[arch-commits] Commit in linux-hardened/trunk (4 files)
Date: Thursday, May 28, 2020 @ 07:11:59 Author: anthraxx Revision: 387749 upgpkg: linux-hardened 5.6.15.b-1 Modified: linux-hardened/trunk/0001-gcc-plugins-drop-support-for-GCC-4.7.patch linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config Deleted: linux-hardened/trunk/0002-gcc-common.h-Update-for-GCC-10.patch -+ 0001-gcc-plugins-drop-support-for-GCC-4.7.patch |4 0002-gcc-common.h-Update-for-GCC-10.patch | 92 -- PKGBUILD| 12 +- config |8 - 4 files changed, 12 insertions(+), 104 deletions(-) Modified: 0001-gcc-plugins-drop-support-for-GCC-4.7.patch === --- 0001-gcc-plugins-drop-support-for-GCC-4.7.patch 2020-05-28 06:08:34 UTC (rev 387748) +++ 0001-gcc-plugins-drop-support-for-GCC-4.7.patch 2020-05-28 07:11:59 UTC (rev 387749) @@ -264,7 +264,7 @@ index f2ee8bd7abc6..f22858b2c3d6 100644 --- a/scripts/gcc-plugins/Makefile +++ b/scripts/gcc-plugins/Makefile -@@ -1,30 +1,21 @@ +@@ -1,31 +1,22 @@ # SPDX-License-Identifier: GPL-2.0 -PLUGINCC := $(CONFIG_PLUGIN_HOSTCC:"%"=%) GCC_PLUGINS_DIR := $(shell $(CC) -print-file-name=plugin) @@ -278,11 +278,13 @@ - HOST_EXTRACXXFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu++98 -fno-rtti - HOST_EXTRACXXFLAGS += -fno-exceptions -fasynchronous-unwind-tables -ggdb - HOST_EXTRACXXFLAGS += -Wno-narrowing -Wno-unused-variable +- HOST_EXTRACXXFLAGS += -Wno-format-diag - export HOST_EXTRACXXFLAGS -endif +HOST_EXTRACXXFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu++98 -fno-rtti +HOST_EXTRACXXFLAGS += -fno-exceptions -fasynchronous-unwind-tables -ggdb +HOST_EXTRACXXFLAGS += -Wno-narrowing -Wno-unused-variable -Wno-c++11-compat ++HOST_EXTRACXXFLAGS += -Wno-format-diag $(obj)/randomize_layout_plugin.o: $(objtree)/$(obj)/randomize_layout_seed.h quiet_cmd_create_randomize_layout_seed = GENSEED $@ Deleted: 0002-gcc-common.h-Update-for-GCC-10.patch === --- 0002-gcc-common.h-Update-for-GCC-10.patch 2020-05-28 06:08:34 UTC (rev 387748) +++ 0002-gcc-common.h-Update-for-GCC-10.patch 2020-05-28 07:11:59 UTC (rev 387749) 
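Review bot: The second hunk of 0001-gcc-plugins-drop-support-for-GCC-4.7.patch folds in `+HOST_EXTRACXXFLAGS += -Wno-format-diag` without recording where that line comes from, while the 0002 patch deleted in the same commit carried its provenance (upstream 41e53fdbbf5121960fd44427c2ae7536d8fdd701, "gcc-common.h: Update for GCC 10"). Since 0001's own header lies outside this hunk, a one-line note there such as `[arch: -Wno-format-diag folded in from upstream 41e53fdbbf51 after dropping 0002]` would let the next rebase tell the Arch-local lines from the upstream ones. The deleted 0002 patch also touched scripts/gcc-plugins/gcc-common.h (4 lines in its diffstat: the params.h include and the duplicate is_a_helper()), and only the Makefile part is re-added here; that is presumably already present in the 5.6.15 stable tree, but the commit message does not say so and it is worth confirming before the gcc-plugins build on GCC 10 is relied on.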
@@ -1,92 +0,0 @@ -From 41e53fdbbf5121960fd44427c2ae7536d8fdd701 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= - -Date: Tue, 7 Apr 2020 13:32:59 +0200 -Subject: [PATCH 2/4] gcc-common.h: Update for GCC 10 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Remove "params.h" include, which has been dropped in GCC 10. - -Remove is_a_helper() macro, which is now defined in gimple.h, as seen -when running './scripts/gcc-plugin.sh g++ g++ gcc': - -In file included from :1: -./gcc-plugins/gcc-common.h:852:13: error: redefinition of ‘static bool is_a_helper::test(U*) [with U = const gimple; T = const ggoto*]’ - 852 | inline bool is_a_helper::test(const_gimple gs) - | ^~ -In file included from ./gcc-plugins/gcc-common.h:125, - from :1: -/usr/lib/gcc/x86_64-redhat-linux/10/plugin/include/gimple.h:1037:1: note: ‘static bool is_a_helper::test(U*) [with U = const gimple; T = const ggoto*]’ previously declared here - 1037 | is_a_helper ::test (const gimple *gs) - | ^~~ - -Add -Wno-format-diag to scripts/gcc-plugins/Makefile to avoid -meaningless warnings from error() formats used by plugins: - -scripts/gcc-plugins/structleak_plugin.c: In function ‘int plugin_init(plugin_name_args*, plugin_gcc_version*)’: -scripts/gcc-plugins/structleak_plugin.c:253:12: warning: unquoted sequence of 2 consecutive punctuation characters ‘'-’ in format [-Wformat-diag] - 253 | error(G_("unknown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); - |^ - -Signed-off-by: Frédéric Pierret (fepitre) -Link: https://lore.kernel.org/r/20200407113259.270172-1-frederic.pier...@qubes-os.org -[kees: include -Wno-format-diag for plugin builds] -Signed-off-by: Kees Cook - scripts/gcc-plugins/Makefile | 1 + - scripts/gcc-plugins/gcc-common.h | 4 - 2 files changed, 5 insertions(+) - -diff --git a/scripts/gcc-plugins/Makefile b/scripts/gcc-plugins/Makefile -index f22858b2c3d6..80f354289eeb 100644 
a/scripts/gcc-plugins/Makefile -+++ b/scripts/gcc-plugins/Makefile -@@ -4,6 +4,7 @@ GCC_PLUGINS_DIR := $(shell $(CC) -print-file-name=plugin) - HOST_EXTRACXXFLAGS += -I$(GCC_PLUGINS_DIR)/include -I$(src) -std=gnu++98 -fno-rtti - HOST_EXTRACXXFLAGS += -fno-exceptions -fasynchronous-unwind-tables -ggdb - HOST_EXTRACXXFLAGS += -Wno-narrowing -Wno-unused-variable -Wno-c++11-compat -+HOST_EXTRACXXFLAGS += -Wno-format-diag - - $(obj)/randomize_layout_plugin.o:
[arch-commits] Commit in linux-hardened/trunk (4 files)
Date: Friday, November 30, 2018 @ 07:56:24 Author: anthraxx Revision: 340654 upgpkg: linux-hardened 4.19.5.a-1 Modified: linux-hardened/trunk/90-linux.hook linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config.x86_64 linux-hardened/trunk/linux.install ---+ 90-linux.hook |2 +- PKGBUILD | 23 ++- config.x86_64 |2 +- linux.install |2 ++ 4 files changed, 14 insertions(+), 15 deletions(-) Modified: 90-linux.hook === --- 90-linux.hook 2018-11-30 07:42:31 UTC (rev 340653) +++ 90-linux.hook 2018-11-30 07:56:24 UTC (rev 340654) @@ -2,7 +2,7 @@ Type = File Operation = Install Operation = Upgrade -Target = boot/vmlinuz-%PKGBASE% +Target = usr/lib/modules/%KERNVER%/vmlinuz Target = usr/lib/initcpio/* [Action] Modified: PKGBUILD === --- PKGBUILD2018-11-30 07:42:31 UTC (rev 340653) +++ PKGBUILD2018-11-30 07:56:24 UTC (rev 340654) @@ -4,7 +4,7 @@ # Contributor: Thomas Baechler pkgbase=linux-hardened -_pkgver=4.19.4 +_pkgver=4.19.5 _hardenedver=a _srcname=linux-${_pkgver} pkgver=${_pkgver}.${_hardenedver} @@ -23,13 +23,13 @@ linux.preset # standard config files for mkinitcpio ramdisk ) replaces=('linux-grsec') -sha256sums=('a38f5606bba1f5611c798541f6c3d43267b8599d9e3167471d4b662e33ff47aa' +sha256sums=('8c839ec29cce7eb0e8ef7eaa10d1eb9d84d2be2521e352fb4f9414e76856ef75' 'SKIP' -'2779c1dc568958f54b012c5bef9e1e6e0bc714e02910e831a916c5f4d2ad43ce' +'8eb32a90c0c632ac20f2aed88c3914511ccb30d3ddc7630a2c493d8f4669c8c6' 'SKIP' -'3fcaa87fd4da7f155c9c7b3284b5b4a9cf9b5a459e4b278cc1ebc4e9943579ff' +'684c4e47f04970d78948720109905a63ef31097b5ef6d447f9a5dbe94169ed11' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' -'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' +'c043f3033bb781e2688794a59f6d1f7ed49ef9b13eb77ff9a425df33a244a636' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65') validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds 
@@ -82,22 +82,19 @@ install=linux.install local kernver="$(https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344 + install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz" + install -Dm644 "$modulesdir/vmlinuz" "$pkgdir/boot/vmlinuz-$pkgbase" msg2 "Installing modules..." - local modulesdir="$pkgdir/usr/lib/modules/$kernver" - mkdir -p "$modulesdir" make INSTALL_MOD_PATH="$pkgdir/usr" modules_install - # systemd expects to find the kernel here to allow hibernation - # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344 - ln -sr "$image" "$modulesdir/vmlinuz" - # a place for external modules, # with version file for building modules and running depmod from hook local extramodules="extramodules$_kernelname" Modified: config.x86_64 === --- config.x86_64 2018-11-30 07:42:31 UTC (rev 340653) +++ config.x86_64 2018-11-30 07:56:24 UTC (rev 340654) @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.19.4 Kernel Configuration +# Linux/x86 4.19.5 Kernel Configuration # # Modified: linux.install === --- linux.install 2018-11-30 07:42:31 UTC (rev 340653) +++ linux.install 2018-11-30 07:56:24 UTC (rev 340654) @@ -9,3 +9,5 @@ rm -f boot/initramfs-%PKGBASE%.img rm -f boot/initramfs-%PKGBASE%-fallback.img } + +# vim:set ft=sh ts=8 sts=2 sw=2 et:
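Review bot: The two added `install -Dm644 ... "$modulesdir/vmlinuz"` lines use `$modulesdir`, but this same hunk removes the `local modulesdir="$pkgdir/usr/lib/modules/$kernver"` declaration from the modules-install step below them; if the declaration was not moved above the hunk, `$modulesdir` is empty and the first install writes to `/vmlinuz` on the build host instead of under `$pkgdir`. The first removed line is garbled in the archive (`local kernver="$(https://github.com/systemd/...`), which looks like a `$(<version)` read eaten as markup, so the replacement declaration may well sit there; the point stands only if it does not. A cheap guard that makes the dependency explicit is `[[ -n $modulesdir ]] || return 1` before the first install. package()'s body continues outside this hunk.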
[arch-commits] Commit in linux-hardened/trunk (4 files)
Date: Friday, August 3, 2018 @ 14:06:40 Author: anthraxx Revision: 330486 upgpkg: linux-hardened 4.17.12.a-1 Modified: linux-hardened/trunk/60-linux.hook linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config.x86_64 Deleted: linux-hardened/trunk/ACPICA-AML-Parser-ignore-control-method-status-in-module-level-code.patch ---+ 60-linux.hook | 2 ACPICA-AML-Parser-ignore-control-method-status-in-module-level-code.patch | 53 -- PKGBUILD | 254 +- config.x86_64 | 4 4 files changed, 133 insertions(+), 180 deletions(-) Modified: 60-linux.hook === --- 60-linux.hook 2018-08-03 12:01:19 UTC (rev 330485) +++ 60-linux.hook 2018-08-03 14:06:40 UTC (rev 330486) @@ -9,4 +9,4 @@ [Action] Description = Updating %PKGBASE% module dependencies... When = PostTransaction -Exec = /usr/bin/depmod %KERNVER% +Exec = /usr/bin/depmod --quick %KERNVER% Deleted: ACPICA-AML-Parser-ignore-control-method-status-in-module-level-code.patch === --- ACPICA-AML-Parser-ignore-control-method-status-in-module-level-code.patch 2018-08-03 12:01:19 UTC (rev 330485) +++ ACPICA-AML-Parser-ignore-control-method-status-in-module-level-code.patch 2018-08-03 14:06:40 UTC (rev 330486) 
@@ -1,53 +0,0 @@ -From f51d7e02375963169fb1c1148ac3f96d54e97ec4 Mon Sep 17 00:00:00 2001 -From: Erik Schmauss -Date: Sat, 28 Jul 2018 14:49:55 +0200 -Subject: [PATCH] ACPICA: AML Parser: ignore control method status in - module-level code - -Previous change in the AML parser code blindly set all non-successful -dispatcher statuses to AE_OK. This approach is incorrect because -successful control method invocations from module-level return -AE_CTRL_TRANSFER. Overwriting AE_OK to this status causes the AML -parser to think that there was no return value from the control -method invocation. - -fixes: 73c2a01c52b6 (ACPICA: AML Parser: ignore dispatcher error status during table load) - -Reported-by: Linus Torvalds -Signed-off-by: Erik Schmauss - drivers/acpi/acpica/psloop.c | 19 --- - 1 file changed, 12 insertions(+), 7 deletions(-) - -diff --git a/drivers/acpi/acpica/psloop.c b/drivers/acpi/acpica/psloop.c -index ee840be150b5e..44f35ab3347d1 100644 a/drivers/acpi/acpica/psloop.c -+++ b/drivers/acpi/acpica/psloop.c -@@ -709,15 +709,20 @@ acpi_status acpi_ps_parse_loop(struct acpi_walk_state *walk_state) - } else - if ((walk_state-> -parse_flags & ACPI_PARSE_MODULE_LEVEL) -+ && status != AE_CTRL_TRANSFER - && ACPI_FAILURE(status)) { - /* -- * ACPI_PARSE_MODULE_LEVEL means that we are loading a table by -- * executing it as a control method. However, if we encounter -- * an error while loading the table, we need to keep trying to -- * load the table rather than aborting the table load. Set the -- * status to AE_OK to proceed with the table load. If we get a -- * failure at this point, it means that the dispatcher got an -- * error while processing Op (most likely an AML operand error. -+ * ACPI_PARSE_MODULE_LEVEL flag means that we are currently -+ * loading a table by executing it as a control method. 
-+ * However, if we encounter an error while loading the table, -+ * we need to keep trying to load the table rather than -+ * aborting the table load (setting the status to AE_OK -+ * continues the table load). If we get a failure at this -+ * point, it means that the dispatcher got an error while -+ * processing Op (most likely an AML operand error) or a -+ * control method was called from module level and the -+ * dispatcher returned AE_CTRL_TRANSFER. In the latter case, -+ * leave the status alone, there's nothing wrong with it. -*/ - status = AE_OK; - } Modified: PKGBUILD === --- PKGBUILD2018-08-03 12:01:19 UTC (rev 330485) +++ PKGBUILD
[arch-commits] Commit in linux-hardened/trunk (4 files)
Date: Wednesday, June 20, 2018 @ 00:52:57 Author: anthraxx Revision: 327312 upgpkg: linux-hardened 4.17.2.a-1 Added: linux-hardened/trunk/ACPI-watchdog-Prefer-iTCO_wdt-always-when-WDAT-table.patch Modified: linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config.x86_64 Deleted: linux-hardened/trunk/ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch + ACPI-watchdog-Prefer-iTCO_wdt-always-when-WDAT-table.patch | 129 ACPI-watchdog-Prefer-iTCO_wdt-on-Lenovo-Z50-70.patch | 117 --- PKGBUILD | 16 config.x86_64 | 326 --- 4 files changed, 275 insertions(+), 313 deletions(-) Added: ACPI-watchdog-Prefer-iTCO_wdt-always-when-WDAT-table.patch === --- ACPI-watchdog-Prefer-iTCO_wdt-always-when-WDAT-table.patch (rev 0) +++ ACPI-watchdog-Prefer-iTCO_wdt-always-when-WDAT-table.patch 2018-06-20 00:52:57 UTC (rev 327312) 
@@ -0,0 +1,129 @@ +From a0a37862a4e1844793d39aca9ccb8fecbdcb8659 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Tue, 22 May 2018 14:16:50 +0300 +Subject: [PATCH 3/3] ACPI / watchdog: Prefer iTCO_wdt always when WDAT table + uses RTC SRAM + +After we added quirk for Lenovo Z50-70 it turns out there are at least +two more systems where WDAT table includes instructions accessing RTC +SRAM. Instead of quirking each system separately, look for such +instructions in the table and automatically prefer iTCO_wdt if found. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199033 +Reported-by: Arnold Guy +Reported-by: Alois Nespor +Reported-by: Yury Pakin +Reported-by: Ihor Chyhin +Signed-off-by: Mika Westerberg +Acked-by: Guenter Roeck +--- + drivers/acpi/acpi_watchdog.c | 72 ++-- + 1 file changed, 45 insertions(+), 27 deletions(-) + +diff --git a/drivers/acpi/acpi_watchdog.c b/drivers/acpi/acpi_watchdog.c +index 4bde16fb97d8..95600309ce42 100644 +--- a/drivers/acpi/acpi_watchdog.c b/drivers/acpi/acpi_watchdog.c +@@ -12,54 +12,72 @@ + #define pr_fmt(fmt) "ACPI: watchdog: " fmt + + #include +-#include + #include + #include + + #include "internal.h" + +-static const struct dmi_system_id acpi_watchdog_skip[] = { +- { +- /* +- * On Lenovo Z50-70 there are two issues with the WDAT +- * table. First some of the instructions use RTC SRAM +- * to store persistent information. This does not work well +- * with Linux RTC driver. Second, more important thing is +- * that the instructions do not actually reset the system. +- * +- * On this particular system iTCO_wdt seems to work just +- * fine so we prefer that over WDAT for now. +- * +- * See also https://bugzilla.kernel.org/show_bug.cgi?id=199033. 
+- */ +- .ident = "Lenovo Z50-70", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "20354"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Z50-70"), +- }, +- }, +- {} +-}; ++#ifdef CONFIG_RTC_MC146818_LIB ++#include ++ ++/* ++ * There are several systems where the WDAT table is accessing RTC SRAM to ++ * store persistent information. This does not work well with the Linux RTC ++ * driver so on those systems we skip WDAT driver and prefer iTCO_wdt ++ * instead. ++ * ++ * See also https://bugzilla.kernel.org/show_bug.cgi?id=199033. ++ */ ++static bool acpi_watchdog_uses_rtc(const struct acpi_table_wdat *wdat) ++{ ++ const struct acpi_wdat_entry *entries; ++ int i; ++ ++ entries = (struct acpi_wdat_entry *)(wdat + 1); ++ for (i = 0; i < wdat->entries; i++) { ++ const struct acpi_generic_address *gas; ++ ++ gas = [i].register_region; ++ if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO) { ++ switch (gas->address) { ++ case RTC_PORT(0): ++ case RTC_PORT(1): ++ case RTC_PORT(2): ++ case RTC_PORT(3): ++ return true; ++ } ++ } ++ } ++ ++ return false; ++} ++#else ++static bool acpi_watchdog_uses_rtc(const struct acpi_table_wdat *wdat) ++{ ++ return false; ++} ++#endif + + static const struct acpi_table_wdat *acpi_watchdog_get_wdat(void) + { + const struct acpi_table_wdat *wdat = NULL; + acpi_status status; + + if (acpi_disabled) + return NULL; + +- if (dmi_check_system(acpi_watchdog_skip)) +- return NULL; +- + status = acpi_get_table(ACPI_SIG_WDAT, 0, +
[arch-commits] Commit in linux-hardened/trunk (4 files)
Date: Tuesday, February 6, 2018 @ 00:39:19 Author: anthraxx Revision: 289327 upgpkg: linux-hardened 4.14.17.a-1 - remove applied security patches Modified: linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config.x86_64 Deleted: linux-hardened/trunk/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch linux-hardened/trunk/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch -+ CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch | 78 -- CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch | 60 --- PKGBUILD | 14 - config.x86_64 |4 4 files changed, 8 insertions(+), 148 deletions(-) Deleted: CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch === --- CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch 2018-02-05 23:46:52 UTC (rev 289326) +++ CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch 2018-02-06 00:39:19 UTC (rev 289327) 
@@ -1,78 +0,0 @@ -From 4b380c42f7d00a395feede754f0bc2292eebe6e5 Mon Sep 17 00:00:00 2001 -From: Kevin Cernekee-Date: Sun, 3 Dec 2017 12:12:45 -0800 -Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks - -The capability check in nfnetlink_rcv() verifies that the caller -has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. -However, nfnl_cthelper_list is shared by all net namespaces on the -system. An unprivileged user can create user and net namespaces -in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() -check: - -$ nfct helper list -nfct v1.4.4: netlink error: Operation not permitted -$ vpnns -- nfct helper list -{ -.name = ftp, -.queuenum = 0, -.l3protonum = 2, -.l4protonum = 6, -.priv_data_len = 24, -.status = enabled, -}; - -Add capable() checks in nfnetlink_cthelper, as this is cleaner than -trying to generalize the solution. - -Signed-off-by: Kevin Cernekee -Signed-off-by: Pablo Neira Ayuso - net/netfilter/nfnetlink_cthelper.c | 10 ++ - 1 file changed, 10 insertions(+) - -diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c -index 41628b393673..d33ce6d5ebce 100644 a/net/netfilter/nfnetlink_cthelper.c -+++ b/net/netfilter/nfnetlink_cthelper.c -@@ -17,6 +17,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl, - struct nfnl_cthelper *nlcth; - int ret = 0; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) - return -EINVAL; - -@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl, - struct nfnl_cthelper *nlcth; - bool tuple_set = false; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (nlh->nlmsg_flags & NLM_F_DUMP) { - struct netlink_dump_control c = { - .dump = nfnl_cthelper_dump_table, -@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl, - struct 
nfnl_cthelper *nlcth, *n; - int j = 0, ret; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (tb[NFCTH_NAME]) - helper_name = nla_data(tb[NFCTH_NAME]); - --- -2.15.1 - Deleted: CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch === --- CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch 2018-02-05 23:46:52 UTC (rev 289326) +++ CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch 2018-02-06 00:39:19 UTC (rev 289327) @@ -1,60 +0,0 @@ -From 916a27901de01446bcf57ecca4783f6cff493309 Mon Sep 17 00:00:00 2001 -From: Kevin Cernekee -Date: Tue, 5 Dec 2017 15:42:41 -0800 -Subject: [PATCH] netfilter: xt_osf: Add missing permission checks - -The capability check in nfnetlink_rcv() verifies that the caller -has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. -However, xt_osf_fingers is shared by all net namespaces on the -system. An unprivileged user can create user and net namespaces -in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() -check: - -vpnns -- nfnl_osf -f /tmp/pf.os - -vpnns -- nfnl_osf -f /tmp/pf.os -d - -These non-root operations successfully modify the
[arch-commits] Commit in linux-hardened/trunk (4 files)
Date: Friday, December 15, 2017 @ 01:51:34 Author: anthraxx Revision: 274476 upgpkg: linux-hardened 4.14.6.a-1 Added: linux-hardened/trunk/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch linux-hardened/trunk/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch Modified: linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config.x86_64 -+ 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch | 73 ++ 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch | 57 +++ PKGBUILD| 27 ++- config.x86_64 | 70 + 4 files changed, 163 insertions(+), 64 deletions(-) Added: 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch === --- 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch (rev 0) +++ 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch 2017-12-15 01:51:34 UTC (rev 274476) 
@@ -0,0 +1,73 @@ +From c3c1af44db713ac6624e729ea4832d0ce70685e0 Mon Sep 17 00:00:00 2001 +Message-Id:+From: Benjamin Poirier +Date: Mon, 11 Dec 2017 16:26:40 +0900 +Subject: [PATCH 1/2] e1000e: Fix e1000_check_for_copper_link_ich8lan return + value. + +e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan() +are the two functions that may be assigned to mac.ops.check_for_link when +phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e: +Separate signaling for link check/link up") changed the meaning of the +return value of check_for_link for copper media but only adjusted the first +function. This patch adjusts the second function likewise. + +Reported-by: Christian Hesse +Reported-by: Gabriel C +Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047 +Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up") +Tested-by: Christian Hesse +Signed-off-by: Benjamin Poirier +--- + drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 --- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c +index d6d4ed7acf031172..31277d3bb7dc1241 100644 +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c +@@ -1367,22 +1367,25 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw *hw, bool force) + * Checks to see of the link status of the hardware has changed. If a + * change in link status has been detected, then we read the PHY registers + * to get the current speed/duplex if link exists. ++ * ++ * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link ++ * up). 
+ **/ + static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw) + { + struct e1000_mac_info *mac = >mac; + s32 ret_val, tipg_reg = 0; + u16 emi_addr, emi_val = 0; + bool link; + u16 phy_reg; + + /* We only want to go out to the PHY registers to see if Auto-Neg +* has completed and/or if our link status has changed. The +* get_link_status flag is set upon receiving a Link Status +* Change or Rx Sequence Error interrupt. +*/ + if (!mac->get_link_status) +- return 0; ++ return 1; + + /* First we want to see if the MII Status Register reports +* link. If so, then we want to get the current speed/duplex +@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw) +* different link partner. +*/ + ret_val = e1000e_config_fc_after_link_up(hw); +- if (ret_val) ++ if (ret_val) { + e_dbg("Error configuring flow control\n"); ++ return ret_val; ++ } + +- return ret_val; ++ return 1; + } + + static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter) +-- +2.15.1 + Added: 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch === --- 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch (rev 0) +++ 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch 2017-12-15 01:51:34 UTC (rev 274476) @@ -0,0 +1,57 @@ +From 80d3e994e0631d9135cadf20a0b5ad483d7e9bbb Mon Sep 17 00:00:00 2001 +Message-Id: <80d3e994e0631d9135cadf20a0b5ad483d7e9bbb.1513282811.git.jan.steff...@gmail.com> +In-Reply-To: +References: +From: Mohamed