Add upstream fixes for various information leaks
parent
59fd45aa71
commit
08942bb065
|
@ -95,6 +95,10 @@ linux (4.5.5-1) UNRELEASED; urgency=medium
|
|||
- mmap: Fix use-after-free in remap_file_pages(2)
|
||||
* Revert "stmmac: Fix 'eth0: No PHY found' regression" (Closes: #823493)
|
||||
* [x86] kvm:vmx: more complete state update on APICv on/off (CVE-2016-4440)
|
||||
* USB: usbfs: fix potential infoleak in devio (CVE-2016-4482)
|
||||
* ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (CVE-2016-4569)
|
||||
* ALSA: timer: Fix leak in events via snd_timer_user_ccallback or
|
||||
snd_timer_user_tinterrupt (CVE-2016-4578)
|
||||
|
||||
[ Roger Shimizu ]
|
||||
* armhf: Enable SENSORS_PWM_FAN / PWM_SAMSUNG as module, as recommended by
|
||||
|
|
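--- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
@@ -0,0 +1,28 @@
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: [1/2] ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+sound/core/timer.c | 1 +
+1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1247,6 +1247,7 @@ static void snd_timer_user_ccallback(str
+tu->tstamp = *tstamp;
+if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+return;
++ memset(&r1, 0, sizeof(r1));
+r1.event = event;
+r1.tstamp = *tstamp;
+r1.val = resolution;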
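--- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
@@ -0,0 +1,28 @@
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: [2/2] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/e4ec8cc8039a7063e24204299b462bd1383184a5
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+sound/core/timer.c | 1 +
+1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1290,6 +1290,7 @@ static void snd_timer_user_tinterrupt(st
+}
+if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+tu->last_resolution != resolution) {
++ memset(&r1, 0, sizeof(r1));
+r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+r1.tstamp = tstamp;
+r1.val = resolution;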
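Review bot: The added `memset(&r1, 0, sizeof(r1));` sits inside the `tu->last_resolution != resolution` branch, so `r1` is cleared only when a resolution event is about to be queued. snd_timer_user_tinterrupt begins before and continues after this hunk; if a later path in it fills `r1` and queues it without having gone through this branch, that record would still carry uninitialised stack padding to the reader. Zeroing once at function entry, directly after the declaration of `r1`, would cover every path that queues it, so the remainder of the function is worth checking against the upstream tree before relying on this patch alone.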
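--- a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
@@ -0,0 +1,28 @@
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/cec8f96e49d9be372fdb0c3836dcf31ec71e457e
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+sound/core/timer.c | 1 +
+1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1755,6 +1755,7 @@ static int snd_timer_user_params(struct
+if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+if (tu->tread) {
+struct snd_timer_tread tread;
++ memset(&tread, 0, sizeof(tread));
+tread.event = SNDRV_TIMER_EVENT_EARLY;
+tread.tstamp.tv_sec = 0;
+tread.tstamp.tv_nsec = 0;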
|
@ -0,0 +1,36 @@
|
|||
From: Kangjie Lu <kangjielu@gmail.com>
|
||||
Date: Tue, 3 May 2016 16:32:16 -0400
|
||||
Subject: USB: usbfs: fix potential infoleak in devio
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/linus/681fef8380eb818c0b845fca5d2ab1dcbab114ee
|
||||
|
||||
The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
|
||||
are padding bytes which are not initialized and leaked to userland
|
||||
via “copy_to_user”.
|
||||
|
||||
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/usb/core/devio.c | 9 +++++----
|
||||
1 file changed, 5 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/drivers/usb/core/devio.c
|
||||
+++ b/drivers/usb/core/devio.c
|
||||
@@ -1186,10 +1186,11 @@ static int proc_getdriver(struct usb_dev
|
||||
|
||||
static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
|
||||
{
|
||||
- struct usbdevfs_connectinfo ci = {
|
||||
- .devnum = ps->dev->devnum,
|
||||
- .slow = ps->dev->speed == USB_SPEED_LOW
|
||||
- };
|
||||
+ struct usbdevfs_connectinfo ci;
|
||||
+
|
||||
+ memset(&ci, 0, sizeof(ci));
|
||||
+ ci.devnum = ps->dev->devnum;
|
||||
+ ci.slow = ps->dev->speed == USB_SPEED_LOW;
|
||||
|
||||
if (copy_to_user(arg, &ci, sizeof(ci)))
|
||||
return -EFAULT;
|
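Review bot: Nothing in proc_connectinfo records why `ci` is now filled with `memset()` plus two assignments instead of the designated initializer it replaces, and the old form looks tidier, so a later cleanup could quietly bring the leak back. A designated initializer is not required to clear padding bytes, and the whole object, padding included, goes through `copy_to_user(arg, &ci, sizeof(ci))`. A one-line comment above the memset would pin the intent: `/* memset, not an initializer: padding must be zero before copy_to_user() */`. The same reasoning applies to the three `memset()` calls added to sound/core/timer.c by the ALSA patches on this page. The function's closing lines are outside the hunk.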
|
@ -137,9 +137,13 @@ bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
|
|||
bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
|
||||
bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch
|
||||
bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch
|
||||
bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
|
||||
bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
|
||||
bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
|
||||
bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
|
||||
bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
|
||||
|
||||
# ABI maintenance
|
||||
bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
|
||||
debian/ib-fix-abi-change-in-4.5.3.patch
|
||||
debian/v4l2-fix-abi-changes-in-4.5.3.patch
|
||||
debian/cgroup-fix-abi-change-in-4.5.3.patch
|
||||
|
|
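Review bot: `bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch` appears twice in this section, once at the end of the bugfix list and once directly under `# ABI maintenance`. The +/- markers are lost on this page, but the hunk counts (9 old lines, 13 new, 14 shown) fit one removal and five additions, which suggests the entry was moved out of the ABI block rather than duplicated. The commit title covers only the information-leak fixes, so that reordering should be mentioned in the description or split into its own commit, since the position in the series file determines patch apply order.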