From 540a56c51ac79f4bbbf927d1659f2467e3e89e1b Mon Sep 17 00:00:00 2001 From: Jan Alexander Steffens Date: Wed, 3 Jan 2018 07:21:25 +0000 Subject: [PATCH] 4.14.11-1 --- ...sallow-unprivileged-CLONE_NEWUSER-by.patch | 15 ++++--- ..._check_for_copper_link_ich8lan-retur.patch | 8 ++-- ...017-8824-use-after-free-in-DCCP-code.patch | 10 ++--- ...stack-out-of-bounds-read-in-xfrm_sta.patch | 12 +++--- ...ut-of-bounds-read-on-socket-policy-l.patch | 12 +++--- ...ask_iter-crash-on-CSS_TASK_ITER_PROC.patch | 10 ++--- ...-Do-not-enable-PTI-on-AMD-processors.patch | 42 ++++++++++++++++++ PKGBUILD | 43 +++++++++++-------- config | 3 +- 9 files changed, 104 insertions(+), 51 deletions(-) rename 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch => 0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch (87%) rename 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch => 0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch (82%) rename 0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch => 0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch (79%) rename 0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch => 0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch (80%) rename 0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch => 0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch (93%) create mode 100644 0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch index 29582c2..64341b9 100644 --- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch +++ b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch @@ -1,8 +1,9 @@ -From 5ec2dd3a095442ec1a21d86042a4994f2ba24e63 Mon Sep 17 00:00:00 2001 -Message-Id: <5ec2dd3a095442ec1a21d86042a4994f2ba24e63.1512651251.git.jan.steffens@gmail.com> +From fb89d912d5f7289d3a922c77b671e36e1c740f5e Mon Sep 17 00:00:00 2001 +Message-Id: From: Serge Hallyn Date: Fri, 31 May 2013 19:12:12 +0100 -Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default +Subject: [PATCH 1/7] add sysctl to disallow unprivileged CLONE_NEWUSER by + default Signed-off-by: Serge Hallyn [bwh: Remove unneeded binary sysctl bits] @@ -14,7 +15,7 @@ Signed-off-by: Daniel Micay 3 files changed, 30 insertions(+) diff --git a/kernel/fork.c b/kernel/fork.c -index 07cc743698d3668e..4011d68a8ff9305c 100644 +index 500ce64517d93e68..35f5860958b40e9b 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -102,6 +102,11 @@ @@ -29,7 +30,7 @@ index 07cc743698d3668e..4011d68a8ff9305c 100644 /* * Minimum number of threads to boot the kernel -@@ -1555,6 +1560,10 @@ static __latent_entropy struct task_struct *copy_process( +@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process( if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) return ERR_PTR(-EINVAL); @@ -40,7 +41,7 @@ index 07cc743698d3668e..4011d68a8ff9305c 100644 /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. -@@ -2348,6 +2357,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; @@ -54,7 +55,7 @@ index 07cc743698d3668e..4011d68a8ff9305c 100644 if (err) goto bad_unshare_out; diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index b86520ed3fb60fbf..f7dab3760839f1a1 100644 +index 56aca862c4f584f5..e8402ba393c1915d 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -105,6 +105,9 @@ extern int core_uses_pid; diff --git a/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch b/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch similarity index 87% rename from 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch rename to 0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch index 7e3ecbd..8c23c9a 100644 --- a/0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch +++ b/0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch @@ -1,8 +1,10 @@ -From c3c1af44db713ac6624e729ea4832d0ce70685e0 Mon Sep 17 00:00:00 2001 -Message-Id: +From 8c6956686606b9c3661e74a410c8cb2fc276c5ee Mon Sep 17 00:00:00 2001 +Message-Id: <8c6956686606b9c3661e74a410c8cb2fc276c5ee.1514959852.git.jan.steffens@gmail.com> +In-Reply-To: +References: From: Benjamin Poirier Date: Mon, 11 Dec 2017 16:26:40 +0900 -Subject: [PATCH 1/2] e1000e: Fix e1000_check_for_copper_link_ich8lan return +Subject: [PATCH 2/7] e1000e: Fix e1000_check_for_copper_link_ich8lan return value. e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan() diff --git a/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch b/0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch similarity index 82% rename from 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch rename to 0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch index 26311bf..d7872e2 100644 --- a/0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch +++ b/0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch @@ -1,10 +1,10 @@ -From 80d3e994e0631d9135cadf20a0b5ad483d7e9bbb Mon Sep 17 00:00:00 2001 -Message-Id: <80d3e994e0631d9135cadf20a0b5ad483d7e9bbb.1513282811.git.jan.steffens@gmail.com> -In-Reply-To: -References: +From b81e273fb227373a2951c7256ab11a87d5333a9d Mon Sep 17 00:00:00 2001 +Message-Id: +In-Reply-To: +References: From: Mohamed Ghannam Date: Tue, 5 Dec 2017 20:58:35 +0000 -Subject: [PATCH 2/2] dccp: CVE-2017-8824: use-after-free in DCCP code +Subject: [PATCH 3/7] dccp: CVE-2017-8824: use-after-free in DCCP code Whenever the sock object is in DCCP_CLOSED state, dccp_disconnect() must free dccps_hc_tx_ccid and diff --git a/0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch b/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch similarity index 79% rename from 0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch rename to 0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch index b44eb2a..4dca618 100644 --- a/0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch +++ b/0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch @@ -1,8 +1,10 @@ -From b0bfa7c33cead5dd87267cfd4c29fda47dc1adc4 Mon Sep 17 00:00:00 2001 -Message-Id: +From d03c0ef520f40c6de691c37e0f168c87b3423015 Mon Sep 17 00:00:00 2001 +Message-Id: +In-Reply-To: +References: From: Steffen Klassert Date: Wed, 15 Nov 2017 06:40:57 +0100 -Subject: [PATCH 1/3] Revert "xfrm: Fix stack-out-of-bounds read in +Subject: [PATCH 4/7] Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find." This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e. @@ -16,10 +18,10 @@ Signed-off-by: Steffen Klassert 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c -index 6eb228a70131069b..a2e531bf4f976308 100644 +index 2a6093840e7e856e..6bc16bb61b5533ef 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c -@@ -1361,29 +1361,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl, +@@ -1362,29 +1362,36 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl, struct net *net = xp_net(policy); int nx; int i, error; diff --git a/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch b/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch similarity index 80% rename from 0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch rename to 0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch index ad46144..edd7b24 100644 --- a/0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch +++ b/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch @@ -1,10 +1,10 @@ -From 1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f Mon Sep 17 00:00:00 2001 -Message-Id: <1c3a5e72b70bcfaf342075a3fa5fcbdf99302a3f.1514245012.git.jan.steffens@gmail.com> -In-Reply-To: -References: +From 3721d64246982f91a5bf863fc17ac60ff722e0c4 Mon Sep 17 00:00:00 2001 +Message-Id: <3721d64246982f91a5bf863fc17ac60ff722e0c4.1514959852.git.jan.steffens@gmail.com> +In-Reply-To: +References: From: Steffen Klassert Date: Fri, 22 Dec 2017 10:44:57 +0100 -Subject: [PATCH 2/3] xfrm: Fix stack-out-of-bounds read on socket policy +Subject: [PATCH 5/7] xfrm: Fix stack-out-of-bounds read on socket policy lookup. When we do tunnel or beet mode, we pass saddr and daddr from the @@ -24,7 +24,7 @@ Signed-off-by: Steffen Klassert 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c -index a2e531bf4f976308..c79ed3bed5d4dc2f 100644 +index 6bc16bb61b5533ef..50c5f46b5cca942e 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1169,9 +1169,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir, diff --git a/0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch b/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch similarity index 93% rename from 0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch rename to 0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch index 80a09f9..0a54ce1 100644 --- a/0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch +++ b/0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch @@ -1,10 +1,10 @@ -From a3c64fe9d978f3ee8f21fac5b410c63fe7cce725 Mon Sep 17 00:00:00 2001 -Message-Id: -In-Reply-To: -References: +From a79cb4d4e540c72a601ca0494e914565c16e2893 Mon Sep 17 00:00:00 2001 +Message-Id: +In-Reply-To: +References: From: Tejun Heo Date: Wed, 20 Dec 2017 07:09:19 -0800 -Subject: [PATCH 3/3] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC +Subject: [PATCH 6/7] cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC While teaching css_task_iter to handle skipping over tasks which aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to diff --git a/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch b/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch new file mode 100644 index 0000000..f3af870 --- /dev/null +++ b/0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch @@ -0,0 +1,42 @@ +From 51786b65797aed683ca72293a3cb86a2cab987c0 Mon Sep 17 00:00:00 2001 +Message-Id: <51786b65797aed683ca72293a3cb86a2cab987c0.1514959852.git.jan.steffens@gmail.com> +In-Reply-To: +References: +From: Tom Lendacky +Date: Tue, 26 Dec 2017 23:43:54 -0600 +Subject: [PATCH 7/7] x86/cpu, x86/pti: Do not enable PTI on AMD processors + +AMD processors are not subject to the types of attacks that the kernel +page table isolation feature protects against. The AMD microarchitecture +does not allow memory references, including speculative references, that +access higher privileged data when running in a lesser privileged mode +when that access would result in a page fault. + +Disable page table isolation by default on AMD processors by not setting +the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI +is set. + +Signed-off-by: Tom Lendacky +Reviewed-by: Borislav Petkov +--- + arch/x86/kernel/cpu/common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index f2a94dfb434e9a7c..b1be494ab4e8badf 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c) + + setup_force_cpu_cap(X86_FEATURE_ALWAYS); + +- /* Assume for now that ALL x86 CPUs are insecure */ +- setup_force_cpu_bug(X86_BUG_CPU_INSECURE); ++ if (c->x86_vendor != X86_VENDOR_AMD) ++ setup_force_cpu_bug(X86_BUG_CPU_INSECURE); + + fpu__init_system(c); + +-- +2.15.1 + diff --git a/PKGBUILD b/PKGBUILD index 314e6ee..a302a3c 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -4,7 +4,7 @@ pkgbase=linux # Build stock -ARCH kernel #pkgbase=linux-custom # Build kernel with a different name _srcname=linux-4.14 -pkgver=4.14.10 +pkgver=4.14.11 pkgrel=1 arch=('x86_64') url="https://www.kernel.org/" @@ -21,11 +21,12 @@ source=( '90-linux.hook' # pacman hook for initramfs regeneration 'linux.preset' # standard config files for mkinitcpio ramdisk 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - 0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch - 0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch - 0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch - 0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch - 0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch + 0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch + 0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch + 0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch + 0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch + 0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch + 0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds @@ -33,18 +34,19 @@ validpgpkeys=( ) sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7' 'SKIP' - '16f560aa713b46c707f04a226f67dc31fdd280aae57dd19e0413d61df5336c74' + 'f588b62d7ee1d2ebdc24afa0e256ff2f8812d5cab3bf572bf02e7c4525922bf9' 'SKIP' - '4d12ed868b05720c3d263c8454622c67bdee6969400049d7adac7b00907ad195' + '24b8cf6829dafcb2b5c76cffaae6438ad2d432f13d6551fa1c8f25e66b751ed4' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' - '37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85' - 'c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3' - '1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2' - 'ed3266ab03f836f57de0faf8a10ffd7566c909515c2649de99adaab2fac4aa32' - '64a014f7e1b4588728b3ea9538beee67ec63fb792d890c7be9cc13ddc2121b00' - '3d4c41086c077fbd515d04f5e59c0c258f700433c5da3365d960b696c2e56efb') + '06bc1d8b1cd153c3146a4376d833f5769b980e5ef5eae99ddaaeb48bf514dae2' + 'b90bef87574f30ec66c0f10d089bea56a9e974b6d052fee3071b1ff21360724b' + 'f38531dee9fd8a59202ce96ac5b40446f1f035b89788ea9ecb2fb3909f703a25' + '705d5fbfce00ccc20490bdfb5853d67d86ac00c845de6ecb13e414214b48daeb' + '0a249248534a17f14fab7e14994811ae81fe324668a82ff41f3bcabeeae1460f' + '8e1b303957ddd829c0c9ad7c012cd32f2354ff3c8c1b85da3d7f8a54524f3711' + '914a0a019545ad7d14ed8d5c58d417eb0a8ec12a756beec79a545aabda343b31') _kernelname=${pkgbase#linux} @@ -64,17 +66,20 @@ prepare() { patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch # https://bugs.archlinux.org/task/56575 - patch -Np1 -i ../0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch + patch -Np1 -i ../0002-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch # https://nvd.nist.gov/vuln/detail/CVE-2017-8824 - patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch + patch -Np1 -i ../0003-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch # https://bugs.archlinux.org/task/56605 - patch -Np1 -i ../0001-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch - patch -Np1 -i ../0002-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch + patch -Np1 -i ../0004-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_sta.patch + patch -Np1 -i ../0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch # https://bugs.archlinux.org/task/56846 - patch -Np1 -i ../0003-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch + patch -Np1 -i ../0006-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch + + # For AMD processors, keep PTI off by default + patch -Np1 -i ../0007-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch cp -Tf ../config .config diff --git a/config b/config index 852bc54..31a820d 100644 --- a/config +++ b/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.9-1 Kernel Configuration +# Linux/x86 4.14.11-1 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -8130,6 +8130,7 @@ CONFIG_SECURITY=y # CONFIG_SECURITY_WRITABLE_HOOKS is not set CONFIG_SECURITYFS=y # CONFIG_SECURITY_NETWORK is not set +CONFIG_PAGE_TABLE_ISOLATION=y # CONFIG_SECURITY_INFINIBAND is not set # CONFIG_SECURITY_PATH is not set # CONFIG_INTEL_TXT is not set