+++ /dev/null
-From 45f4251eac81036e2532b16d13f1ad421813eca9 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Thu, 13 Apr 2017 10:13:31 +0200
-Subject: [Zesty][PATCH 1/2] UBUNTU: SAUCE: net sched actions: fix access to uninitialized data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-(cherry-picked from http://marc.info/?l=linux-netdev&m=149200746116365 )
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
- net/sched/act_api.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/sched/act_api.c b/net/sched/act_api.c
-index 501c42d..32f12f5 100644
---- a/net/sched/act_api.c
-+++ b/net/sched/act_api.c
-@@ -607,7 +607,7 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
- if (err < 0)
- goto err_mod;
-
-- if (tb[TCA_ACT_COOKIE]) {
-+ if (name == NULL && tb[TCA_ACT_COOKIE]) {
- int cklen = nla_len(tb[TCA_ACT_COOKIE]);
-
- if (cklen > TC_COOKIE_MAX_SIZE) {
---
-2.1.4
-
+++ /dev/null
-From b3c6f3b25edface1ece9b30aa1fe5d6f9abae098 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Thu, 13 Apr 2017 10:13:32 +0200
-Subject: [Zesty][PATCH 2/2] UBUNTU: SAUCE: net sched actions: decrement module refcount earlier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
-
-Whether the reference count has to be decremented depends
-on whether the policy was created. If TCA_ACT_COOKIE is
-passed and an error occurs there, the same condition still
-has to be honored.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-(cherry-picked from http://marc.info/?l=linux-netdev&m=149200742616349)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
- net/sched/act_api.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/net/sched/act_api.c b/net/sched/act_api.c
-index 32f12f5..07068ca 100644
---- a/net/sched/act_api.c
-+++ b/net/sched/act_api.c
-@@ -607,28 +607,29 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
- if (err < 0)
- goto err_mod;
-
-+ /* module count goes up only when brand new policy is created
-+ * if it exists and is only bound to in a_o->init() then
-+ * ACT_P_CREATED is not returned (a zero is).
-+ */
-+ if (err != ACT_P_CREATED)
-+ module_put(a_o->owner);
-+
- if (name == NULL && tb[TCA_ACT_COOKIE]) {
- int cklen = nla_len(tb[TCA_ACT_COOKIE]);
-
- if (cklen > TC_COOKIE_MAX_SIZE) {
- err = -EINVAL;
- tcf_hash_release(a, bind);
-- goto err_mod;
-+ goto err_out;
- }
-
- if (nla_memdup_cookie(a, tb) < 0) {
- err = -ENOMEM;
- tcf_hash_release(a, bind);
-- goto err_mod;
-+ goto err_out;
- }
- }
-
-- /* module count goes up only when brand new policy is created
-- * if it exists and is only bound to in a_o->init() then
-- * ACT_P_CREATED is not returned (a zero is).
-- */
-- if (err != ACT_P_CREATED)
-- module_put(a_o->owner);
-
- return a;
-
---
-2.1.4
-
--- /dev/null
+From e18cf144f49054fa79d43689accdd2766618953d Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Mon, 24 Apr 2017 16:26:00 +0200
+Subject: [PATCH 1/2] net_sched: nla_memdup_cookie() can be static
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
+
+Fixes the following sparse warning:
+
+net/sched/act_api.c:532:5: warning:
+ symbol 'nla_memdup_cookie' was not declared. Should it be static?
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit 6f2e3f7d9785dacb358b48b44950182b5c13e4bc)
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Acked-by: Kamal Mostafa <kamal@canonical.com>
+Acked-by: Seth Forshee <seth.forshee@canonical.com>
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+---
+ net/sched/act_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index 501c42d..e336f30 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -532,7 +532,7 @@ int tcf_action_dump(struct sk_buff *skb, struct list_head *actions,
+ return err;
+ }
+
+-int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
++static int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
+ {
+ a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
+ if (!a->act_cookie)
+--
+2.1.4
+
--- /dev/null
+From 3fe083491bf6c688d34c6e300f14d775a5b8a443 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Mon, 24 Apr 2017 16:26:00 +0200
+Subject: [PATCH 2/2] net sched actions: allocate act cookie early
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
+
+Policing filters do not use the TCA_ACT_* enum and the tb[]
+nlattr array in tcf_action_init_1() doesn't get filled for
+them so we should not try to look for a TCA_ACT_COOKIE
+attribute in the then uninitialized array.
+The error handling in cookie allocation then calls
+tcf_hash_release() leading to invalid memory access later
+on.
+Additionally, if cookie allocation fails after an already
+existing non-policing filter has successfully been changed,
+tcf_action_release() should not be called, also we would
+have to roll back the changes in the error handling, so
+instead we now allocate the cookie early and assign it on
+success at the end.
+
+CVE-2017-7979
+Fixes: 1045ba77a596 ("net sched actions: Add support for user cookies")
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit e0535ce58b92d7baf0b33284a6c4f8f0338f943e)
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Acked-by: Kamal Mostafa <kamal@canonical.com>
+Acked-by: Seth Forshee <seth.forshee@canonical.com>
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ net/sched/act_api.c | 55 +++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 32 insertions(+), 23 deletions(-)
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index e336f30..bdbc7a9 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -532,20 +532,20 @@ int tcf_action_dump(struct sk_buff *skb, struct list_head *actions,
+ return err;
+ }
+
+-static int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
++static struct tc_cookie *nla_memdup_cookie(struct nlattr **tb)
+ {
+- a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
+- if (!a->act_cookie)
+- return -ENOMEM;
++ struct tc_cookie *c = kzalloc(sizeof(*c), GFP_KERNEL);
++ if (!c)
++ return NULL;
+
+- a->act_cookie->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
+- if (!a->act_cookie->data) {
+- kfree(a->act_cookie);
+- return -ENOMEM;
++ c->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
++ if (!c->data) {
++ kfree(c);
++ return NULL;
+ }
+- a->act_cookie->len = nla_len(tb[TCA_ACT_COOKIE]);
++ c->len = nla_len(tb[TCA_ACT_COOKIE]);
+
+- return 0;
++ return c;
+ }
+
+ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+@@ -554,6 +554,7 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+ {
+ struct tc_action *a;
+ struct tc_action_ops *a_o;
++ struct tc_cookie *cookie = NULL;
+ char act_name[IFNAMSIZ];
+ struct nlattr *tb[TCA_ACT_MAX + 1];
+ struct nlattr *kind;
+@@ -569,6 +570,18 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+ goto err_out;
+ if (nla_strlcpy(act_name, kind, IFNAMSIZ) >= IFNAMSIZ)
+ goto err_out;
++ if (tb[TCA_ACT_COOKIE]) {
++ int cklen = nla_len(tb[TCA_ACT_COOKIE]);
++
++ if (cklen > TC_COOKIE_MAX_SIZE)
++ goto err_out;
++
++ cookie = nla_memdup_cookie(tb);
++ if (!cookie) {
++ err = -ENOMEM;
++ goto err_out;
++ }
++ }
+ } else {
+ err = -EINVAL;
+ if (strlcpy(act_name, name, IFNAMSIZ) >= IFNAMSIZ)
+@@ -607,20 +620,12 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+ if (err < 0)
+ goto err_mod;
+
+- if (tb[TCA_ACT_COOKIE]) {
+- int cklen = nla_len(tb[TCA_ACT_COOKIE]);
+-
+- if (cklen > TC_COOKIE_MAX_SIZE) {
+- err = -EINVAL;
+- tcf_hash_release(a, bind);
+- goto err_mod;
+- }
+-
+- if (nla_memdup_cookie(a, tb) < 0) {
+- err = -ENOMEM;
+- tcf_hash_release(a, bind);
+- goto err_mod;
++ if (name == NULL && tb[TCA_ACT_COOKIE]) {
++ if (a->act_cookie) {
++ kfree(a->act_cookie->data);
++ kfree(a->act_cookie);
+ }
++ a->act_cookie = cookie;
+ }
+
+ /* module count goes up only when brand new policy is created
+@@ -635,6 +640,10 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+ err_mod:
+ module_put(a_o->owner);
+ err_out:
++ if (cookie) {
++ kfree(cookie->data);
++ kfree(cookie);
++ }
+ return ERR_PTR(err);
+ }
+
+--
+2.1.4
+
cd ${KERNEL_SRC}; patch -p1 < ../cgroup-cpuset-add-cpuset.remap_cpus.patch
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch
cd ${KERNEL_SRC}; patch -p1 < ../openvswitch-Set-internal-device-max-mtu-to-ETH_MAX_M.patch
- cd ${KERNEL_SRC}; patch -p1 < ../0001-net-sched-actions-fix-access-to-uninitialized-data.patch
- cd ${KERNEL_SRC}; patch -p1 < ../0002-net-sched-actions-decrement-module-refcount-earlier.patch
+ cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
+ cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch
sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
touch $@