From 31945f628c99b3a1074dc8ef64611a4cf6ee0f21 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sun, 16 Apr 2017 21:46:39 +0100
Subject: [PATCH] Update to 4.9.22
Drop patches applied upstream.
---
 debian/changelog | 228 +++++++++++++++-
 ...roken-support-for-detecting-keyring-.patch | 253 ------------------
 ...ix-error-handling-in-set_mempolicy-a.patch | 76 ------
 ...eck-length-passed-to-sg_next_cmd_len.patch | 29 --
 ...m_msg_newae-incoming-esn-size-harder.patch | 34 ---
 ...e-xfrma_replay_esn_val-replay_window.patch | 42 ---
 ...overflow-in-vmw_surface_define_ioctl.patch | 33 ---
 ...eference-in-vmw_surface_define_ioctl.patch | 29 --
 debian/patches/debian/kernelvariables.patch | 2 +-
 debian/patches/series | 7 -
 10 files changed, 224 insertions(+), 509 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch
 delete mode 100644 debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
 delete mode 100644 debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
 delete mode 100644 debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
 delete mode 100644 debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
 delete mode 100644 debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
 delete mode 100644 debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
diff --git a/debian/changelog b/debian/changelog
index bbbacf589..53f7466b5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,226 @@
-linux (4.9.18-2) UNRELEASED; urgency=medium
+linux (4.9.22-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.19
+ - net/openvswitch: Set the ipv6 source tunnel key address attribute
+ correctly
+ - net: properly release sk_frag.page
+ - [arm64] amd-xgbe: Fix jumbo MTU processing on newer hardware
+ - openvswitch: Add missing case OVS_TUNNEL_KEY_ATTR_PAD
+ - net: unix: properly re-increment inflight counter of GC discarded
+ candidates
+ - net: vrf: Reset rt6i_idev in local dst after put
+ - net/mlx5: Add missing entries for set/query rate limit commands
+ - net/mlx5e: Use the proper UAPI values when offloading TC vlan actions
+ - net/mlx5: Increase number of max QPs in default profile
+ - net/mlx5e: Count GSO/LRO packets correctly
+ - ipv6: make sure to initialize sockc.tsflags before first use
+ - ipv4: provide stronger user input validation in nl_fib_input()
+ - socket, bpf: fix sk_filter use after free in sk_clone_lock
+ - tcp: initialize icsk_ack.lrcvtime at session start time
+ - Input: iforce,ims-pcu,hanwang,yealink,cm109,kbtab,sur40 - validate
+ number of endpoints before using them
+ - ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
+ - ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
+ - ALSA: hda - Adding a group of pin definition to fix headset problem
+ - ACM gadget: fix endianness in notifications
+ - usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's
+ wBytesPerInterval
+ - USB: uss720,idmouse,wusbcore: fix NULL-deref at probe
+ - usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer
+ - usb: hub: Fix crash after failure to read BOS descriptor
+ - USB: usbtmc: add missing endpoint sanity check
+ - USB: usbtmc: fix probe error path
+ - uwb: i1480-dfu: fix NULL-deref at probe
+ - mmc: ushc: fix NULL-deref at probe
+ - [armhf[ iio: adc: ti_am335x_adc: fix fifo overrun recovery
+ - iio: sw-device: Fix config group initialization
+ - iio: hid-sensor-trigger: Change get poll value function order to avoid
+ sensor properties losing after resume from S3
+ - parport: fix attempt to write duplicate procfiles
+ - ext4: mark inode dirty after converting inline directory
+ - ext4: lock the xattr block before checksuming it
+ - [powerpc*/*64*] Fix idle wakeup potential to clobber registers
+ - mmc: sdhci: Do not disable interrupts while waiting for clock
+ - mmc: sdhci-pci: Do not disable interrupts in sdhci_intel_set_power
+ - [x86] hwrng: amd - Revert managed API changes
+ - [x86] hwrng: geode - Revert managed API changes
+ - [armhf] clk: sunxi-ng: sun6i: Fix enable bit offset for hdmi-ddc module
+ clock
+ - [armhf] clk: sunxi-ng: mp: Adjust parent rate for pre-dividers
+ - mwifiex: pcie: don't leak DMA buffers when removing
+ - [x86] crypto: ccp - Assign DMA commands to the channel's CCP
+ - xen/acpi: upload PM state from init-domain to Xen
+ - [x86] iommu/vt-d: Fix NULL pointer dereference in device_to_iommu
+ - [arm64] kaslr: Fix up the kernel image alignment
+ - cpufreq: Restore policy min/max limits on CPU online
+ - cgroup, net_cls: iterate the fds of only the tasks which are being
+ migrated
+ - blk-mq: don't complete un-started request in timeout handler
+ - [x86] drm/amdgpu: reinstate oland workaround for sclk
+ - jbd2: don't leak memory if setting up journal fails
+ - [x86] intel_th: Don't leak module refcount on failure to activate
+ - [x86] Drivers: hv: vmbus: Don't leak channel ids
+ - [x86] Drivers: hv: vmbus: Don't leak memory when a channel is rescinded
+ - libceph: don't set weight to IN when OSD is destroyed
+ - [x86] device-dax: fix pmd/pte fault fallback handling
+ - [armhf] drm/bridge: analogix dp: Fix runtime PM state on driver bind
+ - nl80211: fix dumpit error path RTNL deadlocks
+ - drm: reference count event->completion
+ - fbcon: Fix vc attr at deinit
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.20
+ - xfrm: policy: init locks early
+ - [x86] KVM: cleanup the page tracking SRCU instance
+ - virtio_balloon: init 1st buffer in stats vq
+ - [mips*] ptrace: Preserve previous registers for short regset write
+ - [sparc64] ptrace: Preserve previous registers for short regset write
+ - fscrypt: remove broken support for detecting keyring key revocation
+ (CVE-2017-7374)
+ - sched/rt: Add a missing rescheduling point
+ - [armhf] usb: musb: fix possible spinlock deadlock
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.21
+ - libceph: force GFP_NOIO for socket allocations
+ - xen/setup: Don't relocate p2m over existing one
+ - xfs: only update mount/resv fields on success in __xfs_ag_resv_init
+ - xfs: use per-AG reservations for the finobt
+ - xfs: pull up iolock from xfs_free_eofblocks()
+ - xfs: sync eofblocks scans under iolock are livelock prone
+ - xfs: fix eofblocks race with file extending async dio writes
+ - xfs: fix toctou race when locking an inode to access the data map
+ - xfs: fail _dir_open when readahead fails
+ - xfs: filter out obviously bad btree pointers
+ - xfs: check for obviously bad level values in the bmbt root
+ - xfs: verify free block header fields
+ - xfs: allow unwritten extents in the CoW fork
+ - xfs: mark speculative prealloc CoW fork extents unwritten
+ - xfs: reset b_first_retry_time when clear the retry status of xfs_buf_t
+ - xfs: update ctime and mtime on clone destinatation inodes
+ - xfs: reject all unaligned direct writes to reflinked files
+ - xfs: don't fail xfs_extent_busy allocation
+ - xfs: handle indlen shortage on delalloc extent merge
+ - xfs: split indlen reservations fairly when under reserved
+ - xfs: fix uninitialized variable in _reflink_convert_cow
+ - xfs: don't reserve blocks for right shift transactions
+ - xfs: Use xfs_icluster_size_fsb() to calculate inode chunk alignment
+ - xfs: tune down agno asserts in the bmap code
+ - xfs: only reclaim unwritten COW extents periodically
+ - xfs: fix and streamline error handling in xfs_end_io
+ - xfs: Use xfs_icluster_size_fsb() to calculate inode alignment mask
+ - xfs: use iomap new flag for newly allocated delalloc blocks
+ - xfs: try any AG when allocating the first btree block when reflinking
+ - scsi: libsas: fix ata xfer length
+ - scsi: scsi_dh_alua: Check scsi_device_get() return value
+ - scsi: scsi_dh_alua: Ensure that alua_activate() calls the completion
+ function
+ - ALSA: seq: Fix race during FIFO resize
+ - ALSA: hda - fix a problem for lineout on a Dell AIO machine
+ - [x86] ASoC: Intel: Skylake: fix invalid memory access due to wrong
+ reference of pointer
+ - HID: wacom: Don't add ghost interface as shared data
+ - mmc: sdhci: Disable runtime pm when the sdio_irq is enabled
+ - NFSv4.1 fix infinite loop on IO BAD_STATEID error
+ - nfsd: map the ENOKEY to nfserr_perm for avoiding warning
+ - [hppa] Clean up fixup routines for get_user()/put_user()
+ - [hppa] Avoid stalled CPU warnings after system shutdown
+ - [hppa] Fix access fault handling in pa_memcpy()
+ - ACPI: Fix incompatibility with mcount-based function graph tracing
+ - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
+ - USB: fix linked-list corruption in rh_call_control()
+ - [x86] KVM: clear bus pointer when destroyed
+ - KVM: kvm_io_bus_unregister_dev() should never fail
+ - drm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags
+ - [armhf,arm64] drm/vc4: Allocate the right amount of space for boot-time
+ CRTC state.
+ - [armhf] drm/etnaviv: (re-)protect fence allocation with GPU mutex
+ - [x86] mm/KASLR: Exclude EFI region from KASLR VA space randomization
+ - [x86] mce: Fix copy/paste error in exception table entries
+ - lib/syscall: Clear return values when no stack
+ - mm: rmap: fix huge file mmap accounting in the memcg stats
+ - mm, hugetlb: use pte_present() instead of pmd_present() in
+ follow_huge_pmd()
+ - qla2xxx: Allow vref count to timeout on vport delete.
+ - mm: workingset: fix premature shadow node shrinking with cgroups
+ - blk: improve order of bio handling in generic_make_request()
+ - blk: Ensure users for current->bio_list can see the full list.
+ - padata: avoid race in reordering
+ - nvme/core: Fix race kicking freed request_queue
+ - nvme/pci: Disable on removal when disconnected
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.22
+ - ppdev: check before attaching port
+ - ppdev: fix registering same device name
+ - [x86] drm/vmwgfx: Type-check lookups of fence objects
+ - [x86] drm/vmwgfx: avoid calling vzalloc with a 0 size in
+ vmw_get_cap_3d_ioctl()
+ - drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
+ - [x86] drm/vmwgfx: Remove getparam error message
+ - sysfs: be careful of error returns from ops->show()
+ - [armhf,arm64] KVM: Take mmap_sem in stage2_unmap_vm
+ - [armhf,arm64] KVM: Take mmap_sem in kvm_arch_prepare_memory_region
+ - [armhf,arm64] kvm: Fix locking for kvm_free_stage2_pgd
+ - [x86] iio: bmg160: reset chip when probing
+ - [arm64] mm: unaligned access by user-land should be received as SIGBUS
+ - cfg80211: check rdev resume callback only for registered wiphy
+ - CIFS: Reset TreeId to zero on SMB2 TREE_CONNECT
+ - mm/page_alloc.c: fix print order in show_free_areas()
+ - ptrace: fix PTRACE_LISTEN race corrupting task->state
+ - dm verity fec: limit error correction recursion
+ - dm verity fec: fix bufio leaks
+ - ACPI / gpio: do not fall back to parsing _CRS when we get a deferral
+ - xfs: Honor FALLOC_FL_KEEP_SIZE when punching ends of files
+ - ring-buffer: Fix return value check in test_ringbuffer()
+ - mac80211: unconditionally start new netdev queues with iTXQ support
+ - brcmfmac: use local iftype avoiding use-after-free of virtual interface
+ - [powerpc*] Disable HFSCR[TM] if TM is not supported
+ - [powerpc*] mm: Add missing global TLB invalidate if cxl is active
+ - [powerpc*/*64*]: Fix flush_(d|i)cache_range() called from modules
+ - [powerpc*] Don't try to fix up misaligned load-with-reservation
+ instructions
+ - [powerpc*] crypto/crc32c-vpmsum: Fix missing preempt_disable()
+ - dm raid: fix NULL pointer dereference for raid1 without bitmap
+ - [s390x] decompressor: fix initrd corruption caused by bss clear
+ - [s390x] uaccess: get_user() should zero on failure (again)
+ - [mips*el/loongson-3] Check TLB before handle_ri_rdhwr() for Loongson-3
+ - [mips*el/loongson-3] Add MIPS_CPU_FTLB for Loongson-3A R2
+ - [mips*el/loongson-3] Flush wrong invalid FTLB entry for huge page
+ - [mips*el/loongson-3] c-r4k: Fix Loongson-3's vcache/scache waysize
+ calculation
+ - mm/mempolicy.c: fix error handling in set_mempolicy and mbind
+ (CVE-2017-7616)
+ - random: use chacha20 for get_random_int/long
+ - [armhf] drm/sun4i: tcon: Move SoC specific quirks to a DT matched data
+ structure
+ - [armhf] drm/sun4i: Add compatible strings for A31/A31s display pipelines
+ - [armhf] drm/sun4i: Add compatible string for A31/A31s TCON (timing
+ controller)
+ - HID: i2c-hid: add a simple quirk to fix device defects
+ - usb: dwc3: gadget: delay unmap of bounced requests
+ - [x86] ASoC: Intel: bytct_rt5640: change default capture settings
+ - [armhf,arm64] clocksource/drivers/arm_arch_timer: Don't assume clock runs
+ in suspend
+ - scsi: ufs: introduce UFSHCD_QUIRK_PRDT_BYTE_GRAN quirk
+ - HID: multitouch: do not retrieve all reports for all devices
+ - [arm64] mmc: sdhci-msm: Enable few quirks
+ - scsi: ufs: ensure that host pa_tactivate is higher than device
+ - svcauth_gss: Close connection when dropping an incoming message
+ - scsi: ufs: add quirk to increase host PA_SaveConfigTime
+ - [x86] platform: acer-wmi: Only supports AMW0_GUID1 on acer family
+ - nvme: simplify stripe quirk
+ - ACPI / sysfs: Provide quirk mechanism to prevent GPE flooding
+ - HID: usbhid: Add quirk for the Futaba TOSD-5711BB VFD
+ - [x86] drm/i915: actually drive the BDW reserved IDs
+ - scsi: ufs: issue link starup 2 times if device isn't active
+ - [armhf] serial: 8250_omap: Add OMAP_DMA_TX_KICK quirk for AM437x
+ - ACPI / button: Change default behavior to lid_init_state=open
+ - [x86] ACPI: save NVS memory for Lenovo G50-45
+ - HID: wacom: don't apply generic settings to old devices
+ - [arm64] firmware: qcom: scm: Fix interrupted SCM calls
+ - [armhf] watchdog: s3c2410: Fix infinite interrupt in soft mode
+ - [x86] platform: asus-wmi: Set specified XUSB2PR value for X550LB
+ - [x86] platform: asus-wmi: Detect quirk_no_rfkill from the DSDT
+ - [x86] reboot/quirks: Add ASUS EeeBook X205TA reboot quirk
+ - [x86] reboot/quirks: Add ASUS EeeBook X205TA/W reboot quirk
+ - usb-storage: Add ignore-residue quirk for Initio INIC-3619
+ - [x86] reboot/quirks: Fix typo in ASUS EeeBook X205TA reboot quirk
 [ Ben Hutchings ]
 * w1: Really enable W1_MASTER_GPIO as module (Closes: #858975)
@@ -25,10 +247,6 @@ linux (4.9.18-2) UNRELEASED; urgency=medium
 [ Salvatore Bonaccorso ]
 * ping: implement proper locking (CVE-2017-2671)
- * fscrypt: remove broken support for detecting keyring key revocation
- (CVE-2017-7374)
- * mm/mempolicy.c: fix error handling in set_mempolicy and mbind
- (CVE-2017-7616)
 -- Ben Hutchings Thu, 30 Mar 2017 18:27:30 +0100
diff --git a/debian/patches/bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch b/debian/patches/bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch
deleted file mode 100644
index 0e58294da..000000000
--- a/debian/patches/bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch
+++ /dev/null
@@ -1,253 +0,0 @@
-From: Eric Biggers
-Date: Tue, 21 Feb 2017 15:07:11 -0800
-Subject: fscrypt: remove broken support for detecting keyring key revocation
-Origin: https://git.kernel.org/linus/1b53cf9815bb4744958d41f3795d5d5a1d365e2d
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7374
-
-Filesystem encryption ostensibly supported revoking a keyring key that
-had been used to "unlock" encrypted files, causing those files to become
-"locked" again. This was, however, buggy for several reasons, the most
-severe of which was that when key revocation happened to be detected for
-an inode, its fscrypt_info was immediately freed, even while other
-threads could be using it for encryption or decryption concurrently.
-This could be exploited to crash the kernel or worse.
-
-This patch fixes the use-after-free by removing the code which detects
-the keyring key having been revoked, invalidated, or expired. Instead,
-an encrypted inode that is "unlocked" now simply remains unlocked until
-it is evicted from memory. Note that this is no worse than the case for
-block device-level encryption, e.g. dm-crypt, and it still remains
-possible for a privileged user to evict unused pages, inodes, and
-dentries by running 'sync; echo 3 > /proc/sys/vm/drop_caches', or by
-simply unmounting the filesystem. In fact, one of those actions was
-already needed anyway for key revocation to work even somewhat sanely.
-This change is not expected to break any applications.
-
-In the future I'd like to implement a real API for fscrypt key
-revocation that interacts sanely with ongoing filesystem operations ---
-waiting for existing operations to complete and blocking new operations,
-and invalidating and sanitizing key material and plaintext from the VFS
-caches. But this is a hard problem, and for now this bug must be fixed.
-
-This bug affected almost all versions of ext4, f2fs, and ubifs
-encryption, and it was potentially reachable in any kernel configured
-with encryption support (CONFIG_EXT4_ENCRYPTION=y,
-CONFIG_EXT4_FS_ENCRYPTION=y, CONFIG_F2FS_FS_ENCRYPTION=y, or
-CONFIG_UBIFS_FS_ENCRYPTION=y). Note that older kernels did not use the
-shared fs/crypto/ code, but due to the potential security implications
-of this bug, it may still be worthwhile to backport this fix to them.
-
-Fixes: b7236e21d55f ("ext4 crypto: reorganize how we store keys in the inode")
-Signed-off-by: Eric Biggers
-Signed-off-by: Theodore Ts'o
-Acked-by: Michael Halcrow
-Signed-off-by: Greg Kroah-Hartman
-[carnil: backport synced with 2984e52c75c657db7901f6189f02e0251ca963c2 in 4.9.20]
----
- fs/crypto/crypto.c | 10 +---------
- fs/crypto/fname.c | 2 +-
- fs/crypto/keyinfo.c | 52 +++++++++---------------------------------
- include/linux/fscrypto.h | 2 --
- 4 files changed, 11 insertions(+), 55 deletions(-)
-
-diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
-index 98f87fe8f186..61cfccea77bc 100644
---- a/fs/crypto/crypto.c
-+++ b/fs/crypto/crypto.c
-@@ -352,7 +352,6 @@ EXPORT_SYMBOL(fscrypt_zeroout_range);
- static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
- {
- struct dentry *dir;
-- struct fscrypt_info *ci;
- int dir_has_key, cached_with_key;
-
- if (flags & LOOKUP_RCU)
-@@ -364,18 +363,11 @@ static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
- return 0;
- }
-
-- ci = d_inode(dir)->i_crypt_info;
-- if (ci && ci->ci_keyring_key &&
-- (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
-- (1 << KEY_FLAG_REVOKED) |
-- (1 << KEY_FLAG_DEAD))))
-- ci = NULL;
--
- /* this should eventually be an flag in d_flags */
- spin_lock(&dentry->d_lock);
- cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY;
- spin_unlock(&dentry->d_lock);
-- dir_has_key = (ci != NULL);
-+ dir_has_key = (d_inode(dir)->i_crypt_info != NULL);
- dput(dir);
-
- /*
-diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c
-index 9b774f4b50c8..80bb956e14e5 100644
---- a/fs/crypto/fname.c
-+++ b/fs/crypto/fname.c
-@@ -350,7 +350,7 @@ int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname,
- fname->disk_name.len = iname->len;
- return 0;
- }
-- ret = get_crypt_info(dir);
-+ ret = fscrypt_get_encryption_info(dir);
- if (ret && ret != -EOPNOTSUPP)
- return ret;
-
-diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
-index 67fb6d8876d0..bb4606368eb1 100644
---- a/fs/crypto/keyinfo.c
-+++ b/fs/crypto/keyinfo.c
-@@ -99,6 +99,7 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
- kfree(full_key_descriptor);
- if (IS_ERR(keyring_key))
- return PTR_ERR(keyring_key);
-+ down_read(&keyring_key->sem);
-
- if (keyring_key->type != &key_type_logon) {
- printk_once(KERN_WARNING
-@@ -106,11 +107,9 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
- res = -ENOKEY;
- goto out;
- }
-- down_read(&keyring_key->sem);
- ukp = user_key_payload(keyring_key);
- if (ukp->datalen != sizeof(struct fscrypt_key)) {
- res = -EINVAL;
-- up_read(&keyring_key->sem);
- goto out;
- }
- master_key = (struct fscrypt_key *)ukp->data;
-@@ -121,17 +120,11 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
- "%s: key size incorrect: %d\n",
- __func__, master_key->size);
- res = -ENOKEY;
-- up_read(&keyring_key->sem);
- goto out;
- }
- res = derive_key_aes(ctx->nonce, master_key->raw, raw_key);
-- up_read(&keyring_key->sem);
-- if (res)
-- goto out;
--
-- crypt_info->ci_keyring_key = keyring_key;
-- return 0;
- out:
-+ up_read(&keyring_key->sem);
- key_put(keyring_key);
- return res;
- }
-@@ -173,12 +166,11 @@ static void put_crypt_info(struct fscrypt_info *ci)
- if (!ci)
- return;
-
-- key_put(ci->ci_keyring_key);
- crypto_free_skcipher(ci->ci_ctfm);
- kmem_cache_free(fscrypt_info_cachep, ci);
- }
-
--int get_crypt_info(struct inode *inode)
-+int fscrypt_get_encryption_info(struct inode *inode)
- {
- struct fscrypt_info *crypt_info;
- struct fscrypt_context ctx;
-@@ -188,21 +180,15 @@ int get_crypt_info(struct inode *inode)
- u8 *raw_key = NULL;
- int res;
-
-+ if (inode->i_crypt_info)
-+ return 0;
-+
- res = fscrypt_initialize();
- if (res)
- return res;
-
- if (!inode->i_sb->s_cop->get_context)
- return -EOPNOTSUPP;
--retry:
-- crypt_info = ACCESS_ONCE(inode->i_crypt_info);
-- if (crypt_info) {
-- if (!crypt_info->ci_keyring_key ||
-- key_validate(crypt_info->ci_keyring_key) == 0)
-- return 0;
-- fscrypt_put_encryption_info(inode, crypt_info);
-- goto retry;
-- }
-
- res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
- if (res < 0) {
-@@ -230,7 +216,6 @@ int get_crypt_info(struct inode *inode)
- crypt_info->ci_data_mode = ctx.contents_encryption_mode;
- crypt_info->ci_filename_mode = ctx.filenames_encryption_mode;
- crypt_info->ci_ctfm = NULL;
-- crypt_info->ci_keyring_key = NULL;
- memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor,
- sizeof(crypt_info->ci_master_key));
-
-@@ -285,14 +270,8 @@ int get_crypt_info(struct inode *inode)
- if (res)
- goto out;
-
-- kzfree(raw_key);
-- raw_key = NULL;
-- if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) != NULL) {
-- put_crypt_info(crypt_info);
-- goto retry;
-- }
-- return 0;
--
-+ if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL)
-+ crypt_info = NULL;
- out:
- if (res == -ENOKEY)
- res = 0;
-@@ -300,6 +279,7 @@ int get_crypt_info(struct inode *inode)
- kzfree(raw_key);
- return res;
- }
-+EXPORT_SYMBOL(fscrypt_get_encryption_info);
-
- void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci)
- {
-@@ -317,17 +297,3 @@ void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci)
- put_crypt_info(ci);
- }
- EXPORT_SYMBOL(fscrypt_put_encryption_info);
--
--int fscrypt_get_encryption_info(struct inode *inode)
--{
-- struct fscrypt_info *ci = inode->i_crypt_info;
--
-- if (!ci ||
-- (ci->ci_keyring_key &&
-- (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
-- (1 << KEY_FLAG_REVOKED) |
-- (1 << KEY_FLAG_DEAD)))))
-- return get_crypt_info(inode);
-- return 0;
--}
--EXPORT_SYMBOL(fscrypt_get_encryption_info);
-diff --git a/include/linux/fscrypto.h b/include/linux/fscrypto.h
-index ff8b11b26f31..f6dfc2950f76 100644
---- a/include/linux/fscrypto.h
-+++ b/include/linux/fscrypto.h
-@@ -79,7 +79,6 @@ struct fscrypt_info {
- u8 ci_filename_mode;
- u8 ci_flags;
- struct crypto_skcipher *ci_ctfm;
-- struct key *ci_keyring_key;
- u8 ci_master_key[FS_KEY_DESCRIPTOR_SIZE];
- };
-
-@@ -256,7 +255,6 @@ extern int fscrypt_has_permitted_context(struct inode *, struct inode *);
- extern int fscrypt_inherit_context(struct inode *, struct inode *,
- void *, bool);
- /* keyinfo.c */
--extern int get_crypt_info(struct inode *);
- extern int fscrypt_get_encryption_info(struct inode *);
- extern void fscrypt_put_encryption_info(struct inode *, struct fscrypt_info *);
-
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch b/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
deleted file mode 100644
index 114a2b890..000000000
--- a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Chris Salls
-Date: Fri, 7 Apr 2017 23:48:11 -0700
-Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
-Origin: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
-
-In the case that compat_get_bitmap fails we do not want to copy the
-bitmap to the user as it will contain uninitialized stack data and leak
-sensitive data.
-
-Signed-off-by: Chris Salls
-Signed-off-by: Linus Torvalds
----
- mm/mempolicy.c | 20 ++++++++------------
- 1 file changed, 8 insertions(+), 12 deletions(-)
-
-diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index 75b2745..37d0b33 100644
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -1529,7 +1529,6 @@ COMPAT_SYSCALL_DEFINE5(get_mempolicy, int __user *, policy,
- COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
- compat_ulong_t, maxnode)
- {
-- long err = 0;
- unsigned long __user *nm = NULL;
- unsigned long nr_bits, alloc_size;
- DECLARE_BITMAP(bm, MAX_NUMNODES);
-@@ -1538,14 +1537,13 @@ COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
- alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
-
- if (nmask) {
-- err = compat_get_bitmap(bm, nmask, nr_bits);
-+ if (compat_get_bitmap(bm, nmask, nr_bits))
-+ return -EFAULT;
- nm = compat_alloc_user_space(alloc_size);
-- err |= copy_to_user(nm, bm, alloc_size);
-+ if (copy_to_user(nm, bm, alloc_size))
-+ return -EFAULT;
- }
-
-- if (err)
-- return -EFAULT;
--
- return sys_set_mempolicy(mode, nm, nr_bits+1);
- }
-
-@@ -1553,7 +1551,6 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len,
- compat_ulong_t, mode, compat_ulong_t __user *, nmask,
- compat_ulong_t, maxnode, compat_ulong_t, flags)
- {
-- long err = 0;
- unsigned long __user *nm = NULL;
- unsigned long nr_bits, alloc_size;
- nodemask_t bm;
-@@ -1562,14 +1559,13 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len,
- alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
-
- if (nmask) {
-- err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
-+ if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
-+ return -EFAULT;
- nm = compat_alloc_user_space(alloc_size);
-- err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
-+ if (copy_to_user(nm, nodes_addr(bm), alloc_size))
-+ return -EFAULT;
- }
-
-- if (err)
-- return -EFAULT;
--
- return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
- }
-
---
-2.1.4
-
diff --git a/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch b/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
deleted file mode 100644
index 7def878e3..000000000
--- a/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: peter chang
-Date: Wed, 15 Feb 2017 14:11:54 -0800
-Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
-Origin: https://git.kernel.org/cgit/linux/kernel/git/mkp/scsi.git/commit?id=bf33f87dd04c371ea33feb821b60d63d754e3124
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7187
-
-The user can control the size of the next command passed along, but the
-value passed to the ioctl isn't checked against the usable max command
-size.
-
-Cc:
-Signed-off-by: Peter Chang
-Acked-by: Douglas Gilbert
-Signed-off-by: Martin K. Petersen
----
- drivers/scsi/sg.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int
- result = get_user(val, ip);
- if (result)
- return result;
-+ if (val > SG_MAX_CDB_SIZE)
-+ return -ENOMEM;
- sfp->next_cmd_len = (val > 0) ? val : 0;
- return 0;
- case SG_GET_VERSION_NUM:
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
deleted file mode 100644
index faf3861a5..000000000
--- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Andy Whitcroft
-Date: Thu, 23 Mar 2017 07:45:44 +0000
-Subject: [PATCH 2/2] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size
- harder
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
-
-Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
-wrapping issues. To ensure we are correctly ensuring that the two ESN
-structures are the same size compare both the overall size as reported
-by xfrm_replay_state_esn_len() and the internal length are the same.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft
----
- net/xfrm/xfrm_user.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index 81c4112..87e0c22 100644
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
- up = nla_data(rp);
- ulen = xfrm_replay_state_esn_len(up);
-
-- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
-+ /* Check the overall length and the internal bitmap length to avoid
-+ * potential overflow. */
-+ if (nla_len(rp) < ulen ||
-+ xfrm_replay_state_esn_len(replay_esn) != ulen ||
-+ replay_esn->bmp_len != up->bmp_len)
- return -EINVAL;
-
- if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
deleted file mode 100644
index 758973ece..000000000
--- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Andy Whitcroft
-Date: Wed, 22 Mar 2017 07:29:31 +0000
-Subject: [PATCH 1/2] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL
- replay_window
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
-
-When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate
-the user supplied replay_esn to ensure that the size is valid and to ensure
-that the replay_window size is within the allocated buffer. However later
-it is possible to update this replay_esn via a XFRM_MSG_NEWAE call.
-There we again validate the size of the supplied buffer matches the
-existing state and if so inject the contents. We do not at this point
-check that the replay_window is within the allocated memory. This leads
-to out-of-bounds reads and writes triggered by netlink packets. This leads
-to memory corruption and the potential for priviledge escalation.
-
-We already attempt to validate the incoming replay information in
-xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the
-user is not trying to change the size of the replay state buffer which
-includes the replay_esn. It however does not check the replay_window
-remains within that buffer. Add validation of the contained replay_window.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft
----
- net/xfrm/xfrm_user.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index 0889209..81c4112 100644
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
- return -EINVAL;
-
-+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
-+ return -EINVAL;
-+
- return 0;
- }
-
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
deleted file mode 100644
index 85146707b..000000000
--- a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
-From: Li Qiang
-Date: Tue, 28 Mar 2017 03:10:53 +0000
-Origin: https://lists.freedesktop.org/archives/dri-devel/2017-March/137124.html
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294
-
-In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
-'req->mip_levels' array. This array can be assigned any value from
-the user space. As both the 'num_sizes' and the array is uint32_t,
-it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
-used as the loop count. This can lead an oob write. Add the check of
-'req->mip_levels' to avoid this.
-
-Signed-off-by: Li Qiang
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -713,8 +713,11 @@ int vmw_surface_define_ioctl(struct drm_
- 128;
-
- num_sizes = 0;
-- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
-+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
-+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
-+ return -EINVAL;
- num_sizes += req->mip_levels[i];
-+ }
-
- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
- num_sizes == 0)
diff --git a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
deleted file mode 100644
index b4dac5cc1..000000000
--- a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Murray McAllister
-Date: Fri, 24 Mar 2017 20:33:00 -0700
-Subject: vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
-Origin: https://cgit.freedesktop.org/mesa/vmwgfx/commit/?id=e904061d2c8968429954be87ad1cc45526510812
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7261
-
-Before memory allocations vmw_surface_define_ioctl() checks the
-upper-bounds of a user-supplied size, but does not check if the
-supplied size is 0.
-
-Add check to avoid NULL pointer dereferences.
-
-Signed-off-by: Murray McAllister
-Reviewed-by: Sinclair Yeh
-[bwh: Fix filename]
---
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
- num_sizes += req->mip_levels[i];
-
-- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
-- DRM_VMW_MAX_MIP_LEVELS)
-+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
-+ num_sizes == 0)
- return -EINVAL;
-
- size = vmw_user_surface_size + 128 +
diff --git a/debian/patches/debian/kernelvariables.patch b/debian/patches/debian/kernelvariables.patch
index f59d00b7d..d2bdec0b1 100644
--- a/debian/patches/debian/kernelvariables.patch
+++ b/debian/patches/debian/kernelvariables.patch
@@ -58,7 +58,7 @@ use of $(ARCH) needs to be moved after this.
 export KCONFIG_CONFIG
 @@ -373,6 +337,44 @@ LDFLAGS_vmlinux =
- CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im -Wno-maybe-uninitialized
+ CFLAGS_GCOV := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
 CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,)
 +-include $(obj)/.kernelvariables
diff --git a/debian/patches/series b/debian/patches/series
index 69a977211..99a6cc7d4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -122,17 +122,10 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
 debian/time-mark-timer_stats-as-broken.patch
 bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
-bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
-bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
-bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
 bugfix/all/ping-implement-proper-locking.patch
-bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch
-bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch