4.10.13-100.fc24.gnu

5 files changed, 94 insertions, 9 deletions

diff --git a/freed-ora/current/f24/CVE-2017-7477.patch b/freed-ora/current/f24/CVE-2017-7477.patch
new file mode 100644
index 000000000..6405614cc
--- /dev/null
+++ b/freed-ora/current/f24/CVE-2017-7477.patch
@@ -0,0 +1,73 @@
+From 4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 21 Apr 2017 23:14:48 +0200
+Subject: macsec: avoid heap overflow in skb_to_sgvec
+
+While this may appear as a humdrum one line change, it's actually quite
+important. An sk_buff stores data in three places:
+
+1. A linear chunk of allocated memory in skb->data. This is the easiest
+   one to work with, but it precludes using scatterdata since the memory
+   must be linear.
+2. The array skb_shinfo(skb)->frags, which is of maximum length
+   MAX_SKB_FRAGS. This is nice for scattergather, since these fragments
+   can point to different pages.
+3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff,
+   which in turn can have data in either (1) or (2).
+
+The first two are rather easy to deal with, since they're of a fixed
+maximum length, while the third one is not, since there can be
+potentially limitless chains of fragments. Fortunately dealing with
+frag_list is opt-in for drivers, so drivers don't actually have to deal
+with this mess. For whatever reason, macsec decided it wanted pain, and
+so it explicitly specified NETIF_F_FRAGLIST.
+
+Because dealing with (1), (2), and (3) is insane, most users of sk_buff
+doing any sort of crypto or paging operation calls a convenient function
+called skb_to_sgvec (which happens to be recursive if (3) is in use!).
+This takes a sk_buff as input, and writes into its output pointer an
+array of scattergather list items. Sometimes people like to declare a
+fixed size scattergather list on the stack; othertimes people like to
+allocate a fixed size scattergather list on the heap. However, if you're
+doing it in a fixed-size fashion, you really shouldn't be using
+NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its
+frag_list children arent't shared and then you check the number of
+fragments in total required.)
+
+Macsec specifically does this:
+
+        size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
+        tmp = kmalloc(size, GFP_ATOMIC);
+        *sg = (struct scatterlist *)(tmp + sg_offset);
+	...
+        sg_init_table(sg, MAX_SKB_FRAGS + 1);
+        skb_to_sgvec(skb, sg, 0, skb->len);
+
+Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're
+using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will
+overflow the heap, and disaster ensues.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: stable@vger.kernel.org
+Cc: security@kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/macsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index ff0a5ed..dbab05a 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2716,7 +2716,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
+ }
+ 
+ #define MACSEC_FEATURES \
+-	(NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
++	(NETIF_F_SG | NETIF_F_HIGHDMA)
+ static struct lock_class_key macsec_netdev_addr_lock_key;
+ 
+ static int macsec_dev_init(struct net_device *dev)
+-- 
+cgit v1.1
+
diff --git a/freed-ora/current/f24/kernel.spec b/freed-ora/current/f24/kernel.spec
index 180935615..1350f8cf1 100644
--- a/freed-ora/current/f24/kernel.spec
+++ b/freed-ora/current/f24/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 12
+%define stable_update 13
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -661,6 +661,9 @@ Patch863: rhbz_1441310.patch
 # CVE-2017-7645 rhbz 1443615 1443617
 Patch866: CVE-2017-7645.patch
 
+# CVE-2017-7477 rhbz 1445207 1445208
+Patch867: CVE-2017-7477.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2327,6 +2330,15 @@ fi
 #
 # 
 %changelog
+* Thu Apr 27 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.10.13-gnu.
+
+* Thu Apr 27 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.13-200
+- Linux v4.10.13
+
+* Tue Apr 25 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2017-7477 (rhbz 1445207 1445208)
+
 * Sat Apr 22 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 4.10.12-gnu.
 
diff --git a/freed-ora/current/f24/patch-4.10-gnu-4.10.12-gnu.xz.sign b/freed-ora/current/f24/patch-4.10-gnu-4.10.12-gnu.xz.sign
deleted file mode 100644
index b02226bdb..000000000
--- a/freed-ora/current/f24/patch-4.10-gnu-4.10.12-gnu.xz.sign
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iEYEABECAAYFAlj6Tr0ACgkQvLfPh359R6eDEQCeKCoX2JnPBlC4mLOA3TnVENgG
-qeYAoKgMW8ugIoSFi7t5Xk3wn3x5Q02K
-=acOD
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f24/patch-4.10-gnu-4.10.13-gnu.xz.sign b/freed-ora/current/f24/patch-4.10-gnu-4.10.13-gnu.xz.sign
new file mode 100644
index 000000000..55b925773
--- /dev/null
+++ b/freed-ora/current/f24/patch-4.10-gnu-4.10.13-gnu.xz.sign
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iEYEABECAAYFAlkCkaoACgkQvLfPh359R6dmQgCfalLHVriV1Al6FxZIX7zezGGx
+vBYAnjfL/EtpLZfPcc1/3pt9GmSzVJXn
+=XSrJ
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f24/sources b/freed-ora/current/f24/sources
index 89f557a0c..850f5d75c 100644
--- a/freed-ora/current/f24/sources
+++ b/freed-ora/current/f24/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-libre-4.10-gnu.tar.xz) = 44d1774a1d43a15322297d351737fbcbf92c6f433266ce2b17587437d433562cf5811fdae48fafd5a8e00d18ed9ac2e1ad4b12a657f322eb234384316ad131e0
 SHA512 (perf-man-4.10.tar.gz) = 2c830e06f47211d70a8330961487af73a8bc01073019475e6b6131d3bb8c95658b77ca0ae5f1b44371accf103658bc5a3a4366b3e017a4088a8fd408dd6867e8
-SHA512 (patch-4.10-gnu-4.10.12-gnu.xz) = b0c542b4ae08fa3cdf7194cf6744e241162982b91ed31b01dfae03d879ebac7eba4e9434c065d500ca66e89a9f9f758c5854dc5aeecf667622932beabf80aa7c
+SHA512 (patch-4.10-gnu-4.10.13-gnu.xz) = ef0eb568775c55bde0f615237e827461aa8ee04cafb77783bc28fb6d040929f0802f53ad7c89b383342214fa080fc7e92b6f091cd7b695c5110615c0669ea3ea