Age | Commit message | Author
14 days | Bump up the version number in spec file [SLE15-SP1_Update_0] | Nicolai Stange
Signed-off-by: Nicolai Stange <nstange@suse.de>
14 days | Merge branch 'bsc#1144502_15.1u0-2' into SLE15-SP1_Update_0 | Nicolai Stange
14 days | Fix for CVE-2019-13233 ("UAF via race between modify_ldt() and #BR exception") | Nicolai Stange
Live patch for CVE-2019-13233.
Upstream commit de9f869616dd ("x86/insn-eval: Fix use-after-free access to LDT entry").
KLP: CVE-2019-13233
References: bsc#1144502 CVE-2019-13233
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-07-11 | Bump up the version number in spec file | Nicolai Stange
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-07-10 | Merge branch 'bsc#1137597_15.1u0' into SLE15-SP1_Update_0 | Nicolai Stange
2019-07-10 | Fix regression bsc#1140747 ("applications tcp socket get stuck") | Nicolai Stange
The fix for CVE-2019-11478 ("SACK Slowness / extensive resource usage") can cause TCP connection stalls for applications having set up very low SO_SNDBUF values.
Fix this by applying stable-4.4.y commit 46c7b5d6f2a5 ("tcp: refine memory limit test in tcp_fragment()") to the live patch mitigating this CVE.
Fixes: cfd1a0fe1e8f ('Fix for CVE-2019-11477 and CVE-2019-11478 ("multiple remote denial of service issues (SACK Panic)")')
References: bsc#1140747 bsc#1137597 CVE-2019-11478
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-07-09 | bsc#1137597: fill in upstream commit ids | Nicolai Stange
At the time the live patch for CVE-2019-11477 and CVE-2019-11478 ("multiple remote denial of service issues (SACK Panic)") was being prepared, the issue had been under embargo and no upstream commits published.
Add their ids to the live patch's file header comment.
References: bsc#1137597 CVE-2019-11477 CVE-2019-11478
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-07-01 | Bump up the version number in spec file | Nicolai Stange
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-06-30 | Merge branch 'bsc#1138264_15.1u0-1' into SLE15-SP1_Update_0 | Nicolai Stange
2019-06-30 | Merge branch 'bsc#1136446_15.1u0' into SLE15-SP1_Update_0 | Nicolai Stange
2019-06-24 | Fix for CVE-2019-12817 ("powerpc: access to other processes memory") | Nicolai Stange
Live patch for CVE-2019-12817.
No upstream commit yet.
KLP: CVE-2019-12817
References: bsc#1138264 CVE-2019-12817
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-06-18 | bsc#1136446: get rid of unwanted dependency on cfg80211.ko | Nicolai Stange
The fix for bsc#1136446, CVE-2019-3846 ("Heap Overflow in mwifiex_update_bss_desc_with_ie function of Marvell Wifi Driver in Linux kernel") introduced a dependency on cfg80211.ko from the live patch module by mistake.
It isn't a serious problem, but not really nice either. Fix it up.
Fixes: 01c452ed2986 ('Fix for CVE-2019-3846 ("Heap Overflow in mwifiex_update_bss_desc_with_ie function of Marvell Wifi Driver in Linux kernel")')
References: bsc#1136446
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-06-18 | Bump up the version number in spec file | Miroslav Benes
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2019-06-17 | Merge branch 'bsc#1137597_15.1u0' into SLE15-SP1_Update_0 | Nicolai Stange
2019-06-17 | Merge branch 'bsc#1136446_15.1u0' into SLE15-SP1_Update_0 | Nicolai Stange
2019-06-17 | Merge branch 'bsc#1133191_15.1u0' into SLE15-SP1_Update_0 | Nicolai Stange
2019-06-16 | Fix for CVE-2019-11477 and CVE-2019-11478 ("multiple remote denial of service issues (SACK Panic)") | Nicolai Stange
Live patch for CVE-2019-11477 and CVE-2019-11478.
No upstream commits yet.
KLP: CVE-2019-11477 CVE-2019-11478
References: bsc#1137597 CVE-2019-11477 CVE-2019-11478
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-06-16 | Fix for CVE-2019-3846 ("Heap Overflow in mwifiex_update_bss_desc_with_ie function of Marvell Wifi Driver in Linux kernel") | Nicolai Stange
Live patch for CVE-2019-3846 as well as the related heap overflow handled in bsc#1136935 which hasn't got a unique CVE number assigned yet.
Upstream commits
- 13ec7f10b87f ("mwifiex: Fix possible buffer overflows at parsing bss descriptor")
- 685c9b7750bf ("mwifiex: Abort at too short BSS descriptor element")
- 69ae4f6aac15 ("mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()")
KLP: CVE-2019-3846
References: bsc#1136446 bsc#1136935 CVE-2019-3846
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-06-16 | Fix for CVE-2019-11487 ("The Linux kernel [...] allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists") | Nicolai Stange
Live patch for CVE-2019-11487.
Upstream commits
- f958d7b528 ("mm: make page ref count overflow check tighter and more explicit")
- 88b1a17dfc ("mm: add 'try_get_page()' helper function")
- 8fde12ca79 ("mm: prevent get_user_pages() from overflowing page refcount")
- 15fab63e1e ("fs: prevent page refcount overflow in pipe_buf_get")
KLP: CVE-2019-11487
References: bsc#1133191 CVE-2019-11487
Signed-off-by: Nicolai Stange <nstange@suse.de>
2019-03-08 | Merge branch 'master-livepatch' into SLE15-SP1_Update_0 | Miroslav Benes
2019-03-07 | livepatch_main.c: Adaptation to a new livepatch API | Miroslav Benes
The atomic replace patch set among others removed the two-stage API. There is no (un)registration step needed now. SLES backport defines KLP_NOREG_API macro to easily distinguish whether the kernel provides the old or the new API. Use it and change the module init and exit functions accordingly.
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2019-02-13 | uname_patch: Use klp-convert macros and rely on klp-convert where possible | Miroslav Benes
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
Reviewed-by: Nicolai Stange <nstange@suse.de>
2019-02-13 | Define macros to switch easily between klp-convert and kallsyms | Miroslav Benes
Kallsyms trick does not have to be used for resolving undefined symbols when klp-convert is available. It would be great though to share live patches sources between both modes of operation.
Define macros to help with the task. Their definitions depend on whether USE_KLP_CONVERT macro is defined. tar-up.sh script is responsible to decide.
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
Reviewed-by: Nicolai Stange <nstange@suse.de>
2019-02-13 | Use klp-convert where provided | Miroslav Benes
klp-convert tool converts undefined symbols in a live patch kernel module to special relocation records which are resolved by the kernel. It allows omitting kallsyms tricks.
Wire it to the spec file and let tar-up.sh script decide if it is to be used depending on a codestream. SLE15-SP1 is supported currently.
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
Reviewed-by: Nicolai Stange <nstange@suse.de>
2018-12-11 | Merge branch 'master' into master-livepatch | Miroslav Benes
2018-12-11 | uname_patch: don't hold uts_sem while accessing userspace memory [HEAD, master] | Miroslav Benes
Backport upstream patch 42a0cc347858 ("sys: don't hold uts_sem while accessing userspace memory"). Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-10-02 | Update IBS_PROJECT to correct project (SLE-15-SP1:GA) | Miroslav Benes
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-10-02 | New branch for SLE15-SP1_Update_0 | Miroslav Benes
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-08-09 | Provide common kallsyms wrapper API | Nicolai Stange
With bsc#1103203, the need for disambiguating between a multiply defined symbol arose. This is something the kallsyms_lookup_name() based code snippet we used to copy&paste to every individual CVE fix can't handle.
Implement a proper wrapper API for doing the kallsyms lookups.
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-07-11 | provide KLP_SHADOW_ID() helper macro | Nicolai Stange
In analogy to the KGR_SHADOW_ID() macro, introduce KLP_SHADOW_ID() for the construction of unique shadow variable id's.
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-07-10 | scripts/register-patches.sh: implement conditional inclusion | Nicolai Stange
Currently, subpatches provide a patched_funcs.csv file describing what needs to be patched. register-patches.sh inspects those to assemble one global klp_patch structure.
The current format for these patched_funcs.csv's is
  obj old_func(,sympos) newfun
However, sometimes subpatches depend on some kernel configuration values like CONFIG_X86_64 and functions shall get patched only if the target kernel configuration matches.
Extend the patched_funcs.csv format to
  obj old_func(,sympos) newfun (cpp condition)
where everything coming after 'newfun' is taken to be a CPP condition to be used for conditional inclusion. In case there's no condition specified, assign that entry the same semantics as if a '1' had been given.
Make register-patches.sh guard the corresponding klp_func entries with #if pragmas. Furthermore, let it guard the enclosing klp_object instances by or'ing together all its klp_funcs' conditions.
For the sake of better readability, omit redundant #if pragmas as well as condition clauses. In particular,
- if a function entry hasn't got any condition explicitly specified, there won't be any #if pragma, neither at the klp_func nor at the klp_object level,
- if multiple function entries for an object are protected by the same condition, it'll be or'ed in at the klp_object level only once,
- if all of an object's functions share the same condition, no #if pragmas will be emitted at the klp_func level because they would only duplicate what's already there for the enclosing object and
- multiple subsequent function entries sharing the same condition get collated.
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-07-10 | scripts/register-patches.sh: allow spaces as patched_funcs.csv separators | Nicolai Stange
Currently there's one single cut(1) usage which requires that (single) tabs are used as field separators for the patched_funcs.csv. As the rest of the code can deal with sequences of any whitespace already, this imposes an unnecessary restriction on the format.
Substitute that cut(1) usage by a sed(1) invocation as appropriate.
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-06-04 | livepatch_main.c: Set .replace to true | Miroslav Benes
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2018-05-14 | Merge branch 'master' into master-livepatch | Miroslav Benes
2018-05-14 | scripts/create-makefile.sh: add support for assembly files | Nicolai Stange
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08 | Revert "shadow variables: introduce upstream patch" | Miroslav Benes
This reverts commit e899c4fd3fe7602ebd70f578d8475f1049de7c78.
2017-12-08 | Revert "shadow variables: drop EXPORT_SYMBOL()s" | Miroslav Benes
This reverts commit ac6cfebd7f831213ebcd4b2690672871572ec49e.
2017-12-08 | Revert "shadow variables: share shadow data among KGraft modules" | Miroslav Benes
This reverts commit 8e1e705d4d56981949f7ae3854d8e1cc2be7f40f.
2017-12-08 | Revert "shadow variables: add KGR_SHADOW_ID helper" | Miroslav Benes
This reverts commit 237c8f3d13c382321d3e65d138d328eae0b82f6c.
2017-12-08 | livepatch_main.c: klp_patch_init(): fix error handling | Nicolai Stange
In case either of the invocations of klp_register_patch() or klp_enable_patch() fails, anything which has been set up by the prior per-(sub-)patch initialization code, i.e. the expansion of @@KLP_PATCHES_INIT_CALLS@@, won't get undone.
Fix this. Also make klp_patch_init() look more like the common 'goto err' idiom and adjust scripts/register_patches.sh accordingly.
Fix for commit 7e20201cdcb8 ("kGraft to livepatch migration. API change.").
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08 | scripts/register_patches.sh: generate klp_object array | Nicolai Stange
The KLP API doesn't take a flat list of to be patched functions like KGraft did, but introduces an intermediate layer: struct klp_object. Each klp_patch instance is supposed to reference an array of klp_object's which in turn provide an array of klp_func's each.
To facilitate merging, we want to generate this list of klp_object's automatically, exactly like we did for the flat function list with KGraft.
For each klp_patch instance, there must be at most one klp_object entry referring to the same object. Hence care must be taken not to add an entry for the same object twice in case two different (sub-)patches both patch some functions therein.
Require from each (sub-)patch to provide the list of to be patched symbols in a file named SUBPATCH/patched_funcs.csv with each line conforming to the
  obj old_func(,sympos) new_func
pattern.
Make scripts/register.sh generate a klp_object array initializer based on this and let it expand the @@KLP_PATCHES_OBJS@@ tag within livepatch_main.c accordingly. Do not replace the now obsolete @@KLP_PATCHES_FUNCS@@ anymore.
Add and remove the @@KLP_PATCHES_OBJS@@ and @@KLP_PATCHES_FUNCS@@ markers to and from livepatch_main.c respectively.
Signed-off-by: Nicolai Stange <nstange@suse.de>
[ mb: amend copy&paste error ($newfun at the end of uname klp_func[]) ]
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08 | rpm/config.sh: Use SUSE:SLE-15:GA project | Miroslav Benes
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08 | Revert "scripts: Generate ExclusiveArch in spec file dynamically" | Miroslav Benes
This reverts commit 95ed856ea8f99b4e48d7d324278b3628d2ac2fa2.
SLE15 will support ppc64le arch from the beginning.
2017-12-08 | kGraft to livepatch migration. External rename. | Libor Pechacek
External rename and thus final step of kGraft -> upstream livepatch migration. kgraft-patch* modules are now livepatch* and live in /lib/modules/$(uname -r)/livepatch.
References: fate#323682
Signed-off-by: Libor Pechacek <lpechacek@suse.com>
[ mb: changelog ]
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08 | kGraft to livepatch migration. API change. | Libor Pechacek
Change from kGraft API to livepatch API.
Note: error handling in _init() function is broken and fixed later. Automatic generation of klp_objects is not present at all. Added later.
References: fate#323682
Signed-off-by: Libor Pechacek <lpechacek@suse.com>
[ mb: changelog, patch split, whitespace errors ]
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-08 | kGraft to livepatch migration. Internal rename. | Libor Pechacek
Internal rename in preparation for kGraft -> upstream livepatch migration. External module naming stays the same. API is not touched yet.
References: fate#323682
Signed-off-by: Libor Pechacek <lpechacek@suse.com>
[ mb: changelog edit ]
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-05 | uname_patch: fix UNAME26 for 4.0 | Miroslav Benes
Backport upstream commit 39afb5ee4640 ("kernel/sys.c: fix UNAME26 for 4.0"). Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-12-04 | Revert "Add compat.h to deal with changes of KGR_PATCH macro" | Miroslav Benes
This reverts commit 4186bef35862029a2fd36ba4a73d5fa538992709.
All currently supported kernels (that is, everything since SLE12_Update_14 and SLE12-SP1_Update_5) have sympos support. We can drop compat, because we don't need it anymore.
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-11-30 | scripts: Generate ExclusiveArch in spec file dynamically | Miroslav Benes
ppc64le architecture kernel support is not present in all currently supported branches. It may cause problems for the maintenance team.
Generate ExclusiveArch dynamically. It should be 'ppc64le x86_64' for SLE12-SP3 and 'x86_64' for the rest.
Signed-off-by: Miroslav Benes <mbenes@suse.cz>
2017-11-23 | shadow variables: add KGR_SHADOW_ID helper | Nicolai Stange
As shadow variables are supposed to be shared among different KGraft modules their id's must be compile time constants.
Introduce the KGR_SHADOW_ID helper macro for generating them in a uniform manner based on the bsc# number and a local id.
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Miroslav Benes <mbenes@suse.cz>