Update to 4.14-rc3
parent
6c9c816966
commit
335613b4d6
@ -1,4 +1,4 @@
linux (4.14~rc2-1~exp1) UNRELEASED; urgency=medium
linux (4.14~rc3-1~exp1) UNRELEASED; urgency=medium
* New upstream release candidate
|
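--- a/bugfix/all/fix-infoleak-in-waitid-2.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Al Viro <viro@zeniv.linux.org.uk>
-Date: Fri, 29 Sep 2017 13:43:15 -0400
-Subject: fix infoleak in waitid(2)
-Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954
-
-kernel_waitid() can return a PID, an error or 0. rusage is filled in the first
-case and waitid(2) rusage should've been copied out exactly in that case, *not*
-whenever kernel_waitid() has not returned an error. Compat variant shares that
-braino; none of kernel_wait4() callers do, so the below ought to fix it.
-
-Reported-and-tested-by: Alexander Potapenko <glider@google.com>
-Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
-Cc: stable@vger.kernel.org # v4.13
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
----
-kernel/exit.c | 23 ++++++++++-------------
-1 file changed, 10 insertions(+), 13 deletions(-)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index 3481ababd06a..f2cd53e92147 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
-struct waitid_info info = {.status = 0};
-long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
-int signo = 0;
-+
-if (err > 0) {
-signo = SIGCHLD;
-err = 0;
-- }
--
-- if (!err) {
-if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
-return -EFAULT;
-}
-@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
-if (err > 0) {
-signo = SIGCHLD;
-err = 0;
-- }
--
-- if (!err && uru) {
-- /* kernel_waitid() overwrites everything in ru */
-- if (COMPAT_USE_64BIT_TIME)
-- err = copy_to_user(uru, &ru, sizeof(ru));
-- else
-- err = put_compat_rusage(&ru, uru);
-- if (err)
-- return -EFAULT;
-+ if (uru) {
-+ /* kernel_waitid() overwrites everything in ru */
-+ if (COMPAT_USE_64BIT_TIME)
-+ err = copy_to_user(uru, &ru, sizeof(ru));
-+ else
-+ err = put_compat_rusage(&ru, uru);
-+ if (err)
-+ return -EFAULT;
-+ }
-}
-
-if (!infop)
---
-2.14.2
-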
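--- a/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Xin Long <lucien.xin@gmail.com>
-Date: Sun, 27 Aug 2017 20:25:26 +0800
-Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
-Origin: https://patchwork.kernel.org/patch/9923803/
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
-
-ChunYu found a kernel crash by syzkaller:
-
-[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
-[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
-[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
-[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
-[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
-[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
-[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
-[...]
-[ 651.627260] Call Trace:
-[ 651.629156] skb_release_all+0x4f/0x60
-[ 651.629450] consume_skb+0x1a5/0x600
-[ 651.630705] netlink_unicast+0x505/0x720
-[ 651.632345] netlink_sendmsg+0xab2/0xe70
-[ 651.633704] sock_sendmsg+0xcf/0x110
-[ 651.633942] ___sys_sendmsg+0x833/0x980
-[ 651.637117] __sys_sendmsg+0xf3/0x240
-[ 651.638820] SyS_sendmsg+0x32/0x50
-[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-It's caused by skb_shared_info at the end of sk_buff was overwritten by
-ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
-
-During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
-ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
-new value to skb_shinfo(SKB)->nr_frags by ev->type.
-
-This patch is to fix it by checking nlh->nlmsg_len properly there to
-avoid over accessing sk_buff.
-
-Reported-by: ChunYu Wang <chunwang@redhat.com>
-Signed-off-by: Xin Long <lucien.xin@gmail.com>
-Acked-by: Chris Leech <cleech@redhat.com>
----
-drivers/scsi/scsi_transport_iscsi.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/scsi/scsi_transport_iscsi.c
-+++ b/drivers/scsi/scsi_transport_iscsi.c
-@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
-uint32_t group;
-
-nlh = nlmsg_hdr(skb);
-- if (nlh->nlmsg_len < sizeof(*nlh) ||
-+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
-skb->len < nlh->nlmsg_len) {
-break;
-}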
@ -111,8 +111,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
bugfix/all/fix-infoleak-in-waitid-2.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch