From 2c351aeb14b2f439bc1690bc4e53682ef49dd761 Mon Sep 17 00:00:00 2001
From: Romain Perier
Date: Sun, 14 Oct 2018 18:18:16 +0200
Subject: [PATCH] Update to 4.18.12

This updates to 4.18.12, including removal of applied upstream patches. This also disables rt until 4.18.12-rt7 is integrated to this package
---
 debian/changelog | 183 +++++++++++++++++-
 debian/config/defines | 2 +-
 ...py-a-kernel-pointer-to-user-memory-i.patch | 48 -----
 ...ze-pstate.m-when-being-set-from-user.patch | 58 ------
 ...n-guest-core-register-access-from-us.patch | 99 ----------
 debian/patches/series | 3 -
 6 files changed, 183 insertions(+), 210 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
 delete mode 100644 debian/patches/bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch
 delete mode 100644 debian/patches/bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch

diff --git a/debian/changelog b/debian/changelog
index 252071719..54626cbfb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.18.11-1) UNRELEASED; urgency=medium
+linux (4.18.12-1) UNRELEASED; urgency=medium
 * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.11
@@ -82,6 +82,187 @@ linux (4.18.11-1) UNRELEASED; urgency=medium
 - sched/fair: Fix vruntime_normalized() for remote non-migration wakeup
 - [x86] vmw_balloon: include asm/io.h
 - iw_cxgb4: only allow 1 flush on user qps
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.12
+ - tsl2550: fix lux1_input error in low light
+ - vmci: type promotion bug in qp_host_get_user_memory()
+ - [x86] numa_emulation: Fix emulated-to-physical node mapping
+ - staging: rts5208: fix missing error check on call to rtsx_write_register
+ - [armhf] power: supply: axp288_charger: Fix initial
+ constant_charge_current value
+ - [sh4] serial: sh-sci: Stop RX FIFO timer during port shutdown
+ - [arm64] power: vexpress: fix corruption in notifier registration
+ - [x86] iommu/amd: make sure TLB to be flushed before IOVA freed
+ - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
+ - USB: serial: kobil_sct: fix modem-status error handling
+ - 6lowpan: iphc: reset mac_header after decompress to fix panic
+ - [s390x] mm: correct allocate_pgste proc_handler callback
+ - power: remove possible deadlock when unregistering power_supply
+ - cxgb4: Fix the condition to check if the card is T5
+ - RDMA/bnxt_re: Fix a couple off by one bugs
+ - RDMA/i40w: Hold read semaphore while looking after VMA
+ - RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c
+ - IB/core: type promotion bug in rdma_rw_init_one_mr()
+ - IB/mlx4: Test port number before querying type.
+ - vhost_net: Avoid tx vring kicks during busyloop
+ - IB/mlx5: Fix GRE flow specification
+ - include/rdma/opa_addr.h: Fix an endianness issue
+ - x86/tsc: Add missing header to tsc_msr.c
+ - ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled
+ - [x86] entry/64: Add two more instruction suffixes
+ - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
+ buffer size
+ - scsi: klist: Make it safe to use klists in atomic context
+ - [powerpc*] scsi: ibmvscsi: Improve strings handling
+ - scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion
+ - usb: wusbcore: security: cast sizeof to int for comparison
+ - ath10k: sdio: use same endpoint id for all packets in a bundle
+ - ath10k: sdio: set skb len for all rx packets
+ - [powerpc*] powerpc/powernv/ioda2: Reduce upper limit for DMA window size
+ - [x86] platform/x86: asus-wireless: Fix uninitialized symbol usage
+ - [x86] ACPI / button: increment wakeup count only when notified
+ - alarmtimer: Prevent overflow for relative nanosleep
+ - [s390x] s390/dasd: correct numa_node in dasd_alloc_queue
+ - [s390x] s390/scm_blk: correct numa_node in scm_blk_dev_setup
+ - posix-timers: Make forward callback return s64
+ - posix-timers: Sanitize overrun handling
+ - [powerpc*] ALSA: snd-aoa: add of_node_put() in error path
+ - ath10k: use locked skb_dequeue for rx completions
+ - [armhf] media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial
+ data
+ - staging: android: ashmem: Fix mmap size validation
+ - staging: mt7621-eth: Fix memory leak in mtk_add_mac() error path
+ - [powerpc*, x86, alpha, m68k, hppa] drivers/tty: add error handling for
+ pcmcia_loop_config
+ - [arm64] dts: renesas: salvator-common: Fix adv7482 decimal unit addresses
+ - [x86] media: tm6000: add error handling for dvb_register_adapter
+ - [powerpc*, mips*, arm64, x86, alpha] ALSA: hda: Add AZX_DCAPS_PM_RUNTIME
+ for AMD Raven Ridge
+ - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
+ - [armhf] drm/sun4i: Enable DW HDMI PHY clock
+ - [armhf] drm/sun4i: Fix releasing node when enumerating enpoints
+ - ath10k: transmit queued frames after processing rx packets
+ - mt76x2: fix mrr idx/count estimation in mt76x2_mac_fill_tx_status()
+ - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
+ - brcmsmac: fix wrap around in conversion from constant to s16
+ - bitfield: fix *_encode_bits()
+ - [arm64]wlcore: Add missing PM call for
+ wlcore_cmd_wait_for_event_or_timeout()
+ - [armhf] drm/omap: gem: Fix mm_list locking
+ - [armhf] mvebu: declare asm symbols as character arrays in pmsu.c
+ - RDMA/uverbs: Don't overwrite NULL pointer with ZERO_SIZE_PTR
+ - HID: hid-ntrig: add error handling for sysfs_create_group
+ - [x86] HID: i2c-hid: Use devm to allocate i2c_hid struct
+ - [arm64] dts: renesas: Fix VSPD registers range
+ - drm/v3d: Take a lock across GPU scheduler job creation and queuing.
+ - scsi: bnx2i: add error handling for ioremap_nocache
+ - [arm64] scsi: hisi_sas: Fix the conflict between dev gone and host reset
+ - [armhf] spi: orion: fix CS GPIO handling again
+ - scsi: megaraid_sas: Update controller info during resume
+ - [x86] ASoC: Intel: bytcr_rt5640: Fix Acer Iconia 8 over-current detect
+ threshold
+ - [x86] EDAC, i7core: Fix memleaks and use-after-free on probe and remove
+ - [x86, arm64, armhf] ASoC: dapm: Fix potential DAI widget pointer deref
+ when linking DAIs
+ - module: exclude SHN_UNDEF symbols from kallsyms api
+ - nfsd: fix corrupted reply to badly ordered compound
+ - [mips*, arm64, x86] EDAC: Fix memleak in module init error path
+ - ath10k: fix incorrect size of dma_free_coherent in
+ ath10k_ce_alloc_src_ring_64
+ - ath10k: snoc: use correct bus-specific pointer in RX retry
+ - fs/lock: skip lock owner pid translation in case we are in init_pid_ns
+ - ath10k: fix memory leak of tpc_stats
+ - Input: xen-kbdfront - fix multi-touch XenStore node's locations
+ - drm/vc4: Add missing formats to vc4_format_mod_supported().
+ - [armhf] ARM: dts: dra7: fix DCAN node addresses
+ - drm/vc4: plane: Expand the lower bits by repeating the higher bits
+ - floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
+ - block: fix deadline elevator drain for zoned block devices
+ - [x86] mm: Expand static page table for fixmap space
+ - [armhf] serial: imx: restore handshaking irq for imx1
+ - [arm64] serial: mvebu-uart: Fix reporting of effective CSIZE to userspace
+ - [x86] intel_th: Fix device removal logic
+ - [x86] intel_th: Fix resource handling for ACPI glue layer
+ - spi: tegra20-slink: explicitly enable/disable clock
+ - [mips*, 'arm64', x86, armhf] regulator: fix crash caused by null driver
+ data
+ - [mips*, 'arm64', x86, armhf] regulator: Fix 'do-nothing' value for
+ regulators without suspend state
+ - USB: fix error handling in usb_driver_claim_interface()
+ - USB: handle NULL config in usb_find_alt_setting()
+ - usb: core: safely deal with the dynamic quirk lists
+ - [armhf] usb: musb: dsps: do not disable CPPI41 irq in driver teardown
+ - USB: usbdevfs: sanitize flags more
+ - USB: usbdevfs: restore warning for nonsensical flags
+ - Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in
+ service_outstanding_interrupt()"
+ - USB: remove LPM management from usb_driver_claim_interface()
+ - uaccess: Fix is_source param for check_copy_size() in
+ copy_to_iter_mcsafe()
+ - filesystem-dax: Fix use of zero page
+ - Input: elantech - enable middle button of touchpad on ThinkPad P72
+ - IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
+ - IB/hfi1: Fix SL array bounds check
+ - IB/hfi1: Invalid user input can result in crash
+ - IB/hfi1: Fix context recovery when PBC has an UnsupportedVL
+ - IB/hfi1: Fix destroy_qp hang after a link down
+ - [x86] ACPI / hotplug / PCI: Don't scan for non-hotplug bridges if slot
+ is not bridge
+ - RDMA/uverbs: Atomically flush and mark closed the comp event queue
+ - [arm64] KVM: Tighten guest core register access from userspace
+ - ARM: OMAP2+: Fix null hwmod for ti-sysc debug
+ - ARM: OMAP2+: Fix module address for modules using mpu_rt_idx
+ - bus: ti-sysc: Fix module register ioremap for larger offsets
+ - qed: Wait for ready indication before rereading the shmem
+ - qed: Wait for MCP halt and resume commands to take place
+ - qed: Prevent a possible deadlock during driver load and unload
+ - qed: Avoid sending mailbox commands when MFW is not responsive
+ - thermal: of-thermal: disable passive polling when thermal zone is disabled
+ - isofs: reject hardware sector size > 2048 bytes
+ - mmc: atmel-mci: fix bad logic of sg_copy_{from,to}_buffer conversion
+ - mmc: android-goldfish: fix bad logic of sg_copy_{from,to}_buffer
+ conversion
+ - bus: ti-sysc: Fix no_console_suspend handling
+ - [armhf] dts: omap4-droid4: fix vibrations on Droid 4
+ - bpf, sockmap: fix sock_hash_alloc and reject zero-sized keys
+ - bpf, sockmap: fix sock hash count in alloc_sock_hash_elem
+ - tls: possible hang when do_tcp_sendpages hits sndbuf is full case
+ - bpf: sockmap: write_space events need to be passed to TCP handler
+ - drm/amdgpu: fix VM clearing for the root PD
+ - drm/amdgpu: fix preamble handling
+ - amdgpu: fix multi-process hang issue
+ - net/ncsi: Fixup .dumpit message flags and ID check in Netlink handler
+ - tcp_bbr: add bbr_check_probe_rtt_done() helper
+ - tcp_bbr: in restart from idle, see if we should exit PROBE_RTT
+ - net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES
+ - net: hns: fix skb->truesize underestimation
+ - tools: bpftool: return from do_event_pipe() on bad arguments
+ - e1000: check on netif_running() before calling e1000_up()
+ - e1000: ensure to free old tx/rx rings in set_ringparam()
+ - ixgbe: fix driver behaviour after issuing VFLR
+ - i40e: Fix for Tx timeouts when interface is brought up if DCB is enabled
+ - i40e: fix condition of WARN_ONCE for stat strings
+ - [arm64] crypto: cavium/nitrox - fix for command corruption in queue full
+ case with backlog submissions.
+ - hwmon: (ina2xx) fix sysfs shunt resistor read access
+ - hwmon: (adt7475) Make adt7475_read_word() return errors
+ - Revert "ARM: dts: imx7d: Invert legacy PCI irq mapping"
+ - drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode
+ - drm/amdgpu: Update power state at the end of smu hw_init.
+ - ata: ftide010: Add a quirk for SQ201
+ - nvme-fcloop: Fix dropped LS's to removed target port
+ - [armhf] dts: omap4-droid4: Fix emmc errors seen on some devices
+ - drm/amdgpu: Need to set moved to true when evict bo
+ - [arm64, armhf] smccc-1.1: Make return values unsigned long
+ - [arm64, armhf] smccc-1.1: Handle function result as parameters
+ - i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
+ - clk: x86: Set default parent to 48Mhz
+ - [x86] pti: Fix section mismatch warning/error
+ - [powerpc*] KVM: PPC: Book3S HV: Fix guest r11 corruption with POWER9 TM
+ workarounds
+ - [powerpc*] fix csum_ipv6_magic() on little endian platforms
+ - [powerpc*] pkeys: Fix reading of ibm, processor-storage-keys property
+ - [powerpc*] pseries: Fix unitialized timer reset on migration
+ - [arm64] KVM: Sanitize PSTATE.M when being set from userspace
 [ Ben Hutchings ]
 * linux-perf: Fix BPF feature detection
diff --git a/debian/config/defines b/debian/config/defines
index 213b38705..65d428e93 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -122,7 +122,7 @@ debug-info: true
 signed-code: false
 [featureset-rt_base]
-enabled: true
+enabled: false
 [description]
 part-long-up: This kernel is not suitable for SMP (multi-processor,
diff --git a/debian/patches/bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch b/debian/patches/bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
deleted file mode 100644
index c592afd4d..000000000
--- a/debian/patches/bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
+++ /dev/null
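Review bot: The `[featureset-rt_base]` flip to `enabled: false` in debian/config/defines has no corresponding entry in the changelog hunk, so anyone reading debian/changelog for 4.18.12-1 will not learn that the rt featureset (and its kernel flavours) is disabled or why; only the commit message says "until 4.18.12-rt7 is integrated". Add a line under the same release, something like `* [rt] Disable the rt featureset until 4.18.12-rt7 is available`, so the change is visible where users and the security team look. Relatedly, the three patch files deleted by this commit carried Bug-Debian-Security references to CVE-2018-7755 and CVE-2018-18021, but the changelog entries that now cover those fixes (the floppy FDGETPRM entry and the two `[arm64] KVM:` entries) do not mention the CVE ids; appending `(CVE-2018-7755)` and `(CVE-2018-18021)` to those entries keeps the security tracker able to match the fixed version.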
@@ -1,48 +0,0 @@
-From: Andy Whitcroft
-Date: Thu, 20 Sep 2018 09:09:48 -0600
-Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
-Origin: https://git.kernel.org/linus/65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7755
-
-The final field of a floppy_struct is the field "name", which is a pointer
-to a string in kernel memory. The kernel pointer should not be copied to
-user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
-including this "name" field. This pointer cannot be used by the user
-and it will leak a kernel address to user-space, which will reveal the
-location of kernel code and data and undermine KASLR protection.
-
-Model this code after the compat ioctl which copies the returned data
-to a previously cleared temporary structure on the stack (excluding the
-name pointer) and copy out to userspace from there. As we already have
-an inparam union with an appropriate member and that memory is already
-cleared even for read only calls make use of that as a temporary store.
-
-Based on an initial patch by Brian Belleville.
-
-CVE-2018-7755
-Signed-off-by: Andy Whitcroft
-
-Broke up long line.
-
-Signed-off-by: Jens Axboe
---
- drivers/block/floppy.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
-index 48f622728ce6..f2b6f4da1034 100644
---- a/drivers/block/floppy.c
-+++ b/drivers/block/floppy.c
-@@ -3467,6 +3467,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
- (struct floppy_struct **)&outparam);
- if (ret)
- return ret;
-+ memcpy(&inparam.g, outparam,
-+ offsetof(struct floppy_struct, name));
-+ outparam = &inparam.g;
- break;
- case FDMSGON:
- UDP->flags |= FTD_MSG;
---
-2.11.0
-
diff --git a/debian/patches/bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch b/debian/patches/bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch
deleted file mode 100644
index b7c81d02c..000000000
--- a/debian/patches/bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Marc Zyngier
-Date: Thu, 27 Sep 2018 16:53:22 +0100
-Subject: arm64: KVM: Sanitize PSTATE.M when being set from userspace
-Origin: https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18021
-
-Not all execution modes are valid for a guest, and some of them
-depend on what the HW actually supports. Let's verify that what
-userspace provides is compatible with both the VM settings and
-the HW capabilities.
-
-Cc:
-Fixes: 0d854a60b1d7 ("arm64: KVM: enable initialization of a 32bit vcpu")
-Reviewed-by: Christoffer Dall
-Reviewed-by: Mark Rutland
-Reviewed-by: Dave Martin
-Signed-off-by: Marc Zyngier
-Signed-off-by: Will Deacon
-[carnil: Backport for 4.18: Cherrypick directly commit from 4.18.12 /
-926415e1e4c9]
---
- arch/arm64/kvm/guest.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
-index 4a177629862b..d5c6bb1562d8 100644
---- a/arch/arm64/kvm/guest.c
-+++ b/arch/arm64/kvm/guest.c
-@@ -152,17 +152,25 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
- }
-
- if (off == KVM_REG_ARM_CORE_REG(regs.pstate)) {
-- u32 mode = (*(u32 *)valp) & COMPAT_PSR_MODE_MASK;
-+ u64 mode = (*(u64 *)valp) & COMPAT_PSR_MODE_MASK;
- switch (mode) {
- case COMPAT_PSR_MODE_USR:
-+ if (!system_supports_32bit_el0())
-+ return -EINVAL;
-+ break;
- case COMPAT_PSR_MODE_FIQ:
- case COMPAT_PSR_MODE_IRQ:
- case COMPAT_PSR_MODE_SVC:
- case COMPAT_PSR_MODE_ABT:
- case COMPAT_PSR_MODE_UND:
-+ if (!vcpu_el1_is_32bit(vcpu))
-+ return -EINVAL;
-+ break;
- case PSR_MODE_EL0t:
- case PSR_MODE_EL1t:
- case PSR_MODE_EL1h:
-+ if (vcpu_el1_is_32bit(vcpu))
-+ return -EINVAL;
- break;
- default:
- err = -EINVAL;
---
-2.11.0
-
diff --git a/debian/patches/bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch b/debian/patches/bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch
deleted file mode 100644
index df5b5a548..000000000
--- a/debian/patches/bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From: Dave Martin
-Date: Thu, 27 Sep 2018 16:53:21 +0100
-Subject: arm64: KVM: Tighten guest core register access from userspace
-Origin: https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18021
-
-We currently allow userspace to access the core register file
-in about any possible way, including straddling multiple
-registers and doing unaligned accesses.
-
-This is not the expected use of the ABI, and nobody is actually
-using it that way. Let's tighten it by explicitly checking
-the size and alignment for each field of the register file.
-
-Cc:
-Fixes: 2f4a07c5f9fe ("arm64: KVM: guest one-reg interface")
-Reviewed-by: Christoffer Dall
-Reviewed-by: Mark Rutland
-Signed-off-by: Dave Martin
-[maz: rewrote Dave's initial patch to be more easily backported]
-Signed-off-by: Marc Zyngier
-Signed-off-by: Will Deacon
---
- arch/arm64/kvm/guest.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 45 insertions(+)
-
-diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
-index 07256b08226c..3088463bafc1 100644
---- a/arch/arm64/kvm/guest.c
-+++ b/arch/arm64/kvm/guest.c
-@@ -57,6 +57,45 @@ static u64 core_reg_offset_from_id(u64 id)
- return id & ~(KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_ARM_CORE);
- }
-
-+static int validate_core_offset(const struct kvm_one_reg *reg)
-+{
-+ u64 off = core_reg_offset_from_id(reg->id);
-+ int size;
-+
-+ switch (off) {
-+ case KVM_REG_ARM_CORE_REG(regs.regs[0]) ...
-+ KVM_REG_ARM_CORE_REG(regs.regs[30]):
-+ case KVM_REG_ARM_CORE_REG(regs.sp):
-+ case KVM_REG_ARM_CORE_REG(regs.pc):
-+ case KVM_REG_ARM_CORE_REG(regs.pstate):
-+ case KVM_REG_ARM_CORE_REG(sp_el1):
-+ case KVM_REG_ARM_CORE_REG(elr_el1):
-+ case KVM_REG_ARM_CORE_REG(spsr[0]) ...
-+ KVM_REG_ARM_CORE_REG(spsr[KVM_NR_SPSR - 1]):
-+ size = sizeof(__u64);
-+ break;
-+
-+ case KVM_REG_ARM_CORE_REG(fp_regs.vregs[0]) ...
-+ KVM_REG_ARM_CORE_REG(fp_regs.vregs[31]):
-+ size = sizeof(__uint128_t);
-+ break;
-+
-+ case KVM_REG_ARM_CORE_REG(fp_regs.fpsr):
-+ case KVM_REG_ARM_CORE_REG(fp_regs.fpcr):
-+ size = sizeof(__u32);
-+ break;
-+
-+ default:
-+ return -EINVAL;
-+ }
-+
-+ if (KVM_REG_SIZE(reg->id) == size &&
-+ IS_ALIGNED(off, size / sizeof(__u32)))
-+ return 0;
-+
-+ return -EINVAL;
-+}
-+
- static int get_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
- {
- /*
-@@ -76,6 +115,9 @@ static int get_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
- (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs)
- return -ENOENT;
-
-+ if (validate_core_offset(reg))
-+ return -EINVAL;
-+
- if (copy_to_user(uaddr, ((u32 *)regs) + off, KVM_REG_SIZE(reg->id)))
- return -EFAULT;
-
-@@ -98,6 +140,9 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
- (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs)
- return -ENOENT;
-
-+ if (validate_core_offset(reg))
-+ return -EINVAL;
-+
- if (KVM_REG_SIZE(reg->id) > sizeof(tmp))
- return -EINVAL;
-
---
-2.11.0
-
diff --git a/debian/patches/series b/debian/patches/series
index b91a2cb35..b0a523905 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -142,9 +142,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
-bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
-bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch
-bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch
 bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
 # Fix exported symbol versions