author | Salvatore Bonaccorso <carnil@debian.org> | 2022-02-25 23:31:15 +0100 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-02-25 23:31:15 +0100 |
commit | ec3f28f8c0e89b7bee8b21e7cae44495048c9376 (patch) | |
tree | 32ddfefafaa94333b0ab416e3f0b2fde773ec5cf /debian/patches | |
parent | d9316ddf62e8fc567f5fa100174fd7126eaba60c (diff) | |
parent | ee817157ee8ed9e1d8cd19ec65bbe898efb472fe (diff) | |
download | linux-debian-ec3f28f8c0e89b7bee8b21e7cae44495048c9376.tar.gz |
Merge tag 'debian/5.16.11-1'
Release linux (5.16.11-1).
Drop patches applied upstream
Diffstat (limited to 'debian/patches')
4 files changed, 241 insertions, 0 deletions
diff --git a/debian/patches/bugfix/all/cgroup-v1-Correct-privileges-check-in-release_agent-.patch b/debian/patches/bugfix/all/cgroup-v1-Correct-privileges-check-in-release_agent-.patch
new file mode 100644
index 000000000..dc45c8781
--- /dev/null
+++ b/debian/patches/bugfix/all/cgroup-v1-Correct-privileges-check-in-release_agent-.patch
@@ -0,0 +1,55 @@
+From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
+Date: Thu, 17 Feb 2022 17:11:28 +0100
+Subject: cgroup-v1: Correct privileges check in release_agent writes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/467a726b754f474936980da793b4ff2ec3e382a7
+
+The idea is to check: a) the owning user_ns of cgroup_ns, b)
+capabilities in init_user_ns.
+
+The commit 24f600856418 ("cgroup-v1: Require capabilities to set
+release_agent") got this wrong in the write handler of release_agent
+since it checked user_ns of the opener (may be different from the owning
+user_ns of cgroup_ns).
+Secondly, to avoid possibly confused deputy, the capability of the
+opener must be checked.
+
+Fixes: 24f600856418 ("cgroup-v1: Require capabilities to set release_agent")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/stable/20220216121142.GB30035@blackbody.suse.cz/
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+Reviewed-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+---
+ kernel/cgroup/cgroup-v1.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
+index 0e877dbcfeea..afc6c0e9c966 100644
+--- a/kernel/cgroup/cgroup-v1.c
++++ b/kernel/cgroup/cgroup-v1.c
+@@ -546,6 +546,7 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
+ char *buf, size_t nbytes, loff_t off)
+ {
+ struct cgroup *cgrp;
++ struct cgroup_file_ctx *ctx;
+
+ BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+
+@@ -553,8 +554,9 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
+ * Release agent gets called with all capabilities,
+ * require capabilities to set release agent.
+ */
+- if ((of->file->f_cred->user_ns != &init_user_ns) ||
+- !capable(CAP_SYS_ADMIN))
++ ctx = of->priv;
++ if ((ctx->ns->user_ns != &init_user_ns) ||
++ !file_ns_capable(of->file, &init_user_ns, CAP_SYS_ADMIN))
+ return -EPERM;
+
+ cgrp = cgroup_kn_lock_live(of->kn, false);
+--
+2.35.1
+
diff --git a/debian/patches/bugfix/all/netfilter-nf_tables_offload-incorrect-flow-offload-a.patch b/debian/patches/bugfix/all/netfilter-nf_tables_offload-incorrect-flow-offload-a.patch
new file mode 100644
index 000000000..27353d1d8
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-nf_tables_offload-incorrect-flow-offload-a.patch
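Review bot: The comment above the rewritten check in cgroup_release_agent_write still only says that capabilities are required, while the new condition encodes two distinct requirements: the cgroup namespace the file was opened in must be owned by init_user_ns (`ctx->ns->user_ns`), and the opener's credentials held in the file (`file_ns_capable(of->file, ...)`, i.e. the same f_cred the removed line read) must carry CAP_SYS_ADMIN in init_user_ns, rather than the current writer's credentials via `capable()`. The commit message explains both points, including the confused-deputy case the second one closes, but none of that reaches the code. I would extend the comment with `* Check the owning user_ns of the cgroup namespace (not the opener's user_ns) and the opener's own credentials, so a privileged writer cannot act as a deputy for an unprivileged opener.`. The rest of cgroup_release_agent_write lies outside the hunk.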
@@ -0,0 +1,150 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 17 Feb 2022 23:41:20 +0100
+Subject: netfilter: nf_tables_offload: incorrect flow offload action array
+ size
+Origin: https://git.kernel.org/linus/b1a5983f56e371046dcf164f90bfaf704d2b89f6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-25636
+
+immediate verdict expression needs to allocate one slot in the flow offload
+action array, however, immediate data expression does not need to do so.
+
+fwd and dup expression need to allocate one slot, this is missing.
+
+Add a new offload_action interface to report if this expression needs to
+allocate one slot in the flow offload action array.
+
+Fixes: be2861dc36d7 ("netfilter: nft_{fwd,dup}_netdev: add offload support")
+Reported-and-tested-by: Nick Gregory <Nick.Gregory@Sophos.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/net/netfilter/nf_tables.h | 2 +-
+ include/net/netfilter/nf_tables_offload.h | 2 --
+ net/netfilter/nf_tables_offload.c | 3 ++-
+ net/netfilter/nft_dup_netdev.c | 6 ++++++
+ net/netfilter/nft_fwd_netdev.c | 6 ++++++
+ net/netfilter/nft_immediate.c | 12 +++++++++++-
+ 6 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index eaf55da9a205..c4c0861deac1 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -905,9 +905,9 @@ struct nft_expr_ops {
+ int (*offload)(struct nft_offload_ctx *ctx,
+ struct nft_flow_rule *flow,
+ const struct nft_expr *expr);
++ bool (*offload_action)(const struct nft_expr *expr);
+ void (*offload_stats)(struct nft_expr *expr,
+ const struct flow_stats *stats);
+- u32 offload_flags;
+ const struct nft_expr_type *type;
+ void *data;
+ };
+diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
+index f9d95ff82df8..797147843958 100644
+--- a/include/net/netfilter/nf_tables_offload.h
++++ b/include/net/netfilter/nf_tables_offload.h
+@@ -67,8 +67,6 @@ struct nft_flow_rule {
+ struct flow_rule *rule;
+ };
+
+-#define NFT_OFFLOAD_F_ACTION (1 << 0)
+-
+ void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
+ enum flow_dissector_key_id addr_type);
+
+diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
+index 9656c1646222..2d36952b1392 100644
+--- a/net/netfilter/nf_tables_offload.c
++++ b/net/netfilter/nf_tables_offload.c
+@@ -94,7 +94,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
+
+ expr = nft_expr_first(rule);
+ while (nft_expr_more(rule, expr)) {
+- if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION)
++ if (expr->ops->offload_action &&
++ expr->ops->offload_action(expr))
+ num_actions++;
+
+ expr = nft_expr_next(expr);
+diff --git a/net/netfilter/nft_dup_netdev.c b/net/netfilter/nft_dup_netdev.c
+index bbf3fcba3df4..5b5c607fbf83 100644
+--- a/net/netfilter/nft_dup_netdev.c
++++ b/net/netfilter/nft_dup_netdev.c
+@@ -67,6 +67,11 @@ static int nft_dup_netdev_offload(struct nft_offload_ctx *ctx,
+ return nft_fwd_dup_netdev_offload(ctx, flow, FLOW_ACTION_MIRRED, oif);
+ }
+
++static bool nft_dup_netdev_offload_action(const struct nft_expr *expr)
++{
++ return true;
++}
++
+ static struct nft_expr_type nft_dup_netdev_type;
+ static const struct nft_expr_ops nft_dup_netdev_ops = {
+ .type = &nft_dup_netdev_type,
+@@ -75,6 +80,7 @@ static const struct nft_expr_ops nft_dup_netdev_ops = {
+ .init = nft_dup_netdev_init,
+ .dump = nft_dup_netdev_dump,
+ .offload = nft_dup_netdev_offload,
++ .offload_action = nft_dup_netdev_offload_action,
+ };
+
+ static struct nft_expr_type nft_dup_netdev_type __read_mostly = {
+diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
+index fa9301ca6033..619e394a91de 100644
+--- a/net/netfilter/nft_fwd_netdev.c
++++ b/net/netfilter/nft_fwd_netdev.c
+@@ -79,6 +79,11 @@ static int nft_fwd_netdev_offload(struct nft_offload_ctx *ctx,
+ return
nft_fwd_dup_netdev_offload(ctx, flow, FLOW_ACTION_REDIRECT, oif);
+ }
+
++static bool nft_fwd_netdev_offload_action(const struct nft_expr *expr)
++{
++ return true;
++}
++
+ struct nft_fwd_neigh {
+ u8 sreg_dev;
+ u8 sreg_addr;
+@@ -222,6 +227,7 @@ static const struct nft_expr_ops nft_fwd_netdev_ops = {
+ .dump = nft_fwd_netdev_dump,
+ .validate = nft_fwd_validate,
+ .offload = nft_fwd_netdev_offload,
++ .offload_action = nft_fwd_netdev_offload_action,
+ };
+
+ static const struct nft_expr_ops *
+diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
+index 90c64d27ae53..d0f67d325bdf 100644
+--- a/net/netfilter/nft_immediate.c
++++ b/net/netfilter/nft_immediate.c
+@@ -213,6 +213,16 @@ static int nft_immediate_offload(struct nft_offload_ctx *ctx,
+ return 0;
+ }
+
++static bool nft_immediate_offload_action(const struct nft_expr *expr)
++{
++ const struct nft_immediate_expr *priv = nft_expr_priv(expr);
++
++ if (priv->dreg == NFT_REG_VERDICT)
++ return true;
++
++ return false;
++}
++
+ static const struct nft_expr_ops nft_imm_ops = {
+ .type = &nft_imm_type,
+ .size = NFT_EXPR_SIZE(sizeof(struct nft_immediate_expr)),
+@@ -224,7 +234,7 @@ static const struct nft_expr_ops nft_imm_ops = {
+ .dump = nft_immediate_dump,
+ .validate = nft_immediate_validate,
+ .offload = nft_immediate_offload,
+- .offload_flags = NFT_OFFLOAD_F_ACTION,
++ .offload_action = nft_immediate_offload_action,
+ };
+
+ struct nft_expr_type nft_imm_type __read_mostly = {
+--
+2.35.1
+
diff --git a/debian/patches/bugfix/all/netfilter-xt_socket-missing-ifdef-CONFIG_IP6_NF_IPTA.patch b/debian/patches/bugfix/all/netfilter-xt_socket-missing-ifdef-CONFIG_IP6_NF_IPTA.patch
new file mode 100644
index 000000000..dbb81b3d5
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-xt_socket-missing-ifdef-CONFIG_IP6_NF_IPTA.patch
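Review bot: The new `offload_action` member added to struct nft_expr_ops in the nf_tables.h part of this patch has no comment, yet it now carries the invariant the whole fix rests on: nft_flow_rule_create counts only expressions whose callback returns true when sizing the action array, so any expression whose ->offload() emits a flow action must also provide an ->offload_action returning true, or the array is undersized again exactly as it was for fwd/dup. I would document that next to the member, e.g. `/* return true when ->offload() emits a flow_action entry; used to size the rule's action array */`, so the next expression type does not repeat the omission. Whether the emitting side checks against the sized array is not visible in this hunk; if it does not, that comment is the only guard. As a point of style, nft_immediate_offload_action could collapse to `return priv->dreg == NFT_REG_VERDICT;`.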
@@ -0,0 +1,33 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 12 Feb 2022 00:44:11 +0100
+Subject: netfilter: xt_socket: missing ifdef CONFIG_IP6_NF_IPTABLES dependency
+Origin: https://git.kernel.org/linus/2874b7911132f6975e668f6849c8ac93bc4e1f35
+
+nf_defrag_ipv6_disable() requires CONFIG_IP6_NF_IPTABLES.
+
+Fixes: 75063c9294fb ("netfilter: xt_socket: fix a typo in socket_mt_destroy()")
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Eric Dumazet<edumazet@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/netfilter/xt_socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
+index 662e5eb1cc39..7013f55f05d1 100644
+--- a/net/netfilter/xt_socket.c
++++ b/net/netfilter/xt_socket.c
+@@ -220,8 +220,10 @@ static void socket_mt_destroy(const struct xt_mtdtor_param *par)
+ {
+ if (par->family == NFPROTO_IPV4)
+ nf_defrag_ipv4_disable(par->net);
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ else if (par->family == NFPROTO_IPV6)
+ nf_defrag_ipv6_disable(par->net);
++#endif
+ }
+
+ static struct xt_match socket_mt_reg[] __read_mostly = {
+--
+2.35.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 9f5dcf417..7602ff442 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -77,6 +77,8 @@ features/x86/x86-make-x32-syscall-support-conditional.patch
 # Miscellaneous bug fixes
 bugfix/all/disable-some-marvell-phys.patch
 bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
+bugfix/all/cgroup-v1-Correct-privileges-check-in-release_agent-.patch
+bugfix/all/netfilter-xt_socket-missing-ifdef-CONFIG_IP6_NF_IPTA.patch
 # Miscellaneous features
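Review bot: The `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` added in socket_mt_destroy wraps only the `else if` arm of an if/else chain, which compiles but leaves a reader guessing why the IPv6 arm alone is conditional; the reason lives only in the commit message (nf_defrag_ipv6_disable() is not available without that option). I would put it in the code, e.g. `/* nf_defrag_ipv6_disable() is only built with CONFIG_IP6_NF_IPTABLES */` directly above the `#if`. Presumably the matching enable call on the checkentry side is guarded the same way (not visible here); it is worth confirming both sides agree so enable and disable stay paired.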
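Review bot: The cgroup-v1 release_agent patch is listed under `# Miscellaneous bug fixes` in this hunk while the netfilter offload patch goes under `# Security fixes` in the following hunk, although the cgroup change corrects a privilege check (its own subject line says so) and is the kind of fix that section groups. Unless placement is driven purely by whether a tracker reference exists, I would move the cgroup entry next to the netfilter one; if a tracker entry exists for it, the patch header could also carry a `Bug-Debian-Security:` line as the netfilter offload patch does.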
@@ -96,6 +98,7 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
+bugfix/all/netfilter-nf_tables_offload-incorrect-flow-offload-a.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch |