diff --git a/debian/changelog b/debian/changelog
index 49b1642c8..30ce29053 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.11.7-1) UNRELEASED; urgency=medium
+linux (4.11.8-1) UNRELEASED; urgency=medium
 * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.7
@@ -63,6 +63,70 @@ linux (4.11.7-1) UNRELEASED; urgency=medium
 - mm: larger stack guard gap, between vmas
 - Allow stack to grow up to address space limit
 - mm: fix new crash in unmapped_area_topdown()
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.8
+ - [armhf] clk: sunxi-ng: a31: Correct lcd1-ch1 clock register offset
+ - [armhf] clk: sunxi-ng: v3s: Fix usb otg device reset bit
+ - [armhf] clk: sunxi-ng: sun5i: Fix ahb_bist_clk definition
+ - xen/blkback: fix disconnect while I/Os in flight
+ - xen-blkback: don't leak stack data via response ring (XSA-216)
+ - ALSA: firewire-lib: Fix stall of process context at packet error
+ - ALSA: pcm: Don't treat NULL chmap as a fatal error
+ - ALSA: hda - Add Coffelake PCI ID
+ - ALSA: hda - Apply quirks to Broxton-T, too
+ - fs/exec.c: account for argv/envp pointers (CVE-2017-1000365)
+ - [powerpc] perf: Fix oops when kthread execs user process
+ - autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
+ - fs/dax.c: fix inefficiency in dax_writeback_mapping_range()
+ - lib/cmdline.c: fix get_options() overflow while parsing ranges
+ - [x86] perf/x86/intel: Add 1G DTLB load/store miss support for SKL
+ - perf probe: Fix probe definition for inlined functions
+ - [x86] KVM: fix singlestepping over syscall (CVE-2017-7518)
+ - [s390x] KVM gaccess: fix real-space designation asce handling for gmap
+ shadows
+ - [powerpc*] KVM: Book3S HV: Cope with host using large decrementer mode
+ - [powerpc*] KVM: Book3S HV: Preserve userspace HTM state properly
+ - [powerpc*] KVM: Book3S HV: Ignore timebase offset on POWER9 DD1
+ - [powerpc*] KVM: Book3S HV: Context-switch EBB registers properly
+ - [powerpc*] KVM: Book3S HV: Restore critical SPRs to host values on guest
+ exit
+ - [powerpc*] KVM: Book3S HV: Save/restore host values of debug registers
+ - CIFS: Improve readdir verbosity
+ - CIFS: Fix some return values in case of error in 'crypt_message'
+ - cxgb4: notify uP to route ctrlq compl to rdma rspq
+ - HID: Add quirk for Dell PIXART OEM mouse
+ - random: silence compiler warnings and fix race
+ - signal: Only reschedule timers on signals timers have sent
+ - [powerpc] kprobes: Pause function_graph tracing during jprobes handling
+ - ]powerpc*] 64s: Handle data breakpoints in Radix mode
+ - Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list
+ - brcmfmac: add parameter to pass error code in firmware callback
+ - brcmfmac: use firmware callback upon failure to load
+ - brcmfmac: unbind all devices upon failure in firmware callback
+ - time: Fix clock->read(clock) race around clocksource changes
+ - time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting
+ - [arm64] vdso: Fix nsec handling for CLOCK_MONOTONIC_RAW
+ - target: Fix kref->refcount underflow in transport_cmd_finish_abort
+ - iscsi-target: Fix delayed logout processing greater than
+ SECONDS_FOR_LOGOUT_COMP
+ - iscsi-target: Reject immediate data underflow larger than SCSI transfer
+ length
+ - drm/radeon: add a PX quirk for another K53TK variant
+ - drm/radeon: add a quirk for Toshiba Satellite L20-183
+ - [x86] drm/amdgpu/atom: fix ps allocation size for EnableDispPowerGating
+ - [x86] drm/amdgpu: adjust default display clock
+ - [x86] drm/amdgpu: add Polaris12 DID
+ - ACPI / scan: Apply default enumeration to devices with ACPI drivers
+ - ACPI / scan: Fix enumeration for special SPI and I2C devices
+ - rxrpc: Fix several cases where a padded len isn't checked in ticket
+ decode (CVE-2017-7482)
+ - drm: Fix GETCONNECTOR regression
+ - usb: gadget: f_fs: avoid out of bounds access on comp_desc
+ - spi: double time out tolerance
+ - net: phy: fix marvell phy status reading
+ - netfilter: xtables: zero padding in data_to_user
+ - netfilter: xtables: fix build failure from COMPAT_XT_ALIGN outside
+ CONFIG_COMPAT
+ - brcmfmac: fix uninitialized warning in brcmf_usb_probe_phase2()
 [ Ben Hutchings ]
 * [m68k] udeb: Use only the common module list for nic-shared-modules
@@ -79,10 +143,6 @@ linux (4.11.7-1) UNRELEASED; urgency=medium
 [ Vagrant Cascadian ]
 * [arm64] Enable support for Rockchip systems (Closes: #860976).
- [ Salvatore Bonaccorso ]
- * rxrpc: Fix several cases where a padded len isn't checked in ticket decode
- (CVE-2017-7482)
-
 -- Ben Hutchings Tue, 20 Jun 2017 19:18:44 +0100
 linux (4.11.6-1) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch b/debian/patches/bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
deleted file mode 100644
index 06f79be4d..000000000
--- a/debian/patches/bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-From: David Howells
-Date: Thu, 15 Jun 2017 00:12:24 +0100
-Subject: rxrpc: Fix several cases where a padded len isn't checked in ticket
- decode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/5f2f97656ada8d811d3c1bef503ced266fcd53a0
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7482
-
-This fixes CVE-2017-7482.
-
-When a kerberos 5 ticket is being decoded so that it can be loaded into an
-rxrpc-type key, there are several places in which the length of a
-variable-length field is checked to make sure that it's not going to
-overrun the available data - but the data is padded to the nearest
-four-byte boundary and the code doesn't check for this extra. This could
-lead to the size-remaining variable wrapping and the data pointer going
-over the end of the buffer.
-
-Fix this by making the various variable-length data checks use the padded
-length.
-
-Reported-by: 石磊
-Signed-off-by: David Howells
-Reviewed-by: Marc Dionne
-Reviewed-by: Dan Carpenter
-Signed-off-by: David S. Miller
----
- net/rxrpc/key.c | 64 ++++++++++++++++++++++++++++++---------------------------
- 1 file changed, 34 insertions(+), 30 deletions(-)
-
-diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
-index 0a4e28477ad9..54369225766e 100644
---- a/net/rxrpc/key.c
-+++ b/net/rxrpc/key.c
-@@ -217,7 +217,7 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- unsigned int *_toklen)
- {
- const __be32 *xdr = *_xdr;
-- unsigned int toklen = *_toklen, n_parts, loop, tmp;
-+ unsigned int toklen = *_toklen, n_parts, loop, tmp, paddedlen;
-
- /* there must be at least one name, and at least #names+1 length
- * words */
-@@ -247,16 +247,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- toklen -= 4;
- if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX)
- return -EINVAL;
-- if (tmp > toklen)
-+ paddedlen = (tmp + 3) & ~3;
-+ if (paddedlen > toklen)
- return -EINVAL;
- princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL);
- if (!princ->name_parts[loop])
- return -ENOMEM;
- memcpy(princ->name_parts[loop], xdr, tmp);
- princ->name_parts[loop][tmp] = 0;
-- tmp = (tmp + 3) & ~3;
-- toklen -= tmp;
-- xdr += tmp >> 2;
-+ toklen -= paddedlen;
-+ xdr += paddedlen >> 2;
- }
-
- if (toklen < 4)
-@@ -265,16 +265,16 @@ static int rxrpc_krb5_decode_principal(struct krb5_principal *princ,
- toklen -= 4;
- if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX)
- return -EINVAL;
-- if (tmp > toklen)
-+ paddedlen = (tmp + 3) & ~3;
-+ if (paddedlen > toklen)
- return -EINVAL;
- princ->realm = kmalloc(tmp + 1, GFP_KERNEL);
- if (!princ->realm)
- return -ENOMEM;
- memcpy(princ->realm, xdr, tmp);
- princ->realm[tmp] = 0;
-- tmp = (tmp + 3) & ~3;
-- toklen -= tmp;
-- xdr += tmp >> 2;
-+ toklen -= paddedlen;
-+ xdr += paddedlen >> 2;
-
- _debug("%s/...@%s", princ->name_parts[0], princ->realm);
-
-@@ -293,7 +293,7 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td,
- unsigned int *_toklen)
- {
- const __be32 *xdr = *_xdr;
-- unsigned int toklen = *_toklen, len;
-+ unsigned int toklen = *_toklen, len, paddedlen;
-
- /* there must be at least one tag and one length word */
- if (toklen <= 8)
-@@ -307,15 +307,17 @@ static int rxrpc_krb5_decode_tagged_data(struct krb5_tagged_data *td,
- toklen -= 8;
- if (len > max_data_size)
- return -EINVAL;
-+ paddedlen = (len + 3) & ~3;
-+ if (paddedlen > toklen)
-+ return -EINVAL;
- td->data_len = len;
-
- if (len > 0) {
- td->data = kmemdup(xdr, len, GFP_KERNEL);
- if (!td->data)
- return -ENOMEM;
-- len = (len + 3) & ~3;
-- toklen -= len;
-- xdr += len >> 2;
-+ toklen -= paddedlen;
-+ xdr += paddedlen >> 2;
- }
-
- _debug("tag %x len %x", td->tag, td->data_len);
-@@ -387,7 +389,7 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- const __be32 **_xdr, unsigned int *_toklen)
- {
- const __be32 *xdr = *_xdr;
-- unsigned int toklen = *_toklen, len;
-+ unsigned int toklen = *_toklen, len, paddedlen;
-
- /* there must be at least one length word */
- if (toklen <= 4)
-@@ -399,6 +401,9 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- toklen -= 4;
- if (len > AFSTOKEN_K5_TIX_MAX)
- return -EINVAL;
-+ paddedlen = (len + 3) & ~3;
-+ if (paddedlen > toklen)
-+ return -EINVAL;
- *_tktlen = len;
-
- _debug("ticket len %u", len);
-@@ -407,9 +412,8 @@ static int rxrpc_krb5_decode_ticket(u8 **_ticket, u16 *_tktlen,
- *_ticket = kmemdup(xdr, len, GFP_KERNEL);
- if (!*_ticket)
- return -ENOMEM;
-- len = (len + 3) & ~3;
-- toklen -= len;
-- xdr += len >> 2;
-+ toklen -= paddedlen;
-+ xdr += paddedlen >> 2;
- }
-
- *_xdr = xdr;
-@@ -552,7 +556,7 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
- {
- const __be32 *xdr = prep->data, *token;
- const char *cp;
-- unsigned int len, tmp, loop, ntoken, toklen, sec_ix;
-+ unsigned int len, paddedlen, loop, ntoken, toklen, sec_ix;
- size_t datalen = prep->datalen;
- int ret;
-
-@@ -578,22 +582,21 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
- if (len < 1 || len > AFSTOKEN_CELL_MAX)
- goto not_xdr;
- datalen -= 4;
-- tmp = (len + 3) & ~3;
-- if (tmp > datalen)
-+ paddedlen = (len + 3) & ~3;
-+ if (paddedlen > datalen)
- goto not_xdr;
-
- cp = (const char *) xdr;
- for (loop = 0; loop < len; loop++)
- if (!isprint(cp[loop]))
- goto not_xdr;
-- if (len < tmp)
-- for (; loop < tmp; loop++)
-- if (cp[loop])
-- goto not_xdr;
-+ for (; loop < paddedlen; loop++)
-+ if (cp[loop])
-+ goto not_xdr;
- _debug("cellname: [%u/%u] '%*.*s'",
-- len, tmp, len, len, (const char *) xdr);
-- datalen -= tmp;
-- xdr += tmp >> 2;
-+ len, paddedlen, len, len, (const char *) xdr);
-+ datalen -= paddedlen;
-+ xdr += paddedlen >> 2;
-
- /* get the token count */
- if (datalen < 12)
-@@ -614,10 +617,11 @@ static int rxrpc_preparse_xdr(struct key_preparsed_payload *prep)
- sec_ix = ntohl(*xdr);
- datalen -= 4;
- _debug("token: [%x/%zx] %x", toklen, datalen, sec_ix);
-- if (toklen < 20 || toklen > datalen)
-+ paddedlen = (toklen + 3) & ~3;
-+ if (toklen < 20 || toklen > datalen || paddedlen > datalen)
- goto not_xdr;
-- datalen -= (toklen + 3) & ~3;
-- xdr += (toklen + 3) >> 2;
-+ datalen -= paddedlen;
-+ xdr += paddedlen >> 2;
-
- } while (--loop > 0);
-
---
-2.11.0
-
diff --git a/debian/patches/series b/debian/patches/series
index 61a6e037b..8fa57a5a7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -145,7 +145,6 @@ bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
 bugfix/all/sunrpc-refactor-svc_set_num_threads.patch
 bugfix/all/nfsv4-fix-callback-server-shutdown.patch
 bugfix/all/nfsv4.x-callback-create-the-callback-service-through.patch
-bugfix/all/rxrpc-Fix-several-cases-where-a-padded-len-isn-t-che.patch
 # Fix exported symbol versions
 bugfix/sparc/revert-sparc-move-exports-to-definitions.patch