Diffstat (limited to 'libre')
-rw-r--r--libre/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch7
-rw-r--r--libre/linux-libre-pae/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch131
-rw-r--r--libre/linux-libre-pae/PKGBUILD9
3 files changed, 6 insertions, 141 deletions
diff --git a/libre/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/libre/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
index c6b567471..fced98119 100644
--- a/libre/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+++ b/libre/linux-libre-pae/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -1,8 +1,7 @@
-From e71668257d1353a7bd428ec90f0871b038db813b Mon Sep 17 00:00:00 2001
+From 4272e4eff36395bf7e89550111219bede31013e2 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn@canonical.com>
Date: Fri, 31 May 2013 19:12:12 +0100
-Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by
- default
+Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
[bwh: Remove unneeded binary sysctl bits]
@@ -54,7 +53,7 @@ index b69248e6f0e0..3b1cd11dc6dc 100644
if (err)
goto bad_unshare_out;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index ba4d9e85feb8..e88b93a850df 100644
+index d80bee8ff12e..ce7a1a5794a5 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -106,6 +106,9 @@ extern int core_uses_pid;
diff --git a/libre/linux-libre-pae/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch b/libre/linux-libre-pae/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
deleted file mode 100644
index c092a69cb..000000000
--- a/libre/linux-libre-pae/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From 7a6c88347cc6dd3b0ade3be5e45cb932a07cec82 Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Fri, 8 Mar 2019 00:58:53 +0100
-Subject: [PATCH 2/2] netfilter: nf_tables: fix set double-free in abort path
-
-The abort path can cause a double-free of an anonymous set.
-Added-and-to-be-aborted rule looks like this:
-
-udp dport { 137, 138 } drop
-
-The to-be-aborted transaction list looks like this:
-
-newset
-newsetelem
-newsetelem
-rule
-
-This gets walked in reverse order, so first pass disables the rule, the
-set elements, then the set.
-
-After synchronize_rcu(), we then destroy those in same order: rule, set
-element, set element, newset.
-
-Problem is that the anonymous set has already been bound to the rule, so
-the rule (lookup expression destructor) already frees the set, when then
-cause use-after-free when trying to delete the elements from this set,
-then try to free the set again when handling the newset expression.
-
-Rule releases the bound set in first place from the abort path, this
-causes the use-after-free on set element removal when undoing the new
-element transactions. To handle this, skip new element transaction if
-set is bound from the abort path.
-
-This is still causes the use-after-free on set element removal. To
-handle this, remove transaction from the list when the set is already
-bound.
-
-Joint work with Florian Westphal.
-
-Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
-Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325
-Acked-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- include/net/netfilter/nf_tables.h | 6 ++----
- net/netfilter/nf_tables_api.c | 17 +++++++++++------
- 2 files changed, 13 insertions(+), 10 deletions(-)
-
-diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
-index b4984bbbe157..3d58acf94dd2 100644
---- a/include/net/netfilter/nf_tables.h
-+++ b/include/net/netfilter/nf_tables.h
-@@ -416,7 +416,8 @@ struct nft_set {
- unsigned char *udata;
- /* runtime data below here */
- const struct nft_set_ops *ops ____cacheline_aligned;
-- u16 flags:14,
-+ u16 flags:13,
-+ bound:1,
- genmask:2;
- u8 klen;
- u8 dlen;
-@@ -1329,15 +1330,12 @@ struct nft_trans_rule {
- struct nft_trans_set {
- struct nft_set *set;
- u32 set_id;
-- bool bound;
- };
-
- #define nft_trans_set(trans) \
- (((struct nft_trans_set *)trans->data)->set)
- #define nft_trans_set_id(trans) \
- (((struct nft_trans_set *)trans->data)->set_id)
--#define nft_trans_set_bound(trans) \
-- (((struct nft_trans_set *)trans->data)->bound)
-
- struct nft_trans_chain {
- bool update;
-diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
-index 4893f248dfdc..e1724f9d8b9d 100644
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -127,7 +127,7 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
- list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
- if (trans->msg_type == NFT_MSG_NEWSET &&
- nft_trans_set(trans) == set) {
-- nft_trans_set_bound(trans) = true;
-+ set->bound = true;
- break;
- }
- }
-@@ -6617,8 +6617,7 @@ static void nf_tables_abort_release(struct nft_trans *trans)
- nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
- break;
- case NFT_MSG_NEWSET:
-- if (!nft_trans_set_bound(trans))
-- nft_set_destroy(nft_trans_set(trans));
-+ nft_set_destroy(nft_trans_set(trans));
- break;
- case NFT_MSG_NEWSETELEM:
- nft_set_elem_destroy(nft_trans_elem_set(trans),
-@@ -6691,8 +6690,11 @@ static int __nf_tables_abort(struct net *net)
- break;
- case NFT_MSG_NEWSET:
- trans->ctx.table->use--;
-- if (!nft_trans_set_bound(trans))
-- list_del_rcu(&nft_trans_set(trans)->list);
-+ if (nft_trans_set(trans)->bound) {
-+ nft_trans_destroy(trans);
-+ break;
-+ }
-+ list_del_rcu(&nft_trans_set(trans)->list);
- break;
- case NFT_MSG_DELSET:
- trans->ctx.table->use++;
-@@ -6700,8 +6702,11 @@ static int __nf_tables_abort(struct net *net)
- nft_trans_destroy(trans);
- break;
- case NFT_MSG_NEWSETELEM:
-+ if (nft_trans_elem_set(trans)->bound) {
-+ nft_trans_destroy(trans);
-+ break;
-+ }
- te = (struct nft_trans_elem *)trans->data;
--
- te->set->ops->remove(net, te->set, &te->elem);
- atomic_dec(&te->set->nelems);
- break;
---
-2.21.0
-
diff --git a/libre/linux-libre-pae/PKGBUILD b/libre/linux-libre-pae/PKGBUILD
index c96f223df..2edebbe91 100644
--- a/libre/linux-libre-pae/PKGBUILD
+++ b/libre/linux-libre-pae/PKGBUILD
@@ -11,7 +11,7 @@
pkgbase=linux-libre-pae
_srcbasever=5.0-gnu
-_srcver=5.0.5-gnu
+_srcver=5.0.6-gnu
_replacesarchkernel=('linux%') # '%' gets replaced with _kernelname
_replacesoldkernels=() # '%' gets replaced with _kernelname
@@ -42,7 +42,6 @@ source=(
0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch
0002-fix-Atmel-maXTouch-touchscreen-support.patch
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
- 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
)
validpgpkeys=(
'474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva
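Review bot: Dropping `0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch` from `source=()` here, and its `patch -p1 -i` call in the `prepare()` hunk further down, removes a memory-safety fix (double-free / use-after-free of an anonymous set in the nf_tables abort path) without recording why. Presumably the fix is already contained in the 5.0.6 sources that `_srcver` now selects, but nothing visible on this page confirms that. Before shipping, it is worth checking that the bumped tree's `net/netfilter/nf_tables_api.c` tests `nft_trans_set(trans)->bound` in `__nf_tables_abort`. A one-line comment beside the remaining Arch patch, e.g. `# nf_tables abort-path double-free fix dropped: carried by upstream 5.0.6 (verify)`, or the same statement in the commit message, would make the removal auditable.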
@@ -50,7 +49,7 @@ validpgpkeys=(
)
sha512sums=('56b8e77eb445c92c3e0ec0dc45fa5fb09641cad18003b79991652b83cf1d96cc1651750dfa9eec15652108a1b8aff1781c4f8ec5f92784b8542e59e0605922d9'
'SKIP'
- '5331dacd07dca625cebb3a05cf9779fd2d9260d78cec072508a360506c2fcc23a8783b3961c8438849d0155ab9f00d2f907fe2329d5734fac9cba637ce06529c'
+ 'c015da00812cfc9cb16e408807338d2e09270e3b33deb85c5cab36e9c2e6155dbc2a3653d744de272032d524bbb59b428984debf1369e42b788b51caf4591526'
'SKIP'
'13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3'
'SKIP'
@@ -64,8 +63,7 @@ sha512sums=('56b8e77eb445c92c3e0ec0dc45fa5fb09641cad18003b79991652b83cf1d96cc165
'2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf'
'02af4dd2a007e41db0c63822c8ab3b80b5d25646af1906dc85d0ad9bb8bbf5236f8e381d7f91cf99ed4b0978c50aee37cb9567cdeef65b7ec3d91b882852b1af'
'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168'
- '0016e750127728458ab23ef445f92a8b52064806f235c03dd92e699a8bfb397d6274f6ba484a99af19ed729f6c63bab714bd350c7e7ed82c30a4b62b29857ff7'
- '8348ecfeec519a41c68f1a97ec4b6007b3ed5ed61c271733d562ae22c6c85e4e217eb6c367bb53f3c53ad72f311360bd3aa57d09fba7cda358748c2bdd0416c2')
+ '7748427819372a27b5aa9b3ce8cc8c75397bc3a76ac4fddd06f497ce5a1b34c2e15b6301e764e6e007ad66a49bb3f9c49e906c179875e115d213d2682ddb2576')
_kernelname=${pkgbase#linux-libre}
_replacesarchkernel=("${_replacesarchkernel[@]/\%/${_kernelname}}")
@@ -86,7 +84,6 @@ prepare() {
# add Arch patches
patch -p1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
- patch -p1 -i ../0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
# maintain the TTY over USB disconnects
# http://www.coreboot.org/EHCI_Gadget_Debug