summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--kernels/linux-libre-x86_64/0002-net-crypto-set-sk-to-NULL-when-af_alg_release.patch121
-rw-r--r--kernels/linux-libre-x86_64/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch131
-rw-r--r--kernels/linux-libre-x86_64/0003-exec-Fix-mem-leak-in-kernel_read_file.patch49
-rw-r--r--kernels/linux-libre-x86_64/PKGBUILD21
4 files changed, 140 insertions, 182 deletions
diff --git a/kernels/linux-libre-x86_64/0002-net-crypto-set-sk-to-NULL-when-af_alg_release.patch b/kernels/linux-libre-x86_64/0002-net-crypto-set-sk-to-NULL-when-af_alg_release.patch
deleted file mode 100644
index b88dd07df..000000000
--- a/kernels/linux-libre-x86_64/0002-net-crypto-set-sk-to-NULL-when-af_alg_release.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From 39ed3f341657277612ad6879fbc460198c6e5396 Mon Sep 17 00:00:00 2001
-From: Mao Wenan <maowenan@huawei.com>
-Date: Mon, 18 Feb 2019 10:44:44 +0800
-Subject: [PATCH 2/3] net: crypto set sk to NULL when af_alg_release.
-
-KASAN has found use-after-free in sockfs_setattr.
-The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close()
-and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
-that crypto module forgets to set the sk to NULL after af_alg_release.
-
-KASAN report details as below:
-BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
-Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
-
-CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
-1.10.2-1ubuntu1 04/01/2014
-Call Trace:
- dump_stack+0xca/0x13e
- print_address_description+0x79/0x330
- ? vprintk_func+0x5e/0xf0
- kasan_report+0x18a/0x2e0
- ? sockfs_setattr+0x120/0x150
- sockfs_setattr+0x120/0x150
- ? sock_register+0x2d0/0x2d0
- notify_change+0x90c/0xd40
- ? chown_common+0x2ef/0x510
- chown_common+0x2ef/0x510
- ? chmod_common+0x3b0/0x3b0
- ? __lock_is_held+0xbc/0x160
- ? __sb_start_write+0x13d/0x2b0
- ? __mnt_want_write+0x19a/0x250
- do_fchownat+0x15c/0x190
- ? __ia32_sys_chmod+0x80/0x80
- ? trace_hardirqs_on_thunk+0x1a/0x1c
- __x64_sys_fchownat+0xbf/0x160
- ? lockdep_hardirqs_on+0x39a/0x5e0
- do_syscall_64+0xc8/0x580
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-RIP: 0033:0x462589
-Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
-f7 48 89 d6 48 89
-ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
-48 c7 c1 bc ff ff
-ff f7 d8 64 89 01 48
-RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
-RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
-RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
-RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
-R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
-R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
-
-Allocated by task 4185:
- kasan_kmalloc+0xa0/0xd0
- __kmalloc+0x14a/0x350
- sk_prot_alloc+0xf6/0x290
- sk_alloc+0x3d/0xc00
- af_alg_accept+0x9e/0x670
- hash_accept+0x4a3/0x650
- __sys_accept4+0x306/0x5c0
- __x64_sys_accept4+0x98/0x100
- do_syscall_64+0xc8/0x580
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-Freed by task 4184:
- __kasan_slab_free+0x12e/0x180
- kfree+0xeb/0x2f0
- __sk_destruct+0x4e6/0x6a0
- sk_destruct+0x48/0x70
- __sk_free+0xa9/0x270
- sk_free+0x2a/0x30
- af_alg_release+0x5c/0x70
- __sock_release+0xd3/0x280
- sock_close+0x1a/0x20
- __fput+0x27f/0x7f0
- task_work_run+0x136/0x1b0
- exit_to_usermode_loop+0x1a7/0x1d0
- do_syscall_64+0x461/0x580
- entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-Syzkaller reproducer:
-r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
-0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
-0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
-0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
-0xffffffffffffffff, 0x0)
-r1 = socket$alg(0x26, 0x5, 0x0)
-getrusage(0x0, 0x0)
-bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
-'sha256-ssse3\x00'}, 0x80)
-r2 = accept(r1, 0x0, 0x0)
-r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
-r4 = dup3(r3, r0, 0x0)
-fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
-
-Fixes: 6d8c50dcb029 ("socket: close race condition between sock_close() and sockfs_setattr()")
-Signed-off-by: Mao Wenan <maowenan@huawei.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- crypto/af_alg.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/af_alg.c b/crypto/af_alg.c
-index 17eb09d222ff..ec78a04eb136 100644
---- a/crypto/af_alg.c
-+++ b/crypto/af_alg.c
-@@ -122,8 +122,10 @@ static void alg_do_release(const struct af_alg_type *type, void *private)
-
- int af_alg_release(struct socket *sock)
- {
-- if (sock->sk)
-+ if (sock->sk) {
- sock_put(sock->sk);
-+ sock->sk = NULL;
-+ }
- return 0;
- }
- EXPORT_SYMBOL_GPL(af_alg_release);
---
-2.20.1
-
diff --git a/kernels/linux-libre-x86_64/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch b/kernels/linux-libre-x86_64/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
new file mode 100644
index 000000000..c092a69cb
--- /dev/null
+++ b/kernels/linux-libre-x86_64/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
@@ -0,0 +1,131 @@
+From 7a6c88347cc6dd3b0ade3be5e45cb932a07cec82 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 8 Mar 2019 00:58:53 +0100
+Subject: [PATCH 2/2] netfilter: nf_tables: fix set double-free in abort path
+
+The abort path can cause a double-free of an anonymous set.
+Added-and-to-be-aborted rule looks like this:
+
+udp dport { 137, 138 } drop
+
+The to-be-aborted transaction list looks like this:
+
+newset
+newsetelem
+newsetelem
+rule
+
+This gets walked in reverse order, so first pass disables the rule, the
+set elements, then the set.
+
+After synchronize_rcu(), we then destroy those in same order: rule, set
+element, set element, newset.
+
+Problem is that the anonymous set has already been bound to the rule, so
+the rule (lookup expression destructor) already frees the set, when then
+cause use-after-free when trying to delete the elements from this set,
+then try to free the set again when handling the newset expression.
+
+Rule releases the bound set in first place from the abort path, this
+causes the use-after-free on set element removal when undoing the new
+element transactions. To handle this, skip new element transaction if
+set is bound from the abort path.
+
+This is still causes the use-after-free on set element removal. To
+handle this, remove transaction from the list when the set is already
+bound.
+
+Joint work with Florian Westphal.
+
+Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
+Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/net/netfilter/nf_tables.h | 6 ++----
+ net/netfilter/nf_tables_api.c | 17 +++++++++++------
+ 2 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index b4984bbbe157..3d58acf94dd2 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -416,7 +416,8 @@ struct nft_set {
+ unsigned char *udata;
+ /* runtime data below here */
+ const struct nft_set_ops *ops ____cacheline_aligned;
+- u16 flags:14,
++ u16 flags:13,
++ bound:1,
+ genmask:2;
+ u8 klen;
+ u8 dlen;
+@@ -1329,15 +1330,12 @@ struct nft_trans_rule {
+ struct nft_trans_set {
+ struct nft_set *set;
+ u32 set_id;
+- bool bound;
+ };
+
+ #define nft_trans_set(trans) \
+ (((struct nft_trans_set *)trans->data)->set)
+ #define nft_trans_set_id(trans) \
+ (((struct nft_trans_set *)trans->data)->set_id)
+-#define nft_trans_set_bound(trans) \
+- (((struct nft_trans_set *)trans->data)->bound)
+
+ struct nft_trans_chain {
+ bool update;
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4893f248dfdc..e1724f9d8b9d 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -127,7 +127,7 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
+ list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
+ if (trans->msg_type == NFT_MSG_NEWSET &&
+ nft_trans_set(trans) == set) {
+- nft_trans_set_bound(trans) = true;
++ set->bound = true;
+ break;
+ }
+ }
+@@ -6617,8 +6617,7 @@ static void nf_tables_abort_release(struct nft_trans *trans)
+ nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
+ break;
+ case NFT_MSG_NEWSET:
+- if (!nft_trans_set_bound(trans))
+- nft_set_destroy(nft_trans_set(trans));
++ nft_set_destroy(nft_trans_set(trans));
+ break;
+ case NFT_MSG_NEWSETELEM:
+ nft_set_elem_destroy(nft_trans_elem_set(trans),
+@@ -6691,8 +6690,11 @@ static int __nf_tables_abort(struct net *net)
+ break;
+ case NFT_MSG_NEWSET:
+ trans->ctx.table->use--;
+- if (!nft_trans_set_bound(trans))
+- list_del_rcu(&nft_trans_set(trans)->list);
++ if (nft_trans_set(trans)->bound) {
++ nft_trans_destroy(trans);
++ break;
++ }
++ list_del_rcu(&nft_trans_set(trans)->list);
+ break;
+ case NFT_MSG_DELSET:
+ trans->ctx.table->use++;
+@@ -6700,8 +6702,11 @@ static int __nf_tables_abort(struct net *net)
+ nft_trans_destroy(trans);
+ break;
+ case NFT_MSG_NEWSETELEM:
++ if (nft_trans_elem_set(trans)->bound) {
++ nft_trans_destroy(trans);
++ break;
++ }
+ te = (struct nft_trans_elem *)trans->data;
+-
+ te->set->ops->remove(net, te->set, &te->elem);
+ atomic_dec(&te->set->nelems);
+ break;
+--
+2.21.0
+
diff --git a/kernels/linux-libre-x86_64/0003-exec-Fix-mem-leak-in-kernel_read_file.patch b/kernels/linux-libre-x86_64/0003-exec-Fix-mem-leak-in-kernel_read_file.patch
deleted file mode 100644
index e8c87ad80..000000000
--- a/kernels/linux-libre-x86_64/0003-exec-Fix-mem-leak-in-kernel_read_file.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 3096ba94fa87b22664baa91e71a55ce698bb8aed Mon Sep 17 00:00:00 2001
-From: YueHaibing <yuehaibing@huawei.com>
-Date: Tue, 19 Feb 2019 10:10:38 +0800
-Subject: [PATCH 3/3] exec: Fix mem leak in kernel_read_file
-
-syzkaller report this:
-BUG: memory leak
-unreferenced object 0xffffc9000488d000 (size 9195520):
- comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
- hex dump (first 32 bytes):
- ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................
- 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z.....
- backtrace:
- [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
- [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
- [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
- [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
- [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
- [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
- [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
- [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
- [<00000000241f889b>] 0xffffffffffffffff
-
-It should goto 'out_free' lable to free allocated buf while kernel_read
-fails.
-
-Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
-Signed-off-by: YueHaibing <yuehaibing@huawei.com>
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
----
- fs/exec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fs/exec.c b/fs/exec.c
-index fc281b738a98..20c33029a062 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -929,7 +929,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
- bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
- if (bytes < 0) {
- ret = bytes;
-- goto out;
-+ goto out_free;
- }
-
- if (bytes == 0)
---
-2.20.1
-
diff --git a/kernels/linux-libre-x86_64/PKGBUILD b/kernels/linux-libre-x86_64/PKGBUILD
index 98b39e318..cfbf3893f 100644
--- a/kernels/linux-libre-x86_64/PKGBUILD
+++ b/kernels/linux-libre-x86_64/PKGBUILD
@@ -11,8 +11,8 @@
pkgbase=linux-libre-x86_64 # Build stock kernel
#pkgbase=linux-libre-custom # Build kernel with a different name
-_srcbasever=4.20-gnu
-_srcver=4.20.11-gnu
+_srcbasever=5.0-gnu
+_srcver=5.0.2-gnu
_replacesarchkernel=('linux%') # '%' gets replaced with _kernelname
_replacesoldkernels=() # '%' gets replaced with _kernelname
@@ -23,7 +23,7 @@ _archpkgver=${_srcver%-*}
pkgver=${_srcver//-/_}
pkgrel=1
arch=(i686)
-url="https://linux-libre.fsfla.org/"
+url='https://linux-libre.fsfla.org/'
license=(GPL2)
makedepends=(xmlto kmod inetutils bc libelf python-sphinx graphviz)
makedepends+=('x86_64-pc-linux-gnu-gcc')
@@ -44,16 +44,15 @@ source=(
0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch
0002-fix-Atmel-maXTouch-touchscreen-support.patch
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
- 0002-net-crypto-set-sk-to-NULL-when-af_alg_release.patch
- 0003-exec-Fix-mem-leak-in-kernel_read_file.patch
+ 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
)
validpgpkeys=(
'474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva
'6DB9C4B4F0D8C0DC432CF6E4227CA7C556B2BA78' # David P.
)
-sha512sums=('a4a0a25fd490c051deb32ff84ba51e8807bfc8db1ad46c22c7807e9be2e5db5e1c22c211e47fca2509d5d75d64626fb28e9bbc8ccadc565f27fe9c8e47e12dc4'
+sha512sums=('56b8e77eb445c92c3e0ec0dc45fa5fb09641cad18003b79991652b83cf1d96cc1651750dfa9eec15652108a1b8aff1781c4f8ec5f92784b8542e59e0605922d9'
'SKIP'
- '3cb387665734be799f3c833939f0938e17216f08aff5113a85a845dcf382d997f3574e8ea30c0fb6d5e85295106a347324c3b50858939d4568b6fa25c40a05ff'
+ '2eee919805705709ef5493e0a0e1f7baeb71fed20da7ee06c09546c8976046568447422fc4f0b70178a645840a5a3d46946b4573ea42c025182916cb13bb849a'
'SKIP'
'13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3'
'SKIP'
@@ -68,8 +67,7 @@ sha512sums=('a4a0a25fd490c051deb32ff84ba51e8807bfc8db1ad46c22c7807e9be2e5db5e1c2
'02af4dd2a007e41db0c63822c8ab3b80b5d25646af1906dc85d0ad9bb8bbf5236f8e381d7f91cf99ed4b0978c50aee37cb9567cdeef65b7ec3d91b882852b1af'
'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168'
'9d24dff68a11aee6b5f1b6b003b27603a8c431e76c3cb638e852cd8c0ccd2a298b1116bbad0dc816e9de7d987dcf329a5d250673067ec125760eee543f65eed5'
- '67710358e51ffd30aaf64351e6c3542bdfa9e4e3db43ee38fca8b15357d71be3cd18db0180d196c8b2d44781ce2625e5b709d496dea0723d0616ebdfb048028a'
- 'e81e85b98f126a1e298d54a289659e648582070db617194a8ed13796535341f3a052e3103ee87c4d9bd797103429b883ae2e761cb6f4b61b15f0c0fea017ff95')
+ '8348ecfeec519a41c68f1a97ec4b6007b3ed5ed61c271733d562ae22c6c85e4e217eb6c367bb53f3c53ad72f311360bd3aa57d09fba7cda358748c2bdd0416c2')
_kernelname=${pkgbase#linux-libre}
_replacesarchkernel=("${_replacesarchkernel[@]/\%/${_kernelname}}")
@@ -90,10 +88,9 @@ prepare() {
install -m644 -t drivers/video/logo \
../logo_linux_{clut224.ppm,vga16.ppm,mono.pbm}
- # Arch's linux patches
+ # add Arch patches
patch -p1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
- patch -p1 -i ../0002-net-crypto-set-sk-to-NULL-when-af_alg_release.patch
- patch -p1 -i ../0003-exec-Fix-mem-leak-in-kernel_read_file.patch
+ patch -p1 -i ../0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
# maintain the TTY over USB disconnects
# http://www.coreboot.org/EHCI_Gadget_Debug