Hello community, here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2017-05-31 12:12:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kernel-source (Old) and /work/SRC/openSUSE:Factory/.kernel-source.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Wed May 31 12:12:08 2017 rev:366 rq:498347 version:4.11.3 Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/dtb-aarch64.changes 2017-05-24 16:46:10.290004909 +0200 +++ /work/SRC/openSUSE:Factory/.kernel-source.new/dtb-aarch64.changes 2017-05-31 12:12:10.076551223 +0200 
@@ -1,0 +2,65 @@ +Thu May 25 19:55:04 CEST 2017 - [email protected] + +- Linux 4.11.3 (CVE-2017-7487 bnc#1012628 bsc#1038879). +- Delete + patches.fixes/ipx-call-ipxitf_put-in-ioctl-error-path.patch. +- commit 7262353 + +------------------------------------------------------------------- +Thu May 25 18:39:12 CEST 2017 - [email protected] + +- Refresh patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork. + Update patch-mainline and git-commit tags. +- commit 2182e18 + +------------------------------------------------------------------- +Wed May 24 13:34:41 CEST 2017 - [email protected] + +- ipv6/dccp: do not inherit ipv6_mc_list from parent + (CVE-2017-9076 CVE-2017-9077 bsc#1039885 bsc#1040069). +- commit fcae12e + +------------------------------------------------------------------- +Wed May 24 13:30:56 CEST 2017 - [email protected] + +- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent + (CVE-2017-9075 bsc#1039883). +- commit 9f0e1bf + +------------------------------------------------------------------- +Wed May 24 13:22:36 CEST 2017 - [email protected] + +- ipv6: Check ip6_find_1stfragopt() return value properly + (CVE-2017-9074 bsc#1039882). +- ipv6: Prevent overrun when parsing v6 header options + (CVE-2017-9074 bsc#1039882). +- commit 1862833 + +------------------------------------------------------------------- +Wed May 24 13:17:31 CEST 2017 - [email protected] + +- ipx: call ipxitf_put() in ioctl error path (CVE-2017-7487 + bsc#1038879). +- commit 01283ea + +------------------------------------------------------------------- +Wed May 24 11:36:31 CEST 2017 - [email protected] + +- dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890 + bsc#1038544). +- commit cedfd44 + +------------------------------------------------------------------- +Tue May 23 16:57:08 CEST 2017 - [email protected] + +- crypto: skcipher - Add missing API setkey checks + (bsc#1040389,CVE-2017-9211). 
+- commit a536fda + +------------------------------------------------------------------- +Tue May 23 07:52:52 CEST 2017 - [email protected] + +- ptrace: Properly initialize ptracer_cred on fork (bsc#1040041). +- commit 24082da + +------------------------------------------------------------------- dtb-armv6l.changes: same change dtb-armv7l.changes: same change kernel-64kb.changes: same change kernel-debug.changes: same change kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-syzkaller.changes: same change kernel-vanilla.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dtb-aarch64.spec ++++++ --- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.051143258 +0200 +++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.055142694 +0200 @@ -17,7 +17,7 @@ %define srcversion 4.11 -%define patchversion 4.11.2 +%define patchversion 4.11.3 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -29,9 +29,9 @@ %(chmod +x %_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,find-provides,find-requires,split-modules,modversions,kabi.pl,mkspec,compute-PATCHVERSION.sh,arch-symbols,log.sh,try-disable-staging-driver,compress-vmlinux.sh,mkspec-dtb}) Name: dtb-aarch64 -Version: 4.11.2 +Version: 4.11.3 %if 0%{?is_kotd} -Release: <RELEASE>.g03903d8 +Release: <RELEASE>.g7262353 %else Release: 0 %endif dtb-armv6l.spec: same change dtb-armv7l.spec: same change ++++++ kernel-64kb.spec ++++++ --- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.143130274 +0200 +++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.143130274 +0200 
@@ -18,7 +18,7 @@ %define srcversion 4.11 -%define patchversion 4.11.2 +%define patchversion 4.11.3 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with 64kb PAGE_SIZE License: GPL-2.0 Group: System/Kernel -Version: 4.11.2 +Version: 4.11.3 %if 0%{?is_kotd} -Release: <RELEASE>.g03903d8 +Release: <RELEASE>.g7262353 %else Release: 0 %endif kernel-debug.spec: same change kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.215120112 +0200 +++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.219119548 +0200 @@ -16,7 +16,7 @@ # -%define patchversion 4.11.2 +%define patchversion 4.11.3 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -42,9 +42,9 @@ Summary: Kernel Documentation (man pages) License: GPL-2.0 Group: Documentation/Man -Version: 4.11.2 +Version: 4.11.3 %if 0%{?is_kotd} -Release: <RELEASE>.g03903d8 +Release: <RELEASE>.g7262353 %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.239116725 +0200 +++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.243116161 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.11 -%define patchversion 4.11.2 +%define patchversion 4.11.3 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel for LPAE enabled systems License: GPL-2.0 Group: System/Kernel -Version: 4.11.2 +Version: 4.11.3 %if 0%{?is_kotd} -Release: <RELEASE>.g03903d8 +Release: <RELEASE>.g7262353 %else Release: 0 %endif ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.267112773 +0200 +++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.271112209 +0200 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 4.11.2 +%define patchversion 4.11.3 %define variant %{nil} %define vanilla_only 0 
@@ -57,9 +57,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0 Group: SLES -Version: 4.11.2 +Version: 4.11.3 %if 0%{?is_kotd} -Release: <RELEASE>.g03903d8 +Release: <RELEASE>.g7262353 %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.295108822 +0200 +++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.299108257 +0200 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 4.11.2 +%define patchversion 4.11.3 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0 Group: SLES -Version: 4.11.2 +Version: 4.11.3 %if 0%{?is_kotd} -Release: <RELEASE>.g03903d8 +Release: <RELEASE>.g7262353 %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.327104305 +0200 +++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.331103741 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.11 -%define patchversion 4.11.2 +%define patchversion 4.11.3 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with PAE Support License: GPL-2.0 Group: System/Kernel -Version: 4.11.2 +Version: 4.11.3 %if 0%{?is_kotd} -Release: <RELEASE>.g03903d8 +Release: <RELEASE>.g7262353 %else Release: 0 %endif ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.351100918 +0200 +++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.355100354 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.11 -%define patchversion 4.11.2 +%define patchversion 4.11.3 %define variant %{nil} %define vanilla_only 0 
@@ -30,9 +30,9 @@ Summary: The Linux Kernel Sources License: GPL-2.0 Group: Development/Sources -Version: 4.11.2 +Version: 4.11.3 %if 0%{?is_kotd} -Release: <RELEASE>.g03903d8 +Release: <RELEASE>.g7262353 %else Release: 0 %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.379096966 +0200 +++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.379096966 +0200 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0 Group: Development/Sources -Version: 4.11.2 +Version: 4.11.3 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.g03903d8 +Release: <RELEASE>.g7262353 %else Release: 0 %endif ++++++ kernel-syzkaller.spec ++++++ --- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.407093015 +0200 +++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.407093015 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.11 -%define patchversion 4.11.2 +%define patchversion 4.11.3 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel used for fuzzing by syzkaller License: GPL-2.0 Group: System/Kernel -Version: 4.11.2 +Version: 4.11.3 %if 0%{?is_kotd} -Release: <RELEASE>.g03903d8 +Release: <RELEASE>.g7262353 %else Release: 0 %endif kernel-vanilla.spec: same change ++++++ patches.fixes.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks new/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks --- old/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks 2017-05-25 19:55:04.000000000 +0200 
@@ -0,0 +1,77 @@
+From 9933e113c2e87a9f46a40fde8dafbf801dca1ab9 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <[email protected]>
+Date: Wed, 10 May 2017 03:48:23 +0800
+Subject: [PATCH] crypto: skcipher - Add missing API setkey checks
+Git-commit: 9933e113c2e87a9f46a40fde8dafbf801dca1ab9
+Patch-mainline: 4.12-rc3
+References: bsc#1040389,CVE-2017-9211
+
+The API setkey checks for key sizes and alignment went AWOL during the
+skcipher conversion. This patch restores them.
+
+Cc: <[email protected]>
+Fixes: 4e6c3df4d729 ("crypto: skcipher - Add low-level skcipher...")
+Reported-by: Baozeng <[email protected]>
+Signed-off-by: Herbert Xu <[email protected]>
+Acked-by: Takashi Iwai <[email protected]>
+
+---
+ crypto/skcipher.c | 40 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 39 insertions(+), 1 deletion(-)
+
+--- a/crypto/skcipher.c
++++ b/crypto/skcipher.c
+@@ -764,6 +764,44 @@ static int crypto_init_skcipher_ops_ablk
+ return 0;
+ }
+
++static int skcipher_setkey_unaligned(struct crypto_skcipher *tfm,
++ const u8 *key, unsigned int keylen)
++{
++ unsigned long alignmask = crypto_skcipher_alignmask(tfm);
++ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm);
++ u8 *buffer, *alignbuffer;
++ unsigned long absize;
++ int ret;
++
++ absize = keylen + alignmask;
++ buffer = kmalloc(absize, GFP_ATOMIC);
++ if (!buffer)
++ return -ENOMEM;
++
++ alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
++ memcpy(alignbuffer, key, keylen);
++ ret = cipher->setkey(tfm, alignbuffer, keylen);
++ kzfree(buffer);
++ return ret;
++}
++
++static int skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key,
++ unsigned int keylen)
++{
++ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm);
++ unsigned long alignmask = crypto_skcipher_alignmask(tfm);
++
++ if (keylen < cipher->min_keysize || keylen > cipher->max_keysize) {
++ crypto_skcipher_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
++ return -EINVAL;
++ }
++
++ if ((unsigned long)key & alignmask)
++ return skcipher_setkey_unaligned(tfm, key, keylen);
++
++ return cipher->setkey(tfm, key, keylen);
++}
++
+ static void crypto_skcipher_exit_tfm(struct crypto_tfm *tfm)
+ {
+ struct crypto_skcipher *skcipher = __crypto_skcipher_cast(tfm);
+@@ -784,7 +822,7 @@ static int crypto_skcipher_init_tfm(stru
+ tfm->__crt_alg->cra_type == &crypto_givcipher_type)
+ return crypto_init_skcipher_ops_ablkcipher(tfm);
+
+- skcipher->setkey = alg->setkey;
++ skcipher->setkey = skcipher_setkey;
+ skcipher->encrypt = alg->encrypt;
+ skcipher->decrypt = alg->decrypt;
+ skcipher->ivsize = alg->ivsize;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch new/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
--- old/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch 2017-05-25 19:55:04.000000000 +0200
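Review bot: In `skcipher_setkey_unaligned()`, `absize = keylen + alignmask` sizes the temporary key buffer from a length the helper itself never checks; it is bounded only because `skcipher_setkey()` rejects anything outside `min_keysize`..`max_keysize` before taking the unaligned path. Nothing in the helper records that dependency, so a later second caller could reach the `kmalloc()` with an unvalidated length. I would add a comment above the helper, `/* keylen was range-checked by skcipher_setkey(); kzfree() wipes the copy because it holds key material */`. Both new functions are complete within the hunk.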
@@ -0,0 +1,45 @@
+From: Eric Dumazet <[email protected]>
+Date: Tue, 9 May 2017 06:29:19 -0700
+Subject: dccp/tcp: do not inherit mc_list from parent
+Patch-mainline: v4.12-rc1
+Git-commit: 657831ffc38e30092a2d5f03d385d710eb88b09a
+References: CVE-2017-8890 bsc#1038544
+
+syzkaller found a way to trigger double frees from ip_mc_drop_socket()
+
+It turns out that leave a copy of parent mc_list at accept() time,
+which is very bad.
+
+Very similar to commit 8b485ce69876 ("tcp: do not inherit
+fastopen_req from parent")
+
+Initial report from Pray3r, completed by Andrey one.
+Thanks a lot to them !
+
+Signed-off-by: Eric Dumazet <[email protected]>
+Reported-by: Pray3r <[email protected]>
+Reported-by: Andrey Konovalov <[email protected]>
+Tested-by: Andrey Konovalov <[email protected]>
+Signed-off-by: David S. Miller <[email protected]>
+Acked-by: Michal Kubecek <[email protected]>
+
+---
+ net/ipv4/inet_connection_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 5e313c1ac94f..1054d330bf9d 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -794,6 +794,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
+ /* listeners have SOCK_RCU_FREE, not the children */
+ sock_reset_flag(newsk, SOCK_RCU_FREE);
+
++ inet_sk(newsk)->mc_list = NULL;
++
+ newsk->sk_mark = inet_rsk(req)->ir_mark;
+ atomic64_set(&newsk->sk_cookie,
+ atomic64_read(&inet_rsk(req)->ir_cookie));
+--
+2.13.0
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch new/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch
--- old/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch 2017-05-25 19:55:04.000000000 +0200
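Review bot: The added `inet_sk(newsk)->mc_list = NULL;` in `inet_csk_clone_lock()` (net/ipv4/inet_connection_sock.c) carries no comment, so without the commit message it reads as an arbitrary reset. The message explains that the child otherwise keeps a copy of the listener's `mc_list` pointer and that this leads to double frees from `ip_mc_drop_socket()`; a comment such as `/* the child must not share the listener's multicast list, or ip_mc_drop_socket() frees it twice */` would keep that reasoning next to the code. The same applies to the `ipv6_mc_list`/`ipv6_ac_list`/`ipv6_fl_list` resets added to `net/dccp/ipv6.c` and `net/ipv6/tcp_ipv6.c` by the ipv6/dccp patch later in this package. `inet_csk_clone_lock()` starts and ends outside the hunk.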
@@ -0,0 +1,96 @@
+From: "David S. Miller" <[email protected]>
+Date: Wed, 17 May 2017 22:54:11 -0400
+Subject: ipv6: Check ip6_find_1stfragopt() return value properly.
+Patch-mainline: v4.12-rc2
+Git-commit: 7dd7eb9513bd02184d45f000ab69d78cb1fa1531
+References: CVE-2017-9074 bsc#1039882
+
+Do not use unsigned variables to see if it returns a negative
+error or not.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Reported-by: Julia Lawall <[email protected]>
+Signed-off-by: David S. Miller <[email protected]>
+Acked-by: Michal Kubecek <[email protected]>
+
+---
+ net/ipv6/ip6_offload.c | 9 ++++-----
+ net/ipv6/ip6_output.c | 7 +++----
+ net/ipv6/udp_offload.c | 8 +++++---
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
+index eab36abc9f22..280268f1dd7b 100644
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
+ const struct net_offload *ops;
+ int proto;
+ struct frag_hdr *fptr;
+- unsigned int unfrag_ip6hlen;
+ unsigned int payload_len;
+ u8 *prevhdr;
+ int offset = 0;
+@@ -116,10 +115,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
+ skb->network_header = (u8 *)ipv6h - skb->head;
+
+ if (udpfrag) {
+- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+- if (unfrag_ip6hlen < 0)
+- return ERR_PTR(unfrag_ip6hlen);
+- fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
++ int err = ip6_find_1stfragopt(skb, &prevhdr);
++ if (err < 0)
++ return ERR_PTR(err);
++ fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
+ fptr->frag_off = htons(offset);
+ if (skb->next)
+ fptr->frag_off |= htons(IP6_MF);
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 01deecda2f84..d4a31becbd25 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -597,11 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ int ptr, offset = 0, err = 0;
+ u8 *prevhdr, nexthdr = 0;
+
+- hlen = ip6_find_1stfragopt(skb, &prevhdr);
+- if (hlen < 0) {
+- err = hlen;
++ err = ip6_find_1stfragopt(skb, &prevhdr);
++ if (err < 0)
+ goto fail;
+- }
++ hlen = err;
+ nexthdr = *prevhdr;
+
+ mtu = ip6_skb_dst_mtu(skb);
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index b348cff47395..a2267f80febb 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+ u8 frag_hdr_sz = sizeof(struct frag_hdr);
+ __wsum csum;
+ int tnl_hlen;
++ int err;
+
+ mss = skb_shinfo(skb)->gso_size;
+ if (unlikely(skb->len <= mss))
+@@ -90,9 +91,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+ /* Find the unfragmentable header and shift it left by frag_hdr_sz
+ * bytes to insert fragment header.
+ */
+- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+- if (unfrag_ip6hlen < 0)
+- return ERR_PTR(unfrag_ip6hlen);
++ err = ip6_find_1stfragopt(skb, &prevhdr);
++ if (err < 0)
++ return ERR_PTR(err);
++ unfrag_ip6hlen = err;
+ nexthdr = *prevhdr;
+ *prevhdr = NEXTHDR_FRAGMENT;
+ unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
+--
+2.13.0
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch new/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch
--- old/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch 2017-05-25 19:55:04.000000000 +0200
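Review bot: In the `ip6_fragment()` hunk, `err` is left holding the positive header length after a successful `ip6_find_1stfragopt()` call (`hlen = err;`), where it used to be 0 from its initialiser at that point. The rest of the function is outside the hunk, so I cannot confirm that every later `goto fail` or `return err` assigns `err` first; any path that does not would return a positive length instead of 0 or an error code. Resetting it right after the copy, `hlen = err;` followed by `err = 0;`, restores the earlier invariant. The `err` added in `ipv6_gso_segment()` and `udp6_ufo_fragment()` is used as a length in the same way, but within the visible lines it is returned only on the negative branch.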
@@ -0,0 +1,235 @@ +From: Craig Gallek <[email protected]> +Date: Tue, 16 May 2017 14:36:23 -0400 +Subject: ipv6: Prevent overrun when parsing v6 header options +Patch-mainline: v4.12-rc2 +Git-commit: 2423496af35d94a87156b063ea5cedffc10a70a1 +References: CVE-2017-9074 bsc#1039882 + +The KASAN warning repoted below was discovered with a syzkaller +program. The reproducer is basically: + int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP); + send(s, &one_byte_of_data, 1, MSG_MORE); + send(s, &more_than_mtu_bytes_data, 2000, 0); + +The socket() call sets the nexthdr field of the v6 header to +NEXTHDR_HOP, the first send call primes the payload with a non zero +byte of data, and the second send call triggers the fragmentation path. + +The fragmentation code tries to parse the header options in order +to figure out where to insert the fragment option. Since nexthdr points +to an invalid option, the calculation of the size of the network header +can made to be much larger than the linear section of the skb and data +is read outside of it. + +This fix makes ip6_find_1stfrag return an error if it detects +running out-of-bounds. + +[ 42.361487] ================================================================== +[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730 +[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789 +[ 42.366469] +[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41 +[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014 +[ 42.368824] Call Trace: +[ 42.369183] dump_stack+0xb3/0x10b +[ 42.369664] print_address_description+0x73/0x290 +[ 42.370325] kasan_report+0x252/0x370 +[ 42.370839] ? ip6_fragment+0x11c8/0x3730 +[ 42.371396] check_memory_region+0x13c/0x1a0 +[ 42.371978] memcpy+0x23/0x50 +[ 42.372395] ip6_fragment+0x11c8/0x3730 +[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110 +[ 42.373681] ? 
ip6_copy_metadata+0x7f0/0x7f0 +[ 42.374263] ? ip6_forward+0x2e30/0x2e30 +[ 42.374803] ip6_finish_output+0x584/0x990 +[ 42.375350] ip6_output+0x1b7/0x690 +[ 42.375836] ? ip6_finish_output+0x990/0x990 +[ 42.376411] ? ip6_fragment+0x3730/0x3730 +[ 42.376968] ip6_local_out+0x95/0x160 +[ 42.377471] ip6_send_skb+0xa1/0x330 +[ 42.377969] ip6_push_pending_frames+0xb3/0xe0 +[ 42.378589] rawv6_sendmsg+0x2051/0x2db0 +[ 42.379129] ? rawv6_bind+0x8b0/0x8b0 +[ 42.379633] ? _copy_from_user+0x84/0xe0 +[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290 +[ 42.380878] ? ___sys_sendmsg+0x162/0x930 +[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120 +[ 42.382074] ? sock_has_perm+0x1f6/0x290 +[ 42.382614] ? ___sys_sendmsg+0x167/0x930 +[ 42.383173] ? lock_downgrade+0x660/0x660 +[ 42.383727] inet_sendmsg+0x123/0x500 +[ 42.384226] ? inet_sendmsg+0x123/0x500 +[ 42.384748] ? inet_recvmsg+0x540/0x540 +[ 42.385263] sock_sendmsg+0xca/0x110 +[ 42.385758] SYSC_sendto+0x217/0x380 +[ 42.386249] ? SYSC_connect+0x310/0x310 +[ 42.386783] ? __might_fault+0x110/0x1d0 +[ 42.387324] ? lock_downgrade+0x660/0x660 +[ 42.387880] ? __fget_light+0xa1/0x1f0 +[ 42.388403] ? __fdget+0x18/0x20 +[ 42.388851] ? sock_common_setsockopt+0x95/0xd0 +[ 42.389472] ? SyS_setsockopt+0x17f/0x260 +[ 42.390021] ? 
entry_SYSCALL_64_fastpath+0x5/0xbe +[ 42.390650] SyS_sendto+0x40/0x50 +[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe +[ 42.391731] RIP: 0033:0x7fbbb711e383 +[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383 +[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003 +[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018 +[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad +[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00 +[ 42.397257] +[ 42.397411] Allocated by task 3789: +[ 42.397702] save_stack_trace+0x16/0x20 +[ 42.398005] save_stack+0x46/0xd0 +[ 42.398267] kasan_kmalloc+0xad/0xe0 +[ 42.398548] kasan_slab_alloc+0x12/0x20 +[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380 +[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0 +[ 42.399654] __alloc_skb+0xf8/0x580 +[ 42.400003] sock_wmalloc+0xab/0xf0 +[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0 +[ 42.400813] ip6_append_data+0x1a8/0x2f0 +[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0 +[ 42.401505] inet_sendmsg+0x123/0x500 +[ 42.401860] sock_sendmsg+0xca/0x110 +[ 42.402209] ___sys_sendmsg+0x7cb/0x930 +[ 42.402582] __sys_sendmsg+0xd9/0x190 +[ 42.402941] SyS_sendmsg+0x2d/0x50 +[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe +[ 42.403718] +[ 42.403871] Freed by task 1794: +[ 42.404146] save_stack_trace+0x16/0x20 +[ 42.404515] save_stack+0x46/0xd0 +[ 42.404827] kasan_slab_free+0x72/0xc0 +[ 42.405167] kfree+0xe8/0x2b0 +[ 42.405462] skb_free_head+0x74/0xb0 +[ 42.405806] skb_release_data+0x30e/0x3a0 +[ 42.406198] skb_release_all+0x4a/0x60 +[ 42.406563] consume_skb+0x113/0x2e0 +[ 42.406910] skb_free_datagram+0x1a/0xe0 +[ 42.407288] netlink_recvmsg+0x60d/0xe40 +[ 42.407667] sock_recvmsg+0xd7/0x110 +[ 42.408022] ___sys_recvmsg+0x25c/0x580 +[ 42.408395] __sys_recvmsg+0xd6/0x190 +[ 42.408753] 
SyS_recvmsg+0x2d/0x50 +[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe +[ 42.409513] +[ 42.409665] The buggy address belongs to the object at ffff88000969e780 +[ 42.409665] which belongs to the cache kmalloc-512 of size 512 +[ 42.410846] The buggy address is located 24 bytes inside of +[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980) +[ 42.411941] The buggy address belongs to the page: +[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 +[ 42.413298] flags: 0x100000000008100(slab|head) +[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c +[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000 +[ 42.415074] page dumped because: kasan: bad access detected +[ 42.415604] +[ 42.415757] Memory state around the buggy address: +[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 42.418273] ^ +[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 42.419882] ================================================================== + +Reported-by: Andrey Konovalov <[email protected]> +Signed-off-by: Craig Gallek <[email protected]> +Signed-off-by: David S. 
Miller <[email protected]> +Acked-by: Michal Kubecek <[email protected]> + +--- + net/ipv6/ip6_offload.c | 2 ++ + net/ipv6/ip6_output.c | 4 ++++ + net/ipv6/output_core.c | 14 ++++++++------ + net/ipv6/udp_offload.c | 2 ++ + 4 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c +index 93e58a5e1837..eab36abc9f22 100644 +--- a/net/ipv6/ip6_offload.c ++++ b/net/ipv6/ip6_offload.c +@@ -117,6 +117,8 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, + + if (udpfrag) { + unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); ++ if (unfrag_ip6hlen < 0) ++ return ERR_PTR(unfrag_ip6hlen); + fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen); + fptr->frag_off = htons(offset); + if (skb->next) +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 58f6288e9ba5..01deecda2f84 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -598,6 +598,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + u8 *prevhdr, nexthdr = 0; + + hlen = ip6_find_1stfragopt(skb, &prevhdr); ++ if (hlen < 0) { ++ err = hlen; ++ goto fail; ++ } + nexthdr = *prevhdr; + + mtu = ip6_skb_dst_mtu(skb); +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c +index cd4252346a32..e9065b8d3af8 100644 +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -79,14 +79,13 @@ EXPORT_SYMBOL(ipv6_select_ident); + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + { + u16 offset = sizeof(struct ipv6hdr); +- struct ipv6_opt_hdr *exthdr = +- (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1); + unsigned int packet_len = skb_tail_pointer(skb) - + skb_network_header(skb); + int found_rhdr = 0; + *nexthdr = &ipv6_hdr(skb)->nexthdr; + +- while (offset + 1 <= packet_len) { ++ while (offset <= packet_len) { ++ struct ipv6_opt_hdr *exthdr; + + switch (**nexthdr) { + +@@ -107,13 +106,16 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + return offset; + } + +- offset += 
ipv6_optlen(exthdr); +- *nexthdr = &exthdr->nexthdr; ++ if (offset + sizeof(struct ipv6_opt_hdr) > packet_len) ++ return -EINVAL; ++ + exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + + offset); ++ offset += ipv6_optlen(exthdr); ++ *nexthdr = &exthdr->nexthdr; + } + +- return offset; ++ return -EINVAL; + } + EXPORT_SYMBOL(ip6_find_1stfragopt); + +diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c +index ac858c480f2f..b348cff47395 100644 +--- a/net/ipv6/udp_offload.c ++++ b/net/ipv6/udp_offload.c +@@ -91,6 +91,8 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, + * bytes to insert fragment header. + */ + unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); ++ if (unfrag_ip6hlen < 0) ++ return ERR_PTR(unfrag_ip6hlen); + nexthdr = *prevhdr; + *prevhdr = NEXTHDR_FRAGMENT; + unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) + +-- +2.13.0 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch new/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch --- old/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch 2017-05-25 19:55:04.000000000 +0200 
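Review bot: `ip6_find_1stfragopt()` in net/ipv6/output_core.c keeps `u16 offset` while adding `ipv6_optlen(exthdr)` for each extension header, so the running total could wrap before it is compared with `packet_len`, which is an `unsigned int`. A wrapped `offset` would satisfy both `offset <= packet_len` and the new `offset + sizeof(struct ipv6_opt_hdr) > packet_len` guard, so the walk might not terminate or might return a length that does not describe the packet. Widening the counter and bounding each step avoids that: `unsigned int offset = sizeof(struct ipv6hdr);` and, before the addition, `if (offset + ipv6_optlen(exthdr) >= IPV6_MAXPLEN) return -EINVAL;`. The `switch` body of the loop is only partly visible in the hunk.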
@@ -0,0 +1,68 @@
+From: WANG Cong <[email protected]>
+Date: Tue, 9 May 2017 16:59:54 -0700
+Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent
+Patch-mainline: v4.12-rc2
+Git-commit: 83eaddab4378db256d00d295bda6ca997cd13a52
+References: CVE-2017-9076 CVE-2017-9077 bsc#1039885 bsc#1040069
+
+Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
+we should clear ipv6_mc_list etc. for IPv6 sockets too.
+
+Cc: Eric Dumazet <[email protected]>
+Signed-off-by: Cong Wang <[email protected]>
+Acked-by: Eric Dumazet <[email protected]>
+Signed-off-by: David S. Miller <[email protected]>
+Acked-by: Michal Kubecek <[email protected]>
+
+---
+ net/dccp/ipv6.c | 6 ++++++
+ net/ipv6/tcp_ipv6.c | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index d9b6a4e403e7..b6bbb71e713e 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
+ newsk->sk_backlog_rcv = dccp_v4_do_rcv;
+ newnp->pktoptions = NULL;
+ newnp->opt = NULL;
++ newnp->ipv6_mc_list = NULL;
++ newnp->ipv6_ac_list = NULL;
++ newnp->ipv6_fl_list = NULL;
+ newnp->mcast_oif = inet6_iif(skb);
+ newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
+
+@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
+ /* Clone RX bits */
+ newnp->rxopt.all = np->rxopt.all;
+
++ newnp->ipv6_mc_list = NULL;
++ newnp->ipv6_ac_list = NULL;
++ newnp->ipv6_fl_list = NULL;
+ newnp->pktoptions = NULL;
+ newnp->opt = NULL;
+ newnp->mcast_oif = inet6_iif(skb);
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 4c4afdca41ff..ff5f87641651 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1070,6 +1070,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+ newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
+ #endif
+
++ newnp->ipv6_mc_list = NULL;
+ newnp->ipv6_ac_list = NULL;
+ newnp->ipv6_fl_list = NULL;
+ newnp->pktoptions = NULL;
+@@ -1139,6 +1140,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+ First: no IPv4 options.
+ */
+ newinet->inet_opt = NULL;
++ newnp->ipv6_mc_list = NULL;
+ newnp->ipv6_ac_list = NULL;
+ newnp->ipv6_fl_list = NULL;
+
+--
+2.13.0
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork new/patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork
--- old/patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork 2017-05-25 19:55:04.000000000 +0200
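Review bot: The same three-pointer reset is now written out by hand in four places, twice in `dccp_v6_request_recv_sock()` and twice in `tcp_v6_syn_recv_sock()`, and the field order differs between the two dccp branches. The tcp context lines show how this pattern fails: `ipv6_ac_list` and `ipv6_fl_list` were already cleared there and only `ipv6_mc_list` had been forgotten. A single helper that clears every inherited list would make the next omission harder; the name below is only a proposal, and where it should live is not visible from these hunks. Both functions start and end outside the hunks shown.

```c
/* Pointers copied from the listener that the child socket must not own. */
static inline void ipv6_pinfo_clear_inherited(struct ipv6_pinfo *newnp)
{
	newnp->ipv6_mc_list = NULL;
	newnp->ipv6_ac_list = NULL;
	newnp->ipv6_fl_list = NULL;
}

/* … unchanged: dccp_v6_request_recv_sock() up to newnp->opt = NULL … */
	ipv6_pinfo_clear_inherited(newnp);
```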
@@ -0,0 +1,114 @@
+From: "Eric W. Biederman" <[email protected]>
+Date: Mon, 22 May 2017 16:04:48 -0500
+Subject: [PATCH] ptrace: Properly initialize ptracer_cred on fork
+Message-ID: <[email protected]>
+Patch-mainline: 4.12-rc3
+Git-commit: c70d9d809fdeecedb96972457ee45c49a232d97f
+References: bsc#1040041
+
+When I introduced ptracer_cred I failed to consider the weirdness of
+fork where the task_struct copies the old value by default. This
+winds up leaving ptracer_cred set even when a process forks and
+the child process does not wind up being ptraced.
+
+Because ptracer_cred is not set on non-ptraced processes whose
+parents were ptraced this has broken the ability of the enlightenment
+window manager to start setuid children.
+
+Fix this by properly initializing ptracer_cred in ptrace_init_task
+
+This must be done with a little bit of care to preserve the current value
+of ptracer_cred when ptrace carries through fork. Re-reading the
+ptracer_cred from the ptracing process at this point is inconsistent
+with how PT_PTRACE_CAP has been maintained all of these years.
+
+Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
+Signed-off-by: "Eric W. Biederman" <[email protected]>
+Signed-off-by: Takashi Iwai <[email protected]>
+
+---
+ include/linux/ptrace.h | 7 +++++--
+ kernel/ptrace.c | 20 +++++++++++++-------
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+--- a/include/linux/ptrace.h
++++ b/include/linux/ptrace.h
+@@ -54,7 +54,8 @@ extern int ptrace_request(struct task_st
+ unsigned long addr, unsigned long data);
+ extern void ptrace_notify(int exit_code);
+ extern void __ptrace_link(struct task_struct *child,
+- struct task_struct *new_parent);
++ struct task_struct *new_parent,
++ const struct cred *ptracer_cred);
+ extern void __ptrace_unlink(struct task_struct *child);
+ extern void exit_ptrace(struct task_struct *tracer, struct list_head *dead);
+ #define PTRACE_MODE_READ 0x01
+@@ -206,7 +207,7 @@ static inline void ptrace_init_task(stru
+
+ if (unlikely(ptrace) && current->ptrace) {
+ child->ptrace = current->ptrace;
+- __ptrace_link(child, current->parent);
++ __ptrace_link(child, current->parent, current->ptracer_cred);
+
+ if (child->ptrace & PT_SEIZED)
+ task_set_jobctl_pending(child, JOBCTL_TRAP_STOP);
+@@ -215,6 +216,8 @@ static inline void ptrace_init_task(stru
+
+ set_tsk_thread_flag(child, TIF_SIGPENDING);
+ }
++ else
++ child->ptracer_cred = NULL;
+ }
+
+ /**
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -60,19 +60,25 @@ int ptrace_access_vm(struct task_struct
+ }
+
+
++void __ptrace_link(struct task_struct *child, struct task_struct *new_parent,
++ const struct cred *ptracer_cred)
++{
++ BUG_ON(!list_empty(&child->ptrace_entry));
++ list_add(&child->ptrace_entry, &new_parent->ptraced);
++ child->parent = new_parent;
++ child->ptracer_cred = get_cred(ptracer_cred);
++}
++
+ /*
+ * ptrace a task: make the debugger its new parent and
+ * move it to the ptrace list.
+ *
+ * Must be called with the tasklist lock write-held.
+ */
+-void __ptrace_link(struct task_struct *child, struct task_struct *new_parent)
++static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+ {
+- BUG_ON(!list_empty(&child->ptrace_entry));
+- list_add(&child->ptrace_entry, &new_parent->ptraced);
+- child->parent = new_parent;
+ rcu_read_lock();
+- child->ptracer_cred = get_cred(__task_cred(new_parent));
++ __ptrace_link(child, new_parent, __task_cred(new_parent));
+ rcu_read_unlock();
+ }
+
+@@ -386,7 +392,7 @@ static int ptrace_attach(struct task_str
+ flags |= PT_SEIZED;
+ task->ptrace = flags;
+
+- __ptrace_link(task, current);
++ ptrace_link(task, current);
+
+ /* SEIZE doesn't trap tracee on attach */
+ if (!seize)
+@@ -459,7 +465,7 @@ static int ptrace_traceme(void)
+ */
+ if (!ret && !(current->real_parent->flags & PF_EXITING)) {
+ current->ptrace = PT_PTRACED;
+- __ptrace_link(current, current->real_parent);
++ ptrace_link(current, current->real_parent);
+ }
+ }
+ write_unlock_irq(&tasklist_lock);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch new/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
--- old/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch 2017-05-25 19:55:04.000000000 +0200
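Review bot: The new three-argument `__ptrace_link()` in kernel/ptrace.c has no comment at all, because the existing block ("Must be called with the tasklist lock write-held") now sits above the new static `ptrace_link()` while the list manipulation it described moved into `__ptrace_link()`. The function also hands `ptracer_cred` straight to `get_cred()`, so the caller presumably has to supply a non-NULL cred that stays valid until the reference is taken; `ptrace_link()` does this under `rcu_read_lock()`, while `ptrace_init_task()` passes `current->ptracer_cred`, which looks safe only as long as a task with `current->ptrace` set always has that pointer set. I would add a short comment above `__ptrace_link()` stating both requirements (tasklist lock write-held; `ptracer_cred` non-NULL and kept alive by the caller). In `ptrace_init_task()`, whose body starts outside the hunk, the added branch would read better as `} else {` with braces to match the braced `if` arm.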
@@ -0,0 +1,37 @@
+From: Eric Dumazet <[email protected]>
+Date: Wed, 17 May 2017 07:16:40 -0700
+Subject: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
+Patch-mainline: v4.12-rc2
+Git-commit: fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8
+References: CVE-2017-9075 bsc#1039883
+
+SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
+ipv6_mc_list from parent"), otherwise bad things can happen.
+
+Signed-off-by: Eric Dumazet <[email protected]>
+Reported-by: Andrey Konovalov <[email protected]>
+Tested-by: Andrey Konovalov <[email protected]>
+Signed-off-by: David S. Miller <[email protected]>
+Acked-by: Michal Kubecek <[email protected]>
+
+---
+ net/sctp/ipv6.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
+index 961ee59f696a..6d2349bc71a6 100644
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -665,6 +665,9 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
+ newnp = inet6_sk(newsk);
+
+ memcpy(newnp, np, sizeof(struct ipv6_pinfo));
++ newnp->ipv6_mc_list = NULL;
++ newnp->ipv6_ac_list = NULL;
++ newnp->ipv6_fl_list = NULL;
+
+ rcu_read_lock();
+ opt = rcu_dereference(np->opt);
+--
+2.13.0
+
++++++ patches.kernel.org.tar.bz2 ++++++
++++ 7337 lines of diff (skipped)
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:21.406951879 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:21.410951314 +0200
@@ -29,6 +29,7 @@ ######################################################## patches.kernel.org/patch-4.11.1 patches.kernel.org/patch-4.11.1-2 + patches.kernel.org/patch-4.11.2-3 ######################################################## # Build fixes that apply to the vanilla kernel too.
@@ -212,6 +213,11 @@ ######################################################## # Networking, IPv6 ######################################################## + patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch + patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch + patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch + patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch + patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch ######################################################## # Netfilter @@ -445,6 +451,8 @@ # Security stuff # ########################################################## + patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork + patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks ########################################################## # Audit ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:21.450945669 +0200 +++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:21.450945669 +0200 @@ -1,3 +1,3 @@ -2017-05-20 20:13:12 +0200 -GIT Revision: 03903d821e2bb9e4b3e4f22ed40fa0aa04789206 +2017-05-25 19:55:04 +0200 +GIT Revision: 72623535ffa1560169ca6cb8dc05802d2c18962a GIT Branch: stable
