] -icmp6_send+0x5fc/0x1e30 net/ipv6/icmp.c:451 -RSP: 0018:ffff88006734f2c0 EFLAGS: 00010206 -RAX: ffff8800666d4200 RBX: 0000000000000000 RCX: 0000000000000000 -RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000018 -RBP: ffff88006734f630 R08: ffff880064138418 R09: 0000000000000003 -R10: dffffc0000000000 R11: 0000000000000005 R12: 0000000000000000 -R13: ffffffff84e7e200 R14: ffff880064138484 R15: ffff8800641383c0 -FS: 00007fb3887a07c0(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000000020000000 CR3: 000000006b040000 CR4: 00000000000006f0 -Stack: - ffff8800666d4200 ffff8800666d49f8 ffff8800666d4200 ffffffff84c02460 - ffff8800666d4a1a 1ffff1000ccdaa2f ffff88006734f498 0000000000000046 - ffff88006734f440 ffffffff832f4269 ffff880064ba7456 0000000000000000 -Call Trace: - [<ffffffff83364ddc>] icmpv6_param_prob+0x2c/0x40 net/ipv6/icmp.c:557 - [< inline >] ip6_tlvopt_unknown net/ipv6/exthdrs.c:88 - [<ffffffff83394405>] ip6_parse_tlv+0x555/0x670 net/ipv6/exthdrs.c:157 - [<ffffffff8339a759>] ipv6_parse_hopopts+0x199/0x460 net/ipv6/exthdrs.c:663 - [<ffffffff832ee773>] ipv6_rcv+0xfa3/0x1dc0 net/ipv6/ip6_input.c:191 - ... - -icmp6_send / icmpv6_send is invoked for both rx and tx paths. 
In both -cases the dst->dev should be preferred for determining the L3 domain -if the dst has been set on the skb. Fallback to the skb->dev if it has -not. This covers the case reported here where icmp6_send is invoked on -Rx before the route lookup. - -Fixes: 5d41ce29e ("net: icmp6_send should use dst dev to determine L3 domain") -Reported-by: Andrey Konovalov <[email protected]> -Signed-off-by: David Ahern <[email protected]> -Signed-off-by: David S. Miller <[email protected]> ---- - net/ipv6/icmp.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c -index 7370ad2..2772004 100644 ---- a/net/ipv6/icmp.c -+++ b/net/ipv6/icmp.c -@@ -447,8 +447,10 @@ static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, - - if (__ipv6_addr_needs_scope_id(addr_type)) - iif = skb->dev->ifindex; -- else -- iif = l3mdev_master_ifindex(skb_dst(skb)->dev); -+ else { -+ dst = skb_dst(skb); -+ iif = l3mdev_master_ifindex(dst ? dst->dev : skb->dev); -+ } - - /* - * Must not send error if the source does not uniquely --- -2.10.2 - Modified: PKGBUILD =================================================================== --- PKGBUILD 2016-12-09 17:47:36 UTC (rev 198657) +++ PKGBUILD 2016-12-09 18:20:10 UTC (rev 198658) @@ -7,13 +7,13 @@ pkgbase=linux-grsec _srcname=linux-4.8 -_pkgver=4.8.12 +_pkgver=4.8.13 _grsecver=3.1 -_timestamp=201612062306 +_timestamp=201612082118 _grsec_patch="grsecurity-$_grsecver-$_pkgver-$_timestamp.patch" epoch=1 pkgver=$_pkgver.r$_timestamp -pkgrel=2 +pkgrel=1 arch=('i686' 'x86_64') url=https://grsecurity.net/ license=('GPL2') 
@@ -32,21 +32,19 @@ # standard config files for mkinitcpio ramdisk 'linux.preset' 'change-default-console-loglevel.patch' - '0001-net-handle-no-dst-on-skb-in-icmp6_send.patch' ) sha256sums=('3e9150065f193d3d94bcf46a1fe9f033c7ef7122ab71d75a7fb5a2f0c9a7e11a' 'SKIP' - '9a498761be20c10db6b30fac095e0591173d4046c19585bcdd7a72ca8503eb87' + 'f0e2f7f738e1a639956e01ba7ef8d3df40ecb5c7586eb366bcd4af70049a7a3c' 'SKIP' - 'd885a07e19358d285a23b4c0f868da48a9ee50cdc71fff4e3bc0673d3a8ead99' + 'c13a3a47f9d12f27d07512b98b386aede9f9f42423b98aaeea8c7e1b97367c33' 'SKIP' '705ef1b95c7c6c2835d7772b848d2cb25359664ff4db36d5f766a54a39fbeae6' '68ced2f2ad616724ada3e7c8ca3f5648b226554cd18541bfdf3fd1e8fdfe692e' '834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0' 'ca7e718375b3790888756cc0a64a7500cd57dddb9bf7e10a0df22c860d91f74d' - '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' - 'd8187fe90a16cf1fac2f3f8be47e40d1bd2658456b09efc3b0ec998f195dff64') + '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99') validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman @@ -69,8 +67,6 @@ # (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227) patch -p1 -i "${srcdir}/change-default-console-loglevel.patch" - patch -p1 -i "${srcdir}/0001-net-handle-no-dst-on-skb-in-icmp6_send.patch" - # Add grsecurity patches patch -Np1 -i "$srcdir/$_grsec_patch" rm localversion-grsec
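Review bot: Nothing in this revision records why the backported icmp6_send fix can be dropped. The hunk at -32,21 removes `0001-net-handle-no-dst-on-skb-in-icmp6_send.patch` from `source` together with its trailing checksum, and the hunk at -69,8 removes the matching `patch -p1` call, in the same commit that bumps `_pkgver` to 4.8.13. Presumably 4.8.13 or the new grsecurity patch already carries the fix, but that is not visible here, and the deleted patch describes a general protection fault in `icmp6_send` reached on the IPv6 receive path. I would say so in the commit message, for example `upgpkg: linux-grsec 1:4.8.13.r201612082118-1 (drop icmp6_send patch, included upstream)`, after confirming that `net/ipv6/icmp.c` in the patched tree contains the `dst ? dst->dev : skb->dev` fallback.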
