diff --git a/debian/changelog b/debian/changelog
index 8621eb02b..cc840913f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,72 @@
-linux (3.19-1~exp2) UNRELEASED; urgency=medium
+linux (3.19.1-1~exp1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.19.1
+ - Bluetooth: ath3k: workaround the compatibility issue with xHCI controller
+ (Closes: #778463)
+ - random: Fix fast_mix() function (regression in 3.17)
+ - xfs: inode unlink does not set AGI buffer type
+ - xfs: set buf types when converting extent formats
+ - xfs: set superblock buffer type correctly
+ - iwlwifi: mvm: validate tid and sta_id in ba_notif
+ - iwlwifi: mvm: fix failure path when power_update fails in add_interface
+ (regression in 3.15)
+ - HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events
+ (regression in 3.19)
+ - cpufreq: Set cpufreq_cpu_data to NULL before putting kobject
+ - [xen] manage: Fix USB interaction issues when resuming (regression in
+ 3.17)
+ - [xen] xen-scsiback: mark pvscsi frontend request consumed only after last
+ read
+ - megaraid_sas: endianness related bug fixes and code optimization
+ - rc-main: Re-apply filter for no-op protocol change (regression in 3.17)
+ - proc/pagemap: walk page tables under pte lock
+ - NFS: struct nfs_commit_info.lock must always point to inode->i_lock
+ (regression in 3.17)
+ - [mips*] asm: asmmacro: Replace "add" instructions with "addu"
+ - mm/hugetlb: pmd_huge() returns true for non-present hugepage
+ - blk-mq: fix double-free in error path
+ - nfs41: .init_read and .init_write can be called with valid pg_lseg
+ (regression in 3.15)
+ - SUNRPC: NULL utsname dereference on NFS umount during namespace cleanup
+ - NFSv4: Ensure we reference the inode for return-on-close in delegreturn
+ - NFSv4.1: Fix a kfree() of uninitialised pointers in
+ decode_cb_sequence_args
+ - sg: fix unkillable I/O wait deadlock with scsi-mq
+ - sg: fix EWOULDBLOCK errors with scsi-mq
+ - iscsi-target: Drop problematic active_ts_list usage
+ - cipso: don't use IPCB() to locate the CIPSO IP option (regression in 3.18)
+ - ring-buffer: Do not wake up a splice waiter when page is not full
+ (regression in 3.18)
+ - tty: Remove warning in tty_lock_slave() (regression in 3.19)
+ - tty: Prevent untrappable signals from malicious program
+ - USB: fix use-after-free bug in usb_hcd_unlink_urb()
+ - [armhf] usb: dwc3: gadget: add missing spin_lock() (regression in 3.19)
+ - usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN
+ - cdc-acm: add sanity checks
+ - ntp: Fixup adjtimex freq validation on 32-bit systems (regression in 3.19)
+ - udf: Check length of extended attributes and allocation descriptors
+ - [s390*] KVM: forward hrtimer if guest ckc not pending yet
+ (regression in 3.17)
+ - [s390*] KVM: base hrtimer on a monotonic clock
+ - [s390*] KVM: floating irqs: fix user triggerable endless loop
+ - [s390*] KVM: avoid memory leaks if __inject_vm() fails
+ - gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip
+ per node (regression in 3.19)
+ - sb_edac: Fix detection on SNB machines (regression in 3.18)
+ - jffs2: fix handling of corrupted summary length
+ - samsung-laptop: Add use_native_backlight quirk, and enable it on some
+ models (regression in 3.16)
+ - libceph: fix double __remove_osd() problem
+ - btrfs: fix leak of path in btrfs_find_item
+ - Btrfs: fix fsync data loss after adding hard link to inode
+ - blk-throttle: check stats_cpu before reading it from sysfs
+ - [x86] efi: Avoid triple faults during EFI mixed mode calls
+ - [x86][xen] irq: Fix regression in 3.19
+ - Replace ACCESS_ONCE of non-scalar types with READ_ONCE
+ - kernel: tighten rules for ACCESS_ONCE
+ - [x86] spinlocks/paravirt: Fix memory corruption on unlock
+ - quota: Store maximum space limit in bytes
 
 [ Ben Hutchings ]
 * [armhf] Drop sun7i device tree patches which are included in 3.19
diff --git a/debian/patches/bugfix/all/aslr-fix-stack-randomization-on-64-bit-systems.patch b/debian/patches/bugfix/all/aslr-fix-stack-randomization-on-64-bit-systems.patch
deleted file mode 100644
index ee8e97a2d..000000000
--- a/debian/patches/bugfix/all/aslr-fix-stack-randomization-on-64-bit-systems.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From: Hector Marco-Gisbert
-Date: Sat, 14 Feb 2015 09:33:50 -0800
-Subject: ASLR: fix stack randomization on 64-bit systems
-Origin: http://article.gmane.org/gmane.linux.kernel/1888210
-
-The issue is that the stack for processes is not properly randomized on 64 bit
-architectures due to an integer overflow.
-
-The affected function is randomize_stack_top() in file "fs/binfmt_elf.c":
-
-static unsigned long randomize_stack_top(unsigned long stack_top)
-{
- unsigned int random_variable = 0;
-
- if ((current->flags & PF_RANDOMIZE) &&
- !(current->personality & ADDR_NO_RANDOMIZE)) {
- random_variable = get_random_int() & STACK_RND_MASK;
- random_variable <<= PAGE_SHIFT;
- }
- return PAGE_ALIGN(stack_top) + random_variable;
- return PAGE_ALIGN(stack_top) - random_variable;
-}
-
-Note that, it declares the "random_variable" variable as "unsigned int". Since
-the result of the shifting operation between STACK_RND_MASK (which is
-0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
-
-random_variable <<= PAGE_SHIFT;
-
-then the two leftmost bits are dropped when storing the result in the
-"random_variable". This variable shall be at least 34 bits long to hold the
-(22+12) result.
-
-These two dropped bits have an impact on the entropy of process stack.
-Concretely, the total stack entropy is reduced by four: from 2^28 to 2^30 (One
-fourth of expected entropy).
-
-This patch restores back the entropy by correcting the types involved in the
-operations in the functions randomize_stack_top() and stack_maxrandom_size().
-
-The successful fix can be tested with:
-$ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
-7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack]
-7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack]
-7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack]
-7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack]
-...
-
-Once corrected, the leading bytes should be between 7ffc and 7fff, rather
-than always being 7fff.
-
-CVE-2015-1593
-
-Signed-off-by: Hector Marco-Gisbert
-Signed-off-by: Ismael Ripoll
-[kees: rebase, fix 80 char, clean up commit message, add test example, cve]
-Signed-off-by: Kees Cook
-Cc: stable@vger.kernel.org
----
- arch/x86/mm/mmap.c | 6 +++---
- fs/binfmt_elf.c | 5 +++--
- 2 files changed, 6 insertions(+), 5 deletions(-)
-
---- a/arch/x86/mm/mmap.c
-+++ b/arch/x86/mm/mmap.c
-@@ -35,12 +35,12 @@ struct __read_mostly va_alignment va_ali
- .flags = -1,
- };
- 
--static unsigned int stack_maxrandom_size(void)
-+static unsigned long stack_maxrandom_size(void)
- {
-- unsigned int max = 0;
-+ unsigned long max = 0;
- if ((current->flags & PF_RANDOMIZE) &&
- !(current->personality & ADDR_NO_RANDOMIZE)) {
-- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
-+ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
- }
- 
- return max;
---- a/fs/binfmt_elf.c
-+++ b/fs/binfmt_elf.c
-@@ -554,11 +554,12 @@ out:
- 
- static unsigned long randomize_stack_top(unsigned long stack_top)
- {
-- unsigned int random_variable = 0;
-+ unsigned long random_variable = 0;
- 
- if ((current->flags & PF_RANDOMIZE) &&
- !(current->personality & ADDR_NO_RANDOMIZE)) {
-- random_variable = get_random_int() & STACK_RND_MASK;
-+ random_variable = (unsigned long) get_random_int();
-+ random_variable &= STACK_RND_MASK;
- random_variable <<= PAGE_SHIFT;
- }
- #ifdef CONFIG_STACK_GROWSUP
diff --git a/debian/patches/series b/debian/patches/series
index 8ae43f740..ce733f411 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -66,7 +66,6 @@ bugfix/all/aic94xx-remove-broken-fallback-for-missing-ctrl-a.patch
 bugfix/all/rtsx_usb_ms-use-msleep_interruptible-in-polling-loop.patch
 bugfix/all/net-mv643xx-disable-tso-by-default.patch
 bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
-bugfix/all/aslr-fix-stack-randomization-on-64-bit-systems.patch
 
 # Miscellaneous features
 features/all/efi-autoload-efi-pstore.patch