kernels: fix CVE-2017-11600

Extras:
 - added script to update linux version
 - jna: rerun the build on failure

Change-Id: I1734ab9dc3a0177c0a40f08d0b279e3fd98565bd
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3693
Tested-by: gerrit-photon <[email protected]>
Reviewed-by: Anish Swaminathan <[email protected]>

SPECS/jna/jna.spec

@@ -4,7 +4,7 @@
 Summary:        Java Native Access
 Name:           jna
 Version:        4.4.0
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        Apache
 URL:            http://github.com/twall/jna
 Group:          Applications/System
@@ -41,9 +41,16 @@ rm -rf %{buildroot}
 
 %build
 export JAVA_HOME=/usr/lib/jvm/OpenJDK-%{JAVA8_VERSION}
-#disabling all tests
+
+# Intermittent issue happens:
+#
+# BUILD FAILED
+# /usr/src/photon/BUILD/jna-4.4.0/build.xml:717: API for native code has changed, or javah output is inconsistent.
+# Re-run this build after checking /usr/src/photon/BUILD/jna-4.4.0/build/native-linux-x86-64/jni.checksum or updating jni.version and jni.md5 in build.xml
+#
+# Rerun the build will pass it
+ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/*.java" -Drelease=true || \
 ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/*.java" -Drelease=true
-#$ANT_HOME/bin/ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/LibraryLoadTest.java" -Drelease=true
 
 %install
 export JAVA_HOME=/usr/lib/jvm/OpenJDK-%{JAVA8_VERSION}
@@ -72,6 +79,8 @@ ant -Ddist=$JNA_DIST_DIR dist -Drelease=true
 %{_prefix}/*.aar
 
 %changelog
+*   Tue Sep 05 2017 Alexey Makhalov <[email protected]> 4.4.0-7
+-   Rerun the build on failure
 *   Thu Aug 17 2017 Harish Udaiya Kumar <[email protected]> 4.4.0-6
 -   Removed clover.jar from jna-devel source-full.zip file
 *   Mon Jun 19 2017 Divya Thaluru <[email protected]> 4.4.0-5

SPECS/linux-api-headers/linux-api-headers.spec

@@ -1,14 +1,14 @@
 Summary:	Linux API header files
 Name:		linux-api-headers
-Version:	4.9.43
+Version:	4.9.47
 Release:	1%{?dist}
 License:	GPLv2
 URL:		http://www.kernel.org/
 Group:		System Environment/Kernel
 Vendor:		VMware, Inc.
 Distribution: Photon
 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5
+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d
 BuildArch:	noarch
 %description
 The Linux API Headers expose the kernel's API for use by Glibc.
@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de
 %defattr(-,root,root)
 %{_includedir}/*
 %changelog
+*   Mon Sep 04 2017 Alexey Makhalov <[email protected]> 4.9.47-1
+-   Version update
 *   Mon Aug 14 2017 Alexey Makhalov <[email protected]> 4.9.43-1
 -   Version update
 *   Wed Jun 28 2017 Alexey Makhalov <[email protected]> 4.9.34-1

SPECS/linux/linux-esx.spec

@@ -1,15 +1,15 @@
 %global security_hardening none
 Summary:        Kernel
 Name:           linux-esx
-Version:        4.9.43
+Version:        4.9.47
 Release:        1%{?dist}
 License:        GPLv2
 URL:            http://www.kernel.org/
 Group:          System Environment/Kernel
 Vendor:         VMware, Inc.
 Distribution:   Photon
 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5
+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d
 Source1:        config-esx
 Source2:        initramfs.trigger
 # common
@@ -36,6 +36,8 @@ Patch19:        06-pv-ops-boot_clock.patch
 Patch20:        07-vmware-only.patch
 Patch21:        vmware-balloon-late-initcall.patch
 Patch22:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+# Fix CVE-2017-11600
+Patch23:        xfrm-policy-check-policy-direction-value.patch
 BuildRequires: bc
 BuildRequires: kbd
 BuildRequires: kmod-devel
@@ -93,6 +95,7 @@ The Linux package contains the Linux kernel doc files
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
+%patch23 -p1
 
 %build
 # patch vmw_balloon driver
@@ -189,6 +192,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
 /usr/src/linux-headers-%{uname_r}
 
 %changelog
+*   Mon Sep 04 2017 Alexey Makhalov <[email protected]> 4.9.47-1
+-   Fix CVE-2017-11600
 *   Mon Aug 14 2017 Alexey Makhalov <[email protected]> 4.9.43-1
 -   Version update
 -   [feature] new sysctl option unprivileged_userns_clone

SPECS/linux/linux-secure.spec

@@ -1,15 +1,15 @@
 %global security_hardening none
 Summary:        Kernel
 Name:           linux-secure
-Version:        4.9.43
-Release:        2%{?dist}
+Version:        4.9.47
+Release:        1%{?dist}
 License:        GPLv2
 URL:            http://www.kernel.org/
 Group:          System Environment/Kernel
 Vendor:         VMware, Inc.
 Distribution:   Photon
 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5
+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d
 Source1:        config-secure
 Source2:        aufs4.9.tar.gz
 %define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906
@@ -47,6 +47,8 @@ Patch26:        0014-hv_sock-introduce-Hyper-V-Sockets.patch
 Patch27:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch
 Patch28:        0002-allow-also-ecb-cipher_null.patch
 Patch29:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+# Fix CVE-2017-11600
+Patch30:        xfrm-policy-check-policy-direction-value.patch
 # NSX requirements (should be removed)
 Patch99:        LKCM.patch
 BuildRequires:  bc
@@ -142,6 +144,7 @@ EOF
 %patch27 -p1
 %patch28 -p1
 %patch29 -p1
+%patch30 -p1
 
 pushd ..
 %patch99 -p0
@@ -257,6 +260,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
 /usr/src/linux-headers-%{uname_r}
 
 %changelog
+*   Mon Sep 04 2017 Alexey Makhalov <[email protected]> 4.9.47-1
+-   Fix CVE-2017-11600
 *   Tue Aug 22 2017 Anish Swaminathan <[email protected]> 4.9.43-2
 -   Add missing xen block drivers
 *   Mon Aug 14 2017 Alexey Makhalov <[email protected]> 4.9.43-1

SPECS/linux/linux.spec

@@ -1,15 +1,15 @@
 %global security_hardening none
 Summary:        Kernel
 Name:           linux
-Version:        4.9.43
-Release:        2%{?dist}
+Version:        4.9.47
+Release:        1%{?dist}
 License:    	GPLv2
 URL:        	http://www.kernel.org/
 Group:        	System Environment/Kernel
 Vendor:         VMware, Inc.
 Distribution: 	Photon
 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5
+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d
 Source1:	config
 Source2:	initramfs.trigger
 %define ena_version 1.1.3
@@ -44,6 +44,8 @@ Patch23:        0014-hv_sock-introduce-Hyper-V-Sockets.patch
 Patch24:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch
 Patch25:        0002-allow-also-ecb-cipher_null.patch
 Patch26:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+# Fix CVE-2017-11600
+Patch27:        xfrm-policy-check-policy-direction-value.patch
 
 BuildRequires:  bc
 BuildRequires:  kbd
@@ -138,6 +140,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel.
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
+%patch27 -p1
 
 %build
 make mrproper
@@ -297,6 +300,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
 /usr/share/doc/*
 
 %changelog
+*   Mon Sep 04 2017 Alexey Makhalov <[email protected]> 4.9.47-1
+-   Fix CVE-2017-11600
 *   Tue Aug 22 2017 Anish Swaminathan <[email protected]> 4.9.43-2
 -   Add missing xen block drivers
 *   Mon Aug 14 2017 Alexey Makhalov <[email protected]> 4.9.43-1

SPECS/linux/xfrm-policy-check-policy-direction-value.patch

@@ -0,0 +1,44 @@
+From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <[email protected]>
+Date: Wed, 2 Aug 2017 19:50:14 +0200
+Subject: xfrm: policy: check policy direction value
+
+The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
+as an array index. This can lead to an out-of-bound access, kernel lockup and
+DoS. Add a check for the 'dir' value.
+
+This fixes CVE-2017-11600.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Cc: <[email protected]> # v2.6.21-rc1
+Reported-by: "bo Zhang" <[email protected]>
+Signed-off-by: Vladis Dronov <[email protected]>
+Signed-off-by: Steffen Klassert <[email protected]>
+---
+ net/xfrm/xfrm_policy.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index ff61d85..6f5a0dad 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
+ 	struct xfrm_state *x_new[XFRM_MAX_DEPTH];
+ 	struct xfrm_migrate *mp;
+
++	/* Stage 0 - sanity checks */
+ 	if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
+ 		goto out;
+
++	if (dir >= XFRM_POLICY_MAX) {
++		err = -EINVAL;
++		goto out;
++	}
++
+ 	/* Stage 1 - find policy */
+ 	if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
+ 		err = -ENOENT;
+-- 
+cgit v1.1
+

tools/update_linux.sh

@@ -0,0 +1,18 @@
+#! /bin/sh
+
+specs="linux-api-headers/linux-api-headers.spec linux/linux.spec linux/linux-esx.spec linux/linux-secure.spec"
+
+tarball_url=`curl -s https://www.kernel.org  | grep -Eo 'https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.9.[0-9]*.tar.xz'`
+tarball=$(basename $tarball_url)
+version=`echo $tarball | sed 's/linux-//; s/.tar.xz//'`
+echo latest linux version: $version
+test -f stage/SOURCES/$tarball && echo up to date && exit 0
+$(cd stage/SOURCES && wget $tarball_url)
+sha1=`sha1sum stage/SOURCES/$tarball | awk '{print $1}'`
+changelog_entry=$(echo "`date +"%a %b %d %Y"` `git config user.name` <`git config user.email`> $version-1")
+for spec in $specs; do
+	sed -i '/^Version:/ s/4.9.[0-9]*/'$version'/' SPECS/$spec
+	sed -i '/^Release:/ s/[0-9]*%/1%/' SPECS/$spec
+	sed -i '/^%define sha1 linux/ s/=[0-9a-f]*$/='$sha1'/' SPECS/$spec
+	sed -i '/^%changelog/a*   '"$changelog_entry"'\n-   Version update' SPECS/$spec
+done