diff options
Diffstat (limited to 'libre')
3 files changed, 6 insertions, 141 deletions
diff --git a/libre/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/libre/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch index c6b567471..fced98119 100644 --- a/libre/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch +++ b/libre/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch @@ -1,8 +1,7 @@ -From e71668257d1353a7bd428ec90f0871b038db813b Mon Sep 17 00:00:00 2001 +From 4272e4eff36395bf7e89550111219bede31013e2 Mon Sep 17 00:00:00 2001 From: Serge Hallyn <serge.hallyn@canonical.com> Date: Fri, 31 May 2013 19:12:12 +0100 -Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by - default +Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> [bwh: Remove unneeded binary sysctl bits] @@ -54,7 +53,7 @@ index b69248e6f0e0..3b1cd11dc6dc 100644 if (err) goto bad_unshare_out; diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index ba4d9e85feb8..e88b93a850df 100644 +index d80bee8ff12e..ce7a1a5794a5 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -106,6 +106,9 @@ extern int core_uses_pid; diff --git a/libre/linux-libre-pae/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch b/libre/linux-libre-pae/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch deleted file mode 100644 index c092a69cb..000000000 --- a/libre/linux-libre-pae/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch +++ /dev/null @@ -1,131 +0,0 @@ -From 7a6c88347cc6dd3b0ade3be5e45cb932a07cec82 Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso <pablo@netfilter.org> -Date: Fri, 8 Mar 2019 00:58:53 +0100 -Subject: [PATCH 2/2] netfilter: nf_tables: fix set double-free in abort path - -The abort path can cause a double-free of an anonymous set. -Added-and-to-be-aborted rule looks like this: - -udp dport { 137, 138 } drop - -The to-be-aborted transaction list looks like this: - -newset -newsetelem -newsetelem -rule - -This gets walked in reverse order, so first pass disables the rule, the -set elements, then the set. - -After synchronize_rcu(), we then destroy those in same order: rule, set -element, set element, newset. - -Problem is that the anonymous set has already been bound to the rule, so -the rule (lookup expression destructor) already frees the set, when then -cause use-after-free when trying to delete the elements from this set, -then try to free the set again when handling the newset expression. - -Rule releases the bound set in first place from the abort path, this -causes the use-after-free on set element removal when undoing the new -element transactions. To handle this, skip new element transaction if -set is bound from the abort path. - -This is still causes the use-after-free on set element removal. To -handle this, remove transaction from the list when the set is already -bound. - -Joint work with Florian Westphal. - -Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path") -Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325 -Acked-by: Florian Westphal <fw@strlen.de> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - include/net/netfilter/nf_tables.h | 6 ++---- - net/netfilter/nf_tables_api.c | 17 +++++++++++------ - 2 files changed, 13 insertions(+), 10 deletions(-) - -diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h -index b4984bbbe157..3d58acf94dd2 100644 ---- a/include/net/netfilter/nf_tables.h -+++ b/include/net/netfilter/nf_tables.h -@@ -416,7 +416,8 @@ struct nft_set { - unsigned char *udata; - /* runtime data below here */ - const struct nft_set_ops *ops ____cacheline_aligned; -- u16 flags:14, -+ u16 flags:13, -+ bound:1, - genmask:2; - u8 klen; - u8 dlen; -@@ -1329,15 +1330,12 @@ struct nft_trans_rule { - struct nft_trans_set { - struct nft_set *set; - u32 set_id; -- bool bound; - }; - - #define nft_trans_set(trans) \ - (((struct nft_trans_set *)trans->data)->set) - #define nft_trans_set_id(trans) \ - (((struct nft_trans_set *)trans->data)->set_id) --#define nft_trans_set_bound(trans) \ -- (((struct nft_trans_set *)trans->data)->bound) - - struct nft_trans_chain { - bool update; -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index 4893f248dfdc..e1724f9d8b9d 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -127,7 +127,7 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) - list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { - if (trans->msg_type == NFT_MSG_NEWSET && - nft_trans_set(trans) == set) { -- nft_trans_set_bound(trans) = true; -+ set->bound = true; - break; - } - } -@@ -6617,8 +6617,7 @@ static void nf_tables_abort_release(struct nft_trans *trans) - nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); - break; - case NFT_MSG_NEWSET: -- if (!nft_trans_set_bound(trans)) -- nft_set_destroy(nft_trans_set(trans)); -+ nft_set_destroy(nft_trans_set(trans)); - break; - case NFT_MSG_NEWSETELEM: - nft_set_elem_destroy(nft_trans_elem_set(trans), -@@ -6691,8 +6690,11 @@ static int __nf_tables_abort(struct net *net) - break; - case NFT_MSG_NEWSET: - trans->ctx.table->use--; -- if (!nft_trans_set_bound(trans)) -- list_del_rcu(&nft_trans_set(trans)->list); -+ if (nft_trans_set(trans)->bound) { -+ nft_trans_destroy(trans); -+ break; -+ } -+ list_del_rcu(&nft_trans_set(trans)->list); - break; - case NFT_MSG_DELSET: - trans->ctx.table->use++; -@@ -6700,8 +6702,11 @@ static int __nf_tables_abort(struct net *net) - nft_trans_destroy(trans); - break; - case NFT_MSG_NEWSETELEM: -+ if (nft_trans_elem_set(trans)->bound) { -+ nft_trans_destroy(trans); -+ break; -+ } - te = (struct nft_trans_elem *)trans->data; -- - te->set->ops->remove(net, te->set, &te->elem); - atomic_dec(&te->set->nelems); - break; --- -2.21.0 - diff --git a/libre/linux-libre-pae/PKGBUILD b/libre/linux-libre-pae/PKGBUILD index c96f223df..2edebbe91 100644 --- a/libre/linux-libre-pae/PKGBUILD +++ b/libre/linux-libre-pae/PKGBUILD @@ -11,7 +11,7 @@ pkgbase=linux-libre-pae _srcbasever=5.0-gnu -_srcver=5.0.5-gnu +_srcver=5.0.6-gnu _replacesarchkernel=('linux%') # '%' gets replaced with _kernelname _replacesoldkernels=() # '%' gets replaced with _kernelname @@ -42,7 +42,6 @@ source=( 0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch 0002-fix-Atmel-maXTouch-touchscreen-support.patch 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch ) validpgpkeys=( '474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva @@ -50,7 +49,7 @@ validpgpkeys=( ) sha512sums=('56b8e77eb445c92c3e0ec0dc45fa5fb09641cad18003b79991652b83cf1d96cc1651750dfa9eec15652108a1b8aff1781c4f8ec5f92784b8542e59e0605922d9' 'SKIP' - '5331dacd07dca625cebb3a05cf9779fd2d9260d78cec072508a360506c2fcc23a8783b3961c8438849d0155ab9f00d2f907fe2329d5734fac9cba637ce06529c' + 'c015da00812cfc9cb16e408807338d2e09270e3b33deb85c5cab36e9c2e6155dbc2a3653d744de272032d524bbb59b428984debf1369e42b788b51caf4591526' 'SKIP' '13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3' 'SKIP' @@ -64,8 +63,7 @@ sha512sums=('56b8e77eb445c92c3e0ec0dc45fa5fb09641cad18003b79991652b83cf1d96cc165 '2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf' '02af4dd2a007e41db0c63822c8ab3b80b5d25646af1906dc85d0ad9bb8bbf5236f8e381d7f91cf99ed4b0978c50aee37cb9567cdeef65b7ec3d91b882852b1af' 'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168' - '0016e750127728458ab23ef445f92a8b52064806f235c03dd92e699a8bfb397d6274f6ba484a99af19ed729f6c63bab714bd350c7e7ed82c30a4b62b29857ff7' - '8348ecfeec519a41c68f1a97ec4b6007b3ed5ed61c271733d562ae22c6c85e4e217eb6c367bb53f3c53ad72f311360bd3aa57d09fba7cda358748c2bdd0416c2') + '7748427819372a27b5aa9b3ce8cc8c75397bc3a76ac4fddd06f497ce5a1b34c2e15b6301e764e6e007ad66a49bb3f9c49e906c179875e115d213d2682ddb2576') _kernelname=${pkgbase#linux-libre} _replacesarchkernel=("${_replacesarchkernel[@]/\%/${_kernelname}}") @@ -86,7 +84,6 @@ prepare() { # add Arch patches patch -p1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - patch -p1 -i ../0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch # maintain the TTY over USB disconnects # http://www.coreboot.org/EHCI_Gadget_Debug |