Read-only source code mirror; Proxmox uses a mailing-list workflow for development.
4c390211d8
CVE-2017-1000364 (rather bugfix for the original CVE fix):
 * mm/mmap.c: expand_downwards: don't require the gap if !vm_prev
 * mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
CVE-2017-1000365: fs/exec.c: account for argv/envp pointers
CVE-2017-10810: drm/virtio: don't leak bo on drm_gem_object_init failure
CVE-2017-7482: rxrpc: Fix several cases where a padded len isn't checked in ticket decode

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Files in this tree:

proxmox-ve
submodules
.gitignore
.gitmodules
0001-netfilter-nft_set_rbtree-handle-re-addition-element-.patch
abi-blacklist
abi-check
abi-previous
bridge-patch.diff
ceph-scheduler-fix.patch
cgroup-cpuset-add-cpuset.remap_cpus.patch
changelog.Debian
control.in
control.tools
copyright
CVE-2014-9900-net-Zeroing-the-structure-ethtool_wolinfo-in-ethtool.patch
CVE-2017-7346-drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_.patch
CVE-2017-7482-rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
CVE-2017-9605-drm-vmwgfx-Make-sure-backup_handle-is-always-valid.patch
CVE-2017-10810-drm-virtio-don-t-leak-bo-on-drm_gem_object_init-fail.patch
CVE-2017-1000364-mm-mmap.c-do-not-blow-on-PROT_NONE-MAP_FIXED-holes-i.patch
CVE-2017-1000364-mm-mmap.c-expand_downwards-don-t-require-the-gap-if-.patch
CVE-2017-1000365-fs-exec.c-account-for-argv-envp-pointers.patch
CVE-2017-1000380-ALSA-timer-Fix-missing-queue-indices-reset-at-SNDRV_.patch
CVE-2017-1000380-ALSA-timer-Fix-race-between-read-and-ioctl.patch
find-firmware.pl
fwlist-previous
headers-control.in
headers-postinst.in
kvm-dynamic-halt-polling-disable-default.patch
Makefile
override_for_missing_acs_capabilities.patch
postinst.in
postrm.in
prerm.in
README
uname-version-timestamp.patch
README
======

KERNEL SOURCE:
==============

We currently use the Ubuntu kernel sources, available from:

  http://kernel.ubuntu.com/git/ubuntu/ubuntu-xenial.git/

Ubuntu will maintain those kernels till:

  https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Additional/Updated Modules:
---------------------------

- include latest e1000e driver from intel/sourceforge
- include latest ixgbe driver from intel/sourceforge
- include latest igb driver from intel/sourceforge

# Note: hpsa does not compile with kernel 3.19.8
#- include latest HPSA driver (HP Smart Array)
#
#  * http://sourceforge.net/projects/cciss/

- include native OpenZFS filesystem kernel modules for Linux

  * https://github.com/zfsonlinux/

  For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ

- include latest DRBD 9 driver, see http://drbd.linbit.com/home/what-is-drbd/

FIRMWARE:
=========

We create our own firmware package, which includes the firmware for all
proxmox-ve kernels. So far this includes:

  pve-kernel-2.6.18
  pve-kernel-2.6.24
  pve-kernel-2.6.32
  pve-kernel-3.10.0
  pve-kernel-3.19.0

We use 'find-firmware.pl' to extract lists of required firmware files.
The script 'assemble-firmware.pl' is used to read those lists and copy
the files from various source directories into a target directory.

We do not include firmware for some wireless HW when there is a separate
Debian package for that, for example:

  zd1211-firmware
  atmel-firmware
  bluez-firmware

PATCHES:
--------

bridge-patch.diff:

  Avoid bridge problems with changing MAC; see also:
  http://forum.openvz.org/index.php?t=msg&th=5291

  Behaviour after 2.6.27 has changed slightly: after setting the MAC
  address of the bridge device, the address won't change. So we could
  omit that patch, requiring to set hwaddress in /etc/network/interfaces.

Watchdog blacklist
------------------

By default, all watchdog modules are blacklisted because it is totally
undefined which device is actually used for /dev/watchdog.

We ship this list in /lib/modprobe.d/blacklist_pve-kernel-<VERSION>.conf

The user typically edits /etc/modules to enable a specific watchdog device.

Additional information
----------------------

We use the default configuration provided by Ubuntu, and apply the
following modifications (see Makefile, PVE_CONFIG_OPTS):

- enable CONFIG_CEPH_FS=m (request from user)

- enable common CONFIG_BLK_DEV_XXX to avoid hardware detection problems
  (udev, update-initramfs have serious problems without that)

    CONFIG_BLK_DEV_SD=y
    CONFIG_BLK_DEV_SR=y
    CONFIG_BLK_DEV_DM=y

- add workaround for Debian bug #807000
  (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807000)

    CONFIG_BLK_DEV_NVME=y

- compile NBD and RBD modules

    CONFIG_BLK_DEV_NBD=m
    CONFIG_BLK_DEV_RBD=m

- set LOOP_MIN_COUNT to 8 (Debian default)

    CONFIG_BLK_DEV_LOOP_MIN_COUNT=8

- disable module signatures (CONFIG_MODULE_SIG)

- enable IBM JFS file system
  This is disabled in the RHEL kernel for no real reason, so we enable it
  as requested by users (bug #64)

- enable Apple HFS and HFSPLUS
  This is disabled in the RHEL kernel for no real reason, so we enable it
  as requested by users

- enable CONFIG_BCACHE=m (requested by user)

- enable CONFIG_BRIDGE=y
  Else we get warnings on boot that net.bridge.bridge-nf-call-iptables
  is an unknown key

- enable CONFIG_DEFAULT_SECURITY_APPARMOR
  We need this for lxc

- set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
  because if not set, dynamic memory or CPU frequency changes can occur
  and VMs can crash (mainly Windows guests). See
  http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273

- use 'deadline' as default scheduler
  This is the suggested setting for KVM. We also measured bad fsync
  performance with ext4 and cfq.

- disable CONFIG_INPUT_EVBUG
  Module evbug is not blacklisted on Debian, so we simply disable it to
  avoid key-event logs (which is a big security problem)

Testing final kernel with kvm
-----------------------------

  kvm -kernel data/boot/vmlinuz-3.19.8-1-pve -initrd initrd.img-3.19.8-1-pve -append "vga=791 video=vesafb:ywrap,mtrr" /dev/zero
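The FIRMWARE section above describes reading lists of required firmware files and copying them from several source directories into one target directory. The following is an added example of that step, not the project's own find-firmware.pl or assemble-firmware.pl; the list format (one relative path per line, '#' comments allowed), the function names and the sample source trees are assumptions constructed for the demo. A file that no source tree provides is reported rather than silently skipped, so the packaging step can fail loudly instead of shipping a kernel whose driver will later fail to load its blob.

```shell
#!/bin/sh
# Added example, not the project's assemble-firmware.pl: read a list of
# required firmware paths and copy each one from the first source tree
# that provides it into a target tree, reporting what no source has.
# The list format (one path per line, '#' comments allowed) and the
# sample trees below are assumptions constructed for this demo.

# assemble_firmware LIST TARGET SRC... -> prints "copied N missing M";
# returns 0 only when every listed file was found in some source tree.
assemble_firmware() {
    list="$1"; target="$2"; shift 2
    copied=0; missing=0
    while IFS= read -r fw || [ -n "$fw" ]; do
        case "$fw" in ''|'#'*) continue ;; esac
        found=""
        for src in "$@"; do
            if [ -f "$src/$fw" ]; then
                found="$src/$fw"
                break
            fi
        done
        if [ -z "$found" ]; then
            echo "missing: $fw" >&2
            missing=$((missing + 1))
            continue
        fi
        mkdir -p "$target/$(dirname "$fw")"
        cp "$found" "$target/$fw"
        copied=$((copied + 1))
    done < "$list"
    echo "copied $copied missing $missing"
    [ "$missing" -eq 0 ]
}

# demo_assemble: constructed sample with two source trees and a list that
# names one file neither tree provides; prints the summary plus the number
# of files that ended up in the target tree.
demo_assemble() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/src1/vendorA" "$tmp/src2/vendorB" "$tmp/out"
    echo "blob-a" > "$tmp/src1/vendorA/one.bin"
    echo "blob-b" > "$tmp/src2/vendorB/two.bin"
    printf '%s\n' "# constructed demo list" "vendorA/one.bin" \
        "vendorB/two.bin" "vendorC/absent.bin" > "$tmp/fwlist"
    summary="$(assemble_firmware "$tmp/fwlist" "$tmp/out" "$tmp/src1" "$tmp/src2" 2>/dev/null || true)"
    n="$(find "$tmp/out" -type f | wc -l | tr -d ' ')"
    rm -rf "$tmp"
    echo "$summary; files in target: $n"
}

demo_assemble
```

In a real build the list would be the output of the firmware-extraction step and the source trees the unpacked firmware packages; the non-zero exit on a missing file is what makes the step usable as a gate in a Makefile.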
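The configuration changes listed under "Additional information" are applied at build time, but the thing a practitioner usually wants is a way to confirm that a built kernel actually carries them, in particular that CONFIG_INPUT_EVBUG is not built and that the expected block-device options are in. The following is an added example, not part of pve-kernel or its Makefile: a small audit over a .config file. The option names are those the README gives; the expectation list, the convention that "n" means "must be disabled" (either "# OPTION is not set" or absent), the function names and the deliberately wrong sample .config are assumptions constructed for this demo.

```shell
#!/bin/sh
# Added example, not part of pve-kernel: audit a kernel .config against
# the PVE_CONFIG_OPTS-style changes listed in the README. Option names
# come from the README; the expectation list, the "n" convention for
# "must be disabled", and the sample .config below are assumptions
# constructed for this demo.

# config_value FILE OPTION -> the option's value ("y", "m", a number, a
# quoted string) or "n" when it is "# OPTION is not set" or absent.
# The "=" in the anchor keeps CONFIG_FOO from matching CONFIG_FOOBAR.
config_value() {
    file="$1"; opt="$2"
    if grep -q "^$opt=" "$file"; then
        sed -n "s/^$opt=//p" "$file" | head -n 1
    else
        echo n
    fi
}

# check_config FILE -> prints "OPTION: want X, have Y" per mismatch;
# returns 0 when every expectation holds, 1 otherwise.
check_config() {
    file="$1"; rc=0
    for spec in \
        CONFIG_CEPH_FS=m \
        CONFIG_BLK_DEV_SD=y CONFIG_BLK_DEV_SR=y CONFIG_BLK_DEV_DM=y \
        CONFIG_BLK_DEV_NVME=y \
        CONFIG_BLK_DEV_NBD=m CONFIG_BLK_DEV_RBD=m \
        CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 \
        CONFIG_MODULE_SIG=n \
        CONFIG_BCACHE=m \
        CONFIG_BRIDGE=y \
        CONFIG_DEFAULT_SECURITY_APPARMOR=y \
        CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y \
        CONFIG_INPUT_EVBUG=n
    do
        opt="${spec%%=*}"; want="${spec#*=}"
        have="$(config_value "$file" "$opt")"
        if [ "$have" != "$want" ]; then
            echo "$opt: want $want, have $have"
            rc=1
        fi
    done
    return "$rc"
}

# demo_check: constructed .config with two deviations from the README
# (Ceph FS not built, evbug built as a module); prints the mismatches.
demo_check() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
CONFIG_BLK_DEV_SD=y
CONFIG_BLK_DEV_SR=y
CONFIG_BLK_DEV_DM=y
CONFIG_BLK_DEV_NVME=y
CONFIG_BLK_DEV_NBD=m
CONFIG_BLK_DEV_RBD=m
CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
# CONFIG_MODULE_SIG is not set
# CONFIG_CEPH_FS is not set
CONFIG_BCACHE=m
CONFIG_BRIDGE=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
CONFIG_INPUT_EVBUG=m
EOF
    check_config "$tmp" || true
    rm -f "$tmp"
}

demo_check
```

On a running Proxmox VE host the natural input is the installed kernel's config, e.g. `check_config /boot/config-$(uname -r)`; a non-zero exit then flags a kernel that does not match the README's stated build options.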