Release linux (4.13.4-2).
-----BEGIN PGP SIGNATURE-----
iQKmBAABCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlnjY8RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E05EP/2gI2pOyeOjGAzSiu/SRd5mHcLfRJkqE
osob+C8dJsWQdgWLtO1SQkRYybBuBoujSVAo9X6pezI6OBmcKbJc8eAejWYVPtL8
pSI7OomkTyx6AP7EKfe89kpgf4Qe8QOYrXukW050RcE78fCm3icznACeubY9ET9T
s7+DAGWWkJpHO3rIErNxgJFMEibpKsIIcrUOIZrSsZwpQTlh7KV8tozIBiE8l135
ocZKaGGqBQcTIWX7gVjcdpBNacxcFghRHodFCwrrv9wFvAg/s+0TN1YQXSucitQH
Cp9iO4McDeQxDvcSQyBhQmlCxcL/+JxnfosJmabBvwn7L45dGm+pbsGviIG86tyM
O7fNs82xdMxCFc9CIXKrE3hAk+mjXuMiUc7mha3/1+cS/Di444N5djXmvj8D84pu
i/pp6D8zWNe/imid9sFH/txst3sgsSvlf77W3HXxZqJ5GOLzluApSX2eptpDRI1Q
E/RU2R2T/NPTChroHsZr5QZ6iV/YS2F9E0YYAQcDuWNXS9Ey7nK+gjKqa7/5B6n1
STtT0HMD0fcAfvWN1rk9mudm6ZNYgLpjYKtFsaFf/K4I5f4fIhvnCbnnFgKMA3Qx
rcLh201dG1fGwQ2EpiD5S0pqn7iYEP2d9vHzo363l20FyfQ8jgGt7dNfceEuiCSs
O+EKuTohhEJH
=juOG
-----END PGP SIGNATURE-----
Merge tag 'debian/4.13.4-2'
Release linux (4.13.4-2).
commit 146583d59c
@ -37,6 +37,28 @@ linux (4.14~rc3-1~exp1) experimental; urgency=medium
-- Ben Hutchings <ben@decadent.org.uk> Mon, 02 Oct 2017 04:47:08 +0100

linux (4.13.4-2) unstable; urgency=medium

[ Ben Hutchings ]
* [armhf,arm64] thermal: Enable BCM2835_THERMAL as module (Closes: #877699)

[ Salvatore Bonaccorso ]
* brcmfmac: add length check in brcmf_cfg80211_escan_handler()
(CVE-2017-0786)
* [powerpc*] Use emergency stack for kernel TM Bad Thing program
(CVE-2017-1000255)
* [powerpc*] Fix illegal TM state in signal handler
* mac80211: fix deadlock in driver-managed RX BA session start.
Thanks to Eric Côté (Closes: #878092)
* KEYS: prevent KEYCTL_READ on negative key (CVE-2017-12192)
* waitid(): Add missing access_ok() checks (CVE-2017-5123)
* ALSA: seq: Fix use-after-free at creating a port (CVE-2017-15265)
* [x86] KVM: nVMX: update last_nonleaf_level when initializing nested EPT
(CVE-2017-12188)
* [x86] KVM: MMU: always terminate page walks at level 1 (CVE-2017-12188)

-- Salvatore Bonaccorso <carnil@debian.org> Sun, 15 Oct 2017 08:57:36 +0200

linux (4.13.4-1) unstable; urgency=medium

* New upstream stable update:
@ -757,6 +757,11 @@ CONFIG_CPU_THERMAL=y
CONFIG_HISI_THERMAL=m
CONFIG_QCOM_SPMI_TEMP_ALARM=m

##
## file: drivers/thermal/broadcom/Kconfig
##
CONFIG_BCM2835_THERMAL=m

##
## file: drivers/thermal/qcom/Kconfig
##
@ -1062,6 +1062,11 @@ CONFIG_SPI_SPIDEV=y
CONFIG_ROCKCHIP_THERMAL=m
CONFIG_ARMADA_THERMAL=y

##
## file: drivers/thermal/broadcom/Kconfig
##
CONFIG_BCM2835_THERMAL=m

##
## file: drivers/thermal/tegra/Kconfig
##
debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch (new file, vendored, 141 lines)
@ -0,0 +1,141 @@
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 9 Oct 2017 11:09:20 +0200
Subject: ALSA: seq: Fix use-after-free at creating a port
Origin: https://git.kernel.org/linus/71105998845fb012937332fe2e806d443c09e026
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15265

There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.
Meanwhile, snd_seq_ioctl_create_port() still calls the function
snd_seq_system_client_ev_port_start() with the created port object
that is being deleted, and this triggers use-after-free like:

BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
___slab_alloc+0x425/0x460
__slab_alloc+0x20/0x40
kmem_cache_alloc_trace+0x150/0x190
snd_seq_create_port+0x94/0x9b0 [snd_seq]
snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
__slab_free+0x204/0x310
kfree+0x15f/0x180
port_delete+0x136/0x1a0 [snd_seq]
snd_seq_delete_port+0x235/0x350 [snd_seq]
snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
snd_seq_ioctl+0x40/0x80 [snd_seq]
do_vfs_ioctl+0x54b/0xda0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x16/0x75
Call Trace:
[<ffffffff81b03781>] dump_stack+0x63/0x82
[<ffffffff81531b3b>] print_trailer+0xfb/0x160
[<ffffffff81536db4>] object_err+0x34/0x40
[<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
[<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
[<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
[<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
[<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
[<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
[<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
[<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
[<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
.....

We may fix this in a few different ways, and in this patch, it's fixed
simply by taking the refcount properly at snd_seq_create_port() and
letting the caller unref the object after use. Also, there is another
potential use-after-free by sprintf() call in snd_seq_create_port(),
and this is moved inside the lock.

This fix covers CVE-2017-15265.

Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/seq/seq_clientmgr.c | 6 +++++-
sound/core/seq/seq_ports.c | 7 +++++--
2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index ea2d0ae85bd3..6c9cba2166d9 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
struct snd_seq_port_info *info = arg;
struct snd_seq_client_port *port;
struct snd_seq_port_callback *callback;
+ int port_idx;

/* it is not allowed to create the port for an another client */
if (info->addr.client != client->number)
@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
return -ENOMEM;

if (client->type == USER_CLIENT && info->kernel) {
- snd_seq_delete_port(client, port->addr.port);
+ port_idx = port->addr.port;
+ snd_seq_port_unlock(port);
+ snd_seq_delete_port(client, port_idx);
return -EINVAL;
}
if (client->type == KERNEL_CLIENT) {
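Review bot: the order of the three new lines in this hunk is load-bearing and deserves a comment. `port_idx = port->addr.port;` has to be read before `snd_seq_port_unlock(port);`, because once our reference is dropped a concurrent delete may free the port, and the unlock has to come before `snd_seq_delete_port(client, port_idx);`, which (given that the unlock was deliberately hoisted above it) evidently waits for the use count to reach zero and would otherwise block on our own reference. Suggest a one-liner such as `/* drop our ref first: delete waits for the use count to hit zero */` so the next person does not "simplify" it back to `snd_seq_delete_port(client, port->addr.port)`.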
@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)

snd_seq_set_port_info(port, info);
snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
+ snd_seq_port_unlock(port);

return 0;
}
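Review bot: the `snd_seq_port_unlock(port);` added here covers only the success path. Between the `snd_seq_create_port()` call and this line sit the `client->type == USER_CLIENT && info->kernel` branch (handled in the previous hunk) and the `client->type == KERNEL_CLIENT` branch, whose body is outside the diff context; every early `return` in that elided region now also has to unlock the port first, otherwise its use count never drops back to zero and a later delete of that port blocks forever. Please confirm there are none, or restructure with a single `out:` label that does the unlock.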
diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
index 0a7020c82bfc..d21ece9f8d73 100644
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp)
}


-/* create a port, port number is returned (-1 on failure) */
+/* create a port, port number is returned (-1 on failure);
+ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
+ */
struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
int port)
{
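Review bot: the comment being edited is stale in a way worth fixing while you are here: it still says "port number is returned (-1 on failure)", but the signature directly below returns `struct snd_seq_client_port *`, and the `return -ENOMEM;` just above the first seq_clientmgr.c hunk shows the caller testing the pointer, not a number. Suggest `/* create a port; returns the new port (NULL on failure) with a reference held, which the caller must drop via snd_seq_port_unlock() */` so the new ownership rule and the actual return type are both stated.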
@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
snd_use_lock_init(&new_port->use_lock);
port_subs_info_init(&new_port->c_src);
port_subs_info_init(&new_port->c_dest);
+ snd_use_lock_use(&new_port->use_lock);

num = port >= 0 ? port : 0;
mutex_lock(&client->ports_mutex);
@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
list_add_tail(&new_port->list, &p->list);
client->num_ports++;
new_port->addr.port = num; /* store the port number in the port */
+ sprintf(new_port->name, "port-%d", num);
write_unlock_irqrestore(&client->ports_lock, flags);
mutex_unlock(&client->ports_mutex);
- sprintf(new_port->name, "port-%d", num);

return new_port;
}
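Review bot: moving `sprintf(new_port->name, "port-%d", num);` under `ports_lock` is the right call, since after `list_add_tail()` the port is visible to any reader of the client's port list and would otherwise be observed with an uninitialised name; while touching the line, prefer `snprintf(new_port->name, sizeof(new_port->name), "port-%d", num)` so the write is bounded by the field's size rather than by the assumption that a formatted int always fits.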
--
2.11.0

debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch (new file, vendored, 79 lines)
@ -0,0 +1,79 @@
From: Cyril Bur <cyrilbur@gmail.com>
Date: Thu, 17 Aug 2017 20:42:26 +1000
Subject: powerpc/64s: Use emergency stack for kernel TM Bad Thing program
checks
Origin: https://git.kernel.org/linus/265e60a170d0a0ecfc2d20490134ed2c48dd45ab
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000255

When using transactional memory (TM), the CPU can be in one of six
states as far as TM is concerned, encoded in the Machine State
Register (MSR). Certain state transitions are illegal and if attempted
trigger a "TM Bad Thing" type program check exception.

If we ever hit one of these exceptions it's treated as a bug, ie. we
oops, and kill the process and/or panic, depending on configuration.

One case where we can trigger a TM Bad Thing, is when returning to
userspace after a system call or interrupt, using RFID. When this
happens the CPU first restores the user register state, in particular
r1 (the stack pointer) and then attempts to update the MSR. However
the MSR update is not allowed and so we take the program check with
the user register state, but the kernel MSR.

This tricks the exception entry code into thinking we have a bad
kernel stack pointer, because the MSR says we're coming from the
kernel, but r1 is pointing to userspace.

To avoid this we instead always switch to the emergency stack if we
take a TM Bad Thing from the kernel. That way none of the user
register values are used, other than for printing in the oops message.

This is the fix for CVE-2017-1000255.

Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
[mpe: Rewrite change log & comments, tweak asm slightly]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/exceptions-64s.S | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
index 48da0f5d2f7f..b82586c53560 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -734,7 +734,29 @@ EXC_REAL(program_check, 0x700, 0x100)
EXC_VIRT(program_check, 0x4700, 0x100, 0x700)
TRAMP_KVM(PACA_EXGEN, 0x700)
EXC_COMMON_BEGIN(program_check_common)
- EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
+ /*
+ * It's possible to receive a TM Bad Thing type program check with
+ * userspace register values (in particular r1), but with SRR1 reporting
+ * that we came from the kernel. Normally that would confuse the bad
+ * stack logic, and we would report a bad kernel stack pointer. Instead
+ * we switch to the emergency stack if we're taking a TM Bad Thing from
+ * the kernel.
+ */
+ li r10,MSR_PR /* Build a mask of MSR_PR .. */
+ oris r10,r10,0x200000@h /* .. and SRR1_PROGTM */
+ and r10,r10,r12 /* Mask SRR1 with that. */
+ srdi r10,r10,8 /* Shift it so we can compare */
+ cmpldi r10,(0x200000 >> 8) /* .. with an immediate. */
+ bne 1f /* If != go to normal path. */
+
+ /* SRR1 had PR=0 and SRR1_PROGTM=1, so use the emergency stack */
+ andi. r10,r12,MSR_PR; /* Set CR0 correctly for label */
+ /* 3 in EXCEPTION_PROLOG_COMMON */
+ mr r10,r1 /* Save r1 */
+ ld r1,PACAEMERGSP(r13) /* Use emergency stack */
+ subi r1,r1,INT_FRAME_SIZE /* alloc stack frame */
+ b 3f /* Jump into the macro !! */
+1: EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
bl save_nvgprs
RECONCILE_IRQ_STATE(r10, r11)
addi r3,r1,STACK_FRAME_OVERHEAD
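Review bot: `b 3f /* Jump into the macro !! */` couples this code to a numeric local label inside EXCEPTION_PROLOG_COMMON, and `andi. r10,r12,MSR_PR` exists only to pre-set CR0 the way that label expects; nothing at the macro definition says so. Either add a matching comment on label 3 in the macro ("also entered directly from program_check_common, with CR0 set by andi. r10,r12,MSR_PR and r10 holding the old r1") or give the entry a named label, so that a future renumbering of the macro's locals cannot silently break the TM Bad Thing path. The mask trick itself checks out: `srdi r10,r10,8` is there because 0x200000 does not fit cmpldi's 16-bit immediate, and after the shift the compare can match only with PR=0 and SRR1_PROGTM=1.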
--
2.11.0

debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch (new file, vendored, 62 lines)
@ -0,0 +1,62 @@
From: Gustavo Romero <gromero@linux.vnet.ibm.com>
Date: Tue, 22 Aug 2017 17:20:09 -0400
Subject: powerpc/tm: Fix illegal TM state in signal handler
Origin: https://git.kernel.org/linus/044215d145a7a8a60ffa8fdc859d110a795fa6ea

Currently it's possible that on returning from the signal handler
through the restore_tm_sigcontexts() code path (e.g. from a signal
caught due to a `trap` instruction executed in the middle of an HTM
block, or a deliberately constructed sigframe) an illegal TM state
(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
implicitly the MSR register from SRR1 register on return to userspace
it causes a TM Bad Thing exception.

That illegal state can be set (a) by a malicious user that disables
the TM bit by tweaking the bits in uc_mcontext before returning from
the signal handler or (b) by a sufficient number of context switches
occurring such that the load_tm counter overflows and TM is disabled
whilst in the signal handler.

This commit fixes the illegal TM state by ensuring that TM bit is
always enabled before we return from restore_tm_sigcontexts(). A small
comment correction is made as well.

Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/signal_64.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index c83c115858c1..b2c002993d78 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
if (MSR_TM_RESV(msr))
return -EINVAL;

- /* pull in MSR TM from user context */
+ /* pull in MSR TS bits from user context */
regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);

+ /*
+ * Ensure that TM is enabled in regs->msr before we leave the signal
+ * handler. It could be the case that (a) user disabled the TM bit
+ * through the manipulation of the MSR bits in uc_mcontext or (b) the
+ * TM bit was disabled because a sufficient number of context switches
+ * happened whilst in the signal handler and load_tm overflowed,
+ * disabling the TM bit. In either case we can end up with an illegal
+ * TM state leading to a TM Bad Thing when we return to userspace.
+ */
+ regs->msr |= MSR_TM;
+
/* pull in MSR LE from user context */
regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);

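Review bot: `regs->msr |= MSR_TM;` is unconditional, so it also runs when the TS bits taken from the user context are 00 (no transaction). That is a legal MSR state (TM=1, TS=00), and since restore_tm_sigcontexts() is only reached for a sigframe that carried TM state it does not undo lazy TM enabling for ordinary processes, but the comment should say so; as written a reader may wonder whether the bit should be forced only when `msr & MSR_TS_MASK` is non-zero. Note also that the guard at the top of the hunk, `if (MSR_TM_RESV(msr)) return -EINVAL;`, is what keeps user-supplied TS values out of the reserved encoding; the new line closes only the TM=0 case.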
--
2.11.0

@ -0,0 +1,47 @@
From: Kees Cook <keescook@chromium.org>
Date: Mon, 9 Oct 2017 11:36:52 -0700
Subject: waitid(): Add missing access_ok() checks
Origin: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5123

Adds missing access_ok() checks.

CVE-2017-5123

Reported-by: Chris Salls <chrissalls5@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
Cc: stable@kernel.org # 4.13
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
kernel/exit.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/kernel/exit.c b/kernel/exit.c
index f2cd53e92147..cf28528842bc 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1610,6 +1610,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
if (!infop)
return err;

+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+ goto Efault;
+
user_access_begin();
unsafe_put_user(signo, &infop->si_signo, Efault);
unsafe_put_user(0, &infop->si_errno, Efault);
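Review bot: the new `goto Efault;` fires before `user_access_begin();`, so the `Efault:` label (outside this hunk) will run `user_access_end()` without a matching begin. On x86 that is a stray CLAC and harmless, but it deserves either a comment or a direct `return -EFAULT;` here so the begin/end pairing stays obvious to the next reader. The check itself is mandatory rather than belt-and-braces: `unsafe_put_user()` does no range check of its own, so without `access_ok(VERIFY_WRITE, infop, sizeof(*infop))` a user-supplied `infop` pointing into kernel memory is simply written through; the compat hunk below needs the identical check for the same reason.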
@@ -1735,6 +1738,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
if (!infop)
return err;

+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+ goto Efault;
+
user_access_begin();
unsafe_put_user(signo, &infop->si_signo, Efault);
unsafe_put_user(0, &infop->si_errno, Efault);
--
2.15.0.rc0
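The check the waitid() patch above adds can be exercised from userspace without touching kernel memory on a fixed kernel. The C program below is an added regression probe written for this page; it is not part of Kees Cook's patch or of the Debian package. It forks a child, reaps it with waitid() through a valid siginfo_t, then repeats the call with a deliberately invalid infop in the kernel half of the address space (the 0xffff...ffff0000 address is an arbitrary assumption; any address above TASK_SIZE serves). On a kernel with the access_ok() check the second call fails with EFAULT before any unsafe_put_user() runs; on a kernel without it the write would be attempted at that address.

```c
/* waitid_access_ok_probe.c: added regression probe for the access_ok()
 * check in sys_waitid().  Not part of the patch; assumptions are marked. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that exits at once and reap it with waitid(), handing the
 * kernel the caller's infop.  Returns 0 on success, else the errno value. */
static int waitid_with_infop(siginfo_t *infop)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0)
        _exit(0);
    if (waitid(P_PID, (id_t)pid, infop, WEXITED) < 0)
        return errno;
    return 0;
}

/* Assumed invalid target (not from the patch): an address in the kernel
 * half of the address space.  access_ok(VERIFY_WRITE, ...) must reject it
 * before the unsafe_put_user() sequence starts. */
static siginfo_t *kernel_half_pointer(void)
{
    return (siginfo_t *)(~(uintptr_t)0 - 0xffffu);
}

int main(void)
{
    siginfo_t good;
    memset(&good, 0, sizeof good);

    int rc_good = waitid_with_infop(&good);
    int rc_bad = waitid_with_infop(kernel_half_pointer());

    printf("valid infop:       rc=%d si_signo=%d si_code=%d si_status=%d\n",
           rc_good, good.si_signo, good.si_code, good.si_status);
    printf("kernel-half infop: rc=%d (%s)\n", rc_bad,
           rc_bad ? strerror(rc_bad) : "no error: range check is missing");

    /* Exit 0 only when the fixed behaviour (EFAULT) is observed. */
    return (rc_good == 0 && rc_bad == EFAULT) ? 0 : 1;
}
```

The probe uses a real child so that waitid() has something to report and reaches the siginfo copy-out on every implementation; the child is reaped by the kernel before the copy-out, so the EFAULT result leaves no zombie behind.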
debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch (new file, vendored, 83 lines)
@ -0,0 +1,83 @@
From: Ladi Prosek <lprosek@redhat.com>
Date: Thu, 5 Oct 2017 11:10:23 +0200
Subject: KVM: MMU: always terminate page walks at level 1
Origin: https://git.kernel.org/linus/829ee279aed43faa5cb1e4d65c0cad52f2426c53
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188

is_last_gpte() is not equivalent to the pseudo-code given in commit
6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect
value of last_nonleaf_level may override the result even if level == 1.

It is critical for is_last_gpte() to return true on level == 1 to
terminate page walks. Otherwise memory corruption may occur as level
is used as an index to various data structures throughout the page
walking code. Even though the actual bug would be wherever the MMU is
initialized (as in the previous patch), be defensive and ensure here
that is_last_gpte() returns the correct value.

This patch is also enough to fix CVE-2017-12188.

Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2
Cc: stable@vger.kernel.org
Cc: Andy Honig <ahonig@google.com>
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
[Panic if walk_addr_generic gets an incorrect level; this is a serious
bug and it's not worth a WARN_ON where the recovery path might hide
further exploitable issues; suggested by Andrew Honig. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/mmu.c | 14 +++++++-------
arch/x86/kvm/paging_tmpl.h | 3 ++-
2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 3c25f20115bc..7a69cf053711 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3974,19 +3974,19 @@ static inline bool is_last_gpte(struct kvm_mmu *mmu,
unsigned level, unsigned gpte)
{
/*
- * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
- * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
- * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
- */
- gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
-
- /*
* The RHS has bit 7 set iff level < mmu->last_nonleaf_level.
* If it is clear, there are no large pages at this level, so clear
* PT_PAGE_SIZE_MASK in gpte if that is the case.
*/
gpte &= level - mmu->last_nonleaf_level;

+ /*
+ * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
+ * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
+ * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
+ */
+ gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
+
return gpte & PT_PAGE_SIZE_MASK;
}

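Review bot: this reorder guarantees only that a level-1 walk terminates; it does not make the large-page decision correct for levels above 1, because `gpte &= level - mmu->last_nonleaf_level;` still consumes last_nonleaf_level, and a stale zero there (the root cause addressed by the companion nVMX patch) still clears the page-size bit at every level. That matches the commit message's "be defensive" framing, but the comment above `gpte |= level - PT_PAGE_TABLE_LEVEL - 1;` should state that this step must stay last, since the ordering is the whole fix. It is also worth a word that the arithmetic relies on `level` being `unsigned`: for level == 1 the right-hand side wraps to all ones, which is how bit 7 gets set.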
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 86b68dc5a649..f18d1f8d332b 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -334,10 +334,11 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
--walker->level;

index = PT_INDEX(addr, walker->level);
-
table_gfn = gpte_to_gfn(pte);
offset = index * sizeof(pt_element_t);
pte_gpa = gfn_to_gpa(table_gfn) + offset;
+
+ BUG_ON(walker->level < 1);
walker->table_gfn[walker->level - 1] = table_gfn;
walker->pte_gpa[walker->level - 1] = pte_gpa;

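Review bot: `BUG_ON(walker->level < 1);` sits after `index = PT_INDEX(addr, walker->level);` and the table_gfn/offset/pte_gpa computations rather than immediately after `--walker->level;` at the top of the hunk. None of those intermediate lines index an array, so nothing unsafe happens before the check, but placing it directly after the decrement would establish the invariant ("level never reaches 0 inside the walk") at the point where it is created and keep a bogus level out of PT_INDEX altogether. The choice of BUG_ON over WARN_ON is explained in the bracketed sign-off note and is the right one for a value used as an index into `walker->table_gfn[]` and `walker->pte_gpa[]`.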
--
2.11.0
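To see why the order of the two masking steps in is_last_gpte() matters, here is an added, self-contained C model of both orderings. It is not KVM code: the two helpers transcribe the before and after bodies of the function from the hunk above, with PT_PAGE_TABLE_LEVEL and PT_PAGE_SIZE_MASK given their x86 values (1, and bit 7) as an assumption, and the harness around them is new. It enumerates last_nonleaf_level values and counts how often a level-1 walk would fail to terminate: the pre-patch ordering fails for last_nonleaf_level 0 and 1 (the stale-zero case the commit message describes), the post-patch ordering never does, and both orderings agree on the large-page decision for levels 2 to 4.

```c
/* is_last_gpte_order.c: added model of the two orderings in is_last_gpte().
 * Not KVM code; the two constants are assumed from arch/x86/kvm/mmu.h. */
#include <stdbool.h>
#include <stdio.h>

#define PT_PAGE_TABLE_LEVEL 1u          /* level 1 = leaf page table */
#define PT_PAGE_SIZE_MASK   (1u << 7)   /* PS bit in a guest PTE */

/* Pre-patch body: the level-1 terminator is applied first and then masked
 * by (level - last_nonleaf_level), which can undo it. */
static bool is_last_gpte_old(unsigned last_nonleaf_level, unsigned level, unsigned gpte)
{
    gpte |= level - PT_PAGE_TABLE_LEVEL - 1;   /* all ones when level == 1 */
    gpte &= level - last_nonleaf_level;        /* bit 7 clear iff level >= last_nonleaf_level */
    return gpte & PT_PAGE_SIZE_MASK;
}

/* Post-patch body: mask first, then force the level-1 terminator last. */
static bool is_last_gpte_new(unsigned last_nonleaf_level, unsigned level, unsigned gpte)
{
    gpte &= level - last_nonleaf_level;
    gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
    return gpte & PT_PAGE_SIZE_MASK;
}

typedef bool (*last_gpte_fn)(unsigned, unsigned, unsigned);

/* How many last_nonleaf_level values in [0, max_lnl] make a level-1 walk
 * continue instead of terminating?  A correct implementation returns 0. */
static unsigned level1_nonterminating(last_gpte_fn fn, unsigned max_lnl)
{
    unsigned bad = 0;
    for (unsigned lnl = 0; lnl <= max_lnl; lnl++)
        if (!fn(lnl, PT_PAGE_TABLE_LEVEL, 0))   /* PTE without the PS bit */
            bad++;
    return bad;
}

/* Do the two orderings agree on large-page detection at levels 2..4 for
 * every last_nonleaf_level in [0, max_lnl], with and without the PS bit? */
static bool agree_above_level1(unsigned max_lnl)
{
    for (unsigned lnl = 0; lnl <= max_lnl; lnl++)
        for (unsigned level = 2; level <= 4; level++)
            for (unsigned ps = 0; ps <= 1; ps++) {
                unsigned gpte = ps ? PT_PAGE_SIZE_MASK : 0;
                if (is_last_gpte_old(lnl, level, gpte) != is_last_gpte_new(lnl, level, gpte))
                    return false;
            }
    return true;
}

int main(void)
{
    printf("level-1 walks that fail to terminate (last_nonleaf_level 0..5): old=%u new=%u\n",
           level1_nonterminating(is_last_gpte_old, 5),
           level1_nonterminating(is_last_gpte_new, 5));
    printf("orderings agree for levels 2..4: %s\n",
           agree_above_level1(5) ? "yes" : "no");
    return 0;
}
```

The interesting case is last_nonleaf_level == 0 with level == 1: the old body first sets every bit (level - 2 wraps to all ones), then ANDs with 1 - 0 = 1, which clears bit 7 and tells the walker to descend below the last level; the new body ANDs first and only then ORs in the all-ones terminator, so bit 7 survives whatever last_nonleaf_level holds.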
debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch (new file, vendored, 34 lines)
@ -0,0 +1,34 @@
From: Ladi Prosek <lprosek@redhat.com>
Date: Thu, 5 Oct 2017 11:10:22 +0200
Subject: KVM: nVMX: update last_nonleaf_level when initializing nested EPT
Origin: https://git.kernel.org/linus/fd19d3b45164466a4adce7cbff448ba9189e1427
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188

The function updates context->root_level but didn't call
update_last_nonleaf_level so the previous and potentially wrong value
was used for page walks. For example, a zero value of last_nonleaf_level
would allow a potential out-of-bounds access in arch/x86/mmu/paging_tmpl.h's
walk_addr_generic function (CVE-2017-12188).

Fixes: 155a97a3d7c78b46cef6f1a973c831bc5a4f82bb
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/mmu.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 106d4a029a8a..3c25f20115bc 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -4555,6 +4555,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,

update_permission_bitmask(vcpu, context, true);
update_pkru_bitmask(vcpu, context, true);
+ update_last_nonleaf_level(vcpu, context);
reset_rsvds_bits_mask_ept(vcpu, context, execonly);
reset_ept_shadow_zero_bits_mask(vcpu, context, execonly);
}
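Review bot: `update_last_nonleaf_level(vcpu, context);` must run after `context->root_level` has been assigned (the commit message says this function sets it, and last_nonleaf_level is derived from it), but the hunk shows only the tail of kvm_init_shadow_ept_mmu(), so the assignment is out of view; please confirm the ordering. Consider also a comment on update_last_nonleaf_level() itself noting that every MMU initialisation path that writes root_level has to call it, since this CVE was exactly one such path being missed.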
--
2.11.0

@ -112,6 +112,12 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch

# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
bugfix/all/waitid-Add-missing-access_ok-checks.patch
bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch

# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
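Review bot: the six files added here cover the powerpc, waitid, ALSA and KVM entries of the 4.13.4-2 changelog, but that changelog also claims fixes for brcmfmac (CVE-2017-0786), mac80211 and KEYS (CVE-2017-12192), none of which appear in this hunk; since the hunk shows only the "# Security fixes" block of the series file, they are either listed elsewhere in it or missing from this upload, so please cross-check. The nVMX patch is correctly ordered ahead of the MMU one, matching the upstream commits it mirrors (fd19d3b4 before 829ee279), which is required because the MMU patch's index line expects the tree state the nVMX patch produces.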