Update to 4.11.8

2017-06-29 19:18:59 +02:00 · 2017-06-29 19:18:59 +02:00 · 2125fc6614
parent 3aaf7fba55
commit 2125fc6614
3 changed files with 65 additions and 212 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,4 +1,4 @@
-linux (4.11.7-1) UNRELEASED; urgency=medium
+linux (4.11.8-1) UNRELEASED; urgency=medium

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.7
@ -63,6 +63,70 @@ linux (4.11.7-1) UNRELEASED; urgency=medium
    - mm: larger stack guard gap, between vmas
    - Allow stack to grow up to address space limit
    - mm: fix new crash in unmapped_area_topdown()
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.8
+    - [armhf] clk: sunxi-ng: a31: Correct lcd1-ch1 clock register offset
+    - [armhf] clk: sunxi-ng: v3s: Fix usb otg device reset bit
+    - [armhf] clk: sunxi-ng: sun5i: Fix ahb_bist_clk definition
+    - xen/blkback: fix disconnect while I/Os in flight
+    - xen-blkback: don't leak stack data via response ring (XSA-216)
+    - ALSA: firewire-lib: Fix stall of process context at packet error
+    - ALSA: pcm: Don't treat NULL chmap as a fatal error
+    - ALSA: hda - Add Coffelake PCI ID
+    - ALSA: hda - Apply quirks to Broxton-T, too
+    - fs/exec.c: account for argv/envp pointers (CVE-2017-1000365)
+    - [powerpc] perf: Fix oops when kthread execs user process
+    - autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
+    - fs/dax.c: fix inefficiency in dax_writeback_mapping_range()
+    - lib/cmdline.c: fix get_options() overflow while parsing ranges
+    - [x86] perf/x86/intel: Add 1G DTLB load/store miss support for SKL
+    - perf probe: Fix probe definition for inlined functions
+    - [x86] KVM: fix singlestepping over syscall (CVE-2017-7518)
+    - [s390x] KVM gaccess: fix real-space designation asce handling for gmap
+      shadows
+    - [powerpc*] KVM: Book3S HV: Cope with host using large decrementer mode
+    - [powerpc*] KVM: Book3S HV: Preserve userspace HTM state properly
+    - [powerpc*] KVM: Book3S HV: Ignore timebase offset on POWER9 DD1
+    - [powerpc*] KVM: Book3S HV: Context-switch EBB registers properly
+    - [powerpc*] KVM: Book3S HV: Restore critical SPRs to host values on guest
+      exit
+    - [powerpc*] KVM: Book3S HV: Save/restore host values of debug registers
+    - CIFS: Improve readdir verbosity
+    - CIFS: Fix some return values in case of error in 'crypt_message'
+    - cxgb4: notify uP to route ctrlq compl to rdma rspq
+    - HID: Add quirk for Dell PIXART OEM mouse
+    - random: silence compiler warnings and fix race
+    - signal: Only reschedule timers on signals timers have sent
+    - [powerpc] kprobes: Pause function_graph tracing during jprobes handling
+    - ]powerpc*] 64s: Handle data breakpoints in Radix mode
+    - Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list
+    - brcmfmac: add parameter to pass error code in firmware callback
+    - brcmfmac: use firmware callback upon failure to load
+    - brcmfmac: unbind all devices upon failure in firmware callback
+    - time: Fix clock->read(clock) race around clocksource changes
+    - time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting
+    - [arm64] vdso: Fix nsec handling for CLOCK_MONOTONIC_RAW
+    - target: Fix kref->refcount underflow in transport_cmd_finish_abort
+    - iscsi-target: Fix delayed logout processing greater than
+      SECONDS_FOR_LOGOUT_COMP
+    - iscsi-target: Reject immediate data underflow larger than SCSI transfer
+      length
+    - drm/radeon: add a PX quirk for another K53TK variant
+    - drm/radeon: add a quirk for Toshiba Satellite L20-183
+    - [x86] drm/amdgpu/atom: fix ps allocation size for EnableDispPowerGating
+    - [x86] drm/amdgpu: adjust default display clock
+    - [x86] drm/amdgpu: add Polaris12 DID
+    - ACPI / scan: Apply default enumeration to devices with ACPI drivers
+    - ACPI / scan: Fix enumeration for special SPI and I2C devices
+    - rxrpc: Fix several cases where a padded len isn't checked in ticket
+      decode (CVE-2017-7482)
+    - drm: Fix GETCONNECTOR regression
+    - usb: gadget: f_fs: avoid out of bounds access on comp_desc
+    - spi: double time out tolerance
+    - net: phy: fix marvell phy status reading
+    - netfilter: xtables: zero padding in data_to_user
+    - netfilter: xtables: fix build failure from COMPAT_XT_ALIGN outside
+      CONFIG_COMPAT
+    - brcmfmac: fix uninitialized warning in brcmf_usb_probe_phase2()

  [ Ben Hutchings ]
  * [m68k] udeb: Use only the common module list for nic-shared-modules
@ -79,10 +143,6 @@ linux (4.11.7-1) UNRELEASED; urgency=medium
  [ Vagrant Cascadian ]
  * [arm64] Enable support for Rockchip systems (Closes: #860976).

-  [ Salvatore Bonaccorso ]
-  * rxrpc: Fix several cases where a padded len isn't checked in ticket decode
-    (CVE-2017-7482)
-
 -- Ben Hutchings <ben@decadent.org.uk>  Tue, 20 Jun 2017 19:18:44 +0100

 linux (4.11.6-1) unstable; urgency=medium
--- a/debian/patches/bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
+++ b/debian/patches/bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
@ -1,206 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-Date: Thu, 15 Jun 2017 00:12:24 +0100
-Subject: rxrpc: Fix several cases where a padded len isn't checked in ticket
- decode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/5f2f97656ada8d811d3c1bef503ced266fcd53a0
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7482
-
-This fixes CVE-2017-7482.
-
-When a kerberos 5 ticket is being decoded so that it can be loaded into an
-rxrpc-type key, there are several places in which the length of a
-variable-length field is checked to make sure that it's not going to
-overrun the available data - but the data is padded to the nearest
-four-byte boundary and the code doesn't check for this extra.  This could
-lead to the size-remaining variable wrapping and the data pointer going
-over the end of the buffer.
-
-Fix this by making the various variable-length data checks use the padded
-length.
-
-Reported-by: 石磊 <shilei-c@360.cn>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Marc Dionne <marc.c.dionne@auristor.com>
-Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
---
- net/rxrpc/key.c | 64 ++++++++++++++++++++++++++++++---------------------------
- 1 file changed, 34 insertions(+), 30 deletions(-)
-
-diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
-index 0a4e28477ad9..54369225766e 100644
--- a/net/rxrpc/key.c
-+++ b/net/rxrpc/key.c
-@@ -217,7 +217,7 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- 				       unsigned int *_toklen)
- {
- 	const __be32 *xdr = *_xdr;
-	unsigned int toklen = *_toklen, n_parts, loop, tmp;
-+	unsigned int toklen = *_toklen, n_parts, loop, tmp, paddedlen;
- 
- 	/* there must be at least one name, and at least #names+1 length
- 	 * words */
-@@ -247,16 +247,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- 		toklen -= 4;
- 		if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX)
- 			return -EINVAL;
-		if (tmp > toklen)
-+		paddedlen = (tmp + 3) & ~3;
-+		if (paddedlen > toklen)
- 			return -EINVAL;
- 		princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL);
- 		if (!princ->name_parts[loop])
- 			return -ENOMEM;
- 		memcpy(princ->name_parts[loop], xdr, tmp);
- 		princ->name_parts[loop][tmp] = 0;
-		tmp = (tmp + 3) & ~3;
-		toklen -= tmp;
-		xdr += tmp >> 2;
-+		toklen -= paddedlen;
-+		xdr += paddedlen >> 2;
- 	}
- 
- 	if (toklen < 4)
-@@ -265,16 +265,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- 	toklen -= 4;
- 	if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX)
- 		return -EINVAL;
-	if (tmp > toklen)
-+	paddedlen = (tmp + 3) & ~3;
-+	if (paddedlen > toklen)
- 		return -EINVAL;
- 	princ->realm = kmalloc(tmp + 1, GFP_KERNEL);
- 	if (!princ->realm)
- 		return -ENOMEM;
- 	memcpy(princ->realm, xdr, tmp);
- 	princ->realm[tmp] = 0;
-	tmp = (tmp + 3) & ~3;
-	toklen -= tmp;
-	xdr += tmp >> 2;
-+	toklen -= paddedlen;
-+	xdr += paddedlen >> 2;
- 
- 	_debug("%s/...@%s", princ->name_parts[0], princ->realm);
- 
-@@ -293,7 +293,7 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td,
- 					 unsigned int *_toklen)
- {
- 	const __be32 *xdr = *_xdr;
-	unsigned int toklen = *_toklen, len;
-+	unsigned int toklen = *_toklen, len, paddedlen;
- 
- 	/* there must be at least one tag and one length word */
- 	if (toklen <= 8)
-@@ -307,15 +307,17 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td,
- 	toklen -= 8;
- 	if (len > max_data_size)
- 		return -EINVAL;
-+	paddedlen = (len + 3) & ~3;
-+	if (paddedlen > toklen)
-+		return -EINVAL;
- 	td->data_len = len;
- 
- 	if (len > 0) {
- 		td->data = kmemdup(xdr, len, GFP_KERNEL);
- 		if (!td->data)
- 			return -ENOMEM;
-		len = (len + 3) & ~3;
-		toklen -= len;
-		xdr += len >> 2;
-+		toklen -= paddedlen;
-+		xdr += paddedlen >> 2;
- 	}
- 
- 	_debug("tag %x len %x", td->tag, td->data_len);
-@@ -387,7 +389,7 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- 				    const __be32 **_xdr, unsigned int *_toklen)
- {
- 	const __be32 *xdr = *_xdr;
-	unsigned int toklen = *_toklen, len;
-+	unsigned int toklen = *_toklen, len, paddedlen;
- 
- 	/* there must be at least one length word */
- 	if (toklen <= 4)
-@@ -399,6 +401,9 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- 	toklen -= 4;
- 	if (len > AFSTOKEN_K5_TIX_MAX)
- 		return -EINVAL;
-+	paddedlen = (len + 3) & ~3;
-+	if (paddedlen > toklen)
-+		return -EINVAL;
- 	*_tktlen = len;
- 
- 	_debug("ticket len %u", len);
-@@ -407,9 +412,8 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- 		*_ticket = kmemdup(xdr, len, GFP_KERNEL);
- 		if (!*_ticket)
- 			return -ENOMEM;
-		len = (len + 3) & ~3;
-		toklen -= len;
-		xdr += len >> 2;
-+		toklen -= paddedlen;
-+		xdr += paddedlen >> 2;
- 	}
- 
- 	*_xdr = xdr;
-@@ -552,7 +556,7 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
- {
- 	const __be32 *xdr = prep->data, *token;
- 	const char *cp;
-	unsigned int len, tmp, loop, ntoken, toklen, sec_ix;
-+	unsigned int len, paddedlen, loop, ntoken, toklen, sec_ix;
- 	size_t datalen = prep->datalen;
- 	int ret;
- 
-@@ -578,22 +582,21 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
- 	if (len < 1 || len > AFSTOKEN_CELL_MAX)
- 		goto not_xdr;
- 	datalen -= 4;
-	tmp = (len + 3) & ~3;
-	if (tmp > datalen)
-+	paddedlen = (len + 3) & ~3;
-+	if (paddedlen > datalen)
- 		goto not_xdr;
- 
- 	cp = (const char *) xdr;
- 	for (loop = 0; loop < len; loop++)
- 		if (!isprint(cp[loop]))
- 			goto not_xdr;
-	if (len < tmp)
-		for (; loop < tmp; loop++)
-			if (cp[loop])
-				goto not_xdr;
-+	for (; loop < paddedlen; loop++)
-+		if (cp[loop])
-+			goto not_xdr;
- 	_debug("cellname: [%u/%u] '%*.*s'",
-	       len, tmp, len, len, (const char *) xdr);
-	datalen -= tmp;
-	xdr += tmp >> 2;
-+	       len, paddedlen, len, len, (const char *) xdr);
-+	datalen -= paddedlen;
-+	xdr += paddedlen >> 2;
- 
- 	/* get the token count */
- 	if (datalen < 12)
-@@ -614,10 +617,11 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
- 		sec_ix = ntohl(*xdr);
- 		datalen -= 4;
- 		_debug("token: [%x/%zx] %x", toklen, datalen, sec_ix);
-		if (toklen < 20 || toklen > datalen)
-+		paddedlen = (toklen + 3) & ~3;
-+		if (toklen < 20 || toklen > datalen || paddedlen > datalen)
- 			goto not_xdr;
-		datalen -= (toklen + 3) & ~3;
-		xdr += (toklen + 3) >> 2;
-+		datalen -= paddedlen;
-+		xdr += paddedlen >> 2;
- 
- 	} while (--loop > 0);
- 
-- 
-2.11.0
-
--- a/debian/patches/series
+++ b/debian/patches/series
@ -145,7 +145,6 @@ bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
 bugfix/all/sunrpc-refactor-svc_set_num_threads.patch
 bugfix/all/nfsv4-fix-callback-server-shutdown.patch
 bugfix/all/nfsv4.x-callback-create-the-callback-service-through.patch
-bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch

 # Fix exported symbol versions
 bugfix/sparc/revert-sparc-move-exports-to-definitions.patch