debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

Update to 4.8.14

This commit is contained in:
Salvatore Bonaccorso 2016-12-12 19:50:34 +01:00
parent 9382fc4d92
commit 14a852ee64
7 changed files with 47 additions and 386 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
debian/changelog vendored
View File

@ -1,4 +1,4 @@
linux (4.8.13-1) UNRELEASED; urgency=medium
linux (4.8.14-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.12
@ -71,6 +71,52 @@ linux (4.8.13-1) UNRELEASED; urgency=medium
IPI
- [arm64] mm: Set PSTATE.PAN from the cpu_enable_pan() call
- [arm64] suspend: Reconfigure PSTATE after resume from idle
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.14
- gro_cells: mark napi struct as not busy poll candidates
- virtio-net: add a missing synchronize_net()
- [armhf] net: dsa: b53: Fix VLAN usage and how we treat CPU port
- net: check dead netns for peernet2id_alloc()
- ip6_tunnel: disable caching when the traffic class is inherited
- net: sky2: Fix shutdown crash
- af_unix: conditionally use freezable blocking calls in read
- rtnetlink: fix FDB size computation
- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
- rtnl: fix the loop index update error in rtnl_dump_ifinfo()
- ipv6: bump genid when the IFA_F_TENTATIVE flag is clear
- udplite: call proper backlog handlers
- [armhf] net: dsa: bcm_sf2: Ensure we re-negotiate EEE during after link
change
- net, sched: respect rcu grace period on cls destruction
- [armhf] net: dsa: fix unbalanced dsa_switch_tree reference counting
- net/sched: pedit: make sure that offset is valid
- netlink: Call cb->done from a worker thread
- netlink: Do not schedule work from sk_destruct
- net/dccp: fix use-after-free in dccp_invalid_packet
- GSO: Reload iph after pskb_may_pull
- packet: fix race condition in packet_set_ring (CVE-2016-8655)
- ip6_offload: check segs for NULL in ipv6_gso_segment.
- cdc_ether: Fix handling connection notification
- tipc: check minimum bearer MTU (CVE-2016-8632)
- geneve: avoid use-after-free of skb->data
- net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (CVE-2016-9793)
- net: ping: check minimum size on ICMP header length (CVE-2016-8399)
- ipv4: Restore fib_trie_flush_external function and fix call ordering
- ipv4: Fix memory leak in exception case for splitting tries
- ipv4: Drop leaf from suffix pull/push functions
- ipv4: Drop suffix update from resize code
- [sparc64] Fix find_node warning if numa node cannot be found
- [sparc64] fix compile warning section mismatch in find_node()
- [sparc] Fix inverted invalid_frame_pointer checks on sigreturns
- constify iov_iter_count() and iter_is_iovec()
- Don't feed anything but regular iovec's to blk_rq_map_user_iov
(CVE-2016-9576)
- ipv6: Set skb->protocol properly for local output
- ipv4: Set skb->protocol properly for local output
- Revert: "ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in
ip6_tnl_xmit()"
- flowcache: Increase threshold for refusing new allocations
- esp4: Fix integrity verification when ESN are used
- esp6: Fix integrity verification when ESN are used
[ Uwe Kleine-König ]
* [armhf] dts: armada-385: add support for Turris Omnia
@ -80,13 +126,8 @@ linux (4.8.13-1) UNRELEASED; urgency=medium
(Closes: #845611)
[ Salvatore Bonaccorso ]
* tipc: check minimum bearer MTU (CVE-2016-8632)
* packet: fix race condition in packet_set_ring (CVE-2016-8655)
* net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (CVE-2016-9793)
* Add ABI reference for 4.8.0-2
* Ignore ABI changes in KVM
* net: ping: check minimum size on ICMP header length (CVE-2016-8399)
* Don't feed anything but regular iovec's to blk_rq_map_user_iov (CVE-2016-9576)
* net: handle no dst on skb in icmp6_send (CVE-2016-9919)
* [rt] Update to 4.8.11-rt7

41
debian/patches/bugfix/all/Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch vendored
View File

@ -1,41 +0,0 @@
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Tue, 6 Dec 2016 16:18:14 -0800
Subject: Don't feed anything but regular iovec's to blk_rq_map_user_iov
Origin: https://git.kernel.org/linus/a0ac402cfcdc904f9772e1762b3fda112dcc56a0
In theory we could map other things, but there's a reason that function
is called "user_iov". Using anything else (like splice can do) just
confuses it.
Reported-and-tested-by: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
block/blk-map.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/block/blk-map.c b/block/blk-map.c
index b8657fa..27fd8d92 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
struct iov_iter i;
int ret;
+ if (!iter_is_iovec(iter))
+ goto fail;
+
if (map_data)
copy = true;
else if (iov_iter_alignment(iter) & align)
@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
unmap_rq:
__blk_rq_unmap_user(bio);
+fail:
rq->bio = NULL;
return -EINVAL;
}
--
2.1.4

49
debian/patches/bugfix/all/net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch vendored
View File

@ -1,49 +0,0 @@
From: Eric Dumazet <edumazet@google.com>
Date: Fri, 2 Dec 2016 09:44:53 -0800
Subject: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
Origin: https://git.kernel.org/linus/b98b0bc8c431e3ceb4b26b0dfc8db509518fb290
CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...
Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.
This needs to be backported to all known linux kernels.
Again, many thanks to syzkaller team for discovering this gem.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/core/sock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/sock.c b/net/core/sock.c
index 5e3ca41..00a074d 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -715,7 +715,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
val = min_t(u32, val, sysctl_wmem_max);
set_sndbuf:
sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
+ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
/* Wake up sending tasks if we upped the value. */
sk->sk_write_space(sk);
break;
@@ -751,7 +751,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
* returning the value we actually used in getsockopt
* is the most desirable behavior.
*/
- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
+ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
break;
case SO_RCVBUFFORCE:
--
2.1.4

71
debian/patches/bugfix/all/net-ping-check-minimum-size-on-ICMP-header-length.patch vendored
View File

@ -1,71 +0,0 @@
From: Kees Cook <keescook@chromium.org>
Date: Mon, 5 Dec 2016 10:34:38 -0800
Subject: net: ping: check minimum size on ICMP header length
Origin: https://git.kernel.org/linus/0eab121ef8750a5c8637d51534d5e9143fb0633f
Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
was no check that the iovec contained enough bytes for an ICMP header,
and the read loop would walk across neighboring stack contents. Since the
iov_iter conversion, bad arguments are noticed, but the returned error is
EFAULT. Returning EINVAL is a clearer error and also solves the problem
prior to v3.19.
This was found using trinity with KASAN on v3.18:
BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
Read of size 8 by task trinity-c2/9623
page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
[< inline >] print_address_description mm/kasan/report.c:147
[< inline >] kasan_report_error mm/kasan/report.c:236
[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
[< inline >] check_memory_region mm/kasan/kasan.c:264
[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
[< inline >] __sock_sendmsg_nosec net/socket.c:624
[< inline >] __sock_sendmsg net/socket.c:632
[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
[< inline >] SYSC_sendto net/socket.c:1797
[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
CVE-2016-8399
Reported-by: Qidan He <i@flanker017.me>
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipv4/ping.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 205e200..96b8e2b 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -657,6 +657,10 @@ int ping_common_sendmsg(int family, struct msghdr *msg, size_t len,
if (len > 0xFFFF)
return -EMSGSIZE;
+ /* Must have at least a full ICMP header. */
+ if (len < icmph_len)
+ return -EINVAL;
+
/*
* Check the flags.
*/
--
2.1.4

92
debian/patches/bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch vendored
View File

@ -1,92 +0,0 @@
From: Philip Pettersson <philip.pettersson@gmail.com>
Date: Wed, 30 Nov 2016 14:55:36 -0800
Subject: packet: fix race condition in packet_set_ring
Origin: https://git.kernel.org/linus/84ac7260236a49c79eede91617700174c2c19b0c
When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.
This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.
The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/packet/af_packet.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index d2238b2..dd23323 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
if (optlen != sizeof(val))
return -EINVAL;
- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
- return -EBUSY;
if (copy_from_user(&val, optval, sizeof(val)))
return -EFAULT;
switch (val) {
case TPACKET_V1:
case TPACKET_V2:
case TPACKET_V3:
- po->tp_version = val;
- return 0;
+ break;
default:
return -EINVAL;
}
+ lock_sock(sk);
+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+ ret = -EBUSY;
+ } else {
+ po->tp_version = val;
+ ret = 0;
+ }
+ release_sock(sk);
+ return ret;
}
case PACKET_RESERVE:
{
@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
/* Added to avoid minimal code churn */
struct tpacket_req *req = &req_u->req;
+ lock_sock(sk);
/* Opening a Tx-ring is NOT supported in TPACKET_V3 */
if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
net_warn_ratelimited("Tx-ring is not supported.\n");
@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
goto out;
}
- lock_sock(sk);
/* Detach socket from network */
spin_lock(&po->bind_lock);
@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
if (!tx_ring)
prb_shutdown_retire_blk_timer(po, rb_queue);
}
- release_sock(sk);
if (pg_vec)
free_pg_vec(pg_vec, order, req->tp_block_nr);
out:
+ release_sock(sk);
return err;
}
--
2.1.4

122
debian/patches/bugfix/all/tipc-check-minimum-bearer-MTU.patch vendored
View File

@ -1,122 +0,0 @@
From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= <mkubecek@suse.cz>
Date: Fri, 2 Dec 2016 09:33:41 +0100
Subject: tipc: check minimum bearer MTU
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/3de81b758853f0b29c61e246679d20b513c4cfec
Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.
As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.
Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/tipc/bearer.c | 11 +++++++++--
net/tipc/bearer.h | 13 +++++++++++++
net/tipc/udp_media.c | 5 +++++
3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 975dbeb..52d7476 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -421,6 +421,10 @@ int tipc_enable_l2_media(struct net *net, struct tipc_bearer *b,
dev = dev_get_by_name(net, driver_name);
if (!dev)
return -ENODEV;
+ if (tipc_mtu_bad(dev, 0)) {
+ dev_put(dev);
+ return -EINVAL;
+ }
/* Associate TIPC bearer with L2 bearer */
rcu_assign_pointer(b->media_ptr, dev);
@@ -610,8 +614,6 @@ static int tipc_l2_device_event(struct notifier_block *nb, unsigned long evt,
if (!b)
return NOTIFY_DONE;
- b->mtu = dev->mtu;
-
switch (evt) {
case NETDEV_CHANGE:
if (netif_carrier_ok(dev))
@@ -624,6 +626,11 @@ static int tipc_l2_device_event(struct notifier_block *nb, unsigned long evt,
tipc_reset_bearer(net, b);
break;
case NETDEV_CHANGEMTU:
+ if (tipc_mtu_bad(dev, 0)) {
+ bearer_disable(net, b);
+ break;
+ }
+ b->mtu = dev->mtu;
tipc_reset_bearer(net, b);
break;
case NETDEV_CHANGEADDR:
diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
index 78892e2f..278ff7f 100644
--- a/net/tipc/bearer.h
+++ b/net/tipc/bearer.h
@@ -39,6 +39,7 @@
#include "netlink.h"
#include "core.h"
+#include "msg.h"
#include <net/genetlink.h>
#define MAX_MEDIA 3
@@ -59,6 +60,9 @@
#define TIPC_MEDIA_TYPE_IB 2
#define TIPC_MEDIA_TYPE_UDP 3
+/* minimum bearer MTU */
+#define TIPC_MIN_BEARER_MTU (MAX_H_SIZE + INT_H_SIZE)
+
/**
* struct tipc_media_addr - destination address used by TIPC bearers
* @value: address info (format defined by media)
@@ -215,4 +219,13 @@ void tipc_bearer_xmit(struct net *net, u32 bearer_id,
void tipc_bearer_bc_xmit(struct net *net, u32 bearer_id,
struct sk_buff_head *xmitq);
+/* check if device MTU is too low for tipc headers */
+static inline bool tipc_mtu_bad(struct net_device *dev, unsigned int reserve)
+{
+ if (dev->mtu >= TIPC_MIN_BEARER_MTU + reserve)
+ return false;
+ netdev_warn(dev, "MTU too low for tipc bearer\n");
+ return true;
+}
+
#endif /* _TIPC_BEARER_H */
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index 78cab9c..b58dc95 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -697,6 +697,11 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
udp_conf.local_ip.s_addr = htonl(INADDR_ANY);
udp_conf.use_udp_checksums = false;
ub->ifindex = dev->ifindex;
+ if (tipc_mtu_bad(dev, sizeof(struct iphdr) +
+ sizeof(struct udphdr))) {
+ err = -EINVAL;
+ goto err;
+ }
b->mtu = dev->mtu - sizeof(struct iphdr)
- sizeof(struct udphdr);
#if IS_ENABLED(CONFIG_IPV6)
--
2.1.4

5
debian/patches/series vendored
View File

@ -102,11 +102,6 @@ bugfix/all/fs-Give-dentry-to-inode_change_ok-instead-of-inode.patch
bugfix/all/fs-Avoid-premature-clearing-of-capabilities.patch
bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch
bugfix/all/mnt-Add-a-per-mount-namespace-limit-on-the-number-of.patch
bugfix/all/tipc-check-minimum-bearer-MTU.patch
bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
bugfix/all/net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
bugfix/all/net-ping-check-minimum-size-on-ICMP-header-length.patch
bugfix/all/Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
bugfix/all/net-handle-no-dst-on-skb-in-icmp6_send.patch
# ABI maintenance