[arch-commits] Commit in linux-hardened/trunk (4 files)

2020-05-28 Thread Levente Polyak via arch-commits
Date: Thursday, May 28, 2020 @ 07:11:59
  Author: anthraxx
Revision: 387749

upgpkg: linux-hardened 5.6.15.b-1

Modified:
  linux-hardened/trunk/0001-gcc-plugins-drop-support-for-GCC-4.7.patch
  linux-hardened/trunk/PKGBUILD
  linux-hardened/trunk/config
Deleted:
  linux-hardened/trunk/0002-gcc-common.h-Update-for-GCC-10.patch

-+
 0001-gcc-plugins-drop-support-for-GCC-4.7.patch |4 
 0002-gcc-common.h-Update-for-GCC-10.patch   |   92 --
 PKGBUILD|   12 +-
 config  |8 -
 4 files changed, 12 insertions(+), 104 deletions(-)

Modified: 0001-gcc-plugins-drop-support-for-GCC-4.7.patch
===
--- 0001-gcc-plugins-drop-support-for-GCC-4.7.patch 2020-05-28 06:08:34 UTC 
(rev 387748)
+++ 0001-gcc-plugins-drop-support-for-GCC-4.7.patch 2020-05-28 07:11:59 UTC 
(rev 387749)
@@ -264,7 +264,7 @@
 index f2ee8bd7abc6..f22858b2c3d6 100644
 --- a/scripts/gcc-plugins/Makefile
 +++ b/scripts/gcc-plugins/Makefile
-@@ -1,30 +1,21 @@
+@@ -1,31 +1,22 @@
  # SPDX-License-Identifier: GPL-2.0
 -PLUGINCC := $(CONFIG_PLUGIN_HOSTCC:"%"=%)
  GCC_PLUGINS_DIR := $(shell $(CC) -print-file-name=plugin)
@@ -278,11 +278,13 @@
 -  HOST_EXTRACXXFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu++98 
-fno-rtti
 -  HOST_EXTRACXXFLAGS += -fno-exceptions -fasynchronous-unwind-tables -ggdb
 -  HOST_EXTRACXXFLAGS += -Wno-narrowing -Wno-unused-variable
+-  HOST_EXTRACXXFLAGS += -Wno-format-diag
 -  export HOST_EXTRACXXFLAGS
 -endif
 +HOST_EXTRACXXFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu++98 
-fno-rtti
 +HOST_EXTRACXXFLAGS += -fno-exceptions -fasynchronous-unwind-tables -ggdb
 +HOST_EXTRACXXFLAGS += -Wno-narrowing -Wno-unused-variable -Wno-c++11-compat
++HOST_EXTRACXXFLAGS += -Wno-format-diag
  
  $(obj)/randomize_layout_plugin.o: $(objtree)/$(obj)/randomize_layout_seed.h
  quiet_cmd_create_randomize_layout_seed = GENSEED $@

Deleted: 0002-gcc-common.h-Update-for-GCC-10.patch
===
--- 0002-gcc-common.h-Update-for-GCC-10.patch   2020-05-28 06:08:34 UTC (rev 
387748)
+++ 0002-gcc-common.h-Update-for-GCC-10.patch   2020-05-28 07:11:59 UTC (rev 
387749)
@@ -1,92 +0,0 @@
-From 41e53fdbbf5121960fd44427c2ae7536d8fdd701 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?=
- 
-Date: Tue, 7 Apr 2020 13:32:59 +0200
-Subject: [PATCH 2/4] gcc-common.h: Update for GCC 10
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Remove "params.h" include, which has been dropped in GCC 10.
-
-Remove is_a_helper() macro, which is now defined in gimple.h, as seen
-when running './scripts/gcc-plugin.sh g++ g++ gcc':
-
-In file included from :1:
-./gcc-plugins/gcc-common.h:852:13: error: redefinition of ‘static bool 
is_a_helper::test(U*) [with U = const gimple; T = const ggoto*]’
-  852 | inline bool is_a_helper::test(const_gimple gs)
-  | ^~
-In file included from ./gcc-plugins/gcc-common.h:125,
- from :1:
-/usr/lib/gcc/x86_64-redhat-linux/10/plugin/include/gimple.h:1037:1: note: 
‘static bool is_a_helper::test(U*) [with U = const gimple; T = const 
ggoto*]’ previously declared here
- 1037 | is_a_helper ::test (const gimple *gs)
-  | ^~~
-
-Add -Wno-format-diag to scripts/gcc-plugins/Makefile to avoid
-meaningless warnings from error() formats used by plugins:
-
-scripts/gcc-plugins/structleak_plugin.c: In function ‘int 
plugin_init(plugin_name_args*, plugin_gcc_version*)’:
-scripts/gcc-plugins/structleak_plugin.c:253:12: warning: unquoted sequence of 
2 consecutive punctuation characters ‘'-’ in format [-Wformat-diag]
-  253 |   error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, 
argv[i].key);
-  |^
-
-Signed-off-by: Frédéric Pierret (fepitre) 
-Link: 
https://lore.kernel.org/r/20200407113259.270172-1-frederic.pier...@qubes-os.org
-[kees: include -Wno-format-diag for plugin builds]
-Signed-off-by: Kees Cook 

- scripts/gcc-plugins/Makefile | 1 +
- scripts/gcc-plugins/gcc-common.h | 4 
- 2 files changed, 5 insertions(+)
-
-diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile
-index f22858b2c3d6..80f354289eeb 100644
 a/scripts/gcc-plugins/Makefile
-+++ b/scripts/gcc-plugins/Makefile
-@@ -4,6 +4,7 @@ GCC_PLUGINS_DIR := $(shell $(CC) -print-file-name=plugin)
- HOST_EXTRACXXFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu++98 
-fno-rtti
- HOST_EXTRACXXFLAGS += -fno-exceptions -fasynchronous-unwind-tables -ggdb
- HOST_EXTRACXXFLAGS += -Wno-narrowing -Wno-unused-variable -Wno-c++11-compat
-+HOST_EXTRACXXFLAGS += -Wno-format-diag
- 
- $(obj)/randomize_layout_plugin.o: 

[arch-commits] Commit in linux-hardened/trunk (4 files)

2018-11-29 Thread Levente Polyak via arch-commits
Date: Friday, November 30, 2018 @ 07:56:24
  Author: anthraxx
Revision: 340654

upgpkg: linux-hardened 4.19.5.a-1

Modified:
  linux-hardened/trunk/90-linux.hook
  linux-hardened/trunk/PKGBUILD
  linux-hardened/trunk/config.x86_64
  linux-hardened/trunk/linux.install

---+
 90-linux.hook |2 +-
 PKGBUILD  |   23 ++-
 config.x86_64 |2 +-
 linux.install |2 ++
 4 files changed, 14 insertions(+), 15 deletions(-)

Modified: 90-linux.hook
===
--- 90-linux.hook   2018-11-30 07:42:31 UTC (rev 340653)
+++ 90-linux.hook   2018-11-30 07:56:24 UTC (rev 340654)
@@ -2,7 +2,7 @@
 Type = File
 Operation = Install
 Operation = Upgrade
-Target = boot/vmlinuz-%PKGBASE%
+Target = usr/lib/modules/%KERNVER%/vmlinuz
 Target = usr/lib/initcpio/*
 
 [Action]

Modified: PKGBUILD
===
--- PKGBUILD2018-11-30 07:42:31 UTC (rev 340653)
+++ PKGBUILD2018-11-30 07:56:24 UTC (rev 340654)
@@ -4,7 +4,7 @@
 # Contributor: Thomas Baechler 
 
 pkgbase=linux-hardened
-_pkgver=4.19.4
+_pkgver=4.19.5
 _hardenedver=a
 _srcname=linux-${_pkgver}
 pkgver=${_pkgver}.${_hardenedver}
@@ -23,13 +23,13 @@
 linux.preset   # standard config files for mkinitcpio ramdisk
 )
 replaces=('linux-grsec')
-sha256sums=('a38f5606bba1f5611c798541f6c3d43267b8599d9e3167471d4b662e33ff47aa'
+sha256sums=('8c839ec29cce7eb0e8ef7eaa10d1eb9d84d2be2521e352fb4f9414e76856ef75'
 'SKIP'
-'2779c1dc568958f54b012c5bef9e1e6e0bc714e02910e831a916c5f4d2ad43ce'
+'8eb32a90c0c632ac20f2aed88c3914511ccb30d3ddc7630a2c493d8f4669c8c6'
 'SKIP'
-'3fcaa87fd4da7f155c9c7b3284b5b4a9cf9b5a459e4b278cc1ebc4e9943579ff'
+'684c4e47f04970d78948720109905a63ef31097b5ef6d447f9a5dbe94169ed11'
 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
-'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
+'c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636'
 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65')
 validpgpkeys=(
   'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -82,22 +82,19 @@
   install=linux.install
 
   local kernver="$(https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
+  install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"
+  install -Dm644 "$modulesdir/vmlinuz" "$pkgdir/boot/vmlinuz-$pkgbase"
 
   msg2 "Installing modules..."
-  local modulesdir="$pkgdir/usr/lib/modules/$kernver"
-  mkdir -p "$modulesdir"
   make INSTALL_MOD_PATH="$pkgdir/usr" modules_install
 
-  # systemd expects to find the kernel here to allow hibernation
-  # 
https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
-  ln -sr "$image" "$modulesdir/vmlinuz"
-
   # a place for external modules,
   # with version file for building modules and running depmod from hook
   local extramodules="extramodules$_kernelname"
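Review bot: The new boot-image lines read `$modulesdir` (`install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"` and the copy to `$pkgdir/boot/vmlinuz-$pkgbase`) before the "Installing modules..." section, yet the only declaration in view, `local modulesdir="$pkgdir/usr/lib/modules/$kernver"`, is the one this hunk removes. The lines just after `local kernver=` are garbled in this rendering, so the declaration may well have been moved up there; if it was not, the variable expands empty and `install -D` targets `/vmlinuz` outside `$pkgdir`, and the `/boot` copy is then taken from that same wrong path. Please confirm that `local modulesdir="$pkgdir/usr/lib/modules/$kernver"` now precedes the first `install` call. Dropping `mkdir -p "$modulesdir"` is fine on its own, since `install -D` creates leading directories. The enclosing package function starts and ends outside the hunk.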

Modified: config.x86_64
===
--- config.x86_64   2018-11-30 07:42:31 UTC (rev 340653)
+++ config.x86_64   2018-11-30 07:56:24 UTC (rev 340654)
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.19.4 Kernel Configuration
+# Linux/x86 4.19.5 Kernel Configuration
 #
 
 #

Modified: linux.install
===
--- linux.install   2018-11-30 07:42:31 UTC (rev 340653)
+++ linux.install   2018-11-30 07:56:24 UTC (rev 340654)
@@ -9,3 +9,5 @@
   rm -f boot/initramfs-%PKGBASE%.img
   rm -f boot/initramfs-%PKGBASE%-fallback.img
 }
+
+# vim:set ft=sh ts=8 sts=2 sw=2 et:


[arch-commits] Commit in linux-hardened/trunk (4 files)

2018-08-03 Thread Levente Polyak via arch-commits
Date: Friday, August 3, 2018 @ 14:06:40
  Author: anthraxx
Revision: 330486

upgpkg: linux-hardened 4.17.12.a-1

Modified:
  linux-hardened/trunk/60-linux.hook
  linux-hardened/trunk/PKGBUILD
  linux-hardened/trunk/config.x86_64
Deleted:
  
linux-hardened/trunk/ACPICA-AML-Parser-ignore-control-method-status-in-module-level-code.patch

---+
 60-linux.hook |
2 
 ACPICA-AML-Parser-ignore-control-method-status-in-module-level-code.patch |   
53 --
 PKGBUILD  |  
254 +-
 config.x86_64 |
4 
 4 files changed, 133 insertions(+), 180 deletions(-)

Modified: 60-linux.hook
===
--- 60-linux.hook   2018-08-03 12:01:19 UTC (rev 330485)
+++ 60-linux.hook   2018-08-03 14:06:40 UTC (rev 330486)
@@ -9,4 +9,4 @@
 [Action]
 Description = Updating %PKGBASE% module dependencies...
 When = PostTransaction
-Exec = /usr/bin/depmod %KERNVER%
+Exec = /usr/bin/depmod --quick %KERNVER%
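Review bot: `depmod --quick` (`-A`) regenerates modules.dep only when some module file is newer than the existing modules.dep, so the hook can now silently do nothing in a case where regeneration is needed. pacman extracts files with the mtimes stored in the package archive, which means a module package built before the last depmod run for this kernel (a downgrade, a cached package, or an external-module package rebuilt earlier and installed into the extramodules directory) can land with an older mtime and stay invisible to modprobe until something else triggers a full depmod. Unless the trigger is known to fire only on freshly created `usr/lib/modules/%KERNVER%` trees, I would keep the unconditional form, `Exec = /usr/bin/depmod %KERNVER%`, or at least record the timestamp assumption in a comment above `[Action]`. The `[Trigger]` section that decides which paths fire this hook is outside the hunk.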

Deleted: 
ACPICA-AML-Parser-ignore-control-method-status-in-module-level-code.patch
===
--- ACPICA-AML-Parser-ignore-control-method-status-in-module-level-code.patch   
2018-08-03 12:01:19 UTC (rev 330485)
+++ ACPICA-AML-Parser-ignore-control-method-status-in-module-level-code.patch   
2018-08-03 14:06:40 UTC (rev 330486)
@@ -1,53 +0,0 @@
-From f51d7e02375963169fb1c1148ac3f96d54e97ec4 Mon Sep 17 00:00:00 2001
-From: Erik Schmauss 
-Date: Sat, 28 Jul 2018 14:49:55 +0200
-Subject: [PATCH] ACPICA: AML Parser: ignore control method status in
- module-level code
-
-Previous change in the AML parser code blindly set all non-successful
-dispatcher statuses to AE_OK. This approach is incorrect because
-successful control method invocations from module-level return
-AE_CTRL_TRANSFER. Overwriting AE_OK to this status causes the AML
-parser to think that there was no return value from the control
-method invocation.
-
-fixes: 73c2a01c52b6 (ACPICA: AML Parser: ignore dispatcher error status during 
table load)
-
-Reported-by: Linus Torvalds 
-Signed-off-by: Erik Schmauss 

- drivers/acpi/acpica/psloop.c | 19 ---
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/acpi/acpica/psloop.c b/drivers/acpi/acpica/psloop.c
-index ee840be150b5e..44f35ab3347d1 100644
 a/drivers/acpi/acpica/psloop.c
-+++ b/drivers/acpi/acpica/psloop.c
-@@ -709,15 +709,20 @@ acpi_status acpi_ps_parse_loop(struct acpi_walk_state 
*walk_state)
-   } else
-   if ((walk_state->
-parse_flags & ACPI_PARSE_MODULE_LEVEL)
-+  && status != AE_CTRL_TRANSFER
-   && ACPI_FAILURE(status)) {
-   /*
--   * ACPI_PARSE_MODULE_LEVEL means that we are 
loading a table by
--   * executing it as a control method. However, 
if we encounter
--   * an error while loading the table, we need to 
keep trying to
--   * load the table rather than aborting the 
table load. Set the
--   * status to AE_OK to proceed with the table 
load. If we get a
--   * failure at this point, it means that the 
dispatcher got an
--   * error while processing Op (most likely an 
AML operand error.
-+   * ACPI_PARSE_MODULE_LEVEL flag means that we 
are currently
-+   * loading a table by executing it as a control 
method.
-+   * However, if we encounter an error while 
loading the table,
-+   * we need to keep trying to load the table 
rather than
-+   * aborting the table load (setting the status 
to AE_OK
-+   * continues the table load). If we get a 
failure at this
-+   * point, it means that the dispatcher got an 
error while
-+   * processing Op (most likely an AML operand 
error) or a
-+   * control method was called from module level 
and the
-+   * dispatcher returned AE_CTRL_TRANSFER. In the 
latter case,
-+   * leave the status alone, there's nothing 
wrong with it.
-*/
-   status = AE_OK;
-   }

Modified: PKGBUILD
===
--- PKGBUILD2018-08-03 12:01:19 UTC (rev 330485)
+++ PKGBUILD

[arch-commits] Commit in linux-hardened/trunk (4 files)

2018-06-19 Thread Levente Polyak via arch-commits
Date: Wednesday, June 20, 2018 @ 00:52:57
  Author: anthraxx
Revision: 327312

upgpkg: linux-hardened 4.17.2.a-1

Added:
  
linux-hardened/trunk/ACPI-watchdog-Prefer-iTCO_wdt-always-when-WDAT-table.patch
Modified:
  linux-hardened/trunk/PKGBUILD
  linux-hardened/trunk/config.x86_64
Deleted:
  linux-hardened/trunk/ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch

+
 ACPI-watchdog-Prefer-iTCO_wdt-always-when-WDAT-table.patch |  129 
 ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch   |  117 ---
 PKGBUILD   |   16 
 config.x86_64  |  326 ---
 4 files changed, 275 insertions(+), 313 deletions(-)

Added: ACPI-watchdog-Prefer-iTCO_wdt-always-when-WDAT-table.patch
===
--- ACPI-watchdog-Prefer-iTCO_wdt-always-when-WDAT-table.patch  
(rev 0)
+++ ACPI-watchdog-Prefer-iTCO_wdt-always-when-WDAT-table.patch  2018-06-20 
00:52:57 UTC (rev 327312)
@@ -0,0 +1,129 @@
+From a0a37862a4e1844793d39aca9ccb8fecbdcb8659 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg 
+Date: Tue, 22 May 2018 14:16:50 +0300
+Subject: [PATCH 3/3] ACPI / watchdog: Prefer iTCO_wdt always when WDAT table
+ uses RTC SRAM
+
+After we added quirk for Lenovo Z50-70 it turns out there are at least
+two more systems where WDAT table includes instructions accessing RTC
+SRAM. Instead of quirking each system separately, look for such
+instructions in the table and automatically prefer iTCO_wdt if found.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199033
+Reported-by: Arnold Guy 
+Reported-by: Alois Nespor 
+Reported-by: Yury Pakin 
+Reported-by: Ihor Chyhin 
+Signed-off-by: Mika Westerberg 
+Acked-by: Guenter Roeck 
+---
+ drivers/acpi/acpi_watchdog.c | 72 ++--
+ 1 file changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/acpi/acpi_watchdog.c b/drivers/acpi/acpi_watchdog.c
+index 4bde16fb97d8..95600309ce42 100644
+--- a/drivers/acpi/acpi_watchdog.c
 b/drivers/acpi/acpi_watchdog.c
+@@ -12,54 +12,72 @@
+ #define pr_fmt(fmt) "ACPI: watchdog: " fmt
+ 
+ #include 
+-#include 
+ #include 
+ #include 
+ 
+ #include "internal.h"
+ 
+-static const struct dmi_system_id acpi_watchdog_skip[] = {
+-  {
+-  /*
+-   * On Lenovo Z50-70 there are two issues with the WDAT
+-   * table. First some of the instructions use RTC SRAM
+-   * to store persistent information. This does not work well
+-   * with Linux RTC driver. Second, more important thing is
+-   * that the instructions do not actually reset the system.
+-   *
+-   * On this particular system iTCO_wdt seems to work just
+-   * fine so we prefer that over WDAT for now.
+-   *
+-   * See also https://bugzilla.kernel.org/show_bug.cgi?id=199033.
+-   */
+-  .ident = "Lenovo Z50-70",
+-  .matches = {
+-  DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+-  DMI_MATCH(DMI_PRODUCT_NAME, "20354"),
+-  DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Z50-70"),
+-  },
+-  },
+-  {}
+-};
++#ifdef CONFIG_RTC_MC146818_LIB
++#include 
++
++/*
++ * There are several systems where the WDAT table is accessing RTC SRAM to
++ * store persistent information. This does not work well with the Linux RTC
++ * driver so on those systems we skip WDAT driver and prefer iTCO_wdt
++ * instead.
++ *
++ * See also https://bugzilla.kernel.org/show_bug.cgi?id=199033.
++ */
++static bool acpi_watchdog_uses_rtc(const struct acpi_table_wdat *wdat)
++{
++  const struct acpi_wdat_entry *entries;
++  int i;
++
++  entries = (struct acpi_wdat_entry *)(wdat + 1);
++  for (i = 0; i < wdat->entries; i++) {
++  const struct acpi_generic_address *gas;
++
++  gas = [i].register_region;
++  if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO) {
++  switch (gas->address) {
++  case RTC_PORT(0):
++  case RTC_PORT(1):
++  case RTC_PORT(2):
++  case RTC_PORT(3):
++  return true;
++  }
++  }
++  }
++
++  return false;
++}
++#else
++static bool acpi_watchdog_uses_rtc(const struct acpi_table_wdat *wdat)
++{
++  return false;
++}
++#endif
+ 
+ static const struct acpi_table_wdat *acpi_watchdog_get_wdat(void)
+ {
+   const struct acpi_table_wdat *wdat = NULL;
+   acpi_status status;
+ 
+   if (acpi_disabled)
+   return NULL;
+ 
+-  if (dmi_check_system(acpi_watchdog_skip))
+-  return NULL;
+-
+   status = acpi_get_table(ACPI_SIG_WDAT, 0,
+  

[arch-commits] Commit in linux-hardened/trunk (4 files)

2018-02-05 Thread Levente Polyak via arch-commits
Date: Tuesday, February 6, 2018 @ 00:39:19
  Author: anthraxx
Revision: 289327

upgpkg: linux-hardened 4.14.17.a-1

- remove applied security patches

Modified:
  linux-hardened/trunk/PKGBUILD
  linux-hardened/trunk/config.x86_64
Deleted:
  
linux-hardened/trunk/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
  
linux-hardened/trunk/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch

-+
 
CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch 
|   78 --
 CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
 |   60 ---
 PKGBUILD   
 |   14 -
 config.x86_64  
 |4 
 4 files changed, 8 insertions(+), 148 deletions(-)

Deleted: 
CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
===
--- 
CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch 
2018-02-05 23:46:52 UTC (rev 289326)
+++ 
CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch 
2018-02-06 00:39:19 UTC (rev 289327)
@@ -1,78 +0,0 @@
-From 4b380c42f7d00a395feede754f0bc2292eebe6e5 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee 
-Date: Sun, 3 Dec 2017 12:12:45 -0800
-Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, nfnl_cthelper_list is shared by all net namespaces on the
-system.  An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
-$ nfct helper list
-nfct v1.4.4: netlink error: Operation not permitted
-$ vpnns -- nfct helper list
-{
-.name = ftp,
-.queuenum = 0,
-.l3protonum = 2,
-.l4protonum = 6,
-.priv_data_len = 24,
-.status = enabled,
-};
-
-Add capable() checks in nfnetlink_cthelper, as this is cleaner than
-trying to generalize the solution.
-
-Signed-off-by: Kevin Cernekee 
-Signed-off-by: Pablo Neira Ayuso 

- net/netfilter/nfnetlink_cthelper.c | 10 ++
- 1 file changed, 10 insertions(+)
-
-diff --git a/net/netfilter/nfnetlink_cthelper.c 
b/net/netfilter/nfnetlink_cthelper.c
-index 41628b393673..d33ce6d5ebce 100644
 a/net/netfilter/nfnetlink_cthelper.c
-+++ b/net/netfilter/nfnetlink_cthelper.c
-@@ -17,6 +17,7 @@
- #include 
- #include 
- #include 
-+#include 
- #include 
- #include 
- 
-@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock 
*nfnl,
-   struct nfnl_cthelper *nlcth;
-   int ret = 0;
- 
-+  if (!capable(CAP_NET_ADMIN))
-+  return -EPERM;
-+
-   if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
-   return -EINVAL;
- 
-@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock 
*nfnl,
-   struct nfnl_cthelper *nlcth;
-   bool tuple_set = false;
- 
-+  if (!capable(CAP_NET_ADMIN))
-+  return -EPERM;
-+
-   if (nlh->nlmsg_flags & NLM_F_DUMP) {
-   struct netlink_dump_control c = {
-   .dump = nfnl_cthelper_dump_table,
-@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock 
*nfnl,
-   struct nfnl_cthelper *nlcth, *n;
-   int j = 0, ret;
- 
-+  if (!capable(CAP_NET_ADMIN))
-+  return -EPERM;
-+
-   if (tb[NFCTH_NAME])
-   helper_name = nla_data(tb[NFCTH_NAME]);
- 
--- 
-2.15.1
-

Deleted: CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
===
--- CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch 
2018-02-05 23:46:52 UTC (rev 289326)
+++ CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch 
2018-02-06 00:39:19 UTC (rev 289327)
@@ -1,60 +0,0 @@
-From 916a27901de01446bcf57ecca4783f6cff493309 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee 
-Date: Tue, 5 Dec 2017 15:42:41 -0800
-Subject: [PATCH] netfilter: xt_osf: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, xt_osf_fingers is shared by all net namespaces on the
-system.  An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
-vpnns -- nfnl_osf -f /tmp/pf.os
-
-vpnns -- nfnl_osf -f /tmp/pf.os -d
-
-These non-root operations successfully modify the 

[arch-commits] Commit in linux-hardened/trunk (4 files)

2017-12-14 Thread Levente Polyak via arch-commits
Date: Friday, December 15, 2017 @ 01:51:34
  Author: anthraxx
Revision: 274476

upgpkg: linux-hardened 4.14.6.a-1

Added:
  
linux-hardened/trunk/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
  linux-hardened/trunk/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
Modified:
  linux-hardened/trunk/PKGBUILD
  linux-hardened/trunk/config.x86_64

-+
 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch |   73 
++
 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch   |   57 +++
 PKGBUILD|   27 ++-
 config.x86_64   |   70 
+
 4 files changed, 163 insertions(+), 64 deletions(-)

Added: 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
===
--- 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch 
(rev 0)
+++ 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch 
2017-12-15 01:51:34 UTC (rev 274476)
@@ -0,0 +1,73 @@
+From c3c1af44db713ac6624e729ea4832d0ce70685e0 Mon Sep 17 00:00:00 2001
+Message-Id: 

+From: Benjamin Poirier 
+Date: Mon, 11 Dec 2017 16:26:40 +0900
+Subject: [PATCH 1/2] e1000e: Fix e1000_check_for_copper_link_ich8lan return
+ value.
+
+e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
+are the two functions that may be assigned to mac.ops.check_for_link when
+phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
+Separate signaling for link check/link up") changed the meaning of the
+return value of check_for_link for copper media but only adjusted the first
+function. This patch adjusts the second function likewise.
+
+Reported-by: Christian Hesse 
+Reported-by: Gabriel C 
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
+Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
+Tested-by: Christian Hesse 
+Signed-off-by: Benjamin Poirier 
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c 
b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+index d6d4ed7acf031172..31277d3bb7dc1241 100644
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
 b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1367,22 +1367,25 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw 
*hw, bool force)
+  *  Checks to see of the link status of the hardware has changed.  If a
+  *  change in link status has been detected, then we read the PHY registers
+  *  to get the current speed/duplex if link exists.
++ *
++ *  Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
++ *  up).
+  **/
+ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ {
+   struct e1000_mac_info *mac = >mac;
+   s32 ret_val, tipg_reg = 0;
+   u16 emi_addr, emi_val = 0;
+   bool link;
+   u16 phy_reg;
+ 
+   /* We only want to go out to the PHY registers to see if Auto-Neg
+* has completed and/or if our link status has changed.  The
+* get_link_status flag is set upon receiving a Link Status
+* Change or Rx Sequence Error interrupt.
+*/
+   if (!mac->get_link_status)
+-  return 0;
++  return 1;
+ 
+   /* First we want to see if the MII Status Register reports
+* link.  If so, then we want to get the current speed/duplex
+@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct 
e1000_hw *hw)
+* different link partner.
+*/
+   ret_val = e1000e_config_fc_after_link_up(hw);
+-  if (ret_val)
++  if (ret_val) {
+   e_dbg("Error configuring flow control\n");
++  return ret_val;
++  }
+ 
+-  return ret_val;
++  return 1;
+ }
+ 
+ static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
+-- 
+2.15.1
+

Added: 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
===
--- 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch   
(rev 0)
+++ 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch   2017-12-15 
01:51:34 UTC (rev 274476)
@@ -0,0 +1,57 @@
+From 80d3e994e0631d9135cadf20a0b5ad483d7e9bbb Mon Sep 17 00:00:00 2001
+Message-Id: 
<80d3e994e0631d9135cadf20a0b5ad483d7e9bbb.1513282811.git.jan.steff...@gmail.com>
+In-Reply-To: 

+References: 

+From: Mohamed