Date: Wednesday, January 3, 2018 @ 19:37:03 Author: anthraxx Revision: 278365
upgpkg: linux-hardened 4.14.11.a-1 (enable PTI) - drop patches included in the upstream 4.14.11 release - add AMD patch for PTI Added: linux-hardened/trunk/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch Modified: linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config.x86_64 Deleted: linux-hardened/trunk/CVE-2017-17449-netlink-Add-netns-check-on-taps.patch linux-hardened/trunk/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch -----------------------------------------------------------------------+ CVE-2017-17449-netlink-Add-netns-check-on-taps.patch | 43 ----- CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch | 74 ---------- PKGBUILD | 19 +- config.x86_64 | 3 x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch | 15 ++ 5 files changed, 26 insertions(+), 128 deletions(-) Deleted: CVE-2017-17449-netlink-Add-netns-check-on-taps.patch =================================================================== --- CVE-2017-17449-netlink-Add-netns-check-on-taps.patch 2018-01-03 19:32:54 UTC (rev 278364) +++ CVE-2017-17449-netlink-Add-netns-check-on-taps.patch 2018-01-03 19:37:03 UTC (rev 278365)
@@ -1,43 +0,0 @@ -From 93c647643b48f0131f02e45da3bd367d80443291 Mon Sep 17 00:00:00 2001 -From: Kevin Cernekee <[email protected]> -Date: Wed, 6 Dec 2017 12:12:27 -0800 -Subject: [PATCH] netlink: Add netns check on taps - -Currently, a nlmon link inside a child namespace can observe systemwide -netlink activity. Filter the traffic so that nlmon can only sniff -netlink messages from its own netns. - -Test case: - - vpnns -- bash -c "ip link add nlmon0 type nlmon; \ - ip link set nlmon0 up; \ - tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" & - sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \ - spi 0x1 mode transport \ - auth sha1 0x6162633132330000000000000000000000000000 \ - enc aes 0x00000000000000000000000000000000 - grep --binary abc123 /tmp/nlmon.pcap - -Signed-off-by: Kevin Cernekee <[email protected]> -Signed-off-by: David S. Miller <[email protected]> ---- - net/netlink/af_netlink.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index b9e0ee4e22f5..79cc1bf36e4a 100644 ---- a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -253,6 +253,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb, - struct sock *sk = skb->sk; - int ret = -ENOMEM; - -+ if (!net_eq(dev_net(dev), sock_net(sk))) -+ return 0; -+ - dev_hold(dev); - - if (is_vmalloc_addr(skb->head)) --- -2.15.1 - Deleted: CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch =================================================================== --- CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch 2018-01-03 19:32:54 UTC (rev 278364) +++ CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch 2018-01-03 19:37:03 UTC (rev 278365) 
@@ -1,74 +0,0 @@ -From 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 Mon Sep 17 00:00:00 2001 -From: Mohamed Ghannam <[email protected]> -Date: Sun, 10 Dec 2017 03:50:58 +0000 -Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg - -inet->hdrincl is racy, and could lead to uninitialized stack pointer -usage, so its value should be read only once. - -Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt") -Signed-off-by: Mohamed Ghannam <[email protected]> -Reviewed-by: Eric Dumazet <[email protected]> -Signed-off-by: David S. Miller <[email protected]> ---- - net/ipv4/raw.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index 33b70bfd1122..125c1eab3eaa 100644 ---- a/net/ipv4/raw.c -+++ b/net/ipv4/raw.c -@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) - int err; - struct ip_options_data opt_copy; - struct raw_frag_vec rfv; -+ int hdrincl; - - err = -EMSGSIZE; - if (len > 0xFFFF) - goto out; - -+ /* hdrincl should be READ_ONCE(inet->hdrincl) -+ * but READ_ONCE() doesn't work with bit fields -+ */ -+ hdrincl = inet->hdrincl; - /* - * Check the flags. - */ -@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) - /* Linux does not mangle headers on raw sockets, - * so that IP options + IP_HDRINCL is non-sense. - */ -- if (inet->hdrincl) -+ if (hdrincl) - goto done; - if (ipc.opt->opt.srr) { - if (!daddr) -@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) - - flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos, - RT_SCOPE_UNIVERSE, -- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol, -+ hdrincl ? IPPROTO_RAW : sk->sk_protocol, - inet_sk_flowi_flags(sk) | -- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), -+ (hdrincl ? 
FLOWI_FLAG_KNOWN_NH : 0),
- daddr, saddr, 0, 0, sk->sk_uid);
-
-- if (!inet->hdrincl) {
-+ if (!hdrincl) {
- rfv.msg = msg;
- rfv.hlen = 0;
-
-@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
- goto do_confirm;
- back_from_confirm:
-
-- if (inet->hdrincl)
-+ if (hdrincl)
- err = raw_send_hdrinc(sk, &fl4, msg, len,
- &rt, msg->msg_flags, &ipc.sockc);
-
---
-2.15.1
-
Modified: PKGBUILD ===================================================================
--- PKGBUILD 2018-01-03 19:32:54 UTC (rev 278364)
+++ PKGBUILD 2018-01-03 19:37:03 UTC (rev 278365)
@@ -5,7 +5,7 @@
 pkgbase=linux-hardened
 _srcname=linux-4.14
-_pkgver=4.14.10
+_pkgver=4.14.11
 pkgver=${_pkgver}.a
 pkgrel=1
 url='https://github.com/copperhead/linux-hardened'
@@ -31,21 +31,21 @@
 # https://bugs.archlinux.org/task/56846
 cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
+ x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+
 CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
 CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- CVE-2017-17449-netlink-Add-netns-check-on-taps.patch
 CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
- CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
 CVE-2017-17741-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
 )
 replaces=('linux-grsec')
 sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
 'SKIP'
- '16f560aa713b46c707f04a226f67dc31fdd280aae57dd19e0413d61df5336c74'
+ 'f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9'
 'SKIP'
- '24279be4a0e809c77255183eaa5f077ba457b17e057bd662631d5b9efd46588a'
+ '7bf093ee625cf97560bb57b01fc7ddb1bfb705377cc6b68994911cceb23126d5'
 'SKIP'
- '2f6a205a228fceb1d25dd673ba9d7352f97285f36eb6ecf2ad43a8e4dca3049a'
+ '1dd1c470a8df028cf9c9db13e64263bdcff47f890d629ed9c81321fab7a57a05'
 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
 '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
@@ -53,11 +53,10 @@
 'f7c86f7aa4c7d671a5ff80bcd92a33db2fa6e95b78188261db0ef260a7d75cd8'
 '294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45'
 '721c387db986d883a6df6b0da17941ce6d59811b0647ae6653b978c5ee144f19'
+ '086f6ab16a6894db5444007d195f779322f3a5792e7ca0e91a61d4e633ad8f26'
 '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9'
 'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5'
- '830ef08edbf98153ff13a573270cb714605582ef19fb0c3e6eadb8876edd247f'
 '72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435'
- '0ee6eae96743dca76dc018c354dd82e820fba0cb310618131e178684d85fd8c9'
 'ee125179fdd295266aba52e1aebaef97cb41f4a05d9cd1c2b11b4ce83746e197')
 validpgpkeys=(
 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -71,7 +70,7 @@
 # add upstream patch
 msg2 "Applying upstream patch"
- patch -Np1 -i ../patch-${_pkgver}
+ patch -Np1 < ../patch-${_pkgver}
 # XXX: GNU patch doesn't support git-style file mode
 chmod +x tools/objtool/sync-check.sh
@@ -88,7 +87,7 @@
 # linux hardened patch
 msg2 "Applying hardened patch"
- patch -Np1 -i ../${pkgbase}-${pkgver}.patch
+ patch -Np1 < ../${pkgbase}-${pkgver}.patch
 # add latest fixes from stable queue, if needed
 # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
Modified: config.x86_64 ===================================================================
--- config.x86_64 2018-01-03 19:32:54 UTC (rev 278364)
+++ config.x86_64 2018-01-03 19:37:03 UTC (rev 278365)
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.10 Kernel Configuration
+# Linux/x86 4.14.11 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -8099,6 +8099,7 @@
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
+CONFIG_PAGE_TABLE_ISOLATION=y
 CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
Added: x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch ===================================================================
--- x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch (rev 0)
+++ x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch 2018-01-03 19:37:03 UTC (rev 278365)
@@ -0,0 +1,15 @@
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index c47de4e..7d9e3b0 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+
+ setup_force_cpu_cap(X86_FEATURE_ALWAYS);
+
+- /* Assume for now that ALL x86 CPUs are insecure */
+- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
++ if (c->x86_vendor != X86_VENDOR_AMD)
++ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+
+ fpu__init_system(c);
+
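Review bot: The new condition in early_identify_cpu() clears X86_BUG_CPU_INSECURE for every AMD model without recording why, and the added .patch file carries no From:/Subject:/commit-id header, unlike the CVE patches this commit removes, so nobody can later tell which upstream change it tracks or drop it mechanically when that change reaches 4.14 stable. Because CONFIG_PAGE_TABLE_ISOLATION=y is now built in, the practical effect is that the hardened kernel ships with PTI inert on all AMD hosts by default; that trade-off belongs where the removed "Assume for now that ALL x86 CPUs are insecure" comment stood, e.g. `/* AMD states its CPUs do not permit Meltdown-style kernel reads; keep the bug flag (and thus PTI) for every other vendor. */`. Presumably `pti=on` on the kernel command line still force-enables PTI regardless of this flag, but that path and the rest of early_identify_cpu() are outside the hunk and worth confirming before documenting it as the opt-in. A one-line header in the .patch naming the upstream patch it was taken from would close the provenance gap.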
