integ/kernel/kernel-std/centos/meta_patches/Build-logic-and-sources-for-TiC.patch
zhao.shuai 0d33fc27e2 Upgrade kernel to version kernel-3.10.0-957.21.3.el7
Security Fix(es):
(CVE-2019-11477)-
An integer overflow flaw was found in the way
the Linux kernel's networking subsystem processed
TCP Selective Acknowledgment (SACK) segments.
While processing SACK segments,
the Linux kernel's socket buffer (SKB) data structure
becomes fragmented. Each fragment is about TCP
maximum segment size (MSS) bytes.
To efficiently process SACK blocks, the Linux kernel merges
multiple fragmented SKBs into one, potentially overflowing
the variable holding the number of segments.
A remote attacker could use this flaw to crash the Linux kernel
by sending a crafted sequence of SACK segments on a TCP
connection with a small TCP MSS value,
resulting in a denial of service (DoS).

(CVE-2019-11478)-
Kernel: tcp: excessive resource consumption while processing SACK
blocks allows remote denial of service.

(CVE-2019-11479)-
Kernel: tcp: excessive resource consumption for TCP connections with low MSS
allows remote denial of service.

Details:
https://access.redhat.com/errata/RHSA-2019:1481
https://access.redhat.com/errata/RHSA-2019:1486
https://nvd.nist.gov/vuln/detail/

Closes-Bug: 1836685
Depends-On: https://review.opendev.org/670856
Change-Id: I150bdf60cec23058e656c60a3fdd677a14259795
Signed-off-by: zhao.shuai <zhaos@neusoft.com>
2019-08-06 16:43:32 +08:00


From 32af2a0ea3905e23d85a65fd9326dbc6db0a21c4 Mon Sep 17 00:00:00 2001
From: Jim Somerville <Jim.Somerville@windriver.com>
Date: Fri, 20 Apr 2018 14:51:56 -0400
Subject: [PATCH] Build logic and sources for TiC
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
Signed-off-by: zhao.shuai <zhaos@neusoft.com>
---
SPECS/kernel.spec | 73 +++++++++++++++++++++++++++++++++++++++++++++----------
1 file changed, 60 insertions(+), 13 deletions(-)
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 852fd10..e42177e 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -5,7 +5,8 @@ Summary: The Linux kernel
%define dist .el7
-# % define buildid .local
+# This is the STX patch release
+%define buildid .%{tis_patch_ver}.tis
# For a kernel released for public testing, released_kernel should be 1.
# For internal testing builds during development, it should be 0.
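Review bot: `%define buildid .%{tis_patch_ver}.tis` expands `tis_patch_ver` unconditionally, and the `pkg_release` change elsewhere in this patch drops the `?` from `%{?buildid}`, so a build environment that does not define `tis_patch_ver` will either fail on an illegal `%` in the release field or carry the literal text into the package release, neither of which points at the real cause. Fail fast with a clear message instead, e.g. add `%{!?tis_patch_ver: %{error:tis_patch_ver must be defined by the build environment}}` immediately before the define. A comment saying where `tis_patch_ver` is expected to come from would also help the next person reading this spec.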
@@ -14,12 +15,14 @@ Summary: The Linux kernel
%global distro_build 957
%define rpmversion 3.10.0
-%define pkgrelease 957.21.3.el7
+%define _pkgrelease 957.21.3
+%define pkgrelease %{_pkgrelease}.el7
+
# allow pkg_release to have configurable %%{?dist} tag
%define specrelease 957.21.3%{?dist}
-%define pkg_release %{specrelease}%{?buildid}
+%define pkg_release %{specrelease}%{buildid}
# The kernel tarball/base version
%define rheltarball %{rpmversion}-%{pkgrelease}
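Review bot: `%define specrelease 957.21.3%{?dist}` still hardcodes the release even though this hunk introduces `_pkgrelease` for exactly that value, so the next kernel bump has to be made in two places and the two can silently diverge. Derive it from the new macro: `%define specrelease %{_pkgrelease}%{?dist}`.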
@@ -68,7 +71,7 @@ Summary: The Linux kernel
%define with_dbgonly %{?_with_dbgonly: 1} %{?!_with_dbgonly: 0}
# Control whether we perform a compat. check against published ABI.
-%define with_kabichk %{?_without_kabichk: 0} %{?!_without_kabichk: 1}
+%define with_kabichk 0
# Control whether we perform a compat. check against DUP ABI.
%define with_kabidupchk 1
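Review bot: `%define with_kabichk 0` removes the `_without_kabichk` opt-out entirely rather than flipping its default, and the hunk records no reason; the kABI check is what catches silent ABI drift against out-of-tree modules, so the intent should be documented next to it. Either add a comment such as `# STX: kABI check disabled — the TiC config changes are expected to diverge from the published RHEL kABI` (if that is the reason), or keep a knob with the default flipped: `%define with_kabichk %{?_with_kabichk: 1} %{?!_with_kabichk: 0}`.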
@@ -91,7 +94,7 @@ Summary: The Linux kernel
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
# and 0 for rawhide (all kernels are debug kernels).
# See also 'make debug' and 'make release'. RHEL only ever does 1.
-%define debugbuildsenabled 1
+%define debugbuildsenabled 0
%define with_gcov %{?_with_gcov: 1} %{?!_with_gcov: 0}
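Review bot: `%define debugbuildsenabled 0` flips a knob whose own comment two lines above says 0 means "all kernels are debug kernels", which reads as the opposite of what a production kernel wants, and the hunk leaves no explanation. I cannot see how the rest of the spec consumes this macro from here, so confirm its effect on the main kernel's config and record the intent, e.g. `# STX: 0 here skips the separate -debug kernel build; confirmed not to alter the main kernel config`, adjusted to whatever the with_debug handling actually does.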
@@ -385,6 +388,7 @@ BuildRequires: bison flex
# required for zfcpdump
BuildRequires: glibc-static
%endif
+BuildRequires: util-linux
Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz
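Review bot: `BuildRequires: util-linux` is added without saying which tool it is for; if it was meant to cover the `nproc` calls introduced elsewhere in this patch, note that `nproc` ships in coreutils, not util-linux, so the dependency would not guarantee it. Name the consumer in a comment, e.g. `# util-linux: needed for <tool> in %build`, so the dependency can be audited when the build root changes.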
@@ -450,6 +454,12 @@ Patch1000: debrand-single-cpu.patch
Patch1001: debrand-rh_taint.patch
Patch1002: debrand-rh-i686-cpu.patch
+# StarlingX Cloud sources here.
+# Not sure if we need to worry about numerical collisions between
+# SourceX and PatchX, so let's not risk it
+Source30000: kernel-3.10.0-x86_64.config.tis_extra
+Source30001: ima_signing_key.pub
+
BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
%description
@@ -612,6 +622,13 @@ manipulation of eBPF programs and maps.
%endif # with_bpftool
+%ifarch x86_64
+%package unsigned
+Summary: Unsigned build of the Linux kernel
+%description unsigned
+Contains an unsigned version of the Linux kernel
+%endif # x86_64
+
%if %{with_gcov}
%package gcov
Summary: gcov graph and source files for coverage data collection.
@@ -777,6 +794,9 @@ cd linux-%{KVRA}
# Drop some necessary files from the source dir into the buildroot
cp $RPM_SOURCE_DIR/kernel-%{version}-*.config .
+# Copy any TiS-specific config changes
+cp $RPM_SOURCE_DIR/kernel-%{version}-*.config.tis_extra .
+
ApplyOptionalPatch linux-kernel-test.patch
ApplyOptionalPatch debrand-single-cpu.patch
ApplyOptionalPatch debrand-rh_taint.patch
@@ -821,6 +841,15 @@ for i in *.config
do
mv $i .config
Arch=`head -1 .config | cut -b 3-`
+
+ # Handle StarlingX Cloud customizations. Use -n to match oldnoconfig below. We want this before
+ # the make line below so that the one below removes any dependencies of ones that we
+ # turn off here. We also want it before "make listnewconfig" so that we can set the
+ # config option for new configs introduced in the StarlingX Cloud patches.
+ if [ -f ${i}.tis_extra ]; then
+ scripts/kconfig/merge_config.sh -m -n .config ${i}.tis_extra
+ fi
+
make %{?cross_opts} ARCH=$Arch listnewconfig | grep -E '^CONFIG_' >.newoptions || true
%if %{listnewconfig_fail}
if [ -s .newoptions ]; then
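Review bot: Nothing checks that the options from `${i}.tis_extra` actually survive: `merge_config.sh -m` only concatenates and warns on conflicts, and the hunk's own comment says the `make` that follows prunes options whose dependencies are off, so a hardening symbol with an unmet dependency is dropped silently while `listnewconfig` only reports new symbols. Add a check after the prune step (the `make ... oldnoconfig` that follows this hunk) that every `CONFIG_*=` line of the fragment is still present in `.config`, and quote `"${i}.tis_extra"` while here. The `for i in *.config` loop continues past the end of the hunk.
```spec
  # … unchanged: merge_config.sh call, listnewconfig check, make oldnoconfig …
  # Fail loudly if the prune step dropped or changed any tis_extra option
  if [ -f "${i}.tis_extra" ]; then
    grep -E '^CONFIG_[A-Za-z0-9_]+=' "${i}.tis_extra" | while IFS= read -r opt; do
      grep -qxF -- "$opt" .config || { echo "tis_extra option not applied: $opt" >&2; exit 1; }
    done || exit 1
  fi
```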
@@ -894,12 +923,13 @@ BuildKernel() {
# and now to start the build process
- make %{?cross_opts} -s mrproper
+ make -j"%(nproc)" %{?cross_opts} -s mrproper
cp %{SOURCE11} . # x509.genkey
cp %{SOURCE12} . # extra_certificates
cp %{SOURCE15} . # rheldup3.x509
cp %{SOURCE16} . # rhelkpatch1.x509
+ cp %{SOURCE30001} . # ima_signing_key.pub
cp configs/$Config .config
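Review bot: `cp %{SOURCE30001} . # ima_signing_key.pub` drops the key into the build tree, but nothing in this patch consumes it; presumably a CONFIG option in the tis_extra fragment references the file by name, and without that cross-reference a future cleanup can remove the cp and only break at kernel build or boot time. Extend the trailing comment to name the consumer, e.g. `# ima_signing_key.pub: referenced by CONFIG_<option> in kernel-3.10.0-x86_64.config.tis_extra`, with the real option filled in. BuildKernel() continues on both sides of this hunk.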
@@ -914,8 +944,8 @@ BuildKernel() {
fi
%endif
- make -s %{?cross_opts} ARCH=$Arch oldnoconfig >/dev/null
- make -s %{?cross_opts} ARCH=$Arch V=1 %{?_smp_mflags} KCFLAGS="%{?kcflags}" WITH_GCOV="%{?with_gcov}" $MakeTarget %{?sparse_mflags}
+ make -s -j"%(nproc)" %{?cross_opts} ARCH=$Arch oldnoconfig >/dev/null
+ make -s -j"%(nproc)" %{?cross_opts} ARCH=$Arch V=1 %{?_smp_mflags} KCFLAGS="%{?kcflags}" WITH_GCOV="%{?with_gcov}" $MakeTarget %{?sparse_mflags}
if [ "$Flavour" != "kdump" ]; then
make -s %{?cross_opts} ARCH=$Arch V=1 %{?_smp_mflags} KCFLAGS="%{?kcflags}" WITH_GCOV="%{?with_gcov}" modules %{?sparse_mflags} || exit 1
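Review bot: The new `make -s -j"%(nproc)" ... %{?_smp_mflags} ... $MakeTarget` line passes two job-count flags whenever `_smp_mflags` is defined (on RHEL it normally expands to `-jN`), and GNU make honours the last one, so `-j"%(nproc)"` is dead on that line and only takes effect where `_smp_mflags` is absent; that is misleading to read and makes the parallelism depend on macro order. Pick one mechanism per line: drop `-j"%(nproc)"` where `%{?_smp_mflags}` is already present, or replace `%{?_smp_mflags}` consistently. Note also that `%(nproc)` is evaluated once at spec-parse time on the build host, which is fine but worth a one-line comment. BuildKernel() continues on both sides of this hunk.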
@@ -939,6 +969,8 @@ BuildKernel() {
fi
# EFI SecureBoot signing, x86_64-only
%ifarch x86_64
+ cp $KernelImage vmlinuz.unsigned
+ $CopyKernel vmlinuz.unsigned $RPM_BUILD_ROOT/%{image_install_path}/vmlinuz.unsigned
%pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE14} -n %{pesign_name}
mv $KernelImage.signed $KernelImage
%endif
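Review bot: `cp $KernelImage vmlinuz.unsigned` followed by `$CopyKernel vmlinuz.unsigned $RPM_BUILD_ROOT/%{image_install_path}/vmlinuz.unsigned` publishes the pre-pesign kernel image into `/boot` on any node that installs the new `unsigned` subpackage, and neither the comment here nor the package description says what it is for or that it must not be installed on production nodes; a Secure Boot node will refuse it, but on a non-SB node it is a bootable kernel outside the signed chain. Add a comment stating the consumer (e.g. a downstream re-signing step, if that is the purpose) and carry the same warning into the `unsigned` package %description; quote `"$KernelImage"` and `"$RPM_BUILD_ROOT/%{image_install_path}/vmlinuz.unsigned"` while here. BuildKernel() continues on both sides of this hunk.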
@@ -955,7 +987,7 @@ BuildKernel() {
if [ "$Flavour" != "kdump" ]; then
# Override $(mod-fw) because we don't want it to install any firmware
# we'll get it from the linux-firmware package and we don't want conflicts
- make -s %{?cross_opts} %{?_smp_mflags} ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_install KERNELRELEASE=$KernelVer mod-fw=
+ make -s -j"%(nproc)" %{?cross_opts} %{?_smp_mflags} ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_install KERNELRELEASE=$KernelVer mod-fw=
%if %{with_gcov}
# install gcov-needed files to $BUILDROOT/$BUILD/...:
# gcov_info->filename is absolute path
@@ -965,7 +997,7 @@ BuildKernel() {
%endif
fi
%ifarch %{vdso_arches}
- make -s %{?cross_opts} ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT vdso_install KERNELRELEASE=$KernelVer
+ make -s -j"%(nproc)" %{?cross_opts} ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT vdso_install KERNELRELEASE=$KernelVer
if [ ! -s ldconfig-kernel.conf ]; then
echo > ldconfig-kernel.conf "\
# Placeholder file, no vDSO hwcap entries used in this kernel."
@@ -1174,6 +1206,12 @@ BuildKernel() {
cp signing_key.priv signing_key.priv.sign${Flavour:+.${Flavour}}
cp signing_key.x509 signing_key.x509.sign${Flavour:+.${Flavour}}
+ # STX: Copy these keys as part of the devel package
+ # The Module signing keys are to ensure that only Out-of-tree
+ # built against the StarlingX Kernel get signed and loaded sans warnings
+ cp signing_key.priv ${RPM_BUILD_ROOT}/lib/modules/${KernelVer}/build/
+ cp signing_key.x509 ${RPM_BUILD_ROOT}/lib/modules/${KernelVer}/build/
+
# remove files that will be auto generated by depmod at rpm -i time
for i in alias alias.bin builtin.bin ccwmap dep dep.bin ieee1394map inputmap isapnpmap ofmap pcimap seriomap symbols symbols.bin usbmap softdep devname
do
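Review bot: `cp signing_key.priv ${RPM_BUILD_ROOT}/lib/modules/${KernelVer}/build/` ships the module-signing private key in the kernel-devel payload, so anyone who can obtain that RPM can sign modules this kernel trusts as its own, and module signature enforcement (if CONFIG_MODULE_SIG_FORCE or a lockdown policy is relied on) no longer distinguishes vendor-built modules from attacker-built ones; the comment states the goal but not this consequence. If distributing the key is the accepted trade-off, record that explicitly in the comment, install it with restricted permissions (`install -m 0600 signing_key.priv ${RPM_BUILD_ROOT}/lib/modules/${KernelVer}/build/`), and confirm the devel package's %files entry does not make it world-readable; otherwise sign out-of-tree modules in the build pipeline and ship only `signing_key.x509`. BuildKernel() continues on both sides of this hunk.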
@@ -1234,15 +1272,15 @@ make %{?cross_opts} %{?_smp_mflags} -C tools/power/cpupower CPUFREQ_BENCH=false
%endif
%ifarch x86_64
pushd tools/power/x86/x86_energy_perf_policy/
- make
+ make -j"%(nproc)"
popd
pushd tools/power/x86/turbostat
- make
+ make -j"%(nproc)"
popd
%endif #turbostat/x86_energy_perf_policy
%endif
pushd tools
-make tmon
+make -j"%(nproc)" tmon
popd
%endif
@@ -1536,6 +1574,10 @@ fi}\
%{expand:\
%{_sbindir}/new-kernel-pkg --package kernel%{?-v:-%{-v*}} --install %{KVRA}%{?-v:.%{-v*}} || exit $?\
}\
+# If this is a pkg upgrade (ie installed as a patch), set the reboot flag\
+if [ $1 -gt 1 ] ; then\
+ touch /var/run/node_is_patched_rr\
+fi\
%{nil}
#
@@ -1756,6 +1798,11 @@ fi
%kernel_variant_files %{with_debug} debug
%kernel_variant_files %{with_kdump} kdump
+%ifarch x86_64
+%files unsigned
+/boot/vmlinuz.unsigned
+%endif
+
%changelog
* Mon Jun 17 2019 CentOS Sources <bugs@centos.org> - 3.10.0-957.21.3.el7
- Apply debranding changes
--
1.8.3.1