Update to 4.17.4

This updates the debian changelog to list the changes of this stable update. It also removes the patches that have been merged upstream.

Signed-off-by: Romain Perier <romain.perier@gmail.com>

parent 999f952b74, commit 16fe15c366

@ -1,6 +1,239 @@
linux (4.17.3-2) UNRELEASED; urgency=medium
linux (4.17.4-1) UNRELEASED; urgency=medium

* [armhf] DRM: Enable CONFIG_DRM_IMX_PARALLEL_DISPLAY
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.4
- [x86] spectre_v1: Disable compiler optimizations over
array_index_mask_nospec()
- [x86] xen: Add call of speculative_store_bypass_ht_init() to PV paths
- [x86] UV: Add adjustable set memory block size function
- [x86] UV: Use new set memory block size function
- [x86] UV: Add kernel parameter to set memory block size
- [x86] mce: Improve error message when kernel cannot recover
- [x86] mce: Check for alternate indication of machine check recovery on
Skylake
- [x86] mce: Fix incorrect "Machine check from unknown source" message
- [x86] mce: Do not overwrite MCi_STATUS in mce_no_way_out()
- [x86] Call fixup_exception() before notify_die() in math_error()
- [m68k] mm: Adjust VM area to be unmapped by gap size for __iounmap()
- [m68k] mac: Fix SWIM memory resource end address
- hwmon: (k10temp) Add support for Stoney Ridge and Bristol Ridge CPUs
- mtd: spi-nor: intel-spi: Fix atomic sequence handling
- serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version
- signal/xtensa: Consistenly use SIGBUS in do_unaligned_user
- PM / Domains: Fix error path during attach in genpd
- PCI / PM: Do not clear state_saved for devices that remain suspended
- ACPI / LPSS: Avoid PM quirks on suspend and resume from S3
- PM / core: Fix supplier device runtime PM usage counter imbalance
- PM / OPP: Update voltage in case freq == old_freq
- mmc: renesas_sdhi: really fix WP logic regressions
- usb: do not reset if a low-speed or full-speed device timed out
- 1wire: family module autoload fails because of upper/lower case mismatch.
- ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it
- ASoC: cs35l35: Add use_single_rw to regmap config
- ASoC: mediatek: preallocate pages use platform device
- ASoC: cirrus: i2s: Fix LRCLK configuration
- ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup
- thermal: bcm2835: Stop using printk format %pCr
- lib/vsprintf: Remove atomic-unsafe support for %pCr
- ftrace/selftest: Have the reset_trigger code be a bit more careful
- mips: ftrace: fix static function graph tracing
- branch-check: fix long->int truncation when profiling branches
- ipmi:bt: Set the timeout before doing a capabilities check
- Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw
loader
- printk: fix possible reuse of va_list variable
- fuse: fix congested state leak on aborted connections
- fuse: atomic_o_trunc should truncate pagecache
- fuse: don't keep dead fuse_conn at fuse_fill_super().
- fuse: fix control dir setup and teardown
- [powerpc*] mm/hash: Add missing isync prior to kernel stack SLB switch
- [powerpc*] pkeys: Detach execute_only key on !PROT_EXEC
- [powerpc*] ptrace: Fix setting 512B aligned breakpoints with
PTRACE_SET_DEBUGREG
- [powerpc*] perf: Fix memory allocation for core-imc based on
num_possible_cpus()
- [powerpc*] ptrace: Fix enforcement of DAWR constraints
- [powerpc*] powernv/ioda2: Remove redundant free of TCE pages
- [powerpc*] powernv: copy/paste - Mask SO bit in CR
- [powerpc*] powernv/cpuidle: Init all present cpus for deep states
- [powerpc*] cpuidle: powernv: Fix promotion from snooze if next state
disabled
- [powerpc*] fadump: Unregister fadump on kexec down path.
- libnvdimm, pmem: Do not flush power-fail protected CPU caches
- [armhf, arm64] soc: rockchip: power-domain: Fix wrong value when power
up pd with writemask
- [powerpc*] 64s/radix: Fix radix_kvm_prefetch_workaround paca access of not
possible CPU
- [powerpc] e500mc: Set assembler machine type to e500mc
- [powerpc*] 64s: Fix DT CPU features Power9 DD2.1 logic
- cxl: Configure PSL to not use APC virtual machines
- cxl: Disable prefault_mode in Radix mode
- [armhf] 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
- [armhf] dts: Fix SPI node for Arria10
- [armhf] dts: socfpga: Fix NAND controller node compatible
- [armhf] dts: socfpga: Fix NAND controller clock supply
- [armhf] dts: socfpga: Fix NAND controller node compatible for Arria10
- hwrng: core - Always drop the RNG in hwrng_unregister()
- softirq: Reorder trace_softirqs_on to prevent lockdep splat
- [arm64] Fix syscall restarting around signal suppressed by tracer
- [arm64] crypto: arm64/aes-blk - fix and move skcipher_walk_done out of
kernel_neon_begin, _end
- [arm64] kpti: Use early_param for kpti= command-line option
- [arm64] mm: Ensure writes to swapper are ordered wrt subsequent cache
maintenance
- [arm64] dts: marvell: fix CP110 ICU node size
- [arm64] dts: meson: disable sd-uhs modes on the libretech-cc
- [arm64] dts: meson-gx: fix ATF reserved memory region
- of: overlay: validate offset from property fixups
- of: unittest: for strings, account for trailing \0 in property length
field
- of: platform: stop accessing invalid dev in of_platform_device_destroy
- tpm: fix use after free in tpm2_load_context()
- tpm: fix race condition in tpm_common_write()
- efi/libstub/tpm: Initialize efi_physical_addr_t vars to zero for mixed
mode
- IB/qib: Fix DMA api warning with debug kernel
- IB/{hfi1, qib}: Add handling of kernel restart
- IB/mlx4: Mark user MR as writable if actual virtual memory is writable
- IB/core: Make testing MR flags for writability a static inline function
- IB/mlx5: Fetch soft WQE's on fatal error state
- IB/isert: Fix for lib/dma_debug check_sync warning
- IB/isert: fix T10-pi check mask setting
- IB/hfi1: Fix fault injection init/exit issues
- IB/hfi1: Reorder incorrect send context disable
- IB/hfi1: Optimize kthread pointer locking when queuing CQ entries
- IB/hfi1: Fix user context tail allocation for DMA_RTAIL
- IB/uverbs: Fix ordering of ucontext check in ib_uverbs_write
- RDMA/mlx4: Discard unknown SQP work requests
- xprtrdma: Return -ENOBUFS when no pages are available
- RDMA/core: Save kernel caller name when creating CQ using ib_create_cq()
- mtd: rawnand: Do not check FAIL bit when executing a SET_FEATURES op
- mtd: cfi_cmdset_0002: Change write buffer to check correct value
- mtd: rawnand: denali_dt: set clk_x_rate to 200 MHz unconditionally
- mtd: rawnand: fix return value check for bad block status
- mtd: rawnand: mxc: set spare area size register explicitly
- mtd: rawnand: micron: add ONFI_FEATURE_ON_DIE_ECC to supported features
- mtd: rawnand: All AC chips have a broken GET_FEATURES(TIMINGS).
- mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
- mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
- mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
- mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
- clk:aspeed: Fix reset bits for PCI/VGA and PECI
- [x86] PCI: hv: Make sure the bus domain is really unique
- PCI: Add ACS quirk for Intel 7th & 8th Gen mobile
- PCI: Add ACS quirk for Intel 300 series
- PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on
resume
- PCI: Account for all bridges on bus when distributing bus numbers
- auxdisplay: fix broken menu
- pinctrl: armada-37xx: Fix spurious irq management
- pinctrl: samsung: Correct EINTG banks order
- pinctrl: devicetree: Fix pctldev pointer overwrite
- cpufreq: intel_pstate: Fix scaling max/min limits with Turbo 3.0
- [mips*] pb44: Fix i2c-gpio GPIO descriptor table
- [mips*] io: Add barrier after register read in inX()
- time: Make sure jiffies_to_msecs() preserves non-zero time periods
- irqchip/gic-v3-its: Don't bind LPI to unavailable NUMA node
- locking/rwsem: Fix up_read_non_owner() warning with DEBUG_RWSEMS
- X.509: unpack RSA signatureValue field from BIT STRING
- Btrfs: fix return value on rename exchange failure
- iio: adc: ad7791: remove sample freq sysfs attributes
- iio: sca3000: Fix an error handling path in 'sca3000_probe()'
- mm: fix __gup_device_huge vs unmap
- scsi: scsi_debug: Fix memory leak on module unload
- scsi: hpsa: disable device during shutdown
- scsi: qla2xxx: Delete session for nport id change
- scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
- scsi: qla2xxx: Mask off Scope bits in retry delay
- scsi: qla2xxx: Spinlock recursion in qla_target
- scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
- scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
- scsi: zfcp: fix misleading REC trigger trace where erp_action setup
failed
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early
return
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for
ERP_FAILED
- scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
- scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
- linvdimm, pmem: Preserve read-only setting for pmem devices
- libnvdimm, pmem: Unconditionally deep flush on *sync
- [armhf] clk: meson: meson8b: mark fclk_div2 gate clocks as CLK_IS_CRITICAL
- [armhf] rtc: sun6i: Fix bit_idx value for clk_register_gate
- md: fix two problems with setting the "re-add" device state.
- rpmsg: smd: do not use mananged resources for endpoints and channels
- ubi: fastmap: Cancel work upon detach
- ubi: fastmap: Correctly handle interrupted erasures in EBA
- UBIFS: Fix potential integer overflow in allocation
- backlight: as3711_bl: Fix Device Tree node lookup
- backlight: max8925_bl: Fix Device Tree node lookup
- backlight: tps65217_bl: Fix Device Tree node lookup
- Revert "iommu/amd_iommu: Use CONFIG_DMA_DIRECT_OPS=y and
dma_direct_{alloc,free}()"
- f2fs: don't use GFP_ZERO for page caches
- um: Fix initialization of vector queues
- um: Fix raw interface options
- mfd: twl-core: Fix clock initialization
- mfd: intel-lpss: Program REMAP register in PIO mode
- mfd: intel-lpss: Fix Intel Cannon Lake LPSS I2C input clock
- perf tools: Fix symbol and object code resolution for vdso32 and vdsox32
- [x86] perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING
- [x86] perf intel-pt: Fix decoding to accept CBR between FUP and
corresponding TIP
- [x86] perf intel-pt: Fix MTC timing after overflow
- [x86] perf intel-pt: Fix "Unexpected indirect branch" error
- [x86] perf intel-pt: Fix packet decoding of CYC packets
- media: vsp1: Release buffers for each video node
- media: uvcvideo: Support realtek's UVC 1.5 device
- media: cx231xx: Ignore an i2c mux adapter
- media: v4l2-compat-ioctl32: prevent go past max size
- media: cx231xx: Add support for AverMedia DVD EZMaker 7
- media: rc: mce_kbd decoder: fix stuck keys
- media: dvb_frontend: fix locking issues at dvb_frontend_get_event()
- nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
- NFSv4: Fix possible 1-byte stack overflow in
nfs_idmap_read_and_verify_message
- NFSv4: Revert commit 5f83d86cf531d ("NFSv4.x: Fix wraparound issues..")
- NFSv4: Fix a typo in nfs41_sequence_process
- video: uvesafb: Fix integer overflow in allocation
- ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
- Input: silead - add MSSL0002 ACPI HID
- Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID
- pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume
- rbd: flush rbd_dev->watch_dwork after watch is unregistered
- mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm()
- mm: fix devmem_is_allowed() for sub-page System RAM intersections
- xen: Remove unnecessary BUG_ON from __unbind_from_irq()
- net: ethernet: fix suspend/resume in davinci_emac
- udf: Detect incorrect directory size
- Input: xpad - fix GPD Win 2 controller name
- Input: psmouse - fix button reporting for basic protocols
- Input: elan_i2c_smbus - fix more potential stack buffer overflows
- Input: elantech - enable middle button of touchpads on ThinkPad P52
- Input: elantech - fix V4 report decoding for module with middle key
- ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl
- ALSA: hda - Force to link down at runtime suspend on ATI/AMD HDMI
- ALSA: hda/realtek - Fix pop noise on Lenovo P50 & co
- ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210
- ALSA: hda/realtek - Fix the problem of two front mics on more machines
- Revert "i2c: algo-bit: init the bus to a known state"
- i2c: gpio: initialize SCL to HIGH again
- slub: fix failure when we delete and create a slab cache
- kasan: depend on CONFIG_SLUB_DEBUG
- dm: use bio_split() when splitting out the already processed bio
- pmem: only set QUEUE_FLAG_DAX for fsdax mode
- block: Fix transfer when chunk sectors exceeds max
- block: Fix cloning of requests with a special payload
- [x86] e820: put !E820_TYPE_RAM regions into memblock.reserved
- selinux: move user accesses in selinuxfs out of locked regions
- [x86] entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int
$0x80"
- [x86] efi: Fix efi_call_phys_epilog() with CONFIG_X86_5LEVEL=y
- dm zoned: avoid triggering reclaim from inside dmz_map()
- dm thin: handle running out of data space vs concurrent discard

[Sjoerd Simons]
* [armhf] DRM: Enable CONFIG_DRM_IMX_PARALLEL_DISPLAY

-- Sjoerd Simons <sjoerd@debian.org> Wed, 04 Jul 2018 10:25:57 +0200
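Review bot: the "* New upstream stable update:" entry has no attribution block while the only other item in this version sits under "[Sjoerd Simons]" and the commit is signed off by Romain Perier; once a changelog version uses [Name] blocks, every contributor's items should be under one, so either add a "[Romain Perier]" header above the stable-update bullet or drop the "[Sjoerd Simons]" header. Separately, the list contains neither "tracing: Check for no filter when processing event filters" nor "virt: vbox: Only copy_from_user the request-header once", yet this same commit removes the Debian patches carrying those two fixes (CVE-2018-12714 and CVE-2018-12633 per their Bug-Debian-Security headers); if they are part of 4.17.4, add them to the list with their CVE ids so the security tracker can close them against this upload, and if they are not, the patches must stay in series.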

@ -1,61 +0,0 @@
From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
Date: Thu, 21 Jun 2018 13:20:53 -0400
Subject: tracing: Check for no filter when processing event filters
Origin: https://git.kernel.org/linus/70303420b5721c38998cf987e6b7d30cc62d4ff1
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12714

The syzkaller detected an out-of-bounds issue with the events filter code,
specifically here:

prog[N].pred = NULL; /* #13 */
prog[N].target = 1; /* TRUE */
prog[N+1].pred = NULL;
prog[N+1].target = 0; /* FALSE */
-> prog[N-1].target = N;
prog[N-1].when_to_branch = false;

As that's the first reference to a "N-1" index, it appears that the code got
here with N = 0, which means the filter parser found no filter to parse
(which shouldn't ever happen, but apparently it did).

Add a new error to the parsing code that will check to make sure that N is
not zero before going into this part of the code. If N = 0, then -EINVAL is
returned, and an error message is added to the filter.

Cc: stable@vger.kernel.org
Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
Reported-by: air icy <icytxw@gmail.com>
bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
---
kernel/trace/trace_events_filter.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
index e1c818dbc0d7..0dceb77d1d42 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -78,7 +78,8 @@ static const char * ops[] = { OPS };
C(TOO_MANY_PREDS, "Too many terms in predicate expression"), \
C(INVALID_FILTER, "Meaningless filter expression"), \
C(IP_FIELD_ONLY, "Only 'ip' field is supported for function trace"), \
- C(INVALID_VALUE, "Invalid value (did you forget quotes)?"),
+ C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), \
+ C(NO_FILTER, "No filter found"),

#undef C
#define C(a, b) FILT_ERR_##a
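Review bot: the backslash added to the INVALID_VALUE line is load-bearing, not cosmetic: the C(...) entries form one multi-line macro body that is expanded twice (once for the message strings, once under "#define C(a, b) FILT_ERR_##a" for the enum), so without it the new NO_FILTER entry would fall outside both expansions. Appending the entry last, as done here, keeps the existing FILT_ERR_ values unchanged. One wording point: "No filter found" reads like a lookup failure; a message in the style of its neighbours, such as "Empty filter expression", would tell the user what was actually wrong with their input.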
@@ -550,6 +551,13 @@ predicate_parse(const char *str, int nr_parens, int nr_preds,
goto out_free;
}

+ if (!N) {
+ /* No program? */
+ ret = -EINVAL;
+ parse_error(pe, FILT_ERR_NO_FILTER, ptr - str);
+ goto out_free;
+ }
+
prog[N].pred = NULL; /* #13 */
prog[N].target = 1; /* TRUE */
prog[N+1].pred = NULL;
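Review bot: the guard sits immediately before the first use of prog[N-1], which is the right place, since with N == 0 that write lands one element before the array and is the out-of-bounds access the description reports. Two things to confirm against code outside the hunk: the out_free label must cope with a program that has zero predicates allocated (the existing "goto out_free" in the context above suggests the same path already handles partial state), and the offset passed to parse_error, "ptr - str", points at the end of the consumed input, so for an empty filter string the reported position is 0; that is acceptable, but it means the position carries no information for this error and a comment saying so would save the next reader a look.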
@ -1,43 +0,0 @@
From: Wenwen Wang <wang6495@umn.edu>
Date: Tue, 8 May 2018 08:50:28 -0500
Subject: virt: vbox: Only copy_from_user the request-header once
Origin: https://git.kernel.org/linus/bd23a7269834dc7c1f93e83535d16ebc44b75eba
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12633

In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from
the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the
'version', 'size_in', and 'size_out' fields of 'hdr' are verified.

Before this commit, after the checks a buffer for the entire request would
be allocated and then all data including the verified header would be
copied from the userspace 'arg' pointer again.

Given that the 'arg' pointer resides in userspace, a malicious userspace
process can race to change the data pointed to by 'arg' between the two
copies. By doing so, the user can bypass the verifications on the ioctl
argument.

This commit fixes this by using the already checked copy of the header
to fill the header part of the allocated buffer and only copying the
remainder of the data from userspace.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/virt/vboxguest/vboxguest_linux.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/virt/vboxguest/vboxguest_linux.c
+++ b/drivers/virt/vboxguest/vboxguest_linux.c
@@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct
if (!buf)
return -ENOMEM;

- if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
+ *((struct vbg_ioctl_hdr *)buf) = hdr;
+ if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
+ hdr.size_in - sizeof(hdr))) {
ret = -EFAULT;
goto out;
}
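Review bot: "hdr.size_in - sizeof(hdr)" is only safe because of the earlier check that size_in is at least sizeof(hdr), and that check is not in this hunk; a one-line comment at the subtraction (or a local "if (hdr.size_in < sizeof(hdr)) return -EINVAL;" right before it) would stop a later refactor of the header validation from silently turning this into an underflowed length handed to copy_from_user. Also, "(void *)arg + sizeof(hdr)" does arithmetic on a void pointer (a GCC extension the kernel accepts) and, like the existing "(void *)arg" cast on the removed line, drops the __user annotation; "(void __user *)arg + sizeof(hdr)" would keep sparse quiet. The approach itself is the right one: the header bytes in buf now come from the kernel copy that passed validation, so a racing write to userspace between the two fetches can no longer change the fields that were checked.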
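The double fetch described in the patch message above, as an added example that is not part of this Debian commit or of the vboxguest driver: a user-space model in C where "user memory" is a byte array, copy_from_user is a memcpy stand-in, and the racing user thread is a hook fired once between the two fetches. struct ioctl_hdr, check_hdr(), the version constant and the 64-byte size bound are this example's own assumptions, not the driver's; ioctl_entry(..., 0) follows the pre-fix flow (header fetched twice) and ioctl_entry(..., 1) the fixed flow (checked header reused, only the payload fetched again).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the request header: the three fields the patch
 * message says are validated, plus a request type. Not struct vbg_ioctl_hdr. */
struct ioctl_hdr {
    uint32_t size_in;
    uint32_t size_out;
    uint32_t version;
    uint32_t type;
};

#define HDR_VERSION 0x10001u /* assumed: the only version check_hdr() accepts */
#define MAX_REQ     64u      /* assumed: upper bound check_hdr() enforces     */

/* What the rest of the handler would be handed after the entry path. */
struct entry_result {
    int ret;               /* 0 or -errno */
    uint32_t checked_size; /* size_in as validated on the first fetch */
    uint32_t trusted_size; /* size_in found in the kernel buffer afterwards */
};

/* Models a second user thread rewriting the header while the ioctl runs;
 * it fires once, between the first and the second copy from user memory. */
typedef void (*race_hook_t)(unsigned char *user_arg);
static race_hook_t g_race_hook;

/* copy_from_user stand-in: user memory is a plain byte array here. */
static int fake_copy_from_user(void *dst, const unsigned char *user_src, size_t n)
{
    memcpy(dst, user_src, n);
    return 0;
}

static void fire_race_hook(unsigned char *user_arg)
{
    if (g_race_hook) {
        g_race_hook(user_arg);
        g_race_hook = NULL;
    }
}

static int check_hdr(const struct ioctl_hdr *hdr)
{
    if (hdr->version != HDR_VERSION)
        return -EINVAL;
    if (hdr->size_in < sizeof(*hdr) || hdr->size_in > MAX_REQ)
        return -EINVAL;
    if (hdr->size_out < sizeof(*hdr) || hdr->size_out > MAX_REQ)
        return -EINVAL;
    return 0;
}

/* hardened == 0: pre-fix flow, header fetched twice; hardened == 1: the fix. */
static struct entry_result ioctl_entry(unsigned char *user_arg, int hardened)
{
    struct entry_result r = { 0, 0, 0 };
    struct ioctl_hdr hdr;
    unsigned char *buf;

    fake_copy_from_user(&hdr, user_arg, sizeof(hdr)); /* fetch #1 */
    r.ret = check_hdr(&hdr);
    if (r.ret)
        return r;
    r.checked_size = hdr.size_in;

    buf = malloc(hdr.size_in); /* sized from the checked header */
    if (!buf) {
        r.ret = -ENOMEM;
        return r;
    }
    fire_race_hook(user_arg);  /* the racing thread's window */

    if (!hardened) {
        /* Pre-fix: everything, header included, is fetched again (fetch #2). */
        fake_copy_from_user(buf, user_arg, hdr.size_in);
    } else {
        /* Fix: the header that passed check_hdr() is what ends up in buf;
         * the subtraction is safe because check_hdr() bounded size_in below. */
        memcpy(buf, &hdr, sizeof(hdr));
        fake_copy_from_user(buf + sizeof(hdr), user_arg + sizeof(hdr),
                            hdr.size_in - sizeof(hdr));
    }
    r.trusted_size = ((struct ioctl_hdr *)buf)->size_in;
    free(buf);
    return r;
}

/* The attacker's half of the race: a size check_hdr() would have rejected. */
static void attacker_rewrites_size(unsigned char *user_arg)
{
    ((struct ioctl_hdr *)user_arg)->size_in = 4096;
}

/* One ioctl against a constructed request of initial_size bytes;
 * race != 0 arms the hook so the header changes between the two fetches. */
static struct entry_result demo(int hardened, int race, uint32_t initial_size)
{
    union { struct ioctl_hdr h; unsigned char bytes[MAX_REQ]; } user;

    memset(&user, 0, sizeof(user));
    user.h.size_in = initial_size;
    user.h.size_out = 32;
    user.h.version = HDR_VERSION;
    user.h.type = 7;
    g_race_hook = race ? attacker_rewrites_size : NULL;
    return ioctl_entry(user.bytes, hardened);
}

int main(void)
{
    struct entry_result v = demo(0, 1, 32), f = demo(1, 1, 32);

    printf("pre-fix: checked %u, handler sees %u -> %s\n", v.checked_size,
           v.trusted_size, v.checked_size == v.trusted_size ? "ok" : "BYPASSED");
    printf("fixed  : checked %u, handler sees %u -> %s\n", f.checked_size,
           f.trusted_size, f.checked_size == f.trusted_size ? "ok" : "BYPASSED");
    return 0;
}
```

With the race armed, the pre-fix path allocates 32 bytes on the strength of the checked header but hands the handler a buffer whose own header claims 4096: the second copy itself stays inside the allocation, so the damage is not in copy_from_user but in every later consumer that trusts the header inside buf, which is the "bypass the verifications" the patch message describes. The fixed path reports 32 in both places. Without the race, an oversized header is rejected by the first check and never reaches the second copy.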
@ -131,8 +131,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch

# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch
bugfix/all/tracing-check-for-no-filter-when-processing-event-fi.patch
bugfix/all/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
bugfix/all/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
bugfix/all/ext4-always-check-block-group-bounds-in-ext4_init_bl.patch
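Review bot: the two entries dropped here are the patches whose Origin headers name upstream commits 70303420b5721c38998cf987e6b7d30cc62d4ff1 and bd23a7269834dc7c1f93e83535d16ebc44b75eba; before removing them from series, confirm both commits are in the 4.17.3..4.17.4 range, because the stable-update list added to debian/changelog in this same commit does not show either subject. If they are in 4.17.4 the changelog list is what needs fixing; if they are not, this hunk silently regresses CVE-2018-12714 and CVE-2018-12633 in the next build.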