From: Greg Kroah-Hartman
Date: Sun, 26 Apr 2015 10:05:41 +0000 (+0200)
Subject: 3.14-stable patches
X-Git-Tag: v4.0.1~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=162782a7687ba31129298a47714a0c1ead5bd108;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
kvm-x86-sysenter-emulation-is-broken.patch
netfilter-conntrack-disable-generic-tracking-for-known-protocols.patch
---
diff --git a/queue-3.14/kvm-x86-sysenter-emulation-is-broken.patch b/queue-3.14/kvm-x86-sysenter-emulation-is-broken.patch
new file mode 100644
index 00000000000..2f1d075ab0b
--- /dev/null
+++ b/queue-3.14/kvm-x86-sysenter-emulation-is-broken.patch
@@ -0,0 +1,89 @@
+From f3747379accba8e95d70cec0eae0582c8c182050 Mon Sep 17 00:00:00 2001
+From: Nadav Amit
+Date: Thu, 1 Jan 2015 23:11:11 +0200
+Subject: KVM: x86: SYSENTER emulation is broken
+
+From: Nadav Amit
+
+commit f3747379accba8e95d70cec0eae0582c8c182050 upstream.
+
+SYSENTER emulation is broken in several ways:
+1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
+2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
+ still be set without causing #GP).
+3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
+ legacy-mode.
+4. There is some unneeded code.
+
+Fix it.
+
+Signed-off-by: Nadav Amit
+Signed-off-by: Paolo Bonzini
+[zhangzhiqiang: backport to 3.10:
+ - adjust context
+ - in 3.10 context "ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF)" is replaced by
+ "ctxt->eflags &= ~(EFLG_VM | EFLG_IF)" in upstream, which was changed by another commit.
+ - After the above adjustments, becomes same to the original patch:
+ https://github.com/torvalds/linux/commit/f3747379accba8e95d70cec0eae0582c8c182050
+]
+Signed-off-by: Zhiqiang Zhang
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/emulate.c | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2258,7 +2258,7 @@ static int em_sysenter(struct x86_emulat
+ * Not recognized on AMD in compat mode (but is recognized in legacy
+ * mode).
+ */
+- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
+ && !vendor_intel(ctxt))
+ return emulate_ud(ctxt);
+
+@@ -2271,25 +2271,13 @@ static int em_sysenter(struct x86_emulat
+ setup_syscalls_segments(ctxt, &cs, &ss);
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+- switch (ctxt->mode) {
+- case X86EMUL_MODE_PROT32:
+- if ((msr_data & 0xfffc) == 0x0)
+- return emulate_gp(ctxt, 0);
+- break;
+- case X86EMUL_MODE_PROT64:
+- if (msr_data == 0x0)
+- return emulate_gp(ctxt, 0);
+- break;
+- default:
+- break;
+- }
++ if ((msr_data & 0xfffc) == 0x0)
++ return emulate_gp(ctxt, 0);
+
+ ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
+- cs_sel = (u16)msr_data;
+- cs_sel &= ~SELECTOR_RPL_MASK;
++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
+ ss_sel = cs_sel + 8;
+- ss_sel &= ~SELECTOR_RPL_MASK;
+- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
++ if (efer & EFER_LMA) {
+ cs.d = 0;
+ cs.l = 1;
+ }
+@@ -2298,10 +2286,11 @@ static int em_sysenter(struct x86_emulat
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
+- ctxt->_eip = msr_data;
++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
+
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
+- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
++ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
++ (u32)msr_data;
+
+ return X86EMUL_CONTINUE;
+ }
diff --git a/queue-3.14/netfilter-conntrack-disable-generic-tracking-for-known-protocols.patch b/queue-3.14/netfilter-conntrack-disable-generic-tracking-for-known-protocols.patch
new file mode 100644
index 00000000000..5c4bad8403a
--- /dev/null
+++ b/queue-3.14/netfilter-conntrack-disable-generic-tracking-for-known-protocols.patch
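Review bot: The mode-independent `if ((msr_data & 0xfffc) == 0x0)` that replaces the switch is the fix for item 2 of the description, but the magic mask gets no explanation in the 3.14 tree, and a comment on that line would stop a later backporter from "restoring" the 64-bit special case: `/* SDM: SYSENTER raises #GP(0) when IA32_SYSENTER_CS[15:2] == 0, in every mode; the RPL bits are ignored. */`. Dropping `ss_sel &= ~SELECTOR_RPL_MASK;` is safe only because `cs_sel` already has its RPL cleared and adding 8 cannot set bits 0-1, which deserves a one-line comment on `ss_sel = cs_sel + 8;` as well. The first hunk's `ctxt->mode != X86EMUL_MODE_PROT64` now also makes 16-bit compat-mode SYSENTER #UD on non-Intel vendors, which matches the "legacy mode" comment above it. em_sysenter starts outside the hunks.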
@@ -0,0 +1,93 @@
+From db29a9508a9246e77087c5531e45b2c88ec6988b Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Fri, 26 Sep 2014 11:35:42 +0200
+Subject: netfilter: conntrack: disable generic tracking for known protocols
+
+From: Florian Westphal
+
+commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream.
+
+Given following iptables ruleset:
+
+-P FORWARD DROP
+-A FORWARD -m sctp --dport 9 -j ACCEPT
+-A FORWARD -p tcp --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
+
+One would assume that this allows SCTP on port 9 and TCP on port 80.
+Unfortunately, if the SCTP conntrack module is not loaded, this allows
+*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
+which we think is a security issue.
+
+This is because on the first SCTP packet on port 9, we create a dummy
+"generic l4" conntrack entry without any port information (since
+conntrack doesn't know how to extract this information).
+
+All subsequent packets that are unknown will then be in established
+state since they will fallback to proto_generic and will match the
+'generic' entry.
+
+Our originally proposed version [1] completely disabled generic protocol
+tracking, but Jozsef suggests to not track protocols for which a more
+suitable helper is available, hence we now mitigate the issue for in
+tree known ct protocol helpers only, so that at least NAT and direction
+information will still be preserved for others.
+
+ [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
+
+Joint work with Daniel Borkmann.
+
+Fixes CVE-2014-8160.
+
+Signed-off-by: Florian Westphal
+Signed-off-by: Daniel Borkmann
+Acked-by: Jozsef Kadlecsik
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Zhiqiang Zhang
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_proto_generic.c
++++ b/net/netfilter/nf_conntrack_proto_generic.c
+@@ -14,6 +14,30 @@
+
+ static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+
++static bool nf_generic_should_process(u8 proto)
++{
++ switch (proto) {
++#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
++ case IPPROTO_SCTP:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
++ case IPPROTO_DCCP:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
++ case IPPROTO_GRE:
++ return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
++ case IPPROTO_UDPLITE:
++ return false;
++#endif
++ default:
++ return true;
++ }
++}
++
+ static inline struct nf_generic_net *generic_pernet(struct net *net)
+ {
+ return &net->ct.nf_ct_proto.generic;
+@@ -67,7 +91,7 @@ static int generic_packet(struct nf_conn
+ static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
+ unsigned int dataoff, unsigned int *timeouts)
+ {
+- return true;
++ return nf_generic_should_process(nf_ct_protonum(ct));
+ }
+
+ #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
diff --git a/queue-3.14/series b/queue-3.14/series
index 3ee7765d2bb..160cfeed002 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -28,3 +28,5 @@ bluetooth-add-support-for-acer-2.patch
 bluetooth-ath3k-add-support-of-mci-13d3-3408-bt-device.patch
 bluetooth-add-usb-device-04ca-3010-as-atheros-ar3012.patch
 mm-hwpoison-drop-lru_add_drain_all-in-__soft_offline_page.patch
+netfilter-conntrack-disable-generic-tracking-for-known-protocols.patch
+kvm-x86-sysenter-emulation-is-broken.patch
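Review bot: `nf_generic_should_process` keys every case on `CONFIG_NF_CT_PROTO_*_MODULE` rather than `IS_ENABLED()`, so a protocol is excluded from generic tracking only when its tracker is configured as a loadable module; a reader will reach for IS_ENABLED, so the intent deserves a comment above the switch, e.g. `/* Only the =m case matters: a built-in tracker is always registered, so the generic tracker never sees that protocol. */` — that reasoning is inferred from the description, not visible in the hunk, and should be confirmed. Because `generic_new` now returns false for those protocols, their first packet gets no conntrack entry when the module is absent and `-m conntrack --ctstate ESTABLISHED` rules stop matching them; that is the intended mitigation, but a one-line comment on the new `return` stating that such packets are treated as INVALID would save operators a surprise when NAT or direction state vanishes for them.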