kernel: disable AX25 amateur radio protocol support in response to CVE-2024-35887 (#12553)

CVE-2024-35887 is a vulnerability discovered in the ax25 code. Since we
don't support amateur radios, it is better to fully disable this feature
and lower the attack surface area.

Signed-off-by: Chris Co <chrco@microsoft.com>

Author: christopherco

SPECS-SIGNED/kernel-azure-signed/kernel-azure-signed.spec

@@ -10,7 +10,7 @@
 Summary:        Signed Linux Kernel for Azure
 Name:           kernel-azure-signed-%{buildarch}
 Version:        5.15.176.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Sat Feb 22 2025 Chris Co <chrco@microsoft.com> - 5.15.176.3-3
+- Bump to match kernel-azure spec
+
 * Tue Feb 11 2025 Rachel Menge <rachelmenge@microsoft.com> - 5.15.176.3-2
 - Bump release to match kernel-azure
 

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -10,7 +10,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
 Version:        5.15.176.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld
 
 %changelog
+* Sat Feb 22 2025 Chris Co <chrco@microsoft.com> - 5.15.176.3-3
+- Bump release to match kernel
+
 * Tue Feb 11 2025 Rachel Menge <rachelmenge@microsoft.com> - 5.15.176.3-2
 - Bump release to match kernel
 

SPECS/kernel-azure/config_aarch64

@@ -1785,22 +1785,7 @@ CONFIG_HAMRADIO=y
 #
 # Packet Radio protocols
 #
-CONFIG_AX25=m
-CONFIG_AX25_DAMA_SLAVE=y
-CONFIG_NETROM=m
-CONFIG_ROSE=m
-
-#
-# AX.25 network device drivers
-#
-CONFIG_MKISS=m
-CONFIG_6PACK=m
-CONFIG_BPQETHER=m
-CONFIG_BAYCOM_SER_FDX=m
-CONFIG_BAYCOM_SER_HDX=m
-CONFIG_YAM=m
-# end of AX.25 network device drivers
-
+# CONFIG_AX25 is not set
 CONFIG_CAN=m
 CONFIG_CAN_RAW=m
 CONFIG_CAN_BCM=m

SPECS/kernel-azure/kernel-azure.signatures.json

@@ -2,7 +2,7 @@
   "Signatures": {
     "cbl-mariner-ca-20211013-20230216.pem": "228046d92ccb7d268cf4f195425c0f990afa00a968cc940fb1df4629fb7a6765",
     "config": "709587c5500af8f805ecfbd62b49c64a1e2c9ce21e1f0e09e992508f96663bd5",
-    "config_aarch64": "afe6c84516359cdb227e1316c944ea84deda2cf20ef3e8e3264edcf653d03476",
+    "config_aarch64": "dee6946a414d8d82990b9509e0f41ed490c071fcd560cf6b34234b0994b62064",
     "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
     "kernel-5.15.176.3.tar.gz": "d7a029ae0897929f983b89aa902897adcd057028206818014fa7648a854581a3"
   }

SPECS/kernel-azure/kernel-azure.spec

@@ -28,7 +28,7 @@
 Summary:        Linux Kernel
 Name:           kernel-azure
 Version:        5.15.176.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -420,6 +420,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Sat Feb 22 2025 Chris Co <chrco@microsoft.com> - 5.15.176.3-3
+- Disable AX25 Amateur Radio protocol support
+
 * Tue Feb 11 2025 Rachel Menge <rachelmenge@microsoft.com> - 5.15.176.3-2
 - Append 20230216 key to CBL-Mariner key
 

SPECS/kernel-headers/kernel-headers.spec

@@ -12,7 +12,7 @@
 Summary:        Linux API header files
 Name:           kernel-headers
 Version:        5.15.176.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -73,6 +73,9 @@ done
 %endif
 
 %changelog
+* Sat Feb 22 2025 Chris Co <chrco@microsoft.com> - 5.15.176.3-3
+- Bump release to match kernel
+
 * Tue Feb 11 2025 Rachel Menge <rachelmenge@microsoft.com> - 5.15.176.3-2
 - Bump release to match kernel
 

SPECS/kernel/config_aarch64

@@ -1786,22 +1786,7 @@ CONFIG_HAMRADIO=y
 #
 # Packet Radio protocols
 #
-CONFIG_AX25=m
-CONFIG_AX25_DAMA_SLAVE=y
-CONFIG_NETROM=m
-# CONFIG_ROSE is not set
-
-#
-# AX.25 network device drivers
-#
-CONFIG_MKISS=m
-CONFIG_6PACK=m
-CONFIG_BPQETHER=m
-CONFIG_BAYCOM_SER_FDX=m
-CONFIG_BAYCOM_SER_HDX=m
-CONFIG_YAM=m
-# end of AX.25 network device drivers
-
+# CONFIG_AX25 is not set
 CONFIG_CAN=m
 CONFIG_CAN_RAW=m
 CONFIG_CAN_BCM=m

SPECS/kernel/kernel.signatures.json

@@ -2,7 +2,7 @@
   "Signatures": {
     "cbl-mariner-ca-20211013-20230216.pem": "228046d92ccb7d268cf4f195425c0f990afa00a968cc940fb1df4629fb7a6765",
     "config": "c6c28fba7ee15b5dd9cd75006350eb2fe3cb2f907fde4511f102c3c8edf8c370",
-    "config_aarch64": "dfba0705205a5fc33d55bdc29db56c6aac9803b9d72bd44b4e15d187b747d899",
+    "config_aarch64": "3ea6095b7f26f0b179cc6502f0cc0e1c5ee54898a07c45fa1d549e25e8cfa608",
     "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
     "kernel-5.15.176.3.tar.gz": "d7a029ae0897929f983b89aa902897adcd057028206818014fa7648a854581a3"
   }

SPECS/kernel/kernel.spec

@@ -28,7 +28,7 @@
 Summary:        Linux Kernel
 Name:           kernel
 Version:        5.15.176.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -426,6 +426,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Sat Feb 22 2025 Chris Co <chrco@microsoft.com> - 5.15.176.3-3
+- Disable AX25 Amateur Radio protocol support
+
 * Tue Feb 11 2025 Rachel Menge <rachelmenge@microsoft.com> - 5.15.176.3-2
 - Append 20230216 key to CBL-Mariner key
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -1,5 +1,5 @@
 filesystem-1.1-20.cm2.aarch64.rpm
-kernel-headers-5.15.176.3-2.cm2.noarch.rpm
+kernel-headers-5.15.176.3-3.cm2.noarch.rpm
 glibc-2.35-7.cm2.aarch64.rpm
 glibc-devel-2.35-7.cm2.aarch64.rpm
 glibc-i18n-2.35-7.cm2.aarch64.rpm