Update to 4.9.22

Drop patches applied upstream.
Ben Hutchings 2017-04-16 21:46:39 +01:00
parent 326a2052e2
commit 31945f628c
10 changed files with 224 additions and 509 deletions

debian/changelog vendored

@ -1,4 +1,226 @@
linux (4.9.18-2) UNRELEASED; urgency=medium
linux (4.9.22-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.19
- net/openvswitch: Set the ipv6 source tunnel key address attribute
correctly
- net: properly release sk_frag.page
- [arm64] amd-xgbe: Fix jumbo MTU processing on newer hardware
- openvswitch: Add missing case OVS_TUNNEL_KEY_ATTR_PAD
- net: unix: properly re-increment inflight counter of GC discarded
candidates
- net: vrf: Reset rt6i_idev in local dst after put
- net/mlx5: Add missing entries for set/query rate limit commands
- net/mlx5e: Use the proper UAPI values when offloading TC vlan actions
- net/mlx5: Increase number of max QPs in default profile
- net/mlx5e: Count GSO/LRO packets correctly
- ipv6: make sure to initialize sockc.tsflags before first use
- ipv4: provide stronger user input validation in nl_fib_input()
- socket, bpf: fix sk_filter use after free in sk_clone_lock
- tcp: initialize icsk_ack.lrcvtime at session start time
- Input: iforce,ims-pcu,hanwang,yealink,cm109,kbtab,sur40 - validate
number of endpoints before using them
- ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
- ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
- ALSA: hda - Adding a group of pin definition to fix headset problem
- ACM gadget: fix endianness in notifications
- usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's
wBytesPerInterval
- USB: uss720,idmouse,wusbcore: fix NULL-deref at probe
- usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer
- usb: hub: Fix crash after failure to read BOS descriptor
- USB: usbtmc: add missing endpoint sanity check
- USB: usbtmc: fix probe error path
- uwb: i1480-dfu: fix NULL-deref at probe
- mmc: ushc: fix NULL-deref at probe
- [armhf[ iio: adc: ti_am335x_adc: fix fifo overrun recovery
- iio: sw-device: Fix config group initialization
- iio: hid-sensor-trigger: Change get poll value function order to avoid
sensor properties losing after resume from S3
- parport: fix attempt to write duplicate procfiles
- ext4: mark inode dirty after converting inline directory
- ext4: lock the xattr block before checksuming it
- [powerpc*/*64*] Fix idle wakeup potential to clobber registers
- mmc: sdhci: Do not disable interrupts while waiting for clock
- mmc: sdhci-pci: Do not disable interrupts in sdhci_intel_set_power
- [x86] hwrng: amd - Revert managed API changes
- [x86] hwrng: geode - Revert managed API changes
- [armhf] clk: sunxi-ng: sun6i: Fix enable bit offset for hdmi-ddc module
clock
- [armhf] clk: sunxi-ng: mp: Adjust parent rate for pre-dividers
- mwifiex: pcie: don't leak DMA buffers when removing
- [x86] crypto: ccp - Assign DMA commands to the channel's CCP
- xen/acpi: upload PM state from init-domain to Xen
- [x86] iommu/vt-d: Fix NULL pointer dereference in device_to_iommu
- [arm64] kaslr: Fix up the kernel image alignment
- cpufreq: Restore policy min/max limits on CPU online
- cgroup, net_cls: iterate the fds of only the tasks which are being
migrated
- blk-mq: don't complete un-started request in timeout handler
- [x86] drm/amdgpu: reinstate oland workaround for sclk
- jbd2: don't leak memory if setting up journal fails
- [x86] intel_th: Don't leak module refcount on failure to activate
- [x86] Drivers: hv: vmbus: Don't leak channel ids
- [x86] Drivers: hv: vmbus: Don't leak memory when a channel is rescinded
- libceph: don't set weight to IN when OSD is destroyed
- [x86] device-dax: fix pmd/pte fault fallback handling
- [armhf] drm/bridge: analogix dp: Fix runtime PM state on driver bind
- nl80211: fix dumpit error path RTNL deadlocks
- drm: reference count event->completion
- fbcon: Fix vc attr at deinit
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.20
- xfrm: policy: init locks early
- [x86] KVM: cleanup the page tracking SRCU instance
- virtio_balloon: init 1st buffer in stats vq
- [mips*] ptrace: Preserve previous registers for short regset write
- [sparc64] ptrace: Preserve previous registers for short regset write
- fscrypt: remove broken support for detecting keyring key revocation
(CVE-2017-7374)
- sched/rt: Add a missing rescheduling point
- [armhf] usb: musb: fix possible spinlock deadlock
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.21
- libceph: force GFP_NOIO for socket allocations
- xen/setup: Don't relocate p2m over existing one
- xfs: only update mount/resv fields on success in __xfs_ag_resv_init
- xfs: use per-AG reservations for the finobt
- xfs: pull up iolock from xfs_free_eofblocks()
- xfs: sync eofblocks scans under iolock are livelock prone
- xfs: fix eofblocks race with file extending async dio writes
- xfs: fix toctou race when locking an inode to access the data map
- xfs: fail _dir_open when readahead fails
- xfs: filter out obviously bad btree pointers
- xfs: check for obviously bad level values in the bmbt root
- xfs: verify free block header fields
- xfs: allow unwritten extents in the CoW fork
- xfs: mark speculative prealloc CoW fork extents unwritten
- xfs: reset b_first_retry_time when clear the retry status of xfs_buf_t
- xfs: update ctime and mtime on clone destinatation inodes
- xfs: reject all unaligned direct writes to reflinked files
- xfs: don't fail xfs_extent_busy allocation
- xfs: handle indlen shortage on delalloc extent merge
- xfs: split indlen reservations fairly when under reserved
- xfs: fix uninitialized variable in _reflink_convert_cow
- xfs: don't reserve blocks for right shift transactions
- xfs: Use xfs_icluster_size_fsb() to calculate inode chunk alignment
- xfs: tune down agno asserts in the bmap code
- xfs: only reclaim unwritten COW extents periodically
- xfs: fix and streamline error handling in xfs_end_io
- xfs: Use xfs_icluster_size_fsb() to calculate inode alignment mask
- xfs: use iomap new flag for newly allocated delalloc blocks
- xfs: try any AG when allocating the first btree block when reflinking
- scsi: libsas: fix ata xfer length
- scsi: scsi_dh_alua: Check scsi_device_get() return value
- scsi: scsi_dh_alua: Ensure that alua_activate() calls the completion
function
- ALSA: seq: Fix race during FIFO resize
- ALSA: hda - fix a problem for lineout on a Dell AIO machine
- [x86] ASoC: Intel: Skylake: fix invalid memory access due to wrong
reference of pointer
- HID: wacom: Don't add ghost interface as shared data
- mmc: sdhci: Disable runtime pm when the sdio_irq is enabled
- NFSv4.1 fix infinite loop on IO BAD_STATEID error
- nfsd: map the ENOKEY to nfserr_perm for avoiding warning
- [hppa] Clean up fixup routines for get_user()/put_user()
- [hppa] Avoid stalled CPU warnings after system shutdown
- [hppa] Fix access fault handling in pa_memcpy()
- ACPI: Fix incompatibility with mcount-based function graph tracing
- ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
- USB: fix linked-list corruption in rh_call_control()
- [x86] KVM: clear bus pointer when destroyed
- KVM: kvm_io_bus_unregister_dev() should never fail
- drm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags
- [armhf,arm64] drm/vc4: Allocate the right amount of space for boot-time
CRTC state.
- [armhf] drm/etnaviv: (re-)protect fence allocation with GPU mutex
- [x86] mm/KASLR: Exclude EFI region from KASLR VA space randomization
- [x86] mce: Fix copy/paste error in exception table entries
- lib/syscall: Clear return values when no stack
- mm: rmap: fix huge file mmap accounting in the memcg stats
- mm, hugetlb: use pte_present() instead of pmd_present() in
follow_huge_pmd()
- qla2xxx: Allow vref count to timeout on vport delete.
- mm: workingset: fix premature shadow node shrinking with cgroups
- blk: improve order of bio handling in generic_make_request()
- blk: Ensure users for current->bio_list can see the full list.
- padata: avoid race in reordering
- nvme/core: Fix race kicking freed request_queue
- nvme/pci: Disable on removal when disconnected
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.22
- ppdev: check before attaching port
- ppdev: fix registering same device name
- [x86] drm/vmwgfx: Type-check lookups of fence objects
- [x86] drm/vmwgfx: avoid calling vzalloc with a 0 size in
vmw_get_cap_3d_ioctl()
- drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
- [x86] drm/vmwgfx: Remove getparam error message
- sysfs: be careful of error returns from ops->show()
- [armhf,arm64] KVM: Take mmap_sem in stage2_unmap_vm
- [armhf,arm64] KVM: Take mmap_sem in kvm_arch_prepare_memory_region
- [armhf,arm64] kvm: Fix locking for kvm_free_stage2_pgd
- [x86] iio: bmg160: reset chip when probing
- [arm64] mm: unaligned access by user-land should be received as SIGBUS
- cfg80211: check rdev resume callback only for registered wiphy
- CIFS: Reset TreeId to zero on SMB2 TREE_CONNECT
- mm/page_alloc.c: fix print order in show_free_areas()
- ptrace: fix PTRACE_LISTEN race corrupting task->state
- dm verity fec: limit error correction recursion
- dm verity fec: fix bufio leaks
- ACPI / gpio: do not fall back to parsing _CRS when we get a deferral
- xfs: Honor FALLOC_FL_KEEP_SIZE when punching ends of files
- ring-buffer: Fix return value check in test_ringbuffer()
- mac80211: unconditionally start new netdev queues with iTXQ support
- brcmfmac: use local iftype avoiding use-after-free of virtual interface
- [powerpc*] Disable HFSCR[TM] if TM is not supported
- [powerpc*] mm: Add missing global TLB invalidate if cxl is active
- [powerpc*/*64*]: Fix flush_(d|i)cache_range() called from modules
- [powerpc*] Don't try to fix up misaligned load-with-reservation
instructions
- [powerpc*] crypto/crc32c-vpmsum: Fix missing preempt_disable()
- dm raid: fix NULL pointer dereference for raid1 without bitmap
- [s390x] decompressor: fix initrd corruption caused by bss clear
- [s390x] uaccess: get_user() should zero on failure (again)
- [mips*el/loongson-3] Check TLB before handle_ri_rdhwr() for Loongson-3
- [mips*el/loongson-3] Add MIPS_CPU_FTLB for Loongson-3A R2
- [mips*el/loongson-3] Flush wrong invalid FTLB entry for huge page
- [mips*el/loongson-3] c-r4k: Fix Loongson-3's vcache/scache waysize
calculation
- mm/mempolicy.c: fix error handling in set_mempolicy and mbind
(CVE-2017-7616)
- random: use chacha20 for get_random_int/long
- [armhf] drm/sun4i: tcon: Move SoC specific quirks to a DT matched data
structure
- [armhf] drm/sun4i: Add compatible strings for A31/A31s display pipelines
- [armhf] drm/sun4i: Add compatible string for A31/A31s TCON (timing
controller)
- HID: i2c-hid: add a simple quirk to fix device defects
- usb: dwc3: gadget: delay unmap of bounced requests
- [x86] ASoC: Intel: bytct_rt5640: change default capture settings
- [armhf,arm64] clocksource/drivers/arm_arch_timer: Don't assume clock runs
in suspend
- scsi: ufs: introduce UFSHCD_QUIRK_PRDT_BYTE_GRAN quirk
- HID: multitouch: do not retrieve all reports for all devices
- [arm64] mmc: sdhci-msm: Enable few quirks
- scsi: ufs: ensure that host pa_tactivate is higher than device
- svcauth_gss: Close connection when dropping an incoming message
- scsi: ufs: add quirk to increase host PA_SaveConfigTime
- [x86] platform: acer-wmi: Only supports AMW0_GUID1 on acer family
- nvme: simplify stripe quirk
- ACPI / sysfs: Provide quirk mechanism to prevent GPE flooding
- HID: usbhid: Add quirk for the Futaba TOSD-5711BB VFD
- [x86] drm/i915: actually drive the BDW reserved IDs
- scsi: ufs: issue link starup 2 times if device isn't active
- [armhf] serial: 8250_omap: Add OMAP_DMA_TX_KICK quirk for AM437x
- ACPI / button: Change default behavior to lid_init_state=open
- [x86] ACPI: save NVS memory for Lenovo G50-45
- HID: wacom: don't apply generic settings to old devices
- [arm64] firmware: qcom: scm: Fix interrupted SCM calls
- [armhf] watchdog: s3c2410: Fix infinite interrupt in soft mode
- [x86] platform: asus-wmi: Set specified XUSB2PR value for X550LB
- [x86] platform: asus-wmi: Detect quirk_no_rfkill from the DSDT
- [x86] reboot/quirks: Add ASUS EeeBook X205TA reboot quirk
- [x86] reboot/quirks: Add ASUS EeeBook X205TA/W reboot quirk
- usb-storage: Add ignore-residue quirk for Initio INIC-3619
- [x86] reboot/quirks: Fix typo in ASUS EeeBook X205TA reboot quirk
[ Ben Hutchings ]
* w1: Really enable W1_MASTER_GPIO as module (Closes: #858975)
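Review bot: '[armhf[ iio: adc: ti_am335x_adc: fix fifo overrun recovery' has a mismatched bracket and should read '[armhf] iio: adc: ti_am335x_adc: ...'. A second point on the same list: the four ChangeLog sections here (4.9.19 to 4.9.22) name the fscrypt (CVE-2017-7374) and mm/mempolicy (CVE-2017-7616) fixes with their CVE ids, but none of the listed items covers the xfrm_user XFRM_MSG_NEWAE fixes (CVE-2017-7184), the scsi sg SG_NEXT_CMD_LEN check (CVE-2017-7187) or the two vmw_surface_define_ioctl() fixes (CVE-2017-7294, CVE-2017-7261), even though this commit deletes those patch files as applied upstream; the vmwgfx entries under 4.9.22 are different commits (fence lookups, vzalloc size, surface permissions, getparam message). Either add those items under the stable release that carried them, with the CVE ids, or mention the drop in the maintainer section, so the security tracker can see where the fixes landed.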
@ -25,10 +247,6 @@ linux (4.9.18-2) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* ping: implement proper locking (CVE-2017-2671)
* fscrypt: remove broken support for detecting keyring key revocation
(CVE-2017-7374)
* mm/mempolicy.c: fix error handling in set_mempolicy and mbind
(CVE-2017-7616)
-- Ben Hutchings <ben@decadent.org.uk> Thu, 30 Mar 2017 18:27:30 +0100
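Review bot: the line counts (10 old, 6 new) match dropping the fscrypt (CVE-2017-7374) and mm/mempolicy (CVE-2017-7616) entries from this maintainer section, since both now appear under the 4.9.20 and 4.9.22 stable lists above; the ping CVE-2017-2671 entry must stay, as bugfix/all/ping-implement-proper-locking.patch is not among the files this commit deletes.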


@ -1,253 +0,0 @@
From: Eric Biggers <ebiggers@google.com>
Date: Tue, 21 Feb 2017 15:07:11 -0800
Subject: fscrypt: remove broken support for detecting keyring key revocation
Origin: https://git.kernel.org/linus/1b53cf9815bb4744958d41f3795d5d5a1d365e2d
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7374
Filesystem encryption ostensibly supported revoking a keyring key that
had been used to "unlock" encrypted files, causing those files to become
"locked" again. This was, however, buggy for several reasons, the most
severe of which was that when key revocation happened to be detected for
an inode, its fscrypt_info was immediately freed, even while other
threads could be using it for encryption or decryption concurrently.
This could be exploited to crash the kernel or worse.
This patch fixes the use-after-free by removing the code which detects
the keyring key having been revoked, invalidated, or expired. Instead,
an encrypted inode that is "unlocked" now simply remains unlocked until
it is evicted from memory. Note that this is no worse than the case for
block device-level encryption, e.g. dm-crypt, and it still remains
possible for a privileged user to evict unused pages, inodes, and
dentries by running 'sync; echo 3 > /proc/sys/vm/drop_caches', or by
simply unmounting the filesystem. In fact, one of those actions was
already needed anyway for key revocation to work even somewhat sanely.
This change is not expected to break any applications.
In the future I'd like to implement a real API for fscrypt key
revocation that interacts sanely with ongoing filesystem operations ---
waiting for existing operations to complete and blocking new operations,
and invalidating and sanitizing key material and plaintext from the VFS
caches. But this is a hard problem, and for now this bug must be fixed.
This bug affected almost all versions of ext4, f2fs, and ubifs
encryption, and it was potentially reachable in any kernel configured
with encryption support (CONFIG_EXT4_ENCRYPTION=y,
CONFIG_EXT4_FS_ENCRYPTION=y, CONFIG_F2FS_FS_ENCRYPTION=y, or
CONFIG_UBIFS_FS_ENCRYPTION=y). Note that older kernels did not use the
shared fs/crypto/ code, but due to the potential security implications
of this bug, it may still be worthwhile to backport this fix to them.
Fixes: b7236e21d55f ("ext4 crypto: reorganize how we store keys in the inode")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Michael Halcrow <mhalcrow@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[carnil: backport synced with 2984e52c75c657db7901f6189f02e0251ca963c2 in 4.9.20]
---
fs/crypto/crypto.c | 10 +---------
fs/crypto/fname.c | 2 +-
fs/crypto/keyinfo.c | 52 +++++++++---------------------------------------
include/linux/fscrypto.h | 2 --
4 files changed, 11 insertions(+), 55 deletions(-)
diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
index 98f87fe8f186..61cfccea77bc 100644
--- a/fs/crypto/crypto.c
+++ b/fs/crypto/crypto.c
@@ -352,7 +352,6 @@ EXPORT_SYMBOL(fscrypt_zeroout_range);
static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
{
struct dentry *dir;
- struct fscrypt_info *ci;
int dir_has_key, cached_with_key;
if (flags & LOOKUP_RCU)
@@ -364,18 +363,11 @@ static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
return 0;
}
- ci = d_inode(dir)->i_crypt_info;
- if (ci && ci->ci_keyring_key &&
- (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
- (1 << KEY_FLAG_REVOKED) |
- (1 << KEY_FLAG_DEAD))))
- ci = NULL;
-
/* this should eventually be an flag in d_flags */
spin_lock(&dentry->d_lock);
cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY;
spin_unlock(&dentry->d_lock);
- dir_has_key = (ci != NULL);
+ dir_has_key = (d_inode(dir)->i_crypt_info != NULL);
dput(dir);
/*
diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c
index 9b774f4b50c8..80bb956e14e5 100644
--- a/fs/crypto/fname.c
+++ b/fs/crypto/fname.c
@@ -350,7 +350,7 @@ int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname,
fname->disk_name.len = iname->len;
return 0;
}
- ret = get_crypt_info(dir);
+ ret = fscrypt_get_encryption_info(dir);
if (ret && ret != -EOPNOTSUPP)
return ret;
diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
index 67fb6d8876d0..bb4606368eb1 100644
--- a/fs/crypto/keyinfo.c
+++ b/fs/crypto/keyinfo.c
@@ -99,6 +99,7 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
kfree(full_key_descriptor);
if (IS_ERR(keyring_key))
return PTR_ERR(keyring_key);
+ down_read(&keyring_key->sem);
if (keyring_key->type != &key_type_logon) {
printk_once(KERN_WARNING
@@ -106,11 +107,9 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
res = -ENOKEY;
goto out;
}
- down_read(&keyring_key->sem);
ukp = user_key_payload(keyring_key);
if (ukp->datalen != sizeof(struct fscrypt_key)) {
res = -EINVAL;
- up_read(&keyring_key->sem);
goto out;
}
master_key = (struct fscrypt_key *)ukp->data;
@@ -121,17 +120,11 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
"%s: key size incorrect: %d\n",
__func__, master_key->size);
res = -ENOKEY;
- up_read(&keyring_key->sem);
goto out;
}
res = derive_key_aes(ctx->nonce, master_key->raw, raw_key);
- up_read(&keyring_key->sem);
- if (res)
- goto out;
-
- crypt_info->ci_keyring_key = keyring_key;
- return 0;
out:
+ up_read(&keyring_key->sem);
key_put(keyring_key);
return res;
}
@@ -173,12 +166,11 @@ static void put_crypt_info(struct fscrypt_info *ci)
if (!ci)
return;
- key_put(ci->ci_keyring_key);
crypto_free_skcipher(ci->ci_ctfm);
kmem_cache_free(fscrypt_info_cachep, ci);
}
-int get_crypt_info(struct inode *inode)
+int fscrypt_get_encryption_info(struct inode *inode)
{
struct fscrypt_info *crypt_info;
struct fscrypt_context ctx;
@@ -188,21 +180,15 @@ int get_crypt_info(struct inode *inode)
u8 *raw_key = NULL;
int res;
+ if (inode->i_crypt_info)
+ return 0;
+
res = fscrypt_initialize();
if (res)
return res;
if (!inode->i_sb->s_cop->get_context)
return -EOPNOTSUPP;
-retry:
- crypt_info = ACCESS_ONCE(inode->i_crypt_info);
- if (crypt_info) {
- if (!crypt_info->ci_keyring_key ||
- key_validate(crypt_info->ci_keyring_key) == 0)
- return 0;
- fscrypt_put_encryption_info(inode, crypt_info);
- goto retry;
- }
res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
if (res < 0) {
@@ -230,7 +216,6 @@ int get_crypt_info(struct inode *inode)
crypt_info->ci_data_mode = ctx.contents_encryption_mode;
crypt_info->ci_filename_mode = ctx.filenames_encryption_mode;
crypt_info->ci_ctfm = NULL;
- crypt_info->ci_keyring_key = NULL;
memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor,
sizeof(crypt_info->ci_master_key));
@@ -285,14 +270,8 @@ int get_crypt_info(struct inode *inode)
if (res)
goto out;
- kzfree(raw_key);
- raw_key = NULL;
- if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) != NULL) {
- put_crypt_info(crypt_info);
- goto retry;
- }
- return 0;
-
+ if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL)
+ crypt_info = NULL;
out:
if (res == -ENOKEY)
res = 0;
@@ -300,6 +279,7 @@ int get_crypt_info(struct inode *inode)
kzfree(raw_key);
return res;
}
+EXPORT_SYMBOL(fscrypt_get_encryption_info);
void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci)
{
@@ -317,17 +297,3 @@ void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci)
put_crypt_info(ci);
}
EXPORT_SYMBOL(fscrypt_put_encryption_info);
-
-int fscrypt_get_encryption_info(struct inode *inode)
-{
- struct fscrypt_info *ci = inode->i_crypt_info;
-
- if (!ci ||
- (ci->ci_keyring_key &&
- (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
- (1 << KEY_FLAG_REVOKED) |
- (1 << KEY_FLAG_DEAD)))))
- return get_crypt_info(inode);
- return 0;
-}
-EXPORT_SYMBOL(fscrypt_get_encryption_info);
diff --git a/include/linux/fscrypto.h b/include/linux/fscrypto.h
index ff8b11b26f31..f6dfc2950f76 100644
--- a/include/linux/fscrypto.h
+++ b/include/linux/fscrypto.h
@@ -79,7 +79,6 @@ struct fscrypt_info {
u8 ci_filename_mode;
u8 ci_flags;
struct crypto_skcipher *ci_ctfm;
- struct key *ci_keyring_key;
u8 ci_master_key[FS_KEY_DESCRIPTOR_SIZE];
};
@@ -256,7 +255,6 @@ extern int fscrypt_has_permitted_context(struct inode *, struct inode *);
extern int fscrypt_inherit_context(struct inode *, struct inode *,
void *, bool);
/* keyinfo.c */
-extern int get_crypt_info(struct inode *);
extern int fscrypt_get_encryption_info(struct inode *);
extern void fscrypt_put_encryption_info(struct inode *, struct fscrypt_info *);
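Review bot: dropping this patch is consistent with the changelog: the stable list names 'fscrypt: remove broken support for detecting keyring key revocation (CVE-2017-7374)' under ChangeLog-4.9.20, and the '[carnil: backport synced with 2984e52c75c657db7901f6189f02e0251ca963c2 in 4.9.20]' note in the header already tied the Debian copy to that stable commit. One thing worth verifying before the file goes: the 4.9.20 keyinfo.c change should, like this backport, take `down_read(&keyring_key->sem)` ahead of the key_type_logon check and release it once at `out:`, since that is what lets the `res = -ENOKEY; goto out` path drop the lock without a separate `up_read`.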
--
2.11.0


@ -1,76 +0,0 @@
From: Chris Salls <salls@cs.ucsb.edu>
Date: Fri, 7 Apr 2017 23:48:11 -0700
Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
Origin: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
In the case that compat_get_bitmap fails we do not want to copy the
bitmap to the user as it will contain uninitialized stack data and leak
sensitive data.
Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
mm/mempolicy.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 75b2745..37d0b33 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1529,7 +1529,6 @@ COMPAT_SYSCALL_DEFINE5(get_mempolicy, int __user *, policy,
COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
compat_ulong_t, maxnode)
{
- long err = 0;
unsigned long __user *nm = NULL;
unsigned long nr_bits, alloc_size;
DECLARE_BITMAP(bm, MAX_NUMNODES);
@@ -1538,14 +1537,13 @@ COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
if (nmask) {
- err = compat_get_bitmap(bm, nmask, nr_bits);
+ if (compat_get_bitmap(bm, nmask, nr_bits))
+ return -EFAULT;
nm = compat_alloc_user_space(alloc_size);
- err |= copy_to_user(nm, bm, alloc_size);
+ if (copy_to_user(nm, bm, alloc_size))
+ return -EFAULT;
}
- if (err)
- return -EFAULT;
-
return sys_set_mempolicy(mode, nm, nr_bits+1);
}
@@ -1553,7 +1551,6 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len,
compat_ulong_t, mode, compat_ulong_t __user *, nmask,
compat_ulong_t, maxnode, compat_ulong_t, flags)
{
- long err = 0;
unsigned long __user *nm = NULL;
unsigned long nr_bits, alloc_size;
nodemask_t bm;
@@ -1562,14 +1559,13 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len,
alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
if (nmask) {
- err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
+ if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
+ return -EFAULT;
nm = compat_alloc_user_space(alloc_size);
- err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
+ if (copy_to_user(nm, nodes_addr(bm), alloc_size))
+ return -EFAULT;
}
- if (err)
- return -EFAULT;
-
return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
}
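Review bot: dropping this patch is consistent with the 4.9.22 stable entry 'mm/mempolicy.c: fix error handling in set_mempolicy and mbind (CVE-2017-7616)' above. For anyone comparing with the stable backport: this version returns -EFAULT straight from a failed compat_get_bitmap() rather than OR-ing the result into `err` and continuing to copy_to_user(), which is what keeps the uninitialized `bm` stack contents from reaching user space; the stable version should behave the same before the Debian copy is removed.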
--
2.1.4


@ -1,29 +0,0 @@
From: peter chang <dpf@google.com>
Date: Wed, 15 Feb 2017 14:11:54 -0800
Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
Origin: https://git.kernel.org/cgit/linux/kernel/git/mkp/scsi.git/commit?id=bf33f87dd04c371ea33feb821b60d63d754e3124
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7187
The user can control the size of the next command passed along, but the
value passed to the ioctl isn't checked against the usable max command
size.
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Chang <dpf@google.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---
drivers/scsi/sg.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:
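Review bot: the commit message's 'applied upstream' should be confirmed for this CVE-2017-7187 fix, because no 4.9.19 to 4.9.22 changelog item above names 'scsi: sg: check length passed to SG_NEXT_CMD_LEN' (the Cc: stable tag makes it plausible, but the Origin points at the mkp/scsi.git tree rather than a mainline or stable id, so the cross-check has to be done by hand). Once confirmed, the changelog should record the stable release that carried it, with the CVE id.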


@ -1,34 +0,0 @@
From: Andy Whitcroft <apw@canonical.com>
Date: Thu, 23 Mar 2017 07:45:44 +0000
Subject: [PATCH 2/2] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size
harder
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
wrapping issues. To ensure we are correctly ensuring that the two ESN
structures are the same size compare both the overall size as reported
by xfrm_replay_state_esn_len() and the internal length are the same.
CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/xfrm/xfrm_user.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 81c4112..87e0c22 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
up = nla_data(rp);
ulen = xfrm_replay_state_esn_len(up);
- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ /* Check the overall length and the internal bitmap length to avoid
+ * potential overflow. */
+ if (nla_len(rp) < ulen ||
+ xfrm_replay_state_esn_len(replay_esn) != ulen ||
+ replay_esn->bmp_len != up->bmp_len)
return -EINVAL;
if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
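Review bot: this patch's context line `if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)` is the check added by the companion 1/2 patch, so the two can only be dropped together; the series hunk in this commit removes both, which is consistent. The added `replay_esn->bmp_len != up->bmp_len` comparison is what closes the wrap-around in xfrm_replay_state_esn_len() that the message describes, so whichever stable release superseded this must carry that comparison as well.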


@ -1,42 +0,0 @@
From: Andy Whitcroft <apw@canonical.com>
Date: Wed, 22 Mar 2017 07:29:31 +0000
Subject: [PATCH 1/2] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL
replay_window
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate
the user supplied replay_esn to ensure that the size is valid and to ensure
that the replay_window size is within the allocated buffer. However later
it is possible to update this replay_esn via a XFRM_MSG_NEWAE call.
There we again validate the size of the supplied buffer matches the
existing state and if so inject the contents. We do not at this point
check that the replay_window is within the allocated memory. This leads
to out-of-bounds reads and writes triggered by netlink packets. This leads
to memory corruption and the potential for priviledge escalation.
We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the
user is not trying to change the size of the replay state buffer which
includes the replay_esn. It however does not check the replay_window
remains within that buffer. Add validation of the contained replay_window.
CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/xfrm/xfrm_user.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 0889209..81c4112 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
return -EINVAL;
+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
+ return -EINVAL;
+
return 0;
}
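Review bot: the index lines document the order the series file relies on: this patch takes xfrm_user.c from 0889209 to 81c4112 and the 2/2 patch from 81c4112 to 87e0c22, matching replay_window.patch being listed before incoming-esn-size-harder.patch. The order in which they are removed does not matter, but if either patch ever has to be restored, both come back in that order.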


@ -1,33 +0,0 @@
Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
From: Li Qiang <liq3ea@gmail.com>
Date: Tue, 28 Mar 2017 03:10:53 +0000
Origin: https://lists.freedesktop.org/archives/dri-devel/2017-March/137124.html
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294
In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
'req->mip_levels' array. This array can be assigned any value from
the user space. As both the 'num_sizes' and the array is uint32_t,
it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
used as the loop count. This can lead an oob write. Add the check of
'req->mip_levels' to avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
---
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -713,8 +713,11 @@ int vmw_surface_define_ioctl(struct drm_
128;
num_sizes = 0;
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
+ return -EINVAL;
num_sizes += req->mip_levels[i];
+ }
if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
num_sizes == 0)
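Review bot: the context lines `if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS || num_sizes == 0)` are the form introduced by the CVE-2017-7261 NULL-dereference patch, so this CVE-2017-7294 patch only applies on top of it; the series hunk drops both, which is consistent. The per-element `req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS` check is the part that actually prevents the uint32_t sum from wrapping, so the superseding upstream fix should be checked for an equivalent bound.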


@ -1,29 +0,0 @@
From: Murray McAllister <murray.mcallister@insomniasec.com>
Date: Fri, 24 Mar 2017 20:33:00 -0700
Subject: vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
Origin: https://cgit.freedesktop.org/mesa/vmwgfx/commit/?id=e904061d2c8968429954be87ad1cc45526510812
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7261
Before memory allocations vmw_surface_define_ioctl() checks the
upper-bounds of a user-supplied size, but does not check if the
supplied size is 0.
Add check to avoid NULL pointer dereferences.
Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
[bwh: Fix filename]
---
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_
for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
num_sizes += req->mip_levels[i];
- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
- DRM_VMW_MAX_MIP_LEVELS)
+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
+ num_sizes == 0)
return -EINVAL;
size = vmw_user_surface_size + 128 +


@ -58,7 +58,7 @@ use of $(ARCH) needs to be moved after this.
export KCONFIG_CONFIG
@@ -373,6 +337,44 @@ LDFLAGS_vmlinux =
CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im -Wno-maybe-uninitialized
CFLAGS_GCOV := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,)
+-include $(obj)/.kernelvariables
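Review bot: the only change is the CFLAGS_GCOV context line, from `-Wno-maybe-uninitialized` to `$(call cc-disable-warning,maybe-uninitialized,)`, with the hunk offset moving from 373 to 337; the Debian `+-include $(obj)/.kernelvariables` addition is untouched, so this is a context refresh against the new upstream Makefile and needs no changelog entry.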


@ -122,17 +122,10 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
debian/time-mark-timer_stats-as-broken.patch
bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
bugfix/all/ping-implement-proper-locking.patch
bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch
bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
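Review bot: the hunk shrinks the block from 17 to 10 lines, which matches the seven patch files this commit deletes (two xfrm_user, scsi-sg, two vmwgfx, fscrypt, mm-mempolicy); ping-implement-proper-locking.patch and the three net-packet overflow patches stay, consistent with the CVE-2017-2671 changelog entry being kept. Since this series file is the only record that the CVE-2017-7184, CVE-2017-7187, CVE-2017-7294 and CVE-2017-7261 patches were dropped, the changelog should name the stable release that superseded them.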