From 384fa912298fa149da4607d97b0a659a0c94dd1d Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 4 Nov 2017 08:41:47 +0100 Subject: [PATCH 01/32] Update to 4.13.11 --- debian/changelog | 51 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/debian/changelog b/debian/changelog index 74490fc74..a0cbe97bf 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,54 @@ +linux (4.13.11-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11 + - workqueue: replace pool->manager_arb mutex with a flag + - [x86] ALSA: hda/realtek - Add support for ALC236/ALC3204 + - [x86] ALSA: hda - fix headset mic problem for Dell machines with alc236 + - ceph: unlock dangling spinlock in try_flush_caps() + - [powerpc*] KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM + - [powerpc*] KVM: PPC: Book3S HV: POWER9 more doorbell fixes + - [powerpc*] KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU + - [s390x] kvm: fix detection of guest machine checks + - nbd: handle interrupted sendmsg with a sndtimeo set + - spi: uapi: spidev: add missing ioctl header + - spi: a3700: Return correct value on timeout detection + - spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path + - spi: armada-3700: Fix failing commands with quad-SPI + - ovl: add NULL check in ovl_alloc_inode + - ovl: fix EIO from lookup of non-indexed upper + - ovl: handle ENOENT on index lookup + - ovl: do not cleanup unsupported index entries + - fuse: fix READDIRPLUS skipping an entry + - xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() + - xen: fix booting ballooned down hvm guest + - cifs: Select all required crypto modules + - CIFS: Fix NULL pointer deref on SMB2_tcon() failure + - Input: elan_i2c - add ELAN0611 to the ACPI table + - Input: gtco - fix potential out-of-bound access + - Fix encryption labels and lengths for SMB3.1.1 + - SMB3: Validate negotiate request must always be signed + - assoc_array: Fix a buggy node-splitting case (CVE-2017-12193) + - [s390x] scsi: zfcp: fix erp_action use-before-initialize in REC action + trace + - scsi: aacraid: Fix controller initialization failure + - scsi: qla2xxx: Initialize Work element before requesting IRQs + - scsi: sg: Re-fix off by one in sg_fill_request_table() + - [x86] cpu/AMD: Apply the Erratum 688 fix 
when the BIOS doesn't + - [x86] drm/amd/powerplay: fix uninitialized variable + - [x86] drm/i915/perf: fix perf enable/disable ioctls with 32bits + userspace + - [armhf] can: sun4i: fix loopback mode + - can: kvaser_usb: Correct return value in printout + - can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages + - cfg80211: fix connect/disconnect edge cases + - ipsec: Fix aborted xfrm policy dump crash + - [armhf] regulator: fan53555: fix I2C device ids + - [powerpc*] xive: Fix the size of the cpumask used in + xive_find_target_in_mask() + + -- Salvatore Bonaccorso Sat, 04 Nov 2017 08:41:02 +0100 + linux (4.13.10-1) unstable; urgency=medium * New upstream stable update: From 4b0df3bed780f36391d8fe0272b184d6b1c145b6 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 4 Nov 2017 09:52:42 +0100 Subject: [PATCH 02/32] cifs: check MaxPathNameComponentLength != 0 before using it Thanks: Andrew Chadwick Closes: #880504 --- debian/changelog | 6 ++- ...thNameComponentLength-0-before-using.patch | 42 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 debian/patches/bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch diff --git a/debian/changelog b/debian/changelog index a0cbe97bf..cdd3c4339 100644 --- a/debian/changelog +++ b/debian/changelog @@ -47,7 +47,11 @@ linux (4.13.11-1) UNRELEASED; urgency=medium - [powerpc*] xive: Fix the size of the cpumask used in xive_find_target_in_mask() - -- Salvatore Bonaccorso Sat, 04 Nov 2017 08:41:02 +0100 + [ Salvatore Bonaccorso ] + * cifs: check MaxPathNameComponentLength != 0 before using it. + Thanks to Andrew Chadwick (Closes: #880504) + + -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 linux (4.13.10-1) unstable; urgency=medium 
diff --git a/debian/patches/bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch b/debian/patches/bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch new file mode 100644 index 000000000..e2100a15f --- /dev/null +++ b/debian/patches/bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch @@ -0,0 +1,42 @@ +From: Ronnie Sahlberg +Date: Mon, 30 Oct 2017 13:28:03 +1100 +Subject: cifs: check MaxPathNameComponentLength != 0 before using it +Origin: https://git.kernel.org/linus/f74bc7c6679200a4a83156bb89cbf6c229fe8ec0 +Bug-Debian: https://bugs.debian.org/880504 + +And fix tcon leak in error path. + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +CC: Stable +Reviewed-by: David Disseldorp +--- + fs/cifs/dir.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c +index e702d48bd023..81ba6e0d88d8 100644 +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -204,7 +204,8 @@ check_name(struct dentry *direntry, struct cifs_tcon *tcon) + struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb); + int i; + +- if (unlikely(direntry->d_name.len > ++ if (unlikely(tcon->fsAttrInfo.MaxPathNameComponentLength && ++ direntry->d_name.len > + le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength))) + return -ENAMETOOLONG; + +@@ -520,7 +521,7 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry, + + rc = check_name(direntry, tcon); + if (rc) +- goto out_free_xid; ++ goto out; + + server = tcon->ses->server; + +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index dd78e73d1..c908afcb6 100644 --- a/debian/patches/series +++ b/debian/patches/series 
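Review bot: The new guard in check_name() tests `tcon->fsAttrInfo.MaxPathNameComponentLength` for non-zero, but nothing in the code says why zero is exempt from the length check, so the next reader has to dig this patch out of the series to learn it; a comment above the condition would carry that, e.g. `/* A zero MaxPathNameComponentLength presumably means the server reported no limit; only enforce it when set. */` (the "no limit" reading is inferred from the patch subject, not shown here). The second inner hunk changes `goto out_free_xid` to `goto out` in cifs_atomic_open(); the commit text says this fixes a tcon leak, but the `out` label and whatever it releases lie outside the hunk, so that cannot be confirmed from the visible lines. Both check_name() and cifs_atomic_open() start and end outside the hunk.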
@@ -78,6 +78,7 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch +bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch # Miscellaneous features From e7fd57b49fd7c877949e6be1ee4c253059d4016f Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 4 Nov 2017 15:43:16 +0100 Subject: [PATCH 03/32] netfilter: nft_set_hash: disable fast_ops for 2-len keys Closes: #880145 --- debian/changelog | 1 + ...t_hash-disable-fast_ops-for-2-len-ke.patch | 57 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 59 insertions(+) create mode 100644 debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch diff --git a/debian/changelog b/debian/changelog index cdd3c4339..6ed0f1867 100644 --- a/debian/changelog +++ b/debian/changelog @@ -50,6 +50,7 @@ linux (4.13.11-1) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * cifs: check MaxPathNameComponentLength != 0 before using it. Thanks to Andrew Chadwick (Closes: #880504) + * netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch b/debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch new file mode 100644 index 000000000..acfb365c9 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch 
@@ -0,0 +1,57 @@ +From: Anatole Denis +Date: Wed, 4 Oct 2017 01:17:14 +0100 +Subject: netfilter: nft_set_hash: disable fast_ops for 2-len keys +Origin: https://git.kernel.org/linus/0414c78f14861cb704d6e6888efd53dd36e3bdde +Bug-Debian: https://bugs.debian.org/880145 + +jhash_1word of a u16 is a different value from jhash of the same u16 with +length 2. +Since elements are always inserted in sets using jhash over the actual +klen, this would lead to incorrect lookups on fixed-size sets with a key +length of 2, as they would be inserted with hash value jhash(key, 2) and +looked up with hash value jhash_1word(key), which is different. + +Example reproducer(v4.13+), using anonymous sets which always have a +fixed size: + + table inet t { + chain c { + type filter hook output priority 0; policy accept; + tcp dport { 10001, 10003, 10005, 10007, 10009 } counter packets 4 bytes 240 reject + tcp dport 10001 counter packets 4 bytes 240 reject + tcp dport 10003 counter packets 4 bytes 240 reject + tcp dport 10005 counter packets 4 bytes 240 reject + tcp dport 10007 counter packets 0 bytes 0 reject + tcp dport 10009 counter packets 4 bytes 240 reject + } + } + +then use nc -z localhost to probe; incorrectly hashed ports will +pass through the set lookup and increment the counter of an individual +rule. + +jhash being seeded with a random value, it is not deterministic which +ports will incorrectly hash, but in testing with 5 ports in the set I +always had 4 or 5 with an incorrect hash value. 
+ +Signed-off-by: Anatole Denis +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/nft_set_hash.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c +index 0fa01d772c5e..9c0d5a7ce5f9 100644 +--- a/net/netfilter/nft_set_hash.c ++++ b/net/netfilter/nft_set_hash.c +@@ -643,7 +643,6 @@ nft_hash_select_ops(const struct nft_ctx *ctx, const struct nft_set_desc *desc, + { + if (desc->size) { + switch (desc->klen) { +- case 2: + case 4: + return &nft_hash_fast_ops; + default: +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index c908afcb6..921f6fdd9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -79,6 +79,7 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch +bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch # Miscellaneous features From 43a5e411fdf33ea3f72b511c662586a0bc3084f9 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 4 Nov 2017 16:57:42 +0100 Subject: [PATCH 04/32] Add bug closer for #879768 Gbp-Dch: Ignore --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 6ed0f1867..ef5c54136 100644 --- a/debian/changelog +++ b/debian/changelog @@ -43,7 +43,7 @@ linux (4.13.11-1) UNRELEASED; urgency=medium - can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages - cfg80211: fix connect/disconnect edge cases - ipsec: Fix aborted xfrm policy dump crash - - [armhf] regulator: fan53555: fix I2C device ids + - [armhf] regulator: fan53555: fix I2C device ids (Closes: #879768) - [powerpc*] xive: Fix the size of the cpumask used in xive_find_target_in_mask() From bd1e10f8bd85adf182f122417a843bf6ffbac80c Mon Sep 17 00:00:00 2001 
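Review bot: Dropping `case 2:` from the switch in nft_hash_select_ops() fixes the hash mismatch but leaves no trace in the code of why 2-byte keys are excluded while 4-byte keys still select nft_hash_fast_ops, so someone adding another fixed key length later can reintroduce the bug; a comment above the switch would preserve the reasoning from the commit message, e.g. `/* nft_hash_fast_ops hashes with jhash_1word(); that only matches jhash(key, klen) used on insert for 4-byte keys, so shorter keys must use the generic ops. */`. That the 4-byte case is safe is implied by keeping it rather than shown in the hunk, so confirm before wording the comment that strongly. nft_hash_select_ops() starts and ends outside the hunk.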
From: Ben Hutchings Date: Sun, 5 Nov 2017 01:54:12 +0000 Subject: [PATCH 05/32] linux-image: Recommend apparmor (Closes: #880441) The apparmor package is needed for loading profiles. In theory, enabling AppArmor without any profiles loaded should do nothing, so this is not really a dependency of the kernel. However, if a systemd unit specifies a AppArmor profile and the kernel has AppArmor enabled then failure to load the profile is fatal. As the linux-image packages select AppArmor as the default LSM, they should probably also be responsible for getting the necessary userland support installed. But since the default can be overridden, use Recommends rather than Depends. --- debian/changelog | 4 ++++ debian/config/defines | 1 + 2 files changed, 5 insertions(+) diff --git a/debian/changelog b/debian/changelog index ef5c54136..a69f0a49d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -52,6 +52,10 @@ linux (4.13.11-1) UNRELEASED; urgency=medium Thanks to Andrew Chadwick (Closes: #880504) * netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145) + [ Ben Hutchings ] + * linux-image: Recommend apparmor, as systemd units with an AppArmor + profile will fail without it (Closes: #880441) + -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 linux (4.13.10-1) unstable; urgency=medium diff --git a/debian/config/defines b/debian/config/defines index 6714a8c29..161c53ce9 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -118,6 +118,7 @@ part-long-xen: This kernel also runs on a Xen hypervisor. [image] initramfs-generators: initramfs-tools initramfs-fallback +recommends: apparmor [relations] # compilers From 4a745d05b14056523a64ddef1a041be4a4d774d8 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Mon, 6 Nov 2017 13:04:21 +0100 Subject: [PATCH 06/32] Add CVE id for CVE-2017-15306 Gbp-Dch: Ignore --- debian/changelog | 1 + 1 file changed, 1 insertion(+) 
diff --git a/debian/changelog b/debian/changelog index a69f0a49d..787c1e78d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,7 @@ linux (4.13.11-1) UNRELEASED; urgency=medium - [x86] ALSA: hda - fix headset mic problem for Dell machines with alc236 - ceph: unlock dangling spinlock in try_flush_caps() - [powerpc*] KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM + (CVE-2017-15306) - [powerpc*] KVM: PPC: Book3S HV: POWER9 more doorbell fixes - [powerpc*] KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU - [s390x] kvm: fix detection of guest machine checks From f13763371cc93ca8c24eed2720e8f493a39f110f Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 8 Nov 2017 10:45:20 +0100 Subject: [PATCH 07/32] Add CVE id reference for CVE-2017-16643 Gbp-Dch: Ignore --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 787c1e78d..17cbf4d04 100644 --- a/debian/changelog +++ b/debian/changelog @@ -26,7 +26,7 @@ linux (4.13.11-1) UNRELEASED; urgency=medium - cifs: Select all required crypto modules - CIFS: Fix NULL pointer deref on SMB2_tcon() failure - Input: elan_i2c - add ELAN0611 to the ACPI table - - Input: gtco - fix potential out-of-bound access + - Input: gtco - fix potential out-of-bound access (CVE-2017-16643) - Fix encryption labels and lengths for SMB3.1.1 - SMB3: Validate negotiate request must always be signed - assoc_array: Fix a buggy node-splitting case (CVE-2017-12193) From 95757c39a8e53d0818763651a94fcf1f3168f9c6 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 11 Nov 2017 08:22:06 +0100 Subject: [PATCH 08/32] Update to 4.13.12 --- debian/changelog | 39 +++++++++++++++-- ...thNameComponentLength-0-before-using.patch | 42 ------------------- debian/patches/series | 1 - 3 files changed, 36 insertions(+), 46 deletions(-) delete mode 100644 debian/patches/bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch 
diff --git a/debian/changelog b/debian/changelog index 17cbf4d04..3fd022602 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.13.11-1) UNRELEASED; urgency=medium +linux (4.13.12-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11 
@@ -47,10 +47,43 @@ linux (4.13.11-1) UNRELEASED; urgency=medium - [armhf] regulator: fan53555: fix I2C device ids (Closes: #879768) - [powerpc*] xive: Fix the size of the cpumask used in xive_find_target_in_mask() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.12 + - ALSA: timer: Add missing mutex lock for compat ioctls + - ALSA: seq: Fix nested rwsem annotation for lockdep splat + - cifs: check MaxPathNameComponentLength != 0 before using it + (Closes: #880504) + - KEYS: return full count in keyring_read() if buffer is too small + - KEYS: trusted: fix writing past end of buffer in trusted_read() + - KEYS: fix out-of-bounds read during ASN.1 parsing + - ASoC: adau17x1: Workaround for noise bug in ADC + - virtio_blk: Fix an SG_IO regression + - [arm64] ensure __dump_instr() checks addr_limit + - [arm64] KVM: its: Fix missing dynamic allocation check in scan_its_table + - [armhf, arm64] KVM: set right LR register value for 32 bit guest when + inject abort + - [armhf,arm64] kvm: Disable branch profiling in HYP code + - [armhf] dts: mvebu: pl310-cache disable double-linefill + - drm/amdgpu: return -ENOENT from uvd 6.0 early init for harvesting + - drm/amdgpu: allow harvesting check for Polaris VCE + - userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of + i_size + - ocfs2: fstrim: Fix start offset of first cluster group during fstrim + - fs/hugetlbfs/inode.c: fix hwpoison reserve accounting + - mm, swap: fix race between swap count continuation operations + - [x86] drm/i915: Do not rely on wm preservation for ILK watermarks + - [x86] drm/i915/edp: read edp display control registers unconditionally + - [mips*] bpf: Fix a typo in build_one_insn() + - [mips*] smp-cmp: Use right include for task_struct + - [mips*] SMP: Fix deadlock & online race + - Revert "x86: do not use cpufreq_quick_get() for /proc/cpuinfo "cpu MHz"" + - [x86] CPU: Fix up "cpu MHz" in /proc/cpuinfo + - [powerpc*] kprobes: Dereference function pointers only if the 
address + does not belong to kernel text + - futex: Fix more put_pi_state() vs. exit_pi_state_list() races + - perf/cgroup: Fix perf cgroup hierarchy support + - [x86] mcelog: Get rid of RCU remnants [ Salvatore Bonaccorso ] - * cifs: check MaxPathNameComponentLength != 0 before using it. - Thanks to Andrew Chadwick (Closes: #880504) * netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145) [ Ben Hutchings ] diff --git a/debian/patches/bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch b/debian/patches/bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch deleted file mode 100644 index e2100a15f..000000000 --- a/debian/patches/bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Ronnie Sahlberg -Date: Mon, 30 Oct 2017 13:28:03 +1100 -Subject: cifs: check MaxPathNameComponentLength != 0 before using it -Origin: https://git.kernel.org/linus/f74bc7c6679200a4a83156bb89cbf6c229fe8ec0 -Bug-Debian: https://bugs.debian.org/880504 - -And fix tcon leak in error path. - -Signed-off-by: Ronnie Sahlberg -Signed-off-by: Steve French -CC: Stable -Reviewed-by: David Disseldorp ---- - fs/cifs/dir.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c -index e702d48bd023..81ba6e0d88d8 100644 ---- a/fs/cifs/dir.c -+++ b/fs/cifs/dir.c -@@ -204,7 +204,8 @@ check_name(struct dentry *direntry, struct cifs_tcon *tcon) - struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb); - int i; - -- if (unlikely(direntry->d_name.len > -+ if (unlikely(tcon->fsAttrInfo.MaxPathNameComponentLength && -+ direntry->d_name.len > - le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength))) - return -ENAMETOOLONG; - -@@ -520,7 +521,7 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry, - - rc = check_name(direntry, tcon); - if (rc) -- goto out_free_xid; -+ goto out; - - server = tcon->ses->server; - --- -2.11.0 - 
diff --git a/debian/patches/series b/debian/patches/series index 921f6fdd9..dc4bf8468 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -78,7 +78,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch -bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch # Miscellaneous features From fdf384b742acb9b7a0c5851d7f59ae1414341106 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 11 Nov 2017 20:50:42 +0000 Subject: [PATCH 09/32] [powerpc*] Ignore kvm-related ABI changes (fixes FTBFS) --- debian/changelog | 1 + debian/config/defines | 2 ++ 2 files changed, 3 insertions(+) diff --git a/debian/changelog b/debian/changelog index 3fd022602..e71ad3052 100644 --- a/debian/changelog +++ b/debian/changelog @@ -89,6 +89,7 @@ linux (4.13.12-1) UNRELEASED; urgency=medium [ Ben Hutchings ] * linux-image: Recommend apparmor, as systemd units with an AppArmor profile will fail without it (Closes: #880441) + * [powerpc*] Ignore kvm-related ABI changes (fixes FTBFS) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/config/defines b/debian/config/defines index 161c53ce9..098f0177c 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -2,6 +2,7 @@ abiname: 1 ignore-changes: __cpuhp_* + __xive_vm_h_* bpf_analyzer cxl_* dax_flush @@ -9,6 +10,7 @@ ignore-changes: inet_del_protocol iommu_device_* kvm_async_pf_task_wait + kvmppc_* mm_iommu_* mv_mbus_* perf_* From 86b8621ec9c752227f55002bf84b0dac95a62652 Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Sat, 11 Nov 2017 20:53:08 +0000 Subject: [PATCH 10/32] [powerpc*] kvm: Ignore ABI change in 4.13.6 (fixes FTBFS) --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index e71ad3052..9152946f9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -89,7 +89,7 @@ linux (4.13.12-1) UNRELEASED; urgency=medium [ Ben Hutchings ] * linux-image: Recommend apparmor, as systemd units with an AppArmor profile will fail without it (Closes: #880441) - * [powerpc*] Ignore kvm-related ABI changes (fixes FTBFS) + * [powerpc*] kvm: Ignore ABI change in 4.13.6 (fixes FTBFS) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 From a2708107cedb7cabe734e9f61f75007ceedafd41 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 12 Nov 2017 01:09:18 +0000 Subject: [PATCH 11/32] swap: Avoid ABI change in 4.13.12 --- debian/changelog | 1 + .../swap-avoid-abi-change-in-4.13.12.patch | 31 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 33 insertions(+) create mode 100644 debian/patches/debian/swap-avoid-abi-change-in-4.13.12.patch diff --git a/debian/changelog b/debian/changelog index 9152946f9..096d8929d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -90,6 +90,7 @@ linux (4.13.12-1) UNRELEASED; urgency=medium * linux-image: Recommend apparmor, as systemd units with an AppArmor profile will fail without it (Closes: #880441) * [powerpc*] kvm: Ignore ABI change in 4.13.6 (fixes FTBFS) + * swap: Avoid ABI change in 4.13.12 -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/debian/swap-avoid-abi-change-in-4.13.12.patch b/debian/patches/debian/swap-avoid-abi-change-in-4.13.12.patch new file mode 100644 index 000000000..1254d9d54 --- /dev/null +++ b/debian/patches/debian/swap-avoid-abi-change-in-4.13.12.patch 
@@ -0,0 +1,31 @@ +From: Ben Hutchings +Date: Sun, 12 Nov 2017 01:03:55 +0000 +Subject: swap: Avoid ABI change in 4.13.12 +Forwarded: not-neede + +Commit 2628bd6fc052 "mm, swap: fix race between swap count +continuation operations" added a field to struct swap_info_struct. +swap_info_struct is always allocated in built-in code and modules +won't use this new field, so move it to the end of the structure and +hide it from genksyms. + +--- +--- a/include/linux/swap.h ++++ b/include/linux/swap.h +@@ -246,12 +246,14 @@ struct swap_info_struct { + * both locks need hold, hold swap_lock + * first. + */ ++ struct work_struct discard_work; /* discard worker */ ++ struct swap_cluster_list discard_clusters; /* discard clusters list */ ++#ifndef __GENKSYMS__ + spinlock_t cont_lock; /* + * protect swap count continuation page + * list. + */ +- struct work_struct discard_work; /* discard worker */ +- struct swap_cluster_list discard_clusters; /* discard clusters list */ ++#endif + }; + + /* linux/mm/workingset.c */ diff --git a/debian/patches/series b/debian/patches/series index dc4bf8468..f7e0a404e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -137,3 +137,4 @@ debian/dax-avoid-abi-change-in-4.13.5.patch debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch debian/mac80211-avoid-abi-change-in-4.13.5.patch debian/keys-limit-abi-change-in-4.13.10.patch +debian/swap-avoid-abi-change-in-4.13.12.patch From 5d9e74ced8d8ded0e830f09be2e93b8d0d2b5157 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 16 Nov 2017 15:17:25 +0100 Subject: [PATCH 12/32] mac80211: accept key reinstall without changing anything (CVE-2017-13080) --- debian/changelog | 1 + ...key-reinstall-without-changing-anyth.patch | 82 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 84 insertions(+) create mode 100644 debian/patches/bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch 
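Review bot: The DEP-3 header of the new patch file reads `Forwarded: not-neede`; the recognised value is `not-needed`, and tooling that parses this field will not match the misspelling, so the line should be `+Forwarded: not-needed`. The reordering itself moves `discard_work` and `discard_clusters` ahead of `cont_lock` and hides the latter behind `#ifndef __GENKSYMS__`, which keeps the symbol CRC unchanged while the real struct still grows; that is only safe as long as no module allocates, embeds or indexes `struct swap_info_struct` itself, which the description asserts but the hunk cannot show. A one-line comment next to the `#ifndef` naming the ABI reason would help whoever rebases this onto a later point release.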
diff --git a/debian/changelog b/debian/changelog index 096d8929d..e28565fe5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -85,6 +85,7 @@ linux (4.13.12-1) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145) + * mac80211: accept key reinstall without changing anything (CVE-2017-13080) [ Ben Hutchings ] * linux-image: Recommend apparmor, as systemd units with an AppArmor diff --git a/debian/patches/bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch b/debian/patches/bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch new file mode 100644 index 000000000..1f236ad16 --- /dev/null +++ b/debian/patches/bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch 
@@ -0,0 +1,82 @@ +From: Johannes Berg +Date: Tue, 5 Sep 2017 14:54:54 +0200 +Subject: mac80211: accept key reinstall without changing anything +Origin: https://git.kernel.org/linus/fdf7cb4185b60c68e1a75e61691c4afdc15dea0e +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-13080 + +When a key is reinstalled we can reset the replay counters +etc. which can lead to nonce reuse and/or replay detection +being impossible, breaking security properties, as described +in the "KRACK attacks". + +In particular, CVE-2017-13080 applies to GTK rekeying that +happened in firmware while the host is in D3, with the second +part of the attack being done after the host wakes up. In +this case, the wpa_supplicant mitigation isn't sufficient +since wpa_supplicant doesn't know the GTK material. + +In case this happens, simply silently accept the new key +coming from userspace but don't take any action on it since +it's the same key; this keeps the PN replay counters intact. + +Signed-off-by: Johannes Berg +--- + net/mac80211/key.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index a98fc2b5e0dc..ae995c8480db 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -4,7 +4,7 @@ + * Copyright 2006-2007 Jiri Benc + * Copyright 2007-2008 Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH +- * Copyright 2015 Intel Deutschland GmbH ++ * Copyright 2015-2017 Intel Deutschland GmbH + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -620,9 +620,6 @@ int ieee80211_key_link(struct ieee80211_key *key, + + pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; + idx = key->conf.keyidx; +- key->local = sdata->local; +- key->sdata = sdata; +- key->sta = sta; + + mutex_lock(&sdata->local->key_mtx); + +@@ -633,6 +630,21 @@ int ieee80211_key_link(struct ieee80211_key 
*key, + else + old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); + ++ /* ++ * Silently accept key re-installation without really installing the ++ * new version of the key to avoid nonce reuse or replay issues. ++ */ ++ if (old_key && key->conf.keylen == old_key->conf.keylen && ++ !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) { ++ ieee80211_key_free_unused(key); ++ ret = 0; ++ goto out; ++ } ++ ++ key->local = sdata->local; ++ key->sdata = sdata; ++ key->sta = sta; ++ + increment_tailroom_need_count(sdata); + + ieee80211_key_replace(sdata, sta, pairwise, old_key, key); +@@ -648,6 +660,7 @@ int ieee80211_key_link(struct ieee80211_key *key, + ret = 0; + } + ++ out: + mutex_unlock(&sdata->local->key_mtx); + + return ret; +-- +2.15.0 + diff --git a/debian/patches/series b/debian/patches/series index f7e0a404e..a10d1fb0d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -114,6 +114,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch +bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch From 6ff07bd9a5004feb2ec861696efd1a1be8c0120e Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 16 Nov 2017 15:21:47 +0100 Subject: [PATCH 13/32] sctp: do not peel off an assoc from one netns to another one (CVE-2017-15115) --- debian/changelog | 2 + ...-off-an-assoc-from-one-netns-to-anot.patch | 63 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 66 insertions(+) create mode 100644 debian/patches/bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch diff --git a/debian/changelog b/debian/changelog index e28565fe5..fdd919821 100644 --- a/debian/changelog +++ b/debian/changelog 
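Review bot: The new early-out in ieee80211_key_link() compares key material with `memcmp()`, whose running time depends on where the first differing byte is; kernel code that compares secrets normally uses the constant-time `crypto_memneq()` from `<crypto/algapi.h>`, so the condition should read `!crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)`. The check also looks only at length and bytes, so a reinstall carrying the same bytes with a different cipher is silently dropped as well; if that is intended it deserves a sentence in the comment block above the if. ieee80211_key_link() starts and ends outside the hunk, and the new `out:` label is reached with `key_mtx` held, which the following `mutex_unlock()` relies on.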
@@ -86,6 +86,8 @@ linux (4.13.12-1) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145) * mac80211: accept key reinstall without changing anything (CVE-2017-13080) + * sctp: do not peel off an assoc from one netns to another one + (CVE-2017-15115) [ Ben Hutchings ] * linux-image: Recommend apparmor, as systemd units with an AppArmor diff --git a/debian/patches/bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch b/debian/patches/bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch new file mode 100644 index 000000000..ae30b5a0e --- /dev/null +++ b/debian/patches/bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch 
@@ -0,0 +1,63 @@ +From: Xin Long +Date: Tue, 17 Oct 2017 23:26:10 +0800 +Subject: sctp: do not peel off an assoc from one netns to another one +Origin: https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15115 + +Now when peeling off an association to the sock in another netns, all +transports in this assoc are not to be rehashed and keep use the old +key in hashtable. + +As a transport uses sk->net as the hash key to insert into hashtable, +it would miss removing these transports from hashtable due to the new +netns when closing the sock and all transports are being freeed, then +later an use-after-free issue could be caused when looking up an asoc +and dereferencing those transports. + +This is a very old issue since very beginning, ChunYu found it with +syzkaller fuzz testing with this series: + + socket$inet6_sctp() + bind$inet6() + sendto$inet6() + unshare(0x40000000) + getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST() + getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF() + +This patch is to block this call when peeling one assoc off from one +netns to another one, so that the netns of all transport would not +go out-sync with the key in hashtable. + +Note that this patch didn't fix it by rehashing transports, as it's +difficult to handle the situation when the tuple is already in use +in the new netns. Besides, no one would like to peel off one assoc +to another netns, considering ipaddrs, ifaces, etc. are usually +different. + +Reported-by: ChunYu Wang +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Acked-by: Neil Horman +Signed-off-by: David S. 
Miller +--- + net/sctp/socket.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index d4730ada7f32..17841ab30798 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -4906,6 +4906,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp) + struct socket *sock; + int err = 0; + ++ /* Do not peel off from one netns to another one. */ ++ if (!net_eq(current->nsproxy->net_ns, sock_net(sk))) ++ return -EINVAL; ++ + if (!asoc) + return -EINVAL; + +-- +2.15.0 + diff --git a/debian/patches/series b/debian/patches/series index a10d1fb0d..947383c38 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -115,6 +115,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch +bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch From f4e45ee455924b2891a46141cb3a426473bb2861 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 17:32:44 +0000 Subject: [PATCH 14/32] Update to 4.13.13 --- debian/changelog | 34 ++++++++++- ...t_hash-disable-fast_ops-for-2-len-ke.patch | 57 ------------------- debian/patches/series | 1 - 3 files changed, 31 insertions(+), 61 deletions(-) delete mode 100644 debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch diff --git a/debian/changelog b/debian/changelog index fdd919821..6d5872240 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.13.12-1) UNRELEASED; urgency=medium +linux (4.13.13-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11 
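Review bot: The new guard's comment `/* Do not peel off from one netns to another one. */` states the rule but not the reason, so a later reader could take it for policy and drop it; the reasoning lives only in the commit message. Suggest widening it to something like `/* Transports are hashed by sk->net; peeling off into another netns leaves stale hash entries and a use-after-free on close. */` (wrapped to two lines in kernel style). The check is placed before the `!asoc` test, which is fine since it reads only `current` and `sk`, but it means a bad id on a cross-netns caller now reports the same -EINVAL for a different cause. The rest of `sctp_do_peeloff` is outside the hunk.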
@@ -76,15 +76,43 @@ linux (4.13.12-1) UNRELEASED; urgency=medium - [mips*] smp-cmp: Use right include for task_struct - [mips*] SMP: Fix deadlock & online race - Revert "x86: do not use cpufreq_quick_get() for /proc/cpuinfo "cpu MHz"" - - [x86] CPU: Fix up "cpu MHz" in /proc/cpuinfo - [powerpc*] kprobes: Dereference function pointers only if the address does not belong to kernel text - futex: Fix more put_pi_state() vs. exit_pi_state_list() races - perf/cgroup: Fix perf cgroup hierarchy support - [x86] mcelog: Get rid of RCU remnants + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.13 + - netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to + rhashtable" + - netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145) + - workqueue: Fix NULL pointer dereference + - crypto: ccm - preserve the IV buffer + - [x86] crypto: sha1-mb - fix panic due to unaligned access + - [x86] crypto: sha256-mb - fix panic due to unaligned access + - KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2] + - [x86] ACPI / PM: Blacklist Low Power S0 Idle _DSM for Dell XPS13 9360 + - ACPICA: Dispatch active GPEs at init time + - ACPICA: Make it possible to enable runtime GPEs earlier + - ACPI / scan: Enable GPEs before scanning the namespace + - [armel,armhf] 8720/1: ensure dump_instr() checks addr_limit + - ALSA: timer: Limit max instances per timer + - ALSA: usb-audio: support new Amanero Combo384 firmware version + - [x86] ALSA: hda - fix headset mic problem for Dell machines with alc274 + - ALSA: seq: Fix OSS sysex delivery in OSS emulation + - ALSA: seq: Avoid invalid lockdep class warning + - [mips*] Fix CM region target definitions + - [powerpc*] KVM: Book3S HV: Fix exclusion between HPT resizing and other + HPT updates + - Input: elan_i2c - add ELAN060C to the ACPI table + - rbd: use GFP_NOIO for parent stat and data requests + - [x86] drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue + - [armhf] can: sun4i: handle overrun in 
RX FIFO + - can: peak: Add support for new PCIe/M2 CAN FD interfaces + - [x86] debug: Handle warnings before the notifier chain, to fix KGDB crash + - [x86] smpboot: Make optimization of delay calibration work correctly + - [x86] oprofile/ppro: Do not use __this_cpu*() in preemptible context [ Salvatore Bonaccorso ] - * netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145) * mac80211: accept key reinstall without changing anything (CVE-2017-13080) * sctp: do not peel off an assoc from one netns to another one (CVE-2017-15115) diff --git a/debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch b/debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch deleted file mode 100644 index acfb365c9..000000000 --- a/debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From: Anatole Denis -Date: Wed, 4 Oct 2017 01:17:14 +0100 -Subject: netfilter: nft_set_hash: disable fast_ops for 2-len keys -Origin: https://git.kernel.org/linus/0414c78f14861cb704d6e6888efd53dd36e3bdde -Bug-Debian: https://bugs.debian.org/880145 - -jhash_1word of a u16 is a different value from jhash of the same u16 with -length 2. -Since elements are always inserted in sets using jhash over the actual -klen, this would lead to incorrect lookups on fixed-size sets with a key -length of 2, as they would be inserted with hash value jhash(key, 2) and -looked up with hash value jhash_1word(key), which is different. - -Example reproducer(v4.13+), using anonymous sets which always have a -fixed size: - - table inet t { - chain c { - type filter hook output priority 0; policy accept; - tcp dport { 10001, 10003, 10005, 10007, 10009 } counter packets 4 bytes 240 reject - tcp dport 10001 counter packets 4 bytes 240 reject - tcp dport 10003 counter packets 4 bytes 240 reject - tcp dport 10005 counter packets 4 bytes 240 reject - tcp dport 10007 counter packets 0 bytes 0 reject - tcp dport 10009 counter packets 4 bytes 240 reject - } - } - -then use nc -z localhost to probe; incorrectly hashed ports will -pass through the set lookup and increment the counter of an individual -rule. - -jhash being seeded with a random value, it is not deterministic which -ports will incorrectly hash, but in testing with 5 ports in the set I -always had 4 or 5 with an incorrect hash value. 
- -Signed-off-by: Anatole Denis -Signed-off-by: Pablo Neira Ayuso ---- - net/netfilter/nft_set_hash.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c -index 0fa01d772c5e..9c0d5a7ce5f9 100644 ---- a/net/netfilter/nft_set_hash.c -+++ b/net/netfilter/nft_set_hash.c -@@ -643,7 +643,6 @@ nft_hash_select_ops(const struct nft_ctx *ctx, const struct nft_set_desc *desc, - { - if (desc->size) { - switch (desc->klen) { -- case 2: - case 4: - return &nft_hash_fast_ops; - default: --- -2.11.0 - diff --git a/debian/patches/series b/debian/patches/series index 947383c38..e65756465 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -78,7 +78,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch -bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch # Miscellaneous features From 1549b29ea07482d7b4ccee70c92fd11d06e63890 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 17:35:46 +0000 Subject: [PATCH 15/32] Add follow-up fixes relatd to CVE-2017-13080 --- debian/changelog | 2 + ...ompare-tkip-tx-mic-key-in-reinstall-.patch | 76 +++++++++++++++++++ ...e-constant-time-comparison-with-keys.patch | 36 +++++++++ debian/patches/series | 2 + 4 files changed, 116 insertions(+) create mode 100644 debian/patches/bugfix/all/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-.patch create mode 100644 debian/patches/bugfix/all/mac80211-use-constant-time-comparison-with-keys.patch diff --git a/debian/changelog b/debian/changelog index 6d5872240..ba70dfba7 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -122,6 +122,8 @@ linux (4.13.13-1) UNRELEASED; urgency=medium profile will fail without it (Closes: #880441) * [powerpc*] kvm: Ignore ABI change in 4.13.6 (fixes FTBFS) * swap: Avoid ABI change in 4.13.12 + * mac80211: use constant time comparison with keys + * mac80211: don't compare TKIP TX MIC key in reinstall prevention -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/bugfix/all/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-.patch b/debian/patches/bugfix/all/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-.patch new file mode 100644 index 000000000..d9b21c398 --- /dev/null +++ b/debian/patches/bugfix/all/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-.patch 
@@ -0,0 +1,76 @@ +From: Johannes Berg +Date: Tue, 24 Oct 2017 21:12:13 +0200 +Subject: mac80211: don't compare TKIP TX MIC key in reinstall prevention +Origin: https://git.kernel.org/linus/cfbb0d90a7abb289edc91833d0905931f8805f12 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-13080 + +For the reinstall prevention, the code I had added compares the +whole key. It turns out though that iwlwifi firmware doesn't +provide the TKIP TX MIC key as it's not needed in client mode, +and thus the comparison will always return false. + +For client mode, thus always zero out the TX MIC key part before +doing the comparison in order to avoid accepting the reinstall +of the key with identical encryption and RX MIC key, but not the +same TX MIC key (since the supplicant provides the real one.) + +Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") +Signed-off-by: Johannes Berg +--- + net/mac80211/key.c | 36 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 34 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index 035d16fe926e..938049395f90 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -610,6 +610,39 @@ void ieee80211_key_free_unused(struct ieee80211_key *key) + ieee80211_key_free_common(key); + } + ++static bool ieee80211_key_identical(struct ieee80211_sub_if_data *sdata, ++ struct ieee80211_key *old, ++ struct ieee80211_key *new) ++{ ++ u8 tkip_old[WLAN_KEY_LEN_TKIP], tkip_new[WLAN_KEY_LEN_TKIP]; ++ u8 *tk_old, *tk_new; ++ ++ if (!old || new->conf.keylen != old->conf.keylen) ++ return false; ++ ++ tk_old = old->conf.key; ++ tk_new = new->conf.key; ++ ++ /* ++ * In station mode, don't compare the TX MIC key, as it's never used ++ * and offloaded rekeying may not care to send it to the host. This ++ * is the case in iwlwifi, for example. 
++ */ ++ if (sdata->vif.type == NL80211_IFTYPE_STATION && ++ new->conf.cipher == WLAN_CIPHER_SUITE_TKIP && ++ new->conf.keylen == WLAN_KEY_LEN_TKIP && ++ !(new->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) { ++ memcpy(tkip_old, tk_old, WLAN_KEY_LEN_TKIP); ++ memcpy(tkip_new, tk_new, WLAN_KEY_LEN_TKIP); ++ memset(tkip_old + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); ++ memset(tkip_new + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); ++ tk_old = tkip_old; ++ tk_new = tkip_new; ++ } ++ ++ return !crypto_memneq(tk_old, tk_new, new->conf.keylen); ++} ++ + int ieee80211_key_link(struct ieee80211_key *key, + struct ieee80211_sub_if_data *sdata, + struct sta_info *sta) +@@ -635,8 +668,7 @@ int ieee80211_key_link(struct ieee80211_key *key, + * Silently accept key re-installation without really installing the + * new version of the key to avoid nonce reuse or replay issues. + */ +- if (old_key && key->conf.keylen == old_key->conf.keylen && +- !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) { ++ if (ieee80211_key_identical(sdata, old_key, key)) { + ieee80211_key_free_unused(key); + ret = 0; + goto out; diff --git a/debian/patches/bugfix/all/mac80211-use-constant-time-comparison-with-keys.patch b/debian/patches/bugfix/all/mac80211-use-constant-time-comparison-with-keys.patch new file mode 100644 index 000000000..437ff9f14 --- /dev/null +++ b/debian/patches/bugfix/all/mac80211-use-constant-time-comparison-with-keys.patch 
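Review bot: `ieee80211_key_identical` copies both keys into the stack buffers `tkip_old` and `tkip_new` in the station-mode TKIP case and returns without clearing them, so key material is left on the stack after the function returns. Suggest computing the result into a local and wiping the copies before returning, `memzero_explicit(tkip_old, sizeof(tkip_old)); memzero_explicit(tkip_new, sizeof(tkip_new));` (the kernel's non-elidable memset). Minor: `tk_old` and `tk_new` are only read, so declaring them `const u8 *` would document that. The caller `ieee80211_key_link` is only partly visible and continues outside the hunk.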
@@ -0,0 +1,36 @@ +From: "Jason A. Donenfeld" +Date: Tue, 17 Oct 2017 20:32:07 +0200 +Subject: mac80211: use constant time comparison with keys +Origin: https://git.kernel.org/linus/2bdd713b92a9cade239d3c7d15205a09f556624d +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-13080 + +Otherwise we risk leaking information via timing side channel. + +Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Johannes Berg +--- + net/mac80211/key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index ae995c8480db..035d16fe926e 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include "ieee80211_i.h" + #include "driver-ops.h" +@@ -635,7 +636,7 @@ int ieee80211_key_link(struct ieee80211_key *key, + * new version of the key to avoid nonce reuse or replay issues. + */ + if (old_key && key->conf.keylen == old_key->conf.keylen && +- !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) { ++ !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) { + ieee80211_key_free_unused(key); + ret = 0; + goto out; diff --git a/debian/patches/series b/debian/patches/series index e65756465..90a6f7df5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -114,6 +114,8 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch +bugfix/all/mac80211-use-constant-time-comparison-with-keys.patch +bugfix/all/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-.patch bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch # Fix exported symbol versions From c08c3b8b2500abcde482e9736360ca49a348646c Mon Sep 17 00:00:00 2001 
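Review bot: The added include line appears here as a bare `++#include` with its header name missing, apparently stripped in rendering along with the other includes; since `crypto_memneq` is declared in crypto/algapi.h, the stored patch should be checked to read `#include <crypto/algapi.h>` before it is applied. The substitution itself keeps the polarity: `!crypto_memneq(...)` is true on equal buffers exactly as `!memcmp(...)` was, and the preceding keylen equality test still bounds the compare. The enclosing `ieee80211_key_link` continues outside the hunk.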
From: Ben Hutchings Date: Thu, 16 Nov 2017 17:40:00 +0000 Subject: [PATCH 16/32] usb: usbtest: fix NULL pointer dereference (CVE-2017-16532) --- debian/changelog | 1 + ...usbtest-fix-NULL-pointer-dereference.patch | 39 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 41 insertions(+) create mode 100644 debian/patches/bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch diff --git a/debian/changelog b/debian/changelog index ba70dfba7..c303b84c5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -124,6 +124,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * swap: Avoid ABI change in 4.13.12 * mac80211: use constant time comparison with keys * mac80211: don't compare TKIP TX MIC key in reinstall prevention + * usb: usbtest: fix NULL pointer dereference (CVE-2017-16532) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch b/debian/patches/bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch new file mode 100644 index 000000000..ac4735064 --- /dev/null +++ b/debian/patches/bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch 
@@ -0,0 +1,39 @@ +From: Alan Stern +Date: Fri, 29 Sep 2017 10:54:24 -0400 +Subject: usb: usbtest: fix NULL pointer dereference +Origin: https://git.kernel.org/linus/7c80f9e4a588f1925b07134bb2e3689335f6c6d8 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16532 + +If the usbtest driver encounters a device with an IN bulk endpoint but +no OUT bulk endpoint, it will try to dereference a NULL pointer +(out->desc.bEndpointAddress). The problem can be solved by adding a +missing test. + +Signed-off-by: Alan Stern +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Felipe Balbi +--- + drivers/usb/misc/usbtest.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c +index 113e38bfe0ef..b3fc602b2e24 100644 +--- a/drivers/usb/misc/usbtest.c ++++ b/drivers/usb/misc/usbtest.c +@@ -202,12 +202,13 @@ get_endpoints(struct usbtest_dev *dev, struct usb_interface *intf) + return tmp; + } + +- if (in) { ++ if (in) + dev->in_pipe = usb_rcvbulkpipe(udev, + in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); ++ if (out) + dev->out_pipe = usb_sndbulkpipe(udev, + out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); +- } ++ + if (iso_in) { + dev->iso_in = &iso_in->desc; + dev->in_iso_pipe = usb_rcvisocpipe(udev, diff --git a/debian/patches/series b/debian/patches/series index 90a6f7df5..c6a86a389 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -117,6 +117,7 @@ bugfix/all/mac80211-accept-key-reinstall-without-changing-anyth.patch bugfix/all/mac80211-use-constant-time-comparison-with-keys.patch bugfix/all/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-.patch bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch +bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch 
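Review bot: After the split, `dev->out_pipe` is simply left untouched when no OUT bulk endpoint exists, and nothing in the hunk records that later bulk tests must treat an unset `out_pipe` as "no endpoint"; whether they do is outside the hunk and worth confirming. Suggest a one-line comment above `if (out)` such as `/* IN-only devices have no out endpoint; out_pipe stays unset and bulk tests must skip it */`. Style: each `if` now guards a single statement wrapped over two lines without braces, which kernel style permits, but braces around each would make the pairing with the two-line call unambiguous. `get_endpoints` starts and ends outside the hunk.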
From a06739ccd2b13d72483e753f97716d8ca88d454d Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 18:03:20 +0000 Subject: [PATCH 17/32] media: cx231xx-cards: fix NULL-deref on missing association descriptor (CVE-2017-16536) --- debian/changelog | 2 ++ ...rds-fix-null-deref-on-missing-associ.patch | 36 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 39 insertions(+) create mode 100644 debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch diff --git a/debian/changelog b/debian/changelog index c303b84c5..7ec58dc6a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -125,6 +125,8 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * mac80211: use constant time comparison with keys * mac80211: don't compare TKIP TX MIC key in reinstall prevention * usb: usbtest: fix NULL pointer dereference (CVE-2017-16532) + * media: cx231xx-cards: fix NULL-deref on missing association descriptor + (CVE-2017-16536) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch b/debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch new file mode 100644 index 000000000..b6ad1e07d --- /dev/null +++ b/debian/patches/bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch 
@@ -0,0 +1,36 @@ +From: Johan Hovold +Date: Thu, 21 Sep 2017 05:40:18 -0300 +Subject: [media] cx231xx-cards: fix NULL-deref on missing association + descriptor +Origin: https://git.kernel.org/linus/6c3b047fa2d2286d5e438bcb470c7b1a49f415f6 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16536 + +Make sure to check that we actually have an Interface Association +Descriptor before dereferencing it during probe to avoid dereferencing a +NULL-pointer. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") + +Cc: stable # 2.6.30 +Reported-by: Andrey Konovalov +Signed-off-by: Johan Hovold +Tested-by: Andrey Konovalov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c +index e0daa9b6c2a0..9b742d569fb5 100644 +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -1684,7 +1684,7 @@ static int cx231xx_usb_probe(struct usb_interface *interface, + nr = dev->devno; + + assoc_desc = udev->actconfig->intf_assoc[0]; +- if (assoc_desc->bFirstInterface != ifnum) { ++ if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) { + dev_err(d, "Not found matching IAD interface\n"); + retval = -ENODEV; + goto err_if; diff --git a/debian/patches/series b/debian/patches/series index c6a86a389..56461ce42 100644 --- a/debian/patches/series +++ b/debian/patches/series 
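Review bot: With the new `!assoc_desc ||` guard, the existing `dev_err(d, "Not found matching IAD interface\n")` now fires for two different conditions — no Interface Association Descriptor at all, and an IAD whose `bFirstInterface` does not match — which makes a probe failure harder to diagnose from the log. Suggest distinguishing them, e.g. `dev_err(d, "%s\n", assoc_desc ? "Not found matching IAD interface" : "No IAD found");` or a separate early check with its own message. The `goto err_if` target and the rest of `cx231xx_usb_probe` are outside the hunk.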
@@ -118,6 +118,7 @@ bugfix/all/mac80211-use-constant-time-comparison-with-keys.patch bugfix/all/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-.patch bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch +bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch From c718be9d816ff4a61fff2485b33ddfa6e91367fd Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 18:04:43 +0000 Subject: [PATCH 18/32] media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537) --- debian/changelog | 1 + ...mon-fix-null-ptr-deref-in-imon_probe.patch | 31 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 33 insertions(+) create mode 100644 debian/patches/bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch diff --git a/debian/changelog b/debian/changelog index 7ec58dc6a..4ff2810ff 100644 --- a/debian/changelog +++ b/debian/changelog @@ -127,6 +127,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * usb: usbtest: fix NULL pointer dereference (CVE-2017-16532) * media: cx231xx-cards: fix NULL-deref on missing association descriptor (CVE-2017-16536) + * media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch b/debian/patches/bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch new file mode 100644 index 000000000..40b26ad3d --- /dev/null +++ b/debian/patches/bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch 
@@ -0,0 +1,31 @@ +From: Arvind Yadav +Date: Mon, 9 Oct 2017 20:14:48 +0200 +Subject: media: imon: Fix null-ptr-deref in imon_probe +Origin: https://git.kernel.org/linus/58fd55e838276a0c13d1dc7c387f90f25063cbf3 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16537 + +It seems that the return value of usb_ifnum_to_if() can be NULL and +needs to be checked. + +Signed-off-by: Arvind Yadav +Tested-by: Andrey Konovalov +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/rc/imon.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/rc/imon.c ++++ b/drivers/media/rc/imon.c +@@ -2516,6 +2516,11 @@ static int imon_probe(struct usb_interfa + mutex_lock(&driver_lock); + + first_if = usb_ifnum_to_if(usbdev, 0); ++ if (!first_if) { ++ ret = -ENODEV; ++ goto fail; ++ } ++ + first_if_ctx = usb_get_intfdata(first_if); + + if (ifnum == 0) { diff --git a/debian/patches/series b/debian/patches/series index 56461ce42..0b0b13ca2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -119,6 +119,7 @@ bugfix/all/mac80211-don-t-compare-tkip-tx-mic-key-in-reinstall-.patch bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch +bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch From ed4bdea86177a7f7d22ce5efc1843e8d026f1e7d Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 18:10:19 +0000 Subject: [PATCH 19/32] media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646) --- debian/changelog | 1 + ...0700-fix-invalid-dvb_detach-argument.patch | 191 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 193 insertions(+) create mode 100644 debian/patches/bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch 
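Review bot: The new `goto fail` sits two lines after `mutex_lock(&driver_lock)`, so correctness depends on the `fail:` label — outside the hunk — releasing `driver_lock`; that should be confirmed, since a label that only frees resources would leave the mutex held on this path. Once verified, a short comment on the new branch would make the dependency explicit, e.g. `/* fail: drops driver_lock */`. The rest of `imon_probe` starts and ends outside the hunk.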
diff --git a/debian/changelog b/debian/changelog index 4ff2810ff..95350a2ab 100644 --- a/debian/changelog +++ b/debian/changelog @@ -128,6 +128,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * media: cx231xx-cards: fix NULL-deref on missing association descriptor (CVE-2017-16536) * media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537) + * media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch b/debian/patches/bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch new file mode 100644 index 000000000..4da262676 --- /dev/null +++ b/debian/patches/bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch 
@@ -0,0 +1,191 @@ +From: Andrey Konovalov +Date: Thu, 2 Nov 2017 10:38:21 -0400 +Subject: media: dib0700: fix invalid dvb_detach argument +Origin: https://git.kernel.org/linus/eb0c19942288569e0ae492476534d5a485fb8ab4 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16646 + +dvb_detach(arg) calls symbol_put_addr(arg), where arg should be a pointer +to a function. Right now a pointer to state->dib7000p_ops is passed to +dvb_detach(), which causes a BUG() in symbol_put_addr() as discovered by +syzkaller. Pass state->dib7000p_ops.set_wbd_ref instead. + +------------[ cut here ]------------ +kernel BUG at kernel/module.c:1081! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +Modules linked in: +CPU: 1 PID: 1151 Comm: kworker/1:1 Tainted: G W +4.14.0-rc1-42251-gebb2c2437d80 #224 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Workqueue: usb_hub_wq hub_event +task: ffff88006a336300 task.stack: ffff88006a7c8000 +RIP: 0010:symbol_put_addr+0x54/0x60 kernel/module.c:1083 +RSP: 0018:ffff88006a7ce210 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff880062a8d190 RCX: 0000000000000000 +RDX: dffffc0000000020 RSI: ffffffff85876d60 RDI: ffff880062a8d190 +RBP: ffff88006a7ce218 R08: 1ffff1000d4f9c12 R09: 1ffff1000d4f9ae4 +R10: 1ffff1000d4f9bed R11: 0000000000000000 R12: ffff880062a8d180 +R13: 00000000ffffffed R14: ffff880062a8d190 R15: ffff88006947c000 +FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f6416532000 CR3: 00000000632f5000 CR4: 00000000000006e0 +Call Trace: + stk7070p_frontend_attach+0x515/0x610 +drivers/media/usb/dvb-usb/dib0700_devices.c:1013 + dvb_usb_adapter_frontend_init+0x32b/0x660 +drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286 + dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 + dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162 + dvb_usb_device_init+0xf70/0x17f0 
drivers/media/usb/dvb-usb/dvb-usb-init.c:277 + dib0700_probe+0x171/0x5a0 drivers/media/usb/dvb-usb/dib0700_core.c:886 + usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 drivers/base/core.c:1835 + usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 + generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 + usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 drivers/base/core.c:1835 + usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 + hub_port_connect drivers/usb/core/hub.c:4903 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 + worker_thread+0x221/0x1850 kernel/workqueue.c:2253 + kthread+0x3a1/0x470 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 +Code: ff ff 48 85 c0 74 24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8 +de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f> +0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00 +RIP: symbol_put_addr+0x54/0x60 RSP: ffff88006a7ce210 +---[ end trace b75b357739e7e116 ]--- + +Signed-off-by: Andrey Konovalov + 
+Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/usb/dvb-usb/dib0700_devices.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/media/usb/dvb-usb/dib0700_devices.c ++++ b/drivers/media/usb/dvb-usb/dib0700_devices.c +@@ -291,7 +291,7 @@ static int stk7700P2_frontend_attach(str + stk7700d_dib7000p_mt2266_config) + != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + } +@@ -325,7 +325,7 @@ static int stk7700d_frontend_attach(stru + stk7700d_dib7000p_mt2266_config) + != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + } +@@ -478,7 +478,7 @@ static int stk7700ph_frontend_attach(str + &stk7700ph_dib7700_xc3028_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -1010,7 +1010,7 @@ static int stk7070p_frontend_attach(stru + &dib7070p_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -1068,7 +1068,7 @@ static int stk7770p_frontend_attach(stru + &dib7770p_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. 
Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3050,7 +3050,7 @@ static int nim7090_frontend_attach(struc + + if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x10, &nim7090_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap, 0x80, &nim7090_dib7000p_config); +@@ -3103,7 +3103,7 @@ static int tfe7090pvr_frontend0_attach(s + /* initialize IC 0 */ + if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, &tfe7090pvr_dib7000p_config[0]) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3133,7 +3133,7 @@ static int tfe7090pvr_frontend1_attach(s + i2c = state->dib7000p_ops.get_i2c_master(adap->dev->adapter[0].fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_6_7, 1); + if (state->dib7000p_ops.i2c_enumeration(i2c, 1, 0x10, &tfe7090pvr_dib7000p_config[1]) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3208,7 +3208,7 @@ static int tfe7790p_frontend_attach(stru + 1, 0x10, &tfe7790p_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. 
Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap, +@@ -3303,7 +3303,7 @@ static int stk7070pd_frontend_attach0(st + stk7070pd_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + +@@ -3378,7 +3378,7 @@ static int novatd_frontend_attach(struct + stk7070pd_dib7000p_config) != 0) { + err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", + __func__); +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + } +@@ -3614,7 +3614,7 @@ static int pctv340e_frontend_attach(stru + + if (state->dib7000p_ops.dib7000pc_detection(&adap->dev->i2c_adap) == 0) { + /* Demodulator not found for some reason? */ +- dvb_detach(&state->dib7000p_ops); ++ dvb_detach(state->dib7000p_ops.set_wbd_ref); + return -ENODEV; + } + diff --git a/debian/patches/series b/debian/patches/series index 0b0b13ca2..678c16170 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -120,6 +120,7 @@ bugfix/all/sctp-do-not-peel-off-an-assoc-from-one-netns-to-anot.patch bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch +bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch From 4ee0c56703668bedb74aa6037f8121cb62b37c01 Mon Sep 17 00:00:00 2001 
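Review bot: Twelve attach callbacks now carry the identical three-line error path `err(...); dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV;`, and none of them explains why `set_wbd_ref` is the value handed to dvb_detach(). The previous argument `&state->dib7000p_ops` was the address of a struct embedded in the adapter's own state, whereas the new one is presumably a function pointer living inside the dib7000p module, which is what dvb_detach() needs; a comment at the first site, e.g. `/* dvb_detach() needs an address inside the dib7000p module; any ops member will do */`, would make the fix self-explaining. A small static helper such as `dib7000p_ops_put(state)` wrapping that call would also keep the twelve copies from drifting apart if the ops table changes again. Each hunk shows only the error branch; the enclosing attach functions start and end outside the hunks.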
From: Ben Hutchings Date: Thu, 16 Nov 2017 18:11:00 +0000 Subject: [PATCH 20/32] net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647) --- debian/changelog | 1 + ...-fill-null-ptr-deref-in-asix_suspend.patch | 83 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 85 insertions(+) create mode 100644 debian/patches/bugfix/all/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch diff --git a/debian/changelog b/debian/changelog index 95350a2ab..2973a83e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -129,6 +129,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium (CVE-2017-16536) * media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537) * media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646) + * net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/bugfix/all/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch b/debian/patches/bugfix/all/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch new file mode 100644 index 000000000..758f34ddf --- /dev/null +++ b/debian/patches/bugfix/all/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch 
@@ -0,0 +1,83 @@ +From: Andrey Konovalov +Date: Mon, 6 Nov 2017 13:26:46 +0100 +Subject: net: usb: asix: fill null-ptr-deref in asix_suspend +Origin: https://git.kernel.org/linus/8f5624629105589bcc23d0e51cc01bd8103d09a5 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16647 + +When asix_suspend() is called dev->driver_priv might not have been +assigned a value, so we need to check that it's not NULL. + +Similar issue is present in asix_resume(), this patch fixes it as well. + +Found by syzkaller. + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +Modules linked in: +CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc4-43422-geccacdd69a8c #400 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Workqueue: usb_hub_wq hub_event +task: ffff88006bb36300 task.stack: ffff88006bba8000 +RIP: 0010:asix_suspend+0x76/0xc0 drivers/net/usb/asix_devices.c:629 +RSP: 0018:ffff88006bbae718 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: ffff880061ba3b80 RCX: 1ffff1000c34d644 +RDX: 0000000000000001 RSI: 0000000000000402 RDI: 0000000000000008 +RBP: ffff88006bbae738 R08: 1ffff1000d775cad R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800630a8b40 +R13: 0000000000000000 R14: 0000000000000402 R15: ffff880061ba3b80 +FS: 0000000000000000(0000) GS:ffff88006c600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ff33cf89000 CR3: 0000000061c0a000 CR4: 00000000000006f0 +Call Trace: + usb_suspend_interface drivers/usb/core/driver.c:1209 + usb_suspend_both+0x27f/0x7e0 drivers/usb/core/driver.c:1314 + usb_runtime_suspend+0x41/0x120 drivers/usb/core/driver.c:1852 + __rpm_callback+0x339/0xb60 drivers/base/power/runtime.c:334 + rpm_callback+0x106/0x220 drivers/base/power/runtime.c:461 + rpm_suspend+0x465/0x1980 drivers/base/power/runtime.c:596 + 
__pm_runtime_suspend+0x11e/0x230 drivers/base/power/runtime.c:1009 + pm_runtime_put_sync_autosuspend ./include/linux/pm_runtime.h:251 + usb_new_device+0xa37/0x1020 drivers/usb/core/hub.c:2487 + hub_port_connect drivers/usb/core/hub.c:4903 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 + worker_thread+0x221/0x1850 kernel/workqueue.c:2253 + kthread+0x3a1/0x470 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 +Code: 8d 7c 24 20 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5b 48 b8 00 00 +00 00 00 fc ff df 4d 8b 6c 24 20 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> +3c 02 00 75 34 4d 8b 6d 08 4d 85 ed 74 0b e8 26 2b 51 fd 4c +RIP: asix_suspend+0x76/0xc0 RSP: ffff88006bbae718 +---[ end trace dfc4f5649284342c ]--- + +Signed-off-by: Andrey Konovalov +Signed-off-by: David S. Miller +--- + drivers/net/usb/asix_devices.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c +index b2ff88e69a81..3d4f7959dabb 100644 +--- a/drivers/net/usb/asix_devices.c ++++ b/drivers/net/usb/asix_devices.c +@@ -626,7 +626,7 @@ static int asix_suspend(struct usb_interface *intf, pm_message_t message) + struct usbnet *dev = usb_get_intfdata(intf); + struct asix_common_private *priv = dev->driver_priv; + +- if (priv->suspend) ++ if (priv && priv->suspend) + priv->suspend(dev); + + return usbnet_suspend(intf, message); +@@ -678,7 +678,7 @@ static int asix_resume(struct usb_interface *intf) + struct usbnet *dev = usb_get_intfdata(intf); + struct asix_common_private *priv = dev->driver_priv; + +- if (priv->resume) ++ if (priv && priv->resume) + priv->resume(dev); + + return usbnet_resume(intf); diff --git a/debian/patches/series b/debian/patches/series index 678c16170..11f4defd9 100644 --- a/debian/patches/series +++ b/debian/patches/series 
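Review bot: The added `priv && priv->suspend` guard in asix_suspend() (and the matching one in asix_resume() below) says nothing about why dev->driver_priv can be NULL here, and the reason is not obvious from the code. The description says driver_priv may not have been assigned yet and the trace shows the call arriving via usb_new_device()'s runtime-PM put, so presumably the driver's bind callback has not run at that point; a one-line comment at the check, e.g. `/* driver_priv is set by bind(); runtime suspend/resume can arrive before that during probe */`, would keep the guard from being "simplified" away later. The same comment belongs on the resume hunk. Both functions are shown apart from their closing braces, which fall outside the hunks.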
@@ -121,6 +121,7 @@ bugfix/all/usb-usbtest-fix-NULL-pointer-dereference.patch bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch +bugfix/all/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch From 91a7ba9320a34546ff5ea72ea2ad7ceb761f6f1b Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 18:12:24 +0000 Subject: [PATCH 21/32] net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649) --- debian/changelog | 1 + ...r-fix-divide-by-0-on-bad-descriptors.patch | 31 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 33 insertions(+) create mode 100644 debian/patches/bugfix/all/net-cdc_ether-fix-divide-by-0-on-bad-descriptors.patch diff --git a/debian/changelog b/debian/changelog index 2973a83e3..b2eafdfea 100644 --- a/debian/changelog +++ b/debian/changelog @@ -130,6 +130,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * media: imon: Fix null-ptr-deref in imon_probe (CVE-2017-16537) * media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646) * net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647) + * net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/bugfix/all/net-cdc_ether-fix-divide-by-0-on-bad-descriptors.patch b/debian/patches/bugfix/all/net-cdc_ether-fix-divide-by-0-on-bad-descriptors.patch new file mode 100644 index 000000000..b9b5a2830 --- /dev/null +++ b/debian/patches/bugfix/all/net-cdc_ether-fix-divide-by-0-on-bad-descriptors.patch 
@@ -0,0 +1,31 @@ +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Mon, 6 Nov 2017 15:37:22 +0100 +Subject: net: cdc_ether: fix divide by 0 on bad descriptors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://git.kernel.org/linus/2cb80187ba065d7decad7c6614e35e07aec8a974 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16649 + +Setting dev->hard_mtu to 0 will cause a divide error in +usbnet_probe. Protect against devices with bogus CDC Ethernet +functional descriptors by ignoring a zero wMaxSegmentSize. + +Signed-off-by: Bjørn Mork +Acked-by: Oliver Neukum +Signed-off-by: David S. Miller +--- + drivers/net/usb/cdc_ether.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -221,7 +221,7 @@ skip: + goto bad_desc; + } + +- if (header.usb_cdc_ether_desc) { ++ if (header.usb_cdc_ether_desc && info->ether->wMaxSegmentSize) { + dev->hard_mtu = le16_to_cpu(info->ether->wMaxSegmentSize); + /* because of Zaurus, we may be ignoring the host + * side link address we were given. diff --git a/debian/patches/series b/debian/patches/series index 11f4defd9..c645ce43c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -122,6 +122,7 @@ bugfix/all/media-cx231xx-cards-fix-null-deref-on-missing-associ.patch bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch bugfix/all/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch +bugfix/all/net-cdc_ether-fix-divide-by-0-on-bad-descriptors.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch From 58e12683e192ed2bc42d4612781fb3b9d007e45c Mon Sep 17 00:00:00 2001 
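Review bot: The new `info->ether->wMaxSegmentSize` condition rejects only a zero descriptor value, which removes the divide-by-zero in usbnet_probe but still accepts a value smaller than an Ethernet header as dev->hard_mtu; whether that misbehaves further down the rx path is not visible here, so either a lower bound or a comment stating that zero is the only value that matters would be worth adding, e.g. `if (header.usb_cdc_ether_desc && le16_to_cpu(info->ether->wMaxSegmentSize) >= ETH_HLEN) {`. Testing the raw __le16 for zero is endian-safe, but converting it with le16_to_cpu() in the condition matches the assignment on the next line and avoids a possible sparse complaint about the restricted type. The qmi_wwan hunk later in this series (`if (cdc_ether && cdc_ether->wMaxSegmentSize)`) has the same shape and would take the same change. The enclosing function begins and ends outside the hunk.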
From: Ben Hutchings Date: Thu, 16 Nov 2017 18:13:46 +0000 Subject: [PATCH 22/32] net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650) --- debian/changelog | 1 + ...n-fix-divide-by-0-on-bad-descriptors.patch | 59 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 61 insertions(+) create mode 100644 debian/patches/bugfix/all/net-qmi_wwan-fix-divide-by-0-on-bad-descriptors.patch diff --git a/debian/changelog b/debian/changelog index b2eafdfea..5351a9597 100644 --- a/debian/changelog +++ b/debian/changelog @@ -131,6 +131,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * media: dib0700: fix invalid dvb_detach argument (CVE-2017-16646) * net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647) * net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649) + * net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/bugfix/all/net-qmi_wwan-fix-divide-by-0-on-bad-descriptors.patch b/debian/patches/bugfix/all/net-qmi_wwan-fix-divide-by-0-on-bad-descriptors.patch new file mode 100644 index 000000000..9a3575330 --- /dev/null +++ b/debian/patches/bugfix/all/net-qmi_wwan-fix-divide-by-0-on-bad-descriptors.patch 
@@ -0,0 +1,59 @@ +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Mon, 6 Nov 2017 15:32:18 +0100 +Subject: net: qmi_wwan: fix divide by 0 on bad descriptors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://git.kernel.org/linus/7fd078337201cf7468f53c3d9ef81ff78cb6df3b +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16650 + +A CDC Ethernet functional descriptor with wMaxSegmentSize = 0 will +cause a divide error in usbnet_probe: + +divide error: 0000 [#1] PREEMPT SMP KASAN +Modules linked in: +CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc8-44453-g1fdc1a82c34f #56 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Workqueue: usb_hub_wq hub_event +task: ffff88006bef5c00 task.stack: ffff88006bf60000 +RIP: 0010:usbnet_update_max_qlen+0x24d/0x390 drivers/net/usb/usbnet.c:355 +RSP: 0018:ffff88006bf67508 EFLAGS: 00010246 +RAX: 00000000000163c8 RBX: ffff8800621fce40 RCX: ffff8800621fcf34 +RDX: 0000000000000000 RSI: ffffffff837ecb7a RDI: ffff8800621fcf34 +RBP: ffff88006bf67520 R08: ffff88006bef5c00 R09: ffffed000c43f881 +R10: ffffed000c43f880 R11: ffff8800621fc406 R12: 0000000000000003 +R13: ffffffff85c71de0 R14: 0000000000000000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff88006ca00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffe9c0d6dac CR3: 00000000614f4000 CR4: 00000000000006f0 +Call Trace: + usbnet_probe+0x18b5/0x2790 drivers/net/usb/usbnet.c:1783 + qmi_wwan_probe+0x133/0x220 drivers/net/usb/qmi_wwan.c:1338 + usb_probe_interface+0x324/0x940 drivers/usb/core/driver.c:361 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x522/0x740 drivers/base/dd.c:557 + +Fix by simply ignoring the bogus descriptor, as it is optional +for QMI devices anyway. 
+ +Fixes: 423ce8caab7e ("net: usb: qmi_wwan: New driver for Huawei QMI based WWAN devices") +Reported-by: Andrey Konovalov +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +--- + drivers/net/usb/qmi_wwan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 8c3733608271..a4f229edcceb 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -681,7 +681,7 @@ static int qmi_wwan_bind(struct usbnet *dev, struct usb_interface *intf) + } + + /* errors aren't fatal - we can live with the dynamic address */ +- if (cdc_ether) { ++ if (cdc_ether && cdc_ether->wMaxSegmentSize) { + dev->hard_mtu = le16_to_cpu(cdc_ether->wMaxSegmentSize); + usbnet_get_ethernet_addr(dev, cdc_ether->iMACAddress); + } diff --git a/debian/patches/series b/debian/patches/series index c645ce43c..676c0b9b5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -123,6 +123,7 @@ bugfix/all/media-imon-fix-null-ptr-deref-in-imon_probe.patch bugfix/all/media-dib0700-fix-invalid-dvb_detach-argument.patch bugfix/all/net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch bugfix/all/net-cdc_ether-fix-divide-by-0-on-bad-descriptors.patch +bugfix/all/net-qmi_wwan-fix-divide-by-0-on-bad-descriptors.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch From 9f5b9b8ff885bcfdbc3263a5e67b7f341f4689af Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 18:37:11 +0000 Subject: [PATCH 23/32] nftables: Enable NFT_RT, NFT_SET_BITMAP, NFT_OBJREF as modules (Closes: #881931) --- debian/changelog | 2 ++ debian/config/config | 3 +++ 2 files changed, 5 insertions(+) diff --git a/debian/changelog b/debian/changelog index 5351a9597..7e037d2c7 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -132,6 +132,8 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * net: usb: asix: fill null-ptr-deref in asix_suspend (CVE-2017-16647) * net: cdc_ether: fix divide by 0 on bad descriptors (CVE-2017-16649) * net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650) + * nftables: Enable NFT_RT, NFT_SET_BITMAP, NFT_OBJREF as modules + (Closes: #881931) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/config/config b/debian/config/config index cea4b05ad..07e33bbda 100644 --- a/debian/config/config +++ b/debian/config/config @@ -6723,16 +6723,19 @@ CONFIG_NF_TABLES_INET=m CONFIG_NF_TABLES_NETDEV=m CONFIG_NFT_EXTHDR=m CONFIG_NFT_META=m +CONFIG_NFT_RT=m CONFIG_NFT_NUMGEN=m CONFIG_NFT_CT=m CONFIG_NFT_SET_RBTREE=m CONFIG_NFT_SET_HASH=m +CONFIG_NFT_SET_BITMAP=m CONFIG_NFT_COUNTER=m CONFIG_NFT_LOG=m CONFIG_NFT_LIMIT=m CONFIG_NFT_MASQ=m CONFIG_NFT_REDIR=m CONFIG_NFT_NAT=m +CONFIG_NFT_OBJREF=m CONFIG_NFT_QUEUE=m CONFIG_NFT_QUOTA=m CONFIG_NFT_REJECT=m From 2cc01f34ce79585cd3cb19c125da7e99bf97e579 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 18:42:09 +0000 Subject: [PATCH 24/32] [powerpc*/*64*] drm: Enable DRM_AMDGPU as module (Closes: #881593) --- debian/changelog | 1 + debian/config/kernelarch-powerpc/config-arch-64 | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 7e037d2c7..8dc21a567 100644 --- a/debian/changelog +++ b/debian/changelog @@ -134,6 +134,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * net: qmi_wwan: fix divide by 0 on bad descriptors (CVE-2017-16650) * nftables: Enable NFT_RT, NFT_SET_BITMAP, NFT_OBJREF as modules (Closes: #881931) + * [powerpc*/*64*] drm: Enable DRM_AMDGPU as module (Closes: #881593) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/config/kernelarch-powerpc/config-arch-64 b/debian/config/kernelarch-powerpc/config-arch-64 index aa873f319..329e7a225 100644 --- a/debian/config/kernelarch-powerpc/config-arch-64 
+++ b/debian/config/kernelarch-powerpc/config-arch-64 @@ -73,6 +73,11 @@ CONFIG_CRYPTO_DEV_VMX=y ## CONFIG_CRYPTO_DEV_VMX_ENCRYPT=m +## +## file: drivers/gpu/drm/Kconfig +## +CONFIG_DRM_AMDGPU=m + ## ## file: drivers/gpu/drm/ast/Kconfig ## From e81177b8a9494906fd0b47f08aa8fc413b80ef19 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 18:44:33 +0000 Subject: [PATCH 25/32] amdgpu: Enable DRM_AMDGPU_USERPTR on all architectures I missed this when enabling amdgpu on arm64. Also move the explicit disabling of DRM_AMDGPU_CIK to the top level config. --- debian/changelog | 1 + debian/config/config | 2 ++ debian/config/kernelarch-x86/config | 6 ------ 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/debian/changelog b/debian/changelog index 8dc21a567..2ed2ddb7c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -135,6 +135,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * nftables: Enable NFT_RT, NFT_SET_BITMAP, NFT_OBJREF as modules (Closes: #881931) * [powerpc*/*64*] drm: Enable DRM_AMDGPU as module (Closes: #881593) + * amdgpu: Enable DRM_AMDGPU_USERPTR on all architectures -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/config/config b/debian/config/config index 07e33bbda..46907165e 100644 --- a/debian/config/config +++ b/debian/config/config @@ -616,6 +616,8 @@ CONFIG_DRM_SAVAGE=m ## file: drivers/gpu/drm/amd/amdgpu/Kconfig ## # CONFIG_DRM_AMDGPU_SI is not set +# CONFIG_DRM_AMDGPU_CIK is not set +CONFIG_DRM_AMDGPU_USERPTR=y # CONFIG_DRM_AMDGPU_GART_DEBUGFS is not set ## diff --git a/debian/config/kernelarch-x86/config b/debian/config/kernelarch-x86/config index 180d583c2..a31559883 100644 --- a/debian/config/kernelarch-x86/config +++ b/debian/config/kernelarch-x86/config @@ -502,12 +502,6 @@ CONFIG_DRM_SIS=m ## CONFIG_DRM_AMD_ACP=y -## -## file: drivers/gpu/drm/amd/amdgpu/Kconfig -## -# CONFIG_DRM_AMDGPU_CIK is not set -CONFIG_DRM_AMDGPU_USERPTR=y - ## ## file: drivers/gpu/drm/amd/amdkfd/Kconfig ## 
From a4d1de0350f289863e1700186b51571624596f86 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 19:07:46 +0000 Subject: [PATCH 26/32] [arm64,x86] net/wireless: Enable RTL8723BS as module (Closes: #881568) --- debian/changelog | 1 + debian/config/arm64/config | 5 +++++ debian/config/kernelarch-x86/config | 5 +++++ 3 files changed, 11 insertions(+) diff --git a/debian/changelog b/debian/changelog index 2ed2ddb7c..9639c3b2d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -136,6 +136,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium (Closes: #881931) * [powerpc*/*64*] drm: Enable DRM_AMDGPU as module (Closes: #881593) * amdgpu: Enable DRM_AMDGPU_USERPTR on all architectures + * [arm64,x86] net/wireless: Enable RTL8723BS as module (Closes: #881568) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/config/arm64/config b/debian/config/arm64/config index 9d55bdfb9..1e3987a7e 100644 --- a/debian/config/arm64/config +++ b/debian/config/arm64/config @@ -754,6 +754,11 @@ CONFIG_SPI_THUNDERX=m CONFIG_SPMI=y CONFIG_SPMI_MSM_PMIC_ARB=y +## +## file: drivers/staging/rtl8723bs/Kconfig +## +CONFIG_RTL8723BS=m + ## ## file: drivers/thermal/Kconfig ## diff --git a/debian/config/kernelarch-x86/config b/debian/config/kernelarch-x86/config index a31559883..a7280503e 100644 --- a/debian/config/kernelarch-x86/config +++ b/debian/config/kernelarch-x86/config @@ -1633,6 +1633,11 @@ CONFIG_RTL8192E=m ## CONFIG_RTL8192U=m +## +## file: drivers/staging/rtl8723bs/Kconfig +## +CONFIG_RTL8723BS=m + ## ## file: drivers/staging/rts5208/Kconfig ## From 3529916815ac2ba2bb45ad4b1a0abbd1c78e637c Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 19:10:31 +0000 Subject: [PATCH 27/32] [arm64] nvmem: Enable NVMEM_SUNXI_SID as module (Closes: #881567) --- debian/changelog | 1 + debian/config/arm64/config | 1 + 2 files changed, 2 insertions(+) diff --git a/debian/changelog b/debian/changelog index 9639c3b2d..41ba80311 100644 
--- a/debian/changelog +++ b/debian/changelog @@ -137,6 +137,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * [powerpc*/*64*] drm: Enable DRM_AMDGPU as module (Closes: #881593) * amdgpu: Enable DRM_AMDGPU_USERPTR on all architectures * [arm64,x86] net/wireless: Enable RTL8723BS as module (Closes: #881568) + * [arm64] nvmem: Enable NVMEM_SUNXI_SID as module (Closes: #881567) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/config/arm64/config b/debian/config/arm64/config index 1e3987a7e..485b1d0ce 100644 --- a/debian/config/arm64/config +++ b/debian/config/arm64/config @@ -552,6 +552,7 @@ CONFIG_WLCORE_SDIO=m ## file: drivers/nvmem/Kconfig ## CONFIG_QCOM_QFPROM=m +CONFIG_NVMEM_SUNXI_SID=m ## ## file: drivers/pci/dwc/Kconfig From 26fe100dfe53cac76fcd3be9ffdbc29ec5ef6569 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 19:11:54 +0000 Subject: [PATCH 28/32] [x86] rmi4: Disable RMI4_SMB (Closes: #880471) --- debian/changelog | 1 + debian/config/kernelarch-x86/config | 5 ----- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index 41ba80311..dd0b3905b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -138,6 +138,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * amdgpu: Enable DRM_AMDGPU_USERPTR on all architectures * [arm64,x86] net/wireless: Enable RTL8723BS as module (Closes: #881568) * [arm64] nvmem: Enable NVMEM_SUNXI_SID as module (Closes: #881567) + * [x86] rmi4: Disable RMI4_SMB (Closes: #880471) -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/config/kernelarch-x86/config b/debian/config/kernelarch-x86/config index a7280503e..074704513 100644 --- a/debian/config/kernelarch-x86/config +++ b/debian/config/kernelarch-x86/config @@ -781,11 +781,6 @@ CONFIG_MOUSE_ELAN_I2C_I2C=y CONFIG_MOUSE_ELAN_I2C_SMBUS=y CONFIG_MOUSE_VSXXXAA=m -## -## file: drivers/input/rmi4/Kconfig -## -CONFIG_RMI4_SMB=m - ## ## file: drivers/input/serio/Kconfig ## 
From 8aabb7ea89bd5a674f3bddc3cb44cf609e6a99d9 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 19:17:33 +0000 Subject: [PATCH 29/32] amdgpu: Enable DRM_AMDGPU_SI, CONFIG_DRM_AMDGPU_CIK (Closes: #847570) --- debian/changelog | 1 + debian/config/config | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index dd0b3905b..95b248bee 100644 --- a/debian/changelog +++ b/debian/changelog @@ -136,6 +136,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium (Closes: #881931) * [powerpc*/*64*] drm: Enable DRM_AMDGPU as module (Closes: #881593) * amdgpu: Enable DRM_AMDGPU_USERPTR on all architectures + * amdgpu: Enable DRM_AMDGPU_SI, CONFIG_DRM_AMDGPU_CIK (Closes: #847570) * [arm64,x86] net/wireless: Enable RTL8723BS as module (Closes: #881568) * [arm64] nvmem: Enable NVMEM_SUNXI_SID as module (Closes: #881567) * [x86] rmi4: Disable RMI4_SMB (Closes: #880471) diff --git a/debian/config/config b/debian/config/config index 46907165e..9715535b9 100644 --- a/debian/config/config +++ b/debian/config/config @@ -615,8 +615,8 @@ CONFIG_DRM_SAVAGE=m ## ## file: drivers/gpu/drm/amd/amdgpu/Kconfig ## -# CONFIG_DRM_AMDGPU_SI is not set -# CONFIG_DRM_AMDGPU_CIK is not set +CONFIG_DRM_AMDGPU_SI=y +CONFIG_DRM_AMDGPU_CIK=y CONFIG_DRM_AMDGPU_USERPTR=y # CONFIG_DRM_AMDGPU_GART_DEBUGFS is not set From 7cb3e39661100cc42d77476698f5413b78f09330 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 20:49:22 +0000 Subject: [PATCH 30/32] ALSA: timer: Avoid ABI change in 4.13.13 --- debian/changelog | 1 + ...sa-timer-avoid-abi-change-in-4.13.13.patch | 25 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 27 insertions(+) create mode 100644 debian/patches/debian/alsa-timer-avoid-abi-change-in-4.13.13.patch diff --git a/debian/changelog b/debian/changelog index 95b248bee..a6b64ec53 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -140,6 +140,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * [arm64,x86] net/wireless: Enable RTL8723BS as module (Closes: #881568) * [arm64] nvmem: Enable NVMEM_SUNXI_SID as module (Closes: #881567) * [x86] rmi4: Disable RMI4_SMB (Closes: #880471) + * ALSA: timer: Avoid ABI change in 4.13.13 -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/debian/alsa-timer-avoid-abi-change-in-4.13.13.patch b/debian/patches/debian/alsa-timer-avoid-abi-change-in-4.13.13.patch new file mode 100644 index 000000000..e7a874a00 --- /dev/null +++ b/debian/patches/debian/alsa-timer-avoid-abi-change-in-4.13.13.patch @@ -0,0 +1,25 @@ +From: Ben Hutchings +Date: Thu, 16 Nov 2017 20:46:00 +0000 +Subject: ALSA: timer: Avoid ABI change in 4.13.13 +Forwarded: not-needed + +Commit 9b7d869ee5a7 ("ALSA: timer: Limit max instances per timer") +added two new members to the end of struct snd_timer, and this changes +ABI for many exported symbols. However, snd_timer is always allocated +in the snd-timer module, which is the same place the new members are +used. We can safely hide the change from genksyms. + +--- +--- a/include/sound/timer.h ++++ b/include/sound/timer.h +@@ -90,8 +90,10 @@ struct snd_timer { + struct list_head ack_list_head; + struct list_head sack_list_head; /* slow ack list head */ + struct tasklet_struct task_queue; ++#ifndef __GENKSYMS__ + int max_instances; /* upper limit of timer instances */ + int num_instances; /* current number of timer instances */ ++#endif + }; + + struct snd_timer_instance { diff --git a/debian/patches/series b/debian/patches/series index 676c0b9b5..e12e8aaf1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -148,3 +148,4 @@ debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch debian/mac80211-avoid-abi-change-in-4.13.5.patch debian/keys-limit-abi-change-in-4.13.10.patch debian/swap-avoid-abi-change-in-4.13.12.patch +debian/alsa-timer-avoid-abi-change-in-4.13.13.patch 
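Review bot: The `#ifndef __GENKSYMS__` block hides max_instances and num_instances from the symbol-version checksum, but unlike the netfilter ABI patch later in this series it carries no comment, so the safety argument (struct snd_timer is only allocated by snd-timer itself, so nothing else embeds it by value) lives only in this patch header. A comment at the #ifndef, e.g. `/* Debian: hidden from genksyms; snd_timer is only allocated by snd-timer, so growing it is not an ABI break */`, would record that assumption where the next person editing the struct will see it. Since the members are appended and the struct grows, a size assertion like the one in the netfilter patch is not possible here, which is worth stating in the same comment. The struct definition begins above the hunk.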
From 617046eb4541312f1af391ca8d84fd39ca89c226 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 21:04:07 +0000 Subject: [PATCH 31/32] netfilter: nat: Avoid ABI change in 4.13.13 --- debian/changelog | 1 + ...lter-nat-avoid-abi-change-in-4.13.13.patch | 58 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 60 insertions(+) create mode 100644 debian/patches/debian/netfilter-nat-avoid-abi-change-in-4.13.13.patch diff --git a/debian/changelog b/debian/changelog index a6b64ec53..c6b5214f0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -141,6 +141,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * [arm64] nvmem: Enable NVMEM_SUNXI_SID as module (Closes: #881567) * [x86] rmi4: Disable RMI4_SMB (Closes: #880471) * ALSA: timer: Avoid ABI change in 4.13.13 + * netfilter: nat: Avoid ABI change in 4.13.13 -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 diff --git a/debian/patches/debian/netfilter-nat-avoid-abi-change-in-4.13.13.patch b/debian/patches/debian/netfilter-nat-avoid-abi-change-in-4.13.13.patch new file mode 100644 index 000000000..b833dca31 --- /dev/null +++ b/debian/patches/debian/netfilter-nat-avoid-abi-change-in-4.13.13.patch 
@@ -0,0 +1,58 @@ +From: Ben Hutchings +Date: Thu, 16 Nov 2017 21:00:59 +0000 +Subject: netfilter: nat: Avoid ABI change in 4.13.13 +Forwarded: not-needed + +Commit e1bf1687740c ("netfilter: nat: Revert "netfilter: nat: convert +nat bysrc hash to rhashtable") changed the type of +nf_conn::nat_bysource. Thankfully the two types are the same size, +and nothing outside of nf_nat_core touches this field directly. Hide +the change from genksyms but add compile-time assertions to make sure +that this isn't an ABI change. + +--- +--- a/include/net/netfilter/nf_conntrack.h ++++ b/include/net/netfilter/nf_conntrack.h +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -82,7 +83,11 @@ struct nf_conn { + possible_net_t ct_net; + + #if IS_ENABLED(CONFIG_NF_NAT) ++#ifndef __GENKSYMS__ + struct hlist_node nat_bysource; ++#else ++ struct rhlist_head nat_bysource; ++#endif + #endif + /* all members below initialized via memset */ + u8 __nfct_init_offset[0]; +--- a/include/net/netfilter/nf_nat.h ++++ b/include/net/netfilter/nf_nat.h +@@ -1,5 +1,6 @@ + #ifndef _NF_NAT_H + #define _NF_NAT_H ++#include + #include + #include + #include +--- a/net/netfilter/nf_nat_core.c ++++ b/net/netfilter/nf_nat_core.c +@@ -796,6 +796,11 @@ static int __init nf_nat_init(void) + { + int ret; + ++ /* bwh: Assert that nat_bysource hasn't changed size or alignment */ ++ BUILD_BUG_ON(sizeof(struct hlist_node) != sizeof(struct rhlist_head)); ++ BUILD_BUG_ON(__alignof__(struct hlist_node) != ++ __alignof__(struct rhlist_head)); ++ + /* Leave them the same for the moment. */ + nf_nat_htable_size = nf_conntrack_htable_size; + diff --git a/debian/patches/series b/debian/patches/series index e12e8aaf1..3f0ba374f 100644 --- a/debian/patches/series +++ b/debian/patches/series 
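Review bot: The BUILD_BUG_ON pair in nf_nat_init() is what makes the `#ifndef __GENKSYMS__` swap of nat_bysource between `struct hlist_node` and `struct rhlist_head` safe, yet the header hunk in nf_conntrack.h gives no hint that such a check exists, so a later edit to that field could change one side without noticing. A cross-reference at the #ifndef, e.g. `/* Debian ABI workaround: nf_nat_init() asserts hlist_node and rhlist_head match in size and alignment */`, would tie the two hunks together. The size/alignment checks also do not cover the description's claim that nothing outside nf_nat_core touches the field; that presumably rests on code inspection and could be stated in the same comment. The header names in the two added `#include` lines are not visible in this rendering, so they cannot be checked here; the enclosing struct and function both extend outside their hunks.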
@@ -149,3 +149,4 @@ debian/mac80211-avoid-abi-change-in-4.13.5.patch debian/keys-limit-abi-change-in-4.13.10.patch debian/swap-avoid-abi-change-in-4.13.12.patch debian/alsa-timer-avoid-abi-change-in-4.13.13.patch +debian/netfilter-nat-avoid-abi-change-in-4.13.13.patch From 8c84dc3d1481fe5ff77259e0be70639bdd7ce6b1 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 16 Nov 2017 21:04:10 +0000 Subject: [PATCH 32/32] Prepare to release linux (4.13.13-1). --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index c6b5214f0..ea7d767cb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.13.13-1) UNRELEASED; urgency=medium +linux (4.13.13-1) unstable; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11 @@ -143,7 +143,7 @@ linux (4.13.13-1) UNRELEASED; urgency=medium * ALSA: timer: Avoid ABI change in 4.13.13 * netfilter: nat: Avoid ABI change in 4.13.13 - -- Salvatore Bonaccorso Sat, 04 Nov 2017 09:54:41 +0100 + -- Ben Hutchings Thu, 16 Nov 2017 21:04:10 +0000 linux (4.13.10-1) unstable; urgency=medium